Chapter 6. Tracking the bind DN for plug-in-initiated updates
In Directory Server, you can track which user performed an action that caused a plug-in to update an entry. If the tracking is enabled and a plug-in changes an entry as a consequence of an action performed by a user, you can see the user's name in the modifiersname attribute of the updated entry.
6.1. Tracking user information for entry modifications performed by a plug-in
When a user performs an action that changes an entry, it can trigger other, automatic changes across the directory tree. By default, Directory Server does not track the name of the user whose action initiated the data modification. To track the user information, use the nsslapd-plugin-binddn-tracking parameter.
For example, when the administrator deletes a user, the Referential Integrity Postoperation plug-in automatically removes the user from all groups. You can see the initial action in the entry as being performed by the user account bound to the server. But all related updates are, by default, shown as being performed by the plug-in, with no information about which user initiated the update.
A second example might be using the MemberOf plug-in to update user entries with group membership. The update to the group account is shown as being performed by the bound user, while the edit to the user entry is shown as being performed by the MemberOf plug-in:
dn: cn=example_group,ou=groups,dc=example,dc=com
modifiersname: uid=example,ou=people,dc=example,dc=com

dn: uid=example,ou=people,dc=example,dc=com
modifiersname: cn=MemberOf Plugin,cn=plugins,cn=config
The nsslapd-plugin-binddn-tracking parameter enables the server to track which user originated an update operation, as well as the internal plug-in which actually performed the operation. The bound user is shown in the modifiersname and creatorsname operational attributes, while the plug-in which performed the update is shown in the internalModifiersname and internalCreatorsname operational attributes. For example:
dn: uid=example,ou=people,dc=example,dc=com
modifiersname: uid=admin,ou=people,dc=example,dc=com
internalModifiersname: cn=MemberOf Plugin,cn=plugins,cn=config
The nsslapd-plugin-binddn-tracking parameter tracks and maintains the relationship between the bound user and all updates performed for that connection.
The internalModifiersname and internalCreatorsname attributes always show a plug-in as the identity. The value of the attribute is:
- cn=ldbm database,cn=plugins,cn=config when the core Directory Server performs the change
- cn=the DN of the plug-in,cn=plugins,cn=config when a plug-in changed the entry
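The following is an added audit helper, not part of the Directory Server documentation, that applies the attribute rules above to LDIF output such as the ldapsearch results in this chapter: it reports who initiated a write and who applied it, and flags entries whose modifiersname is itself a plug-in DN, the signature of a plug-in-initiated update made while bind DN tracking was off. The sample LDIF is constructed for the example; a value introduced with "::" is base64-decoded as in standard LDIF.

```python
import base64
from typing import Dict, List, Optional

# Constructed sample: one entry written with tracking on, one with it off.
SAMPLE_LDIF = """\
dn: uid=example-user,ou=people,dc=example,dc=com
modifiersname: uid=admin,ou=people,dc=example,dc=com
internalModifiersname: cn=MemberOf Plugin,cn=plugins,cn=config

dn: uid=other-user,ou=people,dc=example,dc=com
modifiersname: cn=MemberOf Plugin,cn=plugins,cn=config
"""

PLUGIN_SUFFIX = "cn=plugins,cn=config"            # all plug-in identities end here
CORE_DN = "cn=ldbm database,cn=plugins,cn=config"  # core server (no plug-in) write


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split LDIF into records; attribute names are case-insensitive, so lower-case them."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():               # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        current[name.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def is_plugin_dn(dn: Optional[str]) -> bool:
    return dn is not None and dn.lower().endswith(PLUGIN_SUFFIX)


def classify(entry: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Return initiator (bound user), applier (plug-in or core server) and a status."""
    modifier = entry.get("modifiersname")
    internal = entry.get("internalmodifiersname")
    if internal is None:
        # Without internalModifiersname the only clue is modifiersname itself.
        if is_plugin_dn(modifier):
            return {"dn": entry["dn"], "initiator": None, "applied_by": modifier,
                    "status": "plugin-initiated, bind DN not tracked"}
        return {"dn": entry["dn"], "initiator": modifier, "applied_by": modifier,
                "status": "direct"}
    status = "core server write" if internal.lower() == CORE_DN else "plugin write"
    return {"dn": entry["dn"], "initiator": modifier, "applied_by": internal, "status": status}


def audit(text: str) -> List[Dict[str, Optional[str]]]:
    return [classify(e) for e in parse_ldif(text)]
```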
6.2. Enabling tracking the bind DN for plug-in-initiated updates using the command line
For data updates initiated by a plug-in, you often need to know which user performed the action that led to the update. On the command line, set the nsslapd-plugin-binddn-tracking parameter to track this user information.
Procedure
- Set the nsslapd-plugin-binddn-tracking parameter to on:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-plugin-binddn-tracking=on
Verification
- Display the modifiersname and internalModifiersname attributes of an entry that was changed by a plug-in. For example, if the MemberOf plug-in is enabled, display the attributes of a user after you added the user to a group:
# ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com -x -b "uid=example-user,ou=People,dc=example,dc=com" -s base internalModifiersname modifiersname
dn: uid=example-user,ou=people,dc=example,dc=com
modifiersname: uid=admin,ou=people,dc=example,dc=com
internalModifiersname: cn=MemberOf Plugin,cn=plugins,cn=config
6.3. Enabling tracking the bind DN for plug-in-initiated updates using the web console
For data updates initiated by a plug-in, you often need to know which user performed the action that led to the update. Using the web console, you can enable tracking of this user information.
Prerequisites
- You are logged in to the Directory Server instance in the web console.
Procedure
- Open the menu.
- On the Advanced Settings tab, select Enable Plugin Bind DN Tracking.
- Click .
Verification
- Display the modifiersname and internalModifiersname attributes of an entry that was changed by a plug-in. For example, if the MemberOf plug-in is enabled, display the attributes of a user after you added the user to a group:
# ldapsearch -D "cn=Directory Manager" -W -H ldap://server.example.com -x -b "uid=example-user,ou=People,dc=example,dc=com" -s base internalModifiersname modifiersname
dn: uid=example-user,ou=people,dc=example,dc=com
modifiersname: uid=admin,ou=people,dc=example,dc=com
internalModifiersname: cn=MemberOf Plugin,cn=plugins,cn=config