9.16. Using the Retro Changelog Plug-in

The Retro Changelog plug-in configures Directory Server to maintain a changelog that is compatible with the changelog implemented in Directory Server 4.0, 4.1, and 4.1x. Maintaining a retro changelog is essential to maintain a changelog for directory clients that depend on a Directory Server 4.x-style changelog.
To use the retro changelog plug-in, the Directory Server 8.2 instance must be configured as a single-master replica.
When the Directory Server is configured to maintain a retro changelog, this changelog is stored in a separate database under a special suffix, cn=changelog.
The retro changelog consists of a single level of entries. Each entry in the changelog has the object class changeLogEntry and can include the attributes listed in Table 9.5, “Attributes of a Retro Changelog Entry”.

Table 9.5. Attributes of a Retro Changelog Entry

Attribute Definition
changeNumber This single-valued attribute is always present. It contains an integer which uniquely identifies each change. This number is related to the order in which the change occurred. The higher the number, the later the change.
targetDN This attribute contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDN attribute contains the DN of the entry before it was modified or moved.
changetype Specifies the type of LDAP operation. This attribute can have a value of add, delete, modify, or modrdn.
changes For add and modify operations, contains the changes made to the entry in LDIF format.
newrdn In the case of modrdn operations, specifies the new RDN of the entry.
deleteoldrdn In the case of modrdn operations, specifies whether the old RDN was deleted.
newSuperior In the case of modrdn operations, specifies the newSuperior attribute of the entry.

This section contains information on the following retro changelog items:

9.16.1. Enabling the Retro Changelog Plug-in

The retro changelog plug-in configuration information is stored in the cn=Retro Changelog Plugin,cn=plugins,cn=config entry in dse.ldif. To enable the retro changelog plug-in from the command line:
  1. Create an LDIF file that contains the following LDIF update statements:
    dn: cn=Retro Changelog Plugin,cn=plugins,cn=config 
    changetype: modify 
    replace: nsslapd-pluginEnabled 
    nsslapd-pluginEnabled: on
  2. Use the ldapmodify command to import the LDIF file into the directory.
    /usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com -f retro.ldif
  3. Restart the server.
    For information on restarting the server, see Section 1.4, “Starting and Stopping Servers”.
The retro changelog is created in the directory tree under a special suffix, cn=changelog.
The procedure for enabling the retro changelog plug-in from Directory Server Console is the same as for all Directory Server plug-ins. For information, see Section 1.10.1, “Enabling Plug-ins”.

9.16.2. Trimming the Retro Changelog

The entries in the changelog can be automatically removed after a specified period of time. To configure the period of time after which entries are automatically deleted from the changelog, set the nsslapd-changelogmaxage configuration attribute in the cn=Retro Changelog Plugin,cn=plugins,cn=config entry.
The nsslapd-changelogmaxage attribute is a single-valued attribute. Its syntax is as follows:
nsslapd-changelogmaxage: Integer timeUnit
Integer is a number, and timeUnit can be s for seconds, m for minutes, h for hours, d for days, or w for weeks.


There should not be a space between the Integer and timeUnit variables. The space in the syntax above is intended to show that the attribute value is composed of two variable parts, not just one. For example:
nsslapd-changelogmaxage: 2d

9.16.3. Searching and Modifying the Retro Changelog

The changelog supports search operations and is optimized for searches that include filters of the form (&(changeNumber>=X)(changeNumber<=Y)).
As a general rule, do not perform add or modify operations on the retro changelog entries, although entries can be deleted to trim the size of the changelog. Only modify the retro changelog entry to modify the default access control policy.

9.16.4. Retro Changelog and the Access Control Policy

When the retro changelog is created, the following access control rules apply by default:
  • Read, search, and compare rights are granted to all authenticated users (userdn=anyone, not to be confused with anonymous access where userdn=all) to the retro changelog top entry cn=changelog.
  • Write and delete access are not granted, except implicitly to the Directory Manager.
Do not grant read access to anonymous users because the changelog entries can contain modifications to sensitive information, such as passwords. Only authenticated applications and users should be allowed to access this information.
To modify the default access control policy which applies to the retro changelog, modify the aci attribute of the cn=changelog entry.