Sun Java System Directory Server 7.0 tips: Retro changelog and the attributes of the deleted entry
Although I always had a high level of respect for the documentation of the Sun products, I have to say that sometimes it was the root of an issue by not describing it well. Namely, its retro changelog plug-in has a feature of logging a set of attributes for the deleted entry, but it does not really explain anything more than just how to enable it. How to use it, on the other hand, came up as an issue for our developers…
The Sun Directory Server Enterprise Edition 7.0 Administration Guide has a chapter called “Using the Retro Change Log”, but it lists only the steps to set it up, not how to make use of it for anything beyond the most obvious and basic features. The basic use itself is very straightforward:
- you search the suffix cn=changelog with the filter (objectclass=changelogentry)
- and then watch for the attributes changeTime, changeType, changeNumber, targetDN, etc.
You can also make it a persistent search if you need updates at the moment they take place. For example:
- normal search:
ldapsearch -h host -p port -D "cn=directory manager" -w password -b "cn=changelog" "(objectclass=changelogentry)"
- persistent search
ldapsearch -h host -p port -D "cn=directory manager" -w password -C ps:any -b "cn=changelog" "(objectclass=changelogentry)"
Of course, both lookups would return all attributes for the entry, but you knew that. The list of attributes can be found in the manual page for changeLogEntry(5dsoc). However, if you configure the feature to record the attributes of the deleted entries, the first thing you will notice is that they do not show up, and since the documentation does not mention anything regarding this, you have to do some digging. In the manual page for the changeLogEntry object class you can see that one of the MAY attributes is deletedEntryAttrs, which is supposed to hold the list of the attributes you wanted to keep track of. Looking into its manual page, deletedEntryAttrs(5dsat), we can see it is an operational attribute, which means we have to ask for it explicitly:
ldapsearch -h host -p port -D "cn=directory manager" -w password -b "cn=changelog" "(objectclass=changelogentry)" deletedEntryAttrs
The value of the attribute is encoded in BASE64 format, and when decoded it comes out in the familiar LDIF form. If you are curious to see what is inside from the command line, you can pipe the value through the “base64 -d -i” tool:
print "<BASE64 value copied from the attribute>" | base64 -i -d
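Copying the value by hand gets tedious once there are many delete records, and ldapsearch folds long base64 values across several lines. The following is an added example, not code from the original post or from Sun: it parses saved ldapsearch output, keeps only the delete records, and decodes deletedEntryAttrs into the deleted entry's attributes. It assumes standard LDIF output and that the decoded value is a plain list of "attribute: value" lines; the function names and the sample record are constructed for illustration.

```python
import base64

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    return text.replace("\r\n", "\n").replace("\n ", "").split("\n")

def parse_ldif(text):
    """Parse LDIF into a list of entries: {lowercased attr name: [values]}."""
    entries, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):             # "attr:: value" means base64
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def deleted_entries(changelog_ldif):
    """Return [(targetDN, attrs)] for delete records carrying deletedEntryAttrs."""
    found = []
    for rec in parse_ldif(changelog_ldif):
        blob = rec.get("deletedentryattrs")
        if rec.get("changetype") == ["delete"] and blob:
            inner = parse_ldif(blob[0])       # decoded value is itself LDIF
            found.append((rec["targetdn"][0], inner[0] if inner else {}))
    return found

def build_sample():
    """Constructed ldapsearch-style output (not real directory data)."""
    inner = "objectClass: inetOrgPerson\nuid: jdoe\nmail: jdoe@example.com\n"
    line = "deletedEntryAttrs:: " + base64.b64encode(inner.encode()).decode()
    folded = "\n ".join(line[i:i + 40] for i in range(0, len(line), 40))
    return ("dn: changeNumber=41,cn=changelog\nchangeType: modify\n"
            "targetDN: uid=asmith,ou=People,dc=example,dc=com\n\n"
            "dn: changeNumber=42,cn=changelog\nchangeType: delete\n"
            "targetDN: uid=jdoe,ou=People,dc=example,dc=com\n" + folded + "\n")

if __name__ == "__main__":
    for dn, attrs in deleted_entries(build_sample()):
        print(dn, attrs)
```

Attribute names are lowercased because the case in which the server returns them can vary; to use it on real data, redirect the ldapsearch output to a file and pass its contents to deleted_entries().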

