NOTE
There should be no space between the Integer and timeUnit
variables. The space in the syntax above is intended to show that
the attribute value is composed of two variable parts, not just one.
Example of nsslapd-changelogmaxage value:
nsslapd-changelogmaxage: 2d
Searching and Modifying the Retro Change Log
The change log supports search operations. It is optimized for searches that include
filters of the form:
(&(changeNumber>=X)(changeNumber<=Y))
As a general rule, you should not perform add or modify operations on the retro
change log entries, although you can delete entries to trim the size of the change
log. The only time you will need to perform a modify operation on the retro change
log is to modify the default access control policy.
Retro Change Log and the Access Control Policy
When the retro change log is created, by default, the following access control rules
apply:
•
Read, search and compare rights are granted to all authenticated users
(userdn=all, not to be confused with anonymous access where
userdn=anyone) to the retro change log top entry cn=changelog.
•
Write and delete access are not granted, except implicitly to the Directory
Manager.
You should not grant read access to anonymous users, because the change log
entries can contain modifications to sensitive information, such as passwords. Only
authenticated applications and users should be allowed to access this information.
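One way to check a retro change log policy against the rules above, as an added example that is not part of the original manual. It scans aci values taken from the cn=changelog entry and reports rules that grant read rights to anonymous users or grant write or delete rights; the sample aci strings and the uid=sync DN are constructed for illustration.

```python
import re

# Constructed sample: aci values as they might appear on the cn=changelog entry.
# The first mirrors the default policy described above; the other two are
# deliberately weak settings made up for this example.
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "changelog read"; '
    'allow (read,search,compare) userdn="ldap:///all";)',
    '(targetattr="*")(version 3.0; acl "open read"; '
    'allow (read,search) userdn="ldap:///anyone";)',
    '(targetattr="*")(version 3.0; acl "app write"; '
    'allow (write,delete) userdn="ldap:///uid=sync,ou=apps,dc=example,dc=com";)',
]

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
# A permission clause has the form: allow|deny (rights) bind-rule ;
PERMISSION = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I)
READ_RIGHTS = {"read", "search", "compare", "all"}
WRITE_RIGHTS = {"write", "add", "delete", "all"}


def audit_changelog_acis(acis):
    """Return (acl name, finding) pairs for rules that break the default policy."""
    findings = []
    for aci in acis:
        m = ACL_NAME.search(aci)
        name = m.group(1) if m else "<unnamed>"
        for kind, rights, bind_rule in PERMISSION.findall(aci):
            if kind.lower() != "allow":
                continue  # deny rules cannot widen access
            granted = {r.strip().lower() for r in rights.split(",")}
            # Simplification: any mention of ldap:///anyone counts as anonymous.
            anonymous = re.search(r'ldap:///anyone\b', bind_rule, re.I)
            if anonymous and granted & READ_RIGHTS:
                findings.append((name, "anonymous read access"))
            if granted & WRITE_RIGHTS:
                findings.append((name, "write or delete access granted"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_changelog_acis(SAMPLE_ACIS):
        print(f"{name}: {finding}")
```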
To modify the default access control policy which applies to the retro change log,
you can modify the aci attribute of the cn=changelog entry.
Using the Retro Change Log Plug-In
Chapter 8
Managing Replication