OpenIDM detects changes in OpenDJ using the External Change Log (ECL), a mechanism similar to the Retro Change Log known from Sun Directory Server. The ECL is exposed as an LDAP subtree with base DN cn=changelog. Each change is represented as an entry in that subtree, and the entry remains there for a few days only (it is purged after OpenDJ's replication purge delay), so the scan interval must be well below that retention time.
OpenIDM scans the cn=changelog subtree for new entries at regular intervals (the scan is in fact performed by the LDAP connector).
OpenIDM accesses OpenDJ as a dedicated user, uid=idm,ou=Administrators,dc=example,dc=com, and not as the cn=directory manager superuser. Firstly, using a least-privilege account instead of the superuser is a best practice. Secondly, OpenIDM itself modifies the LDAP directory during provisioning. We do not want to detect those changes again, as that could cause loops in the business logic, so the connector filters out all changelog entries made by this user. This filtering only works safely if the account is used exclusively by OpenIDM: any change made through this account by another process or person would be silently skipped by the synchronization. Do not share its credentials.
Setting Up OpenDJ
On Initial Installation
When installing OpenDJ, make sure to enable replication by checking "Server part of replication topology". This enables the External Change Log (ECL, the cn=changelog LDAP subtree) even on a single server.
On an existing Instance
Execute the following (adjusted where needed) commands:
These commands also activate the ECL. Each change to a user entry is then reflected by its own entry under cn=changelog. Verify this by searching the root DSE as cn=directory manager: it should advertise the changelog and its change numbers.
Make sure that you import the example-base-only.ldif file, which contains the user
Set Up Access Control
Access to the ECL is controlled by OpenDJ global ACIs, which have to be modified to let the IDM user in. OpenDJ ships with a global ACI that denies everyone access to cn=changelog. Because a deny ACI always takes precedence over any allow ACI, it would override the allow ACIs that we want to place on cn=changelog, so it needs to be removed.
TODO: Need to figure out how to deny unauthorized access here.
Then add an allow ACI that grants the IDM admin read access to cn=changelog.
Finally, add an allow ACI that grants the IDM admin read access to the root DSE attribute lastChangeNumber, which the connector needs in order to find the most recent change number.
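The three ACI changes above put together, as an added example that is not part of the original page and not the OpenDJ or OpenIDM project's own configuration: one LDIF modification of the access control handler entry, applied with ldapmodify bound as cn=directory manager. The attribute name ds-cfg-global-aci, the exact wording of the default deny ACI and the extra root DSE attributes firstChangeNumber and lastExternalChangelogCookie are assumptions based on OpenDJ 2.x; before applying it, read the current values with ldapsearch -b cn=config "(cn=Access Control Handler)" ds-cfg-global-aci and paste the deny ACI exactly as the server returns it, because deleting a value that does not match fails the whole modification. The last ACI is one way to address the TODO above: it restores a deny for everyone except the IDM user. Since deny wins over allow, the IDM user must be excluded from it with userdn!=, and some deny is needed because other global allow ACIs are not restricted by target and may match entries under cn=changelog once the blanket deny is gone.

```ldif
# Added example. Apply with:
#   ldapmodify -p 389 -D "cn=directory manager" -w <password> -f changelog-aci.ldif
# All ACI texts below are assumptions to be checked against the running server.
dn: cn=Access Control Handler,cn=config
changetype: modify
# 1. Remove the shipped blanket deny on cn=changelog (value must match exactly).
delete: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)
-
# 2. Read-only access to the changelog for the dedicated IDM account.
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "IDM changelog access"; allow (read,search,compare) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)
-
# 3. Root DSE operational attributes the connector reads to position itself
#    (lastChangeNumber from the page; the other two are assumed OpenDJ attributes).
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="lastChangeNumber||firstChangeNumber||lastExternalChangelogCookie||changelog")(version 3.0; acl "IDM root DSE changelog attributes"; allow (read,search,compare) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)
-
# 4. Everyone except the IDM account is explicitly denied on cn=changelog
#    (suggested handling of the TODO; deny takes precedence, hence the userdn!=).
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn!="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)
```

After applying it, check both directions: a search of cn=changelog bound as uid=idm,ou=Administrators,dc=example,dc=com must return entries, while the same search done anonymously or as an ordinary user must return nothing (or be rejected), and the root DSE search as the IDM user must show lastChangeNumber.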