Jump to: navigation, search

Obsolete:DS Additional Attributes in Retro Change Log

Obsolete Documentation

Please note that this content was marked as obsolete. We left the content here for study and archaeological purposes.

Please check our Documentation for a recent list of topics.


IPAv3 plans to utilize the Retro Change Log to help synchronizing IPA into Samba. A monitoring agent will be listening to the change log tree in IPA using persistent search. When a client performs an LDAP operation, it will be logged in the change log tree, then the monitor should detect that and subsequently invoke a sync agent which will perform the actual synchronization to Samba.

There are several issues with the current Retro Change Log implementation:

1. IPA and Samba entries are linked using the objectGUID which is stored in both entries. However, the change log entry currently only stores the DN of the IPA entry. In case of delete operation, the sync agent will not be able to find the objectGUID of that entry so it cannot delete the corresponding Samba entry. One solution is to record the objectGUID attribute in the change log entry as well.

2. Because of replication, when a client performs an operation on one instance, the change log entry will be duplicated to all other IPA instances. The sync agent should only synchronize the operation one time, so the monitor should filter out the duplicates. One solution is to add an attribute in the change log entry that indicates whether the operation is replicated.

See also:


The Retro Change Log plugin should accept a new multi-valued parameter nsslapd-attribute:

dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
nsslapd-attribute: <attribute name>[:<alias>]

The nsslapd-attribute contains the name of the attribute that will be added into the change log entry. It may optionally contain an alias for storing the value in a different attribute name in the change log entry. The nsslapd-attribute can be specified multiple times.

There are 2 types of attributes that can be added:

  • built-in attributes: special attributes generated by DS (e.g. nsUniqueId, isReplicated)
  • target attributes: attributes stored in the target entry (e.g. objectClass)

The plugin should support at least the following built-in attributes:

  • nsUniqueId: unique ID of the changed entry
  • isReplicated: boolean value indicating whether the operation is replicated
    • TRUE: the operation was replicated from other instance
    • FALSE: the operation was performed locally on this instance

If at least one nsslapd-attribute is specified, the object class extensibleObject will be added to change log entry.

For example:

dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
nsslapd-attribute: nsUniqueId:targetUniqueId
nsslapd-attribute: objectClass:targetObjectClass
nsslapd-attribute: isReplicated

The change log entry should look as follows:

dn: changeNumber=...,cn=changelog
objectClass: top
objectClass: changeLogEntry
objectClass: extensibleObject
changeNumber: ...
changeTime: ...
changeType: add/modify/modrdn/delete
targetDn: ...
targetUniqueId: <target object's nsUniqueId>
targetObjectClass: <target object's objectClass>
isReplicated: TRUE/FALSE


A new attribute isReplicated should be added into 01common.ldif or 02common.ldif:

attributeTypes: ( 2.16.840.1.113730.3.1.2085 NAME 'isReplicated' DESC 'Changelog attribute type' SYNTAX X-ORIGIN 'Changelog Internet Draft' )

and 60changelog.ldif:

attributeTypes: (
  NAME 'isReplicated'
  DESC 'a flag which indicates whether the change was replicated'
  EQUALITY booleanMatch

See also OID Assignments for Red Hat Directory Server.


Changes should be made in ldap/servers/plugins/retrocl in the following methods:

  • retrocl_start()
  • retrocl_postob()
  • write_replog_db()

Global Variables

int retrocl_nattributes = 0;
char **retrocl_attributes = NULL;

Reading New Parameters

Slapi_Entry *e = NULL;

if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
    slapi_log_error(SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME, "missing config entry\n");
    return -1;

retrocl_attributes = slapi_entry_attr_get_charray(e, "nsslapd-attribute");

for (retrocl_nattributes=0;
    retrocl_attributes&& retrocl_attributes[retrocl_nattributes];
    retrocl_nattributes++) {


Getting nsUniqueId Attribute

Slapi_Entry *entry;
char *uniqueId;

slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &entry);
uniqueId = slapi_entry_get_uniqueid(entry);


Generating isReplicated Attribute

int repl_op = 0;

slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);

if (repl_op) return;


Getting User-defined Attributes

Slapi_Entry *entry;

slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &entry);
char *value = slapi_entry_attr_get_charptr(entry, attributes[i]);




The patch has been committed in these revisions: