logs archive / BotHelp.net / Freenode / #389 / 2015 / August / 11 / 1
gregwork
hello, how long does the changelog for a user object live?
I'm trying to view the changelog for a user but I am not getting any results, trying to figure out when the log expires
nhosoi
gregwork: I assume it is MMR changelog (cn=changelog5).
gregwork: please take a look at: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnchangelog5-nsslapd_changelogmaxage_Max_Changelog_Age
gregwork
what would be the impact of drastically changing that
to say 1,2,3+ years
heh
actually I see the default is 0
does that mean forever?
mreynolds
gregwork: yes
gregwork: the main impact of having a very long maxage is that there are no constraints on how large it will get. A large changelog also takes longer to do database recovery (and ruv rebuilding).
gregwork
but that is the default
to keep changes forever
mreynolds
true
that's why I highly recommend setting a maxage :-)
gregwork
if this is forever, why does this return nothing: ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-PROD-SYMPROD-COM.socket -b cn=changelog5,cn=config targetDn=uid=gprocuni,cn=users,cn=accounts,dc=prod,dc=symprod,dc=com
this account has existed for 2 years
multiple changes
I've run that on all of my replicas
all of them return nothing
mreynolds
gregwork: The replication changelog can not be searched
only the retro changelog can
gregwork: you can export the changelog to ldif, but it is not an actual backend that you can access
richm
you can also use dbscan on it
gregwork
ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-PROD-SYMPROD-COM.socket -b cn=changelog targetDn=uid=gprocuni,cn=users,cn=accounts,dc=prod,dc=symprod,dc=com should work, should it not?
mreynolds
gregwork: I'm not 100% sure what a retrocl entry looks like, but yes it should
gregwork
that's pretty strange, all 4 of my replicas say no such object
mreynolds
this is assuming you had the retrocl enabled the entire time
gregwork
well it's freeipa, so I believe it is enabled
by default
nevermind
it appears to be off by default
that sucks
lol
mreynolds
sorry :-)