On Thu, Apr 24, 2025 at 07:04:46AM +0000, Windl, Ulrich wrote:
> Hi!
>
> Debugging issues with my OpenLDAP configuration I inspected the changelog.
> One entry had some "odd" values (IMHO).
> Consider this example:
>
> dn: reqStart=20250423131324.000185Z,cn=audit
> objectClass: auditModify
> reqType: modify
> reqDN: olcDatabase={4}mdb,cn=config
> reqResult: 0
> reqMod: entryCSN:= 20250423131324.377585Z#000000#005#000000
> reqMod: modifyTimestamp:= 20250423131324Z
>
> The change in entryCSN and modifyTimestamp are:
> OLD: 20250423131324.038419Z#000000#005#000000
> NEW: 20250423131324.377585Z#000000#005#000000
> OLD: 20250423131324Z
> NEW: 20250423131324Z
>
> So the change happened within the same second, and modifyTimestamp did
> not actually change. So the question is kind of philosophical: Are
> attibutes logged as changed when actually they did not change?
> This would apply to modifyTimestamp and modifyTimestamp in this case.
Hi Ulrich,
the accesslog main purpose is to serve as an auditable record of
operations performed. As such it records what has been requested (e.g.
set modifyTimestamp attribute to "20250423131324Z"), even if it ended up
being a noop for some reason like in your case.
Incidentally, it is also usable as a replication source, which deltasync
exploits.
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
