Hi!
Debugging issues with my OpenLDAP configuration I inspected the changelog. One entry had some "odd" values (IMHO). Consider this example:

dn: reqStart=20250423131324.000185Z,cn=audit
objectClass: auditModify
structuralObjectClass: auditModify
reqStart: 20250423131324.000185Z
reqEnd: 20250423131324.000188Z
reqType: modify
reqSession: 1024
reqAuthzID: cn=config
reqDN: olcDatabase={4}mdb,cn=config
reqResult: 0
reqMod: olcRootPW:= {SSHA256}REDACTED agNLQ==
reqMod: entryCSN:= 20250423131324.377585Z#000000#005#000000
reqMod: modifiersName:= cn=config
reqMod: modifyTimestamp:= 20250423131324Z
reqOld: olcRootPW: REDACTED
reqOld: entryCSN: 20250423131324.038419Z#000000#005#000000
reqOld: modifiersName: cn=config
reqOld: modifyTimestamp: 20250423131324Z
reqEntryUUID: 7b0b106c-b490-103f-8f46-3bae5e23549d
entryUUID: 7b40af6a-b490-103f-8f7d-3bae5e23549d
creatorsName: cn=audit
createTimestamp: 20250423131324Z
entryCSN: 20250423131324.377585Z#000000#005#000000
modifiersName: cn=audit
modifyTimestamp: 20250423131324Z

The change in entryCSN and modifyTimestamp are:

OLD: 20250423131324.038419Z#000000#005#000000
NEW: 20250423131324.377585Z#000000#005#000000
OLD: 20250423131324Z
NEW: 20250423131324Z

So the change happened within the same second, and modifyTimestamp did not actually change. So the question is kind of philosophical: Are attributes logged as changed when actually they did not change? This would apply to modifyTimestamp and modifyTimestamp in this case.
Kind regards, Ulrich Windl
On Thu, Apr 24, 2025 at 07:04:46AM +0000, Windl, Ulrich wrote:
Hi!
Debugging issues with my OpenLDAP configuration I inspected the changelog. One entry had some "odd" values (IMHO). Consider this example:

dn: reqStart=20250423131324.000185Z,cn=audit
objectClass: auditModify
reqType: modify
reqDN: olcDatabase={4}mdb,cn=config
reqResult: 0
reqMod: entryCSN:= 20250423131324.377585Z#000000#005#000000
reqMod: modifyTimestamp:= 20250423131324Z

The change in entryCSN and modifyTimestamp are:

OLD: 20250423131324.038419Z#000000#005#000000
NEW: 20250423131324.377585Z#000000#005#000000
OLD: 20250423131324Z
NEW: 20250423131324Z

So the change happened within the same second, and modifyTimestamp did not actually change. So the question is kind of philosophical: Are attributes logged as changed when actually they did not change? This would apply to modifyTimestamp and modifyTimestamp in this case.
Hi Ulrich,
the accesslog's main purpose is to serve as an auditable record of operations performed. As such, it records what has been requested (e.g. set modifyTimestamp attribute to "20250423131324Z"), even if it ended up being a noop for some reason like in your case.
Incidentally, it is also usable as a replication source, which deltasync exploits.
Regards,
openldap-technical@openldap.org
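
Added example (not part of the thread and not OpenLDAP project code): since the accesslog records what was requested rather than what effectively changed, an audit script can compare each replace-type reqMod against the matching reqOld to tell real changes from no-ops. The sample entry is constructed from the one quoted above with placeholder password values; the function name, exact string comparison and one-attribute-per-line LDIF input (no base64 or folded lines) are assumptions of this sketch.

```python
import re

# Constructed sample: the accesslog entry from the thread, one attribute per
# line, with the olcRootPW values replaced by placeholders.
SAMPLE = """\
dn: reqStart=20250423131324.000185Z,cn=audit
reqType: modify
reqDN: olcDatabase={4}mdb,cn=config
reqMod: olcRootPW:= {SSHA256}NEW-PLACEHOLDER
reqMod: entryCSN:= 20250423131324.377585Z#000000#005#000000
reqMod: modifiersName:= cn=config
reqMod: modifyTimestamp:= 20250423131324Z
reqOld: olcRootPW: OLD-PLACEHOLDER
reqOld: entryCSN: 20250423131324.038419Z#000000#005#000000
reqOld: modifiersName: cn=config
reqOld: modifyTimestamp: 20250423131324Z
"""

# reqMod values look like "attr:<op> value" with op one of + - = #;
# reqOld values look like "attr: value".
REQMOD = re.compile(r"^reqMod: ([^:]+):([+\-=#])(?: (.*))?$")
REQOLD = re.compile(r"^reqOld: ([^:]+): (.*)$")

def classify_replaces(entry_ldif):
    """Map each replaced attribute to 'changed', 'noop' or 'unknown'.

    'unknown' means the entry carries no reqOld for that attribute, so the
    log alone cannot show whether the request altered anything. Values are
    compared as exact strings, not with the attribute's matching rule, and
    are never returned, so secrets such as olcRootPW are not echoed.
    """
    new, old = {}, {}
    for line in entry_ldif.splitlines():
        if m := REQMOD.match(line):
            attr, op, value = m.groups()
            if op == "=":  # only replace operations are classified here
                values = new.setdefault(attr.lower(), set())
                if value is not None:
                    values.add(value)
        elif m := REQOLD.match(line):
            old.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return {attr: "unknown" if attr not in old
            else ("noop" if values == old[attr] else "changed")
            for attr, values in new.items()}

if __name__ == "__main__":
    for attr, verdict in classify_replaces(SAMPLE).items():
        print(f"{attr}: {verdict}")
```

On the sample, olcRootPW and entryCSN come out as changed, while modifiersName and modifyTimestamp come out as requested but unchanged.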