From 81216591a07c2886e5e54edb70f28004e9ae9af3 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Fri, 04 Jul 2014 12:37:36 +0000
Subject: [PATCH] CR-3950 Fix for OPENDJ-1504: Update documentation for privilege to search cn=changelog

---
 opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml |    6 ++++++
 opendj-sdk/opendj3-server-dev/src/main/docbkx/release-notes/chap-whats-new.xml     |   12 ++++++++++++
 opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-replication.xml     |   41 ++++++++++++++++++++++++++++++++---------
 3 files changed, 50 insertions(+), 9 deletions(-)

diff --git a/opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml b/opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml
index f01c8cf..c4ab259 100644
--- a/opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml
+++ b/opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml
@@ -781,6 +781,12 @@
     </listitem>
    </varlistentry>
    <varlistentry>
+    <term><literal>changelog-read</literal>*</term>
+    <listitem>
+     <para>Read the changelog (under <literal>cn=changelog</literal>)</para>
+    </listitem>
+   </varlistentry>
+   <varlistentry>
     <term><literal>config-read</literal>*</term>
     <listitem>
      <para>Read the server configuration</para>
diff --git a/opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-replication.xml b/opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-replication.xml
index 0dc2655..314e6c0 100644
--- a/opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-replication.xml
+++ b/opendj-sdk/opendj3-server-dev/src/main/docbkx/admin-guide/chap-replication.xml
@@ -1972,13 +1972,23 @@
     <option>--noReplicationServer</option> or
     <option>--onlyReplicationServer</option> options.</para>
 
-    <para>With replication enabled, the changelog data can be accessed under
-    <literal>cn=changelog</literal>. For example, the following search shows
-    the publicly visible data available before any changes have been
-    made.</para>
+    <para>
+     With replication enabled, the data is under <literal>cn=changelog</literal>.
+     The user reading the changelog must however
+     have access to read and search the changelog
+     and must have the <literal>changelog-read</literal> privilege.
+     By default, Directory Manager has this privilege.
+    </para>
     
     <screen>
-$ <userinput>ldapsearch --baseDN cn=changelog --port 1389 "(objectclass=*)" \* +</userinput>
+$ <userinput>ldapsearch \
+ --hostname opendj.example.com \
+ --port 1389 \
+ --bindDN "cn=Directory Manager" \
+ --bindPassword password \
+ --baseDN cn=changelog \
+ "(objectclass=*)" \
+ \* +</userinput>
 <computeroutput>dn: cn=changelog
 cn: changelog
 objectClass: top
@@ -1987,6 +1997,17 @@
 hasSubordinates: false
 entryDN: cn=changelog</computeroutput>
     </screen>
+
+    <para>
+     To allow other users to read the changelog,
+     add the <literal>changelog-read</literal> privilege to their entries.
+     For details on how to add a privilege, see the section,
+     <link
+      xlink:href="admin-guide#configure-privileges"
+      xlink:show="new"
+      xlink:role="http://docbook.org/xlink/role/olink"
+     ><citetitle>Configuring Privileges</citetitle></link>.
+    </para>
    </step>
   </procedure>
   
@@ -2003,10 +2024,12 @@
    and then start reading the next set of changes from where it left off on
    the previous request.</para>
    
-   <para>This procedure shows the client reading the change log as
-   <literal>cn=Directory Manager</literal>. Make sure your client application
-   reads the changes with sufficient access to view all the changes it
-   needs to see.</para>
+   <para>
+    This procedure shows the client reading the change log as
+    <literal>cn=Directory Manager</literal>.
+    Make sure your client application reads the changes
+    with sufficient access and privileges to view all the changes it needs to see.
+   </para>
    
    <step>
     <para>Send an initial search request using the LDAP control with no
diff --git a/opendj-sdk/opendj3-server-dev/src/main/docbkx/release-notes/chap-whats-new.xml b/opendj-sdk/opendj3-server-dev/src/main/docbkx/release-notes/chap-whats-new.xml
index 4ac1b11..21cf321 100644
--- a/opendj-sdk/opendj3-server-dev/src/main/docbkx/release-notes/chap-whats-new.xml
+++ b/opendj-sdk/opendj3-server-dev/src/main/docbkx/release-notes/chap-whats-new.xml
@@ -42,6 +42,18 @@
 
     <listitem>
      <para>
+      OpenDJ directory server now requires a privilege,
+      <literal>changelog-read</literal> to read and search entries
+      under <literal>cn=changelog</literal>
+      (<link
+        xlink:show="new"
+        xlink:href="https://bugster.forgerock.org/jira/browse/OPENDJ-1351"
+      >OPENDJ-1351</link>).
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
       OpenDJ directory server now provides a mechanism
       to reference password validators from subentry password policies
       (<link xlink:show="new"

--