We should implement a central logging facility for all changes, so that we have a central audit trail of which account changes were triggered, when, and by whom. Logs should be rotated using Logrotate and we should also add them to backups.
For LDAP changes we can probably hook into the existing logging of the LDAP library for managing users and groups, but we also need to include some additional level of detail (e.g. triggered by admin changes).
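One way this could look, as an added sketch rather than the project's own code: it assumes a Python code base and uses the hypothetical logger names `accounts` and `ldap_lib` (the LDAP library is not named above). It routes both loggers into one audit file, stamps each record with the triggering actor, and keeps writing correctly after Logrotate renames the file.

```python
import contextvars
import json
import logging
import logging.handlers
from contextlib import contextmanager
from datetime import datetime, timezone

# Who triggered the current change (e.g. an admin); "system" when unset.
_actor = contextvars.ContextVar("audit_actor", default="system")

@contextmanager
def acting_as(actor):
    """Attribute every audit record emitted inside the block to `actor`."""
    token = _actor.set(actor)
    try:
        yield
    finally:
        _actor.reset(token)

class ActorFilter(logging.Filter):
    """Stamp each record with the actor, covering the 'by whom' part."""
    def filter(self, record):
        record.actor = _actor.get()
        return True

class JsonLineFormatter(logging.Formatter):
    """One JSON object per line: when, who, source logger, what."""
    def format(self, record):
        when = datetime.fromtimestamp(record.created, timezone.utc)
        return json.dumps({
            "when": when.isoformat(),
            "who": record.actor,
            "source": record.name,
            "what": record.getMessage(),
        }, sort_keys=True)

def attach_audit_log(path, logger_names=("accounts", "ldap_lib")):
    """Route the named loggers into one audit file and return the handler."""
    # WatchedFileHandler reopens the file after logrotate moves it away.
    handler = logging.handlers.WatchedFileHandler(path, encoding="utf-8")
    handler.setFormatter(JsonLineFormatter())
    handler.addFilter(ActorFilter())
    for name in logger_names:
        log = logging.getLogger(name)
        log.setLevel(logging.INFO)  # library loggers often default to WARNING
        log.addHandler(handler)
    return handler
```

Because the handler reopens the file on its own, a plain rename-and-create Logrotate rule is enough and `copytruncate` is not needed.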