Configuring a user to use soft or hard delete controls
To use soft deletes, a user must have access to the appropriate controls. By default, only the Directory Manager has access to these controls.
About this task
The user must also have the soft-delete-read privilege. Access control instructions (ACIs) allow the user to:
- Modify target entries
- Use the soft delete and undelete controls
- Use the soft-deleted entry access control to modify soft-deleted entries
- Use the hard delete request control to permanently delete a soft-deleted entry
The uid=admin,dc=example,dc=com user that is installed with the sample data during setup already has an ACI giving it access to user entries as follows.
    (targetattr="*")(version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
Steps
- Add the following ACIs to the base suffix, or to another point in the directory information tree (DIT) to restrict the scope as required.
Example:
    (targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")(version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    (targetcontrol="1.3.6.1.4.1.30221.2.5.22")(version 3.0; acl "Allow admins to use the Hard Delete Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    (targetcontrol="1.3.6.1.4.1.30221.2.5.23")(version 3.0; acl "Allow admins to use the Undelete Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    (targetcontrol="1.3.6.1.4.1.30221.2.5.24")(version 3.0; acl "Allow admins to use the Soft-Deleted Entry Access Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
- Add the ds-privilege-name attribute to the user with the value soft-delete-read.
Example (a soft delete performed by the admin user once the ACIs and the privilege are in place):
    $ ./bin/ldapmodify -s -p 1389 -D uid=admin,dc=example,dc=com -w password
    # Successfully connected to localhost:1389.
    dn: uid=user.10,ou=people,dc=example,dc=com
    changetype: delete

    # Deleting entry uid=user.10,ou=people,dc=example,dc=com ...
    # Result Code: 0 (success)
    # Soft Delete Response Control:
    #      OID: 1.3.6.1.4.1.30221.2.5.21
    #      Soft-Deleted Entry DN: entryUUID=8dbe8cb4-1aa3-41c5-88ec-a6280eeff918+uid=user.10,ou=People,dc=example,dc=com
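Both steps above written as a single LDIF change file, added here as an example rather than taken from the product documentation; it assumes the sample base suffix dc=example,dc=com and the uid=admin,dc=example,dc=com user shown on this page.

```ldif
# Step 1: grant the admin user the four soft-delete-related request controls.
# Attaching the ACIs to the base suffix makes them apply to the whole DIT;
# attach them to a narrower subtree (for example ou=people) to limit who can
# soft-delete, undelete, or hard-delete entries and where.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")(version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.22")(version 3.0; acl "Allow admins to use the Hard Delete Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.23")(version 3.0; acl "Allow admins to use the Undelete Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.24")(version 3.0; acl "Allow admins to use the Soft-Deleted Entry Access Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

# Step 2: the ACIs only permit the controls on the wire; without the
# soft-delete-read privilege the server still refuses to expose
# soft-deleted entries, so grant it on the user entry as well.
dn: uid=admin,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: soft-delete-read
```

Apply the file with ldapmodify while bound as an account that may change ACIs and privileges (such as the Directory Manager), then repeat the soft delete shown above as uid=admin and confirm the Soft Delete Response Control appears in the result.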