PingDirectory

Configuring a user to use soft or hard delete controls

To use soft deletes, a user must have access to the appropriate controls. By default, only the Directory Manager has access to these controls.

About this task

The user must also have the soft-delete-read privilege. Access control instructions (ACIs) allow the user to:

  • Modify target entries

  • Use the soft delete and undelete controls

  • Use the soft-deleted entry access control to modify soft-deleted entries

  • Use the hard delete request control to permanently delete a soft-deleted entry

The uid=admin,dc=example,dc=com user that is installed with the sample data during setup already has an ACI giving it access to user entries as follows.

(targetattr="*")(version 3.0; acl "Grant full access for the admin user";
allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)

Steps

  1. Add the following ACIs to the base suffix or other point in the directory information tree (DIT) to restrict the scope as required.

    Example:

    (targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")
    (version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    
    (targetcontrol="1.3.6.1.4.1.30221.2.5.22") (version 3.0; acl "Allow admins to use the Hard Delete
    Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    
    (targetcontrol="1.3.6.1.4.1.30221.2.5.23") (version 3.0; acl "Allow admins to use the Undelete
    Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    
    (targetcontrol="1.3.6.1.4.1.30221.2.5.24") (version 3.0; acl "Allow admins to use the Soft-Deleted
    Entry Access Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
  2. Add the ds-privilege-name attribute to the user with the value soft-delete-read.

    Example:

    $ ./bin/ldapmodify -s -p 1389 -D uid=admin,dc=example,dc=com -w password
    # Successfully connected to localhost:1389.
    
    dn: uid=user.10,ou=people,dc=example,dc=com
    changetype: delete
    
    # Deleting entry uid=user.10,ou=people,dc=example,dc=com ...
    # Result Code:  0 (success)
    # Soft Delete Response Control:
    #      OID:  1.3.6.1.4.1.30221.2.5.21
    #      Soft-Deleted Entry DN:  entryUUID=8dbe8cb4-1aa3-41c5-88ec-a6280eeff918+uid=user.10,ou=People,dc=example,dc=com
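The following Python script is an added example and is not part of the PingDirectory documentation or product. It renders the LDIF for steps 1 and 2 above and then audits an LDIF export of the base suffix and the user entry to report which of the four control OIDs are still not granted to the user and whether the soft-delete-read privilege is present. The control OIDs are the ones shown in the procedure; BASE_DN, USER_DN, the ACI names, the sample export and the helper function names are all assumptions constructed for the example. The ACI matching is a simplified approximation of the server's evaluation (it looks only at targetcontrol ACIs with an allow clause and an exact userdn, ignoring deny rules, groupdn and other bind rules), so treat a clean result as a pre-check rather than proof.

```python
import re

# Control OIDs named in the procedure above.
SOFT_DELETE_REQUEST = "1.3.6.1.4.1.30221.2.5.20"
SOFT_DELETE_RESPONSE = "1.3.6.1.4.1.30221.2.5.21"
HARD_DELETE_REQUEST = "1.3.6.1.4.1.30221.2.5.22"
UNDELETE_REQUEST = "1.3.6.1.4.1.30221.2.5.23"
SOFT_DELETED_ENTRY_ACCESS = "1.3.6.1.4.1.30221.2.5.24"
REQUIRED_CONTROLS = {SOFT_DELETE_REQUEST, SOFT_DELETE_RESPONSE, HARD_DELETE_REQUEST,
                     UNDELETE_REQUEST, SOFT_DELETED_ENTRY_ACCESS}
REQUIRED_PRIVILEGE = "soft-delete-read"
BASE_DN = "dc=example,dc=com"            # assumed base suffix (the page's sample data)
USER_DN = "uid=admin,dc=example,dc=com"  # user being granted access (from the page)

_TARGETCONTROL_RE = re.compile(r'\(targetcontrol="([^"]+)"\)')
_USERDN_RE = re.compile(r'userdn="ldap:///([^"]+)"')
_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)')

def targetcontrol_aci(oids, user_dn, name):
    """Render one targetcontrol ACI in the form the procedure uses."""
    return ('(targetcontrol="%s")(version 3.0; acl "%s"; '
            'allow (read) userdn="ldap:///%s";)' % ("||".join(oids), name, user_dn))

def build_ldif(base_dn, user_dn):
    """LDIF for step 1 (control ACIs on the base suffix) and step 2 (the privilege)."""
    acis = [
        targetcontrol_aci([SOFT_DELETE_REQUEST, SOFT_DELETE_RESPONSE], user_dn,
                          "Allow soft delete request and response controls"),
        targetcontrol_aci([HARD_DELETE_REQUEST], user_dn, "Allow hard delete request control"),
        targetcontrol_aci([UNDELETE_REQUEST], user_dn, "Allow undelete request control"),
        targetcontrol_aci([SOFT_DELETED_ENTRY_ACCESS], user_dn,
                          "Allow soft-deleted entry access request control"),
    ]
    lines = ["dn: " + base_dn, "changetype: modify", "add: aci"]
    lines += ["aci: " + a for a in acis]
    lines += ["", "dn: " + user_dn, "changetype: modify", "add: ds-privilege-name",
              "ds-privilege-name: " + REQUIRED_PRIVILEGE, ""]
    return "\n".join(lines)

def parse_ldif_entries(text):
    """Minimal LDIF reader: unfold continuation lines, return {dn: {attr: [values]}}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded continuation line
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def controls_granted(aci_values, user_dn):
    """OIDs that a targetcontrol ACI allows (read or all) for exactly this userdn."""
    granted = set()
    for aci in aci_values:
        tc, ud, al = _TARGETCONTROL_RE.search(aci), _USERDN_RE.search(aci), _ALLOW_RE.search(aci)
        if not (tc and ud and al) or ud.group(1).lower() != user_dn.lower():
            continue
        rights = {r.strip().lower() for r in al.group(1).split(",")}
        if rights & {"read", "all"}:
            granted.update(o.strip() for o in tc.group(1).split("||"))
    return granted

def missing_for_soft_delete(entries, base_dn, user_dn):
    """Required control OIDs not granted at base_dn, plus the privilege if absent."""
    acis = entries.get(base_dn, {}).get("aci", [])
    privs = {p.lower() for p in entries.get(user_dn, {}).get("ds-privilege-name", [])}
    missing = sorted(REQUIRED_CONTROLS - controls_granted(acis, user_dn))
    if REQUIRED_PRIVILEGE not in privs:
        missing.append("privilege:" + REQUIRED_PRIVILEGE)
    return missing

# Constructed sample export: two of the four control ACIs exist for the admin,
# the hard-delete ACI is for a different user, and the privilege is missing.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")(version 3.0; acl "Soft delete c
 ontrols"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.23")(version 3.0; acl "Undelete";
  allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.22")(version 3.0; acl "Hard delete for ops"; allow (read) userdn="ldap:///uid=ops,dc=example,dc=com";)

dn: uid=admin,dc=example,dc=com
objectClass: inetOrgPerson
uid: admin
"""

if __name__ == "__main__":
    print("missing before:", missing_for_soft_delete(parse_ldif_entries(SAMPLE_LDIF), BASE_DN, USER_DN))
    fixed = parse_ldif_entries(build_ldif(BASE_DN, USER_DN))
    print("missing after:", missing_for_soft_delete(fixed, BASE_DN, USER_DN))
```

Run against the constructed export the script reports the hard delete and soft-deleted entry access OIDs and the privilege as missing; the targetattr ACI that grants `allow (all)` on entries does not count, because control use is governed by targetcontrol ACIs, which is exactly why the procedure adds them even for a user who already has full entry access. Feeding the generated LDIF back through the same check reports nothing missing.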