PingDirectory

Configuring SCIM 1.1 for PingDirectoryProxy

Steps

  1. To allow read access to operational attributes used by the SCIM Servlet Extension, add access controls on each of the backend servers before you enable the System for Cross-domain Identity Management (SCIM) servlet extension.

    Example:

    Instead of the interactive dsconfig equivalent, the following example uses the non-interactive command to add the access control instructions (ACIs).

    $ bin/dsconfig set-access-control-handler-prop \
      --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || modifyTimestamp")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
  2. To enable the SCIM servlet extension, run the dsconfig batch file on the server.

    Example:

    $ bin/dsconfig --batch-file config/scim-config-proxy.dsconfig
  3. Edit the dsconfig batch file to use the correct request processor name and base distinguished names (DNs) for the set-request-processor-prop and set-root-dse-backend-prop commands.

Enabling resource versioning

About this task

Resource versioning is enabled by default in new installations. Upgraded servers that had SCIM enabled need additional configuration to enable resource versioning.

Steps

  1. Enable the ds-entry-checksum virtual attribute.

    Example:

    $ bin/dsconfig set-virtual-attribute-prop \
    --name ds-entry-checksum \
    --set enabled:true
  2. Remove the existing access control that SCIM previously required for read access to operational attributes.

    Example:

    $ bin/dsconfig set-access-control-handler-prop \
    --remove 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
  3. On the backend directory server, enable new access controls required by SCIM for read access to operational attributes with the following command.

    If this access control instruction (ACI) is not present, problems will occur when a SCIM client tries to authenticate with a non-root distinguished name (DN).

    $ bin/dsconfig set-access-control-handler-prop \
    --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time || ds-entry-checksum")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'

Configuring LDAP control support on all request processors

You must configure support for the required LDAP controls on all request processors handling LDAP requests that result from SCIM requests.

About this task

Change the request processor name that was provided as an example and repeat the command for all additional request processors.

Steps

  • Use dsconfig to add the supported control OIDs to each request processor. The processor name below is an example; substitute your deployment’s request processor name and repeat the command for every additional request processor.

    Example:

    $ bin/dsconfig set-request-processor-prop \
      --processor-name dc_example_dc_com-req-processor \
      --add supported-control-oid:1.2.840.113556.1.4.319 \
      --add supported-control-oid:1.2.840.113556.1.4.473 \
      --add supported-control-oid:2.16.840.1.113730.3.4.9
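The following shell helper is an added verification check, not part of the PingDirectory documentation: it parses ldapsearch LDIF output to report which of the three required control OIDs are not advertised in the root DSE, and which of the operational attributes granted by the ACI above are not returned to an authenticated non-root bind. The sample LDIF is constructed, and the bin/ldapsearch options in the trailing comments are assumed from the PingDirectory client tools.

```shell
#!/bin/sh
# Added verification helper; not from the PingDirectory docs.
# Constructed samples below stand in for live ldapsearch output.
# Controls the SCIM request processor must support (paged results,
# server-side sort, VLV) and operational attributes the ACI grants.
REQUIRED_OIDS="1.2.840.113556.1.4.319 1.2.840.113556.1.4.473 2.16.840.1.113730.3.4.9"
REQUIRED_ATTRS="entryUUID entryDN ds-entry-unique-id createTimestamp modifyTimestamp ds-entry-checksum"

# Read root DSE LDIF on stdin; print each required OID it does not advertise.
missing_controls() {
  advertised=$(sed -n 's/^supportedControl: *//p')
  for oid in $REQUIRED_OIDS; do
    echo "$advertised" | grep -qxF "$oid" || echo "$oid"
  done
}

# Read one entry's LDIF on stdin; print each required attribute it lacks
# (LDAP attribute names are case-insensitive, so compare lowercased).
missing_attrs() {
  present=$(sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' | tr 'A-Z' 'a-z')
  for attr in $REQUIRED_ATTRS; do
    lc=$(echo "$attr" | tr 'A-Z' 'a-z')
    echo "$present" | grep -qxF "$lc" || echo "$attr"
  done
}

# Constructed root DSE: server-side sort (...473) has not been added yet.
SAMPLE_ROOT_DSE='dn:
objectClass: top
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1'

# Constructed entry as returned to a non-root bind: the checksum ACI is missing.
SAMPLE_ENTRY='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
entryUUID: 3f9b1c2e-0000-4000-8000-000000000001
entryDN: uid=jdoe,ou=People,dc=example,dc=com
ds-entry-unique-id: 3f9b1c2e-0000-4000-8000-000000000001
createTimestamp: 20240101000000Z
modifyTimestamp: 20240102000000Z'

printf '%s\n' "$SAMPLE_ROOT_DSE" | missing_controls   # 1.2.840.113556.1.4.473
printf '%s\n' "$SAMPLE_ENTRY" | missing_attrs         # ds-entry-checksum

# Live use (assumed PingDirectory ldapsearch options; bind as a non-root user):
#   bin/ldapsearch --baseDN "" --searchScope base "(objectClass=*)" supportedControl | missing_controls
#   bin/ldapsearch --bindDN "$BIND_DN" --bindPassword "$PW" --baseDN dc=example,dc=com \
#     "(uid=jdoe)" $REQUIRED_ATTRS | missing_attrs
```

Run the live checks against each backend server and each request processor after applying the ACI and control changes; an empty result from both functions means the SCIM prerequisites on this page are in place.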