Enabling resource versioning
About this task
Resource versioning is enabled by default in new installations. Upgraded servers that had System for Cross-domain Identity Management (SCIM) enabled need additional configuration to enable resource versioning.
Steps
- Enable the ds-entry-checksum virtual attribute.
  Example:
  $ bin/dsconfig set-virtual-attribute-prop \
      --name ds-entry-checksum \
      --set enabled:true
- Remove any existing access controls required by SCIM for read access to operational attributes.
  Example:
  $ bin/dsconfig set-access-control-handler-prop \
      --remove 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time") (version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
- On the backend directory server, enable new access controls required by SCIM for read access to operational attributes with the following command.
  If this access control instruction (ACI) is not present, problems will occur when a SCIM client tries to authenticate with a non-root distinguished name (DN).
  $ bin/dsconfig set-access-control-handler-prop \
      --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time || ds-entry-checksum") (version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
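One way to confirm the result of the last two steps is to audit the server's global-aci values after the change. The following is an added example, not part of the product documentation: the function and constant names are hypothetical, the sample ACIs are constructed from the attribute lists above, and it assumes you have already exported the global-aci values as strings.

```python
import re

# Names below (functions, constants) are hypothetical helpers for this example.
CHECKSUM_ATTR = "ds-entry-checksum"
SCIM_ACL_NAME = ("Authenticated read access to operational attributes "
                 "used by the SCIM servlet extension")

# Matches the single-target form used on this page:
# (targetattr="a || b")(version 3.0;acl "name"; allow (rights) bindrule;)
ACI_RE = re.compile(
    r'^\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.+?);\)$'
)

def parse_aci(aci):
    """Return the parts of one ACI value, or None if it does not parse."""
    m = ACI_RE.match(aci.strip())
    if m is None:
        return None
    return {
        "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
        "name": m["name"],
        "rights": {r.strip() for r in m["rights"].split(",")},
        "bind": m["bind"].strip(),
    }

def audit_scim_acis(global_acis):
    """Label each SCIM operational-attribute ACI: current, stale or malformed."""
    findings = []
    for aci in global_acis:
        parsed = parse_aci(aci)
        if parsed is None:
            if SCIM_ACL_NAME in aci:  # SCIM ACI present but not well-formed
                findings.append(("malformed", aci))
        elif parsed["name"] == SCIM_ACL_NAME:
            has_checksum = CHECKSUM_ATTR in parsed["attrs"]
            findings.append(("current" if has_checksum else "stale", aci))
    return findings

def scim_aci_ready(global_acis):
    """True only when exactly one SCIM ACI remains and it grants the checksum."""
    return [state for state, _ in audit_scim_acis(global_acis)] == ["current"]

# Constructed sample values built from the attribute lists on this page.
_OLD_ATTRS = ("entryUUID || entryDN || ds-entry-unique-id || createTimestamp"
              " || ds-create-time || modifyTimestamp || ds-update-time")
_TAIL = '(version 3.0;acl "%s"; allow (read,search,compare) userdn="ldap:///all";)' % SCIM_ACL_NAME
OLD_ACI = '(targetattr="%s") %s' % (_OLD_ATTRS, _TAIL)
NEW_ACI = '(targetattr="%s || %s") %s' % (_OLD_ATTRS, CHECKSUM_ATTR, _TAIL)
```

A "stale" finding means the pre-upgrade ACI was never removed, and a "malformed" finding means a SCIM ACI value is present but does not parse as a complete instruction.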