PingDirectory

Creating an internal service account

Create an internal LDAP connection to operate against consent records that are stored as LDAP entries.

About this task

The Consent Service uses an internal LDAP connection to operate against consent records that are stored as LDAP entries. The Consent Service authenticates the LDAP connection using a service account that must be created and dedicated solely to the Consent Service.

The Consent Service configuration script configures the internal service account using a topology administrator user. If needed, this can be changed to a root distinguished name (DN) user or a user DN whose entry is in the user backend. In all cases, the service account should exist in every LDAP server in the topology.

This service account must have:

  • Full read and write access to the Consent Service base DN.

  • The ability to read users' isMemberOf attribute.

  • The right to use the following LDAP controls:

    • IntermediateClientRequestControl (1.3.6.1.4.1.30221.2.5.2)

    • NameWithEntryUUIDRequestControl (1.3.6.1.4.1.30221.2.5.44)

    • RejectUnindexedSearchRequestControl (1.3.6.1.4.1.30221.2.5.54)

    • PermissiveModifyRequestControl (1.2.840.113556.1.4.1413)

    • PostReadRequestControl (1.3.6.1.1.13.2)

For more information about configuring access, see Managing access control.

Steps

  1. To ensure the correct access, create a user with the bypass-acl privilege.

    Example:

    The following dsconfig command creates a topology admin user with the bypass-acl privilege.

    $ dsconfig create-topology-admin-user \
      --user-name "Consent Service Account" \
      --set "description:Consent API service account" \
      --set "alternate-bind-dn:cn=consent service account" \
      --set first-name:Consent \
      --set inherit-default-root-privileges:false \
      --set last-name:Service \
      --set password:CHANGE-ME \
      --set privilege:bypass-acl

    The bypass-acl privilege grants a broad level of access, so you might not want to grant this privilege to the Consent Service account.

  2. Set this user as the bind-dn for the Consent Service.

  3. To enable a targeted set of functionality for the Consent Service, add the following access control instructions (ACIs).

    Example:

    The following example grants access to the cn=consent service account DN using global ACIs.

    # Grant access to the consent record base DN ou=consents,dc=example,dc=com
    dsconfig set-access-control-handler-prop --add 'global-aci:(target="ldap:///ou=consents,dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "Consent Service account access to consent record data"; allow(all) userdn="ldap:///cn=consent service account";)'
    
    # Grant access to the LDAP request controls used by the Consent Service.
    dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.2||1.3.6.1.4.1.30221.2.5.44||1.3.6.1.4.1.30221.2.5.54||1.2.840.113556.1.4.1413||1.3.6.1.1.13.2")(version 3.0; acl "Consent Service account access to selected controls"; allow (read) userdn="ldap:///cn=consent service account";)'
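    The two global ACIs above are the targeted alternative to the broad bypass-acl privilege from step 1. The Python below is an added example, not part of PingDirectory or this guide: it parses ACI strings of the shape used here and reports which of the three requirements listed under About this task they grant to the service account. It assumes the consent base DN ou=consents,dc=example,dc=com and the alternate bind DN cn=consent service account from the page, and it is a simplified reading of the ACI syntax, not the server's own evaluation.

```python
import re

# The two global ACIs from this page (the value after "global-aci:"), kept as sample input.
PAGE_ACIS = [
    '(target="ldap:///ou=consents,dc=example,dc=com")(targetattr="*||+")'
    '(version 3.0; acl "Consent Service account access to consent record data";'
    ' allow(all) userdn="ldap:///cn=consent service account";)',
    '(targetcontrol="1.3.6.1.4.1.30221.2.5.2||1.3.6.1.4.1.30221.2.5.44||'
    '1.3.6.1.4.1.30221.2.5.54||1.2.840.113556.1.4.1413||1.3.6.1.1.13.2")'
    '(version 3.0; acl "Consent Service account access to selected controls";'
    ' allow (read) userdn="ldap:///cn=consent service account";)',
]
# The five request controls the page says the service account must be able to use.
REQUIRED_CONTROLS = {"1.3.6.1.4.1.30221.2.5.2", "1.3.6.1.4.1.30221.2.5.44",
                     "1.3.6.1.4.1.30221.2.5.54", "1.2.840.113556.1.4.1413",
                     "1.3.6.1.1.13.2"}
TARGET_RE = re.compile(r'\((target\w*)="([^"]*)"\)')
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*userdn="ldap:///([^"]*)"')

def parse_aci(aci):
    """Split one ACI into its target keywords and its single allow/deny userdn rule."""
    targets = {k.lower(): v for k, v in TARGET_RE.findall(aci)}
    rule = RULE_RE.search(aci)
    if rule is None:
        raise ValueError("unsupported ACI syntax: " + aci)
    rights = {r.strip().lower() for r in rule.group(2).split(",")}
    return {"targets": targets, "effect": rule.group(1), "rights": rights,
            "userdn": rule.group(3).lower()}

def check_coverage(acis, bind_dn, consent_base_dn):
    """Report which of the page's three requirements the ACIs grant to bind_dn.
    Simplified: only allow rules naming bind_dn count, deny rules are ignored, and
    isMemberOf counts only via an ACI not limited to the consent base (users live elsewhere)."""
    controls, base_rw, ismemberof = set(), False, False
    for aci in map(parse_aci, acis):
        if aci["effect"] != "allow" or aci["userdn"] != bind_dn.lower():
            continue
        t, rights = aci["targets"], aci["rights"]
        readable = "all" in rights or "read" in rights
        if "targetcontrol" in t and readable:
            controls |= set(t["targetcontrol"].split("||"))
        target = t.get("target", "ldap:///").removeprefix("ldap:///").lower()
        attrs = {a.strip().lower() for a in t.get("targetattr", "").split("||")}
        if target == consent_base_dn.lower() and "*" in attrs and "all" in rights:
            base_rw = True
        if target != consent_base_dn.lower() and readable and attrs & {"ismemberof", "+"}:
            ismemberof = True
    return {"base_dn_rw": base_rw, "ismemberof_read": ismemberof,
            "missing_controls": REQUIRED_CONTROLS - controls}
```

    Run over the two ACIs on this page, the check reports the consent base DN and all five controls as covered; the isMemberOf read requirement needs a separate ACI on the user entries (see Managing access control), which these two ACIs do not provide.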