General Consent Service configuration
The Consent Service configuration is used to control authorization behavior and determines where consent records are stored in the PingDirectory server.
You configure the Consent Service properties with the dsconfig set-consent-service-prop command, as shown in the following example.
```shell
$ bin/dsconfig set-consent-service-prop \
  --set enabled:true \
  --set base-dn:ou=consents,dc=example,dc=com \
  --set "bind-dn:cn=consent service account" \
  --set unprivileged-consent-scope:urn:pingdirectory:consent \
  --set privileged-consent-scope:urn:pingdirectory:consent_admin \
  --set "consent-record-identity-mapper:User ID Identity Mapper"
```
| Property | Description | Required to enable service |
|---|---|---|
| enabled | If set to | Yes |
| base-dn | Specifies a container distinguished name (DN) for consent record entries. | Yes |
| bind-dn | Specifies an internal service account used by the Consent Service to perform LDAP operations. | Yes |
| | Specifies one or more DNs of requesters that are considered privileged when using basic authentication. If not defined, a requester is only considered privileged if it's mapped to a DN with the | No |
| unprivileged-consent-scope | Specifies the name of the scope required for bearer tokens representing unprivileged requesters. | Yes |
| privileged-consent-scope | Specifies the name of the scope required for bearer tokens representing privileged requesters. | Yes |
| consent-record-identity-mapper | Specifies one or more identity mappers used to map consent record By default, these values are inferred from the authentication context, such as the bearer token subject. | No |
| | Specifies an | No |
For the Consent Service to report itself as available to clients:

- The Consent Service must be enabled.
- The Consent Service base DN must be configured and must exist.
- The internal service account must be configured and exist.
- The internal service account must have the right to read, add, modify, and delete entries under the Consent Service base DN.
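The following preflight script is an added example, not PingDirectory code. It parses the --set pairs from the dsconfig command above, checks the properties the table marks as required, and then checks the four availability conditions against a DirectorySnapshot, a constructed stand-in for the entries and rights an administrator would otherwise verify with ldapsearch. The comparison of the two scope values is an extra sanity check that is not a rule stated on this page.

```python
"""Preflight check for the Consent Service prerequisites (added example).

Not PingDirectory code. DirectorySnapshot is a constructed stand-in for the
directory state; the scope comparison is an extra check beyond the page.
"""
import shlex
from dataclasses import dataclass, field

# Properties the configuration table marks as "Required to enable service".
REQUIRED_PROPS = (
    "enabled", "base-dn", "bind-dn",
    "unprivileged-consent-scope", "privileged-consent-scope",
)
# Rights the service account needs under the base DN.
REQUIRED_RIGHTS = frozenset({"read", "add", "modify", "delete"})

# The command from the documentation, embedded so the example runs offline.
DSCONFIG_EXAMPLE = r"""bin/dsconfig set-consent-service-prop \
  --set enabled:true \
  --set base-dn:ou=consents,dc=example,dc=com \
  --set "bind-dn:cn=consent service account" \
  --set unprivileged-consent-scope:urn:pingdirectory:consent \
  --set privileged-consent-scope:urn:pingdirectory:consent_admin \
  --set "consent-record-identity-mapper:User ID Identity Mapper"
"""


def parse_dsconfig_sets(command: str) -> dict:
    """Return {property: [values]} from the --set name:value pairs of a dsconfig command.

    Line continuations are joined first; shlex handles the quoted values. Only the
    first ':' separates name from value, so scope URNs keep their own colons.
    """
    tokens = shlex.split(command.replace("\\\n", " "))
    props = {}
    for i, tok in enumerate(tokens):
        if tok == "--set" and i + 1 < len(tokens):
            name, _, value = tokens[i + 1].partition(":")
            props.setdefault(name, []).append(value)
    return props


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN key (sufficient for a snapshot)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class DirectorySnapshot:
    """Constructed stand-in for the directory: which entries exist and which
    rights each bind DN has under a given subtree."""
    entries: set
    rights: dict = field(default_factory=dict)  # {bind_dn: {subtree_dn: {rights}}}

    def exists(self, dn: str) -> bool:
        return normalize_dn(dn) in {normalize_dn(e) for e in self.entries}

    def rights_under(self, bind_dn: str, subtree: str) -> set:
        for b, subtrees in self.rights.items():
            if normalize_dn(b) == normalize_dn(bind_dn):
                for s, r in subtrees.items():
                    if normalize_dn(s) == normalize_dn(subtree):
                        return set(r)
        return set()


def availability_problems(props: dict, snapshot: DirectorySnapshot) -> list:
    """List every reason the Consent Service would not report itself as available.
    An empty list means all prerequisites listed on the page are met."""
    problems = [f"required property '{n}' is not set" for n in REQUIRED_PROPS if n not in props]
    if problems:
        return problems  # the remaining checks need the required values

    if props["enabled"][0].lower() != "true":
        problems.append("the Consent Service is not enabled")
    base_dn, bind_dn = props["base-dn"][0], props["bind-dn"][0]
    if not snapshot.exists(base_dn):
        problems.append(f"base DN {base_dn} does not exist")
    if not snapshot.exists(bind_dn):
        problems.append(f"service account {bind_dn} does not exist")
    missing = REQUIRED_RIGHTS - snapshot.rights_under(bind_dn, base_dn)
    if missing:
        problems.append(f"service account lacks {sorted(missing)} under {base_dn}")
    # Extra sanity check (not a rule stated on the page): if both scopes are the
    # same string, every unprivileged bearer token also satisfies the privileged scope.
    if props["unprivileged-consent-scope"][0] == props["privileged-consent-scope"][0]:
        problems.append("privileged and unprivileged consent scopes are identical")
    return problems


if __name__ == "__main__":
    cfg = parse_dsconfig_sets(DSCONFIG_EXAMPLE)
    # Constructed snapshot: both entries exist, but the account cannot delete.
    snap = DirectorySnapshot(
        entries={"ou=consents,dc=example,dc=com", "cn=consent service account"},
        rights={"cn=consent service account": {
            "ou=consents,dc=example,dc=com": {"read", "add", "modify"}}},
    )
    for p in availability_problems(cfg, snap):
        print("NOT AVAILABLE:", p)
```

Run it after applying the dsconfig command; each line printed corresponds to one of the availability conditions above, so an empty output means the service should report itself as available once the real directory matches the snapshot.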