PingDirectory

Setting up a DN reference attribute

A REST resource type can reference or edit other REST resource types based on a distinguished name (DN) without the full DN value. The following task, performed by the system administrator, grants the Delegated Admin administrator this ability.

About this task

In this task, the Delegated Admin attribute used for reference must be in DN syntax, such as manager, entryDN, or seeAlso.

Steps

  1. To use a resource type for DN reference:

    Choose from:

  2. To add a reference Delegated Admin attribute, run dsconfig with the create-delegated-admin-attribute option using the following syntax.

    Example:

    dsconfig create-delegated-admin-attribute \
        --type-name users  \
        --attribute-type <attribute of DN syntax> \
        --set "display-name:<display name>"  \
        --set display-order-index:<display order index>  \
        --set reference-resource-type:<rest-resource-type>

    Example:

    The following example uses the values from Creating and configuring a new REST resource type:

    dsconfig create-delegated-admin-attribute \
        --type-name users  \
        --attribute-type manager  \
        --set "display-name:Select Manager"  \
        --set display-order-index:4  \
        --set reference-resource-type:Managers

Creating and configuring a new REST resource type

You can create and configure a new REST resource type in order to set up a reference delegated admin attribute.

About this task

To set up a reference delegated admin attribute, you must have a REST resource type defined and configured.

This example task creates a new REST resource type called Managers.

Steps

  1. To create the new REST resource type, run dsconfig with the create-rest-resource-type option.

    Example:

    In the following example, the new resource type of Managers is created:

    dsconfig create-rest-resource-type \
        --type-name Managers  \
        --type user  \
        --set 'description:Rest type for users who are managers\n\It is used as reference type for the field Manager.'  \
        --set enabled:true  \
        --set resource-endpoint:managers  \
        --set structural-ldap-objectclass:inetOrgPerson  \
        --set search-base-dn:dc=example,dc=com  \
        --set "include-filter:(employeeType=manager)"  \
        --set parent-dn:ou=people,dc=example,dc=com  \
        --set create-rdn-attribute-type:uid  \
        --set display-name:Managers  \
        --set 'search-filter-pattern:(|(cn=%%)(mail=%%)(uid=%%)(sn=%%))'  \
        --set primary-display-attribute-type:cn
  2. To add Delegated Admin attributes for the resource type, run dsconfig with the create-delegated-admin-attribute option.

    Example:

    The following example adds Delegated Admin attributes for the Managers resource type:

    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type cn \
        --set "display-name:Full Name"

    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type uid \
        --set "display-name:Manager ID"

    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type mail \
        --set display-name:Email

    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type employeeType \
        --set "display-name:Employee Type (must be manager)"

    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type sn \
        --set "display-name:Last name"

    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type givenName \
        --set "display-name:First Name"
  3. To distinguish your resource type from other resources, run dsconfig with the create-delegated-admin-attribute option.

    Example:

    In the following example, Managers are distinguished from other users using the employeeType attribute:

    dsconfig create-delegated-admin-attribute \
        --type-name users \
        --attribute-type employeeType \
        --set "display-name:Employee type (manager, other)" \
        --set display-order-index:4
  4. To add Delegated Admin resource rights to your set of existing Delegated Admin rights, run dsconfig with the create-delegated-admin-resource-rights option.

    Example:

    In the following example, Delegated Admin administrators are granted the reference Admin Permission for the Managers REST resource type to allow viewing access:

    dsconfig create-delegated-admin-resource-rights \
        --rights-name <existing-rights-name> \
        --rest-resource-type Managers \
        --set enabled:true \
        --set admin-permission:reference \
        --set admin-scope:all-resources-in-base

    Example:

    In the following example, Delegated Admin administrators are granted the read and update Admin Permissions for the Managers REST resource type to allow edit access:

    dsconfig create-delegated-admin-resource-rights \
        --rights-name DArights \
        --rest-resource-type Managers \
        --set enabled:true \
        --set admin-permission:read \
        --set admin-permission:update \
        --set admin-scope:all-resources-in-base

Next steps

After you have created and configured a new REST resource type, add a reference Delegated Admin attribute. For more information, see step 2 in Setting up a DN reference attribute.
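
A pre-flight check for the two tasks above, as an added example (not part of the PingDirectory documentation or tooling): it reads a batch of dsconfig commands written as on this page and, for every type named in reference-resource-type, reports whether the batch defines it, whether any resource rights cover it, and whether those rights go beyond the reference permission. The sample batch, the function names and the finding labels are assumptions; only the batch is inspected, so a type that already exists on the server is reported as undefined-type.

```python
import shlex

# Constructed sample batch modelled on the commands on this page.
SAMPLE = r"""
dsconfig create-rest-resource-type --type-name Managers --type user
dsconfig create-delegated-admin-attribute \
    --type-name users --attribute-type manager \
    --set "display-name:Select Manager" \
    --set reference-resource-type:Managers
dsconfig create-delegated-admin-resource-rights \
    --rights-name DArights --rest-resource-type Managers \
    --set admin-permission:read --set admin-permission:update
"""

def parse(text):
    """Yield (subcommand, options, properties) per dsconfig command."""
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        argv = shlex.split(line)
        if argv[:1] != ["dsconfig"] or len(argv) < 2:
            continue
        opts, props = {}, {}
        for flag, value in zip(argv[2:], argv[3:]):
            if flag == "--set" and not value.startswith("--"):
                name, _, val = value.partition(":")
                props.setdefault(name, []).append(val)
            elif flag.startswith("--") and not value.startswith("--"):
                opts[flag] = value
        yield argv[1], opts, props

def audit(text):
    """Return (resource type, finding) pairs for each reference target."""
    defined, referenced, granted = set(), set(), {}
    for sub, opts, props in parse(text):
        if sub == "create-rest-resource-type":
            defined.add(opts.get("--type-name"))
        elif sub == "create-delegated-admin-attribute":
            referenced.update(props.get("reference-resource-type", []))
        elif sub == "create-delegated-admin-resource-rights":
            perms = granted.setdefault(opts.get("--rest-resource-type"), set())
            perms.update(props.get("admin-permission", []))
    findings = []
    for rtype in sorted(referenced):
        perms = granted.get(rtype, set())
        if rtype not in defined:
            findings.append((rtype, "undefined-type"))
        if not perms:
            findings.append((rtype, "no-rights"))
        elif perms - {"reference"}:
            findings.append((rtype, "beyond-reference"))
    return findings
```

For the sample batch, `audit(SAMPLE)` reports Managers as `beyond-reference`, because the DArights entry grants read and update rather than reference.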