Enabling resource versioning
About this task
Resource versioning is enabled by default in new installations. Upgraded servers that had SCIM enabled need additional configuration to enable resource versioning.
Steps
- Enable the ds-entry-checksum virtual attribute.
  Example:
  $ bin/dsconfig set-virtual-attribute-prop \
      --name ds-entry-checksum \
      --set enabled:true
- Remove any existing access controls required by SCIM for read access to operational attributes.
  Example:
  $ bin/dsconfig set-access-control-handler-prop \
      --remove 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
- Add the new access controls required by SCIM for read access to operational attributes, with the addition of ds-entry-checksum.
  Example:
  $ bin/dsconfig set-access-control-handler-prop \
      --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time || ds-entry-checksum")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
- Enable SCIM resource versioning using the entry checksum virtual attribute.
  Example:
  $ bin/dsconfig set-http-servlet-extension-prop \
      --extension-name SCIM \
      --set entity-tag-ldap-attribute:ds-entry-checksum
Result:
If enabled, the value of the ds-entry-checksum attribute is returned as the ETag header value when accessing the resource through SCIM, and is checked against the If-Match header when updating the resource. When accessing the resource through LDAP, use the ds-entry-checksum attribute instead.
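
The following is an added example, not part of the product documentation, showing how a client can use the ETag and If-Match behavior described above so that a stale update is rejected rather than silently overwriting a newer change. The resource URL, the netrc credentials file, the JSON body file and the sample header values are assumptions, and the 412 mapping follows standard HTTP conditional-request semantics.

```shell
#!/bin/sh
# Added example: conditional SCIM update keyed on the ETag (ds-entry-checksum).
# Assumptions: the resource URL and the netrc file path are supplied by the
# caller, and the status mapping follows standard HTTP conditional-request rules.

# Print the ETag value found in raw HTTP response headers read from stdin.
etag_from_headers() {
  tr -d '\r' | sed -n 's/^[Ee][Tt][Aa][Gg]:[[:space:]]*//p' | head -n 1
}

# Translate the HTTP status of a conditional PUT into an outcome.
classify_update() {
  case "$1" in
    200|204) echo applied ;;
    412)     echo stale ;;   # entry changed since the ETag was read; re-read it
    *)       echo error ;;
  esac
}

# Read the current ETag of a resource. usage: scim_get_etag <url> <netrc-file>
scim_get_etag() {
  curl -sS --netrc-file "$2" -D - -o /dev/null "$1" | etag_from_headers
}

# Update only if the entry is unchanged since <etag> was read.
# usage: scim_put_if_match <url> <netrc-file> <etag> <json-file>
scim_put_if_match() {
  [ -n "$3" ] || { echo "refusing unconditional update: empty ETag" >&2; return 2; }
  code=$(curl -sS --netrc-file "$2" -o /dev/null -w '%{http_code}' \
    -X PUT -H 'Content-Type: application/json' -H "If-Match: $3" \
    --data-binary @"$4" "$1") || return 1
  classify_update "$code"
}

# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nETag: "2157934205"\r\n')
printf '%s\n' "$SAMPLE_HEADERS" | etag_from_headers
classify_update 412
```

An empty ETag from scim_get_etag usually means entity-tag-ldap-attribute is not set or the ACI does not yet grant read access to ds-entry-checksum.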