PingDirectory

Enabling resource versioning

About this task

Resource versioning is enabled by default in new installations. Upgraded servers that had SCIM enabled need additional configuration to enable resource versioning.

Steps

  1. Enable the ds-entry-checksum virtual attribute.

    Example:

    $ bin/dsconfig set-virtual-attribute-prop \
        --name ds-entry-checksum \
        --set enabled:true
  2. Remove any existing access controls required by SCIM for read access to operational attributes:

    Example:

    $ bin/dsconfig set-access-control-handler-prop \
        --remove 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
  3. Add new access controls required by SCIM for read access to operational attributes, now including the ds-entry-checksum attribute:

    Example:

    $ bin/dsconfig set-access-control-handler-prop \
        --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time || ds-entry-checksum")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
  4. Enable SCIM resource versioning using the entry checksum virtual attribute:

    Example:

    $ bin/dsconfig set-http-servlet-extension-prop \
        --extension-name SCIM \
        --set entity-tag-ldap-attribute:ds-entry-checksum

    Result:

    With resource versioning enabled, the value of the ds-entry-checksum attribute is returned as the ETag header value when accessing the resource through SCIM, and is checked against the If-Match header when updating the resource. When accessing the resource through LDAP, read the ds-entry-checksum attribute instead.
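
The ETag and If-Match behavior described in the result can be exercised from a client with a read followed by a conditional update. The following is an added example, not part of the product documentation. The base URL, netrc file, and resource path are placeholders, and the 412 status is assumed from standard HTTP If-Match semantics because this page does not name the status code.

```shell
#!/bin/sh
# Added example: optimistic-concurrency update against the SCIM endpoint.
# SCIM_BASE, SCIM_NETRC and the resource path are placeholders (assumptions).
SCIM_BASE="${SCIM_BASE:-https://ds.example.com:8443/scim}"
SCIM_NETRC="${SCIM_NETRC:-$HOME/.netrc}"   # keeps credentials out of argv

# Print the ETag value found in HTTP response headers read from stdin.
# Header names are case-insensitive; CRs from CRLF line endings are dropped.
etag_from_headers() {
    tr -d '\r' | awk 'tolower($0) ~ /^etag:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Read the current ETag of a resource. $1 = resource path, e.g. Users/<id>
current_etag() {
    curl -sS --netrc-file "$SCIM_NETRC" -o /dev/null -D - "$SCIM_BASE/$1" |
        etag_from_headers
}

# Replace a resource only if it is unchanged since the ETag was read.
# $1 = resource path, $2 = ETag from current_etag, $3 = file with the JSON body
# Prints the HTTP status code of the update.
put_if_match() {
    curl -sS --netrc-file "$SCIM_NETRC" -o /dev/null -w '%{http_code}' \
        -X PUT -H "If-Match: $2" -H 'Content-Type: application/json' \
        --data-binary "@$3" "$SCIM_BASE/$1"
}

# Classify the update status. 412 is the standard HTTP status for a failed
# If-Match precondition (assumed here; the page does not name the code).
update_outcome() {
    case "$1" in
        2??) echo applied ;;
        412) echo stale ;;    # entry changed since it was read: re-read, retry
        *)   echo error ;;
    esac
}

# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: application/json
ETag: "constructed-checksum-value"'

printf '%s\n' "$SAMPLE_HEADERS" | etag_from_headers
```

A client reads the tag with `current_etag`, passes it to `put_if_match`, and on a `stale` outcome re-reads the resource before retrying so that a concurrent change is not overwritten.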