Configuring the Identity Access API
After you have run the <server-root>/config/scim-config-ds.dsconfig script, the resources defined in the scim-resources.xml file will be available, as well as the Identity Access API.
To allow SCIM access to the raw LDAP data, you must set a combination of configuration properties on the SCIM Servlet Extension using the dsconfig tool.
- include-ldap-objectclass. Specifies a multi-valued property that lists the object classes for entries that will be exposed. The object class used here will be the one that clients need to use when referencing Identity Access API resources. This property accepts the special value "*", which exposes all object classes. If "*" is used, then the SCIM servlet uses the same case used in the server LDAP schema.
- exclude-ldap-objectclass. Specifies a multi-valued property that lists the object classes for entries that will not be exposed. When this property is specified, all object classes will be exposed except those in this list.
- include-ldap-base-dn. Specifies a multi-valued property that lists the base DNs that will be exposed. If specified, only entries under these base DNs will be accessible. No parent-child relationships between the listed DNs are allowed here.
- exclude-ldap-base-dn. Specifies a multi-valued property that lists the base DNs that will not be exposed. If specified, entries under these base DNs will not be accessible. No parent-child relationships between the listed DNs are allowed here.
Using a combination of these properties, SCIM endpoints will be available for all included object classes, just as if they were SCIM Resources defined in the scim-resources.xml file.
Configuring the Identity Access API
Steps
- Ensure that you have run the scim-config-ds.dsconfig script to configure the SCIM interface. Be sure to enable the entryDN virtual attribute.
- Set a combination of properties to allow the SCIM clients access to the raw LDAP data: include-ldap-objectclass, exclude-ldap-objectclass, include-ldap-base-dn, or exclude-ldap-base-dn. Example:

$ bin/dsconfig set-http-servlet-extension-prop \
    --extension-name SCIM --set 'include-ldap-objectclass:*' \
    --set include-ldap-base-dn:ou=People,dc=example,dc=com
Result:
The SCIM clients now have access to the raw LDAP data via LDAP object class-based resources, as well as the core SCIM resources defined in the scim-resources.xml file.
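As an added example (not from the product documentation or its code), the following Python models the exposure rules of the four properties described above and the dsconfig command in step 2, so that a proposed combination can be audited against sample entries before it is applied. It assumes, since the page does not say, that an exclude list takes precedence over an include list and that DN matching is a case-insensitive RDN-suffix comparison; the sample entries, `PAGE_POLICY` and the `audit` helper are constructed for this example.

```python
# Added example, not product code: models which entries the Identity Access API
# would expose under the four dsconfig properties above. Assumed, not stated on
# the page: excludes win over includes; DN matching is case-insensitive per RDN.
from dataclasses import dataclass, field

def is_under(entry_dn: str, base_dn: str) -> bool:
    # True when entry_dn equals base_dn or lies beneath it (RDN suffix match).
    # Simplification: assumes no escaped commas inside RDN values.
    entry = [c.strip().lower() for c in entry_dn.split(",")]
    base = [c.strip().lower() for c in base_dn.split(",")]
    return len(entry) >= len(base) and entry[-len(base):] == base

@dataclass
class ExposurePolicy:
    include_objectclass: list[str] = field(default_factory=list)
    exclude_objectclass: list[str] = field(default_factory=list)
    include_base_dn: list[str] = field(default_factory=list)
    exclude_base_dn: list[str] = field(default_factory=list)

    def exposed_objectclasses(self, entry_classes: list[str]) -> set[str]:
        # Object classes (lowercased for comparison) that would become SCIM endpoints.
        classes = {c.lower() for c in entry_classes}
        # '*' exposes every class; exclude-ldap-objectclass alone means "all but these".
        if "*" in self.include_objectclass or (
                not self.include_objectclass and self.exclude_objectclass):
            allowed = classes
        else:
            allowed = classes & {c.lower() for c in self.include_objectclass}
        return allowed - {c.lower() for c in self.exclude_objectclass}

    def is_exposed(self, entry_dn: str, entry_classes: list[str]) -> bool:
        # True if the entry is reachable through the Identity Access API.
        if self.include_base_dn and not any(is_under(entry_dn, b) for b in self.include_base_dn):
            return False
        if any(is_under(entry_dn, b) for b in self.exclude_base_dn):
            return False
        return bool(self.exposed_objectclasses(entry_classes))

def audit(policy: ExposurePolicy, entries: dict[str, list[str]]) -> list[str]:
    # DNs from a {dn: objectclasses} map that the policy would expose.
    return [dn for dn, classes in entries.items() if policy.is_exposed(dn, classes)]

# Constructed sample directory, and the policy set by this page's dsconfig example.
SAMPLE_ENTRIES = {
    "uid=user.1,ou=people,dc=example,dc=com": ["top", "person", "inetOrgPerson"],
    "cn=Directory Manager,cn=Root DNs,cn=config": ["top", "person"],
    "ou=Groups,dc=example,dc=com": ["top", "organizationalUnit"],
}
PAGE_POLICY = ExposurePolicy(include_objectclass=["*"], include_base_dn=["ou=People,dc=example,dc=com"])
```

Running `audit(PAGE_POLICY, SAMPLE_ENTRIES)` shows that the wildcard object class setting is bounded only by the base DN restriction, which is why the two properties are normally set together.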
Disabling core SCIM resources
Steps
- Open the config/scim-resources.xml file, and comment out or remove the <resource> elements that you would like to disable.
- Disable and re-enable the HTTP Connection Handler, or restart the server to make the changes take effect. In general, changing the scim-resources.xml file requires an HTTP Connection Handler restart or server restart. When making other changes to the SCIM configuration by modifying the SCIM HTTP Servlet Extension using dsconfig, the changes take effect immediately without any restart required.
Verifying the Identity Access API configuration
Steps
- Perform a curl request to verify the Identity Access API configuration.
Result:

$ curl -k -u "cn=directory manager:password" \
    -H "Accept: application/json" \
    "https://example.com/top/56c9fd6b-f870-35ef-9959-691c783b7318?attributes=entryDN,uid,givenName,sn,entryUUID"

{"schemas":["urn:scim:schemas:core:1.0","urn:unboundid:schemas:scim:ldap:1.0"],
 "id":"56c9fd6b-f870-35ef-9959-691c783b7318",
 "meta":{"lastModified":"2013-01-11T23:38:26.489Z",
   "location":"https://example.com:443/v1/top/56c9fd6b-f870-35ef-9959-691c783b7318"},
 "urn:unboundid:schemas:scim:ldap:1.0":{"givenName":["Rufus"],"uid":["user.1"],
   "sn":["Firefly"],"entryUUID":["56c9fd6b-f870-35ef-9959-691c783b7318"],
   "entrydn":"uid=user.1,ou=people,dc=example,dc=com"}}