PingDirectory

Configuring the Identity Access API

After you have run the <server-root>/config/scim-config-ds.dsconfig script, the resources defined in the scim-resources.xml will be available as well as the Identity Access API.

To allow SCIM access to the raw LDAP data, you must set a combination of configuration properties on the SCIM Servlet Extension using the dsconfig tool.

  • include-ldap-objectclass. Specifies a multi-valued property that lists the object classes for entries that will be exposed. The object class used here will be the one that clients need to use when referencing Identity Access API resources. This property allows the special value "*" to allow all object classes. If "*" is used, then the SCIM servlet uses the same case used in the server LDAP Schema.

  • exclude-ldap-objectclass. Specifies a multi-valued property that lists the object classes for entries that will not be exposed. When this property is specified, all object classes will be exposed except those in this list.

  • include-ldap-base-dn. Specifies a multi-valued property that lists the base DNs that will be exposed. If specified, only entries under these base DNs will be accessible. No parent-child relationships in the DNs are allowed here.

  • exclude-ldap-base-dn. Specifies a multi-valued property that lists the base DNs that will not be exposed. If specified, entries under these base DNs will not be accessible. No parent-child relationships in the DNs are allowed here.

Using a combination of these properties, SCIM endpoints will be available for all included object classes, just as if they were SCIM Resources defined in the scim-resources.xml file.

Configuring the Identity Access API

Steps

  1. Ensure that you have run the scim-config-ds.dsconfig script to configure the SCIM interface. Be sure to enable the entryDN virtual attribute.

  2. Set a combination of properties to allow the SCIM clients access to the raw LDAP data: include-ldap-objectclass, exclude-ldap-objectclass, include-ldap-base-dn, or exclude-ldap-base-dn.

    Example:

    $ bin/dsconfig set-http-servlet-extension-prop \
      --extension-name SCIM --set 'include-ldap-objectclass:*' \
      --set include-ldap-base-dn:ou=People,dc=example,dc=com

    Result:

    The SCIM clients now have access to the raw LDAP data via LDAP object class-based resources as well as core SCIM resources as defined in the scim.resource.xml file.

Disabling core SCIM resources

Steps

  1. Open the config/scim-resources.xml file, and comment out or remove the <resource> elements that you would like to disable.

  2. Disable and re-enable the HTTP Connection Handler, or restart the server to make the changes take effect. In general, changing the scim-resources.xml file requires a HTTP Connection Handler restart or server restart.

    When making other changes to the SCIM configuration by modifying the SCIM HTTP Servlet Extension using dsconfig, the changes take effect immediately without any restart required.

Verifying the Identity Access API configuration

Steps

  • Perform a curl request to verify the Identity Access API configuration.

    Result:

    $ curl -k -u "cn=directory manager:password" \
      -H "Accept: application/json" \
      "https://example.com/top/56c9fd6b-f870-35ef-9959-691c783b7318?
         attributes=entryDN,uid,givenName,sn,entryUUID"
         {"schemas":["urn:scim:schemas:core:1.0","urn:unboundid:schemas:scim:ldap:1.0"],
          "id":"56c9fd6b-f870-35ef-9959-691c783b7318",
          "meta":{"lastModified":"2013-01-11T23:38:26.489Z",
          "location":"https://example.com:443/v1/top/56c9fd6b-f870-35ef-9959-691c783b7318"},
          "urn:unboundid:schemas:scim:ldap:1.0":{"givenName":["Rufus"],"uid":["user.1"],
          "sn":["Firefly"],"entryUUID":["56c9fd6b-f870-35ef-9959-691c783b7318"],
          "entrydn":"uid=user.1,ou=people,dc=example,dc=com"}}