PingDirectory

Configuring soft deletes as a global configuration

Configure the soft delete feature by creating a soft delete policy and then setting the configuration property on the server. The presence of the soft-delete policy enables the feature on the server and allows the global configuration property to send the necessary soft delete requests.

About this task

For this configuration, use the --useSoftDelete option with the ldapmodify or ldapdelete command to send the delete with the soft delete request control. Without the --useSoftDelete option, any delete is processed as a hard delete.

To configure soft deletes as a global configuration:

Steps

  1. Configure a soft delete policy using the dsconfig command.

    The soft delete configuration requires a soft delete policy, which enables the feature on the server.

    Example:

    $ bin/dsconfig create-soft-delete-policy \
      --policy-name default-soft-delete-policy
  2. Configure the soft delete as a global configuration property using the dsconfig command.

    This command sets the global configuration property that allows the soft delete controls to be sent as requests.

    Example:

    $ bin/dsconfig set-global-configuration-prop \
      --set soft-delete-policy:default-soft-delete-policy

Configuring a user to use soft or hard delete controls

To use soft deletes, a user must have access to the appropriate controls. By default, only the Directory Manager has access to these controls.

About this task

The user must also have the soft-delete-read privilege. Access control instructions (ACIs) allow the user to:

  • Modify target entries

  • Use the soft delete and undelete controls

  • Use the soft-deleted entry access control to modify soft-deleted entries

  • Use the hard delete request control to permanently delete a soft-deleted entry

The uid=admin,dc=example,dc=com user that is installed with the sample data during setup already has an ACI giving it access to user entries as follows.

(targetattr="*")(version 3.0; acl "Grant full access for the admin user";
allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)

Steps

  1. Add the following ACIs to the base suffix or other point in the directory information tree (DIT) to restrict the scope as required.

    Example:

    (targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")
    (version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    
    (targetcontrol="1.3.6.1.4.1.30221.2.5.22") (version 3.0; acl "Allow admins to use the Hard Delete
    Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    
    (targetcontrol="1.3.6.1.4.1.30221.2.5.23") (version 3.0; acl "Allow admins to use the Undelete
    Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
    
    (targetcontrol="1.3.6.1.4.1.30221.2.5.24") (version 3.0; acl "Allow admins to use the Soft-Deleted
    Entry Access Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
  2. Add the ds-privilege-name attribute to the user with the value soft-delete-read.

    Example:

    $ ./bin/ldapmodify -s -p 1389 -D uid=admin,dc=example,dc=com -w password
    # Successfully connected to localhost:1389.
    
    dn: uid=user.10,ou=people,dc=example,dc=com
    changetype: delete
    
    # Deleting entry uid=user.10,ou=people,dc=example,dc=com ...
    # Result Code:  0 (success)
    # Soft Delete Response Control:
    #      OID:  1.3.6.1.4.1.30221.2.5.21
    #      Soft-Deleted Entry DN:  entryUUID=8dbe8cb4-1aa3-41c5-88ec-a6280eeff918+uid=user.10,ou=People,dc=example,dc=com
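Because soft-deleted entries remain readable and restorable, it is worth auditing which bind DNs the targetcontrol ACIs from step 1 actually grant the five control OIDs to. The following Python script is an added example, not part of the PingDirectory documentation or product: it parses ACIs written in the layout shown above (one userdn bind rule per ACI), and reports which of the page's soft delete controls a given user is missing. The sample ACI text is constructed here, and the rule that a deny overrides an allow is this script's assumption.

```python
import re

# Control OIDs named in the ACIs above; .21 is the response control the client must also be allowed.
SOFT_DELETE_CONTROLS = {
    "1.3.6.1.4.1.30221.2.5.20": "Soft Delete Request Control",
    "1.3.6.1.4.1.30221.2.5.21": "Soft Delete Response Control",
    "1.3.6.1.4.1.30221.2.5.22": "Hard Delete Request Control",
    "1.3.6.1.4.1.30221.2.5.23": "Undelete Request Control",
    "1.3.6.1.4.1.30221.2.5.24": "Soft-Deleted Entry Access Request Control",
}

# Matches one targetcontrol ACI in the layout used on this page (a single userdn bind rule).
ACI_RE = re.compile(
    r'\(targetcontrol="(?P<oids>[^"]+)"\)\s*\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*userdn="ldap:///(?P<userdn>[^"]+)";\)'
)

# Constructed sample: the page's ACIs for uid=admin, minus the Undelete Request Control one.
SAMPLE_ACIS = """
(targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")
(version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control";
allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
(targetcontrol="1.3.6.1.4.1.30221.2.5.22") (version 3.0; acl "Allow admins to use the Hard Delete
Request Control";allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
(targetcontrol="1.3.6.1.4.1.30221.2.5.24") (version 3.0; acl "Allow admins to use the Soft-Deleted
Entry Access Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
"""

def parse_targetcontrol_acis(text):
    """Yield (effect, userdn, set of control OIDs) for every targetcontrol ACI in text."""
    for m in ACI_RE.finditer(text):
        oids = {oid.strip() for oid in m.group("oids").split("||")}
        yield m.group("effect"), m.group("userdn").strip().lower(), oids

def controls_granted(text, userdn):
    """Soft delete control OIDs the user may send. Assumes a deny overrides an allow."""
    allowed, denied = set(), set()
    for effect, dn, oids in parse_targetcontrol_acis(text):
        if dn == userdn.lower():
            (allowed if effect == "allow" else denied).update(oids & set(SOFT_DELETE_CONTROLS))
    return allowed - denied

def missing_controls(text, userdn):
    """Name the page's soft delete controls that the user has not been granted."""
    granted = controls_granted(text, userdn)
    return {oid: name for oid, name in SOFT_DELETE_CONTROLS.items() if oid not in granted}

if __name__ == "__main__":
    for oid, name in sorted(missing_controls(SAMPLE_ACIS, "uid=admin,dc=example,dc=com").items()):
        print(f"missing {name} ({oid})")
```

Run against the ACI values exported from your own suffix entry to confirm that only the intended administrators hold the Hard Delete and Undelete controls; the soft-delete-read privilege itself is a separate check on ds-privilege-name.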