Configuring soft deletes as a global configuration
Configure the soft delete feature by creating a soft delete policy and then setting the configuration property on the server. The presence of the soft-delete policy enables the feature on the server and allows the global configuration property to send the necessary soft delete requests.
About this task
For this configuration, use the --useSoftDelete option with the ldapmodify or ldapdelete commands to send the delete using the soft delete request control. Without the --useSoftDelete option, any delete is processed as a hard delete.
To configure soft deletes as a global configuration:
Steps
- Configure a soft delete policy using the dsconfig command. The soft delete configuration requires a soft delete policy, which enables the feature on the server.
  Example:
  $ bin/dsconfig create-soft-delete-policy \
      --policy-name default-soft-delete-policy
- Configure the soft delete as a global configuration property using the dsconfig command. This command sets up the soft delete controls necessary to send them as a request.
  Example:
  $ bin/dsconfig set-global-configuration-prop \
      --set soft-delete-policy:default-soft-delete-policy
Configuring a user to use soft or hard delete controls
To use soft deletes, a user must have access to the appropriate controls. By default, only the Directory Manager has access to these controls.
About this task
The user must also have the soft-delete-read privilege. Access control instructions (ACIs) allow the user to:
- Modify target entries
- Use the soft delete and undelete controls
- Use the soft-deleted entry access control to modify soft-deleted entries
- Use the hard delete request control to permanently delete a soft-deleted entry
The uid=admin,dc=example,dc=com user that is installed with the sample data during setup already has an ACI giving it access to user entries, as follows:
(targetattr="*")(version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
Steps
- Add the following ACIs to the base suffix or other point in the directory information tree (DIT) to restrict the scope as required.
  Example:
  (targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")
  (version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
  (targetcontrol="1.3.6.1.4.1.30221.2.5.22")
  (version 3.0; acl "Allow admins to use the Hard Delete Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
  (targetcontrol="1.3.6.1.4.1.30221.2.5.23")
  (version 3.0; acl "Allow admins to use the Undelete Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
  (targetcontrol="1.3.6.1.4.1.30221.2.5.24")
  (version 3.0; acl "Allow admins to use the Soft-Deleted Entry Access Request Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
- Add the ds-privilege-name attribute to the user with the value soft-delete-read.
  Example:
  $ ./bin/ldapmodify -s -p 1389 -D uid=admin,dc=example,dc=com -w password
  # Successfully connected to localhost:1389.
  dn: uid=user.10,ou=people,dc=example,dc=com
  changetype: delete
  # Deleting entry uid=user.10,ou=people,dc=example,dc=com ...
  # Result Code: 0 (success)
  # Soft Delete Response Control:
  # OID: 1.3.6.1.4.1.30221.2.5.21
  # Soft-Deleted Entry DN: entryUUID=8dbe8cb4-1aa3-41c5-88ec-a6280eeff918+uid=user.10,ou=People,dc=example,dc=com
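Because a user who can reach the hard delete and undelete controls can permanently remove or resurrect entries, it is worth checking which of these controls an ACI set actually grants before rolling it out. The following Python script is an added example, not part of this documentation or the server's own tooling: it parses targetcontrol ACIs in the form shown above and reports, for a given bind DN, which of the five soft delete control OIDs listed on this page are granted. The OID-to-name mapping is taken from the ACI descriptions above and the sample ACI text is constructed from them; the rule that a deny ACI overrides an allow, and the treatment of the ldap:///all and ldap:///anyone userdn keywords as matching any bound user, are assumptions about the server's ACI evaluation.

```python
"""Audit which soft delete request controls a set of targetcontrol ACIs grants.

Added example, not part of the original documentation. The OIDs and names below
come from the ACI descriptions on the page; everything else is an assumption.
"""
import re

# Control OIDs and the names the page's ACI descriptions give them.
SOFT_DELETE_CONTROLS = {
    "1.3.6.1.4.1.30221.2.5.20": "Soft Delete Request Control",
    "1.3.6.1.4.1.30221.2.5.21": "Soft Delete Response Control",
    "1.3.6.1.4.1.30221.2.5.22": "Hard Delete Request Control",
    "1.3.6.1.4.1.30221.2.5.23": "Undelete Request Control",
    "1.3.6.1.4.1.30221.2.5.24": "Soft-Deleted Entry Access Request Control",
}

# One targetcontrol ACI: (targetcontrol="oid||oid") (version 3.0; acl "..."; allow|deny (rights) userdn="...";)
ACI_RE = re.compile(
    r'\(targetcontrol="(?P<oids>[^"]+)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn="(?P<userdn>[^"]+)";\s*\)'
)

# Sample ACI text, constructed from the four ACIs shown on this page.
SAMPLE_ACIS = (
    '(targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21") '
    '(version 3.0; acl "Allow admins to use the Soft Delete Request Control and '
    'Soft Delete Response Control"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)\n'
    '(targetcontrol="1.3.6.1.4.1.30221.2.5.22") (version 3.0; acl "Allow admins to use the '
    'Hard Delete Request Control";allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)\n'
    '(targetcontrol="1.3.6.1.4.1.30221.2.5.23") (version 3.0; acl "Allow admins to use the '
    'Undelete Request Control";allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)\n'
    '(targetcontrol="1.3.6.1.4.1.30221.2.5.24") (version 3.0; acl "Allow admins to use the '
    'Soft-Deleted Entry Access Request Control"; allow (read) '
    'userdn="ldap:///uid=admin,dc=example,dc=com";)\n'
)


def parse_targetcontrol_acis(text):
    """Return one dict per targetcontrol ACI found in text; other ACIs are ignored."""
    acis = []
    for m in ACI_RE.finditer(text):
        acis.append({
            "oids": m.group("oids").split("||"),
            "name": m.group("name"),
            "effect": m.group("effect"),
            "rights": [r.strip().lower() for r in m.group("rights").split(",")],
            "userdn": m.group("userdn"),
        })
    return acis


def _userdn_matches(userdn, bind_dn):
    """Assumption: ldap:///all and ldap:///anyone match any bound user; otherwise exact DN."""
    u = userdn.lower()
    if u in ("ldap:///all", "ldap:///anyone"):
        return True
    return u == "ldap:///" + bind_dn.lower().replace(" ", "")


def granted_controls(acis, bind_dn):
    """OIDs granted to bind_dn by 'read' (or 'all') ACIs; a deny overrides an allow (assumption)."""
    allowed, denied = set(), set()
    for aci in acis:
        if not _userdn_matches(aci["userdn"], bind_dn):
            continue
        if not ({"read", "all"} & set(aci["rights"])):
            continue
        bucket = allowed if aci["effect"] == "allow" else denied
        bucket.update(aci["oids"])
    return allowed - denied


def missing_soft_delete_controls(acis, bind_dn):
    """Names of the page's soft delete controls that bind_dn is NOT granted, sorted."""
    have = granted_controls(acis, bind_dn)
    return sorted(name for oid, name in SOFT_DELETE_CONTROLS.items() if oid not in have)


if __name__ == "__main__":
    parsed = parse_targetcontrol_acis(SAMPLE_ACIS)
    for dn in ("uid=admin,dc=example,dc=com", "uid=user.10,ou=people,dc=example,dc=com"):
        print(dn, "-> missing:", missing_soft_delete_controls(parsed, dn) or "none")
```

Run it against the ACI text exported from your server rather than the constructed sample; a user who is expected to soft delete only should come back missing the Hard Delete Request Control, and an empty list for an account that is not meant to be an administrator is a finding to follow up.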