Authentication and authorization with the Configuration API
Use this topic for how to make changes for customizing authentication and authorization access with the Configuration API.
Authentication
Clients must use HTTP basic authentication to authenticate to the Configuration API. If the username value is not a distinguished name (DN), then it resolves to a DN value using the identity mapper associated with the Configuration servlet. By default, the Configuration API uses an identity mapper that allows an entry’s UID value to be used as a username. To customize this behavior, either customize the default identity mapper or specify a different identity mapper using the Configuration servlet’s identity-mapper property. The following code provides an example.
$ bin/dsconfig set-http-servlet-extension-prop \
--extension-name Configuration \
--set "identity-mapper:Alternative Identity Mapper”Authorization
To access configuration information, users must have the appropriate privileges:
-
To access the
cn=configbackend, users must have thebypass-aclprivilege or be allowed access to the configuration using an ACI. -
To read configuration information, users must have the
config-readprivilege. -
To update the configuration, users must have the
config-writeprivilege.