PingDirectory

Authentication and authorization with the Configuration API

This topic describes how to customize authentication and authorization for the Configuration API.

Authentication

Clients must use HTTP basic authentication to authenticate to the Configuration API. If the username value is not a distinguished name (DN), it is resolved to a DN using the identity mapper associated with the Configuration servlet. By default, the Configuration API uses an identity mapper that allows an entry's UID value to be used as a username. To change this behavior, either customize the default identity mapper or specify a different identity mapper using the Configuration servlet's identity-mapper property, as in the following example.

$ bin/dsconfig set-http-servlet-extension-prop \
  --extension-name Configuration \
  --set "identity-mapper:Alternative Identity Mapper"

Authorization

To access configuration information, users must have the appropriate privileges:

  • To access the cn=config backend, users must have the bypass-acl privilege or be allowed access to the configuration using an ACI.

  • To read configuration information, users must have the config-read privilege.

  • To update the configuration, users must have the config-write privilege.
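The following added example (not part of the product documentation) audits an LDIF export for accounts that hold the privileges listed above and reports what each one permits through the Configuration API. It assumes privileges are assigned as ds-privilege-name values on the user entry; the sample entries and the function names are constructed for illustration, and privileges inherited by root users and the contents of ACIs are not evaluated.

```python
import base64

CONFIG_PRIVS = {"bypass-acl", "config-read", "config-write"}

# Constructed sample export (not from a real server).
# Assumption: privileges appear as ds-privilege-name values on the entry.
SAMPLE_LDIF = """\
dn: uid=cfg-reader,ou=Service Accounts,dc=example,dc=com
ds-privilege-name: config-read

dn: uid=cfg-admin,ou=Service Accounts,dc=example,dc=com
ds-privilege-name: bypass-acl
ds-privilege-name: config-read
ds-privilege-name: config-write

dn: uid=jdoe,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; decodes base64 'attr:: value' lines."""
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():  # unfold continuations
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def audit(text):
    """Map each DN holding a config-related privilege to what it permits."""
    report = {}
    for dn, attrs in parse_ldif(text):
        privs = {p.lower() for p in attrs.get("ds-privilege-name", [])} & CONFIG_PRIVS
        if privs:
            report[dn] = {
                "read": "config-read" in privs,
                "write": "config-write" in privs,
                # Without bypass-acl the account still needs an ACI on cn=config.
                "needs_aci": "bypass-acl" not in privs,
            }
    return report

if __name__ == "__main__":
    for dn, caps in audit(SAMPLE_LDIF).items():
        print(dn, caps)
```

Accounts reported with "write": True or "needs_aci": False are the ones to review first, since they can change the configuration or bypass access control entirely.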