Authentication and authorization with the Configuration API
This topic describes how to customize authentication and authorization for access to the Configuration API.
Authentication
Clients must use HTTP basic authentication to authenticate to the Configuration API. If the username value is not a distinguished name (DN), then it resolves to a DN value using the identity mapper associated with the Configuration servlet. By default, the Configuration API uses an identity mapper that allows an entry’s UID value to be used as a username. To customize this behavior, either customize the default identity mapper or specify a different identity mapper using the Configuration servlet’s identity-mapper property. The following code provides an example.
$ bin/dsconfig set-http-servlet-extension-prop \
  --extension-name Configuration \
  --set "identity-mapper:Alternative Identity Mapper"
Authorization
To access configuration information, users must have the appropriate privileges:
- To access the cn=config backend, users must have the bypass-acl privilege or be allowed access to the configuration using an ACI.
- To read configuration information, users must have the config-read privilege.
- To update the configuration, users must have the config-write privilege.
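
The privilege rules above can be audited against an LDIF export of user entries to see which accounts can read or update the configuration. The following Python code is an added example, not part of the product documentation; it assumes privileges are stored in the ds-privilege-name attribute, evaluates only privileges listed on the entry itself, and uses constructed sample entries and a hypothetical aci_allowed_dns parameter for users granted access by an ACI.

```python
import base64

# Constructed sample export; ds-privilege-name as the privilege attribute is an assumption.
SAMPLE_LDIF = """\
dn: uid=admin1,ou=people,dc=example,dc=com
ds-privilege-name: bypass-acl
ds-privilege-name: config-read
ds-privilege-name: config-write

dn: uid=auditor,ou=people,dc=example,dc=com
ds-privilege-name: config-read

dn: uid=ops,ou=people,dc=example,dc=com
ds-privilege-name: config-
 write
ds-privilege-name:: YnlwYXNzLWFjbA==
"""

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts; handles folded lines and base64 values."""
    lines = text.replace("\n ", "").splitlines()   # unfold LDIF continuation lines
    entries, cur = [], {}
    for line in lines + [""]:                      # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):              # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit(ldif_text, aci_allowed_dns=()):
    """Apply the rules above: reach cn=config (bypass-acl or ACI), then config-read/write."""
    aci = {dn.lower() for dn in aci_allowed_dns}   # hypothetical: DNs an ACI lets into cn=config
    report = []
    for e in parse_ldif(ldif_text):
        dn = e.get("dn", [""])[0]
        privs = {p.lower() for p in e.get("ds-privilege-name", [])}
        reach = "bypass-acl" in privs or dn.lower() in aci
        report.append({"dn": dn, "bypass_acl": "bypass-acl" in privs,
                       "read": reach and "config-read" in privs,
                       "write": reach and "config-write" in privs})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(row)
```

In the sample, uid=auditor holds config-read but cannot read the configuration until an ACI (or bypass-acl) lets it reach cn=config, while uid=ops can update the configuration without being able to read it.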