The Consent Service uses an internal LDAP connection to operate against consent records that are stored as LDAP entries. The Consent Service authenticates the LDAP connection using a service account that must be created and dedicated solely to the Consent Service.

The Consent Service configuration script configures the internal service account using a topology administrator user. If needed, this can be changed to a root distinguished name (DN) user or a user DN whose entry is in the user backend. In all cases, the service account should exist in every LDAP server in the topology.

This service account must have:

  • Full read and write access to the Consent Service base DN.
  • The ability to read users' isMemberOf attribute.
  • The right to use the following LDAP controls:
    • IntermediateClientRequestControl (
    • NameWithEntryUUIDRequestControl (
    • RejectUnindexedSearchRequestControl (
    • PermissiveModifyRequestControl (1.2.840.113556.1.4.1413)
    • PostReadRequestControl (

For more information about configuring access, see Managing access control.

  1. To ensure the correct access, create a user with the bypass-acl privilege.

    The following dsconfig command creates a topology admin user with the bypass-acl privilege.

    $ dsconfig create-topology-admin-user \
      --user-name "Consent Service Account" \
      --set "description:Consent API service account" \
      --set "alternate-bind-dn:cn=consent service account" \
      --set first-name:Consent \
      --set inherit-default-root-privileges:false \
      --set last-name:Service \
      --set password:CHANGE-ME \
      --set privilege:bypass-acl

    The bypass-acl privilege grants a broad level of access, so you might not want to grant this privilege to the Consent Service account.

  2. Set this user as the bind-dn for the Consent Service.
  3. If you prefer not to grant bypass-acl, give the account only the targeted access it needs by adding the following access control instructions (ACIs).

    The following example grants that access to the cn=consent service account alternate bind DN using global ACIs. The first ACI covers the consent record subtree; the second allows use of the request controls listed above.

    # Grant access to the consent record base DN ou=consents,dc=example,dc=com
    dsconfig set-access-control-handler-prop \
      --add 'global-aci:(target="ldap:///ou=consents,dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "Consent Service account access to consent record data"; allow(all) userdn="ldap:///cn=consent service account";)'
    # Grant access to the LDAP request controls used by the Consent Service.
    dsconfig set-access-control-handler-prop \
      --add 'global-aci:(targetcontrol="||||||1.2.840.113556.1.4.1413||")(version 3.0; acl "Consent Service account access to selected controls"; allow (read) userdn="ldap:///cn=consent service account";)'
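    As an added example that is not part of the product documentation, the following Python builds the two global ACIs above from parameters and checks a targetcontrol list before it is applied: an empty element in the '||'-separated OID list grants nothing for that control, so it is rejected rather than silently installed. The function names and the OID pattern are my own assumptions, not a PingDirectory API.

```python
import re
from typing import Iterable, List

# Dotted-decimal OID as written in the ACI targetcontrol keyword, e.g. 1.2.840.113556.1.4.1413.
OID_RE = re.compile(r"^[0-2](\.\d+)+$")
TARGETCONTROL_RE = re.compile(r'\(targetcontrol="([^"]*)"\)')


def consent_data_aci(consent_base_dn: str, bind_dn: str) -> str:
    """Global ACI giving the service account full read/write access to the consent subtree."""
    return (
        f'(target="ldap:///{consent_base_dn}")(targetattr="*||+")'
        f'(version 3.0; acl "Consent Service account access to consent record data"; '
        f'allow(all) userdn="ldap:///{bind_dn}";)'
    )


def controls_aci(control_oids: Iterable[str], bind_dn: str) -> str:
    """Global ACI allowing the service account to use the listed request controls.

    Every element must be a non-empty dotted OID; anything else is refused so that a
    half-filled list (as often happens when copying from a ticket) never reaches dsconfig.
    """
    oids = list(control_oids)
    bad = [o for o in oids if not OID_RE.match(o)]
    if not oids or bad:
        raise ValueError(f"targetcontrol needs non-empty dotted OIDs, rejected: {bad or oids!r}")
    return (
        f'(targetcontrol="{"||".join(oids)}")'
        f'(version 3.0; acl "Consent Service account access to selected controls"; '
        f'allow (read) userdn="ldap:///{bind_dn}";)'
    )


def invalid_targetcontrol_elements(aci: str) -> List[str]:
    """Elements of an existing ACI's targetcontrol list that are not valid OIDs.

    An empty result means every listed control is a dotted OID; an ACI without a
    targetcontrol keyword also yields an empty result.
    """
    m = TARGETCONTROL_RE.search(aci)
    if m is None:
        return []
    return [e for e in m.group(1).split("||") if not OID_RE.match(e)]


def dsconfig_add_global_aci(aci: str) -> str:
    """The dsconfig invocation that adds one global ACI to the access control handler."""
    return f"dsconfig set-access-control-handler-prop --add 'global-aci:{aci}'"
```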