To use soft deletes, a user must have access to the appropriate controls. By default, only the Directory Manager has access to these controls.
The user must also have the soft-delete-read privilege. Access control instructions (ACIs) allow the user to:
- Modify target entries
- Use the soft delete and undelete controls
- Use the soft-deleted entry access control to modify soft-deleted entries
- Use the hard delete request control to permanently delete a soft-deleted entry
The uid=admin,dc=example,dc=com user that is installed with the sample data during setup already has an ACI giving it access to user entries as follows.
(targetattr="*")(version 3.0; acl "Grant full access for the admin user";
allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)