Page created: 24 Jul 2019 |
Page updated: 6 Nov 2019
Before you enable the SCIM servlet extension, add access controls on each of
the backend Directory Servers to allow read access to operational attributes used by the SCIM
Servlet Extension. We recommend using the following non-interactive command to add access
control instructions, rather than its dsconfig interactive
$ bin/dsconfig set-access-control-handler-prop \ --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || modifyTimestamp") (version 3.0;acl "Authenticated read access to operational attributes \ used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
On the Directory Proxy Server, enable the SCIM servlet extension by running the dsconfig batch
$ bin/dsconfig --batch-file config/scim-config-proxy.dsconfig
The dsconfig batch file must be edited to use the correct
request processor name and base DN name(s) for the
set-root-dse-backend-propcommands, respectively, as described in the "Configuring LDAP Control Support on All Request Processors" and "SCIM Servlet Extension Authentication" sections later in the chapter.