The Consent Service uses an internal LDAP connection to read and write consent records, which are stored as LDAP entries. It authenticates this LDAP connection using a service account, which must be created for and dedicated solely to the Consent Service.

The Consent Service configuration script configures the internal service account using a topology admin user. If needed, this can be changed to a root DN user or a user DN whose entry is in the user backend. In all cases, the service account should exist in every LDAP server in the topology.

This service account must have full read and write access to the Consent Service base DN, the ability to read users' isMemberOf attribute, and the right to use the following LDAP controls:

  • IntermediateClientRequestControl (1.3.6.1.4.1.30221.2.5.2)
  • NameWithEntryUUIDRequestControl (1.3.6.1.4.1.30221.2.5.44)
  • RejectUnindexedSearchRequestControl (1.3.6.1.4.1.30221.2.5.54)
  • PermissiveModifyRequestControl (1.2.840.113556.1.4.1413)
  • PostReadRequestControl (1.3.6.1.1.13.2)

For more information about configuring access, see the "Managing Access Control" chapter of the PingDirectory Server Administration Guide.

  • The simplest way to ensure the correct access is to create a user with the bypass-acl privilege. The following dsconfig command creates a topology admin user that holds only the bypass-acl privilege (inherit-default-root-privileges:false keeps it from inheriting the other default root privileges). After the user is created, set its alternate bind DN (cn=consent service account) as the bind-dn for the Consent Service.
    $ dsconfig create-topology-admin-user \
      --user-name "Consent Service Account" \
      --set "description:Consent API service account" \
      --set "alternate-bind-dn:cn=consent service account" \
      --set first-name:Consent \
      --set inherit-default-root-privileges:false \
      --set last-name:Service \
      --set password:CHANGE-ME \
      --set privilege:bypass-acl
  • Because the bypass-acl privilege grants a broad level of access that the Consent Service does not need, you may prefer not to grant it to the Consent Service account. In that case, create the topology admin user without the privilege:bypass-acl setting and add the following two ACIs, which enable only the targeted set of functionality the Consent Service requires. The example grants this access to the DN cn=consent service account using global ACIs: the first covers the consent record base DN, the second the request controls listed above. Note that neither ACI grants read access to users' isMemberOf attribute; that access must be granted separately if the existing ACIs do not already allow it.
    # Grant access to the consent record base DN ou=consents,dc=example,dc=com
    dsconfig set-access-control-handler-prop --add 'global-aci:(target="ldap:///ou=consents,dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "Consent Service account access to consent record data"; allow(all) userdn="ldap:///cn=consent service account";)'
     
    # Grant access to the LDAP request controls used by the Consent Service.
    dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.2||1.3.6.1.4.1.30221.2.5.44||1.3.6.1.4.1.30221.2.5.54||1.2.840.113556.1.4.1413||1.3.6.1.1.13.2")(version 3.0; acl "Consent Service account access to selected controls"; allow (read) userdn="ldap:///cn=consent service account";)'
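The following POSIX shell script is an added example and is not part of the PingDirectory documentation or the Consent Service configuration script. It ties the least-privilege path together: it creates the same topology admin user as above but without the bypass-acl privilege, builds the two global ACIs from the base DN, bind DN and control OIDs given on this page, adds them with dsconfig, and then binds as the new account with ldapsearch to confirm it can read the consent base entry. It assumes that connection options for dsconfig and ldapsearch (hostname, port, admin bind credentials) are supplied through the DSCONFIG_OPTS and LDAPSEARCH_OPTS environment variables, and that the account password is read from the file named by CONSENT_PASSWORD_FILE; these names are the example's own. Commands are only printed (with the password masked) unless DRY_RUN=0 and CONFIGURE=1 are set.

```shell
#!/bin/sh
# Added example, not from the PingDirectory documentation: configure the
# Consent Service account without bypass-acl and grant only the access the
# page lists (consent base DN data plus the five request controls).
# Assumed: DSCONFIG_OPTS / LDAPSEARCH_OPTS carry the connection options,
# CONSENT_PASSWORD_FILE names a file holding the account password.
set -eu

CONSENT_BASE_DN="${CONSENT_BASE_DN:-ou=consents,dc=example,dc=com}"
ACCOUNT_DN="${ACCOUNT_DN:-cn=consent service account}"
# Request controls the Consent Service uses, as listed in the documentation.
CONSENT_CONTROLS="1.3.6.1.4.1.30221.2.5.2 1.3.6.1.4.1.30221.2.5.44 1.3.6.1.4.1.30221.2.5.54 1.2.840.113556.1.4.1413 1.3.6.1.1.13.2"

# Join OIDs with "||", the separator the ACI targetcontrol keyword expects.
join_oids() {
  out=""
  for oid in "$@"; do
    out="${out:+${out}||}${oid}"
  done
  printf '%s' "$out"
}

# ACI granting full read/write access to the consent record subtree.
# $1 = consent base DN, $2 = service account bind DN
consent_data_aci() {
  printf '(target="ldap:///%s")(targetattr="*||+")(version 3.0; acl "Consent Service account access to consent record data"; allow(all) userdn="ldap:///%s";)' "$1" "$2"
}

# ACI granting use of exactly the listed request controls.
# $1 = service account bind DN, remaining args = control OIDs
consent_controls_aci() {
  bind_dn="$1"; shift
  printf '(targetcontrol="%s")(version 3.0; acl "Consent Service account access to selected controls"; allow (read) userdn="ldap:///%s";)' "$(join_oids "$@")" "$bind_dn"
}

# Print the command (dry run, the default) with any password: argument
# masked, or execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '[dry-run]'
    for arg in "$@"; do
      case "$arg" in
        password:*) printf ' password:********' ;;
        *) printf ' %s' "$arg" ;;
      esac
    done
    printf '\n'
  else
    "$@"
  fi
}

configure_consent_account() {
  pw_file="${CONSENT_PASSWORD_FILE:?set CONSENT_PASSWORD_FILE to the account password file}"
  # Same topology admin user as the bypass-acl variant, minus the privilege.
  run dsconfig ${DSCONFIG_OPTS:-} create-topology-admin-user \
    --user-name "Consent Service Account" \
    --set "description:Consent API service account" \
    --set "alternate-bind-dn:$ACCOUNT_DN" \
    --set first-name:Consent \
    --set inherit-default-root-privileges:false \
    --set last-name:Service \
    --set "password:$(cat "$pw_file")"
  run dsconfig ${DSCONFIG_OPTS:-} set-access-control-handler-prop \
    --add "global-aci:$(consent_data_aci "$CONSENT_BASE_DN" "$ACCOUNT_DN")"
  run dsconfig ${DSCONFIG_OPTS:-} set-access-control-handler-prop \
    --add "global-aci:$(consent_controls_aci "$ACCOUNT_DN" $CONSENT_CONTROLS)"
  # Smoke test: bind as the service account and read the consent base entry.
  # A failure here means the ACIs (or the account) are not in place yet.
  run ldapsearch ${LDAPSEARCH_OPTS:-} --bindDN "$ACCOUNT_DN" \
    --bindPasswordFile "$pw_file" \
    --baseDN "$CONSENT_BASE_DN" --searchScope base "(objectClass=*)" 1.1
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${CONFIGURE:-0}" = "1" ]; then
  configure_consent_account
fi
```

Run it once with the defaults to review the exact dsconfig invocations, then again with CONFIGURE=1 DRY_RUN=0 against the server. Because the ACIs are global, they apply on every server in the topology once replicated, which matches the requirement that the account exist everywhere; the isMemberOf read access the page calls for is still not covered and needs its own grant.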