Resource versioning is enabled by default in new installations. Upgraded servers that had SCIM enabled need additional configuration to enable resource versioning.

  1. Enable the ds-entry-checksum virtual attribute.
    $ bin/dsconfig set-virtual-attribute-prop \
        --name ds-entry-checksum \
        --set enabled:true
  2. Remove any existing access controls required by SCIM for read access to operational attributes:
    $ bin/dsconfig set-access-control-handler-prop \
        --remove 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
  3. Add new access controls required by SCIM for read access to operational attributes with the addition of the ds-entry-checksum:
    $ bin/dsconfig set-access-control-handler-prop \
        --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time || ds-entry-checksum")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
  4. Enable SCIM resource versioning using the entry checksum virtual attribute:
    $ bin/dsconfig set-http-servlet-extension-prop \
        --extension-name SCIM \
        --set entity-tag-ldap-attribute:ds-entry-checksum
    When resource versioning is enabled, the value of the ds-entry-checksum attribute is returned as the ETag header value when the resource is accessed through SCIM, and it is checked against the If-Match header when the resource is updated. When accessing the resource through LDAP, use the ds-entry-checksum attribute instead.
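
The following is an added example, not code from the original page or the product: a client-side read-modify-write loop that sends the ETag back in If-Match and re-reads when the entry changed in between. The 412 status is an assumption based on standard HTTP conditional-request semantics; `update_with_etag`, `checksum`, `StubScim`, `start_stub`, the sample entry and the `/Users/jdoe` path are constructed for illustration, and the stub's SHA-256 value only stands in for ds-entry-checksum.

```python
import hashlib, json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies

def update_with_etag(url, mutate, attempts=3):
    """Read-modify-write one resource; the PUT lands only if its ETag is unchanged."""
    for _ in range(attempts):
        with OPENER.open(url) as resp:
            etag, resource = resp.headers["ETag"], json.load(resp)
        if not etag:
            raise RuntimeError("no ETag returned; resource versioning is not enabled")
        put = urllib.request.Request(url, data=json.dumps(mutate(resource)).encode(),
                                     method="PUT", headers={"If-Match": etag})
        try:
            with OPENER.open(put) as resp:
                return resp.headers["ETag"]
        except urllib.error.HTTPError as err:
            if err.code != 412:  # 412: entry changed since our read, so re-read and retry
                raise
    raise RuntimeError("resource kept changing; gave up after %d attempts" % attempts)

def checksum(entry):  # constructed stand-in for ds-entry-checksum
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class StubScim(BaseHTTPRequestHandler):
    """Constructed local stand-in for the SCIM endpoint, so the example runs offline."""
    entry = {"userName": "jdoe", "title": "analyst"}  # constructed sample resource

    def _reply(self, status):
        body = json.dumps(StubScim.entry).encode()
        self.send_response(status)
        self.send_header("ETag", checksum(StubScim.entry))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200)

    def do_PUT(self):
        new = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        if self.headers.get("If-Match") == checksum(StubScim.entry):
            StubScim.entry = new
            return self._reply(200)
        self._reply(412)  # stale or missing If-Match: refuse the write

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubScim)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/Users/jdoe" % server.server_port
```

Call `start_stub()` to get a local URL, then pass it to `update_with_etag` with a function that edits the fetched resource; a write based on a stale read is refused instead of silently overwriting another client's change.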