To allow a user to manipulate soft deletes, the user must be able to use the appropriate controls. By default, only the Directory Manager has these controls. The user also needs to have the soft-delete-read privilege assigned. ACIs are required to allow this user to:
  • Modify target entries.
  • Use the soft delete/undelete controls.
  • Use the soft-deleted entry access control (to modify soft-deleted entries).
  • Use the hard delete request control to permanently delete a soft-deleted entry.
  • For example, take the uid=admin,dc=example,dc=com user that is installed with the sample user data during setup. This user already has an ACI in place giving it access to user entries:
    (targetattr="*")(version 3.0; acl "Grant full access for the admin user";
    allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
  • The other ACIs need to be added to the base suffix (or to another point in the DIT, if the scope of the grant should be narrowed):
    (targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")
    (version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

    (targetcontrol="1.3.6.1.4.1.30221.2.5.22") (version 3.0; acl "Allow admins to use the Hard Delete Request Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

    (targetcontrol="1.3.6.1.4.1.30221.2.5.23") (version 3.0; acl "Allow admins to use the Undelete Request Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

    (targetcontrol="1.3.6.1.4.1.30221.2.5.24") (version 3.0; acl "Allow admins to use the Soft-Deleted Entry Access Request Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
  • Add the ds-privilege-name attribute to the user with the value soft-delete-read. Once this is complete, the user can soft delete (and undelete) entries.
    $ ./bin/ldapmodify -s -p 1389 -D uid=admin,dc=example,dc=com -w password
    # Successfully connected to localhost:1389.
         
    dn: uid=user.10,ou=people,dc=example,dc=com
    changetype: delete
    
    # Deleting entry uid=user.10,ou=people,dc=example,dc=com ...
    # Result Code:  0 (success)
    # Soft Delete Response Control:
    #      OID:  1.3.6.1.4.1.30221.2.5.21
    #      Soft-Deleted Entry DN:  entryUUID=8dbe8cb4-1aa3-41c5-88ec-a6280eeff918+uid=user.10,ou=People,dc=example,dc=com
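As an added check that is not part of the original documentation, the following Python audits a set of ACI strings read back from the directory and reports which of the five control OIDs listed above the user still cannot use, and whether the soft-delete-read privilege is held. The sample ACIs, the regular expressions and the function names are this example's own assumptions, not a directory server API.

```python
import re

# Control OIDs named on the page: soft delete request (.20) and response (.21),
# hard delete (.22), undelete (.23) and soft-deleted entry access (.24).
SOFT_DELETE_CONTROLS = {
    "1.3.6.1.4.1.30221.2.5.20", "1.3.6.1.4.1.30221.2.5.21",
    "1.3.6.1.4.1.30221.2.5.22", "1.3.6.1.4.1.30221.2.5.23",
    "1.3.6.1.4.1.30221.2.5.24",
}

# Constructed sample: the page's control ACIs as read back from the base suffix,
# with the hard delete ACI deliberately omitted so that a gap is reported.
SAMPLE_ACIS = [
    '(targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21") '
    '(version 3.0; acl "Soft delete controls"; allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)',
    '(targetcontrol="1.3.6.1.4.1.30221.2.5.23") (version 3.0; acl "Undelete control"; '
    'allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)',
    '(targetcontrol="1.3.6.1.4.1.30221.2.5.24") (version 3.0; acl "Soft-deleted entry access"; '
    'allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)',
]

_TARGETCONTROL = re.compile(r'\(targetcontrol\s*=\s*"([^"]*)"\)', re.I)
_ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.I)
_USERDN = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"', re.I)

def normalize_dn(dn):
    # Lower-case and strip spaces so DNs compare reliably.
    return ",".join(p.strip().lower() for p in dn.split(","))

def granted_controls(acis, user_dn):
    # OIDs that a targetcontrol ACI grants to user_dn with read (or all) rights.
    wanted, granted = normalize_dn(user_dn), set()
    for aci in acis:
        target, allow = _TARGETCONTROL.search(aci), _ALLOW.search(aci)
        if not target or not allow:
            continue  # attribute ACI (no targetcontrol) or no allow clause
        rights = {r.strip().lower() for r in allow.group(1).split(",")}
        if not rights & {"read", "all"}:
            continue
        if wanted in {normalize_dn(d) for d in _USERDN.findall(aci)}:
            granted.update(o.strip() for o in target.group(1).split("||"))
    return granted

def missing_controls(acis, user_dn):
    # Required OIDs the user cannot yet use; an empty list means the ACIs are complete.
    return sorted(SOFT_DELETE_CONTROLS - granted_controls(acis, user_dn))

def soft_delete_ready(acis, user_dn, privileges):
    # Every control granted and the soft-delete-read privilege held.
    return not missing_controls(acis, user_dn) and "soft-delete-read" in privileges
```

Running it against the sample reports only the hard delete OID as missing; once that ACI is added and ds-privilege-name carries soft-delete-read, soft_delete_ready returns True.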