In DA 3.3.0 and earlier, the setup script assigned a cross-origin resource sharing (CORS) policy to the Delegated Admin HTTP servlet extension. This policy is potentially insecure because its CORS setting Allowed-Origin uses a wildcard, which permits requests from any origin. Unless you have made changes to secure this policy, remove it, as follows:
dsconfig set-http-servlet-extension-prop --extension-name "Delegated Admin" --reset "cross-origin-policy"
dsconfig delete-http-servlet-cross-origin-policy --policy-name "Delegated Admin Cross-Origin Policy"
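To confirm the effect of removing the policy, the following added example (not Ping Identity code) classifies the `Access-Control-Allow-Origin` header in response headers captured from your own Delegated Admin endpoint before and after the change. It goes slightly beyond the wildcard case by also flagging a server that echoes back an arbitrary origin; the function name, probe origin, URL placeholder and sample headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify CORS behaviour from captured HTTP response headers.
# Capture headers from your own server with a probe Origin, for instance
# (the URL is a placeholder, not a documented Delegated Admin path):
#   curl -s -o /dev/null -D - -H "Origin: $PROBE_ORIGIN" \
#        "https://<server>:<port>/<delegated-admin-api-path>" | cors_verdict "$PROBE_ORIGIN"

PROBE_ORIGIN="https://cors-probe.invalid"   # constructed origin that no real policy should list

# cors_verdict PROBE_ORIGIN  (response headers on stdin)
# Prints one of: wildcard | reflected | restricted | none
cors_verdict() {
    probe=$1
    # Header names are case-insensitive and lines end in CRLF, so normalise both.
    acao=$(tr -d '\r' | awk '
        {
            i = index($0, ":")
            if (!found && i && tolower(substr($0, 1, i - 1)) == "access-control-allow-origin") {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)   # trim surrounding whitespace
                print v
                found = 1
            }
        }')
    case "$acao" in
        "")       echo none ;;        # no CORS grant: cross-origin reads are blocked
        "*")      echo wildcard ;;    # the insecure default described above
        "$probe") echo reflected ;;   # server echoes any origin: as permissive as a wildcard
        *)        echo restricted ;;  # a specific origin is allowed; review that it is expected
    esac
}

# Constructed sample responses: with the original policy and after its removal.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nAccess-Control-Allow-Origin: *\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
}

echo "before removal: $(sample_before | cors_verdict "$PROBE_ORIGIN")"
echo "after removal:  $(sample_after | cors_verdict "$PROBE_ORIGIN")"
```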
- delegated-admin-resource-type was replaced with rest-resource-type.
- delegated-administrator was replaced with delegated-admin-rights and delegated-admin-resource-rights.
As a result, Delegated Admin 3.0.2 or earlier requires PingDirectory Server 7.2.0.1 or earlier. Similarly, Delegated Admin 3.2.0 or later requires PingDirectory Server 7.2.1.0 or later.
The update tool converts earlier configurations to new configuration definitions. This tool is also used during the process of upgrading PingDirectory Server.
The migrated Delegated Admin configuration features a group REST resource type for the structural object classes groupOfNames and groupOfUniqueNames. If the original user's resource type configuration includes a value for Org Search Filter, then the migrated configuration also features a generic orgs REST resource type, with the structural object class organizationalUnit as the parent resource type of users. If necessary, change the structural object class on the resource type configuration after the Delegated Admin update completes.
generate-password extended requests and password validation details request controls. This change is not applied during an update. You must run the following two dsconfig commands when updating PingDirectory Delegated Admin to Version 4.0.0:
dsconfig set-access-control-handler-prop \
  --add 'global-aci:(extop="1.3.6.1.4.1.30221.2.6.62")(version 3.0; acl "Authenticated access to the generate-password extended request for the Delegated Admin API"; allow (read) userdn="ldap:///all";)'
dsconfig set-access-control-handler-prop \
  --add 'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.40")(version 3.0;acl "Authenticated access to the password validation details request control for the Delegated Admin API"; allow (read) userdn="ldap:///all";)'
To upgrade Delegated Admin on PingDirectory Server, perform the following steps:
- Extract the contents of the Delegated Admin upgrade ZIP file.
- Rename the original delegator folder to retain a backup copy of the earlier version.
- Copy the extracted folder named delegator to the PingDirectory Server folder named webapps.
- Copy the configuration file config.js to the new delegator folder. config.js is located in {OriginalDelegatorFolder}/app/config.js.
- Restart PingDirectory Server.
For more information, including details about upgrading the RPM package and reverting an update, refer to the PingDirectory Server Administration Guide.