The Consent Service stores consent records as LDAP entries and reads and writes them over an internal LDAP connection. It authenticates this LDAP connection using a service account, which must be created for and dedicated solely to the Consent Service.
The Consent Service configuration script configures the internal service account using a topology admin user. If needed, this can be changed to a root DN user or a user DN whose entry is in the user backend. In all cases, the service account should exist in every LDAP server in the topology.
This service account must have full read and write access to the Consent Service base DN, read access to users' isMemberOf attribute, and the right to use the following LDAP request controls:
- IntermediateClientRequestControl (1.3.6.1.4.1.30221.2.5.2)
- NameWithEntryUUIDRequestControl (1.3.6.1.4.1.30221.2.5.44)
- RejectUnindexedSearchRequestControl (1.3.6.1.4.1.30221.2.5.54)
- PermissiveModifyRequestControl (1.2.840.113556.1.4.1413)
- PostReadRequestControl (1.3.6.1.1.13.2)
For more information about configuring access, see the "Managing Access Control" chapter of the PingDirectory Server Administration Guide.
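The following LDIF is an added, constructed example of what the access grants described above can look like when the service account is a user DN in the user backend; it is not taken from the Consent Service configuration script or from PingDirectory's documentation. The DNs (the service account, the consent base DN, the user container) are placeholders, and the ACI syntax (the `aci` attribute with `targetattr`, `targetcontrol` and `userdn` keywords) is assumed to be the standard PingDirectory access-control format. The OIDs are the five listed above.

```ldif
# Constructed example: dedicated service account entry (placeholder DN).
# The same entry and ACIs must exist on every server in the topology.
dn: uid=consent-service,ou=Service Accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: consent-service
cn: Consent Service
sn: Service Account
userPassword: <replace-with-a-generated-secret>

# 1. Full read and write access to the Consent Service base DN (placeholder).
#    Rights are listed explicitly rather than using "all", which would also
#    grant proxy authorization the service does not need.
dn: ou=consents,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Consent Service: read/write consent records"; allow (read,search,compare,write,add,delete) userdn="ldap:///uid=consent-service,ou=Service Accounts,dc=example,dc=com";)

# 2. Read access to users' isMemberOf only; no other user attributes are exposed.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="isMemberOf")(version 3.0; acl "Consent Service: read isMemberOf"; allow (read,search,compare) userdn="ldap:///uid=consent-service,ou=Service Accounts,dc=example,dc=com";)

# 3. Permission to send the five request controls the service relies on.
#    Control use is granted with the "read" right in a targetcontrol ACI.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetcontrol="1.3.6.1.4.1.30221.2.5.2 || 1.3.6.1.4.1.30221.2.5.44 || 1.3.6.1.4.1.30221.2.5.54 || 1.2.840.113556.1.4.1413 || 1.3.6.1.1.13.2")(version 3.0; acl "Consent Service: required request controls"; allow (read) userdn="ldap:///uid=consent-service,ou=Service Accounts,dc=example,dc=com";)
```

Keeping the three grants separate makes the account's scope easy to audit: it can modify entries only under the consent base DN, it can read a single attribute of user entries, and the control grant is limited to the five OIDs rather than allowing every control the server supports. If the account is instead created as a root DN user or topology admin, these ACIs are not needed, but the account then carries far more than the minimum the service requires.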