The user must also have the soft-delete-read privilege. Access control instructions (ACIs) allow the user to:

  • Modify target entries
  • Use the soft delete and undelete controls
  • Use the soft-deleted entry access control to modify soft-deleted entries
  • Use the hard delete request control to permanently delete a soft-deleted entry

The uid=admin,dc=example,dc=com user that is installed with the sample data during setup already has an ACI giving it access to user entries as follows.

(targetattr="*")(version 3.0; acl "Grant full access for the admin user";
allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
  1. To restrict the scope, add the following ACIs at the base suffix or at another point in the directory information tree (DIT) as required.
    (targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")
    (version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

    (targetcontrol="1.3.6.1.4.1.30221.2.5.22")
    (version 3.0; acl "Allow admins to use the Hard Delete Request Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

    (targetcontrol="1.3.6.1.4.1.30221.2.5.23")
    (version 3.0; acl "Allow admins to use the Undelete Request Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

    (targetcontrol="1.3.6.1.4.1.30221.2.5.24")
    (version 3.0; acl "Allow admins to use the Soft-Deleted Entry Access Request Control";
    allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)
  2. Add the ds-privilege-name attribute to the user with the value soft-delete-read.
    $ ./bin/ldapmodify -s -p 1389 -D uid=admin,dc=example,dc=com -w password
    # Successfully connected to localhost:1389.
         
    dn: uid=user.10,ou=people,dc=example,dc=com
    changetype: delete
    
    # Deleting entry uid=user.10,ou=people,dc=example,dc=com ...
    # Result Code:  0 (success)
    # Soft Delete Response Control:
    #      OID:  1.3.6.1.4.1.30221.2.5.21
    #      Soft-Deleted Entry DN:  entryUUID=8dbe8cb4-1aa3-41c5-88ec-a6280eeff918+uid=user.10,ou=People,dc=example,dc=com
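Because the four targetcontrol ACIs above decide who may soft-delete, hard-delete, undelete and read soft-deleted entries, it is worth being able to audit them before and after a change. The following Python script is an added example, not part of the original documentation or the server's own tooling: it parses ACIs of the exact shape shown in step 1 (a targetcontrol list separated by `||`, a version/acl clause, allow or deny with a rights list, and a single `userdn="ldap:///..."` bind rule, which is a deliberate simplification of the full ACI syntax) and reports which bind DN can use which control by OID. The sample ACI text is constructed for the example; it repeats the admin ACIs in the page's style and adds a hypothetical `uid=helpdesk` account that is allowed to undelete but explicitly denied the Hard Delete Request Control.

```python
import re
from collections import defaultdict

# OIDs of the request/response controls listed on the page, keyed to their names.
CONTROL_NAMES = {
    "1.3.6.1.4.1.30221.2.5.20": "Soft Delete Request Control",
    "1.3.6.1.4.1.30221.2.5.21": "Soft Delete Response Control",
    "1.3.6.1.4.1.30221.2.5.22": "Hard Delete Request Control",
    "1.3.6.1.4.1.30221.2.5.23": "Undelete Request Control",
    "1.3.6.1.4.1.30221.2.5.24": "Soft-Deleted Entry Access Request Control",
}

# Matches one targetcontrol ACI in the shape used on the page. Only the
# userdn="ldap:///..." bind rule is understood (simplification for this example).
ACI_RE = re.compile(
    r'\(targetcontrol="(?P<oids>[^"]+)"\)\s*'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn="ldap:///(?P<dn>[^"]+)"\s*;\s*\)'
)


def parse_control_acis(text):
    """Return a list of dicts, one per targetcontrol ACI found in text."""
    acis = []
    for m in ACI_RE.finditer(text):
        acis.append({
            "oids": [o.strip() for o in m.group("oids").split("||")],
            "name": " ".join(m.group("name").split()),   # collapse wrapped lines
            "effect": m.group("effect"),
            "rights": [r.strip() for r in m.group("rights").split(",")],
            "dn": m.group("dn").strip().lower(),           # normalise for comparison
        })
    return acis


def control_grants(text):
    """Map each bind DN to the set of control OIDs it is allowed to use.

    A deny ACI naming an OID removes it for that DN, mirroring the usual
    directory-server rule that deny takes precedence over allow.
    """
    allowed = defaultdict(set)
    denied = defaultdict(set)
    for aci in parse_control_acis(text):
        target = allowed if aci["effect"] == "allow" else denied
        target[aci["dn"]].update(aci["oids"])
    return {dn: oids - denied.get(dn, set()) for dn, oids in allowed.items()}


def who_can_use(text, oid):
    """Sorted list of DNs granted the given control OID."""
    return sorted(dn for dn, oids in control_grants(text).items() if oid in oids)


def describe(text):
    """Human-readable summary lines: which DN may use which named control."""
    lines = []
    for dn, oids in sorted(control_grants(text).items()):
        names = [CONTROL_NAMES.get(o, o) for o in sorted(oids)]
        lines.append(f"{dn}: {', '.join(names)}")
    return lines


# Constructed sample: the admin ACIs in the page's style plus a hypothetical
# helpdesk account that may undelete but is explicitly denied hard delete.
SAMPLE_ACIS = '''
(targetcontrol="1.3.6.1.4.1.30221.2.5.20||1.3.6.1.4.1.30221.2.5.21")
(version 3.0; acl "Allow admins to use the Soft Delete Request Control and Soft Delete Response Control";
allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

(targetcontrol="1.3.6.1.4.1.30221.2.5.22") (version 3.0; acl "Allow admins to use the Hard Delete
Request Control";allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

(targetcontrol="1.3.6.1.4.1.30221.2.5.23") (version 3.0; acl "Allow admins to use the Undelete
Request Control";allow (read) userdn="ldap:///uid=admin,dc=example,dc=com";)

(targetcontrol="1.3.6.1.4.1.30221.2.5.23") (version 3.0; acl "Helpdesk may undelete";
allow (read) userdn="ldap:///uid=helpdesk,ou=people,dc=example,dc=com";)

(targetcontrol="1.3.6.1.4.1.30221.2.5.22") (version 3.0; acl "Helpdesk may not hard delete";
deny (read) userdn="ldap:///uid=helpdesk,ou=people,dc=example,dc=com";)
'''

if __name__ == "__main__":
    for line in describe(SAMPLE_ACIS):
        print(line)
    print("Can hard-delete:", who_can_use(SAMPLE_ACIS, "1.3.6.1.4.1.30221.2.5.22"))
```

Run against the sample, the summary shows the admin DN holding all four soft-delete controls and the helpdesk DN holding only the Undelete Request Control; `who_can_use` for OID `1.3.6.1.4.1.30221.2.5.22` returns only the admin DN. To audit a live server, feed the function the `aci` attribute values exported from the suffix where step 1 placed them; remember that the control ACI alone is not enough, since the user also needs the `soft-delete-read` privilege from step 2 to see soft-deleted entries.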