In DA 3.3.0 and earlier, the setup script assigned a cross-origin resource sharing (CORS) policy to the Delegated Admin HTTP servlet extension. This policy is potentially insecure because the CORS setting Allowed-Origin permits requests that use a wildcard to allow requests from any origin. Unless you have made changes to secure this policy, remove it, as follows:

dsconfig set-http-servlet-extension-prop --extension-name "Delegated Admin" --reset "cross-origin-policy"
dsconfig delete-http-servlet-cross-origin-policy --policy-name "Delegated Admin Cross-Origin Policy"
Important:

Beginning with Delegated Admin 3.2.0 and PingDirectory Server 7.2.1.0, the following configuration changes were made:

  • delegated-admin-resource-type was replaced with rest-resource-type.
  • delegated-administrator was replaced with delegated-admin-rights and delegated-admin-resource-rights.

As a result, Delegated Admin 3.0.2 or earlier requires PingDirectory Server 7.2.0.1 or earlier. Similarly, Delegated Admin 3.2.0 or later requires PingDirectory Server 7.2.1.0 or later.

The update tool converts earlier configurations to new configuration definitions. This tool is also used during the process of upgrading PingDirectory Server.

The migrated Delegated Admin configuration features a group REST resource type for the structural object classes groupOfNames and groupOfUniqueNames. If the original user's resource type configuration includes a value for Org Search Filter, then the migrated configuration also features a generic orgs REST resource type, with the structural object class organizationalUnit as the parent resource type of users. If necessary, change the structural object class on the resource type configuration after the Delegated Admin update completes.

Note:

If you change the structural object class, you must stop the server to proceed with the update.

Note:

The delegated-admin-template.dsconfig file has been updated to allow for generate-password extended requests and password validation details request controls. This change is not applied during an update. You must run the following two dsconfig commands when updating PingDirectory Delegated Admin to Version 4.0.0:

dsconfig set-access-control-handler-prop --add \
'global-aci:(extop="1.3.6.1.4.1.30221.2.6.62")(version 3.0; \
acl "Authenticated access to the generate-password extended \
request for the Delegated Admin API"; allow (read) userdn="ldap:///all";)'
dsconfig set-access-control-handler-prop \
--add 'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.40")\
(version 3.0;acl "Authenticated access to the password validation details request \
control for the Delegated Admin API"; allow (read) userdn="ldap:///all";)'
Tip:

For additional considerations, see the Planning your upgrade guide.

To upgrade Delegated Admin on PingDirectory Server, perform the following steps:

  1. Extract the contents of the Delegated Admin upgrade .zip file.
  2. Rename the original delegator folder to retain a backup copy of the earlier version.
  3. Copy the extracted folder named delegator to the PingDirectory Server folder named webapps.
  4. Copy the {OriginalDelegatorFolder}/app/config.js configuration file to the new delegator folder.
  5. Restart PingDirectory Server.

For more information, see the PingDirectory Server Administration Guide.