Resource versioning is enabled by default in new installations. Upgraded servers that had SCIM enabled need additional configuration to enable resource versioning.
- Enable the ds-entry-checksum virtual attribute.
  $ bin/dsconfig set-virtual-attribute-prop \
      --name ds-entry-checksum \
      --set enabled:true
- Remove any existing access controls required by SCIM for read access to operational attributes:
  $ bin/dsconfig set-access-control-handler-prop \
      --remove 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
- Add new access controls required by SCIM for read access to operational attributes with the addition of the ds-entry-checksum:
  $ bin/dsconfig set-access-control-handler-prop \
      --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time || ds-entry-checksum")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
- Enable SCIM resource versioning using the entry checksum virtual attribute:
  $ bin/dsconfig set-http-servlet-extension-prop \
      --extension-name SCIM \
      --set entity-tag-ldap-attribute:ds-entry-checksum
If enabled, the value of the ds-entry-checksum attribute is returned as the ETag header value when accessing the resource through SCIM, and is checked against the If-Match header when updating the resource. When accessing the resource through LDAP, use the ds-entry-checksum attribute instead.
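
The ETag and If-Match check described above is what lets a client avoid overwriting a concurrent change, such as an account being deactivated between its read and its write. The following is an added example, not code from the product: `FakeScimServer` is a constructed in-memory stand-in whose SHA-256 digest only plays the role of ds-entry-checksum, and it assumes a failed If-Match is answered with the standard HTTP 412 status.

```python
import hashlib
import json


class FakeScimServer:
    """Constructed stand-in for one SCIM resource; not the server's implementation."""

    def __init__(self, resource):
        self.resource = dict(resource)

    def _etag(self):
        # Plays the role of ds-entry-checksum: changes whenever the entry changes.
        body = json.dumps(self.resource, sort_keys=True).encode()
        return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

    def get(self):
        return 200, {"ETag": self._etag()}, dict(self.resource)

    def put(self, body, headers):
        if headers.get("If-Match") != self._etag():
            return 412, {}, None  # Precondition Failed: client holds a stale version
        self.resource = dict(body)
        return 200, {"ETag": self._etag()}, dict(self.resource)


def update_with_etag(server, change, max_attempts=3):
    """Read-modify-write guarded by If-Match; returns (attempts_used, saved_resource)."""
    for attempt in range(1, max_attempts + 1):
        _, headers, resource = server.get()
        status, _, saved = server.put(change(dict(resource)),
                                      {"If-Match": headers["ETag"]})
        if status == 200:
            return attempt, saved
        if status != 412:
            raise RuntimeError(f"unexpected status {status}")
        # 412: someone else changed the entry; re-read and reapply the change.
    raise RuntimeError("resource kept changing; giving up")


def demo():
    server = FakeScimServer({"userName": "jdoe", "title": "Engineer", "active": True})
    raced = []

    def change(res):
        if not raced:  # simulate another client deactivating the user mid-update
            raced.append(True)
            server.resource["active"] = False
        res["title"] = "Manager"
        return res

    return update_with_etag(server, change)
```

Without the If-Match header, the first PUT would have succeeded and silently set `active` back to true.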