The default scim-resources.xml configuration maps the SCIM resource ID to the LDAP entryUUID attribute. The entryUUID attribute, whose read-only value is assigned by the Directory Server, meets the requirements of the SCIM specification regarding resource ID immutability. However, mapping the resource ID to the entryUUID attribute may result in inefficient group processing, since LDAP groups use the entry DN as the basis of group membership. The resource configuration also allows the SCIM resource ID to be mapped to the LDAP entry DN. However, the entry DN does not meet the requirements of the SCIM specification regarding resource ID immutability, because LDAP permits entries to be renamed or moved, thus modifying the DN. Likewise, you can use the Identity Access API to change the value of an entry's RDN attribute, thereby triggering a MODDN operation.
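The following added example (not part of the product documentation) illustrates the immutability point above. It compares two LDIF exports, matches entries on entryUUID, and reports which saved resource IDs stop resolving after a rename when the ID is the DN rather than the entryUUID. The sample entries and UUID values are constructed, and the parser assumes simple LDIF with no base64 values, folded lines, or escaped commas in DNs.

```python
# Added example: sample entries and UUIDs below are constructed, not real data.
BEFORE = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
entryUUID: 11111111-1111-1111-1111-111111111111

dn: uid=asmith,ou=People,dc=example,dc=com
entryUUID: 22222222-2222-2222-2222-222222222222
"""
# Same directory after a MODDN changed the first entry's RDN.
AFTER = BEFORE.replace("uid=jdoe,", "uid=jane.doe,")


def parse_ldif(text):
    """Return {dn: {attr: [values]}}; assumes no base64 values or folded lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0]] = attrs
    return entries


def norm(value):
    """Crude DN normalisation; assumes no escaped commas in RDN values."""
    return ",".join(part.strip().lower() for part in value.split(","))


def renamed(before, after):
    """Map entryUUID -> (old DN, new DN) for entries renamed or moved."""
    def by_uuid(entries):
        return {e["entryuuid"][0]: norm(dn) for dn, e in entries.items() if "entryuuid" in e}
    old, new = by_uuid(before), by_uuid(after)
    return {u: (old[u], new[u]) for u in old.keys() & new.keys() if old[u] != new[u]}


def unresolved(saved_ids, after, attr):
    """Saved resource IDs that no longer match any entry's attr ('dn' or 'entryuuid')."""
    current = {norm(e[attr][0]) for e in after.values() if attr in e}
    return sorted(i for i in saved_ids if norm(i) not in current)


if __name__ == "__main__":
    b, a = parse_ldif(BEFORE), parse_ldif(AFTER)
    print("renamed:", renamed(b, a))
    print("stale DN-based IDs:", unresolved(list(b), a, "dn"))
    print("stale entryUUID-based IDs:", unresolved([e["entryuuid"][0] for e in b.values()], a, "entryuuid"))
```
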
A resource may also be configured such that its SCIM resource ID is provided by an arbitrary attribute in the request body during POST operations. This SCIM attribute must be mapped to an LDAP attribute so that the SCIM resource ID may be stored in the Directory Server. By default, it is the responsibility of the SCIM client to guarantee ID uniqueness. However, the UID Unique Attribute Plugin may be used by the Directory Server to enforce attribute value uniqueness. For information about the UID Unique Attribute Plugin, see "Working with the UID Unique Attribute plugin" in the PingDirectory Server Administration Guide.
<resourceIDMapping>
Element".