Page created: 26 Jul 2021 | Page updated: 14 Jan 2022
Product: PingDirectory 9.0
Resource versioning is enabled by default in new installations. Upgraded servers that had SCIM enabled need additional configuration to enable resource versioning.
- Enable the ds-entry-checksum virtual attribute.

  $ bin/dsconfig set-virtual-attribute-prop \
      --name ds-entry-checksum \
      --set enabled:true
- Remove any existing access controls required by SCIM for read access to operational attributes:

  $ bin/dsconfig set-access-control-handler-prop \
      --remove 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
- Add new access controls required by SCIM for read access to operational attributes with the addition of the ds-entry-checksum:

  $ bin/dsconfig set-access-control-handler-prop \
      --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time || ds-entry-checksum")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
- Enable SCIM resource versioning using the entry checksum virtual attribute:

  $ bin/dsconfig set-http-servlet-extension-prop \
      --extension-name SCIM \
      --set entity-tag-ldap-attribute:ds-entry-checksum
If enabled, the value of the ds-entry-checksum attribute is returned as the ETag header value when accessing the resource through SCIM, and is checked against the If-Match header when updating the resource. When accessing the resource through LDAP, use the ds-entry-checksum attribute instead.
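
A post-change check for the behaviour described above, as an added example that is not part of the original documentation: it compares the ETag from a SCIM response with the ds-entry-checksum value read over LDAP for the same entry. The function names, sample headers, sample LDIF and checksum value are constructed for illustration, and the handling of quotes and a W/ prefix on the ETag is an assumption about header formatting.

```shell
#!/bin/sh
# Added example: compares the SCIM ETag with the LDAP ds-entry-checksum value.
# Sample inputs below are constructed; ETag quoting and the weak-validator
# prefix (W/) are assumptions about how the server formats the header.

# Print the ETag value from raw HTTP response headers read on stdin,
# with CR, an optional W/ prefix and surrounding double quotes removed.
etag_from_headers() {
  tr -d '\r' | awk '
    tolower($0) ~ /^etag:/ {
      sub(/^[^:]*:[ \t]*/, "")
      sub(/^W\//, "")
      gsub(/^"|"$/, "")
      print; exit
    }'
}

# Print the ds-entry-checksum value from LDIF read on stdin.
checksum_from_ldif() {
  awk 'tolower($0) ~ /^ds-entry-checksum:[ \t]/ {
         sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Return 0 when both values are present and equal, 1 otherwise.
versioning_consistent() {   # $1 = HTTP response headers, $2 = LDIF
  etag=$(printf '%s\n' "$1" | etag_from_headers)
  sum=$(printf '%s\n' "$2" | checksum_from_ldif)
  [ -n "$etag" ] && [ "$etag" = "$sum" ]
}

# Constructed sample data (not captured from a real server).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: application/json
ETag: "3920472801"'
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
ds-entry-checksum: 3920472801'

if versioning_consistent "$SAMPLE_HEADERS" "$SAMPLE_LDIF"; then
  echo "OK: ETag matches ds-entry-checksum"
else
  echo "FAIL: ETag missing or different from ds-entry-checksum"
fi
```

A missing ETag after the upgrade steps points at the entity-tag-ldap-attribute setting; an empty ds-entry-checksum over LDAP points at the virtual attribute or the access control.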