Upgrade Delegated Admin to improve security.
In Delegated Admin 3.3.0 and earlier, the setup script assigned a cross-origin resource sharing (CORS) policy to the Delegated Admin HTTP servlet extension. This policy is potentially insecure because its Allowed-Origin setting uses a wildcard, which permits requests from any origin.
Unless you have made changes to secure this policy, remove it.
dsconfig set-http-servlet-extension-prop --extension-name "Delegated Admin" --reset "cross-origin-policy"
dsconfig delete-http-servlet-cross-origin-policy --policy-name "Delegated Admin Cross-Origin Policy"
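As an added example (not part of the Ping documentation), the following POSIX shell script checks whether the policy still allows the wildcard origin before issuing the two removal commands above, so it can be re-run safely on servers where the policy was already hardened or removed. It assumes dsconfig is on PATH, that DSCONFIG_OPTS holds the non-interactive connection options, that the allowed-origin property is named cors-allowed-origins, and that dsconfig prints it as "cors-allowed-origins : value1, value2"; all four are assumptions, not facts from this page.

```shell
#!/bin/sh
# Added example (not Ping's own code): remove the Delegated Admin CORS policy
# only if it still allows a wildcard origin, using the two commands above.
# Assumed, not stated on the page: dsconfig is on PATH, DSCONFIG_OPTS holds
# the non-interactive connection options (--no-prompt and bind credentials,
# left unquoted on purpose so it word-splits), the property is named
# cors-allowed-origins and dsconfig prints it as "cors-allowed-origins : a, b".
POLICY_NAME="Delegated Admin Cross-Origin Policy"
EXTENSION_NAME="Delegated Admin"

# wildcard_origin_in LIST: 0 when the comma-separated list contains "*" as a
# whole entry (surrounding blanks ignored), 1 otherwise.
wildcard_origin_in() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx '\*'
}

# current_allowed_origins: print the policy's origin list; non-zero status
# when the policy does not exist (dsconfig fails).
current_allowed_origins() {
    out=$(dsconfig $DSCONFIG_OPTS get-http-servlet-cross-origin-policy-prop \
        --policy-name "$POLICY_NAME" --property cors-allowed-origins) || return 1
    printf '%s\n' "$out" | sed -n 's/^cors-allowed-origins[[:space:]]*:[[:space:]]*//p'
}

# remove_delegated_admin_cors_policy: the two commands quoted above.
remove_delegated_admin_cors_policy() {
    dsconfig $DSCONFIG_OPTS set-http-servlet-extension-prop \
        --extension-name "$EXTENSION_NAME" --reset cross-origin-policy &&
    dsconfig $DSCONFIG_OPTS delete-http-servlet-cross-origin-policy \
        --policy-name "$POLICY_NAME"
}

# audit_delegated_admin_cors: safe to re-run; reports what it decided.
audit_delegated_admin_cors() {
    if ! origins=$(current_allowed_origins); then
        echo "No policy named '$POLICY_NAME'; nothing to remove."; return 0
    elif wildcard_origin_in "$origins"; then
        echo "Wildcard origin in '$POLICY_NAME'; removing the policy."
        remove_delegated_admin_cors_policy
    else
        echo "Origins restricted to: $origins (policy kept)."
    fi
}

# Act only when invoked with --apply, so sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then audit_delegated_admin_cors; fi
```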
Beginning with Delegated Admin 3.2.0 and PingDirectory Server 7.2.1.0, the following configuration changes were made:
- delegated-admin-resource-type was replaced with rest-resource-type.
- delegated-administrator was replaced with delegated-admin-rights and delegated-admin-resource-rights.
As a result, Delegated Admin 3.0.2 or earlier requires PingDirectory Server 7.2.0.1 or earlier. Similarly, Delegated Admin 3.2.0 or later requires PingDirectory Server 7.2.1.0 or later.
The update tool converts earlier configurations to new configuration definitions. This tool is used during the process of upgrading PingDirectory Server.
The migrated Delegated Admin configuration features a group REST resource type for the structural object classes groupOfNames and groupOfUniqueNames. If the original user's resource type configuration includes a value for Org Search Filter, then the migrated configuration also features a generic orgs REST resource type with the structural object class organizationalUnit as the parent resource type of users. If necessary, change the structural object class on the resource type configuration after the Delegated Admin update completes.
If you change the structural object class, you must stop the server to proceed with the update.
The delegated-admin-template.dsconfig file has been updated to allow for generate-password extended requests and password validation details request controls. This change is not applied during an update. You must run the following two dsconfig commands when updating PingDirectory Delegated Admin to Version 4.0.0.
dsconfig set-access-control-handler-prop --add \
'global-aci:(extop="1.3.6.1.4.1.30221.2.6.62")(version 3.0; \
acl "Authenticated access to the generate-password extended \
request for the Delegated Admin API"; allow (read) userdn="ldap:///all";)'
dsconfig set-access-control-handler-prop \
--add 'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.40")\
(version 3.0;acl "Authenticated access to the password validation details request \
control for the Delegated Admin API"; allow (read) userdn="ldap:///all";)'
For additional considerations, see the Planning your upgrade guide.
To upgrade Delegated Admin on PingDirectory Server, perform the following steps:
- Extract the contents of the Delegated Admin upgrade .zip file.
- Rename the original delegator folder to retain a backup copy of the earlier version.
- Copy the extracted folder named delegator to the PingDirectory Server folder named webapps.
- Copy the {OriginalDelegatorFolder}/app/config.js configuration file to the new delegator folder.
- Restart PingDirectory Server.
For more information, see the PingDirectory Server Administration Guide.