The Consent Service uses an internal LDAP connection to operate against consent records that are stored as LDAP entries. The Consent Service authenticates the LDAP connection using a service account that must be created and dedicated solely to the Consent Service.

The Consent Service configuration script configures the internal service account using a topology administrator user. If needed, this can be changed to a root distinguished name (DN) user or a user DN whose entry is in the user backend. In all cases, the service account should exist in every LDAP server in the topology.

This service account must have:

  • Full read and write access to the Consent Service base DN.
  • The ability to read users' isMemberOf attribute.
  • The right to use the following LDAP controls:
    • IntermediateClientRequestControl (1.3.6.1.4.1.30221.2.5.2)
    • NameWithEntryUUIDRequestControl (1.3.6.1.4.1.30221.2.5.44)
    • RejectUnindexedSearchRequestControl (1.3.6.1.4.1.30221.2.5.54)
    • PermissiveModifyRequestControl (1.2.840.113556.1.4.1413)
    • PostReadRequestControl (1.3.6.1.1.13.2)

For more information about configuring access, see Managing access control.

  1. To ensure the correct access, create a user with the bypass-acl privilege.

    The following dsconfig command creates a topology admin user with the bypass-acl privilege.

    $ dsconfig create-topology-admin-user \
      --user-name "Consent Service Account" \
      --set "description:Consent API service account" \
      --set "alternate-bind-dn:cn=consent service account" \
      --set first-name:Consent \
      --set inherit-default-root-privileges:false \
      --set last-name:Service \
      --set password:CHANGE-ME \
      --set privilege:bypass-acl
    Tip: The bypass-acl privilege grants a broad level of access, so you might not want to grant this privilege to the Consent Service account.

  2. Set this user as the bind-dn for the Consent Service.
  3. To enable a targeted set of functionality for the Consent Service, add the following access control instruction (ACI).

    The following example grants access to the cn=consent service account DN using global ACIs.

    # Grant access to the consent record base DN ou=consents,dc=example,dc=com
    dsconfig set-access-control-handler-prop --add 'global-aci:(target="ldap:///ou=consents,dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "Consent Service account access to consent record data"; allow(all) userdn="ldap:///cn=consent service account";)'
     
    # Grant access to the LDAP request controls used by the Consent Service.
    dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.2||1.3.6.1.4.1.30221.2.5.44||1.3.6.1.4.1.30221.2.5.54||1.2.840.113556.1.4.1413||1.3.6.1.1.13.2")(version 3.0; acl "Consent Service account access to selected controls"; allow (read) userdn="ldap:///cn=consent service account";)'
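
As an added check that is not part of the original procedure, the following Python script parses the two global ACIs above and compares them with the requirements listed earlier: scoped to the consent base DN, bound to the service account DN, exactly the five listed control OIDs, and read-only on the controls. The ACI strings and the OID set are copied from this page; parse_aci and check_consent_acis are hypothetical helper names, and the ACI grammar handled is only the subset these two ACIs use.

```python
import re

# Controls the page says the Consent Service account must be allowed to use.
REQUIRED_CONTROLS = {
    "1.3.6.1.4.1.30221.2.5.2",   # IntermediateClientRequestControl
    "1.3.6.1.4.1.30221.2.5.44",  # NameWithEntryUUIDRequestControl
    "1.3.6.1.4.1.30221.2.5.54",  # RejectUnindexedSearchRequestControl
    "1.2.840.113556.1.4.1413",   # PermissiveModifyRequestControl
    "1.3.6.1.1.13.2",            # PostReadRequestControl
}

# The two global ACIs from the procedure above, without the dsconfig wrapper.
ACI_CONSENT_DATA = ('(target="ldap:///ou=consents,dc=example,dc=com")(targetattr="*||+")'
                    '(version 3.0; acl "Consent Service account access to consent record data"; '
                    'allow(all) userdn="ldap:///cn=consent service account";)')
ACI_CONTROLS = ('(targetcontrol="1.3.6.1.4.1.30221.2.5.2||1.3.6.1.4.1.30221.2.5.44||'
                '1.3.6.1.4.1.30221.2.5.54||1.2.840.113556.1.4.1413||1.3.6.1.1.13.2")'
                '(version 3.0; acl "Consent Service account access to selected controls"; '
                'allow (read) userdn="ldap:///cn=consent service account";)')

# Matches the "(version 3.0; acl "..."; allow (perms) bindrule;)" tail of an ACI.
_BODY = re.compile(r'\(version 3\.0;\s*acl "([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);\)$')

def parse_aci(aci):
    """Split one ACI into its target keywords, name, verb, permission set and bind rule."""
    targets = dict(re.findall(r'\((target\w*)="([^"]*)"\)', aci))
    m = _BODY.search(aci)
    if not m:
        raise ValueError("unrecognised ACI syntax: " + aci)
    return {"targets": targets, "name": m.group(1), "verb": m.group(2),
            "permissions": {p.strip() for p in m.group(3).split(",")},
            "bind_rule": m.group(4).strip()}

def check_consent_acis(data_aci, controls_aci, service_dn, consent_base_dn):
    """Compare the two ACIs with the documented requirements; return findings (empty = OK)."""
    findings = []
    data, ctl = parse_aci(data_aci), parse_aci(controls_aci)
    bind = f'userdn="ldap:///{service_dn}"'
    for label, aci in (("data", data), ("controls", ctl)):
        if aci["verb"] != "allow" or aci["bind_rule"] != bind:
            findings.append(f"{label} ACI is not an allow rule bound to {service_dn}")
    if data["targets"].get("target") != f"ldap:///{consent_base_dn}":
        findings.append("data ACI is not scoped to the consent base DN")
    granted = set(filter(None, ctl["targets"].get("targetcontrol", "").split("||")))
    for oid in sorted(REQUIRED_CONTROLS - granted):
        findings.append(f"controls ACI does not grant required control {oid}")
    for oid in sorted(granted - REQUIRED_CONTROLS):
        findings.append(f"controls ACI grants a control the service does not need: {oid}")
    if ctl["permissions"] != {"read"}:
        findings.append("controls ACI should grant read only, as in the documented example")
    return findings
```

Run check_consent_acis on the output of `dsconfig get-access-control-handler-prop` after editing the ACIs and an empty list confirms they still match the documented requirements.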