Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact UnboundID support in order to understand the potential impact of that change.
The LDAP Mapped SCIM HTTP Servlet Extension may be used to present a System for Cross-Domain Identity Management (SCIM) protocol interface to the Identity Data Store. It can expose resources using SCIM core schema as well as raw LDAP schema via the Identity Access API.
↓Parent Component
↓Relations To this Component
↓Properties
↓dsconfig Usage
The LDAP Mapped SCIM HTTP Servlet Extension component inherits from the SCIM HTTP Servlet Extension
The following components have a direct aggregation relation from LDAP Mapped SCIM Servlet Extensions:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ temporary-directory |
| ↓ cross-origin-policy | ↓ temporary-directory-permissions |
| ↓ base-context-path | ↓ max-results |
| ↓ oauth-token-handler | ↓ bulk-max-operations |
| ↓ resource-mapping-file | ↓ bulk-max-payload-size |
| ↓ include-ldap-objectclass | ↓ bulk-max-concurrent-requests |
| ↓ exclude-ldap-objectclass | ↓ debug-enabled |
| ↓ entity-tag-ldap-attribute | ↓ debug-level |
| ↓ debug-type | |
| ↓ include-stack-trace | |
| ↓ basic-auth-enabled | |
| ↓ include-ldap-base-dn | |
| ↓ exclude-ldap-base-dn |
| Description | A description for this HTTP Servlet Extension |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The cross-origin request policy to use for the HTTP Servlet Extension. A cross-origin policy is a group of attributes defining the level of cross-origin request supported by the HTTP Servlet Extension. |
| Default Value | No cross-origin policy is defined and no CORS headers are recognized or returned. |
| Allowed Values | The DN of any HTTP Servlet Cross Origin Policy. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The context path to use to access the SCIM interface. The value must start with a forward slash and must represent a valid HTTP context path. |
| Default Value | / |
| Allowed Values | The value must start with a forward slash and must represent a valid HTTP context path. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | The LDAP Mapped SCIM HTTP Servlet Extension must be disabled and re-enabled for changes to this setting to take effect. This modification requires that you disable and then re-enable this component for the change to take effect |
| Description | Specifies the OAuth Token Handler implementation that should be used to validate OAuth 2.0 bearer tokens when they are included in a SCIM request. Token handlers must be implemented using a Server SDK Extension. The API allows you to verify and authenticate bearer tokens from different authorization servers as needed. SSL/TLS connection security is required on the HTTP Connection Handler when using OAuth bearer tokens, in order to protect the confidentiality of the token. |
| Default Value | None |
| Allowed Values | The DN of any Oauth Token Handler. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The LDAP Mapped SCIM HTTP Servlet Extension must be disabled and re-enabled for changes to this setting to take effect. The OAuth Token Handler changes will not take effect until the associated HTTP Connection Handler is disabled and re-enabled, or until the server is restarted. |
| Description | The path to an XML file defining the resources supported by the SCIM interface and the SCIM-to-LDAP attribute mappings to use. This file defines how to map SCIM resources to/from LDAP entries. There is an out-of-the-box file provided under config/scim-resources.xml and an XML schema file provided under config/scim-resources.xsd. Note that the Identity Access API can expose any objectclass as a REST endpoint (via the include-ldap-objectclass property), and you may configure this alongside the core SCIM endpoints defined in the resource mapping file. You may also remove the resources defined in the mapping file if you only wish to use the Identity Access API and not any core SCIM resources. |
| Default Value | config/scim-resources.xml |
| Allowed Values | Unknown |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the LDAP object classes that should be exposed directly as SCIM resources. When specified, the object classes in this list will be available as HTTP endpoints, in addition to the endpoints configured in the scim-resources.xml file. The special value '*' can be used to expose all structural object classes in the Identity Data Store schema. Specifying a large number of object classes may require more memory if the Identity Data Store has been allocated less than 512MB. |
| Default Value | None |
| Allowed Values | The name or OID of an objectclass to be included, or '*' to include all. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | If you have specified a large number of object classes or used the '*' value you should ensure that the Identity Data Store has been allocated a sufficient amount of memory (typically at least 512MB) to host the HTTP endpoints. |
| Description | Specifies the LDAP object classes that should be not be exposed directly as SCIM resources. When specified, all object classes except those in this list will be available as HTTP endpoints, in addition to the endpoints configured in the scim-resources.xml file. |
| Default Value | None |
| Allowed Values | The name or OID of an objectclass to be excluded. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the LDAP attribute whose value should be used as the entity tag value to enable SCIM resource versioning support. If possible, the ds-entry-checksum virtual attribute should be used as the entity tag. Access control must be configured so that the attribute is accessible by the authenticated user for all operations. |
| Default Value | SCIM resource versioning support will be disabled and no entity tags will be included in responses. |
| Allowed Values | The name or OID of an attribute type defined in the server schema. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
temporary-directory (Advanced Property)
| Description | Specifies the location of the directory that is used to create temporary files containing SCIM request data. |
| Default Value | scim-data-tmp |
| Allowed Values | Unknown |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
temporary-directory-permissions (Advanced Property)
| Description | Specifies the permissions that should be applied to the directory that is used to create temporary files. |
| Default Value | 700 |
| Allowed Values | A valid UNIX mode string. The mode string must contain three digits between zero and seven. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
max-results (Advanced Property)
| Description | The maximum number of resources that are returned in a response. |
| Default Value | 100 |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 2147483647 . |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
bulk-max-operations (Advanced Property)
| Description | The maximum number of operations that are permitted in a bulk request. |
| Default Value | 10000 |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 2147483647 . |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
bulk-max-payload-size (Advanced Property)
| Description | The maximum payload size in bytes of a bulk request. |
| Default Value | 10 MB |
| Allowed Values | A positive integer representing a size. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
bulk-max-concurrent-requests (Advanced Property)
| Description | The maximum number of bulk requests that may be processed concurrently by the server. Any bulk request that would cause this limit to be exceeded is rejected with HTTP status code 503. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 2147483647 . |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
debug-enabled (Advanced Property)
| Description | Enables debug logging of the SCIM SDK. Debug messages will be forwarded to the Identity Data Store debug logger with the scope of com.unboundid.directory.server.extensions.scim.SCIMHTTPServletExtension. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Identity Data Store debug logger must be enabled and correctly configured for the debug messages to be forwarded. |
debug-level (Advanced Property)
| Description | The minimum debug level that should be used for messages to be logged. |
| Default Value | info |
| Allowed Values | severe - Indicates that error messages should be logged. warning - Indicates that warning and error messages should be logged. info - Indicates that info, warning, and error messages should be logged. config - Indicates that config, info, warning, and error messages should be logged. fine - Indicates that fine, config, info, warning, and error messages should be logged. finer - Indicates that finer, fine, config, info, warning, and error messages should be logged. finest - Indicates that finest, finer, fine, config, info, warning, and error messages should be logged. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
debug-type (Advanced Property)
| Description | The types of debug messages that should be logged. |
| Default Value | coding-error exception |
| Allowed Values | coding-error - Indicates that messages related to incorrect use of the SCIM SDK should be logged. exception - Indicates that messages related to exceptions that were caught within the SCIM SDK should be logged. other - Indicates that all other messages not covered by any other message type should be logged. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
include-stack-trace (Advanced Property)
| Description | Indicates whether a stack trace of the thread which called the debug method should be included in debug log messages. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
basic-auth-enabled (Advanced Property)
| Description | Enables HTTP Basic authentication, using a username and password. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The LDAP Mapped SCIM HTTP Servlet Extension must be disabled and re-enabled for changes to this setting to take effect. This modification requires that you disable and then re-enable this component for the change to take effect |
include-ldap-base-dn (Advanced Property)
| Description | Specifies the base DNs for the branches of the DIT that should be exposed via the Identity Access API. The Identity Access API is enabled via the include-ldap-objectclass and exclude-ldap-objectclass properties, and by default does not restrict entries by their location in the DIT. This property allows you to limit the scope of the API to data within specific subtrees. If any values are specified, then only entries under those base DNs will be exposed. |
| Default Value | None |
| Allowed Values | A valid DN. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
exclude-ldap-base-dn (Advanced Property)
| Description | Specifies the base DNs for the branches of the DIT that should not be exposed via the Identity Access API. The Identity Access API is enabled via the include-ldap-objectclass and exclude-ldap-objectclass properties, and by default does not restrict entries by their location in the DIT. This property allows you to limit the scope of the API by restricting data within specific subtrees. If any values are specified, then any entries under those base DNs will not be exposed. |
| Default Value | None |
| Allowed Values | A valid DN. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured HTTP Servlet Extensions:
dsconfig list-http-servlet-extensions
[--property {propertyName}] ...
To view the configuration for an existing HTTP Servlet Extension:
dsconfig get-http-servlet-extension-prop
--extension-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing HTTP Servlet Extension:
dsconfig set-http-servlet-extension-prop
--extension-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new LDAP Mapped SCIM HTTP Servlet Extension:
dsconfig create-http-servlet-extension
--extension-name {name}
--type ldap-mapped
[--set {propertyName}:{propertyValue}] ...
To delete an existing HTTP Servlet Extension:
dsconfig delete-http-servlet-extension
--extension-name {name}