Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
The Consent Service contains the properties that affect the overall operation of the Directory Server Consent API.
The following components have a direct aggregation relation from Consent Services:
The properties supported by this managed object are as follows:
General Configuration Basic Properties: | Advanced Properties: |
---|---|
enabled | None |
base-dn | |
bind-dn | |
search-size-limit | |
consent-record-identity-mapper | |

Authorization Basic Properties: | Advanced Properties: |
---|---|
service-account-dn | None |
unprivileged-consent-scope | |
privileged-consent-scope | |
audience | |
enabled
Property Group | General Configuration |
Description | Indicates whether the Consent Service is enabled. If the Consent Service is not enabled, then it is not available for processing consent requests. Note that the Consent HTTP Servlet Extension must also be assigned to an active HTTP Connection Handler. |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
base-dn
Property Group | General Configuration |
Description | The base DN under which consent records are stored. |
Default Value | If this property is not specified, then the Consent Service will be considered unavailable. |
Allowed Values | A valid DN. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
bind-dn
Property Group | General Configuration |
Description | The DN of an internal service account used by the Consent Service to make internal LDAP requests. The Consent Service uses the DN specified by the bind-dn property to make internal LDAP requests for consent record entries. This DN must have read, write, add, and delete access to the DN specified by the base-dn property. |
Default Value | If this property is not specified, then the Consent Service will be considered unavailable. |
Allowed Values | A valid DN. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
search-size-limit
Property Group | General Configuration |
Description | The maximum number of consent resources that may be returned from a search request. If the number of search results for a given request exceeds this value, an error will be returned to the client indicating that the search matched too many results. |
Default Value | 100 |
Allowed Values | An integer value. Lower limit is 1. Upper limit is 100000. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
consent-record-identity-mapper
Property Group | General Configuration |
Description | Specifies one or more Identity Mappers used to map explicitly provided consent record subject and actor values to DNs. This is typically only needed when a privileged client manages consent records on behalf of other users. Unprivileged clients, which only act on consent records for the currently authenticated user, typically omit the subject and actor fields so that the Consent Service can infer those values, including the corresponding DNs, from the authentication context. When a consent record is created or updated and the client supplies the subject or actor field, the Consent Service consults this list of Identity Mappers to determine the equivalent DN for each provided subject or actor value, checking each Identity Mapper in sequence until a matching DN is found. A matching DN is used as the value of the subjectDN or actorDN field, as appropriate. |
Default Value | Subject and actor values in consent record requests will be mapped to DN values exclusively based on the authenticated identity. |
Allowed Values | The DN of any Identity Mapper. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
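The subject/actor resolution described for consent-record-identity-mapper (omitted values are inferred from the authenticated identity; supplied values are run through the configured Identity Mappers in order until one matches) can be modelled in a few lines. The following is an added illustration written for this page, not the server's own code; the mapper tables, DNs and the `LookupError` raised when no mapper matches are constructed assumptions, since the page does not say what happens in that case.

```python
"""Model of consent-record-identity-mapper resolution (illustration, not server code)."""
from typing import Callable, Dict, Optional, Sequence

# An Identity Mapper takes a client-supplied subject/actor value and returns a DN
# or None when it does not recognise the value.
IdentityMapper = Callable[[str], Optional[str]]


def dict_mapper(table: Dict[str, str]) -> IdentityMapper:
    """Build a lookup-style mapper from a constructed {value: DN} table (assumption:
    a stand-in for a real Identity Mapper such as one matching uid or mail)."""
    return lambda value: table.get(value)


def resolve_dn(value: Optional[str], authenticated_dn: str,
               mappers: Sequence[IdentityMapper]) -> str:
    """Return the DN for a subject or actor value.

    - value omitted (None): infer from the authentication context.
    - value supplied: consult each mapper in sequence until one returns a DN.
    Raising when nothing matches is an assumption of this model."""
    if value is None:
        return authenticated_dn
    for mapper in mappers:
        dn = mapper(value)
        if dn is not None:
            return dn
    raise LookupError(f"no identity mapper matched {value!r}")


def resolve_record(record: Dict[str, str], authenticated_dn: str,
                   mappers: Sequence[IdentityMapper]) -> Dict[str, str]:
    """Fill in subjectDN and actorDN for a consent record create/update request."""
    resolved = dict(record)
    resolved["subjectDN"] = resolve_dn(record.get("subject"), authenticated_dn, mappers)
    resolved["actorDN"] = resolve_dn(record.get("actor"), authenticated_dn, mappers)
    return resolved


if __name__ == "__main__":
    # Constructed sample data: a uid-style mapper checked before a mail-style mapper.
    mappers = [
        dict_mapper({"alice": "uid=alice,ou=People,dc=example,dc=com"}),
        dict_mapper({"bob@example.com": "uid=bob,ou=People,dc=example,dc=com"}),
    ]
    # Privileged client acting on behalf of bob, with alice as the actor.
    print(resolve_record({"subject": "bob@example.com", "actor": "alice"},
                         "cn=Consent Admin,ou=Services,dc=example,dc=com", mappers))
    # Unprivileged client: subject and actor omitted, both inferred from the bind.
    print(resolve_record({}, "uid=alice,ou=People,dc=example,dc=com", []))
```

The ordering of the list matters: the first mapper that returns a DN wins, so a broad mapper placed before a specific one will shadow it.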
service-account-dn
Property Group | Authorization |
Description | The set of account DNs that the Consent Service will consider to be privileged. Any DN in this group may authenticate to the Consent Service using HTTP Basic auth (if it is enabled). Such accounts will be considered privileged and will be granted full access to consent resources. If using bearer token authentication, then a client is instead considered privileged based on the privileged-consent-scope property. |
Default Value | If no service account DNs are specified, then no clients authenticating using HTTP Basic auth will be considered to be privileged by the Consent Service. |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
unprivileged-consent-scope
Property Group | Authorization |
Description | The name of a scope that must be present in an access token accepted by the Consent Service for unprivileged clients. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
privileged-consent-scope
Property Group | Authorization |
Description | The name of a scope that must be present in an access token accepted by the Consent Service if the client is to be considered privileged. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
audience
Property Group | Authorization |
Description | A string or URI that identifies the Consent Service in the context of OAuth2 authorization. If present, this value must be present in the audience claim of any access tokens accepted by the Consent Service. Providing an audience value is recommended, as it ensures that the Consent Service does not accept access tokens intended for another service. |
Default Value | If this property is not specified, then the Consent Service will ignore the audience claim of any access tokens that it accepts. |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
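The Authorization properties above (service-account-dn, unprivileged-consent-scope, privileged-consent-scope and audience) together decide whether a client is accepted and whether it is privileged. The model below is an added illustration written for this page, not the Directory Server's own code. It shows the point the audience description makes: with audience unset, a token minted for a different service is accepted, and with it set, the same token is rejected. Assumptions, beyond what the page states, are labelled in comments: DN comparison is simplified, an unset privileged-consent-scope means no bearer client is privileged, and an unset unprivileged-consent-scope means no scope is enforced for unprivileged bearer clients. All DNs, scopes and audience values are constructed.

```python
"""Model of Consent Service client authorization (illustration, not server code)."""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Sequence


def normalize_dn(dn: str) -> str:
    """Assumption: simplified DN equality (case-insensitive, whitespace around RDN
    separators ignored). Real LDAP DN matching is richer than this."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class ConsentServiceConfig:
    """Mirrors the page's property names; defaults match the documented defaults."""
    enabled: bool = False
    service_account_dn: Sequence[str] = ()
    unprivileged_consent_scope: Optional[str] = None
    privileged_consent_scope: Optional[str] = None
    audience: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    accepted: bool
    privileged: bool
    reason: str


def authorize_basic(cfg: ConsentServiceConfig, bind_dn: str) -> Decision:
    """HTTP Basic auth: the bind DN is assumed already authenticated by the server.
    Only DNs listed in service-account-dn are privileged; others are unprivileged."""
    if not cfg.enabled:
        return Decision(False, False, "consent service disabled")
    privileged = {normalize_dn(d) for d in cfg.service_account_dn}
    if normalize_dn(bind_dn) in privileged:
        return Decision(True, True, "service account DN")
    return Decision(True, False, "authenticated user, unprivileged")


def authorize_bearer(cfg: ConsentServiceConfig, claims: Dict[str, Any]) -> Decision:
    """Bearer token auth, given the already-validated token claims.

    1. If audience is configured it must appear in the token's aud claim
       (aud may be a string or a list, per OAuth2/JWT usage).
    2. privileged-consent-scope present -> privileged.
    3. Otherwise unprivileged-consent-scope, when configured, must be present."""
    if not cfg.enabled:
        return Decision(False, False, "consent service disabled")
    if cfg.audience is not None:
        aud = claims.get("aud")
        audiences = [aud] if isinstance(aud, str) else list(aud or [])
        if cfg.audience not in audiences:
            return Decision(False, False, "audience mismatch")
    scopes = set(str(claims.get("scope", "")).split())
    if cfg.privileged_consent_scope and cfg.privileged_consent_scope in scopes:
        return Decision(True, True, "privileged scope present")
    if cfg.unprivileged_consent_scope and cfg.unprivileged_consent_scope not in scopes:
        return Decision(False, False, "required unprivileged scope missing")
    return Decision(True, False, "unprivileged bearer client")


if __name__ == "__main__":
    # Constructed configuration with audience set (the recommended setting).
    strict = ConsentServiceConfig(
        enabled=True,
        service_account_dn=("cn=Consent Admin,ou=Services,dc=example,dc=com",),
        unprivileged_consent_scope="consent",
        privileged_consent_scope="consent:admin",
        audience="https://ds.example.com/consent",
    )
    foreign_token = {"aud": "https://other.example.com", "scope": "consent"}
    print("audience set:  ", authorize_bearer(strict, foreign_token))
    lax = ConsentServiceConfig(enabled=True, unprivileged_consent_scope="consent")
    print("audience unset:", authorize_bearer(lax, foreign_token))
```

The `lax` configuration is the weak setting the audience description warns about: any token carrying the `consent` scope is honoured regardless of which service it was issued for.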
To view the Consent Service configuration:
dsconfig get-consent-service-prop [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the Consent Service configuration:
dsconfig set-consent-service-prop (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...