LDAP Mapped SCIM HTTP Servlet Extension

The LDAP Mapped SCIM HTTP Servlet Extension may be used to present a System for Cross-Domain Identity Management (SCIM) protocol interface to the Directory Server. It can expose resources using SCIM core schema as well as raw LDAP schema via the Identity Access API.

NOTE: The Directory REST API provides the most complete REST interface to the Directory Server and is strongly recommended when SCIM-compliance is not required.


Parent Component

The LDAP Mapped SCIM HTTP Servlet Extension component inherits from the SCIM HTTP Servlet Extension.

Relations from This Component

The following components have a direct aggregation relation from LDAP Mapped SCIM Servlet Extensions:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 cross-origin-policy
 response-header
 correlation-id-response-header
 base-context-path
 oauth-token-handler
 identity-mapper
 resource-mapping-file
 include-ldap-objectclass
 exclude-ldap-objectclass
 entity-tag-ldap-attribute

Advanced Properties:
 temporary-directory
 temporary-directory-permissions
 max-results
 bulk-max-operations
 bulk-max-payload-size
 bulk-max-concurrent-requests
 debug-enabled
 debug-level
 debug-type
 include-stack-trace
 basic-auth-enabled
 include-ldap-base-dn
 exclude-ldap-base-dn

Basic Properties

description

Description
A description for this HTTP Servlet Extension
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

cross-origin-policy

Description
The cross-origin request policy to use for the HTTP Servlet Extension. A cross-origin policy is a group of attributes defining the level of cross-origin request supported by the HTTP Servlet Extension.
Default Value
No cross-origin policy is defined and no CORS headers are recognized or returned.
Allowed Values
The DN of any HTTP Servlet Cross Origin Policy.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

response-header

Description
Specifies HTTP header fields and values added to response headers for all requests. Values specified here must specify both the header field name and the value in conformance with RFC 2616. Fields may only be specified once; multiple values for the same header should be comma-separated. See RFC 7231 for a standard set of field names.
Any response headers configured for this HTTP Servlet Extension will be combined with response headers configured on the corresponding Connection Handler. In the case of duplicates, the headers configured on this HTTP Servlet Extension will be used instead of the headers configured on the Connection Handler.
Default Value
None
Allowed Values
Colon-separated header field name and value
Multi-Valued
Yes
Required
No
Admin Action Required
HTTP Connection Handlers hosting this HTTP Servlet Extension must be disabled and then re-enabled, or the server restarted, in order for this change to take effect.
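The merge rule described above, as an added example that is not part of this documentation or of the server's code: response-header values are parsed as "Field-Name: value" pairs, a field may be given only once per component, and a header set on the Servlet Extension replaces the same-named header from the Connection Handler. The case-insensitive name comparison and the CR/LF check are defensive additions of this example, not behaviour the page states.

```python
import re

# Added example (not PingDirectory code): models the documented response-header
# merge. Field names are compared case-insensitively, as HTTP requires.
_FIELD_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 tchar


def parse_response_headers(values):
    """Parse 'Field-Name: value' strings into {lowercase-name: (name, value)}.
    Rejects malformed entries, CR/LF in values, and repeated field names."""
    headers = {}
    for raw in values:
        name, sep, value = raw.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not _FIELD_NAME.match(name):
            raise ValueError(f"not a 'Field-Name: value' pair: {raw!r}")
        if "\r" in value or "\n" in value:
            raise ValueError(f"CR/LF not allowed in a header value: {raw!r}")
        if name.lower() in headers:
            raise ValueError(f"field {name} given twice; "
                             "use one comma-separated value instead")
        headers[name.lower()] = (name, value)
    return headers


def effective_response_headers(connection_handler_values, extension_values):
    """Combine Connection Handler and Servlet Extension headers; on a
    duplicate field name the Servlet Extension's value is used."""
    merged = parse_response_headers(connection_handler_values)
    merged.update(parse_response_headers(extension_values))
    return {name: value for name, value in merged.values()}


if __name__ == "__main__":
    # Constructed sample values for the two components.
    handler = ["Strict-Transport-Security: max-age=31536000",
               "X-Frame-Options: SAMEORIGIN"]
    extension = ["X-Frame-Options: DENY",
                 "Cache-Control: no-store, no-cache"]
    for field, value in effective_response_headers(handler, extension).items():
        print(f"{field}: {value}")
```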

correlation-id-response-header

Description
Specifies the name of the HTTP response header that will contain a correlation ID value. Example values are "Correlation-Id", "X-Amzn-Trace-Id", and "X-Request-Id". This property can be used to specify a custom response header name for correlation IDs. The value specified here will override the correlation-id-response-header property of the HTTP Connection Handler hosting this HTTP Servlet Extension.

If the use-correlation-id-header property of the HTTP Connection Handler hosting this HTTP Servlet Extension is not enabled, then this property will be ignored.

Default Value
The correlation-id-response-header property of the HTTP Connection Handler hosting this HTTP Servlet Extension will be used.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

base-context-path

Description
The context path to use to access the SCIM interface. The value must start with a forward slash and must represent a valid HTTP context path.
Default Value
/
Allowed Values
The value must start with a forward slash and must represent a valid HTTP context path.
Multi-Valued
No
Required
Yes
Admin Action Required
The LDAP Mapped SCIM HTTP Servlet Extension must be restarted, either by disabling and re-enabling it or by restarting the server, for changes to this setting to take effect.

oauth-token-handler

Description
Specifies the OAuth Token Handler implementation that should be used to validate OAuth 2.0 bearer tokens when they are included in a SCIM request. Token handlers must be implemented using a Server SDK Extension. The API allows you to verify and authenticate bearer tokens from different authorization servers as needed. SSL/TLS connection security is required on the HTTP Connection Handler when using OAuth bearer tokens, in order to protect the confidentiality of the token.
Default Value
None
Allowed Values
The DN of any OAuth Token Handler.
Multi-Valued
No
Required
No
Admin Action Required
The LDAP Mapped SCIM HTTP Servlet Extension must be disabled and re-enabled for changes to this setting to take effect. The OAuth Token Handler changes will not take effect until the associated HTTP Connection Handler is disabled and re-enabled, or until the server is restarted.

identity-mapper

Description
Specifies the name of the identity mapper that is to be used to match the username included in the HTTP Basic authentication header to the corresponding user in the directory.
Default Value
None
Allowed Values
The DN of any Identity Mapper. The referenced identity mapper must be enabled.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

resource-mapping-file

Description
The path to an XML file defining the resources supported by the SCIM interface and the SCIM-to-LDAP attribute mappings to use. This file defines how to map SCIM resources to/from LDAP entries. There is an out-of-the-box file provided under config/scim-resources.xml and an XML schema file provided under config/scim-resources.xsd.

Note that the Identity Access API can expose any objectclass as a REST endpoint (via the include-ldap-objectclass property), and you may configure this alongside the core SCIM endpoints defined in the resource mapping file. You may also remove the resources defined in the mapping file if you only wish to use the Identity Access API and not any core SCIM resources.

Default Value
config/scim-resources.xml
Allowed Values
A filesystem path
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

include-ldap-objectclass

Description
Specifies the LDAP object classes that should be exposed directly as SCIM resources. When specified, the object classes in this list will be available as HTTP endpoints, in addition to the endpoints configured in the scim-resources.xml file. The special value '*' can be used to expose all structural object classes in the Directory Server schema. Specifying a large number of object classes may require more memory if the Directory Server has been allocated less than 512MB.
Default Value
None
Allowed Values
The name or OID of an objectclass to be included, or '*' to include all.
Multi-Valued
Yes
Required
No
Admin Action Required
If you have specified a large number of object classes or used the '*' value you should ensure that the Directory Server has been allocated a sufficient amount of memory (typically at least 512MB) to host the HTTP endpoints.

exclude-ldap-objectclass

Description
Specifies the LDAP object classes that should not be exposed directly as SCIM resources. When specified, all object classes except those in this list will be available as HTTP endpoints, in addition to the endpoints configured in the scim-resources.xml file.
Default Value
None
Allowed Values
The name or OID of an objectclass to be excluded.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

entity-tag-ldap-attribute

Description
Specifies the LDAP attribute whose value should be used as the entity tag value to enable SCIM resource versioning support. If possible, the ds-entry-checksum virtual attribute should be used as the entity tag. Access control must be configured so that the attribute is accessible by the authenticated user for all operations.
Default Value
SCIM resource versioning support will be disabled and no entity tags will be included in responses.
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

temporary-directory (Advanced Property)

Description
Specifies the location of the directory that is used to create temporary files containing SCIM request data.
Default Value
scim-data-tmp
Allowed Values
A filesystem path
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

temporary-directory-permissions (Advanced Property)

Description
Specifies the permissions that should be applied to the directory that is used to create temporary files.
Default Value
700
Allowed Values
A valid UNIX mode string. The mode string must contain three digits between zero and seven.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

max-results (Advanced Property)

Description
The maximum number of resources that are returned in a response.
Default Value
100
Allowed Values
An integer value. Lower limit is 1. Upper limit is 2147483647.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

bulk-max-operations (Advanced Property)

Description
The maximum number of operations that are permitted in a bulk request.
Default Value
10000
Allowed Values
An integer value. Lower limit is 1. Upper limit is 2147483647.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

bulk-max-payload-size (Advanced Property)

Description
The maximum payload size in bytes of a bulk request.
Default Value
10 MB
Allowed Values
A positive integer representing a size.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

bulk-max-concurrent-requests (Advanced Property)

Description
The maximum number of bulk requests that may be processed concurrently by the server. Any bulk request that would cause this limit to be exceeded is rejected with HTTP status code 503.
Default Value
10
Allowed Values
An integer value. Lower limit is 1. Upper limit is 2147483647.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

debug-enabled (Advanced Property)

Description
Enables debug logging of the SCIM SDK. Debug messages will be forwarded to the Directory Server debug logger with the scope of com.unboundid.directory.server.extensions.scim.SCIMHTTPServletExtension.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
The Directory Server debug logger must be enabled and correctly configured for the debug messages to be forwarded.

debug-level (Advanced Property)

Description
The minimum debug level that should be used for messages to be logged.
Default Value
info
Allowed Values
severe - Indicates that error messages should be logged.

warning - Indicates that warning and error messages should be logged.

info - Indicates that info, warning, and error messages should be logged.

config - Indicates that config, info, warning, and error messages should be logged.

fine - Indicates that fine, config, info, warning, and error messages should be logged.

finer - Indicates that finer, fine, config, info, warning, and error messages should be logged.

finest - Indicates that finest, finer, fine, config, info, warning, and error messages should be logged.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

debug-type (Advanced Property)

Description
The types of debug messages that should be logged.
Default Value
coding-error
exception
Allowed Values
coding-error - Indicates that messages related to incorrect use of the SCIM SDK should be logged.

exception - Indicates that messages related to exceptions that were caught within the SCIM SDK should be logged.

other - Indicates that all other messages not covered by any other message type should be logged.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

include-stack-trace (Advanced Property)

Description
Indicates whether a stack trace of the thread which called the debug method should be included in debug log messages.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

basic-auth-enabled (Advanced Property)

Description
Enables HTTP Basic authentication, using a username and password.

NOTE: Basic authentication is considered less secure than OAuth2 bearer token authentication.

Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
The LDAP Mapped SCIM HTTP Servlet Extension must be restarted, either by disabling and re-enabling it or by restarting the server, for changes to this setting to take effect.

include-ldap-base-dn (Advanced Property)

Description
Specifies the base DNs for the branches of the DIT that should be exposed via the Identity Access API. The Identity Access API is enabled via the include-ldap-objectclass and exclude-ldap-objectclass properties, and by default does not restrict entries by their location in the DIT. This property allows you to limit the scope of the API to data within specific subtrees. If any values are specified, then only entries under those base DNs will be exposed.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

exclude-ldap-base-dn (Advanced Property)

Description
Specifies the base DNs for the branches of the DIT that should not be exposed via the Identity Access API. The Identity Access API is enabled via the include-ldap-objectclass and exclude-ldap-objectclass properties, and by default does not restrict entries by their location in the DIT. This property allows you to limit the scope of the API by restricting data within specific subtrees. If any values are specified, then any entries under those base DNs will not be exposed.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
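Reviewing the Identity Access API scope before enabling it, as an added example that is not part of this documentation or of the server's code: it applies the include-ldap-objectclass, exclude-ldap-objectclass, include-ldap-base-dn and exclude-ldap-base-dn rules described above to a constructed set of entries and reports which DNs would be reachable. Two assumptions are this example's own, not stated on the page: when both object class lists are set, an entry is exposed only if it matches the include list (or '*') and none of its object classes is excluded; and DN matching is a naive RDN comparison that ignores escaped commas.

```python
# Added example (not PingDirectory code). Assumption: with both object class
# lists set, an entry is exposed only if included (or '*') and not excluded.

def _rdns(dn):
    """Split a DN into normalised RDN strings (naive: ignores escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def is_under(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies below it in the DIT."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def is_exposed(entry, include_oc=(), exclude_oc=(), include_dn=(), exclude_dn=()):
    """entry: {'dn': str, 'objectClass': [names]}; returns the exposure decision."""
    classes = {oc.lower() for oc in entry["objectClass"]}
    included = {oc.lower() for oc in include_oc}
    excluded = {oc.lower() for oc in exclude_oc}
    if not included and not excluded:
        return False                      # Identity Access API not enabled
    if classes & excluded:
        return False                      # exclude-ldap-objectclass
    if included and "*" not in included and not classes & included:
        return False                      # include-ldap-objectclass
    if include_dn and not any(is_under(entry["dn"], b) for b in include_dn):
        return False                      # include-ldap-base-dn
    if any(is_under(entry["dn"], b) for b in exclude_dn):
        return False                      # exclude-ldap-base-dn
    return True

def exposed_dns(entries, **scope):
    return [e["dn"] for e in entries if is_exposed(e, **scope)]

if __name__ == "__main__":
    # Constructed sample entries.
    entries = [
        {"dn": "uid=alice,ou=People,dc=example,dc=com",
         "objectClass": ["top", "person", "inetOrgPerson"]},
        {"dn": "uid=svc-backup,ou=Service Accounts,dc=example,dc=com",
         "objectClass": ["top", "person", "inetOrgPerson"]},
        {"dn": "cn=admins,ou=Groups,dc=example,dc=com",
         "objectClass": ["top", "groupOfUniqueNames"]},
    ]
    print(exposed_dns(entries, include_oc=["inetOrgPerson"],
                      exclude_dn=["ou=Service Accounts,dc=example,dc=com"]))
```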


dsconfig Usage

To list the configured HTTP Servlet Extensions:

dsconfig list-http-servlet-extensions
     [--property {propertyName}] ...

To view the configuration for an existing HTTP Servlet Extension:

dsconfig get-http-servlet-extension-prop
     --extension-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing HTTP Servlet Extension:

dsconfig set-http-servlet-extension-prop
     --extension-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new LDAP Mapped SCIM HTTP Servlet Extension:

dsconfig create-http-servlet-extension
     --extension-name {name}
     --type ldap-mapped
     [--set {propertyName}:{propertyValue}] ...

To delete an existing HTTP Servlet Extension:

dsconfig delete-http-servlet-extension
     --extension-name {name}