The LDAP Mapped SCIM HTTP Servlet Extension may be used to present a System for Cross-Domain Identity Management (SCIM) protocol interface to the Directory Server. It can expose resources using SCIM core schema as well as raw LDAP schema via the Identity Access API.
NOTE: The Directory REST API provides the most complete REST interface to the Directory Server and is strongly recommended when SCIM-compliance is not required.
The LDAP Mapped SCIM HTTP Servlet Extension component inherits from the SCIM HTTP Servlet Extension
The following components have a direct aggregation relation from LDAP Mapped SCIM Servlet Extensions:
The properties supported by this managed object are as follows:
| Description | A description for this HTTP Servlet Extension |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The cross-origin request policy to use for the HTTP Servlet Extension. A cross-origin policy is a group of attributes defining the level of cross-origin request supported by the HTTP Servlet Extension. |
| Default Value | No cross-origin policy is defined and no CORS headers are recognized or returned. |
| Allowed Values | The DN of any HTTP Servlet Cross Origin Policy. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies HTTP header fields and values added to response headers for all requests. Values specified here must specify both the header field name and the value in conformance with RFC 2616. Fields may only be specified once; multiple values for the same header should be comma-separated. See RFC 7231 for a standard set of field names. Any response headers configured for this HTTP Servlet Extension will be combined with response headers configured on the corresponding Connection Handler. In the case of duplicates, the headers configured on this HTTP Servlet Extension will be used instead of the headers configured on the Connection Handler. |
| Default Value | None |
| Allowed Values | Colon-separated header field name and value |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | HTTP Connection Handlers hosting this HTTP Servlet Extension must be disabled and then re-enabled, or the server restarted, in order for this change to take effect. |
correlation-id-response-header
| Description | Specifies the name of the HTTP response header that will contain a correlation ID value. Example values are "Correlation-Id", "X-Amzn-Trace-Id", and "X-Request-Id". This property can be used to specify a custom response header name for correlation IDs. The value specified here will override the correlation-id-response-header property of the HTTP Connection Handler hosting this HTTP Servlet Extension. If the use-correlation-id-header property of the HTTP Connection Handler hosting this HTTP Servlet Extension is not enabled, then this property will be ignored. |
| Default Value | The correlation-id-response-header property of the HTTP Connection Handler hosting this HTTP Servlet Extension will be used. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The context path to use to access the SCIM interface. The value must start with a forward slash and must represent a valid HTTP context path. |
| Default Value | / |
| Allowed Values | The value must start with a forward slash and must represent a valid HTTP context path. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | The LDAP Mapped SCIM HTTP Servlet Extension must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | Specifies the OAuth Token Handler implementation that should be used to validate OAuth 2.0 bearer tokens when they are included in a SCIM request. Token handlers must be implemented using a Server SDK Extension. The API allows you to verify and authenticate bearer tokens from different authorization servers as needed. SSL/TLS connection security is required on the HTTP Connection Handler when using OAuth bearer tokens, in order to protect the confidentiality of the token. |
| Default Value | None |
| Allowed Values | The DN of any OAuth Token Handler. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The LDAP Mapped SCIM HTTP Servlet Extension must be disabled and re-enabled for changes to this setting to take effect. The OAuth Token Handler changes will not take effect until the associated HTTP Connection Handler is disabled and re-enabled, or until the server is restarted. |
| Description | Specifies the name of the identity mapper that is to be used to match the username included in the HTTP Basic authentication header to the corresponding user in the directory. |
| Default Value | None |
| Allowed Values | The DN of any Identity Mapper. The referenced identity mapper must be enabled. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The path to an XML file defining the resources supported by the SCIM interface and the SCIM-to-LDAP attribute mappings to use. This file defines how to map SCIM resources to/from LDAP entries. There is an out-of-the-box file provided under config/scim-resources.xml and an XML schema file provided under config/scim-resources.xsd. Note that the Identity Access API can expose any objectclass as a REST endpoint (via the include-ldap-objectclass property), and you may configure this alongside the core SCIM endpoints defined in the resource mapping file. You may also remove the resources defined in the mapping file if you only wish to use the Identity Access API and not any core SCIM resources. |
| Default Value | config/scim-resources.xml |
| Allowed Values | A filesystem path |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the LDAP object classes that should be exposed directly as SCIM resources. When specified, the object classes in this list will be available as HTTP endpoints, in addition to the endpoints configured in the scim-resources.xml file. The special value '*' can be used to expose all structural object classes in the Directory Server schema. Specifying a large number of object classes may require more memory if the Directory Server has been allocated less than 512MB. |
| Default Value | None |
| Allowed Values | The name or OID of an objectclass to be included, or '*' to include all. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | If you have specified a large number of object classes or used the '*' value you should ensure that the Directory Server has been allocated a sufficient amount of memory (typically at least 512MB) to host the HTTP endpoints. |
| Description | Specifies the LDAP object classes that should be not be exposed directly as SCIM resources. When specified, all object classes except those in this list will be available as HTTP endpoints, in addition to the endpoints configured in the scim-resources.xml file. |
| Default Value | None |
| Allowed Values | The name or OID of an objectclass to be excluded. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the LDAP attribute whose value should be used as the entity tag value to enable SCIM resource versioning support. If possible, the ds-entry-checksum virtual attribute should be used as the entity tag. Access control must be configured so that the attribute is accessible by the authenticated user for all operations. |
| Default Value | SCIM resource versioning support will be disabled and no entity tags will be included in responses. |
| Allowed Values | The name or OID of an attribute type defined in the server schema. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
temporary-directory (Advanced Property)
| Description | Specifies the location of the directory that is used to create temporary files containing SCIM request data. |
| Default Value | scim-data-tmp |
| Allowed Values | A filesystem path |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
temporary-directory-permissions (Advanced Property)
| Description | Specifies the permissions that should be applied to the directory that is used to create temporary files. |
| Default Value | 700 |
| Allowed Values | A valid UNIX mode string. The mode string must contain three digits between zero and seven. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
max-results (Advanced Property)
| Description | The maximum number of resources that are returned in a response. |
| Default Value | 100 |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 2147483647 . |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
bulk-max-operations (Advanced Property)
| Description | The maximum number of operations that are permitted in a bulk request. |
| Default Value | 10000 |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 2147483647 . |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
bulk-max-payload-size (Advanced Property)
| Description | The maximum payload size in bytes of a bulk request. |
| Default Value | 10 MB |
| Allowed Values | A positive integer representing a size. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
bulk-max-concurrent-requests (Advanced Property)
| Description | The maximum number of bulk requests that may be processed concurrently by the server. Any bulk request that would cause this limit to be exceeded is rejected with HTTP status code 503. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 2147483647 . |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
debug-enabled (Advanced Property)
| Description | Enables debug logging of the SCIM SDK. Debug messages will be forwarded to the Directory Server debug logger with the scope of com.unboundid.directory.server.extensions.scim.SCIMHTTPServletExtension. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Directory Server debug logger must be enabled and correctly configured for the debug messages to be forwarded. |
debug-level (Advanced Property)
| Description | The minimum debug level that should be used for messages to be logged. |
| Default Value | info |
| Allowed Values | severe - Indicates that error messages should be logged. warning - Indicates that warning and error messages should be logged. info - Indicates that info, warning, and error messages should be logged. config - Indicates that config, info, warning, and error messages should be logged. fine - Indicates that fine, config, info, warning, and error messages should be logged. finer - Indicates that finer, fine, config, info, warning, and error messages should be logged. finest - Indicates that finest, finer, fine, config, info, warning, and error messages should be logged. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
debug-type (Advanced Property)
| Description | The types of debug messages that should be logged. |
| Default Value | coding-error exception |
| Allowed Values | coding-error - Indicates that messages related to incorrect use of the SCIM SDK should be logged. exception - Indicates that messages related to exceptions that were caught within the SCIM SDK should be logged. other - Indicates that all other messages not covered by any other message type should be logged. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
include-stack-trace (Advanced Property)
| Description | Indicates whether a stack trace of the thread which called the debug method should be included in debug log messages. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
basic-auth-enabled (Advanced Property)
| Description | Enables HTTP Basic authentication, using a username and password. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The LDAP Mapped SCIM HTTP Servlet Extension must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
include-ldap-base-dn (Advanced Property)
| Description | Specifies the base DNs for the branches of the DIT that should be exposed via the Identity Access API. The Identity Access API is enabled via the include-ldap-objectclass and exclude-ldap-objectclass properties, and by default does not restrict entries by their location in the DIT. This property allows you to limit the scope of the API to data within specific subtrees. If any values are specified, then only entries under those base DNs will be exposed. |
| Default Value | None |
| Allowed Values | A valid DN. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
exclude-ldap-base-dn (Advanced Property)
| Description | Specifies the base DNs for the branches of the DIT that should not be exposed via the Identity Access API. The Identity Access API is enabled via the include-ldap-objectclass and exclude-ldap-objectclass properties, and by default does not restrict entries by their location in the DIT. This property allows you to limit the scope of the API by restricting data within specific subtrees. If any values are specified, then any entries under those base DNs will not be exposed. |
| Default Value | None |
| Allowed Values | A valid DN. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured HTTP Servlet Extensions:
dsconfig list-http-servlet-extensions
[--property {propertyName}] ...
To view the configuration for an existing HTTP Servlet Extension:
dsconfig get-http-servlet-extension-prop
--extension-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing HTTP Servlet Extension:
dsconfig set-http-servlet-extension-prop
--extension-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new LDAP Mapped SCIM HTTP Servlet Extension:
dsconfig create-http-servlet-extension
--extension-name {name}
--type ldap-mapped
[--set {propertyName}:{propertyValue}] ...
To delete an existing HTTP Servlet Extension:
dsconfig delete-http-servlet-extension
--extension-name {name}