LDAP Mapping SCIM Resource Type

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

LDAP Mapping SCIM Resource Types map attributes in a SCIM2 schema to native LDAP attributes. The LDAP Mapping SCIM Resource Type determines the attributes that can be accessed by a SCIM2 client application.

The attributes that comprise an LDAP Mapping SCIM Resource Type are defined by specifying a core schema and one or more schema extensions. The core schema defines attributes that may appear at the top level of a SCIM 2.0 resource exposed by the LDAP Mapping SCIM Resource Type, while schema extensions define attributes that are namespaced by the schema's URI. Schema extensions may be configured as optional or required.


Parent Component

The LDAP Mapping SCIM Resource Type component inherits from the Mapping SCIM Resource Type.

Relations from This Component

The following components have a direct composition relation from LDAP Mapping SCIM Resource Types:

Properties

The properties supported by this managed object are as follows:


General Configuration

Basic Properties:
 description
 enabled
 endpoint
 lookthrough-limit
 schema-checking-option
 structural-ldap-objectclass
 auxiliary-ldap-objectclass
 include-base-dn
 include-filter
 create-dn-pattern
 core-schema
 required-schema-extension
 optional-schema-extension

Advanced Properties:
 include-operational-attribute

Basic Properties

description

Property Group
General Configuration
Description
A description for this SCIM Resource Type
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Property Group
General Configuration
Description
Indicates whether the SCIM Resource Type is enabled. If a SCIM Resource Type is not enabled, then its contents are not accessible when processing operations.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

endpoint (Read-Only)

Property Group
General Configuration
Description
The HTTP addressable endpoint of this SCIM Resource Type relative to the '/scim/v2' base URL. Do not include a leading '/'.
Default Value
None
Allowed Values
An HTTP addressable endpoint consisting only of letters, digits, '_' and '-' characters.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

lookthrough-limit

Property Group
General Configuration
Description
The maximum number of resources that the SCIM Resource Type should "look through" in the course of processing a search request. This setting is provided as a way to bound the upper-limit on searches, so that clients do not exhaust the server resources. Every search operation requires that the full result set be passed through the policy engine to determine which subset of resources will be returned. This is also important in order to provide the client with paging information, such as how many total results they are allowed to access.

If the number of raw search results for a given request exceeds this value, an error will be returned to the client indicating that the search matched too many results.

Default Value
500
Allowed Values
An integer value. Lower limit is 1. Upper limit is 100000.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

schema-checking-option

Property Group
General Configuration
Description
Options to alter the way schema checking is performed during create or modify requests.
Default Value
None
Allowed Values
allow-undefined-attributes - Allow undefined attributes in the SCIM resource. The default SCIM 2.0 compliant behavior is to reject create or modify requests containing undefined attributes.

allow-undefined-sub-attributes - Allow undefined sub-attributes in one or more values of a complex attribute. SCIM 2.0 compliant behavior is to reject create or modify requests containing undefined sub-attributes.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

structural-ldap-objectclass

Property Group
General Configuration
Description
Specifies the LDAP structural object class that should be exposed by this SCIM Resource Type.
Default Value
None
Allowed Values
The name or OID of the objectclass to expose.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

auxiliary-ldap-objectclass

Property Group
General Configuration
Description
Specifies an auxiliary LDAP object class that should be exposed by this SCIM Resource Type.
Default Value
None
Allowed Values
The name or OID of the auxiliary objectclass to expose.
Multi-Valued
Yes
Required
No
Admin Action Required
The Directory Server must be restarted for changes to this setting to take effect.

include-base-dn

Property Group
General Configuration
Description
Specifies the base DN of the branch of the LDAP directory that can be accessed by this SCIM Resource Type. Along with the include-filter property, this property determines whether an entry is included in this SCIM Resource Type.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

include-filter

Property Group
General Configuration
Description
The set of LDAP filters that define the LDAP entries that should be included in this SCIM Resource Type. Along with the include-base-dn property, this property determines whether an entry is included in this SCIM Resource Type. If the include-base-dn property does not exclude an entry, then it will be included if it matches any of the filters specified here. If no filters are specified, then only the include-base-dn property is used to determine if an entry is included by this SCIM Resource Type.
Default Value
All entries are included by this SCIM Resource Type.
Allowed Values
A valid LDAP search filter
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

create-dn-pattern

Property Group
General Configuration
Description
Specifies the template to use for the DN when creating new entries. If no value is specified, this SCIM Resource Type will not support create operations. The template may reference any LDAP attribute that is present in the mapped entry by using bracket notation. For example, the pattern "uid={uid},dc=example,dc=com" will substitute the entry's 'uid' value as the RDN. Substitutions are allowed for any DN components, not just the RDN.

The Ping Identity Directory Server 'name with entryUUID' request control can be used to name entries by specifying the entryUUID attribute in the RDN in the DN pattern. For example, the DN pattern could be "entryUUID=server-generated,dc=example,dc=com". The RDN value - 'server-generated' in this example - is a placeholder value that is ignored. The actual value is generated by the Ping Identity Directory Server.

Default Value
None
Allowed Values
The pattern to use to construct the DN value.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

core-schema

Property Group
General Configuration
Description
The core schema enforced on core attributes at the top level of a SCIM resource representation exposed by this Mapping SCIM Resource Type.
Default Value
None
Allowed Values
The DN of any SCIM Schema.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

required-schema-extension

Property Group
General Configuration
Description
Required additive schemas that are enforced on extension attributes in a SCIM resource representation for this Mapping SCIM Resource Type.
Default Value
None
Allowed Values
The DN of any SCIM Schema.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

optional-schema-extension

Property Group
General Configuration
Description
Optional additive schemas that are enforced on extension attributes in a SCIM resource representation for this Mapping SCIM Resource Type.
Default Value
None
Allowed Values
The DN of any SCIM Schema.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

include-operational-attribute (Advanced Property)

Property Group
General Configuration
Description
Specifies the set of operational LDAP attributes to be provided by this SCIM Resource Type. By default, operational attributes are not provided by the SCIM Resource Type. However, there may be cases where you wish to create an attribute mapping that depends on an operational attribute from the LDAP server. Specifying it here will cause it to appear in the schema exposed by the SCIM Resource Type and allow the attribute to be mapped to a SCIM Resource Type attribute.
Default Value
None
Allowed Values
An LDAP attribute name or OID
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured SCIM Resource Types:

dsconfig list-scim-resource-types
     [--property {propertyName}] ...

To view the configuration for an existing SCIM Resource Type:

dsconfig get-scim-resource-type-prop
     --type-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing SCIM Resource Type:

dsconfig set-scim-resource-type-prop
     --type-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new LDAP Mapping SCIM Resource Type:

dsconfig create-scim-resource-type
     --type-name {name}
     --type ldap
     --set enabled:{propertyValue}
     --set endpoint:{propertyValue}
     --set core-schema:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...
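
An added example, not part of the vendor documentation: a wrapper that checks the endpoint and lookthrough-limit values against the allowed values listed on this page before calling dsconfig create-scim-resource-type. The DSCONFIG variable, the function name, the rule that include-base-dn must always be set, and the sample schema name and DN are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code). Validates values against the limits
# documented on this page, then calls dsconfig create-scim-resource-type.
# DSCONFIG defaults to `echo` (dry run); set DSCONFIG=dsconfig to apply.
DSCONFIG=${DSCONFIG:-echo}

create_scim_rt() {
    name=$1 endpoint=$2 core_schema=$3 base_dn=$4 limit=${5:-500}

    # endpoint: letters, digits, '_' and '-' only, so no leading '/'.
    case $endpoint in
        ''|*[!A-Za-z0-9_-]*) echo "bad endpoint: $endpoint" >&2; return 2 ;;
    esac
    # lookthrough-limit: integer from 1 to 100000 (default 500).
    case $limit in
        ''|*[!0-9]*) echo "bad lookthrough-limit: $limit" >&2; return 3 ;;
    esac
    if [ "${#limit}" -gt 6 ] || [ "$limit" -lt 1 ] || [ "$limit" -gt 100000 ]; then
        echo "lookthrough-limit out of range: $limit" >&2; return 3
    fi
    # Policy of this example, not a server requirement: always scope the
    # resource type to one branch instead of leaving include-base-dn unset.
    [ -n "$base_dn" ] || { echo "include-base-dn is required here" >&2; return 4; }

    "$DSCONFIG" create-scim-resource-type \
        --type-name "$name" \
        --type ldap \
        --set enabled:true \
        --set "endpoint:$endpoint" \
        --set "core-schema:$core_schema" \
        --set "include-base-dn:$base_dn" \
        --set "lookthrough-limit:$limit"
}

# Dry run with constructed sample values (schema name and DN are placeholders).
create_scim_rt Users Users 'urn:example:schemas:User:1.0' 'ou=people,dc=example,dc=com' 500
```

Rejected input returns a distinct non-zero status (2 endpoint, 3 lookthrough-limit, 4 missing base DN) without invoking dsconfig.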

To delete an existing SCIM Resource Type:

dsconfig delete-scim-resource-type
     --type-name {name}