Authentication and authorization with the Configuration API
This topic explains how to customize authentication and authorization access using the Configuration API.
Authentication
Clients must use HTTP basic authentication to authenticate to the Configuration API. If the username value isn’t a distinguished name (DN), then it resolves to a DN value using the identity mapper associated with the Configuration servlet. By default, the Configuration API uses an identity mapper that allows an entry’s UID value to be used as a username. To customize this behavior, either customize the default identity mapper or specify a different identity mapper using the Configuration servlet’s identity-mapper property. The following code provides an example:
$ bin/dsconfig set-http-servlet-extension-prop \
--extension-name Configuration \
--set "identity-mapper:Alternative Identity Mapper"
Authorization
To access configuration information, users must have the appropriate privileges:
- To access the cn=config backend, users must have the bypass-acl privilege or be allowed access to the configuration using an ACI.
- To read configuration information, users must have the config-read privilege.
- To update the configuration, users must have the config-write privilege.
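The following added example (not part of the product documentation) audits an LDIF export of user entries and reports which accounts hold the privileges listed above, so that Configuration API access can be reviewed against least privilege. It assumes privileges are stored as ds-privilege-name values directly on each entry; the sample entries are constructed, and privileges granted by other means or access granted by an ACI are not visible to it.

```python
# Added example: audit an LDIF export for accounts that can use the Configuration API.
# Assumption: privileges appear as ds-privilege-name values on each user entry.
SAMPLE_LDIF = """\
dn: uid=api-reader,ou=People,dc=example,dc=com
uid: api-reader
ds-privilege-name: config-read

dn: uid=api-admin,ou=People,dc=example,dc=com
uid: api-admin
ds-privilege-name: bypass-acl
ds-privilege-name: config-read
ds-privilege-name: Config-Write

dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
"""  # constructed sample data


def parse_privileges(ldif_text):
    """Map each entry DN to the set of its lowercased ds-privilege-name values."""
    entries, dn = {}, None
    # Unfold LDIF continuation lines (a newline followed by a single space).
    for line in ldif_text.replace("\n ", "").splitlines():
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
            entries[dn] = set()
        elif name == "ds-privilege-name" and dn is not None:
            entries[dn].add(value.lower())
    return entries


def classify(privs):
    """Apply the three rules from the Authorization section to one privilege set."""
    reach = "yes" if "bypass-acl" in privs else "only if an ACI allows it"
    return {"reach cn=config": reach,
            "read": "config-read" in privs,
            "update": "config-write" in privs}


def audit(ldif_text):
    """Return {dn: classification} for entries holding any relevant privilege."""
    relevant = {"bypass-acl", "config-read", "config-write"}
    return {dn: classify(p) for dn, p in parse_privileges(ldif_text).items() if p & relevant}
```

Calling audit() on an export returns one record per privileged account; accounts marked "only if an ACI allows it" need their ACIs reviewed separately.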