Global Access Control Policy

Provides coarse grained access control for all operations, regardless of whether they are destined for local or proxy backends. Global access control policies are applied in addition to ACIs and privileges.

For a read request (search, compare) to be accepted there must exist a policy granting the read permission to the targeted entry, as well as any attributes included in attribute assertions. Search result entries will also be filtered using the same criteria. Similarly, update requests (add, delete, modify, modify DN) are accepted if there exists a policy granting the write permission to the targeted entry(s), as well as any attributes included with the request. Finally, extended operations and controls are accepted as long as there exists an applicable policy allowing the extended operation or control, irrespective of the targeted entry. By default a policy will match all entries, all types of connection, and all users. The scope may be restricted by specifying any of the request-target-dn-, user-dn-, and connection-* properties.

Dependencies

The following objects have Global Access Control Policies:

Global Access Control Policy Properties

You can use configuration expressions to set property values at startup time. For details, see Property Value Substitution.

Basic Properties

allowed-attribute
allowed-attribute-exception
allowed-control
allowed-extended-operation
authentication-required
connection-client-address-equal-to
connection-client-address-not-equal-to
connection-minimum-ssf
connection-port-equal-to
connection-protocol-equal-to
permission
request-target-dn-equal-to
request-target-dn-equal-to-user-dn
request-target-dn-not-equal-to
user-dn-equal-to
user-dn-not-equal-to

Basic Properties

Use the --advanced option to access advanced properties.

allowed-attribute

Synopsis

Allows clients to read or write the specified attributes, along with their sub-types.

Description

Attributes that are subtypes of listed attributes are implicitly included. In addition, the list of attributes may include the wild-card '*', which represents all user attributes, or the wild-card '+', which represents all operational attributes, or the name of an object class prefixed with '@' to include all attributes defined by the object class.

Default Value

None

Allowed Values

The name of an attribute, an objectclass or a wild-card.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

allowed-attribute-exception

Synopsis

Specifies zero or more attributes which, together with their sub-types, should not be included in the list of allowed attributes.

Description

This property is typically used when the list of attributes specified by the allowed-attribute property is too broad. It is especially useful when creating policies which grant access to all user attributes (*) except certain sensitive attributes, such as userPassword.

Default Value

None

Allowed Values

The name of an attribute, an objectclass or a wild-card.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

allowed-control

Synopsis

Allows clients to use the specified LDAP controls.

Default Value

None

Allowed Values

The name or OID of a control, or a wild-card to allow all controls.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

allowed-extended-operation

Synopsis

Allows clients to use the specified LDAP extended operations.

Default Value

None

Allowed Values

The name or OID of an extended operation, or a wild-card to allow all extensions.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

authentication-required

Synopsis

Restricts the scope of the policy so that it only applies to authenticated users.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-client-address-equal-to

Synopsis

Restricts the scope of the policy so that it only applies to connections which match at least one of the specified client host names or address masks.

Description

Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a sub-network with sub-network mask.

Default Value

None

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-client-address-not-equal-to

Synopsis

Restricts the scope of the policy so that it only applies to connections which match none of the specified client host names or address masks.

Description

Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a sub-network with sub-network mask.

Default Value

None

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-minimum-ssf

Synopsis

Restricts the scope of the policy so that it only applies to connections having the specified minimum security strength factor.

Description

The security strength factor (ssf) pertains to the cipher key strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For example, to require that the connection must have a cipher strength of at least 256 bits, specify a value of 256.

Default Value

0

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-port-equal-to

Synopsis

Restricts the scope of the policy so that it only applies to connections to any of the specified ports, for example 1389.

Default Value

None

Allowed Values

An integer.

Lower limit: 1.

Upper limit: 65535.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-protocol-equal-to

Synopsis

Restricts the scope of the policy so that it only applies to connections which match any of the specified protocols.

Default Value

None

Allowed Values

The protocol name, such as LDAP, LDAPS, JMX, HTTP, or HTTPS.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

permission

Synopsis

Specifies the type of access allowed by this policy.

Default Value

No access.

Allowed Values

  • read: Read access

  • write: Write access

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

request-target-dn-equal-to

Synopsis

Restricts the scope of the policy so that it only applies to requests which target entries matching at least one of the specified DN patterns.

Description

Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A DN pattern.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

request-target-dn-equal-to-user-dn

Synopsis

Restricts the scope of the policy so that it only applies to requests sent by authenticated users where the request’s target DN is the same as the DN of the authorized user.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

request-target-dn-not-equal-to

Synopsis

Restricts the scope of the policy so that it only applies to requests which target entries matching none of the specified DN patterns.

Description

Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A DN pattern.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-dn-equal-to

Synopsis

Restricts the scope of the policy so that it only applies to authenticated users whose authorization DN matches at least one of the specified DN patterns.

Description

Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A DN pattern.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-dn-not-equal-to

Synopsis

Restricts the scope of the policy so that it only applies to authenticated users whose authorization DN matches none of the specified DN patterns.

Description

Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A DN pattern.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No