How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I only allow selected users to search, update and delete LDAP entries in DS 5.x and 6.x?

Last updated Apr 8, 2021

The purpose of this article is to provide information on using ACIs to allow selected users to search, update and delete LDAP entries in DS.


Overview

DS 7 introduces security enhancements including stricter access control, which denies anonymous access to most LDAP operations, controls and extended operations. See Security Guide › Access Control for further information. The ACI being removed in this article does not exist in DS 7 and later.

Controlling access

You can configure DS to allow selected users to search, update and delete LDAP entries using access controls (ACIs). By default, there are a number of global ACIs configured that allow generic anonymous access, and authenticated read and search access. Global ACIs affect access across all backend databases. See Administration Guide › Default Global ACIs for further information. You can modify or remove these ACIs, if required, to prevent this access.

Caution

You should test any changes you make to the default global ACIs first in a pre-production environment to ensure there is no adverse impact.

A typical default global ACI to remove when configuring access is the one that permits anonymous read access. You can remove this with dsconfig. For example:

$ ./dsconfig set-access-control-handler-prop --remove 'global-aci:(targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)' --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt

You can remove other ACIs as needed with the same dsconfig command, substituting the ACI you want to remove for the one shown.

Allowing selected access

When granting access to selected users, it is preferable to use local ACIs (that is, for specific backends) rather than global ACIs as this gives greater control over access. Granting access to all backends via a global ACI may also be considered a security risk.

Note

It is good practice to put the ACI in the actual backend, as this means it will be replicated and also included when you export the data. Global ACIs are not replicated and are easy to forget when you're creating new instances.

You can add local ACIs using the ldapmodify command. The following example command provides the admin user (uid=admin) with access to search, update and delete LDAP entries under dc=example,dc=com:

dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
aci: (target="ldap:///dc=example,dc=com")(targetattr = "* || +")(version 3.0; acl "Admin user access to suffix"; allow (all, export, import)(userdn="ldap:///uid=admin,ou=People,dc=example,dc=com");)

You can add a global ACI that achieves the same thing as above but for all backends, using the dsconfig command:

$ ./dsconfig set-access-control-handler-prop --add 'global-aci:(target="ldap:///dc=example,dc=com")(targetscope="subtree")(targetattr="* || +")(version 3.0; acl "Admin user access to suffix"; allow (all, export, import) userdn="ldap:///uid=admin,ou=People,dc=example,dc=com";)' --hostname ds1.example.com --port 4444 --trustAll --bindDN "cn=Directory Manager" --bindPassword password --no-prompt
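As an added example (not part of this article or of ForgeRock DS), the following Python parses ACI strings of the shape used above into their target clauses, rights and bind rule, then flags the two conditions this article draws attention to: an allow rule bound to ldap:///anyone that grants read or search, and a global ACI that applies to every backend. The sample ACIs are constructed from the page's examples (the anonymous one shortened), and the parser assumes a single bind rule rather than an and/or chain.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the ACIs quoted in this article.
ANON_READ = ('global-aci:(targetattr!="userPassword||authPassword")'
             '(version 3.0; acl "Anonymous read access"; '
             'allow (read,search,compare) userdn="ldap:///anyone";)')
ADMIN_LOCAL = ('(target="ldap:///dc=example,dc=com")(targetattr = "* || +")'
               '(version 3.0; acl "Admin user access to suffix"; allow (all, export, import)'
               '(userdn="ldap:///uid=admin,ou=People,dc=example,dc=com");)')

# (target="..."), (targetattr!="..."), (targetscope="...") clauses before the body
TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
# (version 3.0; acl "name"; allow|deny (rights) [(]bindrule[)];) with one bind rule
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*'
    r'\(?\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)?\s*;\s*\)', re.IGNORECASE)

READ_RIGHTS = {"read", "search", "compare", "all"}

@dataclass
class Aci:
    name: str
    is_global: bool      # came with the dsconfig "global-aci:" prefix
    targets: dict        # keyword -> (operator, value), e.g. "targetattr" -> ("!=", "userPassword")
    permission: str      # "allow" or "deny"
    rights: frozenset    # e.g. {"read", "search", "compare"}
    bind_rule: tuple     # (keyword, operator, value), e.g. ("userdn", "=", "ldap:///anyone")

def parse_aci(text):
    """Split one ACI string into its parts; raises ValueError on an unrecognised body."""
    text = text.strip()
    is_global = text.startswith("global-aci:")
    if is_global:
        text = text[len("global-aci:"):]
    body = BODY_RE.search(text)
    if body is None:
        raise ValueError("unrecognised ACI body: " + text)
    targets = {k.lower(): (op, v) for k, op, v in TARGET_RE.findall(text[:body.start()])}
    name, perm, rights, bind_kw, bind_op, bind_val = body.groups()
    return Aci(name, is_global, targets, perm.lower(),
               frozenset(r.strip().lower() for r in rights.split(",")),
               (bind_kw.lower(), bind_op, bind_val))

def audit(aci):
    """Return the findings this article's guidance would raise for one ACI."""
    findings = []
    anyone = aci.bind_rule == ("userdn", "=", "ldap:///anyone")
    if aci.permission == "allow" and anyone and aci.rights & READ_RIGHTS:
        findings.append("allows anonymous read/search; the article removes this ACI")
    if aci.is_global and aci.permission == "allow":
        findings.append("global ACI: applies to all backends and is not replicated")
    return findings

if __name__ == "__main__":
    for raw in (ANON_READ, ADMIN_LOCAL):
        aci = parse_aci(raw)
        print(aci.name, "->", audit(aci) or ["no findings"])
```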

See Also

Administration Guide › ACI: Disable Anonymous Access

Administration Guide › Configuring Privileges and Access Control

Administration Guide › How ACI is Evaluated

Reference › dsconfig

Configuration Reference › set-access-control-handler-prop

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.