Targeting operational attributes
The Oracle access control model doesn’t differentiate between user attributes and operational attributes.
In the Oracle access control model, using targetattr="*"
automatically targets both user and operational attributes. Using an exclusion list like targetattr!="userPassword"
automatically targets all operational attributes in addition to all user attributes except userPassword
. This presents several significant security holes here users are unintentionally given access to operational attributes. In some cases, it could allow users to exempt themselves from password policy restrictions.
The server treats operational attributes differently from user attributes and never automatically includes operational attributes. For example, targetattr="*"
targets all user attributes but no operational attributes, and targetattr!="userPassword"
targets all user attributes except userPassword
but no operational attributes.
You can target specific operational attributes by including the names in the list, such as targetattr="creatorsName||modifiersName"
. You can target all operational attributes by using the "+"
character. For example, targetattr="+"
targets all operational attributes but no user attributes, and targetattr="*||+"
targets all user and operational attributes.
Example
The following example searches for all immediate children of ou=People,dc=example,dc=com
. The attributes returned are restricted to sn
, givenName
, and all operational attributes.
ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \ --baseDN ou=People,dc=example,dc=com --searchScope one '(objectclass=*)' \ sn givenName "+"
Example
You can use compound filters to search for a subset of the entries in the ou=People,dc=example,dc=com
subtree. The following example limits the returned entry amount to 200, and the server will spend no more than 5 seconds processing the request.
ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \ --baseDN ou=People,dc=example,dc=com --searchScope sub --sizeLimit 200 \ --timeLimit 5 "(&(sn<=Doe)(employeeNumber<=1000))" ds-entry-unique-id \ entryUUID
Returning all user and operational attributes in a schema search
Specify "*"
in a search attribute list to represent all user attributes. Specifying "+"
retrieves all operational attributes.
About this task
The following standards are used in PingDirectory as part of the LDAP specification.
Standard | Overview |
---|---|
Describes the use of |
|
Describes the use of |
Steps
-
To search the
cn=schema
entry and return all user and operational attributes, runldapsearch
.Example:
bin/ldapsearch --baseDN cn=schema --searchScope base "(objectclass=*)" "*" "+"
Exclude attributes
The server accepts syntax, in addition to the RFC 3673, RFC 4511, and RFC 4529 standards, that allows you to exclude attributes from search results.
About this task
To exclude an attribute from the search results in PingDirectory:
Steps
-
Prefix the attribute name with either
"^"
or"!"
Example:
The following example returns organizational units (OUs) that are part of the object class
group
in Colorado with the exception of OUs in Denver.(&(objectClass=group)(&(ou:dn:=Colorado)(!(ou:dn:=Denver))))
Example:
The following example returns all users that aren’t
device
.(&(objectClass=user)(!(objectClass=device)))
To exclude all attributes associated with an object class, prefix the object class name with either
"^@"
or"!@"
.