PingDirectory

Restricting access through operational attributes in user entries

The PingDirectory server also defines a number of operational attributes that can be placed in user entries to indicate the context in which their account can be used.

These attributes include the following.

Attribute Description

ds-auth-allowed-address

Can be used to provide a set of address masks in the same format used by the allowed-client property in the connection handler configuration to indicate which clients are allowed to authenticate as the user. If any allowed addresses are defined and a client attempts to authenticate as the user from a client whose address does not match one of these patterns, then the bind attempt is rejected.

ds-auth-allowed-authentication-type

Can be used to restrict the ways in which the user can authenticate to the server. Values can be either simple to indicate that the user can authenticate with LDAP simple authentication or “sasl <mechanism>” such as “sasl EXTERNAL” to indicate that the user can authenticate with the specified SASL mechanism. If any allowed authentication types are defined and a client attempts to authenticate using a mechanism that is not included in this list, then the bind attempt is rejected.

ds-auth-require-secure-authentication

Can be used to indicate whether the user is required to authenticate to the server in a secure manner that does not reveal the credentials to a network observer, whether by authenticating over a secure connection or by using an authentication mechanism that protects the credentials in transit. If this is set to true and a client attempts to authenticate as the user in an insecure manner, then the bind attempt is rejected.

ds-auth-require-secure-connection

Can be used to indicate whether the user is required to communicate with the server over an encrypted connection. This is similar to the ds-auth-require-secure-authentication attribute but stricter: if it is set to true, then the user is only allowed to authenticate over a secure connection, and the client is not allowed to authenticate over an insecure connection even if the authentication mechanism itself does not reveal the user’s credentials to an external observer.

ds-auth-is-proxyable

Indicates whether the user’s account can be used as an alternate authorization identity, such as using the proxied authorization request control, or as the authorization identity of a SASL bind. Values of this attribute can be one of the following:

allowed

Indicates that the account can optionally be used as an alternate authorization identity. This is the default behavior used for accounts that do not include the ds-auth-is-proxyable attribute.

prohibited

Indicates that the account cannot be used as an alternate authorization identity. Operations can only be processed as this user by clients that have directly authenticated as that user.

required

Indicates that the account can only be used as an alternate authorization identity and is not allowed to directly authenticate to the server.

ds-auth-is-proxyable-by

The distinguished names (DNs) of the users that are allowed to request this account as an alternate authorization identity. If one or more ds-auth-is-proxyable-by values are configured, then any attempt to proxy as the user from some account whose DN is not listed is rejected.

ds-auth-is-proxyable-by-group

The DNs of the groups whose members are allowed to request this account as an alternate authorization identity. If one or more group DNs are provided, then any attempt to proxy as the user from an account that is not a member of any of those groups is rejected.

ds-auth-is-proxyable-by-url

A set of LDAP URLs that can be used to identify users that will be allowed to request this account as an alternate authorization identity. If one or more LDAP URLs are provided, then any attempt to proxy as the user from an account that does not match the criteria represented by any of those URLs is rejected.

ds-auth-may-proxy-as

The DNs of the accounts that the user can request as an alternate authorization identity. If one or more ds-auth-may-proxy-as values are provided and the client attempts to proxy as any user whose DN is not listed, then that attempt is rejected.

ds-auth-may-proxy-as-group

The DNs of the groups whose members can be used as alternate authorization identities by the user. If one or more group DNs are provided and the user attempts to proxy as a user that is not a member of any of those groups, then that attempt is rejected.

ds-auth-may-proxy-as-url

A set of LDAP URLs that can be used to identify accounts that the user can request as an alternate authorization identity. If one or more LDAP URLs are provided, then an attempt to proxy as an account whose entry does not match the criteria from any of those LDAP URLs is rejected.

These operational attributes can be set as real or virtual attributes in the target user’s entry.
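As an added example (not from the PingDirectory documentation), the LDIF below applies several of these attributes to two constructed accounts: a service account that can only ever be used as a proxied identity, and an administrative account that can only bind directly under tight conditions. All DNs, the group, the address mask and the LDAP URL are assumptions made for illustration.

```ldif
# Added example, not PingDirectory's own documentation. Every DN, group,
# address mask and URL below is constructed for illustration.

# Service account that may never bind directly: it can only be used as a
# proxied authorization identity, and only by members of one group.
dn: uid=report-svc,ou=Service Accounts,dc=example,dc=com
changetype: modify
replace: ds-auth-is-proxyable
ds-auth-is-proxyable: required
-
replace: ds-auth-is-proxyable-by-group
ds-auth-is-proxyable-by-group: cn=Report Gateway Servers,ou=Groups,dc=example,dc=com

# Administrative account that may bind directly, but only from the
# management network (mask in allowed-client format, assumed CIDR here),
# only with a SASL EXTERNAL (client certificate) bind, only over TLS,
# and which itself can never be used as a proxied identity.
dn: uid=dsadmin,ou=People,dc=example,dc=com
changetype: modify
replace: ds-auth-allowed-address
ds-auth-allowed-address: 10.20.30.0/24
-
replace: ds-auth-allowed-authentication-type
ds-auth-allowed-authentication-type: sasl EXTERNAL
-
replace: ds-auth-require-secure-connection
ds-auth-require-secure-connection: true
-
replace: ds-auth-is-proxyable
ds-auth-is-proxyable: prohibited
-
# The admin may only proxy as entries matching this URL (service accounts).
replace: ds-auth-may-proxy-as-url
ds-auth-may-proxy-as-url: ldap:///ou=Service Accounts,dc=example,dc=com??sub?(objectClass=person)
```

Note that both sides of a proxy request are checked: even though uid=dsadmin is permitted by its ds-auth-may-proxy-as-url to request service accounts, a proxy as uid=report-svc is still rejected unless dsadmin is a member of the group named in report-svc's ds-auth-is-proxyable-by-group.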