PingDirectory

Examples of common access control rules

This section shows examples of access control rules that are commonly used in directory deployments.

To modify access control definitions in the server, a user must have the modify-acl privilege.

Administrator access

The following access control instructions (ACIs) grant members of the cn=admins,ou=groups,dc=example,dc=com group the following permissions:

  • Add, modify, and delete entries

  • Reset passwords

  • Read operational attributes, such as isMemberOf and password policy state

aci: (targetattr="+")(version 3.0; acl "Administrators can read, search or compare operational attributes";
allow (read,search,compare) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "Administrators can add, modify and delete entries";
allow (all) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)

Anonymous and authenticated access

The following ACIs allow anonymous read, search, and compare on select attributes of inetOrgPerson entries while authenticated users can access several more. An authenticated user inherits the privileges of the anonymous ACI and can also change userPassword.

aci: (targetattr="objectclass || uid || cn || mail || sn || givenName")(targetfilter="(objectClass=inetorgperson)")
(version 3.0; acl "Anyone can access names and email addresses of entries representing people";
allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="departmentNumber || manager || isMemberOf")(targetfilter="(objectClass=inetorgperson)")
(version 3.0; acl "Authenticated users can access these fields for entries representing people";
allow (read,search,compare) userdn="ldap:///all";)
aci: (targetattr="userPassword")(version 3.0; acl "Authenticated users can change password";
allow (write) userdn="ldap:///all";)

To prevent anonymous access to the directory server, set the global configuration property reject-unauthenticated-requests to true.

Delegated access to a manager

The following ACI allows an employee’s manager to edit the value of the employee’s telephoneNumber attribute. This ACI uses the userattr keyword with a bind type of USERDN, which indicates that the target entry’s manager attribute must have a value equal to the distinguished name (DN) of the authenticated user.

aci: (targetattr="telephoneNumber")
(version 3.0; acl "A manager can update telephone numbers of her direct reports";
allow (read,search,compare,write) userattr="manager#USERDN";)

Proxy authorization

The following ACI allows the application cn=OnBehalf,ou=applications,dc=example,dc=com to use the proxied authorization V2 control to request that operations be performed using an alternate authorization identity.

aci: (version 3.0;acl "Application OnBehalf can proxy as another entry";
allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)

The application user must have the proxied-auth privilege.