PingDirectory

Targeting operational attributes

The Oracle access control model doesn’t differentiate between user attributes and operational attributes.

In the Oracle access control model, using targetattr="*" automatically targets both user and operational attributes. Using an exclusion list like targetattr!="userPassword" automatically targets all operational attributes in addition to all user attributes except userPassword. This opens several significant security holes where users are unintentionally given access to operational attributes. In some cases, it could allow users to exempt themselves from password policy restrictions.

The PingDirectory server treats operational attributes differently from user attributes and never automatically includes operational attributes. For example, targetattr="*" targets all user attributes but no operational attributes, and targetattr!="userPassword" targets all user attributes except userPassword but no operational attributes.

You can target specific operational attributes by including the names in the list, such as targetattr="creatorsName||modifiersName". You can target all operational attributes by using the "+" character. For example, targetattr="+" targets all operational attributes but no user attributes, and targetattr="*||+" targets all user and operational attributes.
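The following Python is an added illustration, not code from the PingDirectory documentation: it resolves a targetattr expression under both access control models described above so that an ACI review can spot operational attributes swept in unintentionally. The attribute inventory is constructed for the example, and the exclusion-list branch for PingDirectory covers only the user-attribute case the text describes.

```python
from typing import FrozenSet, List, Set, Tuple

# Constructed attribute inventory for this example, not a real schema export.
USER_ATTRS: FrozenSet[str] = frozenset({"sn", "givenName", "userPassword", "employeeNumber"})
OPERATIONAL_ATTRS: FrozenSet[str] = frozenset(
    {"creatorsName", "modifiersName", "entryUUID", "ds-entry-unique-id"})
ALL_ATTRS: FrozenSet[str] = USER_ATTRS | OPERATIONAL_ATTRS


def parse_targetattr(expr: str) -> Tuple[bool, List[str]]:
    """Split 'targetattr="a||b"' or 'targetattr!="a"' into (is_exclusion, names)."""
    keyword, _, value = expr.partition("=")
    keyword = keyword.strip()
    if keyword.rstrip("!").strip().lower() != "targetattr":
        raise ValueError(f"not a targetattr expression: {expr!r}")
    is_exclusion = keyword.endswith("!")
    names = [n.strip() for n in value.strip().strip('"').split("||") if n.strip()]
    return is_exclusion, names


def targeted_attrs(expr: str, model: str) -> FrozenSet[str]:
    """Attributes an ACI carrying this targetattr applies to under the given model.

    "oracle": "*" and every exclusion list silently cover operational attributes.
    "pingdirectory": only "+" or an explicit name reaches operational attributes;
    "*" and exclusion lists stay within user attributes.
    """
    is_exclusion, names = parse_targetattr(expr)
    if model not in ("oracle", "pingdirectory"):
        raise ValueError(f"unknown model: {model}")
    if is_exclusion:
        universe = ALL_ATTRS if model == "oracle" else USER_ATTRS
        return universe - set(names)
    selected: Set[str] = set()
    for name in names:
        if name == "*":
            selected |= ALL_ATTRS if model == "oracle" else USER_ATTRS
        elif name == "+" and model == "pingdirectory":
            # "+" is described for PingDirectory only; elsewhere it is a literal name.
            selected |= OPERATIONAL_ATTRS
        else:
            selected.add(name)
    return frozenset(selected)


def exposed_operational_attrs(expr: str, model: str) -> FrozenSet[str]:
    """Review check: operational attributes an ACI would reach under this model."""
    return targeted_attrs(expr, model) & OPERATIONAL_ATTRS
```

Running exposed_operational_attrs('targetattr!="userPassword"', "oracle") returns every operational attribute in the inventory, while the same expression under "pingdirectory" returns an empty set.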

Example

The following example searches for all immediate children of ou=People,dc=example,dc=com. The attributes returned are restricted to sn, givenName, and all operational attributes.

ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \
     --baseDN ou=People,dc=example,dc=com --searchScope one '(objectclass=*)' \
     sn givenName "+"

Example

You can use compound filters to search for a subset of the entries in the ou=People,dc=example,dc=com subtree. The following example limits the number of returned entries to 200, and the server will spend no more than 5 seconds processing the request.

ldapsearch --bindDN uid=admin,dc=example,dc=com --bindPassword password \
     --baseDN ou=People,dc=example,dc=com --searchScope sub --sizeLimit 200 \
     --timeLimit 5 "(&(sn<=Doe)(employeeNumber<=1000))" ds-entry-unique-id \
     entryUUID

Specify "*" in a search attribute list to represent all user attributes. Specifying "+" retrieves all operational attributes.

About this task

The following standards are used in PingDirectory as part of the LDAP specification.

Standard    Overview

RFC 3673    Describes the use of "+" to represent all operational attributes

RFC 4511    Describes the use of "*" to represent all user attributes

Steps

  • To search the cn=schema entry and return all user and operational attributes, run ldapsearch.

    Example:

    bin/ldapsearch --baseDN cn=schema --searchScope base "(objectclass=*)" "*" "+"

Exclude attributes

In addition to the RFC 3673, RFC 4511, and RFC 4529 standards, PingDirectory accepts a syntax that allows you to exclude attributes from search results.

About this task

To exclude an attribute from the search results in PingDirectory:

Steps

  • Prefix the attribute name with either "^" or "!".

    Example:

    The following example returns entries of object class group that are under an organizational unit (OU) named Colorado, excluding those that are also under an OU named Denver.

    (&(objectClass=group)(&(ou:dn:=Colorado)(!(ou:dn:=Denver))))

    Example:

    The following example returns all users that aren't devices.

    (&(objectClass=user)(!(objectClass=device)))

    To exclude all attributes associated with an object class, prefix the object class name with either "^@" or "!@".