PingDirectory

Sensitive attributes

PingDirectory servers allow you to create sensitive attribute definitions, which provide enhanced protection for interactions with a specified set of attributes.

You can prevent the values of sensitive attributes from being retrieved at all, or you can ensure that they are only retrieved over secure connections, and similar protections are available for other kinds of read and write operations. Sensitive attribute definitions can be imposed for all clients, even for root users and topology administrators.

Sensitive attribute definitions include the following configuration properties.

Property Description

attribute-type

The names or OIDs of the attribute types that are to be governed by this sensitive attribute definition. If the same attribute type is included in multiple sensitive attribute definitions, it is subject to the most strict intersection of those definitions.

include-default-sensitive-operational-attributes

Indicates whether the server should automatically declare a predefined set of special operational attributes as sensitive under the conditions of this sensitive attribute definition. At present, this includes the ds-sync-hist attribute, which is used to hold historical information for replication conflict resolution, and it can include former values for some attributes in the entry. This is true by default.

allow-in-returned-entries

Indicates whether to allow the specified attributes to be included in search result entries that are returned to clients (or other forms of entries that can be returned, like the “before” and “after” versions of an entry when used with the pre-read and post-read request controls). Allowed values include:

  • secure-only — Only allow the attributes to be returned to clients over a secure connection (for example, one encrypted with TLS). The attributes are stripped from search result entries over an insecure connection.

  • suppress — Do not allow the attributes to be returned to clients, even over a secure connection. The attributes are always stripped from search result entries.

  • allow — Allow the attributes to be returned to clients over a secure or insecure connection.

allow-in-filter

Indicates whether to allow the specified attributes to be included in search filters. If an attribute can be used in a filter, then clients with the ability to read the entry might be able to determine its values through brute force, by simply trying different values until a match is found. They can also be used to find all entries with a given value. Allowed values include:

  • secure-only — Only allow the attributes to be used in filters for requests sent over a secure connection. Search requests that use a sensitive attribute in the filter are rejected if they are received over an insecure connection.

  • reject — Reject any search request that includes the sensitive attribute in a filter, even over a secure connection.

  • allow — Allow the attributes to be used in filters over a secure or insecure connection.

allow-in-add

Indicates whether to allow the specified attributes to be included in add requests. Allowed values include secure-only, reject, and allow.

allow-in-compare

Indicates whether to allow the specified attributes to be used in compare assertions. As with search filters, compare assertions can be used to try to discover attribute values through brute force. Allowed values include secure-only, reject, and allow.

allow-in-modify

Indicates whether to allow the specified attributes to be updated in modify requests. Allowed values include secure-only, reject, and allow.

By default, the server includes sensitive attribute definitions that prevent clients from accessing passwords and other sensitive authentication information like generated one-time passwords and TOTP shared secrets. They prevent clients from retrieving attribute values or using them in search filters or compare assertions, even over a secure connection, and they only allow the values to be included in add and modify requests that are received over a secure connection. However, these sensitive attribute definitions are not enforced by default.

To ensure that the server enforces the restrictions imposed by sensitive attribute definitions, they must be associated with one or more client connection policies. The following property in the global configuration can enable specified sensitive attribute definitions across all client connection policies:

sensitive-attribute

The set of sensitive attribute definitions that should be enabled by default across all client connection policies.

You can also customize the set of client connection policies in which sensitive attribute definitions should be enforced. This is done through the following properties in the client connection policy configuration:

sensitive-attribute

The set of sensitive attribute definitions that should be enabled for connections using that client connection policy.

exclude-global-sensitive-attribute

The set of sensitive attribute definitions that are enabled in the global configuration that should not be enforced for clients using that client connection policy.

We recommend preventing clients (even root users or topology administrators) from being able to retrieve passwords or other kinds of authentication secrets, and to only allow them to be updated over secure connections. This can be done by updating the global configuration to enable those sensitive attribute definitions across all client connection policies using a change, as in the following example.

dsconfig set-global-configuration-prop \
     --add "sensitive-attribute:Sensitive Password Attributes" \
     --add "sensitive-attribute:Delivered One-Time Password" \
     --add "sensitive-attribute:TOTP Shared Secret"

However, you might have an application that has a legitimate need to access encoded passwords. For example, you might want to use the PingDataSync server to synchronize passwords from PingDirectory to other data stores. In such cases, the best solution might be to create a custom client connection policy with connection criteria that only matches that application, and then configure it to exclude the appropriate sensitive attribute from the global configuration, as in the following example.

dsconfig set-client-connection-policy-prop \
     --policy-name "Synchronization Application" \
     --add "exclude-global-sensitive-attribute:Sensitive Password Attributes"

See the config/use-sensitive-attributes-to-prevent-password-access.dsconfig sample batch file for more information.