PingDirectory

Working with parameterized ACIs

The PingDirectory server supports the use of parameterized access control instructions (ACIs) to control access to subtrees with homogenous administrative group or user patterns, which can be used in multi-tenant deployments.

A single parameterized ACI can take the place of specifying identical ACIs on each tenant’s subtree. For example, consider the following parameterized ACI.

(target="ldap:///o=($1),dc=example,dc=com")(version 3.0; acl \
"Subtree Admin Group members may search for and read entries in their subtree."; allow \
(search, read) groupdn="ldap:///cn=Subtree Admin Group,ou=groups,o=($1),dc=example,dc=com";)

This parameterized ACI enables:

  • Members of a group with the distinguished name (DN) "cn=Subtree Admin Group,ou=groups,o=Customers,dc=example,dc=com" to search for and read entries in the "o=Customers,dc=example,dc=com" subtree.

  • Members of a group with the DN "cn=Subtree Admin Group,ou=groups,o=Partners,dc=example,dc=com" to search for and read entries in the "o=Partners,dc=example,dc=com" subtree.

The same access is granted for any substitution value for the ($1) parameter variable. If an operation tries to read the uid=user.1,o=acme,dc=example,dc=com entry, this ACI is considered. This ACI would allow a read action if the operation’s user is a member of the cn=Subtree Admin Group,ou=groups,o=acme,dc=example,dc=com group.

You can replace attribute values from the target DN with different variables, ($#), and then reference those variables in the group DN or user DN. Construct the string representation of a parameter variable as follows:

  1. An open parenthesis

  2. A dollar sign

  3. A positive integer

  4. A closing parenthesis

Consider the following example.

"population=($2),ou=Populations,environment=($1),ou=Environments,o=Acme"

The ($2) variable is the population ID in the DN of the target entry, and ($1) is the environment ID in the DN of the target entry. Those values from the target entry’s DN are substituted into the group DN or user DN value.

Parameter variables present in a parameterized ACI’s target will be associated with the actual values from the resource DN. Each actual value will be substituted for its respective parameter variable in the ACI’s target and group bind rule DNs when performing access control on the resource entry.

Parameter variables can be used in multiple relative distinguished names (RDNs) in a parameterized target. A given RDN can have at most one parameter variable as its attribute value. A given parameter variable can appear only once in the parameterized target.

The following values are examples of valid parameterized target DNs:

  • ou=($1),dc=example,dc=com

  • population=($2),ou=Populations,environment=($1),ou=Environments,o=Acme

  • o=($1) (for a global ACI)

An ACI on an entry only applies to that entry’s subtree. If an ACI with a parameterized target is stored on an entry, that entry’s DN must appear in a non-parameterized form as the rightmost RDN of the parameterized target’s DN. For example, if an ACI with a parameterized target is stored on the dc=example,dc=com entry, that parameterized target must end in dc=example,dc=com in a non-parameterized form. Global ACIs do not have this restriction. Each global ACI can have parameter variables in any or all of its parameterized target’s RDNs.

Additional restrictions for parameterized targets include:

  • They cannot be pattern ACIs, meaning they cannot contain wildcards (*).

  • RDNs that are parameterized must be single-valued. For example, a given parameterized RDN cannot consist of two or more type-value pairs joined by +.
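The following Python is an added example, not PingDirectory code: it models the substitution described above (capturing ($n) values from a resource DN and placing them into a groupdn value) and checks a parameterized target against the restrictions listed in this section. It assumes simplified DN handling (split on commas, no escaping, case-insensitive comparison), and the function names are my own.

```python
import re
# Added example (not PingDirectory code): how a parameterized target captures ($n)
# values from a resource DN and substitutes them into groupdn/userdn bind rules.
# Simplified DN handling: split on commas, case-insensitive comparison, no escaping.
PARAM_RE = re.compile(r"^\(\$(\d+)\)$")

def parse_dn(dn):
    """Return a DN as [(attribute_type, value), ...], leftmost RDN first."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def target_violations(target, aci_entry_dn=None):
    """List restrictions the target breaks (empty list = valid); None marks a global ACI."""
    problems, seen = [], set()
    if "*" in target:
        problems.append("pattern ACI: parameterized targets cannot contain wildcards")
    for attr, value in parse_dn(target):
        m = PARAM_RE.match(value)  # also rejects multi-valued RDNs such as cn=($1)+ou=x
        if "($" in value and not m:
            problems.append("RDN must be single-valued with one whole variable: " + attr + "=" + value)
        elif m and m.group(1) in seen:
            problems.append("parameter variable appears more than once: " + value)
        elif m:
            seen.add(m.group(1))
    if aci_entry_dn is not None:  # a non-global ACI covers only its entry's subtree
        norm = lambda rdns: [(a.lower(), v.lower()) for a, v in rdns]
        suffix = norm(parse_dn(aci_entry_dn))
        if norm(parse_dn(target))[-len(suffix):] != suffix:
            problems.append("target must end with the ACI entry's DN in non-parameterized form")
    return problems

def match_target(target, resource_dn):
    """Return {variable: captured value} if resource_dn is in the target's subtree, else None."""
    t_rdns, r_rdns = parse_dn(target), parse_dn(resource_dn)
    if len(r_rdns) < len(t_rdns):
        return None
    captured = {}
    for (t_attr, t_val), (r_attr, r_val) in zip(reversed(t_rdns), reversed(r_rdns)):
        if t_attr.lower() != r_attr.lower():
            return None
        m = PARAM_RE.match(t_val)
        if m:
            captured[m.group(1)] = r_val  # the actual value stands in for ($n)
        elif t_val.lower() != r_val.lower():
            return None
    return captured

def substitute(bind_dn, captured):
    """Replace every ($n) in a groupdn/userdn value with the value captured from the target."""
    return re.sub(r"\(\$(\d+)\)", lambda m: captured[m.group(1)], bind_dn)
```

For the ACI shown earlier, match_target returns {"1": "acme"} for uid=user.1,o=acme,dc=example,dc=com, and substitute then yields the group DN that membership is checked against.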