PingDirectory

Access control filtering on the sync pipe

PingDataSync provides an advanced Sync Pipe configuration property, filter-changes-by-user, which performs access control filtering on a changelog entry for a specific user.

Since the changelog entry contains data from the target entry, the access controls filter out attributes that the user does not have the privileges to see before it is returned. For example, values in the changes, ds-changelog-before-values, ds-changelog-after-values, ds-changelog-entry-key-attr-values, and deletedEntryAttrs are filtered out through access control instructions.

This property is only available for notification mode and can be configured using the create-sync-pipe-config or dsconfig commands.

The source server must be a PingDirectory server or Nokia 8661 Directory Server, or a PingDirectoryProxy server or Nokia 8661 Directory Proxy Server that points to a PingDirectory server or Nokia 8661 Directory Server.

Considerations for access control filtering

  • The directory server will not return the changelog entry if the user is not allowed to see the target entry.

  • The directory server strips out any attributes that the user is not allowed to see.

  • If no changes are left in the entry, no changelog entry will be returned.

  • If only some attributes are stripped out, the changelog entry will be returned.

  • Access control filtering on a specific attribute value is not supported. Either all attribute values are returned or none.

  • If a sensitive attribute policy is used to filter attributes when a client normally accesses the directory server, that policy is not applied during notifications, because the Sync User always connects using the same method. Configure access controls that filter attributes based on who is accessing the data rather than on the type of connection made to the server. The filter-changes-by-user property can then evaluate whether that user should have access to those attributes.
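A constructed model of these rules, added here as an example and not PingDataSync's implementation: it takes a changelog entry shaped like a PingDirectory cn=changelog entry (LDIF modify content in changes, "attribute: value" lines in the before/after-values attributes) plus the set of attributes the filter user may read, and applies the whole-entry gate, whole-attribute stripping, and the empty-entry rule. The returned list of excluded names stands in for what report-excluded-changelog-attributes:attribute-names would report on the source server; the entry values are constructed sample data.

```python
# Constructed changelog entry (sample data, not from a real server).
CHANGELOG_ENTRY = {
    "targetDN": "uid=jdoe,ou=People,dc=example,dc=com",
    "changeType": "modify",
    "changes": ("replace: mail\nmail: jdoe@example.com\n-\n"
                "replace: userPassword\nuserPassword: {SSHA}newhash\n-\n"),
    "ds-changelog-before-values": "mail: john@example.com\nuserPassword: {SSHA}oldhash",
    "ds-changelog-after-values": "mail: jdoe@example.com\nuserPassword: {SSHA}newhash",
}

def _attr_of_mod_block(block):
    # First line of a modify block is e.g. "replace: mail"; the attribute follows the colon.
    return block.splitlines()[0].split(":", 1)[1].strip()

def filter_changelog_entry(entry, can_read_target, readable_attrs):
    """Return (filtered_entry_or_None, sorted list of excluded attribute names).

    Rules modelled from the considerations list:
      - the user may not see the target entry  -> no changelog entry at all;
      - unreadable attributes are stripped whole (no per-value filtering);
      - if no changes remain                   -> no changelog entry.
    """
    if not can_read_target:
        return None, []
    allowed = {a.lower() for a in readable_attrs}
    excluded = set()
    kept_mods = []
    for block in entry["changes"].split("\n-\n"):
        block = block.strip()
        if not block:
            continue
        attr = _attr_of_mod_block(block)
        if attr.lower() in allowed:
            kept_mods.append(block)
        else:
            excluded.add(attr)
    if not kept_mods:
        return None, sorted(excluded)
    filtered = dict(entry)
    filtered["changes"] = "\n-\n".join(kept_mods) + "\n-\n"
    for key in ("ds-changelog-before-values", "ds-changelog-after-values"):
        kept = []
        for line in entry.get(key, "").splitlines():
            attr = line.split(":", 1)[0]
            if attr.lower() in allowed:
                kept.append(line)
            else:
                excluded.add(attr)
        filtered[key] = "\n".join(kept)
    return filtered, sorted(excluded)

if __name__ == "__main__":
    print(filter_changelog_entry(CHANGELOG_ENTRY, True, ["mail", "cn"]))
```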

Configure the sync pipe to filter changes by access control instructions

Steps

  1. Set the filter-changes-by-user property to filter changes based on access controls for a specific user.

    $ bin/dsconfig set-sync-pipe-prop \
      --pipe-name "Notifications Sync Pipe" \
      --set "filter-changes-by-user:uid=admin,dc=example,dc=com"

  2. On the source directory server, set the report-excluded-changelog-attributes property so that the changelog entry includes the names of attributes that were removed through access control filtering. This allows PingDataSync to warn about attributes that were supposed to be synchronized but were filtered out. This step is recommended but not required.

    $ bin/dsconfig set-backend-prop \
      --backend-name "changelog" \
      --set "report-excluded-changelog-attributes:attribute-names"

    PingDataSync only uses the attribute-names setting for the PingDirectory server’s report-excluded-changelog-attributes property. It does not use the attribute-counts setting for the property.