PingDirectory

Changing the allow add ACI behavior for entries

You can require a bind user to have allow add permissions for all of an entry’s attributes before allowing them to add the entry to PingDirectory.

About this task

By default, a bind user can add an entry to PingDirectory if they have allow add permissions for at least one of the attributes in the entry. To increase your control over who is allowed to add entries to your PingDirectory datastore, you can enable the evaluate-target-attribute-rights-for-add-operations property.

Enabling this property causes PingDirectory to require a bind user to have an allow add access control instruction (ACI) for each attribute of the entry in the add request. If the bind user doesn’t meet this condition, or has a deny add ACI for any target attributes of the entry to be added, PingDirectory denies the add operation.

The evaluate-target-attribute-rights-for-add-operations property is disabled by default. Enabling this property causes PingDirectory to evaluate the targetattr portion of an access control rule for add operations.

Before enabling this property in a production environment, you should thoroughly test your existing access control configuration. You might discover cases where you need to add or augment access control rules to ensure that your authorized bind users can continue to add entries as expected.
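To make the difference between the two evaluation modes concrete, and to show the kind of check that helps with the pre-production review described above, here is an added example (not PingDirectory's own code or its ACI engine). It is a deliberately simplified model: each ACI is reduced to a bind DN, a targetattr set and an allow/deny flag, bind DNs are matched exactly, and a deny rule is assumed to take precedence over an allow rule for the same attribute. The provisioner DN, the ACIs and the entries are constructed sample data.

```python
"""Model of the add decision under evaluate-target-attribute-rights-for-add-operations.

Constructed, simplified illustration; it is not PingDirectory's ACI engine.
Each Aci collapses one access control rule to the fields that matter here.
"""
from dataclasses import dataclass

ALL_ATTRS = "*"  # stands for targetattr="*"


@dataclass(frozen=True)
class Aci:
    bind_dn: str           # userdn the rule applies to (assumed exact match)
    targetattr: frozenset  # attribute names the rule targets, or {ALL_ATTRS}
    allow: bool            # True for "allow (add)", False for "deny (add)"

    def targets(self, attr: str) -> bool:
        """True if this rule's targetattr covers the given attribute."""
        if ALL_ATTRS in self.targetattr:
            return True
        return attr.lower() in {a.lower() for a in self.targetattr}


def attribute_decision(acis, bind_dn, attr):
    """Effective add right for one attribute: 'deny', 'allow', or None.

    A deny rule takes precedence over any allow rule for the same attribute
    (an assumption of this model).
    """
    decision = None
    for aci in acis:
        if aci.bind_dn.lower() != bind_dn.lower() or not aci.targets(attr):
            continue
        if not aci.allow:
            return "deny"
        decision = "allow"
    return decision


def add_permitted(acis, bind_dn, entry_attrs, evaluate_target_attrs=False):
    """Decide whether bind_dn may add an entry with the given attributes.

    evaluate_target_attrs=False models the default: one attribute with an
    allow add right is enough. True models the property enabled: every
    attribute needs an allow add right and none may carry a deny.
    """
    decisions = [attribute_decision(acis, bind_dn, a) for a in entry_attrs]
    if evaluate_target_attrs:
        return all(d == "allow" for d in decisions)
    return any(d == "allow" for d in decisions)


def attributes_blocking_add(acis, bind_dn, entry_attrs):
    """Attributes that would make the add fail once the property is enabled.

    Each listed attribute either has no allow add rule or has a deny rule,
    so it is where the existing ACI set would need to be augmented.
    """
    return [a for a in entry_attrs
            if attribute_decision(acis, bind_dn, a) != "allow"]


# Constructed sample: a provisioning account that may add name attributes
# but is explicitly denied the password attribute.
PROVISIONER = "uid=provisioner,ou=people,dc=example,dc=com"
SAMPLE_ACIS = (
    Aci(PROVISIONER, frozenset({"cn", "sn", "objectClass"}), allow=True),
    Aci(PROVISIONER, frozenset({"userPassword"}), allow=False),
)

if __name__ == "__main__":
    for attrs in (["objectClass", "cn", "sn"],
                  ["objectClass", "cn", "sn", "mail"],
                  ["objectClass", "cn", "sn", "userPassword"]):
        print(attrs,
              "default:", add_permitted(SAMPLE_ACIS, PROVISIONER, attrs),
              "strict:", add_permitted(SAMPLE_ACIS, PROVISIONER, attrs, True),
              "blocking:", attributes_blocking_add(SAMPLE_ACIS, PROVISIONER, attrs))
```

Running the script shows the three cases side by side: an entry made only of attributes the provisioner may add passes in both modes; an entry that also carries mail passes by default but fails once the property is enabled, because mail has no allow add rule; an entry carrying userPassword also passes by default but fails in strict mode because of the deny rule. The attributes_blocking_add report is the kind of list you want from a review of your existing ACIs before flipping the property in production.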

Steps

  • Modify the evaluate-target-attribute-rights-for-add-operations property.

    Choose from:

    • Enable the property.

      $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:true
    • Disable the property.

      $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:false