Changing the allow add ACI behavior for entries
You can require a bind user to have allow add permissions for all of an entry's attributes before PingDirectory lets them add the entry.
About this task
By default, a bind user can add an entry to PingDirectory if they have allow add permissions for at least one of the attributes in the entry. To increase your control over who can add entries to your PingDirectory datastore, enable the evaluate-target-attribute-rights-for-add-operations property.
Enabling this property causes PingDirectory to require a bind user to have an allow add access control instruction (ACI) for every attribute of the entry in the add request. If the bind user doesn't meet this condition, or has a deny add ACI for any target attribute of the entry to be added, PingDirectory denies the add operation.
Before enabling this property in a production environment, thoroughly test your existing access control configuration. You might discover cases where you need to add or augment access control rules so that your authorized bind users can continue to add entries as expected.
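The following is an added illustration, not code from PingDirectory or this page: a small Python model of the two evaluation modes described above, so you can see which attributes of a planned add would fail before you flip the property on a test server. The rules, bind DNs and LDIF entry are constructed for the example; real ACIs carry targets, bind rules, scopes and precedence that this model does not reproduce, and it assumes (as in LDAP ACI semantics generally) that a deny on an attribute overrides an allow on the same attribute in either mode.

```python
"""Model of allow add / deny add evaluation for an LDAP add request.

strict=False models PingDirectory's default: the add is permitted when at
least one attribute in the entry carries an allow add right.
strict=True models evaluate-target-attribute-rights-for-add-operations:true:
every attribute must carry allow add and none may carry deny add.

This is a simplified, added example and not PingDirectory's access control
handler. Assumption: a deny on an attribute overrides an allow on it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AddRule:
    """One constructed ACI reduced to what matters for an add: who, allow or
    deny, and which attributes it targets ('*' means every attribute)."""
    bind_dn: str
    effect: str          # "allow" or "deny"
    attrs: frozenset     # attribute names, or frozenset({"*"})

    def targets(self, attr):
        return "*" in self.attrs or attr in self.attrs


def attribute_rights(bind_dn, rules, attr):
    """Effects that apply to one attribute for the bind user, e.g. {"allow"}."""
    return {r.effect for r in rules if r.bind_dn == bind_dn and r.targets(attr)}


def attrs_from_ldif(ldif_text):
    """Attribute names of an LDIF add entry, in order, without duplicates.
    Skips the dn line, comments and continuation lines."""
    names = []
    for line in ldif_text.splitlines():
        if not line or line.startswith("#") or line.startswith(" "):
            continue
        name = line.split(":", 1)[0].strip()
        if name.lower() != "dn" and name not in names:
            names.append(name)
    return names


def evaluate_add(bind_dn, attrs, rules, strict):
    """Decide an add request for the given attribute names.

    Returns (permitted, missing_allow, denied): the two lists name the
    attributes an administrator would need to cover with new allow rules
    or free of deny rules before strict mode accepts the add."""
    missing_allow, denied = [], []
    for attr in attrs:
        rights = attribute_rights(bind_dn, rules, attr)
        if "deny" in rights:
            denied.append(attr)
        if "allow" not in rights:
            missing_allow.append(attr)
    if strict:
        permitted = not missing_allow and not denied
    else:
        usable = [a for a in attrs if a not in missing_allow and a not in denied]
        permitted = bool(usable)
    return permitted, missing_allow, denied


# Constructed sample rules: a provisioning account may add the usual
# inetOrgPerson naming attributes but not userPassword, and is explicitly
# denied on employeeType; an admin account may add everything.
PROVISIONER = "uid=provisioner,ou=People,dc=example,dc=com"
ADMIN = "uid=admin,ou=People,dc=example,dc=com"
RULES = [
    AddRule(PROVISIONER, "allow", frozenset({"objectClass", "uid", "cn", "sn", "mail"})),
    AddRule(PROVISIONER, "deny", frozenset({"employeeType"})),
    AddRule(ADMIN, "allow", frozenset({"*"})),
]

# Constructed LDIF for the entry the provisioner wants to add.
NEW_USER_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: Example-Pass-1
"""


if __name__ == "__main__":
    attrs = attrs_from_ldif(NEW_USER_LDIF)
    for strict in (False, True):
        ok, missing, denied = evaluate_add(PROVISIONER, attrs, RULES, strict)
        print(f"strict={strict}: permitted={ok} missing_allow={missing} denied={denied}")
```

Running it shows the change in behaviour the property introduces: with the default evaluation the provisioner's add succeeds because cn, sn and the other attributes are allowed, while in strict mode the same request is refused and the output names userPassword as the attribute that needs an allow add rule (or needs to be dropped from the request).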
Steps
- Modify the evaluate-target-attribute-rights-for-add-operations property. Choose from:
  - Enable the property.
    $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:true
  - Disable the property.
    $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:false