ACI bind rules
Bind rules are used to identify the set of requesters to which an ACI applies.
ACIs can have multiple bind rules to specify multiple conditions that can be satisfied. Bind rules can be combined using either the and
or the or
keyword such as userdn="ldap:///uid=admin,dc=example,dc=com
or groupdn="ldap:///cn=administrators,ou=Groups,dc=example,dc=com
. The not
keyword is also used to negate the result of a bind rule.
userdn
The userdn
bind rule is used to target a requester based on their authenticated identity. The value of this bind rule must be in the form of an Lightweight Directory Access Protocol (LDAP) URL although in some cases it might not actually be a valid URL (for example, because the distinguished name (DN) element is not actually a valid DN). The LDAP URL can take several forms, including:
-
It can have an LDAP URL that contains just a DN, without any wildcard, scope, or filter:
“ldap:///uid=admin,dc=example,dc=com”
. -
It can contain an LDAP URL that contains a DN that has a pattern with asterisks as wildcards. Wildcards can be used as follows:
-
In place of an entire attribute value:
userdn="ldap:///uid=*,ou=People,dc=example,dc=com
-
In place of a portion of an attribute value:
userdn="ldap:///uid=admin-*,ou=People,dc=example,dc=com
-
In place of an attribute type:
userdn="ldap:///*=jdoe,ou=People,dc=example,dc=com
-
In place of a single entire RDN component:
userdn="ldap:///uid=admin,*,dc=example,dc=com
-
Two consecutive asterisks in place of any number of entire RDN components:
userdn="ldap:///uid=admin,**,dc=example,dc=com
-
-
It can have an LDAP URL that contains a parameterized DN. See the Parameterized ACIs section for more information about this.
-
It can have an LDAP URL in which the DN is the string
anyone
:userdn="ldap:///anyone
. This indicates that the ACI applies to any client, regardless of whether they are authenticated. -
It can have an LDAP URL in which the DN is the string
all
:userdn="ldap:///all
. This indicates that the ACI applies to any authenticated client (regardless of the authentication identity), but not to unauthenticated or anonymous clients. -
It can have an LDAP URL in which the DN is the string
self
:userdn="ldap:///self
. This indicates that the ACI applies to any operation in which the authenticated user is targeting their own entry. -
It can have an LDAP URL in which the DN is the string
parent
:userdn="ldap:///parent
. This indicates that the ACI applies to any operation that targets an entry whose immediate parent is the requester’s own entry. That is, it allows a requester to perform operations on entries immediately below their own. -
It can be a full LDAP URL, including a base DN (without wildcards or parameterization), scope, and filter suh as
userdn="ldap:///dc=example,dc=com??sub?(objectClass=person)"
.
The userdn
bind rule can also contain multiple LDAP URLs. In that case, each URL should be separated by two consecutive vertical bar characters ||
: (“userdn="ldap:///uid=jdoe,ou=People,dc=example, dc=com || uid=jpublic,ou=People,dc=example,dc=com"”)
.
The !=
operator can be used as an alternative to the =
operator: userdn!="ldap:///uid=admin,ou=People,dc=example,dc=com"
. In that case, the bind rule matches if the provided value does not match the authenticated identity.
groupdn
The groupdn
bind rule is used to target a requester based on their group membership. The value of this bind rule must be an LDAP URL, such as groupdn="ldap:///cn=Admin Users,ou=Groups,dc=example,dc=com"
. Only the DN element of the URL is used, and that DN must not contain any wildcards or parameterization.
The groupdn
bind rule considers both direct group membership and nested membership such as if the user is a member of a group that is itself a member of a group listed in the groupdn
value.
As with the userdn
bind rule, the value of the groupdn
bind rule can include multiple LDAP URLs separated by two consecutive vertical bar characters.
The !=
operator can be used as an alternative to the =
operator: groupdn!="ldap:///cn=Administrators,ou=Groups,dc=example,dc=com"
. In that case, the bind rule matches if authenticated user is not a member of the specified group.
connectioncriteria
The connectioncriteria
bind rule allows or denies an operation based on whether the client connection matches a given connection criteria definition.
If present in an access control rule, the operator must be either "=
" or "!=
". The value must be enclosed in quotation marks, and it must be the name or full DN of the configuration object that defines the desired connection criteria.
For example, you can use a modification like the following to allow any client matching the "Root Users and Topology Administrators" connection criteria to have full read and write access to entries below dc=example,dc=com
:
dn: dc=example,dc=com changetype: modify add: aci aci: (targetattr="*")(version 3.0; acl "Full read and write access for administrators"; allow (read,search,compare,write) connectioncriteria="Root Users and Topology Administrators";)
secure
The secure
bind rule allows or denies an operation based on whether the client is communicating with the server over a secure connection; for example, using LDAPS or StartTLS over LDAP.
If present in an access control rule, the operator must be either "=
" or "!=
", and the value must be either "true"
or "false"
including the quotation marks. With this in mind, the secure
bind rule takes the following forms:
-
secure="true"
indicates that the ACI will apply only if the connection was received over a secure connection. -
secure="false"
indicates that the ACI will only apply if the connection was received over a non-secure connection. -
secure!="true"
indicates that the ACI will apply only if the connection was received over a non-secure connection. -
secure!="false"
indicates that the ACI will apply only if the connection was received over a secure connection.
For example, you can use a modification like the following to allow users below dc=example,dc=com
to update their own passwords over a secure connection:
dn: dc=example,dc=com changetype: modify add: aci aci: (targetattr="userPassword")(version 3.0; acl "Allow users to update their own passwords over a secure connection"; allow (write) userdn="ldap:///self" and secure="true";)
userattr
The userattr bind rule can be used to target a requester based on their relation to the value of an attribute in the target entry. The value of the bind rule should contain the name of an attribute followed by the octothorpe character (#) and a keyword or attribute value.
There are four forms that userattr values can take:
-
An attribute name followed by an octothorpe and the keyword
USERDN
, which indicates that the specified attribute should have a value that matches the DN of the authenticated user. For example,userattr="manager#USERDN"
can be used to allow an operation if it targets an entry whose manager attribute has a value that matches the DN of the authenticated user. -
An attribute name followed by an octothorpe and the keyword
GROUPDN
, which indicates that the specified attribute should have a value that matches the DN of a group in which the authenticated user is a member. For example,userattr="allowedEditors#GROUPDN"
can be used to allow an operation if it targets an entry whoseallowedEditors
attribute has a value that matches the DN of a group that contains the authenticated user either directly or indirectly through a nested group. -
An attribute name followed by an octothorpe and the keyword
LDAPURL
, in which case the value of the specified attribute must be an LDAP URL that is compared against the authenticated user’s entry. For example,userattr="allowedEditorCriteria#LDAPURL"
can be used to allow an operation if it targets an entry whoseallowedEditorCriteria
attribute has a value that is an LDAP URL whose base, scope, and filter matches the authenticated user’s entry. -
An attribute name followed by an octothorpe and any value that is not one of
USERDN
,GROUPDN
, orLDAPURL
. In this case, that value is assumed to be an attribute value, and the operation can be authorized if both the authenticated user’s entry and the target user’s entry have that attribute value for the specified attribute. For example,userattr="ou#Sales"
can be used to allow a user with an ou value ofSales
to process operations against other users with an ou value ofSales
.
When using the USERDN
keyword, you can optionally specify a parent component to indicate that the target entry can be up to four levels below the authenticated user’s entry. In this case, the word parent should be followed by an opening square bracket ([), a comma-delimited list of digits between 0 and 4 (inclusive), a closing square bracket (]), a period, and the rest of the value. A value of zero matches if the attribute value contains a DN that matches that of the authenticated user, while A value of four matches if the attribute value contains a DN that is exactly four levels below the authenticated user’s entry. For example, userattr="parent[0,1,2,3,4].manager#USERDN"
can be used to allow an operation if it targets a user whose manager attribute contains a value that matches the DN of the authenticated user or is up to four levels below that DN.
The !=
operator can be used as an alternative to the =
operator such as userattr!="manager#USERDN"
. In that case, the bind rule matches if the provided value does not match for the authenticated user.
authmethod
The authmethod
bind rule is used to target a requester based on the mechanism that they used to authenticate to the server. The value for this element can take one of the following forms:
none
-
This matches if the requester is not authenticated;
authmethod="none"
. simple
-
This matches if the requester authenticated using non-anonymous LDAP simple authentication;
authmethod="simple"
. ssl
-
This matches if the requester authenticated using a client certificate;
authmethod="ssl"
. This is equivalent toauthmethod="SASL EXTERNAL"
. sasl <mechanisimName>
-
This matches if the requester authenticated using the specified SASL mechanism:
authmethod="SASL PLAIN"
.
The |
The !=
operator can be used as an alternative to the =
operator: authmethod!="simple"
. In that case, the bind rule matches if the client is not authenticated using the specified mechanism.
ip
The ip bind rule can be used to target a requester based on the IP address of the client system. The value can be a comma-delimited list of any of the following IP address patterns:
-
A specific IPv4 address:
ip="1.2.3.4"
. -
An IPv4 address that uses the asterisk as a wildcard character to specify a range of addresses:
ip="1.2.3.*"
. -
An IPv4 address is followed by a plus sign and a subnet mask to specify a range of addresses:
ip="1.2.3.0+255.255.255.0"
. -
An IPv4 address using CIDR notation to specify a range of addresses:
ip="1.2.3.0/24"
. -
An IPv6 address as described in RFC 2373:
ip="0:0:0:0:0:0:0:1"
. IPv6 shorthand notation is also allowed:ip="::1"
.
The !=
operator can be used as an alternative to the “=” operator: ip!="1.2.3.0/24"
. In that case, the bind rule matches if the client does not match the given IP address pattern.
dns
The dns
bind rule can be used to target a requester based on a resolvable host name. The value can be a comma-delimited list of host names in either of the following forms:
-
A complete resolvable host name:
dns="client.example.com"
. -
A host name that uses the asterisk as a wildcard in the leftmost component:
dns="*.example.com"
.
The !=
operator can be used as an alternative to the =
operator: dns!="*.example.com"
. In that case, the bind rule matches if the client host name does not match the provided pattern.
In general, we do not recommend using the dns
bind rule. DNS might be vulnerable to spoofing attacks, which could help an attacker gain unauthorized access to the system. Further, if name resolution is slow (for example, as a result of a network problem or an intentional denial of service attack), then that can adversely affect the performance of the PingDirectory server.
dayofweek
The dayofweek
bind rule is used to make access control decisions based on the current day of the week, as determined by the server’s current time zone. The value should be a comma-delimited list containing one or more of the following values: sun
, mon
, tue
, wed
, thu
, fri
, sat
. For example, dayofweek="mon,tue,wed,thu,fri"
.
The !=
operator can be used as an alternative to the =
operator: dayofweek!="sat,sun"
. In that case, the bind rule matches if the current day of the week is not included in the provided list.
timeofday
The timeofday
bind rule is used to make access control decisions based on the current time of the day, as determined by the server’s current time zone.
The value of this bind rule must be a four-digit number. The first two digits must represent the hour, with a value between 00
and 23
. The last two digits must represent the minute, with a value between 00
and 59
. For example, a value of 0123
represents a time of 1:23 a.m. in the server’s time zone.
The operator for this bind rule can be one of the following:
=
-
The bind rule matches if the current time has the same hour and minute as specified in the value:
timeofday="0123"
. !=
-
The bind rule matches if the current time has a different hour or minute than specified in the value:
timeofday!="0123"
. <
-
The bind rule matches if the current time is between midnight (inclusive) and the time specified in the value (exclusive). That is, if the current time is earlier in the day than the specified time:
timeofday<"0123"
. ⇐
-
The bind rule matches if the current time is between midnight (inclusive) and the time specified in the value (inclusive). That is, if the current time is earlier in the day or the same as the specified time:
timeofday⇐"0123"
. >
-
The bind rule matches if the current time is between the time specified in the value (exclusive) and 11:59 p.m. (inclusive). That is, if the current time is later in the day than the specified time:
timeofday>"0123"
. >=
-
The bind rule matches if the current time is between the time specified in the value (inclusive) and 11:59 p.m. (inclusive). That is, if the current time is later in the day or the same as the specified time:
timeofday>="0123"
.
oauthscope
The oauthscope
bind rule is used to make access control decisions based on the set of scopes associated with an OAuth 2.0 access token that the client used to authenticate.
This bind rule is primarily used for clients that have authenticated with the OAUTHBEARER SASL mechanism or for clients that have authenticated to Delegated Admin using an OAuth token. It does not currently apply to clients using SCIM or the Directory REST API even if they have authenticated with an OAuth token.
The value for this bind rule might have one of the following forms:
-
It can be the name of a single scope to match:
oauthscope="admin_user"
. -
It can be a substring assertion that contains one or more asterisks to use as wildcards:
oauthscope="admin_*"
. -
It can be a single asterisk to indicate that any scope is sufficient:
oauthscope="*"
.
The !=
operator can be used as an alternative to the =
operator: oauthscope!="admin_user"
. In that case, the bind rule matches if the user does not have the specified scope.