PingDirectory

ACI bind rules

Bind rules are used to identify the set of requesters to which an ACI applies.

ACIs can have multiple bind rules to specify multiple conditions that can be satisfied. Bind rules can be combined using either the and or the or keyword such as userdn="ldap:///uid=admin,dc=example,dc=com or groupdn="ldap:///cn=administrators,ou=Groups,dc=example,dc=com. The not keyword is also used to negate the result of a bind rule.

userdn

The userdn bind rule is used to target a requester based on their authenticated identity. The value of this bind rule must be in the form of an Lightweight Directory Access Protocol (LDAP) URL although in some cases it might not actually be a valid URL (for example, because the distinguished name (DN) element is not actually a valid DN). The LDAP URL can take several forms, including:

  • It can have an LDAP URL that contains just a DN, without any wildcard, scope, or filter: “ldap:///uid=admin,dc=example,dc=com”.

  • It can contain an LDAP URL that contains a DN that has a pattern with asterisks as wildcards. Wildcards can be used as follows:

    • In place of an entire attribute value: userdn="ldap:///uid=*,ou=People,dc=example,dc=com

    • In place of a portion of an attribute value: userdn="ldap:///uid=admin-*,ou=People,dc=example,dc=com

    • In place of an attribute type: userdn="ldap:///*=jdoe,ou=People,dc=example,dc=com

    • In place of a single entire RDN component: userdn="ldap:///uid=admin,*,dc=example,dc=com

    • Two consecutive asterisks in place of any number of entire RDN components: userdn="ldap:///uid=admin,**,dc=example,dc=com

  • It can have an LDAP URL that contains a parameterized DN. See the Parameterized ACIs section for more information about this.

  • It can have an LDAP URL in which the DN is the string anyone: userdn="ldap:///anyone. This indicates that the ACI applies to any client, regardless of whether they are authenticated.

  • It can have an LDAP URL in which the DN is the string all: userdn="ldap:///all. This indicates that the ACI applies to any authenticated client (regardless of the authentication identity), but not to unauthenticated or anonymous clients.

  • It can have an LDAP URL in which the DN is the string self: userdn="ldap:///self. This indicates that the ACI applies to any operation in which the authenticated user is targeting their own entry.

  • It can have an LDAP URL in which the DN is the string parent: userdn="ldap:///parent. This indicates that the ACI applies to any operation that targets an entry whose immediate parent is the requester’s own entry. That is, it allows a requester to perform operations on entries immediately below their own.

  • It can be a full LDAP URL, including a base DN (without wildcards or parameterization), scope, and filter suh as userdn="ldap:///dc=example,dc=com??sub?(objectClass=person)".

The userdn bind rule can also contain multiple LDAP URLs. In that case, each URL should be separated by two consecutive vertical bar characters ||: (“userdn="ldap:///uid=jdoe,ou=People,dc=example, dc=com || uid=jpublic,ou=People,dc=example,dc=com"”).

The != operator can be used as an alternative to the = operator: userdn!="ldap:///uid=admin,ou=People,dc=example,dc=com". In that case, the bind rule matches if the provided value does not match the authenticated identity.

groupdn

The groupdn bind rule is used to target a requester based on their group membership. The value of this bind rule must be an LDAP URL, such as groupdn="ldap:///cn=Admin Users,ou=Groups,dc=example,dc=com". Only the DN element of the URL is used, and that DN must not contain any wildcards or parameterization.

The groupdn bind rule considers both direct group membership and nested membership such as if the user is a member of a group that is itself a member of a group listed in the groupdn value.

As with the userdn bind rule, the value of the groupdn bind rule can include multiple LDAP URLs separated by two consecutive vertical bar characters.

The != operator can be used as an alternative to the = operator: groupdn!="ldap:///cn=Administrators,ou=Groups,dc=example,dc=com". In that case, the bind rule matches if authenticated user is not a member of the specified group.

connectioncriteria

The connectioncriteria bind rule allows or denies an operation based on whether the client connection matches a given connection criteria definition.

If present in an access control rule, the operator must be either "=" or "!=". The value must be enclosed in quotation marks, and it must be the name or full DN of the configuration object that defines the desired connection criteria.

For example, you can use a modification like the following to allow any client matching the "Root Users and Topology Administrators" connection criteria to have full read and write access to entries below dc=example,dc=com:

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Full read and write access for
  administrators"; allow (read,search,compare,write)
  connectioncriteria="Root Users and Topology Administrators";)

secure

The secure bind rule allows or denies an operation based on whether the client is communicating with the server over a secure connection; for example, using LDAPS or StartTLS over LDAP.

If present in an access control rule, the operator must be either "=" or "!=", and the value must be either "true" or "false" including the quotation marks. With this in mind, the secure bind rule takes the following forms:

  • secure="true" indicates that the ACI will apply only if the connection was received over a secure connection.

  • secure="false" indicates that the ACI will only apply if the connection was received over a non-secure connection.

  • secure!="true" indicates that the ACI will apply only if the connection was received over a non-secure connection.

  • secure!="false" indicates that the ACI will apply only if the connection was received over a secure connection.

For example, you can use a modification like the following to allow users below dc=example,dc=com to update their own passwords over a secure connection:

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Allow users to update
  their own passwords over a secure connection"; allow (write)
  userdn="ldap:///self" and secure="true";)

userattr

The userattr bind rule can be used to target a requester based on their relation to the value of an attribute in the target entry. The value of the bind rule should contain the name of an attribute followed by the octothorpe character (#) and a keyword or attribute value.

There are four forms that userattr values can take:

  • An attribute name followed by an octothorpe and the keyword USERDN, which indicates that the specified attribute should have a value that matches the DN of the authenticated user. For example, userattr="manager#USERDN" can be used to allow an operation if it targets an entry whose manager attribute has a value that matches the DN of the authenticated user.

  • An attribute name followed by an octothorpe and the keyword GROUPDN, which indicates that the specified attribute should have a value that matches the DN of a group in which the authenticated user is a member. For example, userattr="allowedEditors#GROUPDN" can be used to allow an operation if it targets an entry whose allowedEditors attribute has a value that matches the DN of a group that contains the authenticated user either directly or indirectly through a nested group.

  • An attribute name followed by an octothorpe and the keyword LDAPURL, in which case the value of the specified attribute must be an LDAP URL that is compared against the authenticated user’s entry. For example, userattr="allowedEditorCriteria#LDAPURL" can be used to allow an operation if it targets an entry whose allowedEditorCriteria attribute has a value that is an LDAP URL whose base, scope, and filter matches the authenticated user’s entry.

  • An attribute name followed by an octothorpe and any value that is not one of USERDN, GROUPDN, or LDAPURL. In this case, that value is assumed to be an attribute value, and the operation can be authorized if both the authenticated user’s entry and the target user’s entry have that attribute value for the specified attribute. For example, userattr="ou#Sales" can be used to allow a user with an ou value of Sales to process operations against other users with an ou value of Sales.

When using the USERDN keyword, you can optionally specify a parent component to indicate that the target entry can be up to four levels below the authenticated user’s entry. In this case, the word parent should be followed by an opening square bracket ([), a comma-delimited list of digits between 0 and 4 (inclusive), a closing square bracket (]), a period, and the rest of the value. A value of zero matches if the attribute value contains a DN that matches that of the authenticated user, while A value of four matches if the attribute value contains a DN that is exactly four levels below the authenticated user’s entry. For example, userattr="parent[0,1,2,3,4].manager#USERDN" can be used to allow an operation if it targets a user whose manager attribute contains a value that matches the DN of the authenticated user or is up to four levels below that DN.

The != operator can be used as an alternative to the = operator such as userattr!="manager#USERDN". In that case, the bind rule matches if the provided value does not match for the authenticated user.

authmethod

The authmethod bind rule is used to target a requester based on the mechanism that they used to authenticate to the server. The value for this element can take one of the following forms:

none

This matches if the requester is not authenticated; authmethod="none".

simple

This matches if the requester authenticated using non-anonymous LDAP simple authentication; authmethod="simple".

ssl

This matches if the requester authenticated using a client certificate; authmethod="ssl". This is equivalent to authmethod="SASL EXTERNAL".

sasl <mechanisimName>

This matches if the requester authenticated using the specified SASL mechanism: authmethod="SASL PLAIN".

The ssl value does not necessarily match just because the client is communicating with the server over a secure connection. Instead, it only matches if the client authenticated to the server with a client certificate chain using the SASL EXTERNAL mechanism.

The != operator can be used as an alternative to the =operator: authmethod!="simple". In that case, the bind rule matches if the client is not authenticated using the specified mechanism.

ip

The ip bind rule can be used to target a requester based on the IP address of the client system. The value can be a comma-delimited list of any of the following IP address patterns:

  • A specific IPv4 address: ip="1.2.3.4".

  • An IPv4 address that uses the asterisk as a wildcard character to specify a range of addresses: ip="1.2.3.*".

  • An IPv4 address is followed by a plus sign and a subnet mask to specify a range of addresses: ip="1.2.3.0+255.255.255.0".

  • An IPv4 address using CIDR notation to specify a range of addresses: ip="1.2.3.0/24".

  • An IPv6 address as described in RFC 2373: ip="0:0:0:0:0:0:0:1". IPv6 shorthand notation is also allowed: ip="::1".

The != operator can be used as an alternative to the “=” operator: ip!="1.2.3.0/24". In that case, the bind rule matches if the client does not match the given IP address pattern.

dns

The dns bind rule can be used to target a requester based on a resolvable host name. The value can be a comma-delimited list of host names in either of the following forms:

  • A complete resolvable host name: dns="client.example.com".

  • A host name that uses the asterisk as a wildcard in the leftmost component: dns="*.example.com".

The != operator can be used as an alternative to the = operator: dns!="*.example.com". In that case, the bind rule matches if the client host name does not match the provided pattern.

In general, we do not recommend using the dns bind rule. DNS might be vulnerable to spoofing attacks, which could help an attacker gain unauthorized access to the system. Further, if name resolution is slow (for example, as a result of a network problem or an intentional denial of service attack), then that can adversely affect the performance of the PingDirectory server.

dayofweek

The dayofweek bind rule is used to make access control decisions based on the current day of the week, as determined by the server’s current time zone. The value should be a comma-delimited list containing one or more of the following values: sun, mon, tue, wed, thu, fri, sat. For example, dayofweek="mon,tue,wed,thu,fri".

The != operator can be used as an alternative to the = operator: dayofweek!="sat,sun". In that case, the bind rule matches if the current day of the week is not included in the provided list.

timeofday

The timeofday bind rule is used to make access control decisions based on the current time of the day, as determined by the server’s current time zone.

The value of this bind rule must be a four-digit number. The first two digits must represent the hour, with a value between 00 and 23. The last two digits must represent the minute, with a value between 00 and 59. For example, a value of 0123 represents a time of 1:23 a.m. in the server’s time zone.

The operator for this bind rule can be one of the following:

=

The bind rule matches if the current time has the same hour and minute as specified in the value: timeofday="0123".

!=

The bind rule matches if the current time has a different hour or minute than specified in the value: timeofday!="0123".

<

The bind rule matches if the current time is between midnight (inclusive) and the time specified in the value (exclusive). That is, if the current time is earlier in the day than the specified time: timeofday<"0123".

The bind rule matches if the current time is between midnight (inclusive) and the time specified in the value (inclusive). That is, if the current time is earlier in the day or the same as the specified time: timeofday⇐"0123".

>

The bind rule matches if the current time is between the time specified in the value (exclusive) and 11:59 p.m. (inclusive). That is, if the current time is later in the day than the specified time: timeofday>"0123".

>=

The bind rule matches if the current time is between the time specified in the value (inclusive) and 11:59 p.m. (inclusive). That is, if the current time is later in the day or the same as the specified time: timeofday>="0123".

oauthscope

The oauthscope bind rule is used to make access control decisions based on the set of scopes associated with an OAuth 2.0 access token that the client used to authenticate.

This bind rule is primarily used for clients that have authenticated with the OAUTHBEARER SASL mechanism or for clients that have authenticated to Delegated Admin using an OAuth token. It does not currently apply to clients using SCIM or the Directory REST API even if they have authenticated with an OAuth token.

The value for this bind rule might have one of the following forms:

  • It can be the name of a single scope to match: oauthscope="admin_user".

  • It can be a substring assertion that contains one or more asterisks to use as wildcards: oauthscope="admin_*".

  • It can be a single asterisk to indicate that any scope is sufficient: oauthscope="*".

The != operator can be used as an alternative to the = operator: oauthscope!="admin_user". In that case, the bind rule matches if the user does not have the specified scope.