PingDirectory

ACI rights

The rights section of an ACI defines the permissions that are granted or denied to requesters identified by the bind rule for operations against the data specified by the target.

Every ACI must allow or deny one or more rights.

read

The read right covers access to attributes within search result entries. If a client does not have the read right for an attribute in a search result entry, then it is stripped out of the entry when it is returned to the client.

search

The search right covers permission to use attributes in a search filter. When performing a search (regardless of its scope), the requester must have search permission for all attributes in the filter.

If the requester has search permission for all attributes used in the filter, but only for a portion of the subtree used as the scope for the search, then only entries that reside in portions of the DIT where the search right is granted can be retrieved. For example, if a user has the search right for the cn attribute below ou=People,dc=example,dc=com, then a search based at dc=example,dc=com with a filter that contains the cn attribute only returns matching entries below ou=People,dc=example,dc=com even if there are other entries matching the filter below dc=example,dc=com but outside of ou=People,dc=example,dc=com.

compare

The compare right covers permission to perform a compare assertion for a specified set of attributes.

A compare assertion includes an entry DN, an attribute name, and an assertion value. If the specified entry has the given attribute with the provided assertion value, then the server returns a result of compareTrue (result code 6). If the entry does not have the indicated attribute value, then the server returns a result of compareFalse (result code 5). However, if the requester does not have permission to perform that compare assertion, then the server returns a result of insufficientAccessRights (result code 50).

write

The write right covers permission to update attributes in an entry. This includes modify operations, and it also includes modify DN operations that do not specify a newSuperior (that is, modify distinguished name (DN) operations that only attempt to rename an entry and do not attempt to move it beneath a new parent). This does not include adding new entries or deleting existing entries.

selfwrite

The selfwrite right is a limited subset of the write permission. It covers permission for a user to add their own DN to the set of values for specified attributes or for a user to remove their own DN from the set of values for those attributes. This is typically used to allow a user to add themselves to or remove themselves from static groups.

The selfwrite right should only be used for attributes that have a syntax of either distinguished name or name and optional UID. Attempts to use it for attributes with other syntaxes can fail or result in unexpected behavior.

add

The add right covers permission to add new entries to the server. The requester must have add permission for at least one attribute included in the entry to be added.

delete

The delete right covers permission to remove entries from the server. For the delete operation, the requester only needs to have the delete right for the target entry and not for individual attributes within the entry. However, the server enforces any targattrfilters restrictions for attribute values contained in the entry to be deleted. If a targattrfilters restriction is used to limit the set of values that the requester can delete, then they are only allowed to delete entries containing those values.

export and import

Although you might assume otherwise from their names, the export and import rights do not have any relation to exporting data to LDIF or importing data from LDIF. Instead, these rights cover permission to move entries within the DIT (using a modify DN operation that includes a newSuperior). The export right is required to move an entry out from under its current parent, and the import right is required to move the entry below its new parent.

These rights are not required to perform a modify DN operation that does not attempt to move the entry below a new parent. That is covered by the write right.

all

The all right is a shorthand notation that includes the capabilities of all of the other access control rights except the proxy right. Using the all right is equivalent to using read, search, compare, write, selfwrite, add, delete, export, and import.

proxy

The proxy right covers the ability to process an operation under the authority of an alternate authorization identity. This includes:

  • Requests that include a proxied authorization request control

  • Requests that include an intermediate client request control with a userIdentity

  • SASL bind requests that request an alternate authorization identity

Because the ability to impersonate another user is a very sensitive operation, the proxy right alone is not sufficient: the requester must also have the proxied-auth privilege for the operation to be allowed.
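The rights described above, from read through proxy, as an added example that is not PingDirectory's own code: a small Python auditor that parses the allow and deny clauses of ACI values, expands the all keyword into its nine constituent rights (proxy excluded, so a proxy grant has to be explicit), and lists the rights a reviewer should look at before the ACI goes into production. The ACI layout it parses, the sample ACIs and the dc=example,dc=com DNs are assumptions constructed for illustration.

```python
"""Rights audit for ACI values.

Added example, not PingDirectory code. It assumes ACI values use the
"(targetattr=...)(version 3.0; acl "name"; allow (rights) bindrule;)"
form; the sample ACIs and the dc=example,dc=com DNs below are constructed
for illustration.
"""
import re

# The nine rights the "all" keyword stands for; proxy is not among them.
ALL_RIGHTS = frozenset(
    ("read", "search", "compare", "write", "selfwrite",
     "add", "delete", "export", "import")
)

# Rights that change or move data, or let a requester act as someone else.
SENSITIVE = frozenset(("write", "add", "delete", "export", "import", "proxy"))

# Matches each permission clause: allow (read,search) ... / deny (write) ...
PERMISSION_RE = re.compile(r"\b(allow|deny)\s*\(([^)]*)\)", re.IGNORECASE)
ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.IGNORECASE)


def expand_rights(rights):
    """Normalise a comma-separated rights list; 'all' becomes the nine rights."""
    out = set()
    for r in rights.split(","):
        r = r.strip().lower()
        if r == "all":
            out |= ALL_RIGHTS
        elif r:
            out.add(r)
    return out


def parse_aci(aci):
    """Return (acl name, allowed rights, denied rights) for one ACI value."""
    m = ACL_NAME_RE.search(aci)
    name = m.group(1) if m else "<unnamed>"
    allowed, denied = set(), set()
    for kind, rights in PERMISSION_RE.findall(aci):
        bucket = allowed if kind.lower() == "allow" else denied
        bucket |= expand_rights(rights)  # in-place update of allowed/denied
    return name, allowed, denied


def audit(acis):
    """One finding per ACI: rights granted, rights denied, and what to review."""
    findings = []
    for aci in acis:
        name, allowed, denied = parse_aci(aci)
        findings.append({
            "acl": name,
            "allowed": sorted(allowed),
            "denied": sorted(denied),
            # 'all' never includes proxy, so a proxy grant must be explicit.
            "grants_proxy": "proxy" in allowed,
            "review": sorted(allowed & SENSITIVE),
        })
    return findings


# Constructed sample ACIs, one per group of rights discussed on this page.
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "Self read"; '
    'allow (read,search,compare) userdn="ldap:///self";)',
    # selfwrite on a DN-syntax attribute: users join or leave static groups.
    '(target="ldap:///cn=*,ou=Groups,dc=example,dc=com")(targetattr="member")'
    '(version 3.0; acl "Self-join groups"; allow (selfwrite) userdn="ldap:///all";)',
    # export/import: modify DN with newSuperior, i.e. moving entries.
    '(target="ldap:///ou=People,dc=example,dc=com")(version 3.0; acl "Move people"; '
    'allow (export,import) groupdn="ldap:///cn=Directory Admins,ou=Groups,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "Directory admins"; '
    'allow (all) groupdn="ldap:///cn=Directory Admins,ou=Groups,dc=example,dc=com";)',
    '(targetattr="uid")(version 3.0; acl "Protect uid"; deny (write) userdn="ldap:///self";)',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACIS):
        print(f"{f['acl']}: allow={f['allowed']} deny={f['denied']} review={f['review']}")
```

Run it against the aci values from an LDIF export of your own suffix (one string per value) and look first at any finding whose review list contains export, import or proxy: those are the grants that move entries between parents or let a requester act as someone else, and they are easy to overlook when an ACI was written with the all keyword in mind.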

Changing the allow add ACI behavior for entries

You can require a bind user to have allow add permissions for all of an entry’s attributes before allowing them to add the entry to PingDirectory.

About this task

By default, a bind user can add an entry to PingDirectory if they have allow add permissions for at least one of the attributes in the entry. To increase your control over who is allowed to add entries to your PingDirectory datastore, you can enable the evaluate-target-attribute-rights-for-add-operations property.

Enabling this property causes PingDirectory to require a bind user to have an allow add access control instruction (ACI) for each attribute of the entry in the add request. If the bind user doesn’t meet this condition, or has a deny add ACI for any target attributes of the entry to be added, PingDirectory denies the add operation.

The evaluate-target-attribute-rights-for-add-operations property is disabled by default. Enabling this property causes PingDirectory to evaluate the targetattr portion of an access control rule for add operations.

Before enabling this property in a production environment, you should thoroughly test your existing access control configuration. You might discover cases where you need to add or augment access control rules to ensure that your authorized bind users can continue to add entries as expected.

Steps

  • Modify the evaluate-target-attribute-rights-for-add-operations property.

    Choose from:

    • Enable the property.

      $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:true

    • Disable the property.

      $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:false