PingDirectory

Client connection policy restrictions

Client connection policies can be used to set hard limits on what types of requests clients are allowed to issue.

This applies to all clients associated with the policy, regardless of what privileges they have and what access control rights they have been granted. If a client connection policy prohibits something, then not even root users or topology administrators are permitted to do it if they are using a connection associated with that policy.

The following client connection properties can be used to restrict the set of requests that clients can issue.

Property Description

allowed-operation

The types of operations that clients associated with the policy are allowed to request. Allowed values include any non-empty combination of the following: abandon, add, bind, compare, delete, extended, modify, modify-dn, and search. By default, all operation types are allowed.

required-operation-request-criteria

A set of criteria that requests must match in order to be processed by the server. If required operation request criteria is defined and a client associated with the policy issues a request that does not match that criteria, then the operation is rejected. By default, no required operation request criteria are defined.

prohibited-operation-request-criteria

A set of criteria that requests must not match in order to be processed by the server. If a prohibited operation request criteria is defined and a client associated with the policy issues a request matching that criteria, then the operation is rejected. By default, no prohibited operation request criteria are defined.

prohibited-operation-request-criteria

A set of criteria that requests must not match in order to be processed by the server. If a prohibited operation request criteria is defined and a client associated with the policy issues a request matching that criteria, then the operation is rejected. By default, no prohibited operation request criteria are defined.

allowed-request-control

The OIDs of the controls that clients associated with the policy will be allowed to include in requests. If any allowed request control OIDs are defined, then any request that contains a control other than one of those listed is rejected. By default, no allowed request control OIDs are defined, which indicates that any control not included in the set of denied request controls is permitted.

denied-request-control

The OIDs of the controls that clients associated with the policy are not allowed to include in requests. If any denied request control OIDs are defined, then any request that contains a control whose OID is contained in this set IS rejected. By default, no denied request control OIDs are defined.

allowed-extended-operation

The OIDs of the extended operations that clients are allowed to request. If any allowed extended operation OIDs are defined, then any extended request that uses an OID other than one of those listed is rejected. By default, no allowed extended operation OIDs are defined, which indicates that any request not included in the set of denied extended operations is permitted.

denied-extended-operation

The OIDs of the extended operations that clients are not allowed to request. If any denied extended operation OIDs are defined, then any request that contains a control whose OID is included in this set is rejected. By default, no denied extended operation OIDs are defined.

allowed-auth-type

The types of authentication that clients are allowed to request. Allowed values include simple and sasl, and both are allowed by default.

allowed-sasl-mechanism

The names of the SASL mechanisms that clients are allowed to use to authenticate. If any allowed SASL mechanism names are defined, then any SASL bind attempt that uses a mechanism not included in this list is rejected. By default, no allowed SASL mechanism names are defined, which indicates that any SASL mechanism not included in the set of denied mechanisms is permitted.

denied-sasl-mechanism

The names of the SASL mechanisms that clients are not allowed to use to authenticate. If any denied SASL mechanism names are defined, then any SASL bind attempt that uses one of those mechanisms is rejected. By default, no denied SASL mechanism names are defined.

allowed-filter-type

The types of search filters that clients are allowed to use for searches with a scope other than baseObject (searches with a baseObject scope are allowed to use any kind of filter, as those searches are always be efficient to process). Allowed values include any non-empty combination of the following: and, or, not, compare, equality, sub-initial, sub-any, sub-final, greater-or-equal, less-or-equal, present, approximate-match, and extensible-match. By default, all filter types are allowed.

minimum-substring-length

The minimum number of consecutive non-wildcard bytes that must be present in each subInitial, subAny, and subFinal element of a substring filter component. Any attempt to use a substring filter with an element containing fewer than this number of non-wildcard bytes is rejected. By default, no minimum substring length is enforced.

allow-unindexed-searches

Indicates whether clients associated with the policy are allowed to request unindexed searches. If this is set to true (which is the default), then unindexed search operations are permitted in cases in which at least one of the following is true:

  • The requester has the unindexed-search privilege.

  • The unindexed-search privilege is disabled in the global configuration.

  • The requester has the unindexed-search-with-control privilege and the request includes the permit unindexed search request control.

  • The unindexed-search-with-control privilege is disabled in the global configuration and the request includes the permit unindexed search request control.

allow-unindexed-searches-with-control

Indicates whether clients associated with the policy are allowed to request unindexed searches as long as the request also includes the permit unindexed search request control. If this is set to true (which is the default), then unindexed search operations are permitted in cases in which the requester has either the unindexed-search privilege or the unindexed-search-with-control privilege (or at least one of those privileges is disabled in the global configuration) and the request includes the permit unindexed search request control.

If this property is set to true, then unindexed searches can be allowed for authorized requests that include the permit unindexed search request control even if the allow-unindexed-searches property is set to false.