Restricting access through operational attributes in user entries
The PingDirectory server also defines several operational attributes that can be placed in user entries to restrict the context in which the account can be used. These attributes include the following.
| Attribute | Description |
|---|---|
| | Can be used to provide a set of address masks, in the same format used by the allowed-client property in the connection handler configuration, to indicate which clients are allowed to authenticate as the user. If any allowed addresses are defined and a client attempts to authenticate as the user from an address that does not match one of these patterns, then the bind attempt is rejected. |
| | Can be used to restrict the ways in which the user can authenticate to the server. Values can be either |
| | Can be used to indicate whether the user is required to authenticate to the server in a secure manner that does not reveal the credentials to a network observer, whether by authenticating over a secure connection or by using an authentication mechanism that protects the credentials in transit. If this is set to true and a client attempts to authenticate as the user in an insecure manner, then the bind attempt is rejected. |
| | Can be used to indicate whether the user is required to communicate with the server over an encrypted connection. While this is similar to the |
| | Indicates whether the user's account can be used as an alternate authorization identity, such as through the proxied authorization request control or as the authorization identity of a SASL bind. Values of this attribute can be one of the following: |
| ds-auth-is-proxyable-by | The distinguished names (DNs) of the users that are allowed to request this account as an alternate authorization identity. If one or more ds-auth-is-proxyable-by values are configured, then any attempt to proxy as the user from an account whose DN is not listed is rejected. |
| | The DNs of the groups whose members are allowed to request this account as an alternate authorization identity. If one or more group DNs are provided, then any attempt to proxy as the user from an account that is not a member of any of those groups is rejected. |
| | A set of LDAP URLs that identify the users allowed to request this account as an alternate authorization identity. If one or more LDAP URLs are provided, then any attempt to proxy as the user from an account that does not match the criteria of any of those URLs is rejected. |
| | The DNs of the accounts that the user can request as an alternate authorization identity. If one or more |
| | The DNs of the groups whose members can be used as alternate authorization identities by the user. If one or more group DNs are provided and the user attempts to proxy as an account that is not a member of any of those groups, then that attempt is rejected. |
| | A set of LDAP URLs that identify the accounts that the user can request as an alternate authorization identity. If one or more LDAP URLs are provided, then an attempt to proxy as an account whose entry does not match the criteria of any of those URLs is rejected. |
These operational attributes can be set as real or virtual attributes in the target user’s entry.
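To make the proxied-authorization rules in the table concrete, here is an added Python model of the decision (example code, not PingDirectory's own implementation). It covers the ds-auth-is-proxyable-by rule named on the page and the group-membership rule whose attribute name the page does not show (held in a field called `proxyable_by_group`, a constructed name), and it assumes that every configured restriction must be satisfied, since the page describes each rule on its own.

```python
from dataclasses import dataclass, field


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: trim whitespace around RDNs and fold case.
    Comparing raw strings would let 'CN=Admin, ...' slip past a list holding 'cn=admin,...'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class UserEntry:
    dn: str
    # Values of ds-auth-is-proxyable-by: DNs of accounts allowed to proxy as this user.
    proxyable_by: list[str] = field(default_factory=list)
    # DNs of groups whose members may proxy as this user (attribute name not on the page;
    # the field name here is constructed for the example).
    proxyable_by_group: list[str] = field(default_factory=list)


def may_proxy_as(target: UserEntry, requester_dn: str, requester_groups: list[str]) -> tuple[bool, str]:
    """Decide whether requester_dn may use target as an alternate authorization identity.

    Each configured restriction is checked independently: a non-empty list that the
    requester does not satisfy causes rejection, an empty list imposes no restriction.
    Assumption: configured restrictions are ANDed together.
    Returns (allowed, reason) so the reason can be logged by the caller.
    """
    requester = normalize_dn(requester_dn)

    if target.proxyable_by:
        allowed_dns = {normalize_dn(d) for d in target.proxyable_by}
        if requester not in allowed_dns:
            return False, "requester DN is not listed in ds-auth-is-proxyable-by"

    if target.proxyable_by_group:
        allowed_groups = {normalize_dn(g) for g in target.proxyable_by_group}
        member_of = {normalize_dn(g) for g in requester_groups}
        if not allowed_groups & member_of:
            return False, "requester is not a member of any permitted group"

    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample entry: only the proxy service account may proxy as this user.
    svc = UserEntry(dn="uid=svc,ou=people,dc=example,dc=com",
                    proxyable_by=["uid=proxy,ou=apps,dc=example,dc=com"])
    print(may_proxy_as(svc, "UID=Proxy, ou=apps, dc=example, dc=com", []))
    print(may_proxy_as(svc, "uid=other,ou=apps,dc=example,dc=com", []))
```

An entry with neither list set is proxyable by anyone, so an audit of who may proxy as privileged accounts should treat the absence of these values as the permissive case.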