PingDirectory

Simple connection criteria

Simple connection criteria is used to match client connections based on a broad set of properties.

These properties include the following.


included-client-address

An optional set of address masks (in the form used by the connection handler’s allowed-client property) that can be used to identify connections that can match this criteria based on the client address.

excluded-client-address

An optional set of address masks (in the form used by the connection handler’s allowed-client property) that can be used to identify connections that do not match this criteria based on the client address.

included-connection-handler

An optional set of connection handlers whose connections can match this criteria.

excluded-connection-handler

An optional set of connection handlers whose connections do not match this criteria.

included-protocol

An optional set of the communication protocols for connections that might match this criteria.

excluded-protocol

An optional set of the communication protocols for connections that do not match this criteria.

communication-security-level

The communication security level that can be used by connections that might match this criteria. Possible values include:

secure-only

Indicates that this criteria only matches clients that are communicating with the server over a secure connection.

insecure-only

Indicates that this criteria only matches clients that are communicating with the server over an insecure connection.

any

Indicates that this criteria can match both secure and insecure connections. This is the default value that is used for this property.

use-auth-type

The types of authentication that can be used by connections that might match this criteria. By default, this property includes all of the following allowed values:

none

Indicates that this criteria can match connections that are not authenticated.

If this value is included, then any authentication-related properties defined in the criteria are ignored for unauthenticated connections.

simple

Indicates that this criteria can match connections that are authenticated using LDAP simple authentication.

sasl

Indicates that this criteria can match connections that are authenticated using SASL authentication. The included-user-sasl-mechanism and excluded-user-sasl-mechanism properties can be used to further refine which SASL mechanisms can be used by matching connections.

internal

Indicates that this criteria can match connections that were authenticated through an internal mechanism (for example, internal connections created by Server SDK extensions).

authentication-security-level

The types of authentication security that can be used by connections that might match this criteria. This property is ignored for unauthenticated connections. Possible values include:

secure-only

Indicates that this criteria can only match connections in which the authentication was performed in a secure manner. This includes authentication that was processed over a secure connection, and authentication that can be processed securely even over an insecure connection (for example, a SASL mechanism that does not transmit the credentials in the clear).

insecure-only

Indicates that this criteria can only match connections in which the authentication was performed in an insecure manner.

any

Indicates that this criteria can match connections in which the authentication was performed in either a secure or insecure manner.

included-user-sasl-mechanism

An optional set of the SASL mechanisms used by clients that can match this criteria. This property is ignored for unauthenticated connections, or connections that did not authenticate with SASL.

excluded-user-sasl-mechanism

An optional set of the SASL mechanisms used by clients that do not match this criteria. This property is ignored for unauthenticated connections, or connections that did not authenticate with SASL.

included-user-base-dn

An optional set of the authenticated user entry base DNs for connections that might match this criteria. This property is ignored for unauthenticated connections.

excluded-user-base-dn

An optional set of the authenticated user entry base DNs for connections that do not match this criteria. This property is ignored for unauthenticated connections.

all-included-user-group-dn

An optional set of the group DNs in which the authenticated user must be a member for connections that might match this criteria. If multiple group DNs are specified, then the authenticated user must be a member of all of those groups. This property is ignored for unauthenticated connections.

any-included-user-group-dn

An optional set of the group DNs in which the authenticated user must be a member for connections that might match this criteria. If multiple group DNs are specified, then the authenticated user must be a member of at least one of those groups. This property is ignored for unauthenticated connections.

not-all-included-user-group-dn

An optional set of the group DNs in which the authenticated user should not be a member for connections that might match this criteria. If multiple group DNs are specified, then the authenticated user can optionally be a member of one or more of those groups as long as they are not a member of all of them. This property is ignored for unauthenticated connections.

none-included-user-group-dn

An optional set of the group DNs in which the authenticated user must not be a member for connections that might match this criteria. If multiple group DNs are specified, then the authenticated user must not be a member of any of those groups. This property is ignored for unauthenticated connections.

all-included-user-filter

An optional set of filters that must match the authenticated user entry for connections that might match this criteria. If multiple filters are specified, then the user entry must match all of them. This property is ignored for unauthenticated connections.

any-included-user-filter

An optional set of filters that must match the authenticated user entry for connections that might match this criteria. If multiple filters are specified, then the user entry must match at least one of them. This property is ignored for unauthenticated connections.

not-all-included-user-filter

An optional set of filters that should not match the authenticated user entry for connections that might match this criteria. If multiple filters are specified, then the user entry can optionally match one or more of them as long as it does not match all of them. This property is ignored for unauthenticated connections.

none-included-user-filter

An optional set of filters that must not match the authenticated user entry for connections that might match this criteria. If multiple filters are specified, then the user entry must not match any of them. This property is ignored for unauthenticated connections.

all-included-user-privilege

An optional set of privileges that authenticated users should have for connections that might match this criteria. If multiple privileges are specified, then the user must have all of them. This property is ignored for unauthenticated connections.

any-included-user-privilege

An optional set of privileges that authenticated users should have for connections that might match this criteria. If multiple privileges are specified, then the user must have at least one of them. This property is ignored for unauthenticated connections.

not-all-included-user-privilege

An optional set of privileges that authenticated users should not have for connections that might match this criteria. If multiple privileges are specified, then the user can optionally have one or more of them as long as it does not have all of them. This property is ignored for unauthenticated connections.

none-included-user-privilege

An optional set of privileges that authenticated users should not have for connections that might match this criteria. If multiple privileges are specified, then the user must not have any of them. This property is ignored for unauthenticated connections.

The default settings for the simple connection criteria match any connection. If you set values for multiple properties, then it essentially behaves as a logical AND, and the criteria only match connections that match all of those properties.

A common pitfall encountered with the simple connection criteria is that if the use-auth-type property includes none as one of the values, then any properties that pertain to authenticated users (authentication-security-level, the SASL mechanism, base DN, group, filter and privilege properties) are ignored for unauthenticated clients. Because none is included in use-auth-type by default, criteria that are meant to match only a particular set of users will also match every unauthenticated connection unless none is explicitly removed from use-auth-type.

A client connection is initially unauthenticated when it is first established, and a previously authenticated connection might become unauthenticated again if it performs an anonymous bind or if a bind attempt fails.
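The following is an added example, not PingDirectory's own code: a small Python model of how a subset of the properties above combine (logical AND; all-/any-/not-all-/none-included semantics shared by the group and privilege properties; user-related properties skipped for unauthenticated connections). It covers the use-auth-type pitfall by evaluating an "admin group over TLS" criteria with the default use-auth-type against an authenticated admin, a client that never bound, and the same admin after a failed bind, then repeats the evaluation with none removed. The Connection fields, the after_failed_bind helper and the restriction of address masks to IP addresses and CIDR blocks are assumptions made for the model; connection-handler, protocol, SASL-mechanism and filter properties are left out.

```python
from __future__ import annotations
from dataclasses import dataclass, field, replace
import ipaddress

# Constructed model of a client connection as the criteria see it. Field names are
# illustrative, not PingDirectory's internal API.
@dataclass(frozen=True)
class Connection:
    client_address: str
    secure: bool                        # TLS or StartTLS negotiated
    auth_type: str = "none"             # none | simple | sasl | internal
    auth_secure: bool = False           # the bind itself was processed securely
    user_dn: str | None = None
    groups: frozenset = frozenset()     # DNs of groups the user belongs to
    privileges: frozenset = frozenset()

def after_failed_bind(conn: Connection) -> Connection:
    """A failed (or anonymous) bind leaves the connection unauthenticated again."""
    return replace(conn, auth_type="none", auth_secure=False, user_dn=None,
                   groups=frozenset(), privileges=frozenset())

def in_mask(address: str, mask: str) -> bool:
    """Address-mask check; this model accepts only literal IPs and CIDR blocks."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(mask, strict=False)

def norm_dn(value: str) -> str:
    """Crude DN normalisation: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in value.split(","))

def is_under(dn: str, base_dn: str) -> bool:
    dn, base_dn = norm_dn(dn), norm_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)

def set_constraints(have, all_of=(), any_of=(), not_all_of=(), none_of=()) -> bool:
    """all-/any-/not-all-/none-included semantics for group DNs and privileges."""
    have = {norm_dn(x) for x in have}
    req = lambda xs: {norm_dn(x) for x in xs}
    if all_of and not (req(all_of) <= have):          # must hold every one
        return False
    if any_of and not (req(any_of) & have):           # must hold at least one
        return False
    if not_all_of and (req(not_all_of) <= have):      # may hold some, not all
        return False
    if none_of and (req(none_of) & have):             # must hold none
        return False
    return True

@dataclass
class SimpleConnectionCriteria:
    """Subset of the simple connection criteria properties; unset ones match anything."""
    included_client_address: tuple = ()
    excluded_client_address: tuple = ()
    communication_security_level: str = "any"
    use_auth_type: frozenset = frozenset({"none", "simple", "sasl", "internal"})  # the default
    authentication_security_level: str = "any"
    included_user_base_dn: tuple = ()
    excluded_user_base_dn: tuple = ()
    all_included_user_group_dn: tuple = ()
    any_included_user_group_dn: tuple = ()
    not_all_included_user_group_dn: tuple = ()
    none_included_user_group_dn: tuple = ()
    all_included_user_privilege: tuple = ()
    any_included_user_privilege: tuple = ()
    not_all_included_user_privilege: tuple = ()
    none_included_user_privilege: tuple = ()

    def matches(self, c: Connection) -> bool:
        # Every configured property must hold, so the checks are a chain of ANDs.
        if self.included_client_address and not any(in_mask(c.client_address, m) for m in self.included_client_address):
            return False
        if any(in_mask(c.client_address, m) for m in self.excluded_client_address):
            return False
        if self.communication_security_level == "secure-only" and not c.secure:
            return False
        if self.communication_security_level == "insecure-only" and c.secure:
            return False
        if c.auth_type not in self.use_auth_type:
            return False
        if c.auth_type == "none":
            # The pitfall: once "none" is allowed, nothing below is evaluated for an
            # unauthenticated connection, so the user-related restrictions vanish.
            return True
        if self.authentication_security_level == "secure-only" and not c.auth_secure:
            return False
        if self.authentication_security_level == "insecure-only" and c.auth_secure:
            return False
        if self.included_user_base_dn and not any(is_under(c.user_dn, b) for b in self.included_user_base_dn):
            return False
        if any(is_under(c.user_dn, b) for b in self.excluded_user_base_dn):
            return False
        return (set_constraints(c.groups, self.all_included_user_group_dn, self.any_included_user_group_dn,
                                self.not_all_included_user_group_dn, self.none_included_user_group_dn)
                and set_constraints(c.privileges, self.all_included_user_privilege, self.any_included_user_privilege,
                                    self.not_all_included_user_privilege, self.none_included_user_privilege))

ADMINS = "cn=Directory Admins,ou=Groups,dc=example,dc=com"   # constructed group DN

# Intended meaning: "TLS connections from 10.20.0.0/16, bound as a member of the admin group".
# use-auth-type is left at its default, which silently includes "none".
pitfall = SimpleConnectionCriteria(included_client_address=("10.20.0.0/16",),
                                   communication_security_level="secure-only",
                                   all_included_user_group_dn=(ADMINS,))
# Same criteria with "none" removed and the bind itself required to be secure.
fixed = replace(pitfall, use_auth_type=frozenset({"simple", "sasl"}),
                authentication_security_level="secure-only")

# Constructed connections: an authenticated admin, a client that never bound, and the
# admin's connection after a subsequent failed bind.
admin = Connection("10.20.1.5", secure=True, auth_type="simple", auth_secure=True,
                   user_dn="uid=alice,ou=People,dc=example,dc=com", groups=frozenset({ADMINS}))
anonymous = Connection("10.20.1.9", secure=True)
bounced = after_failed_bind(admin)

def evaluate() -> dict:
    """Which of the three connections each criteria matches."""
    return {name: {"admin": crit.matches(admin), "anonymous": crit.matches(anonymous),
                   "bounced": crit.matches(bounced)}
            for name, crit in (("pitfall", pitfall), ("fixed", fixed))}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

With the default use-auth-type, the "pitfall" criteria matches all three connections, including the one that never authenticated and the admin's connection after its bind failed; the "fixed" criteria matches only the authenticated admin. On a real server the same correction is made by setting use-auth-type explicitly on the criteria (for example with dsconfig set-connection-criteria-prop and one --set use-auth-type:VALUE per allowed type; treat the exact flag names as an assumption to verify against your server version).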