PingDirectory

Excluding a global sensitive attribute on a client connection policy

Administrators can exclude a global sensitive attribute on a client connection policy when it’s not needed for client connection requests.

About this task

Administrators can set a global sensitive attribute across all client connection policies. However, there can be cases when a specific PingDirectory server must exclude the sensitive attribute because it’s not needed for client connection requests.

For example, in most environments, it’s good to declare the userPassword attribute to be a sensitive attribute that prevents external clients reading it. This solution is more secure than protecting the password attribute using the server’s default global access control instruction (ACI), which only exists for backwards compatibility purposes. If the PingDirectory server is installed, then it does need to access passwords for synchronization purposes. In this case, the administrator can set userPassword to be a sensitive attribute in all client connection policies, but exclude it in a policy specifically created for use by the server. The PingDirectory server provides an exclude-global-sensitive-attribute property for this purpose.

Steps

  1. To remove the global ACI that limits access to the userPassword or authPassword attribute, run the dsconfig tool.

    The global ACI is present for backwards compatibility.

    Example:

    $ bin/dsconfig set-access-control-handler-prop \
      --remove 'global-aci:(targetattr="userPassword || authPassword")
      (version 3.0; acl "Prevent clients from retrieving passwords from the server";
      deny (read,search,compare) userdn="ldap:///anyone";)'
  2. To add the userPassword attribute as a global sensitive attribute, run the dsconfig tool and add the built-in "sensitive-attribute:Sensitive Password Attributes" definition to the global configuration.

    This applies to all client connection policies.

    Example:

    $ bin/dsconfig set-global-configuration-prop \
      --add "sensitive-attribute:Sensitive Password Attributes"
  3. If the server is designated to synchronize passwords with a Sync Server, configure a client connection policy for the Sync User to exclude the global sensitive attribute.

    Example:

    The following example shows how to create a new policy if the Data Sync Server binds with the default distinguished name (DN) of cn=Sync User,cn=Root DNs,cn=config.

    $ bin/dsconfig create-connection-criteria \
      --criteria-name "Requests by Sync Users" \
      --type simple \
      --set user-auth-type:internal \
      --set user-auth-type:sasl \
      --set user-auth-type:simple \
      --set "included-user-base-dn:cn=Sync User,cn=Root DNs,cn=config"
    
    $ bin/dsconfig create-client-connection-policy \
      --policy-name "Data Sync Server Connection Policy" \
      --set enabled:true \
      --set evaluation-order-index:9998 \
      --set "connection-criteria:Requests by Sync Users" \
      --set "exclude-global-sensitive-attribute:Sensitive Password Attributes"