A backend is private if one of the following applies:

  • Its content is generated by the server itself, such as the root DSE, monitor, and backup backends.
  • It is used in the operation of the server, such as the configuration, schema, task, and trust store backends.
  • Its content is maintained by the server, such as the LDAP changelog backend.

A public backend is intended to hold user-defined content, such as user accounts, groups, application data, and device data.

The server access control model also supports the distinction between public backends and private backends. Many private backends do not allow writes of any kind from clients, and some of the private backends that do allow writes only allow changes to a specific set of attributes. As a result, you should define any ACI intended to permit or restrict access to information in private backends as global ACIs, rather than attempting to add those instructions to the data for that private backend.