You can require a bind user to have allow add permissions for all of an entry's attributes before allowing them to add the entry to PingDirectory.

By default, a bind user can add an entry to PingDirectory if they have allow add permissions for at least one of the attributes in the entry. To increase your control over who is allowed to add entries to your PingDirectory datastore, you can enable the evaluate-target-attribute-rights-for-add-operations property.

Enabling this property causes PingDirectory to require a bind user to have an allow add access control instruction (ACI) for each attribute of the entry in the add request. If the bind user doesn't meet this condition, or has a deny add ACI for any target attribute of the entry to be added, PingDirectory denies the add operation.

The evaluate-target-attribute-rights-for-add-operations property is disabled by default. Enabling this property causes PingDirectory to evaluate the targetattr portion of an access control rule for add operations.
Before enabling this property in a production environment, you should thoroughly test your existing access control configuration. You might discover cases where you need to add or augment access control rules to ensure that your authorized bind users can continue to add entries as expected.
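To support that testing, the following added example (not PingDirectory code) models the two evaluation modes described above with a simplified ACI representation: each rule is reduced to the attributes its targetattr covers and whether it allows or denies add. The sample ACIs and entry attributes are constructed; the helper names Aci, add_permitted and blocking_attributes are this example's own.

```python
# Simplified model of how an add request is evaluated with
# evaluate-target-attribute-rights-for-add-operations off and on,
# for auditing existing rules before enabling the property (assumption: each ACI
# is reduced to its targetattr attribute set plus allow/deny for the add right).
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    target_attrs: frozenset  # attributes named in targetattr; "*" means every attribute
    allow: bool              # True for allow (add), False for deny (add)

    def covers(self, attr: str) -> bool:
        return "*" in self.target_attrs or attr in self.target_attrs


def add_permitted(acis, entry_attrs, evaluate_target_attribute_rights: bool) -> bool:
    """False models the default: one allow(add) rule covering any attribute of the
    entry is enough. True models the property enabled: every attribute needs an
    allow(add) rule, and a deny(add) rule on any attribute rejects the add."""
    def allowed(attr):
        return any(a.allow and a.covers(attr) for a in acis)

    def denied(attr):
        return any(not a.allow and a.covers(attr) for a in acis)

    if not evaluate_target_attribute_rights:
        return any(allowed(attr) for attr in entry_attrs)
    return all(allowed(attr) and not denied(attr) for attr in entry_attrs)


def blocking_attributes(acis, entry_attrs):
    """Attributes that would make the add fail once the property is enabled, keyed to
    the reason: 'deny' (a deny(add) rule covers it) or 'no-allow' (no allow(add) rule)."""
    reasons = {}
    for attr in entry_attrs:
        if any(not a.allow and a.covers(attr) for a in acis):
            reasons[attr] = "deny"
        elif not any(a.allow and a.covers(attr) for a in acis):
            reasons[attr] = "no-allow"
    return reasons


# Constructed sample: the bind user may add objectClass, cn and sn, is denied add on
# userPassword, and no rule at all mentions the mail attribute.
SAMPLE_ACIS = (
    Aci(frozenset({"objectClass", "cn", "sn"}), allow=True),
    Aci(frozenset({"userPassword"}), allow=False),
)
```

Running blocking_attributes over the attribute sets your provisioning clients actually send shows which ACIs need extending before the property is switched on.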
- Modify the evaluate-target-attribute-rights-for-add-operations property.
  - To enable the property:
    $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:true
  - To disable the property:
    $ bin/dsconfig set-access-control-handler-prop \
        --set evaluate-target-attribute-rights-for-add-operations:false