Administrators can exclude a global sensitive attribute from a specific client connection policy when the clients matched by that policy legitimately need the attribute.

Administrators can set a global sensitive attribute that applies across all client connection policies. However, there are cases in which one class of client must be exempted from it, because that client needs the attribute to do its job.

For example, in most environments it is good practice to declare the userPassword attribute to be a sensitive attribute, which prevents external clients from reading it. This is more secure than protecting userPassword with the server's default global access control instruction (ACI), which exists only for backwards compatibility: a sensitive attribute definition is enforced independently of ACIs, so it is not weakened by a later ACI that grants broader read access, and it can also block the attribute from being used in search filters. A synchronization server such as PingDataSync, however, does need to read passwords in order to synchronize them. In this case, the administrator can set userPassword to be a sensitive attribute in all client connection policies, but exclude it in a policy created specifically for the synchronization server's connections, matched by connection criteria such as its bind DN and source address. The PingDirectory server provides the exclude-global-sensitive-attribute client connection policy property for this purpose.
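The following script is an added example of the procedure described above; it is not taken from the PingDirectory documentation or product. It defines the sensitive attribute, makes it global, matches the synchronization server's connections with connection criteria, creates a policy that excludes the global sensitive attribute, and then checks the result with ldapsearch from both an ordinary application account and the synchronization account. The host, port, bind DNs, password files, client address and the names "Password Attributes", "Sync Server Connections" and "Sync Server Policy" are hypothetical placeholders; the dsconfig and ldapsearch invocations follow the standard PingDirectory tool syntax but should be checked against the version in use.

```shell
#!/bin/sh
# Added example (not PingDirectory's own code). All names, hosts, ports and
# paths below are hypothetical and must be adapted to the deployment.
set -eu

DS_HOST="${DS_HOST:-ds1.example.com}"   # hypothetical directory host
DS_PORT="${DS_PORT:-1636}"              # hypothetical LDAPS port
DM_PW_FILE="${DM_PW_FILE:-/etc/pingdirectory/dm.pw}"

# Run dsconfig non-interactively as the admin account.
ds() {
  dsconfig --no-prompt --hostname "$DS_HOST" --port "$DS_PORT" --useSSL --trustAll \
    --bindDN "cn=Directory Manager" --bindPasswordFile "$DM_PW_FILE" "$@"
}

# Search as a given account and return the LDIF for one user, asking
# explicitly for userPassword so the test is about the attribute itself.
search_as() {
  bind_dn="$1"; pw_file="$2"
  ldapsearch --hostname "$DS_HOST" --port "$DS_PORT" --useSSL --trustAll \
    --bindDN "$bind_dn" --bindPasswordFile "$pw_file" \
    --baseDN "dc=example,dc=com" --searchScope sub "(uid=alice)" userPassword
}

# Returns 0 if the LDIF read from stdin contains a userPassword value,
# 1 otherwise. Used by the verification step below.
ldif_has_password() {
  grep -iq '^userPassword:'
}

apply_sensitive_password_policy() {
  # 1. Define the sensitive attribute: suppress userPassword in returned
  #    entries and reject filters that probe its value, while still allowing
  #    add, modify and compare so password changes keep working.
  ds create-sensitive-attribute \
    --attribute-name "Password Attributes" \
    --set attribute-type:userPassword \
    --set allow-in-returned-entries:suppress \
    --set allow-in-filter:reject \
    --set allow-in-compare:allow \
    --set allow-in-add:allow \
    --set allow-in-modify:allow

  # 2. Make it global so every client connection policy inherits it.
  ds set-global-configuration-prop --add "sensitive-attribute:Password Attributes"

  # 3. Match the synchronization server by bind DN AND source address, so the
  #    exemption cannot be reached merely by knowing the sync account's name.
  ds create-connection-criteria \
    --criteria-name "Sync Server Connections" --type simple \
    --set "included-user-base-dn:cn=Sync User,cn=Root DNs,cn=config" \
    --set included-client-address:10.0.5.20

  # 4. Give those connections their own policy, evaluated before the default
  #    policy, that excludes the global sensitive attribute.
  ds create-client-connection-policy \
    --policy-name "Sync Server Policy" \
    --set enabled:true \
    --set evaluation-order-index:100 \
    --set "connection-criteria:Sync Server Connections" \
    --set "exclude-global-sensitive-attribute:Password Attributes"
}

verify_policy() {
  # An ordinary application account must never see userPassword ...
  if search_as "uid=app,ou=people,dc=example,dc=com" /etc/pingdirectory/app.pw \
       | ldif_has_password; then
    echo "FAIL: application account can read userPassword" >&2
    return 1
  fi
  # ... while the synchronization account, from its matched address, must.
  if ! search_as "cn=Sync User,cn=Root DNs,cn=config" /etc/pingdirectory/sync.pw \
       | ldif_has_password; then
    echo "FAIL: sync account does not receive userPassword" >&2
    return 1
  fi
  echo "OK: userPassword suppressed for clients, visible to the sync server"
}

# Only touch a server when the tools are actually on the PATH.
if command -v dsconfig >/dev/null 2>&1 && command -v ldapsearch >/dev/null 2>&1; then
  apply_sensitive_password_policy
  verify_policy
fi
```

Run the verification step from the synchronization server's own host, since the connection criteria match its source address; running it from an admin workstation would correctly fail the second check. Note that a sensitive attribute only governs what the directory reveals over LDAP: the synchronization account still needs ACIs or privileges that grant it read access to userPassword, and it should be limited to exactly that scope.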