Global ACIs are a set of ACIs that can apply to entries anywhere in the server or be scoped to apply only to a specific set of entries.
Global ACIs work in conjunction with ACRs stored in user data and provide a convenient way to define ACIs that span disparate portions of the directory information tree (DIT).
In the Server, global ACIs are defined within the server configuration, in the global-aci property of the configuration object for the access control handler. To view and manage global ACIs, use configuration tools like dsconfig and the administrative console.
The global ACIs available by default in the Server include:
- Allow anyone, including unauthenticated users, to access key attributes of the root DSA-specific entry (DSE), including:
  - namingContexts
  - subschemaSubentry
  - supportedAuthPasswordSchemes
  - supportedControl
  - supportedExtension
  - supportedFeatures
  - supportedLDAPVersion
  - supportedSASLMechanisms
  - vendorName
  - vendorVersion
- Allow anyone, including unauthenticated users, to access key attributes of the subschema subentry, including:
  - attributeTypes
  - dITContentRules
  - dITStructureRules
  - ldapSyntaxes
  - matchingRules
  - matchingRuleUse
  - nameForms
  - objectClasses
- Allow anyone, including unauthenticated users, to include the following controls in requests made to the server:
  - Authorization identity request
  - Manage DSA IT
  - Password policy
  - Real attributes only
  - Virtual attributes only
- Allow anyone, including unauthenticated users, to request the following extended operations:
  - Get symmetric key
  - Password modify request
  - Password policy state
  - StartTLS
  - Who Am I?
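The defaults listed above can serve as a baseline for reviewing what unauthenticated clients are granted. The following is an added example, not code from the product or its documentation: it scans global-aci values that have already been exported as strings and reports anything granted to `ldap:///anyone` beyond that baseline. It assumes the usual ACI keywords `targetattr`, `targetcontrol` and `extop`; the function names and the sample ACIs are constructed for illustration.

```python
import re

# Names the page lists as readable by anyone by default (lower-cased for matching).
ROOT_DSE = """namingContexts subschemaSubentry supportedAuthPasswordSchemes supportedControl
supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms
vendorName vendorVersion""".lower().split()
SCHEMA = """attributeTypes dITContentRules dITStructureRules ldapSyntaxes matchingRules
matchingRuleUse nameForms objectClasses""".lower().split()
# Standard OIDs for some listed controls/operations. The other listed items use
# server-specific OIDs: add the ones your own server reports before relying on this.
OIDS = {"2.16.840.1.113730.3.4.16", "2.16.840.1.113730.3.4.2",  # authz identity, Manage DSA IT
        "1.3.6.1.4.1.4203.1.11.1", "1.3.6.1.4.1.1466.20037",    # password modify, StartTLS
        "1.3.6.1.4.1.4203.1.11.3"}                               # Who Am I?
BASELINE = set(ROOT_DSE) | set(SCHEMA) | OIDS

TARGET_RE = re.compile(r'\((targetattr|targetcontrol|extop)\s*=\s*"([^"]*)"\)', re.I)
NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.I)
ANYONE_RE = re.compile(r'allow\s*\([^)]*\)\s*userdn\s*=\s*"ldap:///anyone"', re.I)

def anonymous_grants(aci):
    """Return (acl name, sorted granted items) if the ACI allows ldap:///anyone, else None."""
    if not ANYONE_RE.search(aci):
        return None
    items = set()
    for _keyword, value in TARGET_RE.findall(aci):
        items.update(v.strip().lower() for v in value.split("||") if v.strip())
    name = NAME_RE.search(aci)
    return (name.group(1) if name else "<unnamed>", sorted(items))

def audit(acis, baseline=BASELINE):
    """List (acl name, items) for anonymous grants that fall outside the baseline."""
    findings = []
    for aci in acis:
        grant = anonymous_grants(aci)
        extra = [i for i in grant[1] if i not in baseline] if grant else []
        if extra:
            findings.append((grant[0], extra))
    return findings

# Constructed sample values, not copied from any real server configuration.
SAMPLE_ACIS = [
    '(target="ldap:///")(targetscope="base")(targetattr="namingContexts||supportedControl")'
    '(version 3.0; acl "Root DSE attributes"; allow (read,search,compare) userdn="ldap:///anyone";)',
    '(extop="1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3")'
    '(version 3.0; acl "Anonymous extended operations"; allow (read) userdn="ldap:///anyone";)',
    '(targetattr="mail||userPassword")'
    '(version 3.0; acl "Over-broad grant"; allow (read,search) userdn="ldap:///anyone";)',
    '(targetattr="*")(version 3.0; acl "Admins"; allow (all) groupdn="ldap:///cn=admins,dc=example,dc=com";)',
]

if __name__ == "__main__":
    for acl_name, extra in audit(SAMPLE_ACIS):
        print(f"{acl_name}: anonymous access beyond defaults -> {', '.join(extra)}")
```

An empty result from `audit` means every anonymous grant in the input stays within the baseline set; it says nothing about ACIs stored in user data, which are evaluated in conjunction with the global ones.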