The access control instruction (ACI) syntax that the PingDirectory server uses is similar to that used by other types of directory servers and is designed to make it easy to migrate data containing access control rules from other servers.
Each ACI has the following format:
- A set of one or more targets. The targets specify the data (attributes and entries) to which the ACI applies. Each ACI target is enclosed in parentheses and has the form `(name="value")`. Defined target names include:
  - `extop` — Provides a list of extended request OIDs to which the ACI applies.
  - `requestcriteria` — Determines whether an access control rule applies to an operation based on whether that operation matches a given request criteria definition.
  - `target` — Provides an LDAP URL whose distinguished name (DN) identifies the base of the subtree to which the ACI applies.
  - `targetattr` — Provides a list of attributes to which the ACI applies.
  - `targetcontrol` — Provides a list of request control OIDs to which the ACI applies.
  - `targetfilter` — Specifies a filter used to restrict the set of entries to which the ACI applies within the scope.
  - `targattrfilters` — Provides criteria for identifying the values within an attribute to which the ACI applies.
  - `targetscope` — Specifies the scope, relative to the target base DN, to which the ACI applies.
- An opening parenthesis.
- The string `version 3.0` to indicate the ACI syntax version. The PingDirectory server only supports 3.0.
- A semicolon followed by a space.
- The keyword `acl` followed by a space and a description for the access control instruction surrounded by quotation marks, such as `acl "Allow users to update their own entries"`.
- A semicolon followed by a space.
- The keyword `allow` or `deny` followed by a comma-delimited list of rights enclosed in parentheses. For example, `allow (read,search,compare)`. Available rights include:
  - `read` — Indicates that the ACI grants or denies permission to retrieve attributes in search result entries.
  - `search` — Indicates that the ACI grants or denies permission to use attributes in a search filter.
  - `compare` — Indicates that the ACI grants or denies permission to request a compare assertion against target attributes.
  - `write` — Indicates that the ACI grants or denies permission to update attributes within target entries.
  - `selfwrite` — Indicates that the ACI grants or denies permission to allow the requester to update attributes to add or remove their own DN.
  - `add` — Indicates that the ACI grants or denies permission to add entries.
  - `delete` — Indicates that the ACI grants or denies permission to delete entries.
  - `export` — Indicates that the ACI grants or denies permission to move an entry out from under its current parent.
  - `import` — Indicates that the ACI grants or denies permission to move an entry beneath its proposed new parent.
  - `all` — Indicates that the ACI grants or denies permission to all of the above rights. It does not include the `proxy` right.
  - `proxy` — Indicates that the ACI grants or denies permission for one user to request that an operation be authorized as a different user, such as using a proxied authorization request control or SASL alternate authorization.
- A semicolon followed by a space.
- The bind rule component for the ACI, which identifies the set of requesters to which the ACI applies. Multiple bind rules can be joined with the keywords `and` and `or`, and the keyword `not` can be used to negate the result of a rule. Available bind rules include:
  - `authmethod` — Identifies the requester by the type of authentication that they used.
  - `connectioncriteria` — Allows or denies an operation based on whether the client connection matches a given connection criteria definition.
  - `dayofweek` — Identifies the requester by the current day of the week.
  - `dns` — Identifies the requester by the resolved name of the client system.
  - `groupdn` — Identifies the requester by group membership.
  - `ip` — Identifies the requester by the IP address of the client system.
  - `oauthscope` — Identifies the requester by the set of OAuth scopes that they have.
  - `secure` — Allows or denies an operation based on whether the client is communicating with the server over a secure connection; for example, using LDAPS or StartTLS over LDAP.
  - `timeofday` — Identifies the requester by the current time of day.
  - `userattr` — Identifies the requester by their relation to the value of a specified attribute.
  - `userdn` — Identifies the requester by DN or by a predefined keyword that is interpreted by the server.
- A semicolon followed by a closing parenthesis.
For example, the following ACI allows a user to update their own password:

```
(targetattr="userPassword")(version 3.0; acl "Allow a user to update their own password"; allow (write) userdn="ldap:///self";)
```
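As an added illustration (not code from the PingDirectory documentation or product), the following Python splits an ACI of the form described above into its targets, description, `allow`/`deny` keyword, rights and bind rule, rejects unknown target keywords and rights, and expands `all` without silently adding `proxy`, which is the detail reviewers most often miss when auditing ACIs. The second ACI and its DNs are constructed for the example; only the `name="value"` target form shown on this page is handled.

```python
import re

# Target keywords, rights and the "all" expansion exactly as listed on this page.
TARGET_NAMES = {"extop", "requestcriteria", "target", "targetattr", "targetcontrol",
                "targetfilter", "targattrfilters", "targetscope"}
RIGHTS = {"read", "search", "compare", "write", "selfwrite", "add", "delete",
          "export", "import", "proxy"}
ALL_EXPANSION = RIGHTS - {"proxy"}   # "all" deliberately excludes proxy

_TARGET_RE = re.compile(r'\((\w+)\s*=\s*"([^"]*)"\)')
_BODY_RE = re.compile(
    r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);\)$',
    re.DOTALL)

def parse_aci(aci: str) -> dict:
    """Split one ACI into targets, description, allow/deny, rights and bind rule."""
    aci = aci.strip()
    targets, pos = [], 0
    while (m := _TARGET_RE.match(aci, pos)):          # targets come first, each in parentheses
        name, value = m.groups()
        if name not in TARGET_NAMES:
            raise ValueError(f"unknown target keyword: {name}")
        targets.append((name, value))
        pos = m.end()
        while pos < len(aci) and aci[pos].isspace():
            pos += 1
    body = _BODY_RE.match(aci, pos)                    # only version 3.0 is accepted
    if not body:
        raise ValueError('malformed body: expected (version 3.0; acl "..."; allow|deny (...) <bind rule>;)')
    description, permission, rights_text, bind_rule = body.groups()
    rights = {r.strip() for r in rights_text.split(",") if r.strip()}
    unknown = rights - RIGHTS - {"all"}
    if unknown:
        raise ValueError(f"unknown rights: {sorted(unknown)}")
    return {"targets": targets, "description": description, "permission": permission,
            "rights": rights, "bind_rule": bind_rule.strip()}

def effective_rights(rights: set) -> set:
    """Expand "all" into the concrete rights it covers; proxy must be listed explicitly."""
    return (rights - {"all"}) | ALL_EXPANSION if "all" in rights else set(rights)

# The page's own example, plus a constructed ACI (example DNs) that grants "all".
PAGE_ACI = ('(targetattr="userPassword")(version 3.0; acl "Allow a user to update '
            'their own password"; allow (write) userdn="ldap:///self";)')
ADMIN_ACI = ('(target="ldap:///ou=People,dc=example,dc=com")(targetattr="*")'
             '(version 3.0; acl "Admins manage people"; allow (all) '
             'groupdn="ldap:///cn=Directory Admins,ou=Groups,dc=example,dc=com";)')

if __name__ == "__main__":
    for aci in (PAGE_ACI, ADMIN_ACI):
        parsed = parse_aci(aci)
        print(parsed["description"], "->", sorted(effective_rights(parsed["rights"])))
```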