Global ACIs are a set of ACIs that can apply to entries anywhere in the server (although they can also be scoped so that they only apply to a specific set of entries). They work in conjunction with access control rules stored in user data and provide a convenient way to define ACIs that span disparate portions of the DIT.

In the PingDirectoryProxy Server, global ACIs are defined within the server configuration, in the global-aci property of the configuration object for the access control handler. They can be viewed and managed using configuration tools like dsconfig and the Administrative Console.

The global ACIs available by default in the PingDirectoryProxy Server include:
  • Allow anyone (including unauthenticated users) to access key attributes of the root DSE, including: namingContexts, subschemaSubentry, supportedAuthPasswordSchemes, supportedControl, supportedExtension, supportedFeatures, supportedLDAPVersion, supportedSASLMechanisms, vendorName, and vendorVersion.
  • Allow anyone (including unauthenticated users) to access key attributes of the subschema subentry, including: attributeTypes, dITContentRules, dITStructureRules, ldapSyntaxes, matchingRules, matchingRuleUse, nameForms, and objectClasses.
  • Allow anyone (including unauthenticated users) to include the following controls in requests made to the server: authorization identity request, manage DSA IT, password policy, real attributes only, and virtual attributes only.
  • Allow anyone (including unauthenticated users) to request the following extended operations: get symmetric key, password modify request, password policy state, StartTLS, and Who Am I?
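When reviewing a deployment, it helps to check whether any global-aci value grants unauthenticated access beyond the attributes listed above. The following is an added example, not part of the product documentation: it assumes the usual ACI string syntax (targetattr, targetcontrol and extop targets, and a userdn="ldap:///anyone" bind rule), which this page does not show. The function name and the sample ACI values are constructed for illustration.

```python
import re

# Attribute names the page lists as anonymously readable by default (root DSE + subschema).
DOCUMENTED = {a.lower() for a in (
    "namingContexts subschemaSubentry supportedAuthPasswordSchemes supportedControl "
    "supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms "
    "vendorName vendorVersion attributeTypes dITContentRules dITStructureRules "
    "ldapSyntaxes matchingRules matchingRuleUse nameForms objectClasses").split()}

TARGET_RE = re.compile(r'\(\s*(targetattr|targetcontrol|extop)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.I)
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I)
ANYONE_RE = re.compile(r'userdn\s*=\s*"[^"]*ldap:///anyone', re.I)

def audit_global_aci(aci):
    """Return one finding per 'allow' rule in the ACI that applies to ldap:///anyone."""
    name = NAME_RE.search(aci)
    targets = {m.group(1).lower(): (m.group(2), [v.strip() for v in m.group(3).split("||")])
               for m in TARGET_RE.finditer(aci)}
    op, attrs = targets.get("targetattr", ("=", []))
    if op == "!=" or "*" in attrs or "+" in attrs:
        extra = ["<wildcard or negated targetattr>"]  # cannot be bounded by a name list
    else:
        extra = sorted(a for a in attrs if a.lower() not in DOCUMENTED)
    findings = []
    for kind, rights, bind in RULE_RE.findall(aci):
        if kind.lower() == "allow" and ANYONE_RE.search(bind):
            findings.append({
                "acl": name.group(1) if name else "<unnamed>",
                "rights": [r.strip() for r in rights.split(",")],
                "attrs_beyond_documented": extra,
                "controls": targets.get("targetcontrol", ("=", []))[1],
                "extops": targets.get("extop", ("=", []))[1],
            })
    return findings

# Constructed sample values for the global-aci property (not taken from a real server).
SAMPLE_ACIS = [
    '(targetattr="namingContexts||supportedControl||vendorName")(version 3.0; '
    'acl "sample: root DSE"; allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="cn||mail||userPassword")(version 3.0; '
    'acl "sample: user data"; allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="*")(version 3.0; acl "sample: authenticated"; allow (read) userdn="ldap:///all";)',
    '(extop="1.3.6.1.4.1.1466.20037")(version 3.0; '
    'acl "sample: StartTLS"; allow (read) userdn="ldap:///anyone";)',
]

if __name__ == "__main__":
    for aci in SAMPLE_ACIS:
        print(audit_global_aci(aci))
```

A non-empty attrs_beyond_documented list marks an anonymous grant that goes past the default attribute set described above and should be traced to a deliberate configuration change.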