The Sun/Oracle access control model does not differentiate between user attributes and operational attributes. With Sun/Oracle, using targetattr="*" will automatically target both user and operational attributes. Using an exclusion list like targetattr!="userPassword" will automatically target all operational attributes in addition to all user attributes except userPassword. This behavior is responsible for several significant security holes in which users are unintentionally given access to operational attributes. In some cases, it allows users to do things like exempt themselves from password policy restrictions.

In the PingDirectory Server, operational attributes are treated differently from user attributes, and operational attributes are never automatically included. As such, targetattr="*" will target all user attributes but no operational attributes, and targetattr!="userPassword" will target all user attributes except userPassword, but no operational attributes. Specific operational attributes can be targeted by including their names in the list, like targetattr="creatorsName||modifiersName". All operational attributes can be targeted using the "+" character. So, targetattr="+" targets all operational attributes but no user attributes, and targetattr="*||+" targets all user and operational attributes.
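The following added example (not PingDirectory's own code) models the two targetattr interpretations described above against a constructed schema, so an ACI reviewer can see which operational attributes a Sun/Oracle-style exclusion list silently reaches. The attribute sets, the sample ACI string and the "sun"/"ping" model names are assumptions for the demonstration.

```python
import re

# Constructed sample schema: a few user attributes and the standard
# RFC 4512 operational attributes (not a real server's full schema).
USER_ATTRS = {"cn", "sn", "mail", "userPassword"}
OPERATIONAL_ATTRS = {"creatorsName", "modifiersName",
                     "createTimestamp", "modifyTimestamp"}

# Matches the targetattr clause of an ACI, with or without surrounding parentheses.
TARGETATTR_RE = re.compile(r'targetattr\s*(!?=)\s*"([^"]*)"')

# Constructed self-write ACI using an exclusion list, as discussed in the text.
SELF_WRITE_ACI = ('(targetattr!="userPassword")'
                  '(version 3.0; acl "self write (constructed example)"; '
                  'allow (write) userdn="ldap:///self";)')


def parse_targetattr(aci: str):
    """Return (negated, names) from the targetattr clause of an ACI string."""
    m = TARGETATTR_RE.search(aci)
    if not m:
        raise ValueError("no targetattr clause in ACI")
    negated = m.group(1) == "!="
    names = [n.strip() for n in m.group(2).split("||") if n.strip()]
    return negated, names


def targeted_attributes(aci: str, model: str) -> set:
    """Attributes the ACI's targetattr clause reaches under 'sun' or 'ping' semantics."""
    negated, names = parse_targetattr(aci)
    universe = USER_ATTRS | OPERATIONAL_ATTRS
    if model == "sun":
        # Sun/Oracle: no user/operational distinction, so "*" and
        # exclusion lists span every attribute in the directory.
        if negated:
            return universe - set(names)
        return set(universe) if "*" in names else {n for n in names if n in universe}
    if model == "ping":
        # PingDirectory: operational attributes only when named explicitly or via "+".
        if negated:
            return USER_ATTRS - set(names)
        result = set()
        for n in names:
            result |= (USER_ATTRS if n == "*" else OPERATIONAL_ATTRS if n == "+"
                       else {n} if n in universe else set())
        return result
    raise ValueError(f"unknown model: {model}")


def operational_exposure(aci: str) -> set:
    """Operational attributes reached under Sun semantics but not under PingDirectory's."""
    return (targeted_attributes(aci, "sun") - targeted_attributes(aci, "ping")) & OPERATIONAL_ATTRS
```

Run operational_exposure() over the ACIs of a directory being migrated from Sun/Oracle to see which rules relied on the implicit inclusion of operational attributes.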