Page created: 6 Nov 2019 | Page updated: 25 Mar 2020
Product: PingDirectory 8.0 | Content type: Administration user task, product documentation | Audience: Configuration Administrator, IT Administrator | Deployment method: Software | Capability: Directory
- Run dsconfig to remove the global ACI that limits access to the userPassword or authPassword attribute. This ACI is present for backwards compatibility.

    $ bin/dsconfig set-access-control-handler-prop \
        --remove 'global-aci:(targetattr="userPassword || authPassword") (version 3.0; acl "Prevent clients from retrieving passwords from the server"; deny (read,search,compare) userdn="ldap:///anyone";)'
- Run dsconfig to add the userPassword attribute as a global sensitive attribute, which is applied to all client connection policies. Do this by adding the built-in "Sensitive Password Attributes" Sensitive Attribute definition to the Global Configuration.

    $ bin/dsconfig set-global-configuration-prop \
        --add "sensitive-attribute:Sensitive Password Attributes"
- If the server is designated to synchronize passwords with a Sync Server, then it is necessary to configure a client connection policy for the Sync User to exclude the global sensitive attribute. The following is an example of how to create a new policy if the Data Sync Server binds with the default DN of cn=Sync User,cn=Root DNs,cn=config.

    $ bin/dsconfig create-connection-criteria \
        --criteria-name "Requests by Sync Users" \
        --type simple \
        --set user-auth-type:internal \
        --set user-auth-type:sasl \
        --set user-auth-type:simple \
        --set "included-user-base-dn:cn=Sync User,cn=Root DNs,cn=config"

    $ bin/dsconfig create-client-connection-policy \
        --policy-name "Data Sync Server Connection Policy" \
        --set enabled:true \
        --set evaluation-order-index:9998 \
        --set "connection-criteria:Requests by Sync Users" \
        --set "exclude-global-sensitive-attribute:Sensitive Password Attributes"
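Once the global ACI is gone, the sensitive-attribute definition is the only thing keeping password hashes out of ordinary search results, so the change is worth verifying. The script below is an added example, not part of the PingDirectory documentation: it renders the three steps above as one dsconfig batch (assuming dsconfig's --batch-file option and its one-command-per-line format, with a hypothetical SYNC_DN variable) and checks captured ldapsearch output, using constructed LDIF samples, for password attributes that should no longer be visible.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation).
# Assumptions: dsconfig accepts a batch file with one subcommand per line
# (bin/dsconfig --no-prompt --batch-file FILE); SYNC_DN is a hypothetical
# variable holding the Data Sync Server bind DN; the LDIF below is constructed.

SYNC_DN="${SYNC_DN:-cn=Sync User,cn=Root DNs,cn=config}"

# Print the dsconfig batch that applies steps 1-3 in order.
render_batch() {
  cat <<EOF
set-access-control-handler-prop --remove 'global-aci:(targetattr="userPassword || authPassword") (version 3.0; acl "Prevent clients from retrieving passwords from the server"; deny (read,search,compare) userdn="ldap:///anyone";)'
set-global-configuration-prop --add "sensitive-attribute:Sensitive Password Attributes"
create-connection-criteria --criteria-name "Requests by Sync Users" --type simple --set user-auth-type:internal --set user-auth-type:sasl --set user-auth-type:simple --set "included-user-base-dn:$SYNC_DN"
create-client-connection-policy --policy-name "Data Sync Server Connection Policy" --set enabled:true --set evaluation-order-index:9998 --set "connection-criteria:Requests by Sync Users" --set "exclude-global-sensitive-attribute:Sensitive Password Attributes"
EOF
}

# Read LDIF on stdin (e.g. ldapsearch output from a bind as an ordinary
# client) and return 1 if any entry still exposes userPassword or
# authPassword. Attribute names are matched only at the start of a line,
# case-insensitively, and with optional options such as ";binary".
check_no_password_attrs() {
  ! grep -iqE '^(userPassword|authPassword)(;[^:]*)?:'
}

# Constructed sample: what a non-privileged search should return after the change.
SAMPLE_HIDDEN='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
cn: Jane Doe
'

# Constructed sample: an entry that still leaks the stored password hash.
SAMPLE_LEAK='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
userPassword: {SSHA256}placeholder-hash
'

# Usage: render_batch > sensitive-attrs.dsconfig
#        ldapsearch ... | check_no_password_attrs || echo "passwords still visible"
```

The check is also useful against a search made with the Sync User's own bind, where the expectation is reversed: that connection should still see userPassword, or synchronization of passwords will silently stop.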