Administrators can set a global sensitive attribute across all client connection policies. However, there may be cases when a specific directory server must exclude the sensitive attribute as it may not be needed for client connection requests. For example, in most environments it is good to declare the userPassword attribute to be a sensitive attribute in a manner that prevents it from being read by external clients. Further, this solution is more secure than protecting the password attribute using the server's default global ACI, which only exists for backwards compatibility purposes. If the Data Sync Server is installed, then it does need to be able to access passwords for synchronization purposes. In this case, the administrator can set userPassword to be a sensitive attribute in all client connection policies, but exclude it in a policy specifically created for use by the Data Sync Server. The Directory Server provides an exclude-global-sensitive-attribute property for this purpose.

  1. Run dsconfig to remove the global ACI that limits access to the userPassword or authPassword attribute. This is present for backwards compatibility.
    $ bin/dsconfig set-access-control-handler-prop \
      --remove 'global-aci:(targetattr="userPassword || authPassword")
      (version 3.0; acl "Prevent clients from retrieving passwords from the server"; 
      deny (read,search,compare) userdn="ldap:///anyone";)'
  2. Run dsconfig to add the userPassword attribute as a global sensitive attribute, which is applied to all client connection policies. Do this by adding the built-in "Sensitive Password Attributes" Sensitive Attribute definition to the Global Configuration.
    $ bin/dsconfig set-global-configuration-prop \
      --add "sensitive-attribute:Sensitive Password Attributes"
  3. If the server is designated to synchronize passwords with a Sync Server, then it is necessary to configure a client connection policy for the Sync User to exclude the global sensitive attribute. The following is an example on how to create a new policy if the Data Sync Server binds with the default DN of cn=Sync User,cn=Root DNs,cn=config.
    $ bin/dsconfig create-connection-criteria \
      --criteria-name "Requests by Sync Users" \
      --type simple \
      --set user-auth-type:internal \
      --set user-auth-type:sasl \
      --set user-auth-type:simple \
      --set "included-user-base-dn:cn=Sync User,cn=Root DNs,cn=config"
    
    $ bin/dsconfig create-client-connection-policy \
      --policy-name "Data Sync Server Connection Policy" \
      --set enabled:true \
      --set evaluation-order-index:9998 \
      --set "connection-criteria:Requests by Sync Users" \
      --set "exclude-global-sensitive-attribute:Sensitive Password Attributes"