Administrators can set a global sensitive attribute across all client connection policies. However, there may be cases when a specific directory server must exclude the sensitive attribute because it may not be needed for client connection requests. For example, in most environments it is good practice to declare the userPassword attribute to be a sensitive attribute in a manner that prevents it from being read by external clients. Further, this solution is more secure than protecting the password attribute using the server's default global ACI, which only exists for backwards compatibility purposes. If the Data Sync Server is installed, however, it does need to be able to access passwords for synchronization purposes. In this case, the administrator can set userPassword to be a sensitive attribute in all client connection policies, but exclude it in a policy specifically created for use by the Data Sync Server. The Directory Server provides an exclude-global-sensitive-attribute property for this purpose.
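
An added example, not from the product documentation: a Python check over a dsconfig batch file that reports any client connection policy, other than an approved one, that excludes a global sensitive attribute. The batch contents are constructed, and every subcommand, policy and property name other than exclude-global-sensitive-attribute is an assumption to verify against your server version.

```python
import shlex

# Constructed sample batch file. Only exclude-global-sensitive-attribute comes
# from the page; the other subcommand, policy and property names are assumptions.
SAMPLE_BATCH = '''\
# declare the attribute and make it globally sensitive
create-sensitive-attribute --attribute-name "Sensitive Password" --set attribute-type:userPassword
set-global-configuration-prop --add "sensitive-attribute:Sensitive Password"
set-client-connection-policy-prop --policy-name "Data Sync Server Policy" --add "exclude-global-sensitive-attribute:Sensitive Password"
set-client-connection-policy-prop --policy-name default --add "exclude-global-sensitive-attribute:Sensitive Password"
'''

def parse_batch(text):
    """Return (global sensitive attribute names, {policy name: excluded names})."""
    global_attrs, excluded = set(), {}
    for line in text.splitlines():
        args = shlex.split(line, comments=True)  # honours quotes, drops # comments
        if not args:
            continue
        sub, opts = args[0], args[1:]
        policy, props = None, []
        for flag, value in zip(opts, opts[1:]):  # each flag with the token after it
            if flag == "--policy-name":
                policy = value
            elif flag in ("--add", "--set"):
                name, _, val = value.partition(":")
                props.append((name, val))
        for name, val in props:
            if sub == "set-global-configuration-prop" and name == "sensitive-attribute":
                global_attrs.add(val)
            elif policy and name == "exclude-global-sensitive-attribute":
                excluded.setdefault(policy, set()).add(val)
    return global_attrs, excluded

def audit(text, allowed_policies):
    """List policies outside allowed_policies that exclude a global sensitive attribute."""
    global_attrs, excluded = parse_batch(text)
    findings = []
    for policy, names in sorted(excluded.items()):
        exposed = sorted(names & global_attrs)
        if exposed and policy not in allowed_policies:
            findings.append((policy, exposed))
    return findings

if __name__ == "__main__":
    for policy, names in audit(SAMPLE_BATCH, {"Data Sync Server Policy"}):
        print(f"REVIEW: policy {policy!r} excludes global sensitive attribute(s) {names}")
```

The parser only tracks additions, so a batch file that also removes values needs the removals applied in order before the result is trusted.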
Page created: 22 Jul 2020 | Page updated: 1 Feb 2021