Administrators can set a global sensitive attribute across all client connection policies. However, there may be cases when a specific directory server must exclude the sensitive attribute, as it may not be needed for that server's client connection requests. For example, in most environments it is good to declare the userPassword attribute to be a sensitive attribute in a manner that prevents it from being read by external clients. Further, this solution is more secure than protecting the attribute using the server's default global ACI, which only exists for backwards compatibility purposes. If the Data Sync Server is installed, then it does need to be able to access passwords for synchronization purposes. In this case, the administrator can set userPassword to be a sensitive attribute in all client connection policies, but exclude it in a policy specifically created for use by the Data Sync Server. The Directory Server exclude-global-sensitive-attribute property for this
Run dsconfig to remove the global ACI that limits access to the authPassword attribute. This ACI is present only for backwards compatibility.

$ bin/dsconfig set-access-control-handler-prop \
    --remove 'global-aci:(targetattr="userPassword || authPassword") (version 3.0; acl "Prevent clients from retrieving passwords from the server"; deny (read,search,compare) userdn="ldap:///anyone";)'
Run dsconfig to add the userPassword attribute as a global sensitive attribute, which is applied to all client connection policies. Do this by adding the built-in "Sensitive Password Attributes" Sensitive Attribute definition to the Global Configuration.

$ bin/dsconfig set-global-configuration-prop \
    --add "sensitive-attribute:Sensitive Password Attributes"
If the server is designated to synchronize passwords with a Sync Server, then it is necessary to configure a client connection policy for the Sync User to exclude the global sensitive attribute. The following is an example of how to create a new policy if the Data Sync Server binds with the default DN of cn=Sync User,cn=Root

$ bin/dsconfig create-connection-criteria \
    --criteria-name "Requests by Sync Users" \
    --type simple \
    --set user-auth-type:internal \
    --set user-auth-type:sasl \
    --set user-auth-type:simple \
    --set "included-user-base-dn:cn=Sync User,cn=Root DNs,cn=config"

$ bin/dsconfig create-client-connection-policy \
    --policy-name "Data Sync Server Connection Policy" \
    --set enabled:true \
    --set evaluation-order-index:9998 \
    --set "connection-criteria:Requests by Sync Users" \
    --set "exclude-global-sensitive-attribute:Sensitive Password Attributes"
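After the three dsconfig steps above are applied, the check worth running is that the same entry returns userPassword to the Sync User but not to an ordinary client. The shell helper below is an added example, not part of the product documentation or the server's own tools; the bin/ldapsearch option names, the localhost:389 endpoint, the bind DNs and the test entry DN are assumptions, and the demo uses constructed LDIF in place of live search results.

```shell
#!/bin/sh
# Added verification helper, not from the product documentation. Assumes the
# server's bin/ldapsearch tool plus placeholder host, port, bind DNs and passwords.
# Goal: confirm the policy hides userPassword/authPassword from an ordinary
# client while the Sync User's connection policy still exposes them.

# Exit 0 if the LDIF file carries a password attribute (plain ": " or base64 ":: ").
ldif_has_password_attr() {
  grep -Eiq '^(userPassword|authPassword)(;[^:]*)?::? ' "$1"
}

# $1 = LDIF seen by an ordinary client, $2 = LDIF seen by the Sync User.
check_policy() {
  if ldif_has_password_attr "$1"; then
    echo "FAIL: external client can read a password attribute"; return 1
  fi
  if ! ldif_has_password_attr "$2"; then
    echo "FAIL: Sync User cannot read the password attribute"; return 1
  fi
  echo "OK: passwords hidden from clients, visible to the Sync User"
}

# Fetch the same entry with a given bind from a live server (placeholders assumed).
fetch_live() {   # $1 = bind DN, $2 = bind password, $3 = output file
  bin/ldapsearch --hostname localhost --port 389 \
    --bindDN "$1" --bindPassword "$2" \
    --baseDN "uid=test.user,ou=People,dc=example,dc=com" --searchScope base \
    "(objectClass=*)" userPassword authPassword > "$3"
}

# Offline demonstration: constructed LDIF stands in for real search output.
demo() {
  dir=$(mktemp -d)
  printf 'dn: uid=test.user,ou=People,dc=example,dc=com\nuid: test.user\n' \
    > "$dir/client.ldif"
  printf 'dn: uid=test.user,ou=People,dc=example,dc=com\nuid: test.user\n' \
    > "$dir/sync.ldif"
  # Constructed base64 value; the policy, not the hash, is what is being checked.
  printf 'userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxl\n' >> "$dir/sync.ldif"
  if check_policy "$dir/client.ldif" "$dir/sync.ldif"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

demo
```

To run it against a live server, replace the demo's constructed files with `fetch_live` output for a regular client bind and for cn=Sync User,cn=Root DNs,cn=config, then call check_policy on the two files.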