Global ACIs work in conjunction with ACRs stored in user data and provide a convenient way to define ACIs that span disparate portions of the directory information tree (DIT).

In the Server, global ACIs are defined within the server configuration, in the global-aci property of the configuration object for the access control handler. To view and manage global ACIs, use configuration tools like dsconfig and the administrative console.

The global ACIs available by default in the Server include:

  • Allow anyone, including unauthenticated users, to access key attributes of the root DSA-specific entry (DSE), including:
    • namingContexts
    • subschemaSubentry
    • supportedAuthPasswordSchemes
    • supportedControl
    • supportedExtension
    • supportedFeatures
    • supportedLDAPVersion
    • supportedSASLMechanisms
    • vendorName
    • vendorVersion
  • Allow anyone, including unauthenticated users, to access key attributes of the subschema subentry, including:
    • attributeTypes
    • dITContentRules
    • dITStructureRules
    • ldapSyntaxes
    • matchingRules
    • matchingRuleUse
    • nameForms
    • objectClasses
  • Allow anyone, including unauthenticated users, to include the following controls in requests made to the server:
    • Authorization identity request
    • Manage DSA IT
    • Password policy
    • Real attributes only
    • Virtual attributes only
  • Allow anyone, including unauthenticated users, to request the following extended operations:
    • Get symmetric key
    • Password modify request
    • Password policy state
    • StartTLS
    • Who Am I?
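To review what the global ACIs expose to unauthenticated clients, the values of the global-aci property can be parsed and filtered on the userdn="ldap:///anyone" bind rule. The following is an added example, not taken from the product documentation. The sample ACI strings are constructed and assume the standard ACI syntax with the targetattr, targetcontrol and extop target keywords.

```python
import re

# Constructed sample values in standard ACI syntax; not copied from a real server.
SAMPLE_GLOBAL_ACIS = [
    '(target="ldap:///")(targetscope="base")'
    '(targetattr="namingContexts||supportedControl||supportedSASLMechanisms")'
    '(version 3.0; acl "Sample: anonymous root DSE read"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)',
    '(extop="1.3.6.1.4.1.1466.20037||1.3.6.1.4.1.4203.1.11.3")'
    '(version 3.0; acl "Sample: anonymous extended operations"; '
    'allow (read) userdn="ldap:///anyone";)',
    '(targetattr="userPassword")'
    '(version 3.0; acl "Sample: self password write"; '
    'allow (write) userdn="ldap:///self";)',
]

# Target keywords that name attributes, request controls or extended operations.
TARGET_RE = re.compile(r'\(\s*(targetattr|targetcontrol|extop)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.I)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I)
# Matches userdn="...ldap:///anyone..." but not the negated form userdn!="...".
ANYONE_RE = re.compile(r'userdn\s*=\s*"[^"]*ldap:///anyone', re.I)

def anonymous_grants(aci):
    """Return what one ACI allows to ldap:///anyone, or None if it allows nothing."""
    rights = set()
    for kind, perms, bind_rule in RULE_RE.findall(aci):
        if kind.lower() == "allow" and ANYONE_RE.search(bind_rule):
            rights.update(p.strip().lower() for p in perms.split(",") if p.strip())
    if not rights:
        return None
    name = NAME_RE.search(aci)
    report = {"name": name.group(1) if name else "", "rights": sorted(rights)}
    for keyword, op, value in TARGET_RE.findall(aci):
        items = [v.strip() for v in value.split("||") if v.strip()]
        report[keyword.lower()] = {"negated": op == "!=", "values": items}
    return report

def audit(acis):
    """Return reports for every ACI that grants something to anonymous clients."""
    return [r for r in map(anonymous_grants, acis) if r]

if __name__ == "__main__":
    for entry in audit(SAMPLE_GLOBAL_ACIS):
        print(entry)
```

A target reported with "negated": True uses != and therefore covers everything except the listed values, which deserves a closer look when the bind rule is ldap:///anyone.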