Administrators can exclude a global sensitive attribute on a client connection policy when it's not needed for client connection requests.
Administrators can set a global sensitive attribute across all client connection policies. However, there can be cases when a specific directory server must exclude the sensitive attribute because it's not needed for client connection requests.
For example, in most environments it is good practice to declare the userPassword attribute a sensitive attribute, which prevents external clients from reading it. This is more secure than protecting the password attribute with the server's default global access control instruction (ACI), which exists only for backwards compatibility. If the Data Sync Server is installed, however, it does need to access passwords for synchronization. In this case, the administrator can make userPassword a sensitive attribute in all client connection policies but exclude it in a policy created specifically for use by the Data Sync Server. The Directory Server provides the exclude-global-sensitive-attribute property for this purpose.
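As an added example (not from the product documentation), a shell script that carries out the sequence above with the dsconfig CLI: define userPassword as a sensitive attribute, apply it globally, then exclude it only in a policy matched by the Data Sync Server's bind DN. The object names, the connection-criteria settings and every dsconfig argument other than exclude-global-sensitive-attribute are assumptions to check against your server's dsconfig help; host, port and bind arguments are assumed to come from config/tools.properties.

```shell
# Added example: global sensitive attribute for userPassword, excluded in a
# policy reserved for the Data Sync Server. Object names, criteria settings and
# property names other than exclude-global-sensitive-attribute are assumptions.
SENSITIVE_NAME="${SENSITIVE_NAME:-Protected Password}"
CRITERIA_NAME="${CRITERIA_NAME:-Data Sync Server Connections}"
POLICY_NAME="${POLICY_NAME:-Data Sync Server Policy}"
SYNC_USER_DN="${SYNC_USER_DN:-cn=Sync User,cn=Root DNs,cn=config}"

# With DSCONFIG_DRY_RUN=1 each command is printed instead of executed.
run_dsconfig() {
  if [ "${DSCONFIG_DRY_RUN:-0}" = "1" ]; then
    printf 'dsconfig'; printf ' %s' "$@"; printf '\n'
  else
    dsconfig --no-prompt "$@"
  fi
}

# Step 1: clients may still set or change a password but cannot read, search
# on or compare it; adding it to the global configuration covers every policy.
declare_password_sensitive() {
  run_dsconfig create-sensitive-attribute --attribute-name "$SENSITIVE_NAME" \
    --set attribute-type:userPassword \
    --set allow-in-returned-entries:suppress \
    --set allow-in-filter:reject \
    --set allow-in-compare:reject \
    --set allow-in-add:allow \
    --set allow-in-modify:allow
  run_dsconfig set-global-configuration-prop \
    --add "sensitive-attribute:$SENSITIVE_NAME"
}

# Step 2: a policy matched only by the Data Sync Server's bind DN, ordered before
# the default policy (assumes the default policy's evaluation-order-index is
# higher), with the global sensitive attribute excluded so sync can read passwords.
exclude_for_sync_server() {
  run_dsconfig create-connection-criteria --criteria-name "$CRITERIA_NAME" \
    --type simple --set "included-user-base-dn:$SYNC_USER_DN"
  run_dsconfig create-client-connection-policy --policy-name "$POLICY_NAME" \
    --set enabled:true --set evaluation-order-index:100 \
    --set "connection-criteria:$CRITERIA_NAME" \
    --set "exclude-global-sensitive-attribute:$SENSITIVE_NAME"
}

configure_password_sensitivity() {
  declare_password_sensitive && exclude_for_sync_server
}

if [ "${1:-}" = "--apply" ]; then configure_password_sensitivity; fi
```

Run with `DSCONFIG_DRY_RUN=1 sh script.sh --apply` to review the four commands before applying them for real.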