Administrators can exclude a global sensitive attribute on a client connection policy when that protection is not needed for the policy's client connection requests.
Administrators can set a global sensitive attribute across all client connection policies. However, there are cases in which a specific PingDirectory server must exclude the sensitive attribute from one policy because the protection is not needed for that policy's client connection requests.
For example, in most environments it is good practice to declare the userPassword attribute a sensitive attribute so that external clients cannot read it. This is more secure than protecting the password attribute with the server's default global access control instruction (ACI), which exists only for backwards compatibility. If a Sync Server is installed, however, it does need to access passwords for synchronization purposes. In this case, the administrator can declare userPassword a sensitive attribute in all client connection policies but exclude it in a policy created specifically for use by the Sync Server. The PingDirectory server provides the exclude-global-sensitive-attribute property for this purpose.
To remove the global ACI that limits access to the userPassword and authPassword attributes, run the dsconfig tool.
Note: The global ACI is present only for backwards compatibility.

$ bin/dsconfig set-access-control-handler-prop \
    --remove 'global-aci:(targetattr="userPassword || authPassword") (version 3.0; acl "Prevent clients from retrieving passwords from the server"; deny (read,search,compare) userdn="ldap:///anyone";)'
To add the userPassword attribute as a global sensitive attribute, run the dsconfig tool and add the built-in "sensitive-attribute:Sensitive Password Attributes" definition to the global configuration. This applies to all client connection policies.

$ bin/dsconfig set-global-configuration-prop \
    --add "sensitive-attribute:Sensitive Password Attributes"
If the server is designated to synchronize passwords with a Sync Server, configure a client connection policy for the Sync User that excludes the global sensitive attribute. The following example shows how to create a new policy if the Data Sync Server binds with the default distinguished name (DN) of cn=Sync User,cn=Root DNs,cn=config.

$ bin/dsconfig create-connection-criteria \
    --criteria-name "Requests by Sync Users" \
    --type simple \
    --set user-auth-type:internal \
    --set user-auth-type:sasl \
    --set user-auth-type:simple \
    --set "included-user-base-dn:cn=Sync User,cn=Root DNs,cn=config"

$ bin/dsconfig create-client-connection-policy \
    --policy-name "Data Sync Server Connection Policy" \
    --set enabled:true \
    --set evaluation-order-index:9998 \
    --set "connection-criteria:Requests by Sync Users" \
    --set "exclude-global-sensitive-attribute:Sensitive Password Attributes"
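After the three steps above, the check a practitioner wants is that an ordinary external bind no longer receives userPassword or authPassword values while the Sync User bind still does. The following POSIX shell helper is an added example, not part of the PingDirectory documentation; the LDIF samples are constructed, and the ldapsearch invocation in the comment is an assumption to adapt to your host, port and credentials.

```shell
#!/bin/sh
# Added verification helper (not from the PingDirectory documentation).
# Capture one search result per bind identity with the server's ldapsearch,
# e.g. (assumed flags; adjust host, port, bind DN and password):
#   bin/ldapsearch --hostname ds.example.com --port 636 --useSSL \
#     --bindDN "uid=app,ou=people,dc=example,dc=com" --bindPassword '...' \
#     --baseDN dc=example,dc=com "(uid=user.0)" userPassword authPassword
# then feed each capture to the functions below.

# Print the password attribute names present in LDIF on stdin, one per line,
# lower-cased and de-duplicated. Matches attribute options (";binary") and
# base64 values ("::") because the server may return either form.
password_attrs_in_ldif() {
  grep -Eio '^(userPassword|authPassword)(;[^:]*)?::?' \
    | sed 's/[;:].*//' | tr 'A-Z' 'a-z' | sort -u
}

# Succeed (exit 0) only when the LDIF carries no password attribute at all.
assert_no_passwords() {
  [ -z "$(printf '%s\n' "$1" | password_attrs_in_ldif)" ]
}

# Compare the two captures: the external client must see no password
# attributes, and the Sync User policy must still expose at least one.
verify_policy_split() {
  external_ldif="$1"; sync_ldif="$2"
  if ! assert_no_passwords "$external_ldif"; then
    echo "FAIL: external client can read password attributes" >&2; return 1
  fi
  if assert_no_passwords "$sync_ldif"; then
    echo "FAIL: Sync User policy does not expose password attributes" >&2; return 1
  fi
  echo "OK: passwords hidden from external clients, visible to the Sync User"
}

# Constructed sample captures (not real server output).
EXTERNAL_LDIF='dn: uid=user.0,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: user.0
cn: Example User'

SYNC_LDIF='dn: uid=user.0,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: user.0
userPassword: {SSHA256}Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=
authPassword:: Y29uc3RydWN0ZWQtc2FtcGxl'

verify_policy_split "$EXTERNAL_LDIF" "$SYNC_LDIF"
```

Run it once against captures from an external bind and once with the Sync User capture in both positions; the second run must report FAIL, which confirms the check itself is not vacuous.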