Each policy contains the following:

  • A set of connection criteria that define which client is associated with the policy based on information the server has about the client, including:
    • Client address
    • Protocol used
    • Secure communication mechanism
    • Location of the client's entry in the PingDirectoryProxy server
    • Contents of the client's entry

    These criteria are the same as those used for filtered logging. For example, different client connection policies could be established for different classes of users, such as root and non-root users.

  • A set of constraints on the type of operations a client can request. You can specify whether a particular type of operation is allowed for clients.

    For some operation types, such as extended operations, you can allow only a particular subset of an operation type, such as a particular extended operation.

  • A set of subtree views that define information about the parts of the directory information tree (DIT) the client can access.

When a client connection is established, exactly one client connection policy is applied. If the criteria of several policies match the same client connection, the evaluation order index is used as a tiebreaker. If no policy matches, the client connection is terminated. If the client binds (changing its identity) or uses StartTLS to upgrade an insecure connection to a secure one, the connection is evaluated again to determine whether it still matches the same policy or now matches a different one. The connection is terminated if it no longer matches any policy.
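The selection and re-evaluation rules above are easy to get wrong when several policies overlap, so the following added example models them in Python. It is illustrative code, not PingDirectoryProxy's implementation: the four policies, their evaluation order indexes, the criteria, the addresses (10.1.2.3 and the documentation address 203.0.113.5), the operation labels, and the subtree views are all constructed for the example. The only product-level value it uses is the standard StartTLS extended operation OID (1.3.6.1.4.1.1466.20037), which is how the "particular extended operation" constraint from the list above is expressed here.

```python
"""Model of client connection policy selection and re-evaluation.

Added example, not PingDirectoryProxy code. Policies, criteria, addresses
and operation labels are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

TERMINATED = "TERMINATED"
STARTTLS = "extended:1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, by OID


@dataclass
class ClientConnection:
    """What the server knows about the client; the inputs the criteria inspect."""
    address: str
    protocol: str                  # "LDAP", "LDAPS" or "HTTP" (constructed labels)
    secure: bool                   # True once TLS protects the connection
    bind_dn: Optional[str] = None  # None while the client is unauthenticated


@dataclass
class ClientConnectionPolicy:
    name: str
    evaluation_order_index: int                   # lower index wins a tie
    criteria: Callable[[ClientConnection], bool]  # connection criteria
    allowed_operations: frozenset                 # operation constraints
    subtree_views: Tuple[str, ...]                # DIT subtrees the client may reach


def _internal(conn: ClientConnection) -> bool:
    return ip_address(conn.address) in ip_network("10.0.0.0/8")   # constructed range


# Constructed policy set. Note that "internal" and "external-plain" can both
# match an unauthenticated plaintext internal client; the index decides.
POLICIES = [
    ClientConnectionPolicy("root-secure", 10,
                           lambda c: c.secure and c.bind_dn == "cn=Directory Manager",
                           frozenset({"bind", "search", "add", "modify", "delete", STARTTLS}),
                           ("dc=example,dc=com", "cn=config")),
    ClientConnectionPolicy("internal", 20, _internal,
                           frozenset({"bind", "search", "add", "modify", STARTTLS}),
                           ("dc=example,dc=com",)),
    ClientConnectionPolicy("external-secure", 30,
                           lambda c: c.secure and not _internal(c),
                           frozenset({"bind", "search"}),
                           ("ou=people,dc=example,dc=com",)),
    # Plaintext external clients: only the StartTLS extended operation (not
    # extended operations in general) and bind are permitted. A bind here makes
    # the connection match nothing, so it is terminated on re-evaluation.
    ClientConnectionPolicy("external-plain", 40,
                           lambda c: c.protocol == "LDAP" and not c.secure and c.bind_dn is None,
                           frozenset({STARTTLS, "bind"}),
                           ()),
]


def select_policy(policies, conn) -> Optional[ClientConnectionPolicy]:
    """Exactly one policy applies; ties go to the lowest evaluation order index."""
    matches = [p for p in policies if p.criteria(conn)]
    if not matches:
        return None
    return min(matches, key=lambda p: p.evaluation_order_index)


def operation_allowed(policy: ClientConnectionPolicy, operation: str) -> bool:
    return operation in policy.allowed_operations


def simulate(policies, conn: ClientConnection, events) -> List[str]:
    """Replay events against the connection, re-evaluating after bind/StartTLS.

    Events are "starttls", ("bind", dn), or a plain operation name. The trace
    records the chosen policy at connect and after every re-evaluation, plus
    OK:/REJECTED: entries for ordinary operations.
    """
    trace = []
    policy = select_policy(policies, conn)
    trace.append(policy.name if policy else TERMINATED)
    for event in events:
        if policy is None:
            break                                  # connection already terminated
        op, arg = (event, None) if isinstance(event, str) else event
        label = STARTTLS if op == "starttls" else op
        if not operation_allowed(policy, label):
            trace.append(f"REJECTED:{op}")         # refused; connection state unchanged
            continue
        if op == "starttls":
            conn.secure = True
        elif op == "bind":
            conn.bind_dn = arg
        else:
            trace.append(f"OK:{op}")               # no identity change, no re-evaluation
            continue
        policy = select_policy(policies, conn)     # identity or security changed
        trace.append(policy.name if policy else TERMINATED)
    return trace


def run(address: str, protocol: str, secure: bool, events) -> List[str]:
    return simulate(POLICIES, ClientConnection(address, protocol, secure), events)


if __name__ == "__main__":
    print(run("10.1.2.3", "LDAP", False, [("bind", "cn=Directory Manager"), "modify"]))
    print(run("203.0.113.5", "LDAP", False,
              ["search", "starttls", ("bind", "cn=Directory Manager"), "delete"]))
    print(run("203.0.113.5", "LDAP", False, [("bind", "uid=alice,ou=people,dc=example,dc=com")]))
```

Running the script walks through the three cases the paragraph describes: an internal plaintext client matches two policies and the lower index ("internal") wins; an external client is held to "external-plain" (search rejected) until StartTLS moves it to "external-secure", and a root bind then moves it to "root-secure"; an external client that binds without first securing the connection matches no policy after the bind and is terminated.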

For more information about configuring a client connection policy, see Configuring Client Connection Policies.