Bind rules are used to identify the set of requesters to which an ACI applies.
ACIs can have multiple bind rules to specify multiple conditions that can be satisfied.
Bind rules can be combined using either the and
or the
or
keyword such as
userdn="ldap:///uid=admin,dc=example,dc=com
or
groupdn="ldap:///cn=administrators,ou=Groups,dc=example,dc=com
. The
not
keyword is also used to negate the result of a bind rule.
userdn
The userdn
bind rule is used to target a requester based on their
authenticated identity. The value of this bind rule must be in the form of an
LDAP URL although in some cases it might not
actually be a valid URL (for example, because the distinguished name (DN) element is
not actually a valid DN). The LDAP URL can take several forms, including:
- It can have an LDAP URL that contains just a DN, without any wildcard,
scope, or filter:
“ldap:///uid=admin,dc=example,dc=com”
. - It can contain an LDAP URL that contains a DN that has a pattern with
asterisks as wildcards. Wildcards can be used as follows:
- In place of an entire attribute value:
userdn="ldap:///uid=*,ou=People,dc=example,dc=com
- In place of a portion of an attribute value:
userdn="ldap:///uid=admin-*,ou=People,dc=example,dc=com
- In place of an attribute type:
userdn="ldap:///*=jdoe,ou=People,dc=example,dc=com
- In place of a single entire RDN component:
userdn="ldap:///uid=admin,*,dc=example,dc=com
- Two consecutive asterisks in place of any number of entire RDN
components:
userdn="ldap:///uid=admin,**,dc=example,dc=com
- In place of an entire attribute value:
- It can have an LDAP URL that contains a parameterized DN. See the Parameterized ACIs section for more information about this.
- It can have an LDAP URL in which the DN is the string
anyone
:userdn="ldap:///anyone
. This indicates that the ACI applies to any client, regardless of whether they are authenticated. - It can have an LDAP URL in which the DN is the string
all
:userdn="ldap:///all
. This indicates that the ACI applies to any authenticated client (regardless of the authentication identity), but not to unauthenticated or anonymous clients. - It can have an LDAP URL in which the DN is the string
self
:userdn="ldap:///self
. This indicates that the ACI applies to any operation in which the authenticated user is targeting their own entry. - It can have an LDAP URL in which the DN is the string
parent
:userdn="ldap:///parent
. This indicates that the ACI applies to any operation that targets an entry whose immediate parent is the requester’s own entry. That is, it allows a requester to perform operations on entries immediately below their own. - It can be a full LDAP URL, including a base DN (without wildcards or
parameterization), scope, and filter suh as
userdn="ldap:///dc=example,dc=com??sub?(objectClass=person)"
.
The userdn
bind rule can also contain multiple LDAP URLs.
In that case, each URL should be separated by two consecutive vertical bar
characters ||
:
(“userdn="ldap:///uid=jdoe,ou=People,dc=example,dc=com ||
uid=jpublic,ou=People,dc=example,dc=com"”)
.
The !=
operator can be used as an alternative to the
=
operator:
userdn!="ldap:///uid=admin,ou=People,dc=example,dc=com"
. In
that case, the bind rule matches if the provided value does not match the
authenticated identity.
groupdn
The groupdn
bind rule is used to target a requester based
on their group membership. The value of this bind rule must be an LDAP URL, such as
groupdn="ldap:///cn=Admin Users,ou=Groups,dc=example,dc=com"
.
Only the DN element of the URL is used, and that DN must not contain any wildcards
or parameterization.
The groupdn
bind rule considers both direct group
membership and nested membership such as if the user is a member of a group that is
itself a member of a group listed in the groupdn
value.
As with the userdn
bind rule, the value of the
groupdn
bind rule can include multiple LDAP URLs separated by
two consecutive vertical bar characters.
The !=
operator can be used as an alternative to the
=
operator:
groupdn!="ldap:///cn=Administrators,ou=Groups,dc=example,dc=com"
.
In that case, the bind rule matches if authenticated user is not a member of the
specified group.
connectioncriteria
The connectioncriteria
bind rule allows or denies an operation based
on whether the client connection matches a given connection criteria definition.
If present in an access control rule, the operator must be either "=" or "!=". The value must be enclosed in quotation marks, and it must be the name or full DN of the configuration object that defines the desired connection criteria.
For example, you can use a modification like the following to allow any client
matching the "Root Users and Topology Administrators" connection criteria to have
full read and write access to entries below dc=example,dc=com
:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Full read and write access for
administrators"; allow (read,search,compare,write)
connectioncriteria="Root Users and Topology Administrators";)
secure
The secure
bind rule allows or denies an operation based on whether
the client is communicating with the server over a secure connection; for example,
using LDAPS or StartTLS over LDAP.
If present in an access control rule, the operator must be either
"=" or "!=", and the value must be
either "true" or "false" including the
quotation marks. With this in mind, the secure
bind rule takes the
following forms:
secure="true"
indicates that the ACI will apply only if the connection was received over a secure connection.secure="false"
indicates that the ACI will only apply if the connection was received over a non-secure connection.secure!="true"
indicates that the ACI will apply only if the connection was received over a non-secure connection.secure!="false"
indicates that the ACI will apply only if the connection was received over a secure connection.
For example, you can use a modification like the following to allow users below
dc=example,dc=com
to update their own passwords over a secure
connection:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Allow users to update
their own passwords over a secure connection"; allow (write)
userdn="ldap:///self" and secure="true";)
userattr
The userattr bind rule can be used to target a requester based on their relation to the value of an attribute in the target entry. The value of the bind rule should contain the name of an attribute followed by the octothorpe character (#) and a keyword or attribute value.
There are four forms that userattr values can take:
- An attribute name followed by an octothorpe and the keyword
USERDN
, which indicates that the specified attribute should have a value that matches the DN of the authenticated user. For example,userattr="manager#USERDN"
can be used to allow an operation if it targets an entry whose manager attribute has a value that matches the DN of the authenticated user. - An attribute name followed by an octothorpe and the keyword
GROUPDN
, which indicates that the specified attribute should have a value that matches the DN of a group in which the authenticated user is a member. For example,userattr="allowedEditors#GROUPDN"
can be used to allow an operation if it targets an entry whoseallowedEditors
attribute has a value that matches the DN of a group that contains the authenticated user either directly or indirectly through a nested group. - An attribute name followed by an octothorpe and the keyword
LDAPURL
, in which case the value of the specified attribute must be an LDAP URL that is compared against the authenticated user’s entry. For example,userattr="allowedEditorCriteria#LDAPURL"
can be used to allow an operation if it targets an entry whoseallowedEditorCriteria
attribute has a value that is an LDAP URL whose base, scope, and filter matches the authenticated user’s entry. - An attribute name followed by an octothorpe and any value that is not
one of
USERDN
,GROUPDN
, orLDAPURL
. In this case, that value is assumed to be an attribute value, and the operation can be authorized if both the authenticated user’s entry and the target user’s entry have that attribute value for the specified attribute. For example,userattr="ou#Sales"
can be used to allow a user with an ou value ofSales
to process operations against other users with an ou value ofSales
.
When using the USERDN
keyword, you can optionally specify
a parent component to indicate that the target entry can be up to four levels below
the authenticated user’s entry. In this case, the word parent should be followed by
an opening square bracket ([), a comma-delimited list of digits between 0 and 4
(inclusive), a closing square bracket (]), a period, and the rest of the value. A
value of zero matches if the attribute value contains a DN that matches that of the
authenticated user, while A value of four matches if the attribute value contains a
DN that is exactly four levels below the authenticated user’s entry. For example,
userattr="parent[0,1,2,3,4].manager#USERDN"
can be used to
allow an operation if it targets a user whose manager attribute contains a value
that matches the DN of the authenticated user or is up to four levels below that
DN.
The !=
operator can be used as an alternative to the
=
operator such as userattr!="manager#USERDN"
.
In that case, the bind rule matches if the provided value does not match for the
authenticated user.
authmethod
The authmethod
bind rule is used to target a requester based on the
mechanism that they used to authenticate to the server. The value for this element
can take one of the following forms:
none
- This matches if the requester is not authenticated;
authmethod="none"
. simple
- This matches if the requester authenticated using non-anonymous LDAP simple
authentication;
authmethod="simple"
. ssl
- This matches if the requester authenticated using a client certificate;
authmethod="ssl"
. This is equivalent toauthmethod="SASL EXTERNAL"
. sasl <mechanisimName>
- This matches if the requester authenticated using the specified SASL
mechanism:
authmethod="SASL PLAIN"
.
The ssl
value does not necessarily match just because the client
is communicating with the server over a secure connection. Instead, it only
matches if the client authenticated to the server with a client certificate
chain using the SASL EXTERNAL mechanism.
The !=
operator can be used as an alternative to the
=
operator: authmethod!="simple"
. In that case,
the bind rule matches if the client is not authenticated using the specified
mechanism.
ip
The ip bind rule can be used to target a requester based on the IP address of the client system. The value can be a comma-delimited list of any of the following IP address patterns:
- A specific IPv4 address:
ip="1.2.3.4"
. - An IPv4 address that uses the asterisk as a wildcard character to
specify a range of addresses:
ip="1.2.3.*"
. - An IPv4 address is followed by a plus sign and a subnet mask to
specify a range of addresses:
ip="1.2.3.0+255.255.255.0"
. - An IPv4 address using CIDR notation to specify a range of addresses:
ip="1.2.3.0/24"
. - An IPv6 address as described in RFC
2373:
ip="0:0:0:0:0:0:0:1"
. IPv6 shorthand notation is also allowed:ip="::1"
.
The !=
operator can be used as an alternative to the “=” operator:
ip!="1.2.3.0/24"
. In that case, the bind rule matches if the
client does not match the given IP address pattern.
dns
The dns
bind rule can be used to target a requester based
on a resolvable host name. The value can be a comma-delimited list of host names in
either of the following forms:
- A complete resolvable host name:
dns="client.example.com"
. - A host name that uses the asterisk as a wildcard in the leftmost
component:
dns="*.example.com"
.
The !=
operator can be used as an alternative to the
=
operator: dns!="*.example.com"
. In that
case, the bind rule matches if the client host name does not match the provided
pattern.
In general, we do not recommend using the dns
bind rule. DNS might be
vulnerable to spoofing attacks, which could help an attacker gain unauthorized
access to the system. Further, if name resolution is slow (for example, as a result
of a network problem or an intentional denial of service attack), then that can
adversely affect the performance of the PingDirectory
server.
dayofweek
The dayofweek
bind rule is used to make access control
decisions based on the current day of the week, as determined by the server’s
current time zone. The value should be a comma-delimited list containing one or more
of the following values: sun
, mon
,
tue
, wed
, thu
,
fri
, sat
. For example,
dayofweek="mon,tue,wed,thu,fri"
.
The !=
operator can be used as an alternative to the
=
operator: dayofweek!="sat,sun"
. In that
case, the bind rule matches if the current day of the week is not included in the
provided list.
timeofday
The timeofday
bind rule is used to make access control
decisions based on the current time of the day, as determined by the server’s
current time zone.
The value of this bind rule must be a four-digit number. The first two
digits must represent the hour, with a value between 00
and
23
. The last two digits must represent the minute, with a value
between 00
and 59
. For example, a value of
0123
represents a time of 1:23 a.m. in the server’s time
zone.
The operator for this bind rule can be one of the following:
=
- The bind rule matches if the current time has the same hour and minute as
specified in the value:
timeofday="0123"
. !=
- The bind rule matches if the current time has a different hour or minute
than specified in the value:
timeofday!="0123"
. <
-
The bind rule matches if the current time is between midnight (inclusive) and the time specified in the value (exclusive). That is, if the current time is earlier in the day than the specified time:
timeofday<"0123"
. <=
- The bind rule matches if the current time is between midnight (inclusive)
and the time specified in the value (inclusive). That is, if the current
time is earlier in the day or the same as the specified time:
timeofday<="0123"
. >
- The bind rule matches if the current time is between the time specified in
the value (exclusive) and 11:59 p.m. (inclusive). That is, if the current
time is later in the day than the specified time:
timeofday>"0123"
. >=
-
The bind rule matches if the current time is between the time specified in the value (inclusive) and 11:59 p.m. (inclusive). That is, if the current time is later in the day or the same as the specified time:
timeofday>="0123"
.
oauthscope
The oauthscope bind rule is used to make access control decisions based on the set of scopes associated with an OAuth 2.0 access token that the client used to authenticate.
This bind rule is primarily used for clients that have authenticated with the OAUTHBEARER SASL mechanism or for clients that have authenticated to Delegated Admin using an OAuth token. It does not currently apply to clients using SCIM or the Directory REST API even if they have authenticated with an OAuth token.
The value for this bind rule might have one of the following forms:
- It can be the name of a single scope to match:
oauthscope="admin_user"
. - It can be a substring assertion that contains one or more asterisks to
use as wildcards:
oauthscope="admin_*"
. - It can be a single asterisk to indicate that any scope is sufficient:
oauthscope="*"
.
The !=
operator can be used as an alternative to the
=
operator: oauthscope!="admin_user"
. In that
case, the bind rule matches if the user does not have the specified scope.