Data Governance Server Documentation Index

DSEE Compat Access Control Handler

Note: this component has a complexity level of "expert", which means that objects of this type are not expected to be created or altered. Please contact support for assistance if you believe that you have a need to create or modify this type of object.

The DSEE Compat Access Control Handler provides an implementation that uses syntax compatible with the Sun Java System Directory Server Enterprise Edition access control handler.

Parent Component
Properties
dsconfig Usage

Parent Component

The DSEE Compat Access Control Handler component inherits from the Access Control Handler.

Properties

The properties supported by this managed object are as follows:

Basic Properties:
  enabled
  global-aci
  allowed-bind-control
  allowed-bind-control-oid

Advanced Properties:
  None

Basic Properties

enabled

Description
Indicates whether this Access Control Handler is enabled. If set to FALSE, then no access control is enforced, and any client (including unauthenticated or anonymous clients) could be allowed to perform any operation if not subject to other restrictions, such as those enforced by the privilege subsystem.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action.

global-aci

Description
Defines global access control rules. Global access control rules apply to all entries anywhere in the data managed by the Directory Server. The global access control rules may be overridden by more specific access control rules placed in the data.
Default Value
No global access control rules are defined, which means that no access is allowed for any data in the server unless specifically granted by access control rules in the data.
Allowed Values
A valid access control rule
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action.
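As an added example (not part of this reference and not Ping Identity code), the following Python checks a DSEE-style ACI value before it is added to global-aci, and flags allow clauses that hand write-class rights to ldap:///anyone, the unauthenticated clients that the empty-global-aci default otherwise denies. It assumes the common DSEE ACI subset shown in its docstring; the sample rules are constructed.

```python
"""Validate DSEE-style ACI values before adding them to global-aci.
Added example, not Ping Identity code. Assumes the common DSEE ACI subset:
  (targetattr="...")(version 3.0; acl "name"; allow|deny (rights) bindrule;)"""
import re

TARGET_RE = re.compile(r'\((target(?:attr|scope|filter)?)\s*(!?=)\s*"([^"]*)"\)')
BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(.*)\)\s*$', re.S)
PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]+);')
RIGHTS = {"read", "search", "compare", "write", "add", "delete",
          "selfwrite", "proxy", "import", "export", "all"}
BROAD = {"write", "add", "delete", "proxy", "all"}   # rights that modify or impersonate

# Constructed sample rules, not taken from the documentation.
ANON_READ = ('(targetattr="*")(version 3.0; acl "Anonymous read"; '
             'allow (read,search,compare) userdn="ldap:///anyone";)')
ANON_ALL = ('(targetattr="*")(version 3.0; acl "Too broad"; '
            'allow (all) userdn="ldap:///anyone";)')

def parse_aci(aci):
    """Split a rule into target clauses, acl name and permission clauses;
    raise ValueError for anything outside the grammar above."""
    aci = aci.strip()
    targets, pos = {}, 0
    for m in TARGET_RE.finditer(aci):
        if m.start() != pos:          # target clauses form a contiguous prefix
            break
        targets[m.group(1)] = (m.group(2), m.group(3))
        pos = m.end()
    body = BODY_RE.match(aci[pos:])
    if not body:
        raise ValueError('missing (version 3.0; acl "..."; ...) clause')
    perms = []
    for kind, rights, bind in PERM_RE.findall(body.group(2)):
        rights = {r.strip() for r in rights.split(",")}
        if rights - RIGHTS:
            raise ValueError(f"unknown right(s): {sorted(rights - RIGHTS)}")
        perms.append((kind, rights, bind.strip()))
    if not perms:
        raise ValueError("no allow/deny clause")
    return {"targets": targets, "name": body.group(1), "perms": perms}

def risky_grants(aci):
    """List allow clauses that hand write-class rights to ldap:///anyone, i.e.
    to unauthenticated clients; an empty global-aci denies these by default."""
    return [f"{sorted(rights & BROAD)} granted to anyone"
            for kind, rights, bind in parse_aci(aci)["perms"]
            if kind == "allow" and rights & BROAD
            and 'userdn="ldap:///anyone"' in bind.replace(" ", "")]
```

A rule that passes parse_aci and returns no findings from risky_grants can then be supplied as the {propertyValue} of an --add global-aci:... argument to dsconfig set-access-control-handler-prop.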

allowed-bind-control

Description
Specifies a set of controls that clients should be allowed to include in bind requests. As bind requests are evaluated as the unauthenticated user, any controls included in this set will be permitted for any bind attempt. If you wish to grant permission for any bind controls not listed here, then the allowed-bind-control-oid property may be used to accomplish that. Note that the ability to use certain bind controls may be required for optimal performance and/or functionality of other Ping Identity products. This includes the administrative-operation, get-authorization-entry, get-user-resource-limits, intermediate-client, operation-purpose, and retain-identity request controls. If you wish to disable support for any of these controls for bind operations, please contact Ping Identity support to understand the potential adverse effects of that change.
Default Value
None
Allowed Values
administrative-operation - The administrative operation request control (1.3.6.1.4.1.30221.2.5.11), which may be used to indicate that the associated operation is being issued for performing some kind of administrative operation rather than a request directly issued by a client.

authorization-identity - The authorization identity request control (2.16.840.1.113730.3.4.16), which may be used to request that the server include the authorization identity for the authenticated user (generally in the form "dn:" followed by the user DN) in the bind response.

get-authorization-entry - The get authorization entry request control (1.3.6.1.4.1.30221.2.5.6), which may be used to request that the server return the entries for the authentication and/or authorization identities in the bind response.

get-backend-set-id - The get backend set ID request control (1.3.6.1.4.1.30221.2.5.33), which may be used to request that the operation response include information about which entry-balancing backend set was used to process the request.

get-password-policy-state-issues - The get password policy state issues request control (1.3.6.1.4.1.30221.2.5.46), which may be used to request that the bind response include information about any notices, warnings, or errors about the authenticating user's password policy state. The bind request must also contain the retain identity request control, and the connection must be authenticated as a user with the permit-get-password-policy-state-issues privilege.

get-server-id - The get server ID request control (1.3.6.1.4.1.30221.2.5.14), which may be used to request that the operation response include information about which specific backend server was used to process the request.

get-user-resource-limits - The get user resource limits request control (1.3.6.1.4.1.30221.2.5.25), which may be used to request that the bind response include extended information about the authenticated user, including the effective time limit, size limit, idle time limit, lookthrough limit, privileges, etc.

intermediate-client - The intermediate client request control (1.3.6.1.4.1.30221.2.5.2), which may be used to provide information to the server about the path a request took to reach it (e.g., information about any Directory Proxy Server that the request passed through), and request that the response to the client include information about the path taken by the response.

operation-purpose - The operation purpose request control (1.3.6.1.4.1.30221.2.5.19), which may be used to provide human-readable information about the purpose for the associated operation for inclusion in the server access log.

password-policy - The password policy request control (1.3.6.1.4.1.42.2.27.8.5.1), which may be used to obtain additional information about the password policy state for a user, or information about the reason for an authentication failure.

retain-identity - The retain identity request control (1.3.6.1.4.1.30221.2.5.3), which may be used to request that the server process a bind operation but without altering the authentication state for the connection (i.e., perform all processing associated with the bind to verify the supplied credentials and account usability, but continue to process subsequent requests under the previous authorization identity).

route-to-backend-set - The route to backend set request control (1.3.6.1.4.1.30221.2.5.35), which may be used to request that the Directory Proxy Server send the request to a specific backend set for processing.

route-to-server - The route to server request control (1.3.6.1.4.1.30221.2.5.16), which may be used to request that the Directory Proxy Server send the request to a specific backend server for processing.

suppress-operational-attribute-update - The suppress operational attribute update request control (1.3.6.1.4.1.30221.2.5.27), which may be used to request that the server not update certain metadata associated with the target user entry, including last access time, last login time, and last login IP address.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action.

allowed-bind-control-oid

Description
Specifies the OIDs of any additional controls (not covered by the allowed-bind-control property) that should be permitted in bind requests.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action.


dsconfig Usage

To view the Access Control Handler configuration:

dsconfig get-access-control-handler-prop
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the Access Control Handler configuration:

dsconfig set-access-control-handler-prop
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...