Note: this component has a complexity level of "expert", which means that objects of this type are not expected to be created or altered. Please contact UnboundID support for assistance if you believe that you have a need to create or modify this type of object.
The DSEE Compat Access Control Handler provides an implementation that uses syntax compatible with the Sun Java System Directory Server Enterprise Edition access control handler.
↓Parent Component
↓Properties
↓dsconfig Usage
The DSEE Compat Access Control Handler component inherits from the Access Control Handler
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ enabled | None |
| ↓ global-aci | |
| ↓ allowed-bind-control | |
| ↓ allowed-bind-control-oid |
| Description | Indicates whether this Access Control Handler is enabled. If set to FALSE, then no access control is enforced, and any client (including unauthenticated or anonymous clients) could be allowed to perform any operation if not subject to other restrictions, such as those enforced by the privilege subsystem. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Defines global access control rules. Global access control rules apply to all entries anywhere in the data managed by the Identity Data Store. The global access control rules may be overridden by more specific access control rules placed in the data. |
| Default Value | No global access control rules are defined, which means that no access is allowed for any data in the server unless specifically granted by access control rules in the data. |
| Allowed Values | A valid access control rule |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies a set of controls that clients should be allowed to include in bind requests. As bind requests are evaluated as the unauthenticated user, any controls included in this set will be permitted for any bind attempt. If you wish to grant permission for any bind controls not listed here, then the allowed-bind-control-oid property may be used to accomplish that. Note that the ability to use certain bind controls may be required for optimal performance and/or functionality of other UnboundID products. This includes the administrative-operation, get-authorization-entry, get-user-resource-limits, intermediate-client, operation-purpose, and retain-identity request controls. If you wish to disable support for any of these controls for bind operations, please contact UnboundID support to understand the potential adverse effects of that change. |
| Default Value | None |
| Allowed Values | administrative-operation - The administrative operation request control (1.3.6.1.4.1.30221.2.5.11), which may be used to indicate that the associated operation is being issued for performing some kind of administrative operation rather than a request directly issued by a client. authorization-identity - The authorization identity request control (2.16.840.1.113730.3.4.16), which may be used to request that the server include the authorization identity for the authenticated user (generally in the form "dn:" followed by the user DN) in the bind response. get-authorization-entry - The get authorization entry request control (1.3.6.1.4.1.30221.2.5.6), which may be used to request that the server return the entries for the authentication and/or authorization identities in the bind response. get-backend-set-id - The get backend set ID request control (1.3.6.1.4.1.30221.2.5.33), which may be used to request that the operation response include information about which entry-balancing backend set was used to process the request. get-server-id - The get server ID request control (1.3.6.1.4.1.30221.2.5.14), which may be used to request that the operation response include information about which specific backend server was used to process the request. get-user-resource-limits - The get user resource limits request control (1.3.6.1.4.1.30221.2.5.25), which may be used to request that the bind response include extended information about the authenticated user, including the effective time limit, size limit, idle time limit, lookthrough limit, privileges, etc. intermediate-client - The intermediate client request control (1.3.6.1.4.1.30221.2.5.2), which may be used to provide information to the server about the path a request took to reach it (e.g., information about any Identity Proxy that the request passed through), and request that the response to the client include information about the path taken by the response. operation-purpose - The operation purpose request control (1.3.6.1.4.1.30221.2.5.19), which may be used to provide human-readable information about the purpose for the associated operation for inclusion in the server access log. password-policy - The password policy request control (1.3.6.1.4.1.42.2.27.8.5.1), which may be used to obtain additional information about the password policy state for a user, or information about the reason for an authentication failure. retain-identity - The retain identity request control (1.3.6.1.4.1.30221.2.5.3), which may be used to request that the server process a bind operation but without altering the authentication state for the connection (i.e., perform all processing associated with the bind to verify the supplied credentials and account usability, but continue to process subsequent requests under the previous authorization identity). route-to-backend-set - The route to backend set request control (1.3.6.1.4.1.30221.2.5.35), which may be used to request that the Identity Proxy send the request to a specific backend set for processing. route-to-server - The route to server request control (1.3.6.1.4.1.30221.2.5.16), which may be used to request that the Identity Proxy send the request to a specific backend server for processing.. suppress-operational-attribute-update - The suppress operational attribute update request control (1.3.6.1.4.1.30221.2.5.27), which may be used to request that the server not update certain metadata associated with the target user entry, including last access time, last login time, and last login IP address. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the OIDs of any additional controls (not covered by the allowed-bind-control property) that should be permitted in bind requests. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To view the Access Control Handler configuration:
dsconfig get-access-control-handler-prop
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the Access Control Handler configuration:
dsconfig set-access-control-handler-prop
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...