Simple Connection Criteria

Simple Connection Criteria define a set of criteria that may be used to determine whether a client connection matches a given set of criteria. The criteria used for this matching may include the address of the client, the protocol they are using to communicate with the server, whether that communication is secure, whether the client is authenticated, whether the authentication was secure, and the identity of the authenticated user.


Parent Component

The Simple Connection Criteria component inherits from the Connection Criteria component.

Relations from This Component

The following components have a direct aggregation relation from Simple Connection Criteria:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 included-client-address
 excluded-client-address
 included-connection-handler
 excluded-connection-handler
 included-protocol
 excluded-protocol
 communication-security-level
 user-auth-type
 authentication-security-level
 included-user-sasl-mechanism
 excluded-user-sasl-mechanism
 included-user-base-dn
 excluded-user-base-dn
 all-included-user-group-dn
 any-included-user-group-dn
 not-all-included-user-group-dn
 none-included-user-group-dn
 all-included-user-filter
 any-included-user-filter
 not-all-included-user-filter
 none-included-user-filter
 all-included-user-privilege
 any-included-user-privilege
 not-all-included-user-privilege
 none-included-user-privilege

Advanced Properties:
 None

Basic Properties

description

Description
A description for this Connection Criteria
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

included-client-address

Description
Specifies an address mask that may be used to specify a set of clients that should be included in this Simple Connection Criteria. If at least one included client address mask is provided, then this Simple Connection Criteria will only match client connections in which the client address matches at least one of the included client address masks. If at least one excluded client address mask is provided, then this Simple Connection Criteria will not match any client connections in which the client address matches at least one of the excluded client address masks. If no included client address masks and no excluded client address masks are provided, then the client address will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
An IP address mask
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

excluded-client-address

Description
Specifies an address mask that may be used to specify a set of clients that should be excluded from this Simple Connection Criteria. If at least one included client address mask is provided, then this Simple Connection Criteria will only match client connections in which the client address matches at least one of the included client address masks. If at least one excluded client address mask is provided, then this Simple Connection Criteria will not match any client connections in which the client address matches at least one of the excluded client address masks. If no included client address masks and no excluded client address masks are provided, then the client address will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
An IP address mask
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

included-connection-handler

Description
Specifies a connection handler for clients that should be included in this Simple Connection Criteria. If at least one included connection handler is provided, then this Simple Connection Criteria will only match client connections associated with one of the included connection handlers. If at least one excluded connection handler is provided, then this Simple Connection Criteria will not match any client associated with any of the excluded connection handlers. If no included connection handlers and no excluded connection handlers are defined, then the connection handler associated with the client connection will not be considered when determining whether that connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
The DN of any Connection Handler. The associated connection handler must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

excluded-connection-handler

Description
Specifies a connection handler for clients that should be excluded from this Simple Connection Criteria. If at least one included connection handler is provided, then this Simple Connection Criteria will only match client connections associated with one of the included connection handlers. If at least one excluded connection handler is provided, then this Simple Connection Criteria will not match any client associated with any of the excluded connection handlers. If no included connection handlers and no excluded connection handlers are defined, then the connection handler associated with the client connection will not be considered when determining whether that connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
The DN of any Connection Handler. The associated connection handler must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

included-protocol

Description
Specifies the name of a communication protocol that should be used by clients included in this Simple Connection Criteria. If at least one included protocol is provided, then this Simple Connection Criteria will only match client connections in which the protocol used by the client matches one of the included protocols. If at least one excluded protocol is provided, then this Simple Connection Criteria will not match any client connections in which the protocol used by the client matches one of the excluded protocols. If no included protocols and no excluded protocols are provided, then the communication protocol will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

excluded-protocol

Description
Specifies the name of a communication protocol that should be used by clients excluded from this Simple Connection Criteria. If at least one included protocol is provided, then this Simple Connection Criteria will only match client connections in which the protocol used by the client matches one of the included protocols. If at least one excluded protocol is provided, then this Simple Connection Criteria will not match any client connections in which the protocol used by the client matches one of the excluded protocols. If no included protocols and no excluded protocols are provided, then the communication protocol will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

communication-security-level

Description
Indicates whether this Simple Connection Criteria should require or allow clients using a secure communication channel. Note that the determination as to whether a client connection is using a secure communication channel will be made by the connection handler that accepted the client connection and will be based on the information available to the Directory Server for that connection and a client connection will only be classified as "secure" if it is known that the communication between the client and the server cannot be easily intercepted and interpreted or altered in an undetectable manner (e.g., if the communication is protected with SSL/TLS). Client communication which may be protected by some external mechanism (e.g., IPsec) which is not visible to the Directory Server may still be classified as "insecure" by the server.
Also note that while the StartTLS extended operation may be used to secure connections in a manner that will satisfy the "secure-only" value of this property, such connections will initially be established as insecure, and they will remain insecure until the StartTLS extended operation has been completed. As a result, if you intend to create a simple connection criteria object that will only match secure connections, you should be aware that StartTLS-secured connections are initially considered insecure. For example, if you intend to use the criteria in conjunction with a client connection policy so that the policy will only be used for secure connections, there must also be a client connection policy that can be used for insecure connections and will allow those connections to issue StartTLS extended requests so that they may be transformed into secure connections (at which point the server will re-evaluate which connection criteria should be applied to the newly-secured connections).
Default Value
any
Allowed Values
any - The security of the client communication will not be considered when determining whether a client connection matches this Simple Connection Criteria.

secure-only - This Simple Connection Criteria will only include clients which are known to be using a secure communication channel.

insecure-only - This Simple Connection Criteria will only include clients which are not known to be using a secure communication channel.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

user-auth-type

Description
Specifies the authentication types for client connections that may be included in this Simple Connection Criteria. Note that including a user auth type of "none" in this set indicates that unauthenticated client connections (which includes connections whose last authentication attempt was not successful) may be included in this Simple Connection Criteria. If an unauthenticated client connection is allowed, then other authentication-related properties (including the authentication security level, SASL mechanism, user DN, group membership, and user entry contents) will not be taken into account when determining whether that client connection matches this Simple Connection Criteria.
Default Value
none
simple
sasl
internal
Allowed Values
none - Client connections on which no authentication has been performed, or whose last authentication attempt was unsuccessful, may be included in this Simple Connection Criteria.

simple - Client connections whose last authentication attempt was a successful simple bind may be included in this Simple Connection Criteria.

sasl - Client connections whose last authentication attempt was a successful SASL bind may be included in this Simple Connection Criteria.

internal - Client connections whose authentication was performed internally within the server may be included in this Simple Connection Criteria.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

authentication-security-level

Description
Indicates whether this Simple Connection Criteria should require or allow clients that authenticated using a secure manner. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. Note that the determination as to whether or not the authentication method was secure is based on both the connection security level and the authentication method used. If the authentication was performed over a secure communication channel, then it will be considered secure and the authentication method will not be taken into account. If the authentication was not performed over a secure communication channel, then the determination will be based on the authentication method. Simple authentication performed over an insecure communication channel will never be considered secure. SASL authentication performed over an insecure communication channel may be considered secure if the associated SASL mechanism handler uses an authentication mechanism which does not expose the client credentials in any usable form and which does not allow an observer to replay the client communication to authenticate to the server.
Default Value
any
Allowed Values
any - The security of the client authentication will not be considered when determining whether a client connection matches this Simple Connection Criteria.

secure-only - This Simple Connection Criteria will only include clients which have authenticated over a secure communication channel or using a secure authentication method.

insecure-only - This Simple Connection Criteria will only include clients which are not known to be using a secure communication channel and did not authenticate using a secure authentication method.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

included-user-sasl-mechanism

Description
Specifies the name of a SASL mechanism that should be used by clients included in this Simple Connection Criteria. This will only be taken into account for client connections that have authenticated to the server using a SASL mechanism and will be ignored for unauthenticated client connections and for client connections that authenticated using some other method (e.g., those performing simple or internal authentication). If at least one included SASL mechanism name is provided, then this Simple Connection Criteria will only match client connections in which the name of the SASL mechanism used matches one of the included SASL mechanisms. If at least one excluded SASL mechanism name is provided, then this Simple Connection Criteria will not match any client connections in which the SASL mechanism used matches one of the excluded SASL mechanisms. If no included SASL mechanism names and no excluded SASL mechanism names are provided, then the SASL mechanism used will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

excluded-user-sasl-mechanism

Description
Specifies the name of a SASL mechanism that should be used by clients excluded from this Simple Connection Criteria. This will only be taken into account for client connections that have authenticated to the server using a SASL mechanism and will be ignored for unauthenticated client connections and for client connections that authenticated using some other method (e.g., those performing simple or internal authentication). If at least one included SASL mechanism name is provided, then this Simple Connection Criteria will only match client connections in which the name of the SASL mechanism used matches one of the included SASL mechanisms. If at least one excluded SASL mechanism name is provided, then this Simple Connection Criteria will not match any client connections in which the SASL mechanism used matches one of the excluded SASL mechanisms. If no included SASL mechanism names and no excluded SASL mechanism names are provided, then the SASL mechanism used will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

included-user-base-dn

Description
Specifies a base DN below which authenticated user entries may exist for clients included in this Simple Connection Criteria. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. Refer to the authz version of this property in Simple Result Criteria if operations are being proxied (performed using proxied authorization), and you need to match the originating user of the operation rather than the proxy user (the user the proxy authenticated as). If at least one included user base DN is provided, then this Simple Connection Criteria will only match client connections in which the entry for the authenticated user exists at or below one of the included user base DNs. If at least one excluded user base DN is provided, then this Simple Connection Criteria will not match any client connections in which the entry for the authenticated user exists at or below one of the excluded user base DNs. If no included user base DNs and no excluded user base DNs are provided, then the location of the authenticated user entry will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

excluded-user-base-dn

Description
Specifies a base DN below which authenticated user entries may exist for clients excluded from this Simple Connection Criteria. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. Refer to the authz version of this property in Simple Result Criteria if operations are being proxied (performed using proxied authorization), and you need to match the originating user of the operation rather than the proxy user (the user the proxy authenticated as). If at least one included user base DN is provided, then this Simple Connection Criteria will only match client connections in which the entry for the authenticated user exists at or below one of the included user base DNs. If at least one excluded user base DN is provided, then this Simple Connection Criteria will not match any client connections in which the entry for the authenticated user exists at or below one of the excluded user base DNs. If no included user base DNs and no excluded user base DNs are provided, then the location of the authenticated user entry will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

all-included-user-group-dn

Description
Specifies the DN of a group in which authenticated users must exist for clients included in this Simple Connection Criteria. If any group DNs are provided, then the authenticated user must be a member of all of those groups. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. Refer to the authz version of this property in Simple Result Criteria if operations are being proxied (performed using proxied authorization), and you need to match the originating user of the operation rather than the proxy user (the user the proxy authenticated as). If one or more all-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is a member of all of the specified groups. If one or more any-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is a member of at least one of the specified groups. If one or more not-all-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is not a member of at least one of the specified groups. If one or more none-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is not a member of any of the specified groups. If no all-included, any-included, not-all-included, or none-included group DNs are provided, then group membership for the authenticated client connection will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

any-included-user-group-dn

Description
Specifies the DN of a group in which authenticated users may exist for clients included in this Simple Connection Criteria. If any group DNs are provided, then the authenticated user must be a member of at least one of those groups. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. Refer to the authz version of this property in Simple Result Criteria if operations are being proxied (performed using proxied authorization), and you need to match the originating user of the operation rather than the proxy user (the user the proxy authenticated as). If one or more all-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is a member of all of the specified groups. If one or more any-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is a member of at least one of the specified groups. If one or more not-all-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is not a member of at least one of the specified groups. If one or more none-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is not a member of any of the specified groups. If no all-included, any-included, not-all-included, or none-included group DNs are provided, then group membership for the authenticated client connection will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

not-all-included-user-group-dn

Description
Specifies the DN of a group in which authenticated users should not exist for clients included in this Simple Connection Criteria. If any group DNs are provided, then the authenticated user must not be a member of at least one of those groups (that is, the user may be a member of zero or more of those groups, but not of all of them). This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. Refer to the authz version of this property in Simple Result Criteria if operations are being proxied (performed using proxied authorization), and you need to match the originating user of the operation rather than the proxy user (the user the proxy authenticated as). If one or more all-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is a member of all of the specified groups. If one or more any-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is a member of at least one of the specified groups. If one or more not-all-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is not a member of at least one of the specified groups. If one or more none-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is not a member of any of the specified groups. If no all-included, any-included, not-all-included, or none-included group DNs are provided, then group membership for the authenticated client connection will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

none-included-user-group-dn

Description
Specifies the DN of a group in which authenticated users must not exist for clients included in this Simple Connection Criteria. If any group DNs are provided, then the authenticated user must not be a member of any of those groups. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. Refer to the authz version of this property in Simple Result Criteria if operations are being proxied (performed using proxied authorization), and you need to match the originating user of the operation rather than the proxy user (the user the proxy authenticated as). If one or more all-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is a member of all of the specified groups. If one or more any-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is a member of at least one of the specified groups. If one or more not-all-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is not a member of at least one of the specified groups. If one or more none-included user group DNs are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user is not a member of any of the specified groups. If no all-included, any-included, not-all-included, or none-included group DNs are provided, then group membership for the authenticated client connection will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
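The matching rules spelled out in the property descriptions above (include/exclude lists, the two security levels, the "none" auth-type short-circuit, the StartTLS re-evaluation caveat, and the all/any/not-all/none group sets) as a small Python model. This is an added example, not the server's own code; it assumes client address masks are written as CIDR strings and that the server's view of a connection can be represented by the constructed Connection record below.

```python
"""Model of Simple Connection Criteria evaluation (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

ADMINS_DN = "cn=admins,ou=groups,dc=example,dc=com"   # constructed sample DN


@dataclass
class Connection:
    """Constructed view of what the server knows about one client connection."""
    client_address: str
    protocol: str                          # e.g. "LDAP"
    secure_channel: bool                   # TLS in place (StartTLS flips this later)
    auth_type: str = "none"                # none | simple | sasl | internal
    sasl_mechanism: Optional[str] = None
    sasl_mechanism_secure: bool = False    # hides credentials and resists replay
    group_dns: frozenset = frozenset()     # groups the authenticated user belongs to


@dataclass
class SimpleConnectionCriteria:
    included_client_address: list = field(default_factory=list)   # CIDR masks (assumption)
    excluded_client_address: list = field(default_factory=list)
    included_protocol: list = field(default_factory=list)
    excluded_protocol: list = field(default_factory=list)
    communication_security_level: str = "any"
    user_auth_type: set = field(default_factory=lambda: {"none", "simple", "sasl", "internal"})
    authentication_security_level: str = "any"
    all_included_user_group_dn: list = field(default_factory=list)
    any_included_user_group_dn: list = field(default_factory=list)
    not_all_included_user_group_dn: list = field(default_factory=list)
    none_included_user_group_dn: list = field(default_factory=list)


def _address_in(addr: str, masks: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in masks)


def _include_exclude(hit, included: list, excluded: list) -> bool:
    """Shared rule: a non-empty included list must hit, a non-empty excluded
    list must not; both empty means the attribute is not considered."""
    if included and not hit(included):
        return False
    if excluded and hit(excluded):
        return False
    return True


def _auth_is_secure(conn: Connection) -> bool:
    """A secure channel always counts. Over an insecure channel only a SASL
    mechanism that neither exposes credentials nor allows replay counts;
    simple authentication over an insecure channel is never secure."""
    if conn.secure_channel:
        return True
    return conn.auth_type == "sasl" and conn.sasl_mechanism_secure


def _level_ok(level: str, is_secure: bool) -> bool:
    if level == "secure-only":
        return is_secure
    if level == "insecure-only":
        return not is_secure
    return True                                # "any"


def matches(c: SimpleConnectionCriteria, conn: Connection) -> bool:
    if not _include_exclude(lambda m: _address_in(conn.client_address, m),
                            c.included_client_address, c.excluded_client_address):
        return False
    if not _include_exclude(lambda p: conn.protocol in p,
                            c.included_protocol, c.excluded_protocol):
        return False
    if not _level_ok(c.communication_security_level, conn.secure_channel):
        return False
    if conn.auth_type not in c.user_auth_type:
        return False
    if conn.auth_type == "none":
        # Unauthenticated connections are accepted without consulting any
        # authentication-related property (security level, groups, ...).
        return True
    if not _level_ok(c.authentication_security_level, _auth_is_secure(conn)):
        return False
    g = conn.group_dns
    if c.all_included_user_group_dn and not all(d in g for d in c.all_included_user_group_dn):
        return False
    if c.any_included_user_group_dn and not any(d in g for d in c.any_included_user_group_dn):
        return False
    if c.not_all_included_user_group_dn and all(d in g for d in c.not_all_included_user_group_dn):
        return False
    if c.none_included_user_group_dn and any(d in g for d in c.none_included_user_group_dn):
        return False
    return True


def starttls_scenario() -> tuple:
    """Same connection against a secure-only criteria before and after StartTLS
    completes and the client binds: the server re-evaluates at that point."""
    c = SimpleConnectionCriteria(communication_security_level="secure-only",
                                 user_auth_type={"simple", "sasl"},
                                 all_included_user_group_dn=[ADMINS_DN])
    conn = Connection("10.1.2.3", "LDAP", secure_channel=False)
    before = matches(c, conn)                  # still insecure and unauthenticated
    conn.secure_channel = True                 # StartTLS completed
    conn.auth_type = "simple"
    conn.group_dns = frozenset({ADMINS_DN})
    return before, matches(c, conn)
```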

all-included-user-filter

Description
Specifies a search filter that must match the entry of the authenticated user for clients included in this Simple Connection Criteria. If any filters are provided, then all of those filters must match the authenticated user entry. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. If one or more all-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry matches all of the specified filters. If one or more any-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry matches at least one of the specified filters. If one or more not-all-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry does not match at least one of the specified filters. If one or more none-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry does not match any of the specified filters. If no all-included, any-included, not-all-included, or none-included user filters are provided, then the content of the authenticated user entry will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid LDAP search filter
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

any-included-user-filter

Description
Specifies a search filter that may match the entry of the authenticated user for clients included in this Simple Connection Criteria. If any filters are provided, then at least one of those filters must match the authenticated user entry. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. If one or more all-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry matches all of the specified filters. If one or more any-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry matches at least one of the specified filters. If one or more not-all-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry does not match at least one of the specified filters. If one or more none-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry does not match any of the specified filters. If no all-included, any-included, not-all-included, or none-included user filters are provided, then the content of the authenticated user entry will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid LDAP search filter
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

not-all-included-user-filter

Description
Specifies a search filter that should not match the entry of the authenticated user for clients included in this Simple Connection Criteria. If any filters are provided, then at least one of those filters must not match the authenticated user entry (that is, the user entry may match zero or more of those filters, but not all of them). This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. If one or more all-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry matches all of the specified filters. If one or more any-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry matches at least one of the specified filters. If one or more not-all-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry does not match at least one of the specified filters. If one or more none-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry does not match any of the specified filters. If no all-included, any-included, not-all-included, or none-included user filters are provided, then the content of the authenticated user entry will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid LDAP search filter
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

none-included-user-filter

Description
Specifies a search filter that must not match the entry of the authenticated user for clients included in this Simple Connection Criteria. If any filters are provided, then none of those filters may match the authenticated user entry. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. If one or more all-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry matches all of the specified filters. If one or more any-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry matches at least one of the specified filters. If one or more not-all-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry does not match at least one of the specified filters. If one or more none-included user filters are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user entry does not match any of the specified filters. If no all-included, any-included, not-all-included, or none-included user filters are provided, then the content of the authenticated user entry will not be considered when determining whether a client connection matches this Simple Connection Criteria.
Default Value
None
Allowed Values
A valid LDAP search filter
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

all-included-user-privilege

Description
Specifies the name of a privilege that must be held by the authenticated user for clients included in this Simple Connection Criteria. If any privilege names are provided, then the authenticated user must have all of those privileges. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. If one or more all-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user has all of the specified privileges. If one or more any-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user has at least one of the specified privileges. If one or more not-all-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user does not have at least one of the specified privileges. If one or more none-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user does not have any of the specified privileges. If no all-included, any-included, not-all-included, or none-included user privileges are provided, then the privileges held by the authenticated user will not be considered when determining whether a client connection matches this Simple Connection Criteria. Note that any privilege which has been disabled in the server is assumed to be held by all users.
Default Value
None
Allowed Values
audit-data-security - Allows the associated user to execute data security auditing tasks.

bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.

bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.

modify-acl - Allows the associated user to modify the server's access control configuration.

config-read - Allows the associated user to read the server configuration.

config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.

jmx-read - Allows the associated user to perform JMX read operations.

jmx-write - Allows the associated user to perform JMX write operations.

jmx-notify - Allows the associated user to subscribe to receive JMX notifications.

ldif-import - Allows the user to request that the server process LDIF import tasks.

ldif-export - Allows the user to request that the server process LDIF export tasks.

backend-backup - Allows the user to request that the server process backup tasks.

backend-restore - Allows the user to request that the server process restore tasks.

server-shutdown - Allows the user to request that the server shut down.

server-restart - Allows the user to request that the server perform an in-core restart.

proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.

disconnect-client - Allows the user to terminate other client connections.

password-reset - Allows the user to reset user passwords.

update-schema - Allows the user to make changes to the server schema.

privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.

unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.

unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.

bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.

lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.

stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.

third-party-task - Allows the associated user to invoke tasks created by third-party developers.

use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.

soft-delete-read - Allows the associated user access to soft-deleted entries.

metrics-read - Allows the associated user access to data in the metrics backend.

manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.

permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.

permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.

permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism.

permit-export-reversible-passwords - Allows the associated user to invoke an extended operation that can cause the server to export passwords stored with a reversible scheme.

permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy.

exec-task - Allows the associated user to schedule an exec task.

collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation.

file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege.

permit-replace-certificate-request - Allows the requester to issue requests to manage server listener or inter-server certificates.

permit-verify-password-request - Allows the requester to issue requests to verify user passwords without performing any other password policy processing.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

any-included-user-privilege

Description
Specifies the name of a privilege that may be held by the authenticated user for clients included in this Simple Connection Criteria. If any privilege names are provided, then the authenticated user must have at least one of those privileges. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. If one or more all-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user has all of the specified privileges. If one or more any-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user has at least one of the specified privileges. If one or more not-all-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user does not have at least one of the specified privileges. If one or more none-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user does not have any of the specified privileges. If no all-included, any-included, not-all-included, or none-included user privileges are provided, then the privileges held by the authenticated user will not be considered when determining whether a client connection matches this Simple Connection Criteria. Note that any privilege which has been disabled in the server is assumed to be held by all users.
Default Value
None
Allowed Values
audit-data-security - Allows the associated user to execute data security auditing tasks.

bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.

bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.

modify-acl - Allows the associated user to modify the server's access control configuration.

config-read - Allows the associated user to read the server configuration.

config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.

jmx-read - Allows the associated user to perform JMX read operations.

jmx-write - Allows the associated user to perform JMX write operations.

jmx-notify - Allows the associated user to subscribe to receive JMX notifications.

ldif-import - Allows the user to request that the server process LDIF import tasks.

ldif-export - Allows the user to request that the server process LDIF export tasks.

backend-backup - Allows the user to request that the server process backup tasks.

backend-restore - Allows the user to request that the server process restore tasks.

server-shutdown - Allows the user to request that the server shut down.

server-restart - Allows the user to request that the server perform an in-core restart.

proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.

disconnect-client - Allows the user to terminate other client connections.

password-reset - Allows the user to reset user passwords.

update-schema - Allows the user to make changes to the server schema.

privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.

unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.

unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.

bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.

lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.

stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.

third-party-task - Allows the associated user to invoke tasks created by third-party developers.

use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.

soft-delete-read - Allows the associated user access to soft-deleted entries.

metrics-read - Allows the associated user access to data in the metrics backend.

manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.

permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.

permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.

permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism.

permit-export-reversible-passwords - Allows the associated user to invoke an extended operation that can cause the server to export passwords stored with a reversible scheme.

permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy.

exec-task - Allows the associated user to schedule an exec task.

collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation.

file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege.

permit-replace-certificate-request - Allows the requester to issue requests to manage server listener or inter-server certificates.

permit-verify-password-request - Allows the requester to issue requests to verify user passwords without performing any other password policy processing.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

not-all-included-user-privilege

Description
Specifies the name of a privilege that should not be held by the authenticated user for clients included in this Simple Connection Criteria. If any privilege names are provided, then the authenticated user must not have at least one of those privileges (that is, the user may hold zero or more of those privileges, but not all of them). This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. If one or more all-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user has all of the specified privileges. If one or more any-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user has at least one of the specified privileges. If one or more not-all-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user does not have at least one of the specified privileges. If one or more none-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user does not have any of the specified privileges. If no all-included, any-included, not-all-included, or none-included user privileges are provided, then the privileges held by the authenticated user will not be considered when determining whether a client connection matches this Simple Connection Criteria. Note that any privilege which has been disabled in the server is assumed to be held by all users.
Default Value
None
Allowed Values
audit-data-security - Allows the associated user to execute data security auditing tasks.

bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.

bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.

modify-acl - Allows the associated user to modify the server's access control configuration.

config-read - Allows the associated user to read the server configuration.

config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.

jmx-read - Allows the associated user to perform JMX read operations.

jmx-write - Allows the associated user to perform JMX write operations.

jmx-notify - Allows the associated user to subscribe to receive JMX notifications.

ldif-import - Allows the user to request that the server process LDIF import tasks.

ldif-export - Allows the user to request that the server process LDIF export tasks.

backend-backup - Allows the user to request that the server process backup tasks.

backend-restore - Allows the user to request that the server process restore tasks.

server-shutdown - Allows the user to request that the server shut down.

server-restart - Allows the user to request that the server perform an in-core restart.

proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.

disconnect-client - Allows the user to terminate other client connections.

password-reset - Allows the user to reset user passwords.

update-schema - Allows the user to make changes to the server schema.

privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.

unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.

unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.

bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.

lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.

stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.

third-party-task - Allows the associated user to invoke tasks created by third-party developers.

use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.

soft-delete-read - Allows the associated user access to soft-deleted entries.

metrics-read - Allows the associated user access to data in the metrics backend.

manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.

permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.

permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.

permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism.

permit-export-reversible-passwords - Allows the associated user to invoke an extended operation that can cause the server to export passwords stored with a reversible scheme.

permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy.

exec-task - Allows the associated user to schedule an exec task.

collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation.

file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege.

permit-replace-certificate-request - Allows the requester to issue requests to manage server listener or inter-server certificates.

permit-verify-password-request - Allows the requester to issue requests to verify user passwords without performing any other password policy processing.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

none-included-user-privilege

Description
Specifies the name of a privilege that must not be held by the authenticated user for clients included in this Simple Connection Criteria. If any privilege names are provided, then the authenticated user must not have any of those privileges. This will only be taken into account for client connections that have authenticated to the server and will be ignored for unauthenticated client connections. If one or more all-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user has all of the specified privileges. If one or more any-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user has at least one of the specified privileges. If one or more not-all-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user does not have at least one of the specified privileges. If one or more none-included user privileges are provided, then this Simple Connection Criteria will only match client connections in which the authenticated user does not have any of the specified privileges. If no all-included, any-included, not-all-included, or none-included user privileges are provided, then the privileges held by the authenticated user will not be considered when determining whether a client connection matches this Simple Connection Criteria. Note that any privilege which has been disabled in the server is assumed to be held by all users.
Default Value
None
Allowed Values
audit-data-security - Allows the associated user to execute data security auditing tasks.

bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.

bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.

modify-acl - Allows the associated user to modify the server's access control configuration.

config-read - Allows the associated user to read the server configuration.

config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.

jmx-read - Allows the associated user to perform JMX read operations.

jmx-write - Allows the associated user to perform JMX write operations.

jmx-notify - Allows the associated user to subscribe to receive JMX notifications.

ldif-import - Allows the user to request that the server process LDIF import tasks.

ldif-export - Allows the user to request that the server process LDIF export tasks.

backend-backup - Allows the user to request that the server process backup tasks.

backend-restore - Allows the user to request that the server process restore tasks.

server-shutdown - Allows the user to request that the server shut down.

server-restart - Allows the user to request that the server perform an in-core restart.

proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.

disconnect-client - Allows the user to terminate other client connections.

password-reset - Allows the user to reset user passwords.

update-schema - Allows the user to make changes to the server schema.

privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.

unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.

unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.

bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.

lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.

stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.

third-party-task - Allows the associated user to invoke tasks created by third-party developers.

use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.

soft-delete-read - Allows the associated user access to soft-deleted entries.

metrics-read - Allows the associated user access to data in the metrics backend.

manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.

permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.

permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.

permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism.

permit-export-reversible-passwords - Allows the associated user to invoke an extended operation that can cause the server to export passwords stored with a reversible scheme.

permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy.

exec-task - Allows the associated user to schedule an exec task.

collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation.

file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege.

permit-replace-certificate-request - Allows the requester to issue requests to manage server listener or inter-server certificates.

permit-verify-password-request - Allows the requester to issue requests to verify user passwords without performing any other password policy processing.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Connection Criteria:

dsconfig list-connection-criteria
     [--property {propertyName}] ...

To view the configuration for an existing Connection Criteria:

dsconfig get-connection-criteria-prop
     --criteria-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Connection Criteria:

dsconfig set-connection-criteria-prop
     --criteria-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Simple Connection Criteria:

dsconfig create-connection-criteria
     --criteria-name {name}
     --type simple
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Connection Criteria:

dsconfig delete-connection-criteria
     --criteria-name {name}
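The four-way privilege matching described above for all-/any-/not-all-/none-included-user-privilege, together with the create-connection-criteria syntax, as an added Python model (not the server's own code): the names PrivilegeCriteria, ClientConnection, matches_privilege_criteria and dsconfig_create_args are hypothetical and the privilege sets are constructed. It also shows the page's caveat that a privilege disabled in the server counts as held by every user, so a none-included-user-privilege value naming a disabled privilege stops the criteria from matching any authenticated client.

```python
"""Reference model of how a Simple Connection Criteria evaluates its four
user-privilege properties. Added example; not the directory server's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivilegeCriteria:
    """Values of the four *-included-user-privilege properties (hypothetical type)."""
    all_included: frozenset = frozenset()
    any_included: frozenset = frozenset()
    not_all_included: frozenset = frozenset()
    none_included: frozenset = frozenset()

    def is_empty(self):
        return not (self.all_included or self.any_included
                    or self.not_all_included or self.none_included)


@dataclass(frozen=True)
class ClientConnection:
    """Minimal hypothetical view of a connection: whether it authenticated and
    which privileges were actually granted to the authenticated user."""
    authenticated: bool
    privileges: frozenset = frozenset()


def effective_privileges(granted, disabled_in_server):
    # Page caveat: a privilege disabled in the server is assumed to be held by
    # all users, so the criteria see it as held regardless of the user entry.
    return frozenset(granted) | frozenset(disabled_in_server)


def matches_privilege_criteria(criteria, conn, disabled_in_server=frozenset()):
    """True when the privilege part of the criteria does not reject conn."""
    if criteria.is_empty():
        return True                      # privileges are not considered at all
    if not conn.authenticated:
        return True                      # ignored for unauthenticated clients
    held = effective_privileges(conn.privileges, disabled_in_server)
    if criteria.all_included and not criteria.all_included <= held:
        return False                     # must hold every listed privilege
    if criteria.any_included and not (criteria.any_included & held):
        return False                     # must hold at least one of them
    if criteria.not_all_included and criteria.not_all_included <= held:
        return False                     # must lack at least one of them
    if criteria.none_included and (criteria.none_included & held):
        return False                     # must hold none of them
    return True


# Property names exactly as listed on this page.
PROPERTY_NAMES = {
    "all_included": "all-included-user-privilege",
    "any_included": "any-included-user-privilege",
    "not_all_included": "not-all-included-user-privilege",
    "none_included": "none-included-user-privilege",
}


def dsconfig_create_args(name, criteria):
    """Arguments for 'dsconfig create-connection-criteria' following the synopsis
    above: one --set {propertyName}:{propertyValue} per multi-valued entry."""
    args = ["create-connection-criteria", "--criteria-name", name, "--type", "simple"]
    for attr, prop in PROPERTY_NAMES.items():
        for value in sorted(getattr(criteria, attr)):
            args += ["--set", f"{prop}:{value}"]
    return args


if __name__ == "__main__":
    # Constructed scenario: a criteria meant to match only users who cannot
    # bypass access control.
    no_bypass = PrivilegeCriteria(none_included=frozenset({"bypass-acl", "bypass-read-acl"}))
    ordinary = ClientConnection(authenticated=True, privileges=frozenset({"password-reset"}))
    print(matches_privilege_criteria(no_bypass, ordinary))                  # True
    # Same user, but bypass-acl has been disabled server-wide: treated as held.
    print(matches_privilege_criteria(no_bypass, ordinary, {"bypass-acl"}))  # False
    print(" ".join(["dsconfig"] + dsconfig_create_args("no-acl-bypass", no_bypass)))
```

The same four-way logic applies to the *-included-user-filter properties with the set-membership test replaced by filter evaluation against the user entry. Because unauthenticated connections pass the privilege check unconditionally, combine these properties with user-auth-type when anonymous clients must also be excluded.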