JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory 11g Release 1 (11.1.1)
search filter icon
search icon

Document Information


1.  Introduction

2.  The Directory Server Access Control Model

Access Control Principles

Access Control Overview

ACI Structure

Directory Server Global ACIs

ACI Evaluation

ACI Limitations

Access Control and Replication

See Also

ACI Syntax

ACI Syntax Overview

Defining Targets

Targeting a Directory Entry

To Target Attributes

To Target an Entry and Attributes

To Target Entries or Attributes Using LDAP Filters

To Target Attribute Values Using LDAP Filters

To Target a Single Directory Entry

To Specify the Scope of an ACI

To Target LDAP Controls

To Target LDAP Extended Operations

Defining Permissions

To Allow or Deny Access

To Assign Rights

Rights Required for LDAP Operations

Permissions Syntax

Bind Rules

Bind Rules Overview

Using Boolean Bind Rules

See Also

Bind Rule Syntax

Bind Rule Syntax Overview

Defining User Access (userdn Keyword)

Defining General Access (all Keyword)

Defining Anonymous Access (anyone Keyword)

Defining Self Access (self Keyword)

Defining Parent Access (parent Keyword)

Specifying Users With LDAP URLs

Specifying Users With Wildcards

Specifying Users With a Logical OR of LDAP URLs

Excluding Specific LDAP URLs

Defining Group Access (groupdn Keyword)

Specifying a Group With a Single LDAP URL

Specifying a Group With a Logical OR of LDAP URLs

Defining Access Based on Value Matching (userattr Keyword)

Bind-Type Format

Attribute-Value Format

USERDN Bind Type Example

GROUPDN Bind Type Example

LDAPURL Bind Type Example

Attribute Value Example


Inheritance Example

Add Permissions

Defining Access From a Specific IP Address (ip Keyword)

Defining Access From a Specific Domain (dns Keyword)

Defining Access at a Specific Time of Day or Day of Week (timeofday and dayofweek Keywords)

Defining Access Based on Authentication Method (authmethod Keyword)

Authentication Method Examples

Defining Access Based on a Connection's Security Strength Factor (ssf Keyword)

DIGEST-MD5 QOP Key Size Mapping

TLS Cipher Key Size Mapping


Compatibility With the Oracle Directory Server Enterprise Edition Access Control Model

Global ACI

All Attributes targetattr Rule (targetattr="*")

Distinguished Name (DN) Wildcard Matching

Privilege Subsystem Impact

The targetscope Keyword

LDAP Modify Increment

Macro Support

The roledn Keyword

3.  Understanding the Directory Server Schema

4.  Directory Server Index Databases

5.  Directory Server Replication

6.  Directory Server Root Users and the Privilege Subsystem

7.  Supported Controls and Operations

Access Control Principles

This section describes the principles of the access control mechanism provided with the directory server.

Access Control Overview

When the directory server receives a request, it uses the authentication information provided by the user in the bind operation, and the access control instructions (ACIs) defined in the server to allow or deny access to directory information. The server can allow or deny permissions such as read, write, search, or compare. The permission level granted to a user might depend on the authentication information that the user provides.

Using access control, you can control access to the entire directory, a subtree of the directory, specific entries in the directory (including entries that define configuration tasks), a specific set of entry attributes, or specific entry attribute values. You can set permissions for a particular user, for all users who belong to a specific group or role, or for all users of the directory. Finally, you can define access for a specific client, identified by its IP address or DNS name.

ACI Structure

Access control instructions are stored in the directory as attributes of entries. The aci attribute is an operational attribute that is available for use on every entry in the directory, regardless of whether it is defined for the object class of the entry. This attribute is used by the directory server to evaluate what rights are granted or denied when the directory server receives an LDAP request from a client. The aci attribute is returned in an ldapsearch operation only if it is specifically requested.

An ACI statement includes three main parts:


Determines the entry or attributes to which permissions apply.


Defines what operations are allowed or denied.

Bind Rule

Determines who is subject to the ACI, based on their bind DN.

The permission and bind rule portions of the ACI are set as a pair, also called an Access Control Rule (ACR). The specified permission to access the target is granted or denied depending on whether the accompanying rule is evaluated to be true. For more information, see ACI Syntax.

If an entry that contains an ACI does not have child entries, the ACI applies to that entry only. If the entry has child entries, the ACI applies to the entry itself and to all entries below it. Therefore, when the directory server evaluates access permissions to an entry, it verifies the ACIs for every entry between the one that was requested and the base of its root suffix.

The aci attribute is multivalued, which means that you can define several ACIs for the same entry or subtree.

You can create an ACI on an entry that does not apply directly to that entry but to some or all of the entries in the subtree below it. The advantage of this is that you can place at a high level in the directory tree a general ACI that effectively applies to entries that are more likely to be located lower in the tree. For example, at the level of an organizationalUnit entry or a locality entry, you could create an ACI that targets entries that include the inetorgperson object class.

You can use this feature to minimize the number of ACIs in the directory tree by placing general rules at high-level branch points. To limit the scope of more specific rules, place them as close as possible to leaf entries.

Note - ACIs that are placed in the root DSE entry (with the DN "") apply only to that entry.

Directory Server Global ACIs

You can configure access control centrally by using dsconfig to modify the properties of the Access Control Handler.

The following default global ACIs apply to all suffixes that are defined in the directory server because the rules do not specify a target expression:

Property   : Value(s)
global-aci : "(targetattr!="userPassword||authPassword")(version 3.0; acl
: "Anonymous read access"; allow (read,search,compare)
: userdn="ldap:///anyone";)", (targetattr="*")(version 3.0; acl
: "Self entry modification"; allow (write) userdn="ldap:///self";),
: "(targetattr="createTimestamp||creatorsName||modifiersName||modify
: Timestamp||entryDN||entryUUID||subschemaSubentry")(version 3.0;
: acl "User-Visible Operational Attributes"; allow
: (read,search,compare) userdn="ldap:///anyone";)",

For more information, see Managing Global ACIs With dsconfig in Oracle Fusion Middleware Administration Guide for Oracle Unified Directory.

ACI Evaluation

To evaluate the access rights to a particular entry, the server compiles a list of the ACIs present on the entry itself and on the parent entries back up to the base of the entry's root suffix. During evaluation, the server processes the ACIs in this order. ACIs are evaluated in all of the suffixes and subsuffixes between an entry and the base of its root suffix, but not across chained suffixes on other servers.

Note - Access control does not apply to any user who has the bypass-acl privilege. The Directory Manager has this privilege. When a client is bound to the directory as the Directory Manager, the directory server does not evaluate any ACIs before performing operations. As a result, performance of LDAP operations as Directory Manager is not comparable to the expected performance of other users. You should always test directory performance with a typical user identity.

By default, if no ACI applies to an entry, access is denied to all users except those with the bypass-acl privilege. Access must be explicitly granted by an ACI for a user to access any entry in the directory. The default ACIs define anonymous read access and allow users to modify their own entries, except for attributes needed for security. For more information, see Default Global ACIs in Oracle Fusion Middleware Administration Guide for Oracle Unified Directory.

Although the directory server processes the ACIs that are closest to the target entry first, the effect of all ACIs that apply to an entry is cumulative. Access granted by any ACI is allowed unless any other ACI denies it. ACIs that deny access, no matter where they appear in the list, take precedence over ACIs that allow access to the same resource.

For example, if you deny write permission at the directory's root level, none of the users can write to the directory regardless of the specific permissions you grant them. To grant a specific user write permissions to the directory, you must restrict the scope of the original denial for write permission so that it does not include that user.

ACI Limitations

Be aware of the following limitations when you create an access control policy for your directory service:

Access Control and Replication

ACIs are stored as attributes of entries, so if an entry containing ACIs is part of a replicated suffix, the ACIs are replicated like any other attribute.

See Also

Managing Global ACIs With dsconfig in Oracle Fusion Middleware Administration Guide for Oracle Unified Directory