The Directory Server Access Control Model
Access Control and Replication
To Target an Entry and Attributes
To Target Entries or Attributes Using LDAP Filters
To Target Attribute Values Using LDAP Filters
To Target a Single Directory Entry
To Specify the Scope of an ACI
To Target LDAP Extended Operations
Rights Required for LDAP Operations
Defining User Access (userdn Keyword)
Defining General Access (all Keyword)
Defining Anonymous Access (anyone Keyword)
Defining Self Access (self Keyword)
Defining Parent Access (parent Keyword)
Specifying Users With LDAP URLs
Specifying Users With Wildcards
Specifying Users With a Logical OR of LDAP URLs
Defining Group Access (groupdn Keyword)
Specifying a Group With a Single LDAP URL
Specifying a Group With a Logical OR of LDAP URLs
Defining Access Based on Value Matching (userattr Keyword)
Defining Access From a Specific IP Address (ip Keyword)
Defining Access From a Specific Domain (dns Keyword)
Defining Access at a Specific Time of Day or Day of Week (timeofday and dayofweek Keywords)
Defining Access Based on Authentication Method (authmethod Keyword)
Authentication Method Examples
DIGEST-MD5 QOP Key Size Mapping
Compatibility With the Sun Java System Directory Server Access Control Model
All Attributes targetattr Rule (targetattr="*")
Distinguished Name (DN) Wildcard Matching
Understanding the Directory Server Schema
Understanding Directory Server Plug-Ins
You can use bind rules to specify that binding can only occur based on a specific level of Security Strength Factor (SSF) enforced on the established connection. A connection's SSF is based on the key strength of the cipher enforced on the connection and pertains only to TLS/SSL or DIGEST-MD5/GSSAPI confidentiality or integrity connections.
The LDIF syntax for setting a bind rule based on the Security Strength Factor is shown here:
ssf operator "strength"
where operator can be one of the following symbols:
= (equal to)
!= (not equal to)
> (greater than)
>= (greater than or equal to)
< (less than)
<= less than or equal to
The strength is a value representing the cipher key strength required on the connection and is a value (1 to 1024). DIGEST-MD5/GSSAPI connections with integrity enforced have an SSF of 1. TLS/SSL and DIGEST-MD5/GSSAPI confidentiality connections can have variable values of SSF based on the cipher negotiation performed between the directory server and client. The higher a connection's negotiated SSF is, the stronger the encryption is on the connection, as shown in these examples:
ssf = "1"; is true for access if integrity ssf = 1 only is enforced on the connection.
ssf != "40"; is true for access if ssf not equal 40 is enforced on the connection.
ssf > "128"; is true for access if ssf greater than 128 is enforced on the connection.
ssf >= "128"; is true for access if ssf greater than or equal 128 is enforced on the connection.
ssf < "56"; is true for access if ssf less than 56 is enforced on the connection.
Clear connections have an SSF of 0.