JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (
search filter icon
search icon

Document Information


Part I Directory Server Administration

1.  Directory Server Tools

2.  Directory Server Instances and Suffixes

3.  Directory Server Configuration

4.  Directory Server Entries

5.  Directory Server Security

6.  Directory Server Access Control

Creating, Viewing, and Modifying ACIs

To Create, Modify, and Delete ACIs

To View ACI Attribute Values

To View ACIs at the Root Level

ACI Syntax

ACI Targets

Target Syntax

Target Keywords

ACI Permissions

Permission Syntax

Permission Rights

Permissions for Typical LDAP Operations

ACI Bind Rules

Introduction to Bind Rules

Bind Rule Syntax

Bind Rule Keywords

Boolean Bind Rules

To Allow Normal Users to Manage User Accounts Using dsutil Command

Access Control Usage Examples

Granting Anonymous Access

ACI "Anonymous"

ACI "Anonymous World"

Granting Write Access to Personal Entries

ACI "Write"

ACI "Write Subscribers"

Granting Access to a Certain Level

ACI "Read only"

Restricting Access to Key Roles

ACI "Roles"

Granting a Role Full Access to an Entire Suffix

ACI "Full Access"

Granting a Group Full Access to a Suffix


Granting Rights to Add and Delete Group Entries

ACI "Create Group"

ACI "Delete Group"

Allowing Users to Add or Remove Themselves From a Group

ACI "Group Members"

Granting Conditional Access to a Group or Role

ACI "Company333"

Denying Access

ACI "Billing Info Read"

ACI "Billing Info Deny"

Proxy Authorization

Example Proxy Authorization

Setting a Target Using Filtering

Defining Permissions for DNs That Contain a Comma

Viewing Effective Rights

Restricting Access to the Get Effective Rights Control

Using the Get Effective Rights Control

Advanced Access Control: Using Macro ACIs

Macro ACI Example

Macro ACI Syntax

Matching for ($dn) in the Target

Substituting ($dn) in the Subject

Substituting [$dn] in the Subject

Macro Matching for ($attr.attrName)

Logging Access Control Information

To Set Logging for ACIs

Client-Host Access Control Through TCP Wrapping

To Enable TCP Wrapping

To Disable TCP Wrapping

7.  Directory Server Password Policy

8.  Directory Server Backup and Restore

9.  Directory Server Groups, Roles, and CoS

10.  Directory Server Replication

11.  Directory Server Schema

12.  Directory Server Indexing

13.  Directory Server Attribute Value Uniqueness

14.  Directory Server Logging

15.  Directory Server Monitoring

Part II Directory Proxy Server Administration

16.  Directory Proxy Server Tools

17.  Directory Proxy Server Instances

18.  LDAP Data Views

19.  Directory Proxy Server Certificates

20.  Directory Proxy Server Load Balancing and Client Affinity

21.  Directory Proxy Server Distribution

22.  Directory Proxy Server Virtualization

23.  Virtual Data Transformations

24.  Connections Between Directory Proxy Server and Back-End LDAP Servers

25.  Connections Between Clients and Directory Proxy Server

26.  Directory Proxy Server Client Authentication

27.  Directory Proxy Server Logging

28.  Directory Proxy Server Monitoring and Alerts

Part III Directory Service Control Center Administration

29.  Directory Service Control Center Configuration


Client-Host Access Control Through TCP Wrapping

You can control the host or IP address from which connections are accepted or rejected at the TCP level using TCP wrappers. You can limit client-host access through TCP wrapping. This enables you to have non host-based protection for initial TCP connections to a Directory Server.

Although you can set TCP wrapping for Directory Server, TCP wrapping can result in significant performance degradation, especially during a Denial of Service attack. The best performance is achieved by using a host-based firewall that is maintained outside Directory Server, or IP port filtering.

To Enable TCP Wrapping

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Create a hosts.allow file or a hosts.denyfile, somewhere within the instance path.

    For example, create the file in instance-path/config. Ensure that the formatting of the files that you create comply with hosts_access(4).

  2. Set the path to the access file.
    $ dsconf set-server-prop -h host -p port host-access-dir-path:path-to-file

    For example:

    $ dsconf set-server-prop -h host -p port \
    "host-access-dir-path" property has been set to "/local/ds1/config".
    The "/local/ds1/config" directory on host1 must contain valid hosts.allow
    and/or hosts.deny files.
    Directory Server must be restarted for changes to take effect. 

To Disable TCP Wrapping

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.