JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Reference 11 g Release 1 (
search filter icon
search icon

Document Information


1.  Directory Server Enterprise Edition File Reference

Software Layout for Directory Server Enterprise Edition

Directory Server Instance Default Layout

Directory Proxy Server Instance Default Layout

Part I Directory Server Reference

2.  Directory Server Overview

3.  Directory Server LDAP URLs

4.  Directory Server LDIF and Search Filters

5.  Directory Server Security

How Directory Server Provides Security

How Directory Server Provides Access Control

Introduction to ACIs

Scope and Hierarchy in ACIs

ACI Limitations

Default ACIs

ACIs and Replication

Effective Rights

Tuning Access Control Instructions

How Directory Server Provides Authentication

Anonymous Access

Password-Based Authentication

Steps in Password-Based Authentication

Password Policy

Proxy Authorization

Account Inactivation

Global Account Lockout

Certificate-based Authentication

Introduction to Certificate-based Authentication

Certificates and Certificate Authorities (CA)

Types of Certificates

Contents of a Certificate

Certificate Management

SASL-based Authentication

How Directory Server Provides Encryption

Secure Sockets Layer (SSL)

Overview of SSL

Cryptographic Algorithms Used With SSL

SSL Handshake

Digital Signatures

Key Encryption

Symmetric-Key Encryption

Public-Key Encryption

Key Length and Encryption Strength

Attribute Encryption

6.  Directory Server Monitoring

7.  Directory Server Replication

8.  Directory Server Data Caching

9.  Directory Server Indexing

10.  Directory Server Logging

11.  Directory Server Groups and Roles

12.  Directory Server Class of Service

13.  Directory Server DSMLv2

14.  Directory Server Internationalization Support

Part II Directory Proxy Server Reference

15.  Directory Proxy Server Overview

16.  Directory Proxy Server Load Balancing and Client Affinity

17.  Directory Proxy Server Distribution

18.  Directory Proxy Server Virtualization

19.  Connections Between Directory Proxy Server and Backend LDAP Servers

20.  Connections Between Clients and Directory Proxy Server

21.  Directory Proxy Server Client Authentication

22.  Security in Directory Proxy Server

23.  Directory Proxy Server Logging

24.  Directory Proxy Server Alerts and Monitoring


How Directory Server Provides Access Control

Directory Server uses access control instructions (ACIs) to define what rights to grant or deny to requests from LDAP clients. When a directory server receives a request, it uses the ACIs defined in the server, and any authentication information provided by the user to allow or deny access to directory information. The server can allow or deny permissions such as read, write, search, or compare.

For information about ACIs in Directory Server, see the following sections:

Introduction to ACIs

ACIs are stored in the aci operational attribute. The aci attribute is available for use on every entry in the directory, regardless of whether the aci attribute is defined for the object class of the entry. The aci attribute is multi-valued, therefore multiple ACIs can be defined for the same portion of a directory.

ACIs can be used to control access to the following portions of a directory:

ACIs can be used to define access for the following users:

Scope and Hierarchy in ACIs

ACIs can be created at any node in a directory tree, including the root DSE.

The scope of an ACI can be the target entry, the target entry and its immediate children, or the target entry and all of its children. When no scope is specified, the ACI applies to the target entry and all of its children.

When a server evaluates access permissions to an entry, it verifies the ACIs for the entry and the ACIs for the parent entries back up to the base of the entry’s root suffix.

Access to an entry in a server must be explicitly granted by an ACI. By default, ACIs define anonymous read access and allow users to modify their own entries, except for attributes needed for security. If no ACI applies to an entry, access is denied to all users except the Directory Manager.

Access granted by an ACI is allowed unless any other ACI in the hierarchy denies it. ACIs that deny access, no matter where they appear in the hierarchy, take precedence over ACIs that allow access to the same resource.

The Directory Manager is the only privileged user to whom access control does not apply. When a client is bound to the directory as the Directory Manager, the server does not evaluate any ACIs before performing operations.

In previous versions of Directory Server, ACIs could not be added or deleted directly under the root DSE. Now this limitation has been removed in Directory Server.

ACI Limitations

The following restrictions apply to ACIs

Default ACIs

The following default ACIs are defined on the root DSE:

ACIs and Replication

ACIs are stored as attributes of entries. Therefore, if an entry that contains ACIs is part of a replicated suffix, the ACIs are replicated like any other attribute.

ACIs are always evaluated locally, on the directory server that services the incoming LDAP requests.

When a consumer server receives an update request, the consumer server returns a referral to the master server for evaluation of whether the request can be serviced on the master.

Effective Rights

The effective rights feature can be used to obtain the following information:

To use the effective rights feature, you must have the access control rights to use the effective rights control and read access to the aclRights attribute.

If a proxy control is attached to an effective rights control-based search operation, the effective rights operation is authorized as the proxy user. Therefore the proxy user needs to have the right to use the effective rights control. The entries that the proxy user has the right to search and view are returned. For more information, see Chapter 6, Directory Server Access Control, in Oracle Directory Server Enterprise Edition Administration Guide.

Tuning Access Control Instructions

Directory Server offers performance and scalability improvements for Access Control Instructions. The improvements include better memory management. The improvements also include support for macro ACIs. Improvements notwithstanding, Directory Server uses significant system resources to evaluate complex ACIs. Extensive use of complex ACIs can therefore negatively impact performance.

Macro ACIs help you limit the number of ACIs used. By limiting the number of ACIs, you render access control easier to manage and reduce the load on the system. Macros are placeholders that represent a DN, or a portion of a DN, in an ACI. A macro can be used in an ACI target, in an ACI bind rule, or in both. When Directory Server receives a request, it checks which ACI macros match against the resource targeted for the resulting operation. If a macro matches, Directory Server replaces it with the value of the actual DN. Directory Server then evaluates the ACI normally.

Testing has demonstrated that a Directory Server instance can support more than 50,000 ACIs. Nevertheless, keep the number of ACIs as small as possible. Keeping the number of ACIs small limits negative impact on performance. Keeping the number small also reduces the complexity of managing access controls. For deployments involving complex ACI environments, consider using Directory Proxy Server to provide some access control features.