JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory 11g Release 1 (11.1.1)
search filter icon
search icon

Document Information


1.  Introduction

2.  The Directory Server Access Control Model

Access Control Principles

Access Control Overview

ACI Structure

Directory Server Global ACIs

ACI Evaluation

ACI Limitations

Access Control and Replication

See Also

ACI Syntax

ACI Syntax Overview

Defining Targets

Targeting a Directory Entry

To Target Attributes

To Target an Entry and Attributes

To Target Entries or Attributes Using LDAP Filters

To Target Attribute Values Using LDAP Filters

To Target a Single Directory Entry

To Specify the Scope of an ACI

To Target LDAP Controls

To Target LDAP Extended Operations

Defining Permissions

To Allow or Deny Access

To Assign Rights

Rights Required for LDAP Operations

Permissions Syntax

Bind Rules

Bind Rules Overview

Using Boolean Bind Rules

See Also

Bind Rule Syntax

Bind Rule Syntax Overview

Defining User Access (userdn Keyword)

Defining General Access (all Keyword)

Defining Anonymous Access (anyone Keyword)

Defining Self Access (self Keyword)

Defining Parent Access (parent Keyword)

Specifying Users With LDAP URLs

Specifying Users With Wildcards

Specifying Users With a Logical OR of LDAP URLs

Excluding Specific LDAP URLs

Defining Group Access (groupdn Keyword)

Specifying a Group With a Single LDAP URL

Specifying a Group With a Logical OR of LDAP URLs

Defining Access Based on Value Matching (userattr Keyword)

Bind-Type Format

Attribute-Value Format

USERDN Bind Type Example

GROUPDN Bind Type Example

LDAPURL Bind Type Example

Attribute Value Example


Inheritance Example

Add Permissions

Defining Access From a Specific IP Address (ip Keyword)

Defining Access From a Specific Domain (dns Keyword)

Defining Access at a Specific Time of Day or Day of Week (timeofday and dayofweek Keywords)

Defining Access Based on Authentication Method (authmethod Keyword)

Authentication Method Examples

Defining Access Based on a Connection's Security Strength Factor (ssf Keyword)

DIGEST-MD5 QOP Key Size Mapping

TLS Cipher Key Size Mapping


Compatibility With the Oracle Directory Server Enterprise Edition Access Control Model

Global ACI

All Attributes targetattr Rule (targetattr="*")

Distinguished Name (DN) Wildcard Matching

Privilege Subsystem Impact

The targetscope Keyword

LDAP Modify Increment

Macro Support

The roledn Keyword

3.  Understanding the Directory Server Schema

4.  Directory Server Index Databases

5.  Directory Server Replication

6.  Directory Server Root Users and the Privilege Subsystem

7.  Supported Controls and Operations

Bind Rules

Depending on the ACIs defined for the directory, for certain operations, you need to bind to the directory. The following sections describe how bind rules are used to control access:

Bind Rules Overview

Binding means logging in or authenticating yourself to the directory by providing a bind DN and password, or, if using SSL, a certificate. The credentials provided in the bind operation and the circumstances of the bind determine whether access to the directory is allowed or denied.

Every permission set in an ACI has a corresponding bind rule that details the required credentials and bind parameters.

A simple bind rule might require that the person accessing the directory belong to a specific group. A complex bind rule can state that a person must belong to a specific group and must log in from a machine with a specific IP address between 8 a.m. and 5 p.m.

Bind rules define who can access the directory, when, and from where. More specifically, bind rules can specify the following:

Additionally, bind rules can be complex constructions that combine these criteria by using Boolean operators, as described in Bind Rule Syntax.

The directory server evaluates the logical expressions used in ACIs according to a three-valued logic similar to the one used to evaluate LDAP filters, as described in RFC 4511 Lightweight Directory Access Protocol (LDAP): The Protocol. In summary, this means that if any component in the expression evaluates to Undefined (for example if the evaluation of the expression aborted due to a resource limitation), then the directory server handles this case correctly: it does not erroneously grant access because an Undefined value occurred in a complex Boolean expression.

Using Boolean Bind Rules

Bind rules can be complex expressions that use the Boolean expressions AND,OR, and NOT to set very precise access rules. When creating boolean bind rules, always use parentheses to define the order in which rules are to be evaluated. A trailing semicolon is a required delimiter that must appear after the final rule.

For example, to bind with bindRuleA, and with either bindRuleB, or with either bindRuleC and bindRuleD, use the following syntax:

(bindRuleA and (bindRuleB or (bindRuleC and bindRuleD));)

Using another example, the following bind rule is evaluated to be true if the bind DN client is accessed from within the domain and is a member of either the administrators group or both the mail administrators and calendar administrators groups.

(dns = "*" and (groupdn = "ldap:///cn=administrators,dc=example,dc=com" or
(groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and
groupdn = "ldap:///cn=calendar administrators,dc=example,dc=com"));)

The || operator is allowed only in the groupdn bind rule keyword expression. For all other bind rule expressions, the or operator must be used.

See Also

Bind Rule Syntax