ACL filters
The access granted to a subject can be altered by using filters on aclEntry and entryOwner with the aclFilter and ownerFilter scope of protection. The server compatibility must be 6 or greater to use search filters in aclEntry and entryOwner attribute values. See serverCompatLevel {3 | 4 | 5 | 6 | 7 | 8} for more information about server compatibility level.
The syntax of specifying a filter in an aclEntry attribute is:
The syntax of specifying a filter in an entryOwner attribute is:
where:
- filter
- An IETF RFC 2254 compliant LDAP search filter that uses the attributes below.
- operation
- union | replace | intersect
- action
- grant | deny
- ibm-filterSubject
- This attribute is used to filter a distinguished name. It can be a bind DN, an alternate DN, a pseudo DN, or a group DN. The attribute can be used, for example, in a filter to reduce ACL permissions for a specific group.
- ibm-filterIP
- This attribute is used to filter the IPv4 or IPv6 address of a client connection. The value can
be any syntactically valid IPv4 or IPv6 address, with or without a trailing wildcard. The supported
syntax for IPv6 addresses is defined in IETF RFC 2373. The wildcard can be specified
within any IPv4 octet or in any IPv6 group, and must be the final character in the string. For
example, the following are all valid:
- 124.*
- 124.153.242*
- 05DC:0001:0000:0000:0000:0000:0000:2*
- 5DC:1::2*
Note: The final two addresses listed above are equivalent. All addresses are fully expanded. In other words, insignificant leading zeros are added to each IPv4 octet or IPv6 group to expand it to the maximum number of digits, except that any octet or group containing a wildcard is not expanded. If a wildcard is specified with the :: IPv6 syntax, the wildcard is shifted to the final group of the address. Following are some examples:

Table 1. ibm-filterIP expansion examples
Address                    Fully expanded address
1.002.03.4                 001.002.003.004
01.02.03*                  001.002.03*
1:2:3:4:5:6:7:8            0001:0002:0003:0004:0005:0006:0007:0008
1::8                       0001:0000:0000:0000:0000:0000:0000:0008
01:2:30:4:05:6:700:08*     0001:0002:0030:0004:0005:0006:0700:08*
::FFFF:129.100.242.10      0000:0000:0000:0000:0000:FFFF:129.100.242.010
1::*                       0001:0000:0000:0000:0000:0000:0000:*

- ibm-filterTimeOfDay
- This attribute is used to filter the time of day that the directory entry is accessed. The value is in hh:mm format of 24 hour time, with hh ranging from 00 to 23 and mm ranging from 00 to 59. This can be used, for example, to grant access only during a certain time of day.
- ibm-filterDayOfWeek
- This attribute is used to filter the day of week that the directory entry is accessed. The value is an integer mapping the days of the week as follows: Sunday = 0, Monday = 1, Tuesday = 2, Wednesday = 3, Thursday = 4, Friday = 5, Saturday = 6. This can be used, for example, to grant access only during certain days of the week.
- ibm-filterBindMechanism
- This attribute is used to filter the bind mechanism used to connect to the LDAP server. The following string values can be used to represent bind mechanisms: SIMPLE, EXTERNAL, CRAM-MD5, DIGEST-MD5, and GSSAPI. This can be used, for example, to deny access for SIMPLE binds.
- ibm-filterConnectionEncrypted
- This attribute is used to filter whether encryption is used to access the LDAP server. The valid values are TRUE and FALSE. This can be used, for example, to deny access for non-SSL binds or SSL binds done with no cipher specifications.
- replace
- The effective permission is replaced by the ACL filter permission. For example, to grant clients from a given subnetwork a specific set of permissions only, use replace.
- union
- The effective permission is joined with the ACL filter permission. This is used to expand permissions when granting, and reduce permissions when denying. For example, to grant clients from a given subnetwork a set of permissions, at a minimum, use union.
- intersect
- The effective permission is intersected with the ACL filter permission. This is used to reduce permissions. For example, to grant clients from a given subnetwork a set of permissions, if and only if they already have those permissions, use intersect.
The action value is required for ownerFilter values, and must be set to either grant, to grant entry owner access to the entry, or deny, to deny entry owner access when the LDAP search filter evaluates to true.
Filters using incorrect filter syntax, filter attributes, or operation values fail when an attempt is made to add or modify the incorrect aclEntry or entryOwner attribute value.
Note that unlike the aclEntry attribute, the entryOwner attribute cannot reduce permissions for an administrator.
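The following Python is an added example, not IBM's server code: it applies the ibm-filterIP expansion rules and Table 1 above (leading zeros per octet or group, wildcard groups left alone, :: filled so that a trailing wildcard ends up in the final group). The ip_matches helper, which compares a client address against a filter value by prefix once both are expanded, is an assumption about how the wildcard is applied; the page does not describe the server's matching step.

```python
# Added example (not IBM's implementation): expand ibm-filterIP values as the
# text and Table 1 describe, then compare a client address with a filter value.
IPV6_GROUPS = 8


def _expand_ipv4(addr: str) -> str:
    # Each octet is zero-padded to 3 digits; an octet carrying the wildcard is left as-is.
    return ".".join(o if o.endswith("*") else o.zfill(3) for o in addr.split("."))


def _expand_group(group: str) -> str:
    if "." in group:            # embedded IPv4 tail, e.g. ::FFFF:129.100.242.10
        return _expand_ipv4(group)
    if group.endswith("*"):     # a wildcard group is not expanded
        return group.upper()
    return group.upper().zfill(4)   # upper-casing hex digits is our own normalization


def _group_width(group: str) -> int:
    # An embedded IPv4 address occupies two 16-bit groups.
    return 2 if "." in group else 1


def expand_filter_ip(value: str) -> str:
    """Return the fully expanded form of an ibm-filterIP value (IPv4 or IPv6)."""
    if ":" not in value:
        return _expand_ipv4(value)
    if "::" in value:
        left, right = value.split("::", 1)
        lgroups = [g for g in left.split(":") if g]
        rgroups = [g for g in right.split(":") if g]
        used = sum(map(_group_width, lgroups + rgroups))
        # '::' stands for enough zero groups to reach 8; because the groups after
        # it keep their position at the end, a trailing wildcard lands in group 8.
        groups = lgroups + ["0"] * (IPV6_GROUPS - used) + rgroups
    else:
        groups = value.split(":")
    return ":".join(_expand_group(g) for g in groups)


def ip_matches(client_ip: str, filter_value: str) -> bool:
    """Assumed matching rule: prefix comparison of the two expanded strings."""
    client = expand_filter_ip(client_ip)
    pattern = expand_filter_ip(filter_value)
    if pattern.endswith("*"):
        return client.startswith(pattern[:-1])
    return client == pattern
```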