ACL filters

The access granted to a subject can be altered by using filters on aclEntry and entryOwner with the aclFilter and ownerFilter scope of protection. The server compatibility level must be 6 or greater to use search filters in aclEntry and entryOwner attribute values. See serverCompatLevel {3 | 4 | 5 | 6 | 7 | 8} for more information about the server compatibility level.

The syntax of specifying a filter in an aclEntry attribute is:

aclFilter:filter:operation[granted_rights]
See aclEntry attribute for more information about granted_rights.

The syntax of specifying a filter in an entryOwner attribute is:

ownerFilter:filter:action

where,

filter :- An IETF RFC 2254 compliant LDAP search filter that uses only the attributes listed below.

operation :- union | replace | intersect

action :- grant|deny

A filter can use only the following attributes:
ibm-filterSubject
This attribute is used to filter a distinguished name. It can be a bind DN, an alternate DN, a pseudo DN, or a group DN. The attribute can be used, for example, in a filter to reduce ACL permissions for a specific group.
ibm-filterIP
This attribute is used to filter the IPv4 or IPv6 address of a client connection. The value can be any syntactically valid IPv4 or IPv6 address, with or without a trailing wildcard. The supported syntax for IPv6 addresses is defined in IETF RFC 2373. The wildcard can be specified within any IPv4 octet or in any IPv6 group, and must be the final character in the string. For example, the following are all valid:
  • 124.*
  • 124.153.242*
  • 05DC:0001:0000:0000:0000:0000:0000:2*
  • 5DC:1::2*
Note: The final two addresses listed above are equivalent. All addresses are fully expanded. In other words, insignificant leading zeros are added to each IPv4 octet or IPv6 group to expand it to the maximum number of digits, except that an octet or group containing a wildcard is not expanded. If a wildcard is specified with the :: IPv6 syntax, the wildcard is shifted to the final group of the address. Following are some examples:

Table 1. ibm-filterIP expansion examples

  Address                   Fully expanded address
  1.002.03.4                001.002.003.004
  01.02.03*                 001.002.03*
  1:2:3:4:5:6:7:8           0001:0002:0003:0004:0005:0006:0007:0008
  1::8                      0001:0000:0000:0000:0000:0000:0000:0008
  01:2:30:4:05:6:700:08*    0001:0002:0030:0004:0005:0006:0700:08*
  ::FFFF:129.100.242.10     0000:0000:0000:0000:0000:FFFF:129.100.242.010
  1::*                      0001:0000:0000:0000:0000:0000:0000:*
ibm-filterTimeOfDay
This attribute is used to filter the time of day at which the directory entry is accessed. The value is in hh:mm format of 24-hour time, with hh ranging from 00 to 23 and mm ranging from 00 to 59. This can be used, for example, to grant access only during a certain time of day.
ibm-filterDayOfWeek
This attribute is used to filter the day of the week on which the directory entry is accessed. The value is an integer mapping the days of the week as follows: Sunday = 0, Monday = 1, Tuesday = 2, Wednesday = 3, Thursday = 4, Friday = 5, Saturday = 6. This can be used, for example, to grant access only on certain days of the week.
ibm-filterBindMechanism
This attribute is used to filter the bind mechanism used to connect to the LDAP server. The following string values can be used to represent bind mechanisms: SIMPLE, EXTERNAL, CRAM-MD5, DIGEST-MD5, and GSSAPI. This can be used, for example, to deny access for SIMPLE binds.
ibm-filterConnectionEncrypted
This attribute is used to filter whether encryption is used to access the LDAP server. The valid values are TRUE and FALSE. This can be used, for example, to deny access for non-SSL binds or SSL binds done with no cipher specifications.
The operation value is required for aclFilter values, and specifies the way that ACL filters are applied:
replace
The effective permission is replaced by the ACL filter permission. For example, to grant clients from a given subnetwork a specific set of permissions only, use replace.
union
The effective permission is joined with the ACL filter permission. This is used to expand permissions when granting, and reduce permissions when denying. For example, to grant clients from a given subnetwork a set of permissions, at a minimum, use union.
intersect
The effective permission is intersected with the ACL filter permission. This is used to reduce permissions. For example, to grant clients from a given subnetwork a set of permissions, if and only if they already have those permissions, use intersect.

The action value is required for ownerFilter values, and must be set to either grant, to grant entry owner access to the entry, or deny, to deny entry owner access when the LDAP search filter evaluates to true.

Filters using incorrect filter syntax, filter attributes, or operation values fail when an attempt is made to add or modify the incorrect aclEntry or entryOwner attribute value.

Note that unlike the aclEntry attribute, the entryOwner attribute cannot reduce permissions for an administrator.