ACL (eDirectory Attribute)

Overview #

ACL (eDirectory Attribute) is an AttributeTypes that represents an Access Control List within EDirectory.

ACL (eDirectory Attribute) is assigned on the LDAP Entry to which the subjectname (i.e. the Trustee)

The details of the ACL (eDirectory Attribute) value are defined by the syntax Object ACL.

When set, X-NDS_ACL_TEMPLATES defines the default values for ACL (eDirectory Attribute).

LDAP Attribute Definition#

The AttributeTypes definition for ACL (eDirectory Attribute) is:

ACL (eDirectory Attribute) EDirectory Performance Tuning#

eDirectory Access Control List

The time an LDAP SearchRequest takes in eDirectory to return its results depends on the number of attributes returned for each entry, for example a user (inetOrgPerson).

When an object is created in eDirectory, default ACL (eDirectory Attribute) values might be added on the object. This depends on the ACL templates in the schema definition of the objectClass to which the object belongs. For example, in the default configuration for inetOrgPerson, up to six ACLs can be added on the user object. When an LDAP search request asks for this user object with all attributes, returning the object to the client takes slightly longer than returning the same object without its ACL attributes.

Though default ACLs can be turned off, administrators may not want to turn them off because they are required for better access control. However, search performance can be improved by not requesting them or by marking them as read filtered attributes. These changes do not break applications, because most applications use effective privileges and do not rely on specific ACLs.

Not requesting ACLs: Several applications do not need the ACL attribute, so they can be modified to request only the specific attributes they are interested in. This results in better LDAP search performance.

Marking an ACL as read filtered: If an application cannot be modified, an administrator can use arf_acl.ldif to mark the ACL attribute as a read filtered attribute. When the ACL is marked as a read filtered attribute, the server does not return the attribute on the entry if all attributes are requested. However, if the LDAP search is done to return operational attributes, or if the request specifically asks for ACL attributes, the marked attribute is returned. rrf_acl.ldif can be used to turn the read filtered flag off again on the ACL attribute. These LDIFs affect the ACL attribute in the schema, so only a user with Supervisor rights on the tree root can extend them.

By default, an ACL is not marked as read filtered, so the performance benefit for requests to return all attributes is not seen.
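To make the behaviour of the two options above concrete (requesting only named attributes, and marking ACL read filtered), here is an added Python model of the server's decision about which attributes to return; it is not eDirectory's own code nor the content of arf_acl.ldif, and the sample entry, its placeholder ACL values and the set of operational attribute names are constructed assumptions.

```python
"""Model of how an eDirectory LDAP server decides whether to return the ACL
attribute, depending on the read-filtered schema flag and on what the
SearchRequest asked for. Added illustration; not eDirectory's own code."""

# Constructed sample entry: a user carrying the up-to-six default ACL values
# that the inetOrgPerson ACL template may add. Values are placeholders.
SAMPLE_ENTRY = {
    "cn": ["jdoe"],
    "sn": ["Doe"],
    "objectClass": ["inetOrgPerson"],
    "ACL": [f"<placeholder default ACL {i}>" for i in range(1, 7)],
    "createTimestamp": ["20240101000000Z"],  # constructed operational value
}

# Attribute names this model treats as operational (an assumption).
OPERATIONAL = {"createtimestamp", "modifytimestamp"}


def returned_attributes(entry, requested, acl_read_filtered):
    """Return the names of the attributes the server would send for `entry`.

    `requested` mirrors the SearchRequest attribute list (RFC 4511): an empty
    list or "*" selects all user attributes, "+" selects operational
    attributes, and an explicitly named attribute is always returned.
    """
    asked = {a.lower() for a in requested}
    want_all_user = not asked or "*" in asked
    want_operational = "+" in asked
    result = []
    for name in entry:
        lname = name.lower()
        if lname in asked:
            result.append(name)  # specifically requested: always returned
        elif lname in OPERATIONAL:
            if want_operational:
                result.append(name)
        elif lname == "acl" and acl_read_filtered:
            # Marked read filtered: skipped on "all attributes" requests and
            # returned only when operational attributes are requested.
            if want_operational:
                result.append(name)
        elif want_all_user:
            result.append(name)
    return result


if __name__ == "__main__":
    for flag in (False, True):
        for req in ([], ["ACL"], ["+"], ["cn", "sn"]):
            got = returned_attributes(SAMPLE_ENTRY, req, flag)
            print(f"read_filtered={flag!s:5} request={req!r:14} -> {got}")
```

Run it to see the four request shapes with the flag off and on; the read-filtered case behaves like an operational attribute, which is why a request for all attributes gets smaller without breaking callers that name ACL explicitly.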

Category#

%category eDirectory%

More Information#

There might be more information for this subject on one of the following: