!!! Overview 
[{$pagename}] is an [AttributeTypes] that represents an [Access Control List] within [EDirectory].


[{$pagename}] is assigned on the [LDAP Entry] to which the [subjectname|Object ACL#Subjectname Field] (ie [Trustee])

Details of the [{$pagename}] are defined on the syntax [Object ACL].

[X-NDS_ACL_TEMPLATES] when set defines default values for [{$pagename}]. 

Marking an ACL as Read Filtered: The arf_acl.ldif can be used by an administrator to mark the [{$pagename}] as a read filtered attribute. When the [{$pagename}] is marked as a read filtered attribute, the server does not return the attribute on the entry if all attributes are requested. However, if the [LDAP] search is done to return [operational attributes] or if the request specifically asks for [{$pagename}], the marked attribute is returned. The rrf_acl.ldif can be used to turn off the read filtered flag on an ACL attribute. These [LDIFs] affect the ACL attribute on the schema, so only a user with Supervisor rights on tree root can extend them.

By default, an ACL is not marked as read filtered, so the performance benefit for requests to return all attributes is not seen.

!! [LDAP] [Attribute] Definition
The [{$pagename}] [AttributeTypes] is defined as:
* [OID] of [2.16.840.1.113719.1.1.4.1.2]
* [NAME|Attribute-Name]: [{$pagename}]
* [DESC]: Contains [Access Control List] information for the object and its attributes.
* [EQUALITY]: []
* [ORDERING]: []
* [SYNTAX]: [2.16.840.1.113719.1.1.5.1.17] ([Object ACL])
* [SINGLE-VALUE] (only if present)
* [NO-USER-MODIFICATION] (only if present)
* [USAGE]: [UserApplications] 
* [Extended Flags]: 
** [X-ORIGIN]: [eDirectory]
** [X-NDS_NONREMOVABLE]: 1 
** [X-NDS_FILTERED_REQUIRED]: 1 
* Used as [MUST] in:
** 
* Used as [MAY] in:
** [Top]

!! [{$pagename}] [EDirectory Performance Tuning]
[eDirectory] [Access Control List]

The performance of an [LDAP] [SearchRequest] in [eDirectory] depends on the number of attributes returned for a user (inetOrgPerson).

When an object is created in [eDirectory], default [{$pagename}]s might be added on the object. This depends on ACL templates in the schema definition for the [objectClass] to which this object belongs. For [example], in the default configuration for inetOrgPerson, there can be up to six ACLs added on the user object. When an LDAP search request is made to return this user object with all attributes, it takes slightly longer to return this object to the client than returning this user object without ACL attributes.

Though default ACLs can be turned off, administrators may not want to turn them off because they are required for better access control. However, you can improve the search performance by not requesting them or by marking them as read filtered attributes. These changes do not break any applications because most applications use effective privileges and do not rely on specific ACLs.

Not requesting ACLs: Several applications do not need the ACL attribute, so they can be modified to request only the specific attributes in which they are interested. This results in better performance of the LDAP search.

Marking an ACL as read filtered: If an application cannot be modified, the arf_acl.ldif can be used by an administrator to mark the ACL attribute as a read filtered attribute. When the ACL is marked as a read filtered attribute, the server does not return the attribute on the entry if all attributes are requested. However, if the LDAP search is done to return operational attributes or if the request specifically asks for ACL attributes, the marked attribute is returned. The rrf_acl.ldif can be used to turn off the read filtered flag on an ACL attribute. These LDIFs affect the ACL attribute on the schema, so only a user with Supervisor rights on tree root can extend them.

By default, an ACL is not marked as read filtered, so the performance benefit for requests to return all attributes is not seen.
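
The selection rules described in this section, modelled as an added example (not eDirectory or NetIQ code). The sample entry, its placeholder ACL values, and the names select_attributes and acl_visible are assumptions made for the illustration; the model treats an unfiltered ACL as an ordinary user attribute.

```python
# Added example: a model of the behaviour described above, not eDirectory code.
# Assumption: every attribute in the sample entry is a user attribute.

ACL_ATTR = "acl"

# Constructed sample entry; the ACL values are placeholders, not real syntax.
SAMPLE_ENTRY = {
    "cn": ["jdoe"],
    "sn": ["Doe"],
    "mail": ["jdoe@example.com"],
    "ACL": ["<constructed ACL value 1>", "<constructed ACL value 2>"],
}


def select_attributes(entry, requested, read_filtered):
    """Return the attributes a client receives for one entry.

    requested     -- attribute list of the SearchRequest
    read_filtered -- True once arf_acl.ldif has marked ACL as read filtered
    """
    wanted = {name.lower() for name in requested}
    all_user = not wanted or "*" in wanted   # empty list or "*": all user attributes
    operational = "+" in wanted              # "+": operational attributes
    result = {}
    for name, values in entry.items():
        key = name.lower()
        if key in wanted:
            result[name] = values            # explicitly requested: always returned
        elif key == ACL_ATTR:
            # Read filtered: hidden from "all attributes", shown with "+".
            # Not read filtered: handled like any other user attribute.
            if (operational if read_filtered else all_user):
                result[name] = values
        elif all_user:
            result[name] = values
    return result


def acl_visible(requested, read_filtered):
    """True if a search with this attribute list would return the ACL values."""
    return "ACL" in select_attributes(SAMPLE_ENTRY, requested, read_filtered)


if __name__ == "__main__":
    for requested in ([], ["*"], ["cn", "mail"], ["ACL"], ["+"], ["*", "+"]):
        for flag in (False, True):
            print(f"{requested!r:16} read_filtered={flag!s:5} -> ACL returned: "
                  f"{acl_visible(requested, flag)}")
```

A rights review script that reads ACL values through an "all attributes" search stops seeing them once the attribute is marked read filtered, so such a script should request ACL by name.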

!! Category
%%category [eDirectory]%%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Improving eDirectory Searches and Reads|https://www.netiq.com/documentation/edirectory-91/edir_tuning/data/bbcqkjb.html|target='_blank'] - based on information obtained 2019-06-11