
Mark Craig
11.56.2015 73e8c616a2b67f8b6002eae5b7ae34654a2941c5
OPENDJ-2534 Add FR transaction ID control OID to global-aci

This patch adds the ForgeRock Transaction ID request control OID
to the global-aci for "Anonymous control access".

The intention is to allow transmission of Common Audit transaction IDs
out of the box from LDAP client applications to OpenDJ directory server.

In order to let bind operations transmit the transaction ID,
even anonymous users are granted use of the request control.
This does let any LDAP client send spurious transaction IDs.
Since OpenDJ does not trust transaction IDs by default, however,
the administrator must decide to trust them before they are used.

If we decide not to make this change to the global-aci,
the administrator configuring Common Audit can make the change instead.
The step would need documenting in the procedures for Common Audit,
which are part of a pending PR for opendj-docs.
1 files modified
2 ■■■ changed files
opendj-server-legacy/resource/config/config.ldif 2 ●●● patch | view | raw | blame | history
opendj-server-legacy/resource/config/config.ldif
@@ -92,7 +92,7 @@
# @aci Anonymous extended operation access: Anonymous and authenticated users can request the LDAP extended operations that are specified by OID. Modification or removal may affect applications.
ds-cfg-global-aci: (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
# @aci Anonymous control access: Anonymous and authenticated users can use the LDAP controls that are specified by OID. Modification or removal may affect applications.
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 1.2.840.113556.1.4.1413") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 1.2.840.113556.1.4.1413 || 1.3.6.1.4.1.36733.2.1.5.1") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
# @aci Authenticated users control access: Authenticated users can use the LDAP controls that are specified by OID. Modification or removal may affect applications.
ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
# @aci Anonymous read access: Anonymous and authenticated users can read the user data attributes that are specified by their names. Modification or removal is permitted.
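Review bot: The OID `1.3.6.1.4.1.36733.2.1.5.1` appended to the "Anonymous control access" `ds-cfg-global-aci` line is explained nowhere in this file, and the `@aci` comment above it still reads as a generic statement even though this entry differs from its neighbours: the control value is supplied by a client that may be unauthenticated, so any component that records the transaction ID is taking attacker-controlled input into audit data. The caveat in the commit message ("OpenDJ does not trust transaction IDs by default") should live next to the ACI where an administrator editing config.ldif will see it; suggest appending to the preceding comment line: `# ... The list includes the ForgeRock transaction ID request control (1.3.6.1.4.1.36733.2.1.5.1) so binds can carry Common Audit transaction IDs; the ID is client-supplied and is untrusted unless the administrator explicitly configures OpenDJ to trust it.` If the `@aci` annotations are harvested by a documentation generator, keep the added sentence after the existing text so the summary phrase stays intact. A short OID-to-control-name mapping for this list, kept as comments, would also make future additions reviewable without looking up each number.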