Commit: 73e8c616a2b67f8b6002eae5b7ae34654a2941c5
Date: 11-Dec-2015
Author: Mark Craig <mark.craig@forgerock.com>

OPENDJ-2534 Add FR transaction ID control OID to global-aci

This patch adds the ForgeRock Transaction ID request control OID
to the global-aci for "Anonymous control access".
The intention is to allow transmission of Common Audit transaction IDs
out of the box from LDAP client applications to OpenDJ directory server.
In order to let bind operations transmit the transaction ID,
even anonymous users are granted use of the request control.
This does let any LDAP client send spurious transaction IDs.
Since OpenDJ does not trust transaction IDs by default, however,
the administrator must decide to trust them before they are used.
If we decide not to make this change to the global-aci,
the administrator configuring Common Audit can make the change instead.
The step would need documenting in the procedures for Common Audit,
which are part of a pending PR for opendj-docs.