Overview#

Some Examples using ldapsearch with the Get Effective Rights Control

The Get Effective Rights Control enables you to evaluate existing or new ACIs and to see the effective rights that they grant for a user on a specified entry.

In response to this control, the server returns effective rights information about the entries and attributes in the search results. This extra information includes read and write permissions for each entry and for each attribute in each entry. The permissions can be requested for the bind DN used for the search or for an arbitrary DN, which lets administrators test the permissions of directory users without binding as them.

The ldapsearch command utility provides two ways to use the Get Effective Rights Control:

  • Use -J effectiverights or the OID -J "1.3.6.1.4.1.42.2.27.9.5.2". The request only takes an authorization ID (authzid). If you specify a NULL value for the authorization ID (authzid), the bind user is used as the authzid.
  • Use -g dn:"dn". The command option shows the effective rights of the user binding with the given DN. You can use this option together with the -e option to include the effective rights on the named attributes. You can use the option to determine if a user has permission to add an attribute that does not currently exist in an entry.

You cannot use the -g option with the -J option.

To view effective rights, request the virtual attributes aclRights and aclRightsInfo, which are generated by the server in response to the effective rights request. Because they are virtual, you should not use these attributes in search filters of any kind.

Example 1#

Use the ldapsearch command to display the effective rights of all users.

$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b dc=example,dc=com -J effectiverights "(objectclass=*)" aclRights

dn: dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=Groups, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=HR Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

...

Example 2#

Use the ldapsearch command to display the effective rights of a specific user. This example uses the --getEffectiveRightsAuthzid option. You can also use the --control or -J option, such as -J geteffectiverights.

$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b dc=example,dc=com --getEffectiveRightsAuthzid "dn:uid=scarter,ou=People,dc=example,dc=com" "(uid=scarter)" aclRights

dn: uid=scarter,ou=People,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0
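The aclRights lines in Examples 1 and 2 are easy to eyeball for one entry but not for a whole subtree. As an added example (not code from this page or from the directory server project), here is a small Python parser for that output that reports which write-class rights the authzid actually holds; the sample LDIF is constructed, and the attributeLevel line with its selfwrite_* keys is an assumption about the server's attribute-level output format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: aclRights output as returned by ldapsearch when the
# Get Effective Rights control is requested (shape of Examples 1 and 2).
# The attributeLevel line is an assumed format, not taken from the page.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=People,dc=example,dc=com
aclRights;entryLevel: add:1,delete:0,read:1,write:0,proxy:0

dn: uid=scarter,ou=People,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0
aclRights;attributeLevel;userPassword: search:0,read:0,compare:0,write:1,selfwrite_add:0,selfwrite_delete:0,proxy:0
"""

# aclRights;<scope>[;<attribute>]: right:0,right:1,...
ACL_RE = re.compile(r"^aclRights;(entryLevel|attributeLevel)(?:;([^:]+))?:\s*(.*)$")


def parse_acl_rights(ldif: str) -> Dict[str, Dict[Tuple[str, str], Dict[str, bool]]]:
    """Map each DN to {(scope, attr): {right: granted}}; attr is '' for entryLevel."""
    rights: Dict[str, Dict[Tuple[str, str], Dict[str, bool]]] = {}
    dn = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            rights.setdefault(dn, {})
        elif dn and (m := ACL_RE.match(line)):
            scope, attr, body = m.group(1), m.group(2) or "", m.group(3)
            rights[dn][(scope, attr)] = {
                k: v == "1" for k, v in (item.split(":", 1) for item in body.split(",") if item)
            }
    return rights


def find_grants(rights, watched=("add", "delete", "write", "proxy")) -> List[Tuple[str, str, str, str]]:
    """Return (dn, scope, attr, right) for every watched right that is granted."""
    hits = []
    for dn, scopes in rights.items():
        for (scope, attr), perms in scopes.items():
            hits.extend((dn, scope, attr, r) for r in watched if perms.get(r))
    return hits


if __name__ == "__main__":
    for dn, scope, attr, right in find_grants(parse_acl_rights(SAMPLE_LDIF)):
        print("granted: %s %s%s %s" % (dn, scope, ";" + attr if attr else "", right))
```

Pipe real ldapsearch output into parse_acl_rights to audit a subtree for an authzid that should be read-only.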

Example 3#

Use the ldapsearch command to display effective rights information for a specific user. The aclRightsInfo attribute provides more detailed logging information that explains how effective rights are granted or denied.

$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b dc=example,dc=com --getEffectiveRightsAuthzid "dn:uid=scarter,ou=People,dc=example,dc=com" "(uid=scarter)" aclRightsInfo

dn: uid=scarter,ou=People,dc=example,dc=com
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on 
entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to 
 (uid=scarter,ou=People,dc=example,dc=com) 
(not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy ) on 
entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to 
 (uid=scarter, ou=People,dc=example,dc=com) 
(not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access allowed(write) on  
entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to 
 (uid=scarter,ou=People,dc=example,dc=com) 
(not proxied) ( reason: evaluated allow , deciding_aci : Allow self entry modification)
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on 
entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to 
 (uid=scarter,ou=People,dc=example,dc=com) 
(not proxied) ( reason: evaluated allow , deciding_aci: Anonymous extended 
 operation access)
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(delete) on 
entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to 
 (uid=scarter,ou=People,dc=example,dc=com) 
(not proxied) ( reason: no acis matched the subject )

This page (revision-4) was last changed on 07-Jun-2013 11:58 by jim