Object ACL


Object ACL is a LDAPSyntaxes used in EDirectory that Contains Access Control information for the object and its attributes.

Every LDAP Entry in the NDS tree has an ACL (eDirectory Attribute). This attribute holds information about which trustees have access to the LDAP Entry itself (entry rights) and which trustees have access to the attributes for the entry. This information is stored in sets of information containing the following:

  • The trustee name (subjectName)
  • The affected attribute-Entry Rights, All Attributes Rights, or a specific attributeType (protectedAttrName)
  • The privileges (privileges)

Required Access Privileges#

The table below shows the Required Access Privileges for various operations.
OperationObject PrivilegesLDAP Attribute PrivilegesLDAP
Compare attribute valueNONE ANDRead or Compare
Read attribute valueNONE1ANDRead
List subordinatesBrowse1ANDNONE
Add object2Add (on the parent object) ANDNONE
SearchBrowse on each object ANDCompare on each attribute in filter; Read on each attribute returned.
Add attribute to objectNONE ANDWrite
Add value to attributeNONE ANDWrite
Delete attributeNONE ANDWrite
Delete value of attributeNONE ANDWrite
Delete objectDelete4ANDWrite on each present attribute
Move objectDelete (at the source location); Add (at the destination) ANDWrite on each present attribute
Write selfNONE ANDSelf
Modify Name (RDN)Rename8ANDNONE

LDAP Format[1][2]#

Object ACL is a proprietary LDAPSyntaxes defined for EDirectory. This syntax is described in the Novell LDAP Library Documentation for Developers. The content is a string which defines one permission entry in an entry's access control list. From LDAP is shows as an Component Syntax attribute and shows like:
<privileges> # <scope> # <subjectname> # <protectedattrname>
The ACL (eDirectory Attribute) is assigned on the entry to which the subjectname is granted access. (ie the Target Resource)


An Object ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. If an ACL (eDirectory Attribute) entry is to apply to the object as a whole, the protectedattrname name should be left empty (NULL). If a specific attribute is to be protected, it should be named in the ACL (eDirectory Attribute) entry.

You can match an ACL value against either a subject (trustee) or a privilege set, or both. If the subject name is not to be considered in the comparison, specify it as NULL. If the privilege set is not to be considered in the comparison, specify an “approximate match” with a privilege set value of zero.

The Object ACL syntax supports both matching for EQUALITY and APPROXIMATE matching. The difference between matching for equality and approximate matching concerns the privileges field of the comparison value.

When matching for EQUALITY, the privilege set must match exactly for the comparison to succeed.

When APPROXIMATE matching has been selected, any bits in the privilege field in the filter that are set must also be set in the target. Any other bits in the target are ignored.

Values with the same protectedAttrName and subjectName fields are considered to be duplicate, and so are not permitted.

For information on bit mask for the privileges field and on the special values available for protectedAttrName and subjectName fields, see the Object_ACL_T structure.

We have never been able to perform a search on the ACL (eDirectory Attribute) from LDAP that was not exact match.

eDirectory Privileges Field#

The privilege value depends on the setting for the protectedAttrName:
  • [Entry Rights] permissions, the following bits are important:
    • 1-Browse - lets the trustee see the Subjectname in the tree. This does not include the right to see protectedAttrName values.
    • 2-Create - applies only when the target object is a container. Allows the trustee to create new objects below the container and also includes the Browse privilege.
    • 4-Delete - lets the trustee delete the target from the directory.
    • 8-Rename - lets the trustee change the name of the target
    • 16-Supervisor - includes all rights to the object and all of its properties.
    • 64-Inheritance Control - allow the Subjectname to control whether [Entry Rights] granted in an ACL (eDirectory Attribute) are inherited. If inherited, the Subjectname can exercise the rights granted in the ACL on subordinate objects. NetWare 5.x allows you to either allow inheritance or block inheritance. (NetWare 5.x utilities and their documentation call this right Inheritable.)
  • [All Attribute Rights] permissions, the following bits are important:
    • 1-Compare - lets the trustee compare the value of a property to a given value. This right allows searching and returns only a true or false result. It does not allow the trustee to actually see the value of the property.
    • 2-Read - lets the trustee see the values of a property. It includes the Compare right
    • 4-Write - lets the trustee create, change, and delete the values of a property.
    • 8-Add Self - lets the trustee add or remove itself as a property value. Only applies to properties with object names as values, such as membership lists or Access Control Lists (ACLs).
    • 32-Supervisor - gives the trustee complete power over the property.
    • 64-Inheritance Control - controls whether the Subjectname inherits the other rights granted to a specific attribute or to [All Attributes Rights]. The bit can be set to allow or to block inheritance on both [All Attributes Rights] and specific attributes. Also enables the creation of managers who have rights to manage specific attributes, such as phone numbers, addresses, and passwords, without granting Supervisor rights to the objects. If the right is granted at the container level, the right can be inheritable to an entire branch of the eDirectory tree.

Scope Field#

The scope determines if the regarding permission is to be inherited to child objects. If the permission is only set for the object itself, the string 'entry' is used, otherwise the string 'subtree' is used.

Subjectname Field#

The object distinguish name is the DN of the trustee which has the regarding permission. Subjectname field is the complete name of the specific object in the eDirectory tree that is being granted rights.

The Subjectname Field can also be one of the following special entry names:

  • [Root] - used to grant rights to all authenticated entries.
  • [Public] - used to grant rights to all entries in the eDirectory tree, even if the entry has not authenticated to the eDirectory tree.
  • [Creator] - used to grant rights to the client that created the object.
  • [Self] - used to allow objects to add or delete themselves as values of attributes.
  • [Inheritance Mask] - used to mask or filter privileges granted to an object.

Referential Integrity is imposed on the Subjectname Field which identifies the EDirectory object referred to by the Field and must refer to a DN of an object that exists in the eDirectory tree. eDirectory verifies that this field refers to an existing object.

protectedAttrName field#

The attribute string specifies the attribute for which the permission is set. In addition to attribute names, the following to generic strings are allowed:
  • [All Attributes Rights] - indicates that the rights apply to all the entry's attributes.
  • [Entry Rights] - indicates that the rights apply to the entry that the ACL attribute is applied

API Data Structures#

typedef struct 
   pnstr8          protectedAttrName; 
   pnstr8          subjectName; 
   nuint32         privileges; 
} Object_ACL_T;

Transfer Format#

uint32     Length 
unicode    Name of Protected Attribute 
unicode    Subject Name 
uint32     Privileges


ndsAcl ::= SEQUENCE {
   privileges          uint32,
   subjectName         LDAPDN,
   protectedAttrName   LDAPString

More Information#

There might be more information for this subject on one of the following: