LDAPWiki: Object ACL

Overview[1]#

Object ACL is a LDAPSyntaxes used in EDirectory that Contains Access Control information for the object and its attributes.

NAME: Object ACL
OID: 2.16.840.1.113719.1.1.5.1.17
X-NDS_SYNTAX: 17

Every LDAP Entry in the NDS tree has an ACL (eDirectory Attribute). This attribute holds information about which trustees have access to the LDAP Entry itself (entry rights) and which trustees have access to the attributes for the entry. This information is stored in sets of information containing the following:

The trustee name (subjectName)
The affected attribute-Entry Rights, All Attributes Rights, or a specific attributeType (protectedAttrName)
The privileges (privileges)

Required Access Privileges#

The table below shows the Required Access Privileges for various operations.

Operation	Object Privileges	LDAP		Attribute Privileges	LDAP
Compare attribute value	NONE		AND	Read or Compare
Read attribute value	NONE	1	AND	Read
List subordinates	Browse	1	AND	NONE
Add object	2	Add (on the parent object)		AND	NONE
Search	Browse on each object		AND	Compare on each attribute in filter; Read on each attribute returned.
Add attribute to object	NONE		AND	Write
Add value to attribute	NONE		AND	Write
Delete attribute	NONE		AND	Write
Delete value of attribute	NONE		AND	Write
Delete object	Delete	4	AND	Write on each present attribute
Move object	Delete (at the source location); Add (at the destination)		AND	Write on each present attribute
Write self	NONE		AND	Self
Modify Name (RDN)	Rename	8	AND	NONE

LDAP Format[1][2]#

Object ACL is a proprietary LDAPSyntaxes defined for EDirectory. This syntax is described in the Novell LDAP Library Documentation for Developers

. The content is a string which defines one permission entry in an entry's access control list. From LDAP is shows as an Component Syntax attribute and shows like:

<privileges> # <scope> # <subjectname> # <protectedattrname>

The ACL (eDirectory Attribute) is assigned on the entry to which the subjectname is granted access. (ie the Target Resource)

Remarks[1]#

An Object ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. If an ACL (eDirectory Attribute) entry is to apply to the object as a whole, the protectedattrname name should be left empty (NULL). If a specific attribute is to be protected, it should be named in the ACL (eDirectory Attribute) entry.

You can match an ACL value against either a subject (trustee) or a privilege set, or both. If the subject name is not to be considered in the comparison, specify it as NULL. If the privilege set is not to be considered in the comparison, specify an “approximate match” with a privilege set value of zero.

The Object ACL syntax supports both matching for EQUALITY and APPROXIMATE matching. The difference between matching for equality and approximate matching concerns the privileges field of the comparison value.

When matching for EQUALITY, the privilege set must match exactly for the comparison to succeed.

When APPROXIMATE matching has been selected, any bits in the privilege field in the filter that are set must also be set in the target. Any other bits in the target are ignored.

Values with the same protectedAttrName and subjectName fields are considered to be duplicate, and so are not permitted.

For information on bit mask for the privileges field and on the special values available for protectedAttrName and subjectName fields, see the Object_ACL_T structure.

We have never been able to perform a search on the ACL (eDirectory Attribute) from LDAP that was not exact match.

eDirectory Privileges Field#

The privilege value depends on the setting for the protectedAttrName:

[Entry Rights] permissions, the following bits are important:
- 1-Browse - lets the trustee see the Subjectname in the tree. This does not include the right to see protectedAttrName values.
- 2-Create - applies only when the target object is a container. Allows the trustee to create new objects below the container and also includes the Browse privilege.
- 4-Delete - lets the trustee delete the target from the directory.
- 8-Rename - lets the trustee change the name of the target
- 16-Supervisor - includes all rights to the object and all of its properties.
- 64-Inheritance Control - allow the Subjectname to control whether [Entry Rights] granted in an ACL (eDirectory Attribute) are inherited. If inherited, the Subjectname can exercise the rights granted in the ACL on subordinate objects. NetWare 5.x allows you to either allow inheritance or block inheritance. (NetWare 5.x utilities and their documentation call this right Inheritable.)
[All Attribute Rights] permissions, the following bits are important:
- 1-Compare - lets the trustee compare the value of a property to a given value. This right allows searching and returns only a true or false result. It does not allow the trustee to actually see the value of the property.
- 2-Read - lets the trustee see the values of a property. It includes the Compare right
- 4-Write - lets the trustee create, change, and delete the values of a property.
- 8-Add Self - lets the trustee add or remove itself as a property value. Only applies to properties with object names as values, such as membership lists or Access Control Lists (ACLs).
- 32-Supervisor - gives the trustee complete power over the property.
- 64-Inheritance Control - controls whether the Subjectname inherits the other rights granted to a specific attribute or to [All Attributes Rights]. The bit can be set to allow or to block inheritance on both [All Attributes Rights] and specific attributes. Also enables the creation of managers who have rights to manage specific attributes, such as phone numbers, addresses, and passwords, without granting Supervisor rights to the objects. If the right is granted at the container level, the right can be inheritable to an entire branch of the eDirectory tree.

Scope Field#

The scope determines if the regarding permission is to be inherited to child objects. If the permission is only set for the object itself, the string 'entry' is used, otherwise the string 'subtree' is used.

Subjectname Field#

The object distinguish name is the DN of the trustee which has the regarding permission. Subjectname field is the complete name of the specific object in the eDirectory tree that is being granted rights.

The Subjectname Field can also be one of the following special entry names:

[Root] - used to grant rights to all authenticated entries.
[Public] - used to grant rights to all entries in the eDirectory tree, even if the entry has not authenticated to the eDirectory tree.
[Creator] - used to grant rights to the client that created the object.
[Self] - used to allow objects to add or delete themselves as values of attributes.
[Inheritance Mask] - used to mask or filter privileges granted to an object.

Referential Integrity is imposed on the Subjectname Field which identifies the EDirectory object referred to by the Field and must refer to a DN of an object that exists in the eDirectory tree. eDirectory verifies that this field refers to an existing object.

protectedAttrName field#

The attribute string specifies the attribute for which the permission is set. In addition to attribute names, the following to generic strings are allowed:

[All Attributes Rights] - indicates that the rights apply to all the entry's attributes.
[Entry Rights] - indicates that the rights apply to the entry that the ACL attribute is applied

API Data Structures#

typedef struct 
{
   pnstr8          protectedAttrName; 
   pnstr8          subjectName; 
   nuint32         privileges; 
} Object_ACL_T;

Transfer Format#

uint32     Length 
unicode    Name of Protected Attribute 
Align4 
unicode    Subject Name 
Align4 
uint32     Privileges

Binary#

ndsAcl ::= SEQUENCE {
   privileges          uint32,
   subjectName         LDAPDN,
   protectedAttrName   LDAPString
}

More Information#

There might be more information for this subject on one of the following:

[#1] - Novell LDAP Library Documentation for Developers - based on information obtained 2013-04-10
[#2] - LEX-Attribute Syntaxes - based on information obtained 2015-12-01