Overview[1]#
Object ACL is a LDAPSyntaxes used in EDirectory that Contains Access Control information for the object and its attributes.- NAME: Object ACL
- OID: 2.16.840.1.113719.1.1.5.1.17
- X-NDS_SYNTAX: 17
Every LDAP Entry in the NDS tree has an ACL (eDirectory Attribute). This attribute holds information about which trustees have access to the LDAP Entry itself (entry rights) and which trustees have access to the attributes for the entry. This information is stored in sets of information containing the following:
- The trustee name (subjectName)
- The affected attribute-Entry Rights, All Attributes Rights, or a specific attributeType (protectedAttrName)
- The privileges (privileges)
Required Access Privileges#
The table below shows the Required Access Privileges for various operations.| Operation | Object Privileges | LDAP | Attribute Privileges | LDAP | ||
|---|---|---|---|---|---|---|
| Compare attribute value | NONE | AND | Read or Compare | |||
| Read attribute value | NONE | 1 | AND | Read | ||
| List subordinates | Browse | 1 | AND | NONE | ||
| Add object | 2 | Add (on the parent object) | AND | NONE | ||
| Search | Browse on each object | AND | Compare on each attribute in filter; Read on each attribute returned. | |||
| Add attribute to object | NONE | AND | Write | |||
| Add value to attribute | NONE | AND | Write | |||
| Delete attribute | NONE | AND | Write | |||
| Delete value of attribute | NONE | AND | Write | |||
| Delete object | Delete | 4 | AND | Write on each present attribute | ||
| Move object | Delete (at the source location); Add (at the destination) | AND | Write on each present attribute | |||
| Write self | NONE | AND | Self | |||
| Modify Name (RDN) | Rename | 8 | AND | NONE |
LDAP Format[1][2]#
Object ACL is a proprietary LDAPSyntaxes defined for EDirectory. This syntax is described in the Novell LDAP Library Documentation for Developers
. The content is a string which defines one permission entry in an entry's access control list. From LDAP is shows as an Component Syntax attribute and shows like:
<privileges> # <scope> # <subjectname> # <protectedattrname>
Remarks[1]#
An Object ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. If an ACL (eDirectory Attribute) entry is to apply to the object as a whole, the protectedattrname name should be left empty (NULL). If a specific attribute is to be protected, it should be named in the ACL (eDirectory Attribute) entry.You can match an ACL value against either a subject (trustee) or a privilege set, or both. If the subject name is not to be considered in the comparison, specify it as NULL. If the privilege set is not to be considered in the comparison, specify an “approximate match” with a privilege set value of zero.
The Object ACL syntax supports both matching for EQUALITY and APPROXIMATE matching. The difference between matching for equality and approximate matching concerns the privileges field of the comparison value.
When matching for EQUALITY, the privilege set must match exactly for the comparison to succeed.
When APPROXIMATE matching has been selected, any bits in the privilege field in the filter that are set must also be set in the target. Any other bits in the target are ignored.
Values with the same protectedAttrName and subjectName fields are considered to be duplicate, and so are not permitted.
For information on bit mask for the privileges field and on the special values available for protectedAttrName and subjectName fields, see the Object_ACL_T structure.
The number before the first # is in decimal. Convert the decimal value to hexadecimal (base 16) and select the privileges from the following table (starting with the largest value, or at the bottom):
eDirectory Privileges Field#
Entry level Permissions#
| Decimal | Hexadecimal | Description |
|---|---|---|
| 1 | 1 | entry_browse - lets the trustee see the Subjectname in the tree. This does not include the right to see protectedAttrName values. |
| 2 | 2 | entry_add - applies only when the target object is a container. Allows the trustee to create new objects below the container and also includes the Browse privilege. |
| 4 | 4 | entry_delete - lets the trustee Delete the target from the directory. |
| 8 | 8 | entry_rename - lets the trustee change the name of the target |
| 16 | 10 | entry_supervisor - includes all rights to the object and all of its properties. |
| 64 | 40 | entry_inherit_ctl - allow the Subjectname to control whether [Entry Rights] granted in an ACL (eDirectory Attribute) are inherited. If inherited, the Subjectname can exercise the rights granted in the ACL on subordinate objects. NetWare 5.x allows you to either allow inheritance or block inheritance. |
Attribute level Permissions#
| Decimal | Hexadecimal | Description |
|---|---|---|
| 1 | 1 | attr_compare - lets the trustee compare the value of a property to a given value. This right allows searching and returns only a true or false result. It does not allow the trustee to actually see the value of the property. |
| 2 | 2 | attr_read - lets the trustee see the values of a property. It includes the Compare right |
| 4 | 4 | attr_write - lets the trustee create, change, and delete the values of a property. |
| 8 | 8 | attr_self - lets the trustee add or remove itself as a property value. Only applies to properties with object names as values, such as membership lists or Access Control Lists (ACLs). |
| 32 | 20 | attr_supervisor - gives the trustee complete power over the property. |
| 64 | 40 | attr_inherit_ctl - controls whether the Subjectname inherits the other rights granted to a specific attribute or to [All Attributes Rights]. The bit can be set to allow or to block inheritance on both [All Attributes Rights] and specific attributes. Also enables the creation of managers who have rights to manage specific attributes, such as phone numbers, addresses, and passwords, without granting Supervisor rights to the objects. If the right is granted at the container level, the right can be inheritable to an entire branch of the eDirectory tree. |
Privilege for both Entries and Attrs#
| Decimal | Hexadecimal | Description |
|---|---|---|
| 536870912 | 20000000 | Dynamic Groups |
| 1073741824 | 40000000 | iManager Role Based Svcs |
Privilege for both Entries and Attributes example So in the case of:
ACL: 1073741863#subtree#cn=MyOrg,cn=User Management,cn=Role Based Service,ou=ENT,o=MyOrg#cn
The ACL value is 1073741863 (decimal) which converts to 40000027 hex (or 0x40000027). Starting at the bottom of the above table, this translates to:
- 0x40000000 = iManager Role Base Services granted privilege.
- 0x00000020 = Supervisor Permission to the attribute indicated (attr_supervisor)
- 0x00000004 = Write Permission to the attribute indicated (attr_write)
- 0x00000002 = Read Permission to the attribute indicated (attr_read)
- 0x00000001 = Compare Permission to the attribute indicated (attr_compare)
Scope Field#
The scope determines if the regarding permission is to be inherited to child objects. If the permission is only set for the object itself, the string 'entry' is used, otherwise the string 'subtree' is used.Subjectname Field#
The object distinguish name is the DN of the trustee which has the regarding permission. Subjectname field is the complete name of the specific object in the eDirectory tree that is being granted rights.The Subjectname Field can also be one of the following special entry names:
- [Root] - used to grant rights to all authenticated entries.
- [Public] - used to grant rights to all entries in the eDirectory tree, even if the entry has not authenticated to the eDirectory tree.
- [Creator] - used to grant rights to the client that created the object.
- [Self] - used to allow objects to add or delete themselves as values of attributes.
- [Inheritance Mask] - used to mask or filter privileges granted to an object.
Referential Integrity is imposed on the Subjectname Field which identifies the EDirectory object referred to by the Field and must refer to a DN of an object that exists in the eDirectory tree. eDirectory verifies that this field refers to an existing object.
protectedAttrName field#
The attribute string specifies the attribute for which the permission is set. In addition to attribute names, the following to generic strings are allowed:- [All Attributes Rights] - indicates that the rights apply to all the entry's attributes.
- [Entry Rights] - indicates that the rights apply to the entry that the ACL attribute is applied
API Data Structures#
typedef struct
{
pnstr8 protectedAttrName;
pnstr8 subjectName;
nuint32 privileges;
} Object_ACL_T;
Transfer Format#
uint32 Length unicode Name of Protected Attribute Align4 unicode Subject Name Align4 uint32 Privileges
Binary#
ndsAcl ::= SEQUENCE {
privileges uint32,
subjectName LDAPDN,
protectedAttrName LDAPString
}
More Information#
There might be more information for this subject on one of the following:- 2.16.840.1.113719.1.1.5.1.17
- ACL (eDirectory Attribute)
- NewObjectSDSRights
- NspmPasswordACL
- TrusteesOfNewObject
- X-NDS_ACL_TEMPLATES
- [#1] - Novell LDAP Library Documentation for Developers - based on information obtained 2013-04-10
- [#2] - LEX-Attribute Syntaxes - based on information obtained 2015-12-01
- [#3] - !!! What does the numeric value of ACL mean in an LDAP export? - based on information obtained 2021-05-13