The Get Effective Rights Control enables you to evaluate existing or new ACIs and to see the effective rights that they grant for a user on a specified entry.
When this control is attached to a search, the server returns, alongside the normal search results, the effective rights that apply to each entry and to each attribute of each entry: whether the subject may add, delete, read, write or proxy at the entry level, and the corresponding rights per attribute. The rights can be evaluated for the bind DN used for the search or for any other DN, so an administrator can check what a given directory user is allowed to do without binding as that user.
The ldapsearch command utility provides two ways to use the Get Effective Rights Control: pass the control itself with -J effectiverights, which evaluates the rights of the bind DN, or name the subject explicitly with -g (long form --getEffectiveRightsAuthzid) followed by an authorization ID of the form dn:DN. The -g option cannot be combined with the -J option.
To view effective rights, request the virtual attributes aclRights and aclRightsInfo in the attribute list of the search. The server generates them only in response to the effective rights request; because they are computed per request rather than stored, you should not use them in search filters.
Requesting the control with -J, which reports the rights of the bind DN on every entry in scope:

$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
    -b dc=example,dc=com -J effectiverights "(objectclass=*)" aclRights
dn: dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=Groups, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: ou=People, dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: cn=HR Managers,ou=groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
...

Naming the subject explicitly with --getEffectiveRightsAuthzid (the long form of -g), here to see what the user scarter may do to that user's own entry. A value of 1 means the right is granted, 0 that it is denied:

$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
    -b dc=example,dc=com \
    --getEffectiveRightsAuthzid "dn:uid=scarter,ou=People,dc=example,dc=com" \
    "(uid=scarter)" aclRights
dn: uid=scarter,ou=People,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0

Requesting aclRightsInfo instead returns, for each right, the ACI evaluation log: whether access was allowed or denied, for which subject, and either the deciding ACI or the reason no ACI applied. The deciding_aci name is what you check when verifying that a grant comes from the ACI you intended and not from an overly broad one:

$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
    -b dc=example,dc=com \
    --getEffectiveRightsAuthzid "dn:uid=scarter,ou=People,dc=example,dc=com" \
    "(uid=scarter)" aclRightsInfo
dn: uid=scarter,ou=People,dc=example,dc=com
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to (uid=scarter,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy) on entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to (uid=scarter,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access allowed(write) on entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to (uid=scarter,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluated allow , deciding_aci : Allow self entry modification)
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to (uid=scarter,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluated allow , deciding_aci: Anonymous extended operation access)
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(delete) on entry/attr(uid=scarter,ou=People,dc=example,dc=com, NULL) to (uid=scarter,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
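The control is most useful when you run it for an ordinary user over a whole subtree and check the result against a policy, rather than reading one entry at a time. As an added example (not part of the original page and not part of the directory server's own tooling), the following Python parses aclRights output in the format shown above and flags rights that a self-service user should not hold: add, delete or proxy on any entry, and write on any entry other than the user's own. The sample output, the audit policy, and the attribute-level line (aclRights;attributeLevel;userPassword, assumed to follow the same scope;attribute naming as the entryLevel lines) are constructed for the example, not captured from a live server.

```python
"""Parse and audit aclRights output from an effective-rights ldapsearch.

Added example: the sample below is constructed in the format shown on this
page and was not captured from a live server.
"""
from typing import Dict, List, Tuple

Rights = Dict[str, bool]

# Constructed sample: what a search run with
#   --getEffectiveRightsAuthzid "dn:uid=scarter,ou=People,dc=example,dc=com"
# over ou=People might return. The attributeLevel line is an assumption about
# the naming of per-attribute rights; the page itself shows only entryLevel.
SAMPLE_OUTPUT = """\
dn: ou=People,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

dn: uid=scarter,ou=People,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0

dn: uid=tmorris,ou=People,dc=example,dc=com
aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0
aclRights;attributeLevel;userPassword: search:0,read:0,compare:0,write:1,proxy:0
"""

# Rights a self-service user is never expected to hold anywhere (assumed policy).
FORBIDDEN_ANYWHERE = ("add", "delete", "proxy")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def normalize_dn(dn: str) -> str:
    """Case-fold and drop spaces around commas so 'ou=People, dc=x' == 'ou=people,dc=x'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_effective_rights(text: str) -> Dict[str, Dict[str, Rights]]:
    """Map each returned DN to its rights per scope.

    Scope keys are "entry" for aclRights;entryLevel and "attr:<name>" for
    aclRights;attributeLevel;<name>. Each value maps right name -> granted.
    """
    result: Dict[str, Dict[str, Rights]] = {}
    dn = None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = line[4:].strip()
            result.setdefault(dn, {})
        elif line.startswith("aclRights;") and dn is not None:
            name, _, values = line.partition(": ")
            parts = name.split(";")  # ["aclRights", "entryLevel"] or [..., "attributeLevel", "cn"]
            if parts[1] == "entryLevel":
                scope = "entry"
            else:
                scope = "attr:" + parts[2] if len(parts) > 2 else parts[1]
            rights: Rights = {}
            for item in values.split(","):
                right, _, flag = item.partition(":")
                rights[right.strip()] = flag.strip() == "1"
            result[dn][scope] = rights
    return result


def audit_user_rights(text: str, user_dn: str) -> List[Tuple[str, str, str]]:
    """Return (dn, scope, right) for every granted right that exceeds the
    self-service policy: read anywhere and write on the user's own entry are
    fine; add/delete/proxy anywhere, or write elsewhere, are findings."""
    findings: List[Tuple[str, str, str]] = []
    own = normalize_dn(user_dn)
    for dn, scopes in parse_effective_rights(text).items():
        for scope, rights in scopes.items():
            for right, granted in rights.items():
                if not granted:
                    continue
                if right in FORBIDDEN_ANYWHERE or (right == "write" and normalize_dn(dn) != own):
                    findings.append((dn, scope, right))
    return findings


if __name__ == "__main__":
    for dn, scope, right in audit_user_rights(
        SAMPLE_OUTPUT, "uid=scarter,ou=People,dc=example,dc=com"
    ):
        print(f"UNEXPECTED {right} ({scope}) on {dn}")
```

Feed the script the output of an ldapsearch run with -g for the user under review and a broad base DN; every line it prints names an entry, a scope and a right that some ACI grants beyond the policy, and the matching aclRightsInfo query then tells you which ACI did it.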