Viewing the ACIs for an Entry
Red Hat Directory Server Administrator’s Guide • May 2005
“Get effective rights” is an extended ldapsearch operation that returns the access control permissions set on each attribute within an entry. The effective rights are retrieved by sending an LDAP control along with a search operation. The results show the effective rights on each returned entry and on each attribute of each returned entry.
The access control information is divided into two groups of access: rights for an
entry and rights for an attribute. “Rights for an entry” means the rights, such as
modify or delete, that are limited to that specific entry. “Rights for an attribute”
means the access right to every instance of that attribute throughout the directory.
Some of the situations when this kind of detailed access control may be necessary
include the following:
• An administrator can use the get effective rights command for minute access control, such as allowing certain groups or users access to entries and restricting others. For instance, members of the QA Managers group may have the right to search and read attributes like manager and salary, but only HR Group members have the rights to modify or delete them.
• A user can run the get effective rights command to see what attributes he can view or modify on his personal entry. For instance, a user should have access to attributes such as homePostalAddress and cn but may only have read access to manager and salary.
An ldapsearch run with the -J option will return the access controls placed on a particular entry. The entryLevelRights and attributeLevelRights returns are added as attributes at the bottom of the query results. If the ldapsearch is run without -J, then the entry information is returned as normal, without the entryLevelRights or attributeLevelRights information.
A get effective rights result looks like the following:
dn: uid=tmorris, ou=People, dc=example,dc=com
l: Santa Clara
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: l:rscwo, userPassword:wo
In this example, Ted Morris has the right to add, view, delete, or rename the DN on his own entry, as shown by the returns in entryLevelRights. For attributes, he has the right to read, search, compare, self-modify, or self-delete the location (l) attribute but only self-write and self-delete rights to his password, as shown in the attributeLevelRights return.