Chapter 6. Managing Access Control
Get effective rights is an extended ldapsearch which returns the access control permissions set on each attribute within an entry. The effective rights can be retrieved by sending an LDAP control along with a search operation. The results show the effective rights on each returned entry and each attribute of each returned entry.
The access control information is divided into two groups of access: rights for an entry and rights for an attribute. Rights for an entry means the rights, such as modify or delete, that are limited to that specific entry. Rights for an attribute means the access right to every instance of that attribute throughout the directory.
Some of the situations when this kind of detailed access control may be necessary include the following:
• An administrator can use the get effective rights command for minute access control, such as allowing certain groups or users access to entries and restricting others. For instance, members of the QA Managers group may have the right to search and read attributes like manager and salary, but only HR Group members have the rights to modify or delete them.
• A user can run the get effective rights command to see what attributes he can view or modify on his personal entry. For instance, a user should have access to attributes such as homePostalAddress and cn but may only have read access to manager and salary.
An ldapsearch run with the -J option (which sets the get effective rights control) returns the access controls placed on a particular entry. The entryLevelRights and attributeLevelRights returns are added as attributes to the bottom of the query results. If ldapsearch is run without -J, then the entry information is returned as normal, without the entryLevelRights or attributeLevelRights information.
A get effective rights result looks like the following:
dn: uid=tmorris, ou=People, dc=example,dc=com
l: Santa Clara
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: l:rscwo, userPassword:wo
In this example, Ted Morris has the right to add, view, delete, or rename the DN on his own entry, as shown by the return values in entryLevelRights. For attributes, he has the right to read, search, compare, self-modify, or self-delete the location (l) attribute but only self-write and self-delete rights to his password, as shown in the attributeLevelRights return value.
Information is not given for attributes in an entry that do not have a value; for example, if the userPassword value is removed, then a future effective rights search on the entry above would not return any effective rights for userPassword, even though self-write and self-delete rights could be allowed. Likewise, if the street attribute were added with read, compare, and search rights, then street: rsc would appear in the attributeLevelRights results.
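The output described above is easier to audit in bulk when it is parsed rather than read by eye. The following Python script is an added example, not code from the Red Hat Directory Server documentation or product: it parses the entryLevelRights and attributeLevelRights attributes that ldapsearch -J appends to each entry, expands the single-letter codes into names (using the meanings the text above gives for the vadn and rscwo examples; that mapping is an assumption drawn from this page, not from a product reference), lists the attributes a user can modify, and flags any attribute whose effective rights exceed an expected set. The sample input embeds the entry shown above plus a second, constructed entry (uid=jdoe) so that the parser handles more than one result.

```python
"""Parse and audit get-effective-rights output (entryLevelRights /
attributeLevelRights) as returned by ldapsearch -J.

Added example; the right-code meanings below follow the explanation
of the vadn / rscwo / wo codes in the surrounding text and are an
assumption, not an authoritative table."""

from typing import Dict, List

# Entry-level right codes (assumed from the page's "vadn" example).
ENTRY_RIGHTS = {"a": "add", "v": "view", "d": "delete", "n": "rename DN"}
# Attribute-level right codes (assumed from the page's "rscwo" / "wo" example).
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare",
               "w": "self-write (modify)", "o": "self-delete"}

# Constructed sample: the first entry is the one shown in the text,
# the second (uid=jdoe) is invented to exercise multi-entry parsing.
SAMPLE = """dn: uid=tmorris, ou=People, dc=example,dc=com
l: Santa Clara
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: l:rscwo, userPassword:wo

dn: uid=jdoe, ou=People, dc=example,dc=com
cn: Jane Doe
entryLevelRights: v
attributeLevelRights: cn:rsc
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_rights(value: str) -> Dict[str, str]:
    """'l:rscwo, userPassword:wo' -> {'l': 'rscwo', 'userPassword': 'wo'}."""
    rights: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        attr, sep, code = item.partition(":")
        if not sep:
            raise ValueError(f"malformed attributeLevelRights item: {item!r}")
        rights[attr.strip()] = code.strip()
    return rights


def parse_entries(text: str) -> List[dict]:
    """Split LDIF-style search output into entries with their effective rights."""
    entries: List[dict] = []
    current = None
    for line in _unfold(text):
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        value = value.strip()           # base64 ("::") values are not needed here
        if name == "dn":
            current = {"dn": value, "attrs": {}, "entry_rights": "", "attr_rights": {}}
        elif current is None:
            raise ValueError(f"attribute line before any dn: {line!r}")
        elif name == "entryLevelRights":
            current["entry_rights"] = value
        elif name == "attributeLevelRights":
            current["attr_rights"] = parse_attribute_rights(value)
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def _decode(code: str, table: Dict[str, str]) -> List[str]:
    names = []
    for ch in code:
        if ch not in table:
            raise ValueError(f"unknown right code {ch!r} in {code!r}")
        names.append(table[ch])
    return names


def decode_entry_rights(code: str) -> List[str]:
    return _decode(code, ENTRY_RIGHTS)


def decode_attr_rights(code: str) -> List[str]:
    return _decode(code, ATTR_RIGHTS)


def modifiable_attributes(entry: dict) -> List[str]:
    """Attributes the bound user may write ('w' present in the code)."""
    return sorted(a for a, c in entry["attr_rights"].items() if "w" in c)


def excess_rights(entry: dict, allowed: Dict[str, str]) -> Dict[str, str]:
    """Audit helper: letters granted on an attribute beyond the expected code."""
    excess: Dict[str, str] = {}
    for attr, code in entry["attr_rights"].items():
        extra = "".join(sorted(set(code) - set(allowed.get(attr, ""))))
        if extra:
            excess[attr] = extra
    return excess


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["dn"], "->", decode_entry_rights(e["entry_rights"]))
        for attr, code in e["attr_rights"].items():
            print("   ", attr, decode_attr_rights(code))
        print("    modifiable:", modifiable_attributes(e))
```

Feeding real ldapsearch -J output to parse_entries and comparing each entry against the rights a policy says the bound user should have (excess_rights) turns the one-off check the text describes into a repeatable review of the ACIs in place.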
Table 6.6, “Permissions That Can Be Set on Entries” and Table 6.7, “Permissions That Can Be Set on Attributes” summarize the permissions that can be set on entries and on attributes that are retrieved by the get effective rights operation.
Permission    Description
a             Add.