Netscape Directory Server
Get Effective Rights - Feature Overview

Updated on: May 27, 2004


The new Get Effective Rights feature of Netscape Directory Server 6.21 allows an administrator to see what access control rights a given user actually has on any entry in the database, that is, the net result of all the ACIs that apply to that user and that entry.  The effective rights are retrieved by sending an LDAP control along with a search operation.  The results show the effective rights on each returned entry and on each attribute of each returned entry.



Retrieving Effective Rights with ldapsearch
To retrieve the effective rights with ldapsearch, you must pass the new LDAP control with the ldapsearch utility's -J option.  The format of the information that you pass with the -J option is:

    -J <control OID>:<boolean criticality>:dn: <user DN>

The control is specified by its OID, which is defined as "1.3.6.1.4.1.42.2.27.9.5.2".  You must also pass the boolean criticality of the control.  Valid values are "true" or "false".  This specifies whether the search operation should return an error if the server does not support this control ("true"), or whether the control should simply be ignored and the search returned as normal ("false").  When checking rights, "true" is the safer choice: with "false", a server that does not recognize the control returns ordinary entries with no rights information and nothing tells you that the control was dropped.  Lastly, you must supply the authorization id of the user whose rights you want to check.  This is the user's dn, written with the literal prefix "dn: " as shown in the example below.  An example of using ldapsearch to retrieve effective rights looks like:

    ldapsearch -D "cn=Directory Manager" -w password -b "cn=HR Managers,ou=groups,dc=corp,dc=com" -J "1.3.6.1.4.1.42.2.27.9.5.2:false:dn: uid=tmorris,ou=Accounting,ou=HR,dc=corp,dc=com" "(objectClass=*)"

This example will return the rights of "uid=tmorris" on "cn=HR Managers,ou=groups,dc=corp,dc=com" and, because ldapsearch searches the whole subtree by default, on every entry below it.  Note that the bind password given with -w appears in the command line, and therefore in process listings and shell history; on a shared host, prefer whatever the tool offers for supplying the password from a file or a prompt.  If the returned entries carry no rights attributes at all, the control was not honored by the server, which can happen silently only when the criticality is "false".



Interpreting Effective Rights
When the results of a search are returned where effective rights were requested, each entry carries two extra attributes at the end.  These attributes are named entryLevelRights and attributeLevelRights.  Together they tell you the effective rights of the user named in the control on each returned entry: entryLevelRights covers operations on the entry as a whole, and attributeLevelRights lists each attribute present in the entry followed by the rights on that attribute.  The value of each of these attributes is a string of letters, one per right granted.  The possible rights are as follows:

    Entry Level Rights
       a - add
       d - delete
       n - rename DN
       v - view entry

    Attribute Level Rights
       r - read
       s - search
       c - compare
       w - modify (add)
       o - obliterate (delete)
       W - self add
       O - self delete

An example of an entry returned from ldapsearch with effective rights shown looks like:

    dn: cn=HR Managers,ou=groups,dc=corp,dc=com
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: HR Managers
    ou: groups
    description: People who can manage HR entries
    entryLevelRights: v
    attributeLevelRights: objectClass:rsc, cn:rsc, ou:rsc, description:rsc

These results show that the user named in the control is allowed to view the entry (v), and can read, search, and compare (rsc) each attribute present in the entry.  No "w" or "o" appears for any attribute and no "a", "d" or "n" appears at the entry level, so the user cannot change the group in any way.
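The following Python script is an added example, not part of the original Netscape documentation.  It covers both halves of the procedure above: building the string that is passed to ldapsearch -J, and interpreting the entryLevelRights and attributeLevelRights attributes in the output.  The script works offline on captured ldapsearch output; the LDIF embedded in it is constructed for the example (the first entry is the HR Managers entry from this page, the second is an invented entry on which "uid=tmorris" has delete and write rights).  The audit function and its list of "sensitive" attributes are the author's own choice of what to flag, not anything the server provides.  Base64-encoded LDIF values ("dn::") are not handled.

```python
# Added example: build the ldapsearch -J argument for the Get Effective Rights
# control and parse the rights attributes that come back in the LDIF output.

CONTROL_OID = "1.3.6.1.4.1.42.2.27.9.5.2"

# Letters exactly as listed in the "Interpreting Effective Rights" table.
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename DN", "v": "view entry"}
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare", "w": "modify (add)",
               "o": "obliterate (delete)", "W": "self add", "O": "self delete"}


def control_argument(user_dn, critical=True):
    """String to pass with ldapsearch -J: OID:criticality:dn: <user DN>."""
    return "%s:%s:dn: %s" % (CONTROL_OID, "true" if critical else "false", user_dn)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_effective_rights(ldif_text):
    """Return one dict per entry: its dn, entry-level rights (set of letters)
    and attribute-level rights (attribute name -> set of letters)."""
    entries = []
    current = None
    for line in unfold_ldif(ldif_text) + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            current = {"dn": value, "entry": set(), "attrs": {}}
        elif current is None:
            continue                             # e.g. a "version: 1" header line
        elif name == "entryLevelRights":
            current["entry"] = set(value)
        elif name == "attributeLevelRights":
            for item in value.split(","):        # "objectClass:rsc, cn:rsc, ..."
                attr, _, letters = item.strip().partition(":")
                if attr:
                    current["attrs"][attr] = set(letters)
    return entries


def writable_attributes(entry):
    """Attributes whose values the user may add to (w) or delete from (o)."""
    return sorted(a for a, r in entry["attrs"].items() if r & {"w", "o"})


def audit(entries, sensitive=("userPassword", "uniqueMember", "aci")):
    """Flag entries the user can delete and sensitive attributes the user can modify.
    Attribute names are compared case-insensitively, as LDAP does."""
    sensitive_lc = {s.lower() for s in sensitive}
    findings = []
    for e in entries:
        if "d" in e["entry"]:
            findings.append((e["dn"], "can delete entry"))
        for attr in writable_attributes(e):
            if attr.lower() in sensitive_lc:
                findings.append((e["dn"], "can modify %s" % attr))
    return findings


# Constructed ldapsearch output: the page's HR Managers entry plus an invented
# second entry (with an LDIF-folded attributeLevelRights line) for contrast.
SAMPLE_OUTPUT = """\
dn: cn=HR Managers,ou=groups,dc=corp,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
entryLevelRights: v
attributeLevelRights: objectClass:rsc, cn:rsc, ou:rsc, description:rsc

dn: uid=tmorris,ou=Accounting,ou=HR,dc=corp,dc=com
objectclass: top
objectclass: person
uid: tmorris
entryLevelRights: vd
attributeLevelRights: objectClass:rsc, uid:rsc, userPassword:wo,
 description:rscwo
"""

if __name__ == "__main__":
    print(control_argument("uid=tmorris,ou=Accounting,ou=HR,dc=corp,dc=com"))
    for dn, finding in audit(parse_effective_rights(SAMPLE_OUTPUT)):
        print("%s: %s" % (dn, finding))
```

In practice you would pipe the real ldapsearch output into parse_effective_rights instead of the embedded sample; the audit then gives a quick answer to the question an ACI review usually asks, namely which entries the user can delete and where the user can change something like userPassword or group membership.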