5.5. Viewing Effective Rights

Once you set up a number of ACIs, you might find it difficult to understand by inspection what rights a user actually has to a given entry. The Get Effective Rights control can help.

Note

The control OID, 1.3.6.1.4.1.42.2.27.9.5.2, is not allowed by the default global ACIs.

In this example, Babs Jensen is the owner of a small group of people who are willing to carpool.

$ ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
 "cn=*"
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
member: uid=bjensen,ou=People,dc=example,dc=com
description: People who are willing to carpool
owner: uid=bjensen,ou=People,dc=example,dc=com
cn: Carpoolers

Performing the same search with the Get Effective Rights control, and requesting the aclRights attribute, shows what rights Babs has on the entry.

$ ldapsearch \
 --control effectiverights \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
 "cn=*" \
 aclRights
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0

Requesting the aclRightsInfo attribute as well shows, for each right, which ACIs were evaluated to arrive at that result.

$ ldapsearch \
 --control effectiverights \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
 "cn=*" \
 aclRights \
 aclRightsInfo
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
 ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
 s) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluat
 ed allow , deciding_aci: Anonymous read-search access)
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis 
 matched the subject )
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on
  entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to
  (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis matc
 hed the subject )
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access allowed(delete) 
 on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) 
 to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluated 
 allow , deciding_aci: Owner can delete self service groups)
aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis 
 matched the subject )

You can also request the effective rights for another user by using the --getEffectiveRightsAuthzid (short form: -g) option, which takes the authorization identity of the other user as an argument. The following example shows Directory Manager checking anonymous user rights to the same entry. Notice that the authorization identity for an anonymous user is expressed as "dn:".

$ ldapsearch \
 --getEffectiveRightsAuthzid "dn:" \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "cn=*" aclRightsInfo
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
 ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
 s) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: Anony
 mous read-search access)
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on
  entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) to
  (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(dele
 te) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NU
 LL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (anonymous) (not proxied) ( reason: no acis matched the subject )

When you need to check access to an attribute that might not yet exist on the entry, you can also use the --getEffectiveRightsAttribute (short form: -e) option, which takes an attribute list as an argument. The following example shows Directory Manager checking anonymous user access to the description attribute on the Self Service groups organizational unit entry. The description attribute is not yet present on the entry.

$ ldapsearch \
 --port 1389 \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "ou=Self Service" description
dn: ou=Self Service,ou=Groups,dc=example,dc=com

$ ldapsearch \
 --getEffectiveRightsAuthzid "dn:" \
 --getEffectiveRightsAttribute description \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "ou=Self Service" aclRights
dn: ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;attributeLevel;description: search:1,read:1,compare:1,write:0,selfwrit
 e_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
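Reading these values by eye does not scale to a whole subtree. The following Python is an added example, not code from the directory server documentation: it parses the aclRights and aclRightsInfo values as ldapsearch prints them (including LDIF line folding) and lists every granted right that modifies data together with the deciding ACI, which is the check to run after searching with -g "dn:" to see what anonymous users can change. The sample LDIF is constructed from the output shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the ldapsearch output above. LDIF folds long
# values onto continuation lines that begin with a single space.
SAMPLE = "\n".join([
    "dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com",
    "aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access allowed(delete) ",
    " on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL) ",
    " to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluated ",
    " allow , deciding_aci: Owner can delete self service groups)",
    "aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0",
    "aclRights;attributeLevel;description: search:1,read:1,compare:1,write:0,selfwrit",
    " e_add:0,selfwrite_delete:0,proxy:0",
])

MODIFYING = {"add", "delete", "write", "selfwrite_add", "selfwrite_delete", "proxy"}


def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_rights(ldif: str) -> Dict[str, dict]:
    """Map each DN to {scope: {right: bool}} for aclRights values (scope is
    'entryLevel' or 'attributeLevel;<attr>') plus {'deciding_aci': {'<scope>;<right>': name}}
    taken from the aclRightsInfo log lines."""
    result: Dict[str, dict] = {}
    dn = None
    for line in unfold(ldif):
        attr, _, value = line.partition(": ")
        if attr == "dn":
            dn = value
            result[dn] = {}
        elif attr.startswith("aclRights;") and dn:
            scope = attr[len("aclRights;"):]
            result[dn][scope] = {k: v == "1" for k, v in (p.split(":") for p in value.split(","))}
        elif attr.startswith("aclRightsInfo;logs;") and dn:
            m = re.search(r"deciding_aci: (.*)\)$", value)
            key = attr[len("aclRightsInfo;logs;"):]  # e.g. entryLevel;delete
            result[dn].setdefault("deciding_aci", {})[key] = m.group(1) if m else None
    return result


def modifying_rights(parsed: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Return (dn, scope, right, deciding ACI) for each granted right that changes data."""
    found = []
    for dn, scopes in parsed.items():
        acis = scopes.get("deciding_aci", {})
        for scope, rights in scopes.items():
            if scope != "deciding_aci":
                for right, ok in rights.items():
                    if ok and right in MODIFYING:
                        found.append((dn, scope, right, acis.get(f"{scope};{right}", "")))
    return found
```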