The get effective rights request control
After you have defined your access control policy, we recommend that you verify that it is working as expected.
While you can do this by issuing requests against the server to ensure that operations are permitted and rejected as appropriate, the PingDirectory server also provides support for a get effective rights request control that can be used to determine what access a given user has to a specified entry.
This control can be used programmatically through the UnboundID LDAP SDK for Java, but it can also be used from the command line with the ldapsearch tool. The tool provides the following arguments pertaining to this feature:
--getEffectiveRightsAuthzID - Identifies the user whose access control rights should be examined. This should be an authorization ID that identifies the user either by distinguished name (DN), prefixed by dn:, or by username, prefixed by u:.
--getEffectiveRightsAttribute - Specifies the name of an attribute for which you wish to obtain the specified user's effective rights. This argument can be used multiple times to provide multiple attribute names.
For example:
$ bin/ldapsearch --hostname ds.example.com \
--port 636 \
--useSSL \
--bindDN "cn=Directory Manager" \
--baseDN dc=example,dc=com \
--scope base \
--getEffectiveRightsAuthzID dn:uid=test.user,ou=People,dc=example,dc=com \
--getEffectiveRightsAttribute objectClass \
--getEffectiveRightsAttribute dc \
"(objectClass=*)" \
aclRights
Enter the bind password:
dn: dc=example,dc=com
aclRights;attributeLevel;objectclass: search:1,read:1,compare:1,write:0,
selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;attributeLevel;dc: search:1,read:1,compare:1,write:0,
selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
# Result Code: 0 (success)
# Number of Entries Returned: 1
Each search result entry that is returned includes an aclRights attribute that indicates what rights the target user has when interacting with that entry. If you do not use the --getEffectiveRightsAttribute argument to specify any attribute names, only the aclRights;entryLevel value, which shows the rights the user has on the entry itself, is returned. Otherwise, there is an additional aclRights;attributeLevel value for each requested attribute showing the rights for that attribute.
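Verifying a policy by reading aclRights values by eye does not scale past a handful of entries, so the following added example (not part of PingDirectory or the UnboundID LDAP SDK) parses the aclRights attribute values in the format shown above and compares them against a table of expected rights. The sample output embedded in the code is constructed to match the ldapsearch result above, with the long values folded onto continuation lines the way LDIF output wraps them; the scope keys ("entry", "attr:dc") and the expected-rights table are assumptions of this example.

```python
"""Check aclRights values from a get effective rights search against an
expected-rights table. Example code, not part of PingDirectory or the
UnboundID LDAP SDK."""
import re
from typing import Dict, List

# Constructed sample output matching the ldapsearch result on this page.
# LDIF folds long values: a line starting with one space continues the
# previous line.
SAMPLE_OUTPUT = """\
dn: dc=example,dc=com
aclRights;attributeLevel;objectclass: search:1,read:1,compare:1,write:0,
 selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;attributeLevel;dc: search:1,read:1,compare:1,write:0,
 selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines and drop comment and blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


# aclRights;entryLevel: ...  or  aclRights;attributeLevel;<attr>: ...
_ACL_RE = re.compile(
    r"^aclRights;(entryLevel|attributeLevel;(?P<attr>[^:]+)):\s*(?P<body>.*)$"
)


def parse_acl_rights(text: str) -> Dict[str, Dict[str, bool]]:
    """Map "entry" or "attr:<name>" (assumed keys) to {right: granted}."""
    result: Dict[str, Dict[str, bool]] = {}
    for line in unfold_ldif(text):
        m = _ACL_RE.match(line)
        if not m:
            continue  # dn: line or any other attribute
        if m.group(1) == "entryLevel":
            scope = "entry"
        else:
            scope = "attr:" + m.group("attr").lower()
        flags: Dict[str, bool] = {}
        for token in m.group("body").split(","):
            name, _, value = token.strip().partition(":")
            if value not in ("0", "1"):
                raise ValueError(f"unexpected right value in {token!r}")
            flags[name] = value == "1"
        result[scope] = flags
    return result


def find_violations(rights: Dict[str, Dict[str, bool]],
                    expected: Dict[str, Dict[str, bool]]) -> List[str]:
    """Return a readable message for every expected right that does not
    match what the server reported; an empty list means the policy holds."""
    problems: List[str] = []
    for scope, wanted in expected.items():
        actual = rights.get(scope)
        if actual is None:
            problems.append(f"{scope}: no aclRights value returned")
            continue
        for right, should_have in wanted.items():
            if right not in actual:
                problems.append(f"{scope}: right {right!r} not reported")
            elif actual[right] != should_have:
                problems.append(
                    f"{scope}: {right} is {int(actual[right])}, "
                    f"expected {int(should_have)}"
                )
    return problems


# Assumed policy for uid=test.user on dc=example,dc=com: read-only access.
EXPECTED_TEST_USER = {
    "entry": {"read": True, "write": False, "add": False,
              "delete": False, "proxy": False},
    "attr:dc": {"read": True, "write": False},
    "attr:objectclass": {"read": True, "write": False},
}

if __name__ == "__main__":
    violations = find_violations(parse_acl_rights(SAMPLE_OUTPUT),
                                 EXPECTED_TEST_USER)
    print("policy OK" if not violations else "\n".join(violations))
```

In practice you would feed the script the output of the ldapsearch command shown above for each user and entry you care about, and extend the expected-rights table as the access control policy grows; any non-empty violation list is a policy regression worth investigating before the change ships.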