After you have defined your access control policy, we recommend that you verify that it is working as expected.
While you can do this by issuing requests against the server to ensure that operations are permitted and rejected as appropriate, the PingDirectory Server also provides support for a get effective rights request control that can be used to determine what access a given user has to a specified entry.
This control can be used programmatically through the UnboundID LDAP SDK for Java, but it can also be done from the command line using the ldapsearch tool. The tool provides the following arguments pertaining this feature:
- Identifies the user whose access control rights should be examined. This should be an
authorization ID that either identifies the user by distinguished name (DN)
dn:) or username (prefixed by
- Specifies the name of an attribute for which you wish to obtain the specified user’s effective rights. This argument can be used multiple times to provide multiple attribute names.
$ bin/ldapsearch --hostname ds.example.com \ --port 636 \ --useSSL \ --bindDN "cn=Directory Manager" \ --baseDN dc=example,dc=com \ --scope base \ --getEffectiveRightsAuthzID dn:uid=test.user,ou=People,dc=example,dc=com \ --getEffectiveRightsAttribute objectClass \ --getEffectiveRightsAttribute dc \ "(objectClass=*)" \ aclRights Enter the bind password: dn: dc=example,dc=com aclRights;attributeLevel;objectclass:search:1,read:1,compare:1,write:0, selfwrite_add:0,selfwrite_delete:0,proxy:0 aclRights;attributeLevel;dc: search:1,read:1,compare:1,write:0, selfwrite_add:0,selfwrite_delete:0,proxy:0 aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0 # Result Code: 0 (success) # Number of Entries Returned: 1
Each search result entry that is returned includes an
aclRights attribute that
indicates what rights the target user has when interacting with that entry. If you do
not use the
--getEffectiveRightsAttribute argument to specify any
attribute names, then only the
aclRights;entryLevel attribute is used
to show the rights the user has when interacting with the entry itself will be returned.
Otherwise, there is an additional
aclRights;attributeLevel value for
each requested attribute showing the rights for that attribute.