After you have defined your access control policy, we recommend that you verify that it is working as expected.
While you can do this by issuing requests against the server to ensure that operations are permitted and rejected as appropriate, the PingDirectory server also provides support for a get effective rights request control that can be used to determine what access a given user has to a specified entry.
This control can be used programmatically through the UnboundID LDAP SDK for Java, but it can also be done from the command line using the ldapsearch tool. The tool provides the following arguments pertaining this feature:
- Identifies the user whose access control rights should be examined. This should
be an authorization ID that either identifies the user by distinguished name
(DN) (prefixed by
dn:) or username (prefixed by
- Specifies the name of an attribute for which you wish to obtain the specified user’s effective rights. This argument can be used multiple times to provide multiple attribute names.
$ bin/ldapsearch --hostname ds.example.com \ --port 636 \ --useSSL \ --bindDN "cn=Directory Manager" \ --baseDN dc=example,dc=com \ --scope base \ --getEffectiveRightsAuthzID dn:uid=test.user,ou=People,dc=example,dc=com \ --getEffectiveRightsAttribute objectClass \ --getEffectiveRightsAttribute dc \ "(objectClass=*)" \ aclRights Enter the bind password: dn: dc=example,dc=com aclRights;attributeLevel;objectclass:search:1,read:1,compare:1,write:0, selfwrite_add:0,selfwrite_delete:0,proxy:0 aclRights;attributeLevel;dc: search:1,read:1,compare:1,write:0, selfwrite_add:0,selfwrite_delete:0,proxy:0 aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0 # Result Code: 0 (success) # Number of Entries Returned: 1
Each search result entry that is returned includes an
attribute that indicates what rights the target user has when interacting with that
entry. If you do not use the
--getEffectiveRightsAttribute argument to
specify any attribute names, then only the
attribute is used to show the rights the user has when interacting with the entry itself
will be returned. Otherwise, there is an additional
aclRights;attributeLevel value for each requested attribute showing
the rights for that attribute.