HP-UX Directory Server 8.1 administrator guide
base match the filter, then the search returns every matching entry, with the rights for the
requester over each entry.
• 1.3.6.1.4.1.42.2.27.9.5.2 is the OID for the get effective rights control.
• criticality specifies whether the search operation should return an error if the server
does not support this control (true) or whether the control should be ignored and the search
return as normal (false).
• The GER_subject is the person whose rights are being checked. If the GER subject is left
blank (dn:), then the rights of an anonymous user are returned.
• An optional attributeList limits the get effective rights results to the specified attributes
or object class. As with a regular ldapsearch, this can name specific attributes, like mail.
If no attributes are listed, then every attribute present in the entry is returned. Using an
asterisk (*) returns the rights for every possible attribute of the entry, both existing and
non-existent attributes. Using a plus sign (+) returns the operational attributes for the
entry. Examples for checking rights on specific attributes are given in “Examples of get
effective rights searches for non-existent attributes” and “Examples of get effective rights
searches for specific attributes or object classes”.
The crux of a get effective rights search is the ability to check what rights the GER subject (-J)
has to the targets of the search (-b). The get effective rights search is a regular ldapsearch, in
that it simply looks for entries that match the search parameters and returns their information.
The get effective rights option adds extra information to those search results, showing what
rights a specific user has over those results. That GER subject user can be the requester himself
(-D is the same as -J) or someone else.
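The OID, criticality flag and GER subject listed above travel inside a single LDAP request control attached to the search (the -J option). As an added example that is not code from the guide, the following Python builds and parses that RFC 4511 Control structure; it assumes the control value is a BER SEQUENCE holding the authzId ("dn:<DN>", or a bare "dn:" for an anonymous subject) as an OCTET STRING, which should be confirmed against a packet capture before the layout is relied on.

```python
# Added example (not from the HP-UX DS guide): BER-encode and decode the RFC 4511
# Control carrying the get effective rights OID, criticality and GER subject.
# ASSUMPTION: controlValue is a SEQUENCE holding the authzId ("dn:<DN>", or a
# bare "dn:" for an anonymous subject) as an OCTET STRING; verify on a capture.

GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"  # get effective rights control OID

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content

def encode_ger_control(subject_dn: str = "", critical: bool = True) -> bytes:
    """Encode the control; an empty subject_dn means anonymous rights ("dn:").
    critical=True makes a server that lacks the control fail the search,
    critical=False lets it ignore the control and answer normally."""
    value = _tlv(0x30, _tlv(0x04, ("dn:" + subject_dn).encode()))  # assumed
    fields = _tlv(0x04, GER_OID.encode())              # controlType LDAPOID
    if critical:                                       # BOOLEAN DEFAULT FALSE
        fields += _tlv(0x01, b"\xff")                  # criticality
    return _tlv(0x30, fields + _tlv(0x04, value))      # controlValue

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_ger_control(raw: bytes) -> dict:
    """Inverse of encode_ger_control; rejects any other control OID."""
    tag, ctrl, _ = _read_tlv(raw, 0)
    _, oid, p = _read_tlv(ctrl, 0)
    if tag != 0x30 or oid.decode() != GER_OID:
        raise ValueError("not a get effective rights control")
    critical = False
    if ctrl[p] == 0x01:                                # optional BOOLEAN
        _, flag, p = _read_tlv(ctrl, p)
        critical = flag != b"\x00"
    _, value, _ = _read_tlv(ctrl, p)
    _, seq, _ = _read_tlv(value, 0)                    # assumed SEQUENCE
    _, authz, _ = _read_tlv(seq, 0)                    # authzId "dn:..."
    subject = authz.decode()
    if not subject.startswith("dn:"):
        raise ValueError("GER subject must be a dn: authzId")
    return {"critical": critical, "anonymous": subject == "dn:", "subject_dn": subject[3:]}
```

Inspecting a decoded control this way is a quick check that a search really asks for a specific subject's rights (and with the criticality you intended) rather than the anonymous "dn:" form.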
If the requester is a regular user (not the Directory Manager), then the requester can only see the
effective rights that a GER subject has on the requester's own entry. That is, if John Smith runs a
request to see what effective rights Babs Jensen has, then he can only get the effective rights that
Babs Jensen has on John Smith's entry. All the other entries return an insufficient access error for
the effective rights.
There are three general scenarios for a regular user when running a get effective rights search:
• User A checks the rights that he has over other directory entries.
• User A checks the rights that he has to his personal entry.
• User A checks the rights that User B has to User A's entry.
The get effective rights search offers several ways to check rights on attributes.
6.7.2.1 General examples on checking access rights
One common scenario for effective rights searches is for a regular user to determine what changes
he can make to his personal entry.
For example, Ted Morris wants to check the rights he has to his entry. Both the -D and -J options
give his entry as the requester. Because he is checking his personal entry, the -b option also
contains his DN.
266 Managing access control