Red Hat Directory Server 8.0 Administrator's Guide

also means that these attributes must be explicitly requested in the search attributes list in
search requests. For example, this ldapsearch command lists all of the roles (values of
nsRole), all of the managed roles (values of nsRoleDN), and all of the regular attributes in the
entry matched by uid=scarter.
ldapsearch ... args ... "(uid=scarter)" \* nsRole nsRoleDN
Similarly, role definition entries are operational entries and are not returned by
default with regular searches. This means that if roles are defined under the
ou=People,dc=example,dc=com subtree, for example, the following ldapsearch command will
not return the role definitions for any entry:
ldapsearch -s sub -b ou=People,dc=example,dc=com "(objectclass=*)"
To see the role definition entries, use the special search filter
"(objectclass=ldapSubEntry)" with ldapsearch. The special filter can be added to any other
search filter, using OR (|):
ldapsearch -s sub -b ou=People,dc=example,dc=com "(|(objectclass=*)(objectclass=ldapSubEntry))"
This search shows all regular entries in addition to role definition entries in the
ou=People,dc=example,dc=com subtree. The Console automatically shows all of the role
entries.
NOTE
In some cases, the value of the nsRoleDN attribute must be protected with an
ACI, as the attribute is writable. For more information about security and roles,
see Section 1.4, “Using Roles Securely”.
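Since both the nsRole/nsRoleDN values and the role definition subentries only appear when explicitly requested, a review of who holds which role usually starts from saved ldapsearch output. The following is an added example, not code from the Red Hat guide: it parses LDIF as ldapsearch prints it, separates role definitions (entries carrying the ldapSubEntry object class) from regular entries, and lists the nsRoleDN values on each user entry, which is the writable attribute the note above says may need an ACI. The sample LDIF, DNs and values are constructed.

```python
# Added example, not from the Red Hat guide: parse ldapsearch LDIF output that
# includes nsRole/nsRoleDN and separate role definitions from regular entries.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: scarter
nsRoleDN: cn=MarketingStaff,ou=People,dc=example,dc=com
nsRole: cn=MarketingStaff,ou=People,dc=example,dc=com
nsRole: cn=AllStaff,ou=People,dc=example,dc=com

dn: cn=MarketingStaff,ou=People,dc=example,dc=com
objectClass: top
objectClass: LdapSubEntry
objectClass: nsRoleDefinition
objectClass: nsManagedRoleDefinition
cn: MarketingStaff
description: Marketing staff, assigned through
  nsRoleDN on each member entry
"""

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]; folds continuation lines."""
    entries, cur = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and cur:      # folded continuation line
            cur[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            cur.append(raw)
        elif not raw and cur:                # blank line ends an entry
            attrs = defaultdict(list)
            for line in cur:
                name, _, value = line.partition(":")
                attrs[name.lower()].append(value.strip())
            entries.append((attrs.pop("dn")[0], dict(attrs)))
            cur = []
    return entries

def audit_roles(text):
    """Return (role-definition DNs, {user DN: nsRoleDN values})."""
    role_defs, managed = [], {}
    for dn, attrs in parse_ldif(text):
        ocs = [oc.lower() for oc in attrs.get("objectclass", [])]
        if "ldapsubentry" in ocs:            # role definition subentry
            role_defs.append(dn)
        elif "nsroledn" in attrs:            # writable membership attribute
            managed[dn] = attrs["nsroledn"]
    return role_defs, managed
```

Feed it the output of the ldapsearch shown above that requests \* nsRole nsRoleDN together with the (objectclass=ldapSubEntry) filter; without those, the user entries carry no role attributes and the role definitions are absent.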
1.3.1. Examples: Managed Role Definition
Example Corporation's administrator is creating a role to be assigned to all marketing staff by
doing the following:
1. Run ldapmodify:
ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389
2. Create the managed role entry, containing the nsManagedRoleDefinition object class,
which in turn inherits from the LdapSubEntry, nsRoleDefinition, and