Red Hat Directory Server 8.0 Administrator's Guide

In this example, Ted Morris has the right to add, view, delete, or rename the DN on his own
entry, as shown by the return values in entryLevelRights. For attributes, he has the right to
read, search, compare, self-modify, or self-delete the location (l) attribute but only self-write and
self-delete rights to his password, as shown in the attributeLevelRights return value.

Information is not given for attributes in an entry that do not have a value; for example, if the
userPassword value is removed, then a future effective rights search on the entry above would
not return any effective rights for userPassword, even though self-write and self-delete rights
could be allowed. Likewise, if the street attribute were added with read, compare, and search
rights, then street: rsc would appear in the attributeLevelRights results.

Table 6.6, “Permissions That Can Be Set on Entries” and Table 6.7, “Permissions That Can Be
Set on Attributes” summarize the permissions that can be set on entries and on attributes that
are retrieved by the get effective rights operation.

Permission    Description
a             Add.
d             Delete.
n             Rename the DN.
v             View the entry.

Table 6.6. Permissions That Can Be Set on Entries

Permission    Description
r             Read.
s             Search.
w             Write (mod-add).
o             Obliterate (mod-del). Analogous to delete.
c             Compare.
W             Self-write.
O             Self-delete.

Table 6.7. Permissions That Can Be Set on Attributes

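The following is an added example, not part of the guide: it decodes entryLevelRights and attributeLevelRights values using the codes in Tables 6.6 and 6.7, then flags sensitive attributes that carry plain write or obliterate rights instead of only the self rights. The function names, the sample LDIF lines, the handling of "none", and the choice of userPassword as the sensitive attribute are assumptions made for illustration.

```python
# Added example (not from the guide): decode get effective rights results.
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename DN", "v": "view"}  # Table 6.6
ATTR_RIGHTS = {"r": "read", "s": "search", "w": "write", "o": "obliterate",
               "c": "compare", "W": "self-write", "O": "self-delete"}      # Table 6.7

def decode(codes, table):
    """Expand a rights string such as 'rsc' into permission names."""
    codes = codes.strip()
    if codes == "none":  # assumption: 'none' marks an attribute with no rights
        return []
    unknown = sorted(set(codes) - set(table))
    if unknown:
        raise ValueError(f"unknown permission code(s): {unknown}")
    return [table[c] for c in codes]

def parse_ger(ldif_lines):
    """Return (entry rights, {attribute: rights}) for one unfolded LDIF entry.

    Attributes without a value are not reported by the server, so an
    attribute missing from the result does not mean no rights are allowed.
    """
    entry, attrs = [], {}
    for line in ldif_lines:
        name, _, value = line.partition(":")
        if name == "entryLevelRights":
            entry = decode(value, ENTRY_RIGHTS)
        elif name == "attributeLevelRights":
            for item in value.split(","):
                attr, _, codes = item.strip().partition(":")
                attrs[attr] = decode(codes, ATTR_RIGHTS)
    return entry, attrs

def overbroad(attrs, sensitive=("userPassword",)):
    """Sensitive attributes the subject can write or obliterate outright,
    rather than only through the self-write / self-delete rights."""
    return sorted(a for a in sensitive
                  if {"write", "obliterate"} & set(attrs.get(a, [])))

# Constructed samples. SELF follows the rights described for Ted Morris above;
# OTHER is a hypothetical result for a different AuthId.
SELF = ["dn: uid=tmorris,ou=people,dc=example,dc=com",
        "entryLevelRights: vadn",
        "attributeLevelRights: l:rscWO, userPassword:WO"]
OTHER = ["dn: uid=tmorris,ou=people,dc=example,dc=com",
         "entryLevelRights: v",
         "attributeLevelRights: l:rsc, userPassword:wo"]

if __name__ == "__main__":
    for sample in (SELF, OTHER):
        entry, attrs = parse_ger(sample)
        print(entry, attrs, "overbroad:", overbroad(attrs))
```
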
7.1. Using Get Effective Rights from the Command-Line
To retrieve the effective rights with ldapsearch, you must pass the control information with the
ldapsearch utility's -J option, as follows:

    ldapsearch -p port -h host -D bindDN -w bindPassword -b search_base \
        -J control OID:boolean criticality:dn:AuthId

Chapter 6. Managing Access Control