Red Hat Directory Server 8.0 Administrator's Guide
ldapsearch -p 389 -h localhost -D "cn=directory manager" -w password \
    -b "uid=tmorris,ou=people,dc=example,dc=com" \
    -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn: uid=dmiller,ou=people,dc=example,dc=com" \
    "(objectClass=*)"
version: 1
dn: uid=tmorris, ou=People, dc=example,dc=com
givenName: Ted
sn: Morris
ou: Accounting
ou: People
l: Santa Clara
manager: uid=dmiller, ou=People, dc=example,dc=com
roomNumber: 4117
mail: tmorris@example.com
facsimileTelephoneNumber: +1 408 555 5409
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: tmorris
cn: Ted Morris
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: givenName:rscwo, sn:rscwo, ou:rscwo, l:rscwo, manager:rscwo, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo, objectClass:rscwo, uid:rscwo, cn:rscwo, userPassword:rscwo
For all attributes, Dave Miller has read, search, compare, modify, and delete permissions to Ted
Morris's entry. These results differ from the ones returned when checking Ted Morris's
access to his own entry, since he personally had only read, search, and compare rights to most
of these attributes.
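The following added example (not part of the original guide) parses get effective rights output like the result above and reports watched attributes, here userPassword, that the checked user can modify or delete. The function names and the watch list are hypothetical; the meanings of the entry-level letters, of W and O, and of the value none are assumed from Directory Server's rights codes rather than taken from this page.

```python
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare", "w": "modify",
               "o": "delete", "W": "self-write", "O": "self-delete"}

# Abbreviated from the output above (sample); folded lines start with a space.
SAMPLE = """\
dn: uid=tmorris, ou=People, dc=example,dc=com
entryLevelRights: vadn
attributeLevelRights: givenName:rscwo, mail:rscwo,
 uid:rscwo, userPassword:rscwo
"""

def unfold(text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def decode(codes, table):
    """Map a rights string such as 'rscwo' to names; 'none' means no rights."""
    return [] if codes == "none" else [table.get(c, "unknown:" + c) for c in codes]

def parse_ger(text):
    """Return (dn, entry_rights, {attribute: rights}) for one returned entry."""
    dn, entry, attrs = None, [], {}
    for line in unfold(text):
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            dn = value
        elif key == "entryLevelRights":
            entry = decode(value, ENTRY_RIGHTS)
        elif key == "attributeLevelRights":
            for item in filter(None, (i.strip() for i in value.split(","))):
                name, _, codes = item.rpartition(":")
                attrs[name] = decode(codes, ATTR_RIGHTS)
    return dn, entry, attrs

def writable(attrs, watch=("userPassword",)):
    """Watched attributes the checked user may modify or delete."""
    return sorted(a for a in watch if {"modify", "delete"} & set(attrs.get(a, [])))

if __name__ == "__main__":
    dn, entry, attrs = parse_ger(SAMPLE)
    print(dn, entry, writable(attrs))
```
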
Only an administrator can retrieve effective rights to another user's entry. If Ted Morris tried to
determine Dave Miller's rights to Dave Miller's entry, then he would receive the following error:
ldapsearch -p 389 -h localhost -D "uid=dmiller,ou=people,dc=example,dc=com" \
    -w password \
    -b "uid=tmorris,ou=people,dc=example,dc=com" \
    -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn: uid=tmorris,ou=people,dc=example,dc=com" \
    "(objectClass=*)"
ldap_search: Insufficient access
ldap_search: additional info: get-effective-rights: requestor has no g permission on the entry
However, Ted Morris could run a get effective rights search on his personal entry to determine
the rights another user, such as Sam Carter, has to it. Assuming that an ldapsearch was run
with -b set to uid=tmorris,ou=people,dc=example,dc=com and the AuthId was set to
Chapter 6. Managing Access Control