Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual page 141


• An administrator can use the get effective rights command for fine-grained access control, such as
allowing certain groups or users access to entries and restricting others. For example, members
of the QA Managers group may have the right to search and read attributes such as title and
salary, but only HR Group members have the rights to modify or delete them.
• A user can use the get effective rights option to determine what attributes they can view or
modify on their personal entry. For example, a user should have access to attributes such as
homePostalAddress and cn, but may only have read access to title and salary.
An ldapsearch executed using the -J switch returns the access controls on a particular entry as
part of the normal search results. The following search shows the rights that user Ted Morris has
to his personal entry:
/usr/lib/mozldap/ldapsearch -p 389 -h localhost \
    -D "uid=tmorris, ou=people,dc=example,dc=com" -w password \
    -b "uid=tmorris, ou=people,dc=example,dc=com" \
    -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=tmorris, ou=people,dc=example,dc=com" \
    "(objectClass=*)"
version: 1
dn: uid=tmorris, ou=People, dc=example, dc=com
givenName: Ted
sn: Morris
ou: Accounting
ou: People
l: Santa Clara
manager: uid=dmiller, ou=People, dc=example, dc=com
roomNumber: 4117
mail: tmorris@example.com
facsimileTelephoneNumber: +1 408 555 5409
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: tmorris
cn: Ted Morris
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: vadn
attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rscow, manager:rsc,
roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo,
objectClass:rsc, uid:rsc, cn:rsc, userPassword:wo
In this example, Ted Morris has the right to add, view, delete, or rename the DN on his own entry, as
shown by the results in entryLevelRights. He can read, search, compare, self-modify, or self-delete
the location (l) attribute but has only self-write and self-delete rights to his password, as shown in
the attributeLevelRights result.
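To turn this response format into something an access review can check automatically, the following added Python example (not from the Red Hat manual) unfolds the LDIF result of a get effective rights search, parses entryLevelRights and attributeLevelRights, and lists every right that exceeds a least-privilege ceiling. The sample response is constructed from the entry above, the letter meanings are those given in the text, and the ceiling passed to audit() is an assumed policy.

```python
# Rights letters as described in the manual text above.
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare",
               "w": "self-write", "o": "self-delete"}

# Constructed sample: the response shown above in LDIF form, with the long
# attributeLevelRights value folded onto continuation lines (leading space).
SAMPLE = """\
version: 1
dn: uid=tmorris, ou=People, dc=example, dc=com
cn: Ted Morris
userPassword: {SSHA}PLACEHOLDER
entryLevelRights: vadn
attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rscow, manager:rsc,
 roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo,
 objectClass:rsc, uid:rsc, cn:rsc, userPassword:wo
"""

def unfold(text):
    """Join LDIF continuation lines (lines that start with a space)."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def parse_effective_rights(text):
    """Return (dn, entry-level rights set, {attribute: rights set})."""
    dn, entry, attrs = None, set(), {}
    for line in unfold(text):
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            dn = value
        elif name == "entryLevelRights":
            entry = set(value)
        elif name == "attributeLevelRights":
            for item in value.split(","):
                attr, _, letters = item.strip().partition(":")
                attrs[attr] = set(letters)
    return dn, entry, attrs

def audit(entry, attrs, max_entry, max_attrs):
    """List (target, right) pairs granted beyond the given ceiling.
    Attributes absent from max_attrs are not checked."""
    findings = [("entry", ENTRY_RIGHTS[x]) for x in sorted(entry - max_entry)]
    for attr, letters in sorted(attrs.items()):
        for x in sorted(letters - max_attrs.get(attr, letters)):
            findings.append((attr, ATTR_RIGHTS[x]))
    return findings
```

With the assumed ceiling below, the audit reports that Ted can add, delete and rename his own entry and self-write or self-delete his location, while his password rights stay within policy.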
By default, effective rights information is not returned for attributes in an entry that do not have
a value or which do not exist in the entry. For example, if the userPassword value is removed,
then a future effective rights search on the above entry would not return any effective rights for
userPassword, even though self-write and self-delete rights could be allowed. Similarly, if the
Viewing ACIs: Get Effective Rights
131
