Chapter 8. Checking access rights on entries using Get Effective Rights search
As an administrator, you can find and control access rights that a user has on attributes within a specific entry.
Get effective rights (GER) is a way to extend directory searches to display what access rights a user has to a specified entry. You can specify the following rights:
- Read
- Write and self-write
- Search
- Add
- Delete
Checking effective rights on an entry is beneficial in the following situations:
- You can use the GER commands to better organize access control instructions for the directory. It is often necessary to restrict what one group of users can view or edit compared to another group. For example, members of the QA Managers group may have the right to search and read attributes like manager and salary, but only HR Group members have the right to modify or delete them. Checking effective rights for a user or group is one way to verify that an administrator sets the appropriate access controls.
- You can use the GER commands to see what attributes you can view or modify on your personal entry. For example, a user should have access to attributes such as homePostalAddress and cn, but may only have read access to the manager and salary attributes.
The getEffectiveRights search uses the following entities:
- The requester. It is the authenticated entry when the getEffectiveRights search issues an operation.
- The subject whose rights you will evaluate. It is defined as the authorization DN in the GER control.
- The target. You define it by the search base, search filter, and attribute list of the request.
8.1. Get Effective Rights search permissions
Any Get Effective Rights (GER) search shows the following access rights that an entry can have:
- The upper-level rights, which are the rights on the entry. These access rights show what kind of operations User A can perform on an entry of User B.
- The second-level rights, which show what rights User A has for a given attribute. User A may have different access permissions for different attributes in the same entry. Any access controls that a user has are the effective rights over that entry.
For example:
entryLevelRights: vadn
attributeLevelRights: givenName:rscWO, sn:rscW, objectClass:rsc, uid:rsc, cn:rscW
A GER search shows the following access rights to entries and attributes:
Permissions | Description |
---|---|
a | Add an entry. |
d | Delete this entry. |
n | Rename the DN. |
v | View the entry. |
Permissions | Description |
---|---|
r | Read. |
s | Search. |
w | Write (modify-add). |
o | Obliterate (modify-delete). |
c | Compare. |
W | Self-write. |
O | Self-delete. |
8.2. Get Effective Rights search format
The Get Effective Rights (GER) search is an extended directory search. To use it, you must pass the GER Lightweight Directory Access Protocol (LDAP) control to the ldapsearch command with the -E option. For example:
# ldapsearch -x -D bind_dn -W -p server_port -h server_hostname -b base_DN -E [!]1.3.6.1.4.1.42.2.27.9.5.2=:GER_subject (searchFilter) attributeList
- -b is the base DN of the subtree or entry you want to search for the GER subject. If the search base is a specific entry DN or if the result returns only one entry, then the results show the rights the requester has over that specific entry. If multiple entries match the filter, then the search returns every matching entry with the rights for the requester over each entry.
- 1.3.6.1.4.1.42.2.27.9.5.2 is the object identifier (OID) of the GER control. The exclamation mark (!) marks the control as critical: with it, the search operation returns an error if the server does not support this control; without it, the search returns nothing.
- The GER_subject is the user whose rights you check. You can leave the GER_subject blank (dn:) to get the result for the rights of an anonymous user.
- An optional attributeList limits the GER results to the specified attribute or object class, for example, a mail attribute.
- Use the asterisk (*) sign to return all attributes.
- Use the plus (+) sign to return operational attributes.
The GER option adds extra information to the ldapsearch results, showing what rights a specific user has. GER subject users can also request the rights on their own entries by binding with the -D option.
If the requester is not a Directory Manager user, then the requester can only see the rights that a GER subject has on the entry of the requester. All other entries return an insufficient access error for the effective rights.
The following scenarios for a regular user to run a GER search are common:
- User A checks the rights that he has over other directory entries.
- User A checks the rights that he has to his personal entry.
- User A checks the rights that User B has to the entry of User A.
8.3. Common scenarios for a Get Effective Rights search
The following examples show the common scenarios when and how you can use the Get Effective Rights search.
8.3.1. General examples of Get Effective Rights search
The most common scenarios when you need to use the Get Effective Rights (GER) search are:
Checking personal rights. User A checks the rights on their own entry. For example, Ted Morris wants to check the rights he has to his entry:
Example 8.1. Checking personal rights (User A to User A)
# ldapsearch -x -p 389 -h server.example.com -D "uid=tmorris,ou=people,dc=example,dc=com" -W -b "uid=tmorris,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=tmorris,ou=people,dc=example,dc=com' "(objectClass=*)"
dn: uid=tmorris,ou=People,dc=example,dc=com
givenName: Ted
sn: Morris
ou: IT
ou: People
l: Santa Clara
manager: uid=jsmith,ou=People,dc=example,dc=com
roomNumber: 4117
mail: tmorris@example.com
facsimileTelephoneNumber: +1 408 555 5409
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: tmorris
cn: Ted Morris
userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA==
entryLevelRights: v
attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rsc, manager:rsc, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo, objectClass:rsc, uid:rsc, cn:rsc, userPassword:wo
In this example, the -b option also carries the DN of the requester.
Checking the rights over another user. For example, Ted Morris is a manager and needs to check the entry of one of his subordinates, Dave Miller:
Example 8.2. Checking the rights over another user (User A to User B)
# ldapsearch -p 389 -h server.example.com -D "uid=tmorris,ou=people,dc=example,dc=com" -W -b "uid=dmiller,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=tmorris,ou=people,dc=example,dc=com' "(objectClass=*)"
dn: uid=dmiller,ou=People,dc=example,dc=com
...
entryLevelRights: vad
attributeLevelRights: givenName:rscwo, sn:rscwo, ou:rscwo, l:rscwo, manager:rsc, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo, objectClass:rscwo, uid:rscwo, cn:rscwo, userPassword:rswo
In this example, Ted Morris has read, search, compare, modify, and delete permissions for all attributes on the entry of Dave Miller.
As a Directory Manager, checking the rights that one user has over an entry of another user. For example, the Directory Manager checks what rights Jane Smith, as a manager, has over the entry of her subordinate Ted Morris:
Example 8.3. Directory Manager checking the rights of one user over another user
# ldapsearch -p 389 -h server.example.com -D "cn=Directory Manager" -W -b "uid=tmorris,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=jsmith,ou=people,dc=example,dc=com' "(objectClass=*)"
dn: uid=tmorris,ou=People,dc=example,dc=com
...
entryLevelRights: vadn
attributeLevelRights: givenName:rscwo, sn:rscwo, ou:rscwo, l:rscwo, manager:rscwo, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo, objectClass:rscwo, uid:rscwo, cn:rscwo, userPassword:rscwo
If a user does not have permissions, the result shows an insufficient access error:
Example 8.4. No permission on the entry
# ldapsearch -p 389 -h server.example.com -D "uid=dmiller,ou=people,dc=example,dc=com" -W -b "uid=tmorris,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=tmorris,ou=people,dc=example,dc=com' "(objectClass=*)"
ldap_search: Insufficient access
ldap_search: additional info: get-effective-rights: requester has no g permission on the entry
Checking what rights another user has over your entry. For example, Ted Morris checks what rights Dave Miller has on an entry of Ted Morris:
Example 8.5. Checking what rights another user has over your entry
# ldapsearch -p 389 -h server.example.com -D "uid=tmorris,ou=people,dc=example,dc=com" -W -b "uid=tmorris,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=dmiller,ou=people,dc=example,dc=com' "(objectClass=*)"
dn: uid=tmorris,ou=people,dc=example,dc=com
...
entryLevelRights: v
attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rsc, manager:rsc, roomNumber:rsc, mail:rsc, facsimileTelephoneNumber:rsc, objectClass:rsc, uid:rsc, cn:rsc, userPassword:none
In this example, Dave Miller has the right to view the DN of the entry and to read, search, and compare the ou, givenName, l, and other attributes. He has no rights at all to the userPassword attribute.
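The permission letters from the tables in section 8.1, the control syntax from section 8.2, and the result lines in the examples above are easy to misread by eye when an entry has many attributes. The following script is an added example, not code from the Directory Server documentation: it builds the -E control value and ldapsearch argument vector, parses GER output in the plain-text format shown in this chapter (including LDIF continuation lines that start with a space), decodes the letters into the words the tables use, and flags attributes on which a subject holds a right it must not have. The sample output is constructed from a subset of Examples 8.2 and 8.5; the host name and the forbidden-rights policy are assumptions.

```python
# Added example, not part of the Directory Server documentation. It decodes and
# audits GER results in the plain-text format shown in this chapter (LDIF-style
# "attribute: value" lines, one blank line between entries) using the permission
# letters from the two tables in section 8.1.
import shlex

GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"

# Entry-level letters (first table in section 8.1).
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}

# Attribute-level letters (second table in section 8.1).
ATTR_RIGHTS = {"r": "read", "s": "search", "w": "write", "o": "obliterate",
               "c": "compare", "W": "self-write", "O": "self-delete"}


def ger_control(subject_dn="", critical=True):
    """Build the -E value; an empty subject ("dn:") asks for anonymous rights."""
    return f"{'!' if critical else ''}{GER_OID}=:dn:{subject_dn}"


def ger_search_argv(bind_dn, base_dn, subject_dn="", attrs=("*",),
                    host="server.example.com", port=389, filt="(objectClass=*)"):
    """Assemble the ldapsearch argument vector for a GER search (nothing is executed)."""
    return ["ldapsearch", "-x", "-h", host, "-p", str(port), "-D", bind_dn, "-W",
            "-b", base_dn, "-E", ger_control(subject_dn), filt, *attrs]


def _unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ger_output(text):
    """Return {dn: {"entry": set(letters), "attrs": {attr: set(letters)}}}.

    The literal value "none" (no rights at all) becomes an empty set.
    """
    results, current = {}, None
    for line in _unfold(text):
        if not line.strip():
            current = None          # a blank line ends the current entry
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "dn":
            current = results.setdefault(value, {"entry": set(), "attrs": {}})
        elif current is None:
            continue
        elif key == "entryLevelRights":
            current["entry"] = set() if value == "none" else set(value)
        elif key == "attributeLevelRights":
            for item in value.split(","):
                attr, _, codes = item.strip().partition(":")
                current["attrs"][attr] = set() if codes == "none" else set(codes)
    return results


def describe(codes, table):
    """Translate permission letters into the words the tables use, sorted for stable output."""
    return sorted(table.get(c, f"unknown({c})") for c in codes)


def find_violations(results, forbidden):
    """List (dn, attribute, letter) for every right in `forbidden` that the subject holds.

    `forbidden` maps an attribute name to the letters that must be absent, e.g. {"userPassword": "rs"}.
    """
    violations = []
    for dn, rights in results.items():
        for attr, letters in forbidden.items():
            granted = rights["attrs"].get(attr, set()) & set(letters)
            violations.extend((dn, attr, g) for g in sorted(granted))
    return violations


# Constructed sample modelled on Examples 8.2 and 8.5 (subset of attributes):
# rights of a subject on tmorris's entry, then on dmiller's entry.
SAMPLE_OUTPUT = """\
dn: uid=tmorris,ou=people,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: givenName:rsc, sn:rsc, manager:rsc, mail:rsc,
  userPassword:none

dn: uid=dmiller,ou=people,dc=example,dc=com
entryLevelRights: vad
attributeLevelRights: givenName:rscwo, manager:rsc, mail:rscwo, userPassword:rswo
"""

if __name__ == "__main__":
    parsed = parse_ger_output(SAMPLE_OUTPUT)
    for dn, rights in parsed.items():
        print(dn, describe(rights["entry"], ENTRY_RIGHTS))
        for attr, letters in rights["attrs"].items():
            print("   ", attr, describe(letters, ATTR_RIGHTS))
    # Policy check: the subject must not be able to read or search userPassword.
    print(find_violations(parsed, {"userPassword": "rs"}))
    print(shlex.join(ger_search_argv("cn=Directory Manager", "ou=people,dc=example,dc=com")))
```

In practice you would pipe the real ldapsearch output into parse_ger_output and run find_violations with the policy you expect the ACIs to enforce; a non-empty result means the access control instructions do not match the intent, which is exactly the verification the chapter describes.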
8.3.2. Example of Get Effective Rights search for non-existent attributes
By default, the attributes in an entry have no values. Using an asterisk (*) with the Get Effective Rights (GER) search returns every attribute available for the entry, including attributes that are not set on the entry.
Example 8.6. Checking rights on every attribute of the entry
# ldapsearch -D "cn=Directory Manager" -W -b "uid=scarter,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=scarter,ou=people,dc=example,dc=com' "(objectclass=*)" "*"
dn: uid=scarter,ou=People,dc=example,dc=com
givenName: Sam
telephoneNumber: +1 408 555 4798
sn: Carter
ou: Accounting
ou: People
l: Sunnyvale
manager: uid=dmiller,ou=People,dc=example,dc=com
roomNumber: 4612
mail: scarter@example.com
facsimileTelephoneNumber: +1 408 555 9700
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter
userPassword: {SSHA}Xd9Jt8g1UsHC8enNDrEmxj3iJPKQLItlDYdD9A==
entryLevelRights: vadn
attributeLevelRights: objectClass:rscwo, aci:rscwo, sn:rscwo, cn:rscwo, description:rscwo, seeAlso:rscwo, telephoneNumber:rscwo, userPassword:rscwo, destinationIndicator:rscwo, facsimileTelephoneNumber:rscwo, internationaliSDNNumber:rscwo, l:rscwo, ou:rscwo, physicalDeliveryOfficeName:rscwo, postOfficeBox:rscwo, postalAddress:rscwo, postalCode:rscwo, preferredDeliveryMethod:rscwo, registeredAddress:rscwo, st:rscwo, street:rscwo, teletexTerminalIdentifier:rscwo, telexNumber:rscwo, title:rscwo, x121Address:rscwo, audio:rscwo, businessCategory:rscwo, carLicense:rscwo, departmentNumber:rscwo, displayName:rscwo, employeeType:rscwo, employeeNumber:rscwo, givenName:rscwo, homePhone:rscwo, homePostalAddress:rscwo, initials:rscwo, jpegPhoto:rscwo, labeledUri:rscwo, manager:rscwo, mobile:rscwo, pager:rscwo, photo:rscwo, preferredLanguage:rscwo, mail:rscwo, o:rscwo, roomNumber:rscwo, secretary:rscwo, uid:rscwo,x500UniqueIdentifier:rscwo, userCertificate:rscwo, userSMIMECertificate:rscwo, userPKCS12:rscwo
In this example, the secretary attribute is not set, but you can still see it in the GER search results.
8.3.3. Examples of Get Effective Rights search for specific attribute or object class
The examples in this section show how to search for the rights to a specific attribute, to a set of attributes, and to all attributes that belong to an object class of the entry.
To get Get Effective Rights (GER) search results for specific attributes of an entry, list those attributes after the filter. For example:
Example 8.7. Get Effective Rights search results for specific attributes
# ldapsearch -D "cn=Directory Manager" -W -b "uid=scarter,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=scarter,ou=people,dc=example,dc=com' "(objectclass=*)" cn mail initials
dn: uid=scarter,ou=People,dc=example,dc=com
cn: Sam Carter
mail: scarter@example.com
entryLevelRights: vadn
attributeLevelRights: cn:rscwo, mail:rscwo, initials:rscwo
To run a GER search for a specific attribute of an object class of an entry, use the format attribute@objectClass. The requester must be a Directory Manager.
Example 8.8. Get Effective Rights search results for a specific attribute of an object class
# ldapsearch -D "cn=Directory Manager" -W -b "uid=scarter,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=scarter,ou=people,dc=example,dc=com' "(objectclass=*)" uidNumber@posixAccount
...
dn: cn=template_posixaccount_objectclass,uid=scarter,ou=people,dc=example,dc=com
uidnumber: (template_attribute)
entryLevelRights: v
attributeLevelRights: uidNumber:rsc
You can use an asterisk (*) to return all attributes of an object class in the format *@objectClass. The search result also includes the non-existent attributes.
8.3.4. Examples of Get Effective Rights search for non-existent entries
This example shows how to check the rights of a specific user over the entry of a user that does not exist yet. In this case the server generates a template entry within the subtree, and you can use the Get Effective Rights (GER) search on it. For checking a non-existent entry, the GER search can use a specified object class to generate a template entry with all of the potential attributes of this entry.
When the server creates the template entry, it uses the first MUST attribute in the object class definition to create the RDN attribute. If no MUST attribute exists, the server uses a MAY attribute. Specify the RDN value by passing it to the object class in the format @objectclass:rdn_attribute.
For example, to check the rights of scarter for a non-existent POSIX entry with uidNumber as its RDN:
Example 8.9. Checking rights on non-existent entry
# ldapsearch -D "cn=Directory Manager" -W -b "ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=scarter,ou=people,dc=example,dc=com' "(objectclass=*)" @posixaccount:uidnumber
dn: uidNumber=template_posixaccount_objectclass,ou=people,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: description:rsc, gecos:rsc, loginShell:rsc, userPassword:rsc, objectClass:rsc, homeDirectory:rsc, gidNumber:rsc, uidNumber:rsc, uid:rsc, cn:rsc
8.3.5. Examples of Get Effective Rights search for operational attributes
By default, the ldapsearch command does not return operational attributes. Use the plus sign (+) to search for them. Using the + returns only the operational attributes that apply to the entry.
Example 8.10. Searching for operational attributes
# ldapsearch -D "cn=Directory Manager" -W -x -b "uid=scarter,ou=people,dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=scarter,ou=people,dc=example,dc=com' "(objectclass=*)" "+"
dn: uid=scarter,ou=People,dc=example,dc=com
entryLevelRights: vadn
attributeLevelRights: nsICQStatusText:rscwo, passwordGraceUserTime:rscwo, pwdGraceUserTime:rscwo, nsYIMStatusText:rscwo, modifyTimestamp:rscwo, passwordExpWarned:rscwo, pwdExpirationWarned:rscwo, entrydn:rscwo, aci:rscwo, nsSizeLimit:rscwo, nsAccountLock:rscwo, passwordExpirationTime:rscwo, entryid:rscwo, nsSchemaCSN:rscwo, nsRole:rscwo, retryCountResetTime:rscwo, ldapSchemas:rscwo, nsAIMStatusText:rscwo, copiedFrom:rscwo, nsICQStatusGraphic:rscwo, nsUniqueId:rscwo, creatorsName:rscwo, passwordRetryCount:rscwo, dncomp:rscwo, nsTimeLimit:rscwo, passwordHistory:rscwo, pwdHistory:rscwo, nscpEntryDN:rscwo, subschemaSubentry:rscwo, nsYIMStatusGraphic:rscwo, hasSubordinates:rscwo, pwdpolicysubentry:rscwo, nsAIMStatusGraphic:rscwo, nsRoleDN:rscwo, createTimestamp:rscwo, accountUnlockTime:rscwo, copyingFrom:rscwo, nsLookThroughLimit:rscwo, nsds5ReplConflict:rscwo, modifiersName:rscwo, parentid:rscwo, passwordAllowChangeTime:rscwo, nsBackendSuffix:rscwo, nsIdleTimeout:rscwo, ldapSyntaxes:rscwo, numSubordinates:rscwo
8.3.6. Examples of Get Effective Rights results and Access Control rules
The effective Access Control List (ACL) defines what Get Effective Rights (GER) a user has.
Example 8.11. Access Control List
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci: (target=ldap:///ou=Accounting,dc=example,dc=com)(targetattr="*")(version 3.0; acl "test acl"; allow (read,search,compare) (userdn = "ldap:///anyone") ;)

dn: ou=Accounting,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Accounting
In this example, the ACL does not include the dc=example,dc=com subtree. That causes the GER search result to show that the user does not have any right on the dc=example,dc=com entry:
Example 8.12. GER search results with unset ACL
# ldapsearch -D "cn=Directory Manager" -W -b "dc=example,dc=com" -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=scarter,ou=people,dc=example,dc=com' "(objectclass=*)" "*@person"
dn: cn=template_person_objectclass,uid=scarter,ou=people,dc=example,dc=com
objectClass: person
objectClass: top
cn: (template_attribute)
sn: (template_attribute)
description: (template_attribute)
seeAlso: (template_attribute)
telephoneNumber: (template_attribute)
userPassword: (template_attribute)
entryLevelRights: none
attributeLevelRights: sn:none, cn:none, objectClass:none, description:none, seeAlso:none, telephoneNumber:none, userPassword:none, aci:none
To see the result, you must be a Directory Manager; otherwise the result is blank.
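The reason Example 8.12 reports none for every right is that the aci in Example 8.11 is placed on dc=example,dc=com but its target clause points at the ou=Accounting subtree, so the root entry itself falls outside the scope of the only rule that grants anything. The following script is an added example, not code from the Directory Server documentation; it models only the subtree scoping of an ACI target clause and checks which entries the Example 8.11 aci covers. It does not model targetattr, targetfilter, bind rules such as userdn, or the default target that applies when an aci has no target clause.

```python
# Added example, not part of the Directory Server documentation. It models only
# the subtree scoping of an ACI "target" clause, to show why the ACL in Example
# 8.11 (target ou=Accounting) grants nothing on dc=example,dc=com itself. Real
# ACI evaluation also weighs targetattr, targetfilter and bind rules (userdn),
# none of which is modelled here.
import re


def normalize_dn(dn):
    """Split a DN into (type, value) RDN pairs, case-folded and whitespace-trimmed.

    Simplified: escaped commas and multi-valued RDNs are not handled.
    """
    pairs = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def in_target_scope(target_dn, entry_dn):
    """True when entry_dn is the target entry itself or lies anywhere below it."""
    target, entry = normalize_dn(target_dn), normalize_dn(entry_dn)
    return len(entry) >= len(target) and entry[-len(target):] == target


def parse_aci_target(aci):
    """Extract the DN from an aci value's (target=ldap:///...) clause, or None if absent."""
    match = re.search(r'\(target\s*=\s*"?ldap:///([^")]+)"?\)', aci)
    return match.group(1) if match else None


def entries_covered(aci, entry_dns):
    """Map each DN to whether the aci's target clause scopes to it.

    An aci without a target clause is reported as covering nothing here; the
    server's default (the entry the aci is placed on) is deliberately not modelled.
    """
    target = parse_aci_target(aci)
    return {dn: target is not None and in_target_scope(target, dn) for dn in entry_dns}


# The aci value from Example 8.11, which is placed on dc=example,dc=com.
EXAMPLE_ACI = ('(target=ldap:///ou=Accounting,dc=example,dc=com)(targetattr="*")'
               '(version 3.0; acl "test acl"; allow (read,search,compare) '
               '(userdn = "ldap:///anyone") ;)')

if __name__ == "__main__":
    for dn, covered in entries_covered(EXAMPLE_ACI, [
        "dc=example,dc=com",
        "ou=Accounting,dc=example,dc=com",
        "uid=scarter,ou=accounting,dc=example,dc=com",
        "ou=People,dc=example,dc=com",
    ]).items():
        print(f"{dn}: {'in scope' if covered else 'not in scope'}")
```

Running the script shows that only ou=Accounting,dc=example,dc=com and its descendants are in scope, while dc=example,dc=com and ou=People,dc=example,dc=com are not, which is consistent with the none results in Example 8.12. The GER search remains the authoritative check, because it is evaluated by the server with the complete ACI semantics.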
8.4. Get Effective Rights return codes
The Get Effective Rights (GER) search result returns an error code if an error occurs. The following table describes the error codes:
Code | Description |
---|---|
0 | Successfully completed. |
1 | Operation error. |
12 | The critical extension is unavailable. If the critical expression is set (the ! prefix) and the server does not support this control, the search returns this error. |
16 | No such attribute. |
17 | Undefined attribute type. |
21 | Invalid attribute syntax. |
50 | Insufficient rights. |
52 | Unavailable. |
53 | Unwilling to perform. |
80 | Other. |