HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

6.7.1 Rights shown with a get effective rights search
Any get effective rights search, whether run by viewing an entry in the Directory Server Console
or by searching for it from the command line, shows the rights that User A has to User B's entry.
Two kinds of access rights can be allowed on any entry. The first are upper-level rights, rights
on the entry itself, which are the kinds of operations that User A can perform on User B's entry
as a whole. The second kind are more granular and show what rights User A has for a given
attribute. In this case, User A may have different access permissions for different attributes
in the same entry. Whatever access controls are allowed for a user are the effective rights over
that entry.
For example:
entryLevelRights: vadn
attributeLevelRights: givenName:rscWO, sn:rscW, objectClass:rsc, uid:rsc,
cn:rscW
Table 28 (page 263) and Table 29 (page 263) show the access rights to entries and attributes,
respectively, that are returned by a get effective rights search.
Table 28 Entry rights
Permission   Description
a            Add an entry.
d            Delete this entry.
n            Rename the DN.
v            View the entry.
Table 29 Attribute rights
Permission   Description
r            Read.
s            Search.
w            Write (mod-add).
o            Obliterate (mod-del). Analogous to delete.
c            Compare.
W            Self-write.
O            Self-delete.
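The following is an added example, not part of the HP guide: a small Python decoder that expands the entryLevelRights and attributeLevelRights letters using Table 28 and Table 29 and lists the attributes the subject can modify. The sample DN, the LDIF line folding and the handling of a "none" value are assumptions; the function names are illustrative.

```python
import re

# Letter meanings from Table 28 (entry rights) and Table 29 (attribute rights).
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename DN", "v": "view"}
ATTR_RIGHTS = {"r": "read", "s": "search", "w": "write (mod-add)",
               "o": "obliterate (mod-del)", "c": "compare",
               "W": "self-write", "O": "self-delete"}
MODIFY = set("woWO")  # any right that lets the subject change a value

# Constructed sample: the rights strings from the example above under a
# hypothetical DN, folded as LDIF folds long lines (continuation = one space).
SAMPLE = """dn: uid=userB,ou=People,dc=example,dc=com
entryLevelRights: vadn
attributeLevelRights: givenName:rscWO, sn:rscW, objectClass:rsc, uid:rsc,
 cn:rscW
"""

def decode(letters, table):
    """Map a rights string such as 'rscW' to the names in `table`."""
    if letters == "none":  # assumption: a server may print 'none' for no rights
        return []
    unknown = [c for c in letters if c not in table]
    if unknown:
        raise ValueError(f"unknown right(s) {unknown} in {letters!r}")
    return [table[c] for c in letters]

def parse_ger(ldif):
    """Return {'entry': [...], 'attrs': {name: [...]}, 'modifiable': [...]}."""
    text = re.sub(r"\n ", "", ldif)  # undo LDIF line folding
    out = {"entry": [], "attrs": {}, "modifiable": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "entryLevelRights":
            out["entry"] = decode(value.strip(), ENTRY_RIGHTS)
        elif key == "attributeLevelRights":
            for item in filter(None, (i.strip() for i in value.split(","))):
                name, _, letters = item.rpartition(":")
                out["attrs"][name] = decode(letters, ATTR_RIGHTS)
                if letters != "none" and MODIFY & set(letters):
                    out["modifiable"].append(name)
    return out

if __name__ == "__main__":
    rights = parse_ger(SAMPLE)
    print("entry:", ", ".join(rights["entry"]))
    for name, names in rights["attrs"].items():
        print(f"{name}: {', '.join(names)}")
    print("subject can modify:", ", ".join(rights["modifiable"]))
```

Reviewing the "subject can modify" list for each subject and entry pair is a quick way to confirm that ACIs grant no more write access than intended.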
6.7.2 The format of a get effective rights search
Get effective rights (sometimes called GER) is an extended directory search; the GER parameters
are defined with the -J option with the
ldapsearch -p port -h host
-D bindDN -w bindPassword
-b searchBase
-J 1.3.6.1.4.1.42.2.27.9.5.2:criticality:dn:GER_subject (searchFilter) attributeList
-b searchBase is the base DN subtree or entry used to search for the GER subject.
If the search base is a specific entry DN or if only one entry is returned, then the results show
the rights the requester has over that specific entry. If multiple entries beneath the search base
match the filter, then the search returns every matching entry, with the rights for the requester
over each entry.
1.3.6.1.4.1.42.2.27.9.5.2 is the OID for the get effective rights control.
6.7 Checking access rights on entries (get effective rights) 263