HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

criticality specifies whether the search operation should return an error if the server does
not support this control (true) or whether the control should be ignored and the search allowed
to return as normal (false).
The GER_subject is the person whose rights are being checked. If the GER subject is left blank
(dn:), then the rights of an anonymous user are returned.
An optional attributeList limits the get effective rights results to the specified attribute or
object class. As with a regular ldapsearch, this can give specific attributes, like mail. If
no attributes are listed, then every present attribute for the entry is returned. Using an asterisk
(*) returns the rights for every possible attribute for the entry, both existing and
non-existent attributes. Using a plus sign (+) returns operational attributes for the entry.
Examples for checking rights for specific attributes are given in “Examples of get effective
rights searches for non-existent attributes” (page 266) and “Examples of get effective rights
searches for specific attributes or object classes” (page 267).
The crux of a get effective rights search is the ability to check what rights the GER subject (-J) has
to the targets of the search (-b). The get effective rights search is a regular ldapsearch, in that
it simply looks for entries that match the search parameters and returns their information. The get
effective rights option adds extra information to those search results, showing what rights a specific
user has over those results. That GER subject user can be the requester himself (-D is the same as
-J) or someone else.
If the requester is a regular user (not the Directory Manager), then the requester can only see the
effective rights that a GER subject has on the requester's own entry. That is, if John Smith runs a request
to see what effective rights Babs Jensen has, then he can only get the effective rights that Babs
Jensen has on his own entry. All the other entries return an insufficient access error for the effective
rights.
There are three general scenarios for a regular user when running a get effective rights search:
• User A checks the rights that he has over other directory entries.
• User A checks the rights that he has to his personal entry.
• User A checks the rights that User B has to User A's entry.
The get effective rights search offers a number of flexible ways to check rights on
attributes.
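The following added example (not part of the guide) shows how the -D, -J and -b values combine for the three scenarios above and for an anonymous GER subject. The DNs are constructed samples, the function names are hypothetical, and the control OID is an assumption because it is not stated on this page.

```shell
#!/bin/sh
# Added example, not from the guide. DNs below are constructed samples.
# Assumption: OID of the get effective rights control (not stated on this page).
GER_OID="1.3.6.1.4.1.42.2.27.9.5.2"

# ger_control CRITICALITY [GER_SUBJECT_DN]
# Prints the -J value "OID:criticality:dn:SUBJECT". An empty subject gives
# "dn:", which asks for the rights of an anonymous user.
ger_control() {
    case "$1" in
        true|false) ;;
        *) echo "criticality must be true or false" >&2; return 1 ;;
    esac
    printf '%s:%s:dn:%s\n' "$GER_OID" "$1" "${2:-}"
}

# ger_search REQUESTER_DN GER_SUBJECT_DN TARGET_DN [ATTRIBUTE...]
# Prints an ldapsearch command line for review. Host, port and bind
# password options are left out for the caller to add.
ger_search() {
    [ "$#" -ge 3 ] || { echo "usage: ger_search REQUESTER SUBJECT TARGET [ATTR...]" >&2; return 1; }
    requester=$1; subject=$2; target=$3
    shift 3
    control=$(ger_control true "$subject") || return 1
    cmd="ldapsearch -D \"$requester\" -b \"$target\" -J \"$control\" \"(objectClass=*)\""
    for attr in "$@"; do            # optional attributeList: names, "*" or "+"
        cmd="$cmd \"$attr\""
    done
    printf '%s\n' "$cmd"
}

A="uid=jsmith,ou=people,dc=example,dc=com"    # constructed DN for User A
B="uid=bjensen,ou=people,dc=example,dc=com"   # constructed DN for User B

ger_search "$A" "$A" "ou=people,dc=example,dc=com" mail   # A's rights over other entries
ger_search "$A" "$A" "$A"                                  # A's rights to his own entry
ger_search "$A" "$B" "$A" "*"                              # B's rights to A's entry
ger_search "$A" ""   "$A" "+"                              # anonymous user's rights to A's entry
```

The printed command lines are for inspection only; a DN containing a double quote would need additional escaping before being pasted into a shell.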
6.7.2.1 General examples on checking access rights
One common scenario for effective rights searches is for a regular user to determine what changes
he can make to his personal entry.
For example, Ted Morris wants to check the rights he has to his entry. Both the -D and -J options
give his entry as the requester. Because he is checking his personal entry, the -b option also
contains his DN.