HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Example 10 The directory manager checking the rights of one user over another user's entry (User A to User B)
ldapsearch -p 389 -h localhost -D "cn=directory manager" -w secret \
  -b "uid=tmorris,ou=people,dc=example,dc=com" \
  -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=jsmith,ou=people,dc=example,dc=com" \
  "(objectClass=*)"
dn: uid=tmorris,ou=People,dc=example,dc=com
... snip ...
entryLevelRights: vadn
attributeLevelRights: givenName:rscwo, sn:rscwo, ou:rscwo, l:rscwo, manager:rscwo, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo, objectClass:rscwo, uid:rscwo, cn:rscwo, userPassword:rscwo
Only an administrator can retrieve the effective rights that a different user has on an entry. If Dave Miller tried to determine Ted Morris's rights to Ted Morris's entry, he would receive an insufficient access error, because the requester lacks the g (get effective rights) permission on that entry:
ldapsearch -p 389 -h localhost -D "uid=dmiller,ou=people,dc=example,dc=com" -w secret \
  -b "uid=tmorris,ou=people,dc=example,dc=com" \
  -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=tmorris,ou=people,dc=example,dc=com" \
  "(objectClass=*)"
ldap_search: Insufficient access
ldap_search: additional info: get-effective-rights: requester has no g permission on the entry
However, a regular user can run a get effective rights search to see what rights another user has to his own entry. In Example 11 “Checking the rights someone else has to a personal entry”, Ted Morris checks what rights Dave Miller has on Ted Morris's entry.
Example 11 Checking the rights someone else has to a personal entry
ldapsearch -p 389 -h localhost -D "uid=tmorris,ou=people,dc=example,dc=com" -w secret \
  -b "uid=tmorris,ou=people,dc=example,dc=com" \
  -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=dmiller,ou=people,dc=example,dc=com" \
  "(objectClass=*)"
dn: uid=tmorris,ou=people,dc=example,dc=com
... snip ...
entryLevelRights: v
attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rsc, manager:rsc, roomNumber:rsc, mail:rsc, facsimileTelephoneNumber:rsc, objectClass:rsc, uid:rsc, cn:rsc, userPassword:none
In this case, Dave Miller has the right to view the entry (v) and to read, search, and compare (rsc) the ou, givenName, l, and other attributes, but no rights at all (none) to the userPassword attribute.
6.7.2.2 Examples of get effective rights searches for non-existent attributes
By default, no rights information is returned for attributes that have no value in the entry. For example, if the userPassword value were removed, a later effective rights search on the entry above would return nothing for userPassword, even though self-write and self-delete rights might be granted to it. An attribute that is absent from attributeLevelRights therefore does not mean the requester has no rights to it; only an explicit none does.
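The rights strings in Examples 10 and 11 are compact, and the caveat above means an attribute that is missing from the output is not the same as one reported as none. The following Python script is added here as an example and is not part of the HP-UX Directory Server guide or product. It decodes the entryLevelRights and attributeLevelRights values from saved ldapsearch output, using the letter meanings documented for the server (a, d, n, v for the entry; r, s, c, w, o and the self-rights W, O for attributes), and reports which sensitive attributes the subject can read or write and which expected attributes were not reported at all. The two sample outputs embedded in it are constructed from Examples 10 and 11; the attribute list passed as expected is an assumption made by the caller, not something the server supplies.

```python
"""Decode the LDIF that ldapsearch prints for a get effective rights search
(control OID 1.3.6.1.4.1.42.2.27.9.5.2) and summarise it for an access review.

Added example, not code from the directory server guide or product.
"""
import json

# Right letters as documented for the server's effective rights output.
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_RIGHTS = {
    "r": "read", "s": "search", "c": "compare",
    "w": "write", "o": "obliterate",            # add / delete a value
    "W": "self-write", "O": "self-obliterate",  # the same, on the user's own entry
}
READ_LETTERS = {"r", "s", "c"}
WRITE_LETTERS = {"w", "o", "W", "O"}

# Constructed sample: Example 11 (Ted Morris asking about Dave Miller's rights).
# The long attributeLevelRights line is folded the way LDIF folds lines: a
# continuation line starts with one space, which is dropped when unfolding.
SAMPLE_USER_OUTPUT = """\
dn: uid=tmorris,ou=people,dc=example,dc=com
uid: tmorris
cn: Ted Morris
entryLevelRights: v
attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rsc, manager:rsc,
  roomNumber:rsc, mail:rsc, facsimileTelephoneNumber:rsc, objectClass:rsc,
  uid:rsc, cn:rsc, userPassword:none
"""

# Constructed sample: Example 10 (directory manager asking about jsmith's rights).
SAMPLE_ADMIN_OUTPUT = """\
dn: uid=tmorris,ou=People,dc=example,dc=com
entryLevelRights: vadn
attributeLevelRights: givenName:rscwo, sn:rscwo, ou:rscwo, l:rscwo,
  manager:rscwo, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo,
  objectClass:rscwo, uid:rscwo, cn:rscwo, userPassword:rscwo
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with a space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _letters(value, table, what):
    """Turn a rights string such as 'rscwo' into a set; 'none' is the empty set.
    Letters the server never emits are rejected rather than silently ignored."""
    if value == "none":
        return set()
    unknown = set(value) - set(table)
    if unknown:
        raise ValueError("unknown %s right letter(s) %s in %r" % (what, sorted(unknown), value))
    return set(value)


def parse_effective_rights(text):
    """Return (dn, entry_rights, {attribute: rights}) from one GER search result."""
    dn, entry, attrs = None, set(), {}
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or "... snip ..."
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "entrylevelrights":
            entry = _letters(value, ENTRY_RIGHTS, "entry")
        elif key == "attributelevelrights":
            for item in filter(None, (i.strip() for i in value.split(","))):
                name, _, letters = item.rpartition(":")
                attrs[name] = _letters(letters, ATTR_RIGHTS, "attribute")
    return dn, entry, attrs


def audit_rights(text, sensitive=("userPassword",), expected=()):
    """Summarise one GER result. 'expected' lists attributes the caller assumed the
    server would report; any that are missing are flagged as unreported, because the
    server omits valueless attributes and absence is not the same as 'none'."""
    dn, entry, attrs = parse_effective_rights(text)
    return {
        "dn": dn,
        "entry": sorted(ENTRY_RIGHTS[c] for c in entry),
        "readable_sensitive": sorted(a for a in sensitive if attrs.get(a, set()) & READ_LETTERS),
        "writable_sensitive": sorted(a for a in sensitive if attrs.get(a, set()) & WRITE_LETTERS),
        "writable": sorted(a for a, r in attrs.items() if r & WRITE_LETTERS),
        "unreported": sorted(a for a in expected if a not in attrs),
    }


if __name__ == "__main__":
    print(json.dumps(audit_rights(SAMPLE_USER_OUTPUT, expected=("userPassword", "telephoneNumber")), indent=2))
    print(json.dumps(audit_rights(SAMPLE_ADMIN_OUTPUT), indent=2))
```

Run against real output by saving the ldapsearch result to a file and passing its contents to audit_rights. For the Example 11 sample the report shows view-only entry rights, no read or write access to userPassword, and telephoneNumber listed as unreported rather than as denied; for the Example 10 sample it shows vadn on the entry and userPassword among the writable attributes.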
266 Managing Access Control