HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Example 16 Get effective rights results for all attributes for an object class
ldapsearch -D "cn=directory manager" -w secret12 \
  -b "uid=scarter,ou=people,dc=example,dc=com" \
  -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com" \
  "(objectclass=*)" "*@posixaccount"
... snip ...
dn: cn=template_posixaccount_objectclass,uid=scarter,ou=people,dc=example,dc=com
objectClass: posixaccount
objectClass: top
homeDirectory: (template_attribute)
gidNumber: (template_attribute)
uidNumber: (template_attribute)
uid: (template_attribute)
cn: (template_attribute)
entryLevelRights: v
attributeLevelRights: cn:rsc, uid:rsc, uidNumber:rsc, gidNumber:rsc,
homeDirectory:rsc, objectClass:rsc, userPassword:none, loginShell:rsc,
gecos:rsc, description:rsc, aci:rsc
6.7.2.4 Examples of get effective rights searches for operational attributes
Operational attributes are not returned in regular ldapsearches, including get effective rights
searches. To return the information for the operational attributes, use the plus sign (+). This returns
only the operational attributes that can be used in the entry. For example:
Example 17 Get effective rights results for operational attributes
ldapsearch -D "cn=directory manager" -w secret12 \
  -b "uid=scarter,ou=people,dc=example,dc=com" \
  -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=scarter,ou=people,dc=example,dc=com" \
  "(objectclass=*)" "+"
dn: uid=scarter, ou=People, dc=example,dc=com
entryLevelRights: vadn
attributeLevelRights: nsICQStatusText:rscwo, passwordGraceUserTime:rscwo,
pwdGraceUserTime:rscwo, nsYIMStatusText:rscwo, modifyTimestamp:rscwo,
passwordExpWarned:rscwo, pwdExpirationWarned:rscwo, entrydn:rscwo,
aci:rscwo, nsSizeLimit:rscwo, nsAccountLock:rscwo,
passwordExpirationTime:rscwo, entryid:rscwo, nsSchemaCSN:rscwo, nsRole:rscwo,
retryCountResetTime:rscwo, ldapSchemas:rscwo, nsAIMStatusText:rscwo,
copiedFrom:rscwo, nsICQStatusGraphic:rscwo, nsUniqueId:rscwo,
creatorsName:rscwo, passwordRetryCount:rscwo, dncomp:rscwo, nsTimeLimit:rscwo,
passwordHistory:rscwo, pwdHistory:rscwo, nscpEntryDN:rscwo,
subschemaSubentry:rscwo, nsYIMStatusGraphic:rscwo, hasSubordinates:rscwo,
pwdpolicysubentry:rscwo, nsAIMStatusGraphic:rscwo, nsRoleDN:rscwo,
createTimestamp:rscwo, accountUnlockTime:rscwo, copyingFrom:rscwo,
nsLookThroughLimit:rscwo, nsds5ReplConflict:rscwo, modifiersName:rscwo,
parentid:rscwo, passwordAllowChangeTime:rscwo, nsBackendSuffix:rscwo,
nsIdleTimeout:rscwo, ldapSyntaxes:rscwo, numSubordinates:rscwo
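
When auditing these results for least privilege, it helps to parse the rights strings rather than read them by eye. The following is an added example, not part of the guide or the product: it parses get effective rights output, tolerating lists wrapped after a comma or with a trailing backslash, and reports which attributes the subject can modify. The function names are hypothetical, and the rights-letter meanings come from the get effective rights permission tables, which are outside this excerpt.

```python
import re

# Attribute-level rights letters (from the GER permission tables, not this excerpt).
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare", "w": "write",
               "o": "obliterate", "W": "self-write", "O": "self-delete"}
MODIFYING = set("woWO")  # letters that allow changing attribute values

# Sample input trimmed from Examples 16 and 17; one attribute name is wrapped
# with a trailing backslash here to exercise the unwrapping (constructed).
SAMPLE = r"""dn: cn=template_posixaccount_objectclass,uid=scarter,ou=people,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: cn:rsc, uid:rsc, uidNumber:rsc, gidNumber:rsc,
homeDirectory:rsc, objectClass:rsc, userPassword:none, loginShell:rsc,
gecos:rsc, description:rsc, aci:rsc
dn: uid=scarter, ou=People, dc=example,dc=com
entryLevelRights: vadn
attributeLevelRights: aci:rscwo, nsAccountLock:rscwo, passwordExpiration\
Time:rscwo, entryid:rscwo
"""

def _rights(value):
    """Turn a rights string such as 'rsc' or 'none' into a set of letters."""
    return set() if value == "none" else set(value)

def parse_ger(text):
    """Return {dn: {"entry": set, "attrs": {name: set}}} from GER output."""
    text = re.sub(r"\\\s*\n", "", text)   # rejoin names split with a backslash
    text = re.sub(r",\s*\n", ", ", text)  # fold lists wrapped after a comma
    entries, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "dn":
            current = entries.setdefault(value, {"entry": set(), "attrs": {}})
        elif current is not None and key == "entryLevelRights":
            current["entry"] = _rights(value)
        elif current is not None and key == "attributeLevelRights":
            for item in filter(None, map(str.strip, value.split(","))):
                name, _, rights = item.partition(":")
                current["attrs"][name] = _rights(rights)
    return entries

def modifiable(entry):
    """Map each attribute the subject can change to the rights that allow it."""
    return {name: sorted(ATTR_RIGHTS[c] for c in rights & MODIFYING)
            for name, rights in sorted(entry["attrs"].items())
            if rights & MODIFYING}
```

Run against saved ldapsearch output, an empty result from modifiable() confirms a read-only grant; any attribute that appears, such as aci or nsAccountLock in the second entry, is one the GER subject can change.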
6.7.2.5 Examples of get effective rights results and access control rules
Get effective rights results are returned according to whatever ACLs are in effect for the GER subject entry.
For example, this ACL is set and, for the purposes of this example, it is the only ACL set:
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci:
(target=ldap:///ou=Accounting,dc=example,dc=com)(targetattr="*")(version
3.0; acl "test acl"; allow (read,search,compare) (userdn =
"ldap:///anyone") ;)
dn: ou=Accounting, dc=example,dc=com
6.7 Checking access rights on entries (get effective rights) 269