Retrieving ACL information from the server
To retrieve all of the ACL information in a namespace, use the ldapsearch utility,
as shown in the following example:
ldapsearch -h 127.0.0.1 -D "cn=admin, dc=Your Company,dc=com" -w xxxxxx
    -b "dc=Your Company,dc=com" "(objectclass=*)" aclEntry aclPropagate aclSource
    entryOwner ownerPropagate ownerSource

dn: dc=Your Company, dc=com
aclPropagate: TRUE
aclEntry: CN=ADMIN:normal:rwsc:sensitive:rwsc:critical:rwsc:object:ad
aclEntry: CN=ANYBODY:normal:rsc:system:rsc
aclSource: dc=Your Company, dc=com
ownerPropagate: TRUE
entryOwner: CN=ADMIN
ownerSource: default
This command performs a subtree search starting at the root of the tree (assuming that the root of the tree is "dc=Your Company,dc=com") and returns the six ACL attributes for each entry in the tree. The six ACL attributes must be requested by name because they are operational attributes and, therefore, are returned by a search only when explicitly requested (see RFC 2251).
ACL information (aclEntry, aclPropagate, aclSource, entryOwner, ownerPropagate, and ownerSource) is returned for every entry. For an entry that contains its own ACL, the aclSource and ownerSource attributes hold the same DN as the entry DN. For an entry that does not contain an ACL, the aclSource and ownerSource attributes hold the distinguished names of the entries whose ACL information (aclEntry and entryOwner) is used when access to that entry is checked.
Note:
- The aclSource and ownerSource attributes can contain the value default. This is not a distinguished name; it indicates that the default ACL applies to the entry.
- If the tree contains more entries than are allowed by the sizeLimit configuration option in the LDAP server configuration file, by the size limit on the search request, or by the requester's group search limits, some entries might not be returned. See sizeLimit num-limit for more information about the sizeLimit configuration option.
You can also use the same method to get the ACL information for a portion of the namespace by specifying the -b searchbase parameter on the ldapsearch utility, where searchbase is the starting point for the search.
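As an added example (not part of this documentation or the server's own code), the following Python parses output like the listing above and reports, for each entry, whether its ACL and owner are explicit, inherited from another entry, or the default; it also splits aclEntry values into subject and per-class permissions and flags entries that grant CN=ANYBODY more than read, search and compare. The sample output, the child entry ou=Staff, and the names of the functions are constructed for illustration.

```python
# Constructed sample: the page's root entry plus a hypothetical child (ou=Staff)
# that inherits its ACL from the root; this is not real server output.
SAMPLE_OUTPUT = """\
dn: dc=Your Company, dc=com
aclEntry: CN=ADMIN:normal:rwsc:sensitive:rwsc:critical:rwsc:object:ad
aclEntry: CN=ANYBODY:normal:rsc:system:rsc
aclSource: dc=Your Company, dc=com
ownerSource: default

dn: ou=Staff,dc=Your Company,dc=com
aclSource: dc=Your Company, dc=com
ownerSource: default
"""
ACCESS_CLASSES = {"normal", "sensitive", "critical", "system", "object"}  # classes shown in the listing

def parse_ldif(text):
    """One {attr: [values]} dict per blank-line-separated entry of ldapsearch output."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")  # only the first ':' splits attr from value
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def normalize_dn(dn):
    """Canonical form so 'dc=Your Company, dc=com' equals 'dc=Your Company,dc=com'."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def source_origin(entry, attr="aclSource"):
    """Where the ACL (or, with attr='ownerSource', the owner) governing an entry comes from."""
    source = entry.get(attr, ["default"])[0]
    if source.lower() == "default":
        return "default"  # the default ACL/owner applies; this value is not a DN
    return "explicit" if normalize_dn(source) == normalize_dn(entry["dn"][0]) else "inherited from " + source

def parse_acl_entry(value):
    """'subject:class:perms:class:perms...' -> (subject, {class: perms}); subject may hold ':'."""
    tokens = value.split(":")
    i = next(k for k, t in enumerate(tokens) if t.lower() in ACCESS_CLASSES)
    return ":".join(tokens[:i]), {tokens[k].lower(): tokens[k + 1] for k in range(i, len(tokens) - 1, 2)}

def anybody_beyond_read(entries):
    """Defender check: DNs whose own ACL grants CN=ANYBODY more than read/search/compare."""
    hits = []
    for e in entries:
        for subject, perms in map(parse_acl_entry, e.get("aclEntry", [])):
            if subject.upper().endswith("CN=ANYBODY") and any(set(p) - set("rsc") for p in perms.values()):
                hits.append(e["dn"][0])
    return hits
```

Feed it the saved output of the ldapsearch command above (or of a narrower -b search) to get a per-entry picture of where each ACL actually comes from.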