Retrieving ACL information from the server

To retrieve all of the ACL information in a namespace, use the ldapsearch utility, as shown in the following example:
ldapsearch -h 127.0.0.1 -D "cn=admin, dc=Your Company,dc=com" -w xxxxxx \
  -b "dc=Your Company,dc=com" "(objectclass=*)" aclEntry aclPropagate aclSource \
  entryOwner ownerPropagate ownerSource

dn: dc=Your Company, dc=com
aclPropagate: TRUE
aclEntry: CN=ADMIN:normal:rwsc:sensitive:rwsc:critical:rwsc:object:ad
aclEntry: CN=ANYBODY:normal:rsc:system:rsc
aclSource: dc=Your Company, dc=com
ownerPropagate: TRUE
entryOwner: CN=ADMIN
ownerSource: default

This command performs a subtree search starting at the root of the tree (assuming that the root of the tree is "dc=Your Company,dc=com") and returns the six ACL attributes for each entry in the tree. The six ACL attributes must be requested by name because they are operational attributes and, therefore, are returned by a search only when explicitly requested. (See RFC 2251.)

ACL information (aclEntry, aclPropagate, aclSource, entryOwner, ownerPropagate, and ownerSource) is returned for all entries. For entries that contain their own ACLs, the aclSource and ownerSource attributes contain the same DN as the entry DN. For entries that do not contain ACLs, the aclSource and ownerSource attributes contain the distinguished names of the entries whose ACL information (aclEntry and entryOwner) is used for access control checking of information in that entry.
Note:
  1. The aclSource and ownerSource attributes can contain the value default. This is not a distinguished name; it indicates that the ACL that applies to the entry is the default ACL.
  2. If the tree contains more entries than allowed by the sizeLimit configuration option in the LDAP server configuration file, by the size limit on the search request, or by the requester's group search limits, some entries might not be returned. See sizeLimit num-limit for more information about the sizeLimit configuration option.

You can also use the same method to get the ACL information for a portion of the namespace by specifying the -b searchbase parameter on the ldapsearch utility, where searchbase is the starting point for the search.
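The following added example (not part of the original documentation) parses ldapsearch output of the kind shown above and applies the aclSource/ownerSource rules: for each entry it reports whether its ACL and owner are explicit, inherited from a named ancestor, or the default, and which subjects are granted write, add or delete rights. The sample output is constructed, and the set of access-class names used to split aclEntry values is an assumption based on the classes seen on this page plus "restricted".

```python
from collections import defaultdict
# Constructed sample modelled on the page's ldapsearch output; not captured from a real server.
SAMPLE_LDIF = """\
dn: dc=Your Company, dc=com
aclPropagate: TRUE
aclEntry: CN=ADMIN:normal:rwsc:sensitive:rwsc:critical:rwsc:object:ad
aclEntry: CN=ANYBODY:normal:rsc:system:rsc
aclSource: dc=Your Company, dc=com
ownerPropagate: TRUE
entryOwner: CN=ADMIN
ownerSource: default

dn: cn=Alice, ou=Public, dc=Your Company, dc=com
aclEntry: CN=ANYBODY:normal:rwsc
aclSource: ou=Public, dc=Your Company, dc=com
entryOwner: CN=ADMIN
ownerSource: dc=Your Company, dc=com
"""
# Access classes that delimit an aclEntry value (five from the page; "restricted" is assumed).
ACCESS_CLASSES = {"normal", "sensitive", "critical", "system", "object", "restricted"}

def parse_ldif(text):
    """Split LDIF-style ldapsearch output into a list of (dn, {attribute: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")  # first ": " separates attribute from value
            attrs[name].append(value)
        entries.append((attrs["dn"][0], attrs))
    return entries
def norm_dn(dn):
    """Trim spaces around RDN separators and fold case so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.split(",")).lower()
def origin(entry_dn, source):
    """'default', 'explicit' (source is the entry itself) or 'inherited:<dn>'."""
    if source == "default":
        return "default"
    return "explicit" if norm_dn(source) == norm_dn(entry_dn) else "inherited:" + source
def parse_acl_entry(value):
    """'CN=ANYBODY:normal:rsc:system:rsc' -> ('CN=ANYBODY', {'normal': 'rsc', 'system': 'rsc'})."""
    tokens = value.split(":")
    first = next(i for i, t in enumerate(tokens) if t.lower() in ACCESS_CLASSES)
    return ":".join(tokens[:first]), dict(zip(tokens[first::2], tokens[first + 1::2]))
def acl_report(text):
    """Per entry: ACL origin, owner origin, and subjects granted write/add/delete anywhere."""
    report = {}
    for dn, attrs in parse_ldif(text):
        writers = [s for s, perms in map(parse_acl_entry, attrs["aclEntry"])
                   if any(set("wad") & set(p) for p in perms.values())]
        report[dn] = (origin(dn, attrs["aclSource"][0]), origin(dn, attrs["ownerSource"][0]), writers)
    return report
```

Feed it the saved output of the ldapsearch command above to list every entry whose effective ACL grants CN=ANYBODY more than read, search and compare.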