Querying effective permissions

When filters are specified in aclEntry or entryOwner attribute values in the directory, it can be difficult to determine which permissions users or groups have to entries. To simplify the determination of effective ACLs, the ldapexop utility provides the GetEffectiveACL extended operation. See ldapexop utility for more information.

This extended operation in the ldapexop utility accepts search criteria and bound user information (such as the bind distinguished name, the time of day, the day of the week, and the IP address from which the user authenticates). By supplying these, an LDAP root administrator can simulate the effective ACLs for multiple users in the directory.

This extended operation returns the following information for each requested entry:
  • the entry DN to which access was requested
  • the subject and all of its alternate DNs and group DNs for which access was calculated
  • the source attribute values (aclEntry, aclPropagate, aclSource, entryOwner, ownerPropagate, and ownerSource) in effect for the entry
  • the applicable attribute values (aclEntry and entryOwner) used to form the effective permissions
  • the calculated effective access class permissions
  • the calculated effective attribute permissions
This example performs the GetEffectiveACL extended operation for each entry returned by a subtree search of dc=yourcompany,dc=com. The search uses dc=yourcompany,dc=com as the base DN, a filter of "objectclass=*", a size limit of 100 entries, a time limit of 10 seconds, and no alias dereferencing. For each returned entry, the GetEffectiveACL extended operation calculates the effective ACLs for user cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com when a simple bind is done from IP address 129.176.132.92 at 18:30 on a Saturday over a secure SSL connection.
ldapexop -D adminDn -w adminPw -op geteffectiveacl -filter "objectclass=*"
 -base "dc=yourcompany,dc=com" -s sub -a never -z 100 -l 10
 -dn "cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com" -ip 129.176.132.92
 -time 18:30 -day 6 -mech SIMPLE -encrypt
#ENTRY INFORMATION:
dn: dc=yourcompany,dc=com
#SUBJECT INFORMATION:
#Bind DN:
dn: cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com

#Alternate DNs:
dn: cn=alt_01
dn: cn=alt_02

#Group DNs:
dn: cn=group_01
dn: cn=group_02

#SOURCE ATTRIBUTE VALUES:
aclEntry: group:cn=Anybody:normal:rsc:system:rsc
aclPropagate: TRUE
aclSource: dc=yourcompany,dc=com
entryOwner: cn=Admin
ownerPropagate: TRUE
ownerSource: dc=yourcompany,dc=com

#APPLICABLE ATTRIBUTE VALUES:
aclEntry: group:cn=Anybody:normal:rsc:system:rsc

#EFFECTIVE ACCESS-CLASS PERMISSIONS:
normal: grant:rsc
system: grant:rsc


#ENTRY INFORMATION:
dn: ou=users,dc=yourcompany,dc=com

#SUBJECT INFORMATION:
#Bind DN:
dn: cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com

#Alternate DNs:
dn: cn=alt_01
dn: cn=alt_02

#SOURCE ATTRIBUTE VALUES:
aclEntry: group:cn=Anybody:normal:rsc:system:rsc
aclPropagate: TRUE
aclSource: dc=yourcompany,dc=com
entryOwner: cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com
ownerPropagate: TRUE
ownerSource: dc=yourcompany,dc=com

#APPLICABLE ATTRIBUTE VALUES:
entryOwner: cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com

#EFFECTIVE ACCESS-CLASS PERMISSIONS:
restricted: grant:rwsc
system: grant:rwsc
critical: grant:rwsc
sensitive: grant:rwsc
normal: grant:rwsc
object: grant:ad


#ENTRY INFORMATION:
dn: cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com

#SUBJECT INFORMATION:
#Bind DN:
dn: cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com

#SOURCE ATTRIBUTE VALUES:
aclEntry: access-id:cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com:normal:rsc:
 sensitive:rsc:critical:rsc
aclEntry: aclFilter:(&(ibm-filterSubject=cn=Joe Shmoe,ou=users,dc=yourcompany,
 dc=com)(ibm-filterIP=129.176.132.*)(|(ibm-filterTimeOfDay<09:00)
 (ibm-filterTimeOfDay>17:00))(|(ibm-filterDayOfWeek<1)
 (ibm-filterDayOfWeek>5))):union:object:ad:normal:w
aclEntry: group:cn=Anybody:normal:rsc
aclPropagate: TRUE
aclSource: cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com
entryOwner: cn=Admin
ownerPropagate: TRUE
ownerSource: dc=yourcompany,dc=com

#APPLICABLE ATTRIBUTE VALUES:
aclEntry: access-id:cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com:normal:rsc:
 sensitive:rsc:critical:rsc
aclEntry: aclFilter:(&(ibm-filterSubject=cn=Joe Shmoe,ou=users,dc=yourcompany,
 dc=com)(ibm-filterIP=129.176.132.*)(|(ibm-filterTimeOfDay<09:00)
 (ibm-filterTimeOfDay>17:00))(|(ibm-filterDayOfWeek<1)
 (ibm-filterDayOfWeek>5))):union:object:ad:normal:w

#EFFECTIVE ACCESS-CLASS PERMISSIONS:
normal: grant:rwsc
sensitive: grant:rsc
critical: grant:rsc
object: grant:ad

#ENTRY INFORMATION:
dn: cn=Corey,ou=users,dc=yourcompany,dc=com

#SUBJECT INFORMATION:

#Bind DN:
dn: cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com

#SOURCE ATTRIBUTE VALUES:
aclEntry: access-id:cn=Corey,ou=users,dc=yourcompany,dc=com:normal:rsc:
 sensitive:rsc:critical:rsc
aclEntry: aclFilter:(&(ibm-filterSubject=cn=Corey,ou=users,
 dc=yourcompany,dc=com)(ibm-filterIP=129.176.132.*)(|
 (ibm-filterTimeOfDay<09:00)(ibm-filterTimeOfDay>17:00))(|
 (ibm-filterDayOfWeek<1)(ibm-filterDayOfWeek>5))):union:object:ad:normal:w
aclEntry: group:cn=Anybody:normal:rsc
aclEntry: access-id:cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com:normal:
 rsc:at.telephoneNumber:deny:rsc:at.cn:deny:rsc
aclPropagate: TRUE
aclSource: cn=Corey,ou=users,dc=yourcompany,dc=com
entryOwner: cn=Admin
ownerPropagate: TRUE
ownerSource: dc=yourcompany,dc=com

#APPLICABLE ATTRIBUTE VALUES:
aclEntry: access-id:cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com:normal:
 rsc:at.telephoneNumber:deny:rsc:at.cn:deny:rsc

#EFFECTIVE ACCESS-CLASS PERMISSIONS:
normal: grant:rsc

#EFFECTIVE ATTRIBUTE PERMISSIONS:
at.cn: deny:rsc
at.telephoneNumber: deny:rsc
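The calculation that the output above reflects (select the applicable aclEntry values, evaluate an aclFilter against the bind context, union the permissions) as an added Python model; this is not ldapexop's or the directory server's code. It covers only what the page shows: the union mode, the precedence visible in the output, and the filter's < and > treated as strict string comparisons on zero-padded HH:MM and day values, which is an assumption; the bind context and the aclEntry strings are those of the page.

```python
import re, fnmatch

def eval_filter(s, ctx, i=0):
    """Parse-and-evaluate the LDAP filter in s[i:]; returns (matched, index_after). ctx maps the ibm-filter*
    names to the bind context. ASSUMPTION: '<'/'>' are strict comparisons on zero-padded HH:MM / day strings."""
    if s[i + 1] in "&|":                                   # compound (&...) or (|...)
        op, hits, i = s[i + 1], [], i + 2
        while s[i] == "(":
            hit, i = eval_filter(s, ctx, i)
            hits.append(hit)
        return (all(hits) if op == "&" else any(hits)), i + 1
    j = s.index(")", i)                                    # leaf (attr<op>value)
    attr, op, val = re.match(r"([\w-]+)([=<>])(.*)", s[i + 1:j]).groups()
    a = ctx[attr]
    ok = fnmatch.fnmatch(a, val) if attr == "ibm-filterIP" else (  # 129.176.132.* style wildcard
        a.lower() == val.lower() if op == "=" else (a < val if op == "<" else a > val))
    return ok, j + 1

def parse_acl_entry(value):
    """'kind:subject:spec' -> (kind, subject, [(key, grant|deny, perms)])."""
    kind, rest = value.split(":", 1)
    if kind.lower() == "aclfilter":   # the filter text itself contains ':' (HH:MM), so cut at its last ')'
        k = rest.rindex(")")
        subject, (_mode, *tokens) = rest[:k + 1].strip(), rest[k + 2:].split(":")  # only 'union' is modelled
    else:
        subject, *tokens = rest.split(":")
    perms, it = [], iter(tokens)
    for key in it:                    # 'class:perms' or 'key:grant|deny:perms'
        nxt = next(it)
        perms.append((key, nxt, next(it)) if nxt in ("grant", "deny") else (key, "grant", nxt))
    return kind.lower(), subject, perms

def effective_acl(acl_entries, ctx):
    """Precedence as in the page output: a matching access-id replaces group entries; matching aclFilter values are unioned in."""
    parsed = [parse_acl_entry(v) for v in acl_entries]
    chosen = [e for e in parsed if e[0] == "access-id" and e[1].lower() == ctx["ibm-filterSubject"].lower()]
    if not chosen:                    # no access-id for this DN: fall back to the groups the user is in
        chosen = [e for e in parsed if e[0] == "group" and e[1].lower() in ctx["groups"]]
    chosen += [e for e in parsed if e[0] == "aclfilter" and eval_filter(e[1], ctx)[0]]
    eff = {}
    for _, _, perms in chosen:
        for key, action, p in perms:  # union: keep the first grant/deny seen, merge the permission letters
            action, have = eff.get(key, (action, ""))
            eff[key] = (action, "".join(sorted(set(have + p), key="rwscad".index)))
    return eff

# Bind context from the page's ldapexop command: Joe, from 129.176.132.92, at 18:30 on a Saturday (day 6).
JOE_CTX = {"ibm-filterSubject": "cn=Joe Shmoe,ou=users,dc=yourcompany,dc=com", "ibm-filterIP": "129.176.132.92",
           "ibm-filterTimeOfDay": "18:30", "ibm-filterDayOfWeek": "6",
           "groups": {"cn=anybody", "cn=group_01", "cn=group_02"}}  # cn=Anybody: every bound user belongs to it
```

Passing the three aclEntry values of the cn=Joe Shmoe entry together with JOE_CTX yields normal: rwsc, sensitive: rsc, critical: rsc and object: ad, matching the output above; the cn=Corey entry yields normal: rsc plus the two attribute denials.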