The Get Effective Rights Control
Depending on the options specified, an effective rights request returns the following information:
The effective rights information is presented according to the following subtypes:
aclRights;entrylevel - Presents entry-level rights information
aclRights;attributelevel - Presents attribute-level rights information
aclRightsInfo;entrylevel - Presents entry-level logging information
aclRightsInfo;attributelevel - Presents attribute-level logging information
The format of the aclRights string is as follows:
aclRights;entryLevel: permission:value(permission:value)*
and
aclRights;attributeLevel: permission:value(permission:value)*
The possible entry-level permissions are add, delete, read, write, and proxy. The possible values for each permission are 0 (permission not granted) and 1 (permission granted).
Note - For information about assigning these permissions in an ACI, see ACI Syntax in Sun OpenDS Standard Edition 2.2 Architectural Reference.
The possible attribute-level permissions are read, search, compare, write, selfwrite_add, selfwrite_delete, and proxy. The possible values for each permission are 0 (permission not granted) and 1 (permission granted). For the case of the write permission, the value of "?" is also permitted.
Note - The write, selfwrite_add, and selfwrite_delete permissions are particularly complex. If you see a "?", consult the logging information to establish why the permissions will or will not be granted. For more information, see Table 3.
The format of the aclRightsInfo string is as follows:
aclRightsInfo;logs;entryLevel;permission: acl_summary(main):permission-string
and
aclRightsInfo;logs;attributeLevel;permission;attribute: acl_summary(main):permission-string
The entry-level and attribute-level permissions are described in the preceding section.
The permission-string contains detailed information about the effective rights at the entry-level and attribute-levels.
The attribute-level permission for write can be 0, 1, or "?". Only the write attribute-level permission can have a value of "?", which usually results from a targattrfilters ACI component. For the add and delete permissions, whether an entry can be modified depends on the values of the attributes in that entry; only the permission value, 0 or 1, is returned for each entry returned by the ldapsearch operation.
For all attribute values except the authorization dn, if the value for a write permission is 1, the permission is granted for both add and delete. Similarly, for all attribute values except the authorization dn, a value of 0 for a write permission means that the permission is not granted for either add or delete ldapmodify operations. The permission in force for the value of the authorization dn is returned explicitly in one of the selfwrite permissions, that is, either selfwrite_add or selfwrite_delete.
Although selfwrite_add and selfwrite_delete attribute-level permissions do not exist in the context of ACIs, a set of ACIs can grant a user selfwrite permission for just the add or just the delete part of a modify operation. For selfwrite permissions, the value of the attribute being modified is the authorization dn. The same distinction is not made for write permissions because the value of the attribute being modified for a write permission is undefined.
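The write/selfwrite rules above are easy to misread when debugging an ACI problem, so here is an added example (not part of the original guide) that parses the aclRights and aclRightsInfo attributes from a constructed ldapsearch result and applies those rules: a write value of 1 or 0 decides add and delete for ordinary values, while a value equal to the authorization DN is decided by selfwrite_add or selfwrite_delete, and "?" means the logging information must be consulted. The comma separator between permission:value pairs and all sample values are assumptions.

```python
from typing import Optional

# Constructed sample result for one entry (values invented for illustration).
AUTHZ_DN = "uid=alice,ou=People,dc=example,dc=com"
SAMPLE_ENTRY = """\
dn: uid=alice,ou=People,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:1,proxy:0
aclRights;attributeLevel;cn: search:1,read:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0
aclRights;attributeLevel;mail: search:1,read:1,compare:1,write:?,selfwrite_add:0,selfwrite_delete:0,proxy:0
aclRights;attributeLevel;owner: search:1,read:1,compare:1,write:0,selfwrite_add:1,selfwrite_delete:0,proxy:0
aclRightsInfo;logs;attributeLevel;write;mail: acl_summary(main): write on mail depends on a targattrfilters component (constructed log text)
"""


def parse_effective_rights(ldif: str) -> dict:
    """Split aclRights/aclRightsInfo lines into entry-level, attribute-level and log dicts."""
    rights = {"entry": {}, "attrs": {}, "logs": {}}
    for line in ldif.splitlines():
        name, _, value = line.partition(": ")
        parts = name.split(";")
        if parts[0] == "aclRights" and parts[1].lower() == "entrylevel":
            # "add:0,delete:0,..." -> {"add": "0", "delete": "0", ...}
            rights["entry"] = dict(p.split(":") for p in value.split(","))
        elif parts[0] == "aclRights" and parts[1].lower() == "attributelevel":
            rights["attrs"][parts[2]] = dict(p.split(":") for p in value.split(","))
        elif parts[0] == "aclRightsInfo":
            # Key the log text by its subtype path, e.g. "logs;attributeLevel;write;mail".
            rights["logs"][";".join(parts[1:])] = value
    return rights


def can_modify_value(rights: dict, attr: str, value: str, op: str, authz_dn: str) -> Optional[bool]:
    """Return True/False for an add or delete of one attribute value, or None when the result is '?'."""
    perms = rights["attrs"].get(attr)
    if perms is None:
        return False  # no attribute-level rights reported for this attribute
    if value.lower() == authz_dn.lower():
        # The authorization DN as a value is governed by the selfwrite permissions.
        perm = perms.get("selfwrite_" + op, "0")
    else:
        perm = perms.get("write", "0")  # write covers both add and delete here
    if perm == "?":
        return None  # consult rights["logs"]["logs;attributeLevel;write;" + attr]
    return perm == "1"
```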
When the effective permission depends on a targattrfilters ACI, the "?" value indicates that the logging information should be consulted for more permission detail. Given the relative complexity of the interdependencies between the write, selfwrite_add, and selfwrite_delete permissions, the following table explains what the possible combinations of these three permissions mean.
The effective rights logging information enables you to understand and debug access control difficulties. The logging information contains an access control summary statement, called the acl_summary, that indicates why access control has been allowed or denied. The access control summary statement includes the following information:
Whether access was allowed or denied
The permissions granted
The target entry of the permissions
The name of the target attribute
The subject of the rights being requested
Whether or not the request was made by proxy, and if so, the proxy authentication DN
The reason for allowing or denying access (important for debugging purposes as explained in the following table)
The following table lists the effective rights logging information reasons and their explanations.
Note - Write permissions for virtual attributes are not provided, nor is any associated logging evaluation information, because virtual attributes cannot be updated.