[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Retrieving permissions from server

To: Lee Jensen <lee_jensen@sento.com>
Subject: Re: Retrieving permissions from server
From: Mike Jackson <mj@sci.fi>
Date: Tue, 01 Mar 2005 21:04:23 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <1109700184.79187.74.camel@localhost>
References: <1109700184.79187.74.camel@localhost>
User-agent: Mozilla Thunderbird 0.7.3 (X11/20040803)

Lee Jensen wrote:

Is there a way that the client accessing the LDAP server can determine
what permissions it has on a given object? Is there a hidden system
attribute I can request or something?

In LDAP (and X500), if you do not have permission to read an object, even if it does exist, then the server will return result code 32 (NO SUCH OBJECT). You are not allowed to attempt to deduce what does exist and what does not exist in a directory.

Given an account with proper permissions, and a server which supports ACIs, you could determine the permissions on a particular object, simply by reading the aci operational attributes and implementing an evaluation routine similar to what the server uses. ACI support has been listed as "experimental" forever in OpenLDAP. I wonder when it will finally be supported.

BR,
--
mike

References:
- Retrieving permissions from server
  - From: Lee Jensen <lee_jensen@sento.com>

Prev by Date: Re: SyncRepl provider failure, ITS 3534 and 3546
Next by Date: Re: [openldap2.1.30 + BerkeleyDB4.2.52] performance problem
Index(es):
- Chronological
- Thread