
Is there any way to programmatically query an OpenLDAP 2.4 server to find out what attributes of some object a user is allowed to modify? Or any way to tell the server to ignore modifications that the current user doesn't have permission to make, instead of rejecting the whole request?

I'm looking for some way I can avoid hard-coding which users should see which fields as editable in my LDAP management webapp.

Cœur
Brad Mace
  • Although I do not know the answer off the top of my head, I can point you in the right direction: take a look at Apache Directory Studio's source code. It's the official GUI manager for Apache's LDAP server. – cheekoo May 10 '11 at 20:31

3 Answers


Please check if this helps.

In this example, he is trying to change ACLs for a specific object. You might be able to re-use the same or similar code.

cheekoo
  • If I'm following it right, it's reading from an operational attribute named `acl`? I've got operational attributes shown in ApacheDS and I don't see any `acl` attributes anywhere. Does the `acl` attribute only show rules specifically for that object? – Brad Mace May 10 '11 at 20:50
  • It's been some time since I stopped working on LDAPs and frankly I never needed to work with ACLs. In debug mode, try fetching the object's ACL as he does in the example. The ACL could be a hidden attribute of the object. Post your results here; they might be useful for others. You can read more about ACLs on LDAPs using Google. – cheekoo May 10 '11 at 20:55

What I found out from the UnboundID folks is that there is no official standard for retrieving ACL info, so any implementation is server-specific.

UnboundID's commercial server provides the ability to get effective access controls for a particular entry, and apparently Sun/Oracle DSEE and OpenDS implement similar features. 389 Directory Server (also known as Fedora Directory Server and as Red Hat Directory Server) may also have some support.

So I guess I'm out of luck with our OpenLDAP servers unless I want to go through the hassle of migrating to a different directory server.

Brad Mace
  • I am sad to hear that, sir! But thanks for putting it here, I am sure someone or other will benefit from the discussion! – cheekoo May 13 '11 at 18:30
  • The name of the control that is available in the UnboundID LDAP SDK (commercial edition) is EffectiveRightsEntry. This request control provides support for determining access rights. – Terry Gardner Nov 23 '11 at 10:49
  • OpenLDAP doesn't support this control. – user207421 Aug 28 '17 at 04:03

If slapd is configured to use cn=config then you may have a shortcut to getting the ACL info. To have slapd use cn=config instead of slapd.conf: http://www.zytrax.com/books/ldap/ch6/slapd-config.html At least if the ACLs are available via LDAP, the modify requests can be filtered before they are executed.

What about `slapadd -u`, which enables dry-run (don't write to backend) mode?

Would that be useful for handling this scenario?

ticktock
  • Good ideas but what I was really looking for was a way to tailor edit forms to the current user's permissions. Different users can write to different attributes of the same objects and that needs to be reflected in the UI somehow. Since there's no way to ask the server "Can this user edit this attribute?" I'm going to be stuck with some sort of hard-coded solution. – Brad Mace May 24 '11 at 14:01
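
The answer above suggests reading the ACLs out of cn=config and filtering modify requests before they are sent. What follows is an added example, not code from the question, the answers or OpenLDAP itself: a small Python evaluator for a subset of the slapd.access(5) syntax that, given the olcAccess values read from the database entry under cn=config, works out which attributes of an entry a given bind DN may write, which is the per-user editability the question asks for. The ACL strings, DNs and attribute names are constructed for illustration. The evaluator supports only `to dn.<style>=`/`attrs=` targets, the `self`/`users`/`anonymous`/`*`/`dn.<style>=` subjects and the plain access levels, and raises on anything else rather than silently granting access it cannot reason about. It assumes slapd's documented evaluation order: rootdn bypasses ACLs, the first matching `to` clause is the only one consulted, its first matching `by` clause decides, and every directive ends with an implicit `by * none`. DN normalisation here is deliberately crude (lowercase, strip blanks around commas).

```python
"""Hypothetical offline evaluator for a subset of OpenLDAP access directives
(slapd.access(5)). Added example; not part of OpenLDAP or of the original page."""
import re
import shlex

# Privilege letters per access level, after the table in slapd.access(5):
# write = add (a) + delete (z). The '+'/'-' incremental styles are not supported.
LEVEL_PRIVS = {
    "none": set(), "disclose": set("d"), "auth": set("dx"), "compare": set("cdx"),
    "search": set("scdx"), "read": set("rscdx"), "add": set("arscdx"),
    "delete": set("zrscdx"), "write": set("azrscdx"), "manage": set("mazrscdx"),
}


def norm_dn(dn):
    """Crude DN normalisation (simplification: no escaping or syntax-aware matching)."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def dn_matches(style, base, dn):
    base, dn = norm_dn(base), norm_dn(dn)
    if style in ("exact", "base"):
        return dn == base
    if style == "subtree":
        return dn == base or dn.endswith("," + base)
    if style == "children":
        return dn != base and dn.endswith("," + base)
    raise ValueError("unsupported dn style: " + style)  # one, regex, ...


def parse_acl(text):
    """Parse 'to <what> by <who> <access> ...' into {'target': ..., 'by': [...]}."""
    tokens = shlex.split(re.sub(r"^\{\d+\}", "", text.strip()))  # drop cn=config {n}
    if not tokens or tokens[0] != "to":
        raise ValueError("directive must start with 'to': " + text)
    segments = [[]]
    for tok in tokens[1:]:
        if tok == "by":
            segments.append([])
        else:
            segments[-1].append(tok)
    target = {"dn": None, "attrs": None}
    for tok in segments[0]:
        key, _, val = tok.partition("=")
        if tok == "*":
            continue
        if key == "attrs":
            target["attrs"] = {a.lower() for a in val.split(",")}
        elif key.startswith("dn."):
            target["dn"] = (key[3:], val)
        else:
            raise ValueError("unsupported target clause: " + tok)
    rules = []
    for clause in segments[1:]:
        if len(clause) != 2 or clause[1] not in LEVEL_PRIVS:
            raise ValueError("unsupported by clause: " + " ".join(clause))
        rules.append((clause[0], LEVEL_PRIVS[clause[1]]))
    return {"target": target, "by": rules}


def load_acls(values):
    """Parse olcAccess values in their {n} order (a search may return them unsorted)."""
    def order(v):
        m = re.match(r"\{(\d+)\}", v.strip())
        return int(m.group(1)) if m else 0
    return [parse_acl(v) for v in sorted(values, key=order)]


def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(entry_dn)
    key, _, val = who.partition("=")
    if key.startswith("dn."):
        return bind_dn != "" and dn_matches(key[3:], val, bind_dn)
    raise ValueError("unsupported who clause: " + who)  # group=, set=, regex, ...


def privileges(acls, bind_dn, entry_dn, attr, rootdn=None):
    """Privilege letters bind_dn holds on attr of entry_dn (slapd first-match rules)."""
    if rootdn and norm_dn(bind_dn) == norm_dn(rootdn):
        return LEVEL_PRIVS["manage"]  # rootdn is never subject to ACLs
    for acl in acls:
        t = acl["target"]
        if t["dn"] and not dn_matches(t["dn"][0], t["dn"][1], entry_dn):
            continue
        if t["attrs"] is not None and attr.lower() not in t["attrs"]:
            continue
        for who, privs in acl["by"]:
            if who_matches(who, bind_dn, entry_dn):
                return privs
        return set()  # 'to' matched, no 'by' did: implicit 'by * none'
    return set()  # no directive matched: denied (read-all default only when no ACLs exist)


def writable_attrs(acls, bind_dn, entry_dn, attrs, rootdn=None):
    """Attributes to render as editable: a replace needs both add (a) and delete (z)."""
    return [a for a in attrs if {"a", "z"} <= privileges(acls, bind_dn, entry_dn, a, rootdn)]


# Constructed sample, shaped like olcAccess values read from olcDatabase={1}mdb,cn=config.
SAMPLE_ACLS = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to attrs=mail,telephoneNumber,description by self write "
    'by dn.subtree="ou=helpdesk,dc=example,dc=com" write by users read',
    '{2}to dn.subtree="ou=people,dc=example,dc=com" '
    'by dn.exact="cn=hr,ou=services,dc=example,dc=com" write by * read',
]

if __name__ == "__main__":
    acls = load_acls(SAMPLE_ACLS)
    entry = "uid=alice,ou=People,dc=example,dc=com"
    fields = ["userPassword", "mail", "telephoneNumber", "cn", "sn"]
    for bind_dn in (entry, "cn=bob,ou=helpdesk,dc=example,dc=com",
                    "cn=hr,ou=services,dc=example,dc=com", ""):
        # Note HR: write on cn/sn via {2}, but only read on mail because {1} matched first.
        print(bind_dn or "<anonymous>", "->", writable_attrs(acls, bind_dn, entry, fields))
```

In practice the values come from a search such as `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' olcAccess` run as an identity allowed to read cn=config (the database RDN varies by installation), with the global directives in `olcDatabase={-1}frontend,cn=config` appended after the database's own, since slapd consults the database ACLs first. Treat the result as a UI hint only: the server still enforces the real ACLs, including regex, group and set clauses this evaluator refuses to parse, so a modify can still fail with insufficientAccessRights and the webapp has to handle that outcome regardless.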