User-agent: Mozilla Thunderbird 0.7.3 (X11/20040803)
Lee Jensen wrote:
> Is there a way that the client accessing the LDAP server can determine
> what permissions it has on a given object? Is there a hidden system
> attribute I can request or something?
In LDAP (and X500), if you do not have permission to read an object, even if it does exist, then
the server will return result code 32 (NO SUCH OBJECT). You are not allowed to attempt to deduce
what does exist and what does not exist in a directory.
Given an account with proper permissions, and a server which supports ACIs, you could determine the
permissions on a particular object, simply by reading the aci operational attributes and
implementing an evaluation routine similar to what the server uses. ACI support has been listed as
"experimental" forever in OpenLDAP. I wonder when it will finally be supported.
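As an added illustration (not code from the thread, nor OpenLDAP's own evaluator) of the "evaluation routine" the reply describes: a client-side, deliberately simplified evaluator for aci values read back from an entry. It assumes the value layout `oid#scope#action;perms;attrs#subject-type#subject`, modelled on the OpenLDAPaci attribute syntax, handles only entry scope and the public/users/self/access-id subject types, and uses constructed sample values.

```python
# Added example, not from the thread. ASSUMED value layout, modelled on the
# OpenLDAPaci syntax: "oid#scope#action;perms;attrs#subject-type#subject".
# Only "entry" scope and public / users / self / access-id subjects handled.

# Constructed sample ACI values (as an authorised account might read them).
SAMPLE_ACIS = [
    "1#entry#grant;r,s,c;[all]#access-id#cn=reader,dc=example,dc=com",
    "2#entry#grant;w;userPassword#self#",
    "3#entry#deny;w;[all]#access-id#cn=reader,dc=example,dc=com",
    "4#entry#grant;r;[all]#public#",
]

def parse_aci(value):
    """Split one ACI value into its fields; ValueError on a malformed value."""
    oid, scope, rights, subj_type, subject = value.split("#", 4)
    action, perms, attrs = rights.split(";", 2)
    return {"oid": oid, "scope": scope, "action": action,
            "perms": set(perms.split(",")), "attrs": attrs,
            "type": subj_type, "subject": subject}

def subject_matches(aci, bind_dn, target_dn):
    """Does the ACI's subject clause apply to this bound identity?"""
    t, me = aci["type"], bind_dn.lower()
    if t == "public":
        return True
    if t == "users":
        return me != ""
    if t == "self":
        return me != "" and me == target_dn.lower()
    if t == "access-id":
        return me != "" and me == aci["subject"].lower()
    return False  # group/set/dnattr need extra lookups: fail closed

def attr_matches(aci, attr):
    """[all] covers every attribute; otherwise the attribute list is explicit."""
    if aci["attrs"] == "[all]":
        return True
    return attr.lower() in (a.lower() for a in aci["attrs"].split(","))

def effective_perms(aci_values, bind_dn, target_dn, attr):
    """Rights bind_dn ends up with on attr of target_dn: grants minus denies."""
    granted, denied = set(), set()
    for aci in map(parse_aci, aci_values):
        if aci["scope"] == "entry" and subject_matches(aci, bind_dn, target_dn) \
                and attr_matches(aci, attr):
            (granted if aci["action"] == "grant" else denied).update(aci["perms"])
    return granted - denied  # a deny always wins, regardless of order
```

Treating a deny as absolute is the conservative reading; a real server's precedence rules are what you would have to mirror exactly, which is why the reply calls this a routine "similar to" the server's.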