
Re: Retrieving permissions from server



Lee Jensen wrote:
Is there a way that the client accessing the LDAP server can determine
what permissions it has on a given object? Is there a hidden system
attribute I can request or something?

In LDAP (and X.500), if you do not have permission to read an object, even if it does exist, then the server will return result code 32 (NO SUCH OBJECT). You are not allowed to attempt to deduce what does exist and what does not exist in a directory.


Given an account with proper permissions, and a server which supports ACIs, you could determine the permissions on a particular object, simply by reading the aci operational attributes and implementing an evaluation routine similar to what the server uses. ACI support has been listed as "experimental" forever in OpenLDAP. I wonder when it will finally be supported.

BR,
--
mike