
view aci or acl information with an ldap client


christian

Apr 14, 2003, 8:14:33 AM
Does anyone know if it is possible to view the acl information with an
ldap admin client (along with the other attributes) ?
Would be nice to see that.

Christian

Bob Fowles

Apr 14, 2003, 3:10:44 PM
It depends on the client. E.g., with ldapsearch, you have to explicitly list
the ACI attribute names that you want to see. If you list them and still
don't see them, you may need additional authorization to access them (e.g.,
an aclentry may restrict who can read those attributes).

Bob Fowles, Penn State

On 4/14/03 8:14 AM, in article b7e8ho$2ulg$2...@news.boulder.ibm.com,

christian

Apr 14, 2003, 4:36:54 PM
I meant with a client like the java ldap browser/editor or the softerra
editor client.
I thought I saw something like that with Novell's edirectory (using the
lbe java client).
I don't find it very productive to use the web administration tool for
something like that :) expand , expand , ... :-)

Christian

Michael Ströder

Apr 14, 2003, 4:46:43 PM
christian wrote:
> I meant with a client like the java ldap browser/editor or the softerra
> editor client.

I'd guess that both of these LDAP clients request all normal attributes by
sending an empty attribute list with the search request. You have to use an LDAP
client which allows you to explicitly request certain attributes.

That's why I've implemented a configuration parameter for this:

http://www.web2ldap.de/web2ldapcnf_hosts.html#requested_attrs

Your mileage may vary.

Of course you also need to have proper access rights.

Ciao, Michael.

christian

Apr 14, 2003, 5:23:03 PM
Thanks for the answer.
Client looks great but I think I will need a java or windows client here.
Softerra client by default does a search with (objectclass=*)
Maybe this is a basic ldap question but how do you define that you want
all attributes and also the extended (aci) attributes ?

Christian

Michael Ströder

Apr 14, 2003, 8:20:28 PM
christian wrote:
> (objectclass=*)

That's the filter.

> Maybe this is a basic ldap question but how do you define that you want
> all attributes and also the extended (aci) attributes ?

A list of attributes is sent in the search request (see RFC2251, section
4.5.1 for details).

$ /usr/ldap/bin/ldapsearch
/usr/ldap/bin/ldapsearch: option requires an argument -- h

Sends a search request to an LDAP server.
usage:
ldapsearch [-b basedn] [options] filter [attributes...]
where:
basedn: base dn for search
(optional if LDAP_BASEDN set in environment)
filter: LDAP search filter
attributes: whitespace-separated list of attributes to retrieve
(if no attribute list is specified, all are retrieved)

Example (quotes for avoiding shell globbing):

$ ldapsearch -b"dc=stroeder,dc=com" "(objectclass=*)" "*" aci

Ciao, Michael.

christian

Apr 16, 2003, 8:05:34 AM
Thanks.
Didn't work with the search filter in softerra but was able to add these
in advanced options (aclentry, entryowner, ... etc.).


Christian
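
Added example, not part of any post in this thread: a small Python model of the attribute-selection rule from RFC 2251, section 4.5.1, that the replies describe, showing why a client that sends an empty attribute list never displays the ACL attributes. The entry data, the function names and the `readable` parameter are assumptions made for illustration; `aci`, `aclentry` and `entryowner` are treated as operational attributes, as the thread describes.

```python
# Added illustration: models how a server chooses the attributes to return
# for a search request (RFC 2251, section 4.5.1). All data is constructed.

# Attribute names taken from the thread; assumed to be operational.
OPERATIONAL = {"aci", "aclentry", "entryowner"}

# Constructed sample entry; the values are placeholders.
ENTRY = {
    "cn": ["Example User"],
    "sn": ["User"],
    "objectClass": ["person"],
    "aclEntry": ["<constructed acl value>"],
    "entryOwner": ["<constructed owner DN>"],
}


def select_attributes(entry, requested, readable=None):
    """Return the attributes a server would send back for `requested`.

    requested: attribute list from the search request.
    readable:  lower-cased names the bound identity may read (None = all);
               a stand-in for the server's access-control decision.
    """
    wanted = {name.lower() for name in requested}
    if wanted == {"1.1"}:                    # "1.1" alone: no attributes
        return {}
    all_user = not wanted or "*" in wanted   # empty list or "*": user attrs
    result = {}
    for name, values in entry.items():
        key = name.lower()                   # attribute names ignore case
        if key in OPERATIONAL:
            selected = key in wanted         # operational: only when named
        else:
            selected = all_user or key in wanted
        if selected and (readable is None or key in readable):
            result[name] = values
    return result


def hidden_acl_attributes(entry, requested, readable=None):
    """Operational attributes on the entry that the reply would omit."""
    returned = {n.lower() for n in select_attributes(entry, requested, readable)}
    present = [n for n in entry if n.lower() in OPERATIONAL]
    return sorted(n for n in present if n.lower() not in returned)


if __name__ == "__main__":
    for attrs in ([], ["*"], ["*", "aclentry", "entryowner"], ["1.1"]):
        print(attrs, "->", sorted(select_attributes(ENTRY, attrs)))
```

The `readable` argument covers the other case raised in the replies: even when the attributes are named, they stay hidden if the bound identity is not allowed to read them.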
