On 08/11/16 at 17:53, Strong, Emily wrote:

> We are trying to develop auditing scripts for our ACIs. So we want to get a
> list of all the ACIs of an OU, similar to what is returned by:
>
> $ ldapsearch -h host -p port -D cn=admin,cn=Administrators,cn=config -w password -b entryDN -s base "(objectclass=*)" aci
>
> We were hoping to use the ACI methods in the LDAP API for this, but it sounds
> like they might not be appropriate?
Ok, here is the thing: there is nothing like a common specification for ACIs across LDAP implementations. OpenLDAP uses one system, ApacheDS uses another one, etc. More important, ACIs are not associated with an entry; they are configured globally.

Let's see how OpenLDAP does that: it defines ACLs on the global server, or per database. Every time you do an operation against the server, authorization will be checked against the configured ACLs. You simply can't read an entry and see what ACLs apply to it.

ApacheDS is different: it implements the X.500 model, where ACIs are defined on an Administrative Area, which can cover many entries. The only thing you'll get for an entry is the reference to the subentry that contains the ACI definition and the associated area which applies to this entry. And as that information is itself subject to authorization, you may perfectly well not have the rights to access it.

SunDS and the other flavors are using a system close to what OpenLDAP implements, with some subtle variations.

All in all, having decent support for ACI/ACL in an API is complex work that is far from being completed. I'm afraid that it's not going to be part of our API before long...

--
Emmanuel Lecharny
Symas.com
directory.apache.org
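For the servers that do expose per-entry `aci` values (the SunDS/389-style syntax that the `ldapsearch ... aci` command in the question returns), an auditing script can work offline on the saved LDIF output. The following is an added example, not code from the thread or from the Apache Directory project; it assumes the Netscape-style ACI syntax (`(targetattr=...)(version 3.0; acl "name"; allow (perms) bindrule;)`), the sample LDIF is constructed, and the "broad grant" heuristics are illustrative rather than a complete policy check. As the reply above explains, it will return nothing useful against OpenLDAP or ApacheDS, where the rules are not stored on the entry.

```python
"""Parse SunDS/389-style ``aci`` attribute values out of an LDIF dump and flag
broad grants.  Added example with a constructed sample; assumes the
Netscape-style ACI syntax, which is not a cross-server standard."""
import re
from dataclasses import dataclass

# Constructed sample of what a base-scope search for the ``aci`` attribute
# might return on a SunDS-style server (not captured from a real server).
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
aci: (targetattr="userPassword")(version 3.0; acl "self write"; allow (write) userdn="ldap:///self";)
aci: (targetattr="*")(version 3.0; acl "admin all"; allow (all) groupdn="ldap:///cn=Directory Administrators,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "anon read"; allow (read,search,compare) userdn="ldap:///anyone";)

dn: ou=Groups,dc=example,dc=com
"""

@dataclass
class Aci:
    entry_dn: str
    name: str
    target_attrs: str          # value of targetattr, "!" prefix when "!=" was used
    rules: list                # [(allow|deny, (perm, ...), bind rule), ...]

ACI_RE = re.compile(r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return [(dn, [aci value, ...]), ...]; entries are separated by blank lines."""
    entries, dn, acis = [], None, []
    for line in unfold(text) + [""]:        # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, acis))
            dn, acis = None, []
        elif line.lower().startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("aci: "):
            acis.append(line[5:].strip())
    return entries

def parse_aci(entry_dn, value):
    """Split one aci value into name, targetattr and its allow/deny rules."""
    m = ACI_RE.search(value)
    if not m:
        raise ValueError("unrecognised aci syntax: " + value)
    name, body = m.group(1), m.group(2)
    t = TARGETATTR_RE.search(value)
    # No targetattr clause means the rule covers every attribute ("*").
    target_attrs = ("!" if t and t.group(1) == "!=" else "") + (t.group(2) if t else "*")
    rules = [(kind, tuple(p.strip() for p in perms.split(",")), bind.strip())
             for kind, perms, bind in RULE_RE.findall(body)]
    return Aci(entry_dn, name, target_attrs, rules)

# Permissions that change data or identity; read-only rights are not listed.
RISKY = {"write", "add", "delete", "all", "selfwrite", "proxy"}

def audit(entries):
    """Return human-readable findings for grants an auditor would want to review.
    Heuristics only: anonymous/anyone with a risky permission, or 'all' on every attribute."""
    findings = []
    for dn, values in entries:
        for value in values:
            aci = parse_aci(dn, value)
            for kind, perms, bind in aci.rules:
                if kind != "allow":
                    continue
                anyone = "ldap:///anyone" in bind or "ldap:///all" in bind
                if anyone and (RISKY & set(perms)):
                    findings.append(f"{dn}: '{aci.name}' grants {','.join(perms)} to {bind}")
                if "all" in perms and aci.target_attrs == "*":
                    findings.append(f"{dn}: '{aci.name}' grants all on every attribute to {bind}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Feed it the LDIF produced by the `ldapsearch` command from the question (one search per OU, or a subtree search with `aci` requested) and extend `RISKY` and the bind-rule checks to match the site's policy; the parser deliberately raises on values it does not understand rather than silently skipping an ACI it failed to audit.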
