Evaluating OUD ACIs on a Per-Entry Basis

I ran into an issue where I couldn’t determine why a certain ACI was not working as expected in Oracle Unified Directory 11gR2. After doing some research, I stumbled onto Effective Rights Control (ERC) within OUD. Effective Rights Control forces OUD to output the ACI that is affecting an entry’s permissions.

Here is the Oracle document on Searching Using the Get Effective Rights Control (http://docs.oracle.com/cd/E29407_01/admin.111200/e22648/managing_data.htm#solTO-SEARCH-USING-THE-GET-EFFECTIVE-RIGHTS-CONTROL)

The following command will display a description of the access permissions for an entry for the categories of add, delete, read, write, and proxy. This command doesn’t get down to the individual attribute level, but may give you coarse insight into which policy is/is not actually affecting an entry.

./ldapsearch -h oud.example.com -p 389 -b "cn=Users,dc=example,dc=com" -D "cn=Directory Manager" --getEffectiveRightsAuthzid "dn:cn=exampleuser,cn=serviceaccounts,dc=example,dc=com" "objectclass=*" aclRightsInfo

The above command looks like a normal ldapsearch with some extra “stuff”.

You can see the normal ldapsearch details: hostname, port, search base.

You need to bind as a user that has access to Effective Rights Control. That is why I have the default OUD administrator listed as the bind DN.
Then comes the first of the ERC-specific options.

--getEffectiveRightsAuthzid "dn:dn"

The option --getEffectiveRightsAuthzid enables ERC and is followed directly by “dn:dn”, where the second dn is the DN of the user whose rights we wish to evaluate. The initial dn: prefix is required.

Then the search filter is set. I have not had success using filters other than objectclass=*, but if you have, feel free to comment about it.
The final argument is the attribute to return, aclRightsInfo. Technically there are two attributes you can request here, either aclRights or aclRightsInfo. aclRights provides a limited summary of what the given user can and cannot do, but it does not list the ACI, so I don’t find it as useful.

An example of aclRights output follows:

dn: uid=mytestuser,cn=users,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0

An example output of aclRightsInfo is:

dn: uid=mytestuser,cn=users,dc=example,dc=com
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(delete) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: evaluated allow , deciding_aci: test acl)
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )

With aclRightsInfo you can see that the read privilege is allowed due to the “test acl” ACI.
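Reading these lines by eye is fine for one entry, but when the search base covers many entries it helps to reduce the output to one verdict per entry and right, with the deciding ACI beside it. The script below is an added example (not part of the original post and not an Oracle tool): it parses aclRights and aclRightsInfo lines from ldapsearch output, unfolds LDIF continuation lines, and reports which ACI decided each right or that no ACI matched. The sample input is constructed from the two outputs shown above, combined as if both attributes had been requested in one search; one line is folded on purpose to exercise the unfolding. The regular expressions assume the entry-level line format shown in the post; attribute-level logs are not handled because the post does not show them.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample ldapsearch output, constructed for this example from the aclRights and
# aclRightsInfo outputs shown in the post, as if both attributes were requested in
# one search. The "write" line is folded LDIF-style (a continuation line starts
# with a single space) to show that unfolding is handled.
SAMPLE_OUTPUT = """\
dn: uid=mytestuser,cn=users,dc=example,dc=com
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(delete) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: evaluated allow , deciding_aci: test acl)
aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: no acis matched the sub
 ject )
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy) on entry/attr(uid=mytestuser,cn=users,dc=example,dc=com, NULL) to (cn=exampleuser,cn=serviceaccounts,dc=example,dc=com) (not proxied) ( reason: no acis matched the subject )
"""


@dataclass(frozen=True)
class Decision:
    """One aclRightsInfo log line: the verdict for one right on one entry."""
    right: str                   # add, delete, read, write or proxy
    allowed: bool
    subject: str                 # DN passed to --getEffectiveRightsAuthzid
    reason: str                  # OUD's stated reason text
    deciding_aci: Optional[str]  # ACI name; None when no ACI matched


@dataclass
class EntryRights:
    dn: str
    summary: Dict[str, bool] = field(default_factory=dict)   # from aclRights
    decisions: List[Decision] = field(default_factory=list)  # from aclRightsInfo


# Patterns written against the entry-level line format shown in the post.
RIGHTS_RE = re.compile(r"^aclRights;entryLevel: (?P<pairs>.+)$")
INFO_RE = re.compile(
    r"^aclRightsInfo;logs;entryLevel;(?P<right>[^:]+): "
    r"acl_summary\(main\): access (?P<decision>allowed|not allowed)\((?P=right)\) "
    r"on entry/attr\((?P<target>.+?), (?P<attr>[^),]*)\) "
    r"to \((?P<subject>[^)]+)\) "
    r"\((?P<proxied>[^)]+)\) "
    r"\( reason: (?P<reason>.+?)(?: , deciding_aci: (?P<aci>.+?))? ?\)$"
)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_effective_rights(text: str) -> Dict[str, EntryRights]:
    """Group aclRights / aclRightsInfo lines under the entry DN they belong to."""
    entries: Dict[str, EntryRights] = {}
    current: Optional[EntryRights] = None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = line[len("dn: "):].strip()
            current = entries.setdefault(dn, EntryRights(dn))
            continue
        if current is None or not line.strip():
            continue
        m = RIGHTS_RE.match(line)
        if m:  # aclRights bitmap, e.g. add:0,delete:0,read:1,write:0,proxy:0
            for pair in m["pairs"].split(","):
                right, bit = pair.split(":")
                current.summary[right.strip()] = bit.strip() == "1"
            continue
        m = INFO_RE.match(line)
        if m:  # aclRightsInfo log line; m["aci"] is None when no ACI matched
            current.decisions.append(Decision(
                right=m["right"], allowed=m["decision"] == "allowed",
                subject=m["subject"], reason=m["reason"], deciding_aci=m["aci"]))
    return entries


def deciding_acis(entry: EntryRights) -> Dict[str, Optional[str]]:
    """Which ACI decided each right (None where no ACI matched the subject)."""
    return {d.right: d.deciding_aci for d in entry.decisions}


def unmatched_rights(entry: EntryRights) -> List[str]:
    """Rights denied because no ACI matched the subject at all: the usual sign that
    the intended ACI's target or bind rule does not cover this entry."""
    return [d.right for d in entry.decisions if not d.allowed and d.deciding_aci is None]


def summary_consistent(entry: EntryRights) -> bool:
    """Cross-check the aclRights bitmap against the aclRightsInfo verdicts."""
    verdicts = {d.right: d.allowed for d in entry.decisions}
    return all(verdicts.get(r) == v for r, v in entry.summary.items())


def report(text: str) -> str:
    """One line per (entry, right), naming the deciding ACI or the reason."""
    out: List[str] = []
    for dn, entry in parse_effective_rights(text).items():
        out.append(dn)
        for d in entry.decisions:
            via = f"via ACI '{d.deciding_aci}'" if d.deciding_aci else f"({d.reason})"
            out.append(f"  {'ALLOW' if d.allowed else 'DENY '} {d.right:<6} {via}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe real ldapsearch output in; with no piped input, run on the sample.
    print(report(SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()))
```

Pipe the output of the ldapsearch above into the script (requesting both aclRights and aclRightsInfo as the trailing attributes) and every entry under the search base gets five verdict lines. The rights that unmatched_rights() returns are where an ACI is silently not applying at all, which is a different problem from an ACI that matches but denies; summary_consistent() is a cheap check that the aclRights bitmap and the aclRightsInfo logs describe the same decisions.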

It just so happens that this result is displayed even though I have several attributes restricted from being read by another ACI that is not described in the output. But the lifesaving part of this functionality was that it enabled me to see when my ACIs were applicable/inapplicable. As a result, this isn’t a perfect solution but was definitely critical in tracking down where I was having issues with my ACI configurations.

Hopefully this will assist in the debugging process next time you encounter issues.