Setting ACL entries (aka trustees) in eDirectory with IDM is possible but far from self-explanatory. There is no DirXMLScript token that translates the API bit codes into human-readable ACL flag names, and setting special trustees like [Root] or [Public] requires a special syntax.
Here's what I found about this topic in the forums, compiled for easy reference (and my own laziness :-) since Geoffrey did not write an article about it yet ;-)
ACL is a structured attribute, with three components: "protectedName", "trustee" and "privileges". Setting an ACL entry in DirXMLScript can be done this way:
```xml
<do-add-dest-attr-value class-name="User" name="ACL">
  <arg-value type="structured">
    <arg-component name="protectedName">
      <token-text xml:space="preserve">Internet Email Address</token-text>
    </arg-component>
    <arg-component name="trustee">
      <token-text xml:space="preserve">\VAULT-TREE\edu\acme\proxies\proxy</token-text>
    </arg-component>
    <arg-component name="privileges">
      <token-text xml:space="preserve">0</token-text>
    </arg-component>
  </arg-value>
</do-add-dest-attr-value>
```
The protectedName component can be the name of an attribute or something like [All Attributes Rights] or [Entry Rights].
The trustee component has to be a DN in slash form and can also be \[Root], \[Self], \[Inherited Rights Filter], \[Public] or \[This] (make sure to include the leading backslash!).
The privileges component is coded bitwise:

Rights to attributes:

| Bit | Right |
|---|---|
| 1 | Compare |
| 2 | Read |
| 4 | Write |
| 8 | Add Self |
| 16 | (unused) |
| 32 | Supervisor |
| 64 | Inheritance Control |

Rights to entries:

| Bit | Right |
|---|---|
| 1 | Browse |
| 2 | Add |
| 4 | Delete |
| 8 | Rename |
| 16 | Supervisor |
| 32 | (unused) |
| 64 | Inheritance Control |
The meaning of the inheritance control bit (0 or 1 -> block or inherit) depends on the eDirectory version and on whether the protectedName is an individual attribute, [All Attributes Rights] or [Entry Rights]. The following table is taken from http://developer.novell.com/documentation/ndslib/n...
| NetWare Version | Object Right DS_ENTRY_INHERIT_CTL | [All Attributes Rights] DS_ATTR_INHERIT_CTL | Specific Attribute DS_ATTR_INHERIT_CTL |
|---|---|---|---|
| NetWare 4.x | NetWare 4.x does not support this functionality. Inheritance of object rights is always supported. NetWare 4.x requires this bit to be set to 0. | NetWare 4.x does not support this functionality. Inheritance of rights to [All Attributes Rights] is always supported. NetWare 4.x requires this bit to be set to 0. | NetWare 4.x does not support this functionality. Inheritance of ACLs to specific attributes is always blocked. NetWare 4.x requires this bit to be set to 0. |
| NetWare 5.x | NetWare 5.x supports this right. Set this bit to 0 (zero) to allow the inheritance of the rights in the ACL. Set this bit to 1 (one) to block the inheritance of the ACL rights. | NetWare 5.x supports this right. Set this bit to 0 (zero) to allow the inheritance of the rights in the ACL. Set this bit to 1 (one) to block the inheritance of the ACL rights. | NetWare 5.x supports this right. Set this bit to 1 (one) to allow the inheritance of the rights in the ACL. Set this bit to 0 (zero) to block the inheritance of the ACL rights. |
I guess the NetWare 5.x row also covers all current eDirectory versions, even if they run on Linux, Windows or elsewhere ;-)
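Since there is no DirXMLScript token for the translation, here is a small helper I added for this article (not part of the original post or of IDM) that encodes and decodes the privileges value from the bit tables above, applies the NetWare 5.x/eDirectory meaning of the inheritance control bit, and emits the do-add-dest-attr-value structure shown earlier; the function names and the sample trustee DN are my own.

```python
# Added example: eDirectory ACL "privileges" encoding/decoding for IDM rules.
# Bit tables and XML shape follow the article; helper names are assumptions.
from xml.sax.saxutils import escape

ATTR_RIGHTS = {"Compare": 1, "Read": 2, "Write": 4, "Add Self": 8,
               "Supervisor": 32, "Inheritance Control": 64}
ENTRY_RIGHTS = {"Browse": 1, "Add": 2, "Delete": 4, "Rename": 8,
                "Supervisor": 16, "Inheritance Control": 64}

def rights_table(protected_name):
    """[Entry Rights] uses the entry bit layout; any attribute name
    and [All Attributes Rights] use the attribute layout."""
    return ENTRY_RIGHTS if protected_name == "[Entry Rights]" else ATTR_RIGHTS

def encode_privileges(protected_name, names):
    """OR the named rights into the integer IDM expects in <privileges>."""
    table = rights_table(protected_name)
    value = 0
    for name in names:
        if name not in table:
            raise ValueError(f"unknown right {name!r} for {protected_name}")
        value |= table[name]
    return value

def decode_privileges(protected_name, value):
    """Reverse mapping: integer -> list of human-readable right names."""
    table = rights_table(protected_name)
    return [name for name, bit in table.items() if value & bit]

def inheritance_blocked(protected_name, value):
    """NetWare 5.x / eDirectory semantics of bit 64: for [Entry Rights] and
    [All Attributes Rights] a set bit blocks inheritance; for a specific
    attribute a cleared bit blocks it (see the table above)."""
    bit_set = bool(value & 64)
    if protected_name in ("[Entry Rights]", "[All Attributes Rights]"):
        return bit_set
    return not bit_set

def acl_add_value_xml(class_name, protected_name, trustee, privileges):
    """Render the DirXMLScript do-add-dest-attr-value for one ACL entry."""
    comps = [("protectedName", protected_name), ("trustee", trustee),
             ("privileges", str(privileges))]
    lines = [f'<do-add-dest-attr-value class-name="{escape(class_name)}" name="ACL">',
             '  <arg-value type="structured">']
    for comp, text in comps:
        lines.append(f'    <arg-component name="{comp}">')
        lines.append(f'      <token-text xml:space="preserve">{escape(text)}</token-text>')
        lines.append('    </arg-component>')
    lines += ['  </arg-value>', '</do-add-dest-attr-value>']
    return "\n".join(lines)
```

Granting [Public] Browse on an entry is `acl_add_value_xml("User", "[Entry Rights]", "\\[Public]", encode_privileges("[Entry Rights]", ["Browse"]))`; note the trustee string keeps the leading backslash the article insists on.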
Thanks to Father Ramon for helping us all that much on the forums, without his input I wouldn't have been able to put this all together.
User Comments
Did too!
Submitted by geoffc on 25 November 2008 - 8:31pm.
Lothar, just to be annoying, I actually DID write an article about this topic, sort of... But actually, I think I like your version better!
http://www.novell.com/communities/node/5686/cool-t...
Part four of my Toolkit rule article set (Part 2 just got published this week) will talk about comparing ACL values inside the toolkit rule. :)
Oops, how could I miss that?
Submitted by lhaeger on 26 November 2008 - 9:51am.
Geoffrey, sorry for having missed that article, still don't know them all by heart. And no annoyance at all, in fact I was wondering how it could happen that you've left out that topic so far... ;-) Cheers, Lothar