Object ACL

Object ACL is used for attributes whose values represent ACL entries.

Syntax ID

#define SYN_OBJECT_ACL 17

LDAP Name

NDS ACL

ASN.1 ID

2.16.840.1.113719.1.1.5.1.17

API Data Structure

typedef struct 
{
   pnstr8          protectedAttrName; 
   pnstr8          subjectName; 
   nuint32         privileges; 
} Object_ACL_T;

Transfer Format

uint32     Length 
unicode    Name of Protected Attribute 
Align4 
unicode    Subject Name 
Align4 
uint32     Privileges

LDAP Format

String

ndsAcl = privileges "#" scope "#" subjectname "#"
      protectedattrname

privileges = uint32string

scope = "entry" / "subtree"

subjectname = distinguishedname / "[Self]" / "[Creator]" / 
              "[Public]" / "[Inheritance Mask]" / "[Root]"

protectedattrname = caseignorestring / "[Entry Rights]" /
                   "[All Attribute Rights]"

Binary

ndsAcl ::= SEQUENCE {
   privileges          uint32,
   subjectName         LDAPDN,
   protectedAttrName   LDAPString
}

Matching Rules

Equality, Approximate

Remarks

For help in understanding the syntax definition template, see Reading Syntax Definitions.

An Object ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. If an ACL entry is to apply to the object as a whole, the protected attribute name should be left empty (NULL). If a specific attribute is to be protected, it should be named in the ACL entry.

You can match an ACL value against either a subject (trustee) or a privilege set, or both. If the subject name is not to be considered in the comparison, specify it as NULL. If the privilege set is not to be considered in the comparison, specify an “approximate match” with a privilege set value of zero.

The Object ACL syntax supports both matching for equality and approximate matching. The difference between matching for equality and approximate matching concerns the privileges field of the comparison value. When matching for equality, the privilege set must match exactly for the comparison to succeed. When approximate matching has been selected, any bits in the privilege field in the filter that are set must also be set in the target. Any other bits in the target are ignored.

Values with the same protectedAttrName and subjectName fields are considered to be duplicate, and so are not permitted.
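
The following Python is an added illustration written for this page; it is not code from the NDK or from eDirectory. It parses values in the LDAP string form given above, applies the equality and approximate comparison rules from the Remarks (including a NULL subject and a zero privilege set meaning "not considered"), and checks for the duplicate (protectedAttrName, subjectName) pairs that are not permitted. The sample ACL values are constructed, the privilege bit values are arbitrary numbers (the bit meanings are defined by Object_ACL_T and are not reproduced here), and case-insensitive comparison of subject names is an assumption made for the example.

```python
"""Parse eDirectory Object ACL values (LDAP string form) and apply the
equality / approximate comparison rules described in the Remarks.
Added example, not NDK or eDirectory code.  Sample values are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Special tokens taken from the string grammar on this page.
SPECIAL_SUBJECTS = {"[Self]", "[Creator]", "[Public]", "[Inheritance Mask]", "[Root]"}
SPECIAL_ATTRS = {"[Entry Rights]", "[All Attribute Rights]"}
SCOPES = ("entry", "subtree")


@dataclass(frozen=True)
class NdsAcl:
    privileges: int           # uint32 bit mask; bit meanings live in Object_ACL_T, not here
    scope: str                # "entry" or "subtree"
    subject_name: str         # trustee DN or one of the bracketed special subjects
    protected_attr_name: str  # attribute name or one of the bracketed special names

    def to_ldap_string(self) -> str:
        return f"{self.privileges}#{self.scope}#{self.subject_name}#{self.protected_attr_name}"


def parse_nds_acl(value: str) -> NdsAcl:
    """Parse  privileges "#" scope "#" subjectname "#" protectedattrname.

    Only the first three '#' are separators: the grammar gives no escaping rule,
    so the trailing attribute name is taken verbatim even if it contains '#'.
    Every field is validated before a value object is built."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError(f"expected four '#'-separated fields: {value!r}")
    priv_s, scope, subject, attr = parts
    if not re.fullmatch(r"[0-9]+", priv_s):
        raise ValueError(f"privileges must be an unsigned decimal integer: {priv_s!r}")
    privileges = int(priv_s)
    if privileges > 0xFFFFFFFF:
        raise ValueError(f"privileges does not fit in uint32: {privileges}")
    if scope not in SCOPES:
        raise ValueError(f"scope must be 'entry' or 'subtree': {scope!r}")
    if not subject or (subject.startswith("[") and subject not in SPECIAL_SUBJECTS):
        raise ValueError(f"bad subject name: {subject!r}")
    if not attr or (attr.startswith("[") and attr not in SPECIAL_ATTRS):
        raise ValueError(f"bad protected attribute name: {attr!r}")
    return NdsAcl(privileges, scope, subject, attr)


def _same_name(a: str, b: str) -> bool:
    # Assumption for this example: names compare case-insensitively (the attribute
    # name is a caseignorestring; a real server applies DN matching rules to DNs).
    return a.casefold() == b.casefold()


def acl_matches(target: NdsAcl, subject: Optional[str], privileges: int, approximate: bool) -> bool:
    """Compare a stored ACL value against a comparison value.

    subject None      -> trustee not considered (the page's "specify it as NULL").
    approximate=False -> privilege sets must be identical.
    approximate=True  -> every bit set in the comparison value must be set in the
                         target; extra target bits are ignored.  A value of 0 thus
                         matches any target, which is how privileges are ignored."""
    if subject is not None and not _same_name(subject, target.subject_name):
        return False
    if approximate:
        return (target.privileges & privileges) == privileges
    return target.privileges == privileges


def find_matching(values: Iterable[str], subject: Optional[str],
                  privileges: int, approximate: bool) -> List[NdsAcl]:
    """Parse each stored string value and keep those matching the comparison value."""
    return [a for a in map(parse_nds_acl, values) if acl_matches(a, subject, privileges, approximate)]


def duplicate_keys(values: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (protectedAttrName, subjectName) pairs that occur more than once;
    the page says such values are duplicates regardless of privileges or scope."""
    seen, dups = set(), []
    for a in map(parse_nds_acl, values):
        key = (a.protected_attr_name.casefold(), a.subject_name.casefold())
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


# Constructed sample values for one object's ACL attribute (not from a real tree).
SAMPLE_ACL = [
    "7#subtree#cn=admin,o=example#[All Attribute Rights]",
    "1#entry#[Public]#[Entry Rights]",
    "3#subtree#cn=helpdesk,ou=it,o=example#Telephone Number",
]

if __name__ == "__main__":
    for v in SAMPLE_ACL:
        print(parse_nds_acl(v))
    print(find_matching(SAMPLE_ACL, None, 1, approximate=True))   # all three: bit 1 set in each
    print(find_matching(SAMPLE_ACL, None, 1, approximate=False))  # only the [Public] entry
    print(duplicate_keys(SAMPLE_ACL + ["2#entry#CN=ADMIN,O=EXAMPLE#[All Attribute Rights]"]))
```

Note the difference between the two privilege comparisons: with approximate matching a comparison value of 0 matches every entry, whereas with equality matching a value of 0 matches only entries whose privilege set is actually empty, so a client that wants to ignore privileges must request the approximate match, exactly as the Remarks state.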

For information on the bit mask for the privileges field and on the special values available for the protectedAttrName and subjectName fields, see the Object_ACL_T structure (NDK: Novell eDirectory Core Services).

Used In