I want to check for access privileges of directory managers which we create other than cn=Directory Manager.
I can see all the directory managers created on the directory managers tab on the common task page. But I am not able to check for privileges of directory managers.
I want to know under which instance these users are present so that I can just traverse the DN and check for access control instructions for them.
If anyone can help here please.
I am not sure about 6.3/11g; however, in 5.2 you could check that. Anyway, irrespective of version, the best is to get a dump of all ACIs and then go through each one; you might have individual ACIs or a single one, depending on how it has been set up.
At times, people also employ customized scripts to check the permissions, if they need to perform this task as part of an audit requirement.
The problem I am facing is that there are several LDAP instances which I can see when I access the DSCC admin console. When I enter any of the instances I can see the ACIs for that particular instance and I can find out what access controls are present for that instance. But I want to check for root level ACIs which should be applicable to the directory managers that we create in parallel to cn=Directory Manager. I am pretty sure these directory managers are created in the admin instance only.
Suppose I have one more admin user, cn=admin1,cn=Administrator, through which I access the DSCC admin console. Now I want to check what access restrictions are applied to this admin user. For sure this user was created by logging in to the DSCC console with the cn=Directory Manager user.
Let me know if there is any way to access or check for root level ACIs.
Appreciate your help on this.
Just for reference, the LDAP Directory root user, generally known as "cn=Directory Manager", is not subject to any ACI, just because he is the 'root' account of that Directory Server instance.
If you're talking about DSCC Administrators, then the subject is slightly different: these users are defined within the DSCC Administrative Instance (that's still an LDAP instance) that's generally running on port 3998.
You may want to explore the ACIs on that DS structure.
As Marco mentioned, the default DM does not have any ACIs (I believe you're already aware of this); also, as he mentioned, if you're looking for "DSCC Administrators", then check within the admin instance on port "3998" or whatever port number you've set up.
Now, if the question is "how" to look for root ACIs, for that you can utilize any LDAP browser. I use Softerra ( http://www.ldapbrowser.com ), which displays all the ACIs based on each main suffix - root/sub-suffix etc. By default, ACI display is not enabled; you have to enable it within the attribute display settings.
If you don't have Softerra, then you need to perform an LDAP search for the root suffix only (base search) and get all the ACIs.
Besides Softerra, which is definitely a good (but licensed) tool, you could also consider some more 'free' LDAP browsers:
1) Apache Directory Studio [ http://directory.apache.org/studio ]
2) JXplorer [ http://jxplorer.org ]
3) The 'good old' java based LDAP Browser Explorer [ http://www.novell.com/communities/node/8652/gawors-excellent-ldap-browsereditor-v282 ]
4) The 'good old' command line tool, that will always work: ldapsearch
ldapsearch -b "cn=dscc" -D "cn=Directory Manager" -w <PASSWORD> -p 3998 cn=dscc aci
Note that you have to explicitly query the 'aci' attribute to get the list of ACIs defined.
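The advice in this thread boils down to two steps: dump every aci attribute from the admin instance with ldapsearch, then go through each ACI and work out which ones can apply to a given DSCC administrator. The following script is an added example, not code from the thread or from the Directory Server product. It parses the LDIF that ldapsearch prints (including folded continuation lines and base64 "aci::" values) with the DSEE v3.0 ACI syntax, and lists every ACI whose userdn bind rule can apply to a chosen bind DN. The LDIF, the DNs and the ACIs in SAMPLE_LDIF are constructed for the example and are not a real dump; groupdn/roledn bind rules are only flagged, since membership cannot be resolved without querying the directory.

```python
import base64
import fnmatch
import re

# Constructed sample of what `ldapsearch -b "cn=dscc" -p 3998 ... aci` might print.
# All entries, DNs and ACIs below are hypothetical. The last ACI of the first
# entry is folded across lines, and one value uses base64 ("aci::") encoding.
_SELF_ACI = '(targetattr="*")(version 3.0; acl "Self write"; allow (write) userdn="ldap:///self";)'
SAMPLE_LDIF = '''\
dn: cn=dscc
objectClass: top
objectClass: nsContainer
cn: dscc
aci: (targetattr="*")(version 3.0; acl "Directory Administrators"; allow (all
 ) userdn="ldap:///cn=admin1,cn=Administrators,cn=dscc";)
aci: (targetattr="userPassword")(version 3.0; acl "Deny password read"; deny (
 read,search) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Read only admin"; allow (read,search) u
 serdn="ldap:///cn=admin2,cn=Administrators,cn=dscc";)

dn: cn=Administrators,cn=dscc
objectClass: top
objectClass: nsContainer
cn: Administrators
aci:: ''' + base64.b64encode(_SELF_ACI.encode()).decode() + '''
aci: (target="ldap:///cn=dscc")(targetattr="*")(version 3.0; acl "Group admins"
 ; allow (read,search,compare) groupdn="ldap:///cn=ro,cn=Administrators,cn=dscc";)
'''

# Leading target clauses, then the version/acl header, then the permission rules.
ACI_RE = re.compile(r'^(?P<targets>(?:\(\w+\s*!?=\s*"[^"]*"\)\s*)*)'
                    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*(?P<rules>.*)\)\s*$',
                    re.DOTALL)
# One "allow (rights) bind-rule;" or "deny (...) ...;" clause at a time.
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*(?=allow|deny|$)', re.DOTALL)


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from LDIF text: unfolds lines that start
    with a single space and decodes base64 values written as 'attr:: ...'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # continuation of the previous line
            else:
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):         # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries


def parse_aci(aci):
    """Return [(acl_name, targets, effect, rights, bind_rule)] for one ACI value."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax: " + aci)
    targets = dict(re.findall(r'\((\w+)\s*!?=\s*"([^"]*)"\)', m.group("targets")))
    return [(m.group("name"), targets, effect,
             [r.strip() for r in rights.split(",")], bind_rule.strip())
            for effect, rights, bind_rule in RULE_RE.findall(m.group("rules"))]


def _norm(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def bind_rule_matches(bind_rule, bind_dn):
    """Reasons why the bind rule can apply to bind_dn (empty list = cannot).
    Only userdn is evaluated offline; groupdn/roledn are flagged for follow-up."""
    reasons = []
    for spec in re.findall(r'userdn\s*=\s*"([^"]*)"', bind_rule):
        for url in spec.split("||"):          # userdn="ldap:///a || ldap:///b"
            url = url.strip()
            if not url.lower().startswith("ldap:///"):
                continue
            subject = url[len("ldap:///"):]
            key = subject.lower()
            if key == "anyone":
                reasons.append("anyone (including anonymous binds)")
            elif key == "all":
                reasons.append("all authenticated users")
            elif key == "self":
                reasons.append("self (only when acting on the user's own entry)")
            elif fnmatch.fnmatchcase(_norm(bind_dn), _norm(subject)):
                reasons.append("userdn " + subject)  # exact DN or wildcard pattern
    if re.search(r"(groupdn|roledn)\s*=", bind_rule):
        reasons.append("groupdn/roledn present: membership not resolved offline")
    return reasons


def audit(ldif_text, bind_dn):
    """Return [(entry_dn, acl_name, effect, rights, reasons)] for every ACI in the
    dump whose bind rule can apply to bind_dn."""
    hits = []
    for entry_dn, attrs in parse_ldif(ldif_text):
        for aci in attrs.get("aci", []):
            for name, targets, effect, rights, bind_rule in parse_aci(aci):
                reasons = bind_rule_matches(bind_rule, bind_dn)
                if reasons:
                    hits.append((entry_dn, name, effect, rights, reasons))
    return hits


if __name__ == "__main__":
    who = "cn=admin1,cn=Administrators,cn=dscc"   # hypothetical DSCC administrator
    for entry_dn, name, effect, rights, reasons in audit(SAMPLE_LDIF, who):
        print(f'{entry_dn}: acl "{name}" {effect} ({",".join(rights)}) via {"; ".join(reasons)}')
```

To use it on a real admin instance, save the output of the ldapsearch above to a file and pass its contents to audit() with the DN of the administrator being reviewed; anything reported as groupdn/roledn still needs a membership lookup against the instance before it can be counted as effective.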
FYI - I had the same impression that Softerra is "only" available in a licensed version; however, there is a "read-only" free version available for download - http://www.ldapbrowser.com/info_softerra-ldap-browser.htm
I agree with your suggestion on using command line.