6 Replies Latest reply: Jul 19, 2012 3:35 AM by John Prince

How to check for privileges of directory manager in DSEE 6.3

950175 Newbie
Hi,

I want to check the access privileges of the directory managers which we create other than cn=Directory Manager.

I can see all the directory managers created on the directory managers tab on the common task page. But I am not able to check the privileges of the directory managers.

I want to know under which instance these users are present so that I can just traverse the DN and check for access control instructions for them.

If anyone can help here please.

Regards,
Neeraj.
  • 1. Re: How to check for privileges of directory manager in DSEE 6.3
    John Prince Newbie
    I am not sure about 6.3/11g; however, in 5.2 you could check that. Anyway, irrespective of version, the best approach is to get a dump of all ACIs and then go through each one; you might have individual ACIs or a single one, depending on how it was set up.

    At times, people also employ a customized script to check the permissions, if they need to perform this task as part of an audit requirement.

    John.
  • 2. Re: How to check for privileges of directory manager in DSEE 6.3
    950175 Newbie
    Hi John,

    The problem I am facing is that there are several LDAP instances which I can see when I access the DSCC admin console. When I enter any of the instances I can see the ACIs for that particular instance and I can find out what access controls are present for that instance. But I want to check for root level ACIs which should be applicable to the directory managers that we create in parallel to cn=Directory Manager. I am pretty sure these directory managers are created in the admin instance only.

    Suppose I have one more admin user cn=admin1,cn=Administrator through which I access the DSCC admin console. Now what I want to check is what access restrictions are applied to this admin user. For sure this user was created by logging in to the DSCC console as the cn=Directory Manager user.

    Let me know if there is any way to access or check for root level ACIs.

    Appreciate your help on this.

    Regards,
    Neeraj.
  • 3. Re: How to check for privileges of directory manager in DSEE 6.3
    Marco Milo Journeyer
    Hi,
    just for reference, the LDAP Directory root user, generally known as "cn=Directory Manager", is not subject to any ACI, just because he's the 'root' account of that Directory Server instance.

    If you're talking about DSCC Administrators, then the subject is slightly different: these users are defined within the DSCC Administrative Instance (that's still an LDAP instance) that's generally running on port 3998.

    You may want to explore the ACIs on that DS structure.

    HTH,
    Marco
  • 4. Re: How to check for privileges of directory manager in DSEE 6.3
    John Prince Newbie
    As Marco mentioned, the default DM does not have any ACIs (I believe you're already aware of this). Also, as he mentioned, if you're looking for "DSCC Administrators", then check within the admin instance "3998" or whatever port # you've set up.

    Now, if the question is "how" to look for the Root ACI, for that you can utilize any LDAP browser. I use Softerra ( http://www.ldapbrowser.com ), which displays all the ACIs based on each main suffix - root/sub-suffix etc. By default, ACI display is not enabled, so you have to enable it within the attribute display settings.

    If you don't have Softerra, then you need to perform an LDAP search for the Root Suffix only (base search) and get all the ACIs.

    JPrince.
  • 5. Re: How to check for privileges of directory manager in DSEE 6.3
    Marco Milo Journeyer
    Besides Softerra, which is definitely a good (but licensed) tool, you could also consider some more 'free' LDAP browsers:

    1) Apache Directory Studio [ http://directory.apache.org/studio ]

    2) JXplorer [ http://jxplorer.org ]

    3) The 'good old' java based LDAP Browser Explorer [ http://www.novell.com/communities/node/8652/gawors-excellent-ldap-browsereditor-v282 ]

    4) The 'good old' command line tool, that will always work: ldapsearch

    ldapsearch -b "cn=dscc" -D "cn=Directory Manager" -w <PASSWORD> -p 3998 cn=dscc aci

    Note that you have to explicitly query the 'aci' attribute to get the list of ACIs defined.

    HTH,
    Marco
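
An added example, not part of the original thread: a Python sketch of the kind of audit script mentioned above, which parses the LDIF printed by the ldapsearch command and lists the ACIs whose bind rule covers a given administrator DN. The sample LDIF, the ACL names and the function names are constructed for illustration; it assumes one permission/bind rule per ACI and does not resolve group or role membership or wildcard DNs.

```python
import base64
import re

# Constructed sample of `ldapsearch ... aci` LDIF output; not real DSCC ACIs.
SAMPLE_LDIF = '''dn: cn=dscc
aci: (targetattr="*")(version 3.0; acl "Constructed admin full access"; allow
  (all) userdn="ldap:///cn=admin1,cn=Administrator";)
aci: (targetattr!="userPassword")(version 3.0; acl "Constructed read for auth
 enticated"; allow (read,search,compare) userdn="ldap:///all";)
aci: (targetattr="*")(version 3.0; acl "Constructed group rule"; allow (write)
  groupdn="ldap:///cn=ops,cn=dscc";)
'''

ACI_RE = re.compile(r'acl\s+"([^"]+)"\s*;\s*(allow|deny)\s*\(([^)]*)\)(.*)', re.S)
SUBJECT_RE = re.compile(r'(userdn|groupdn|roledn)\s*(!?=)\s*"([^"]*)"', re.I)

def parse_acis(ldif):
    """Return one dict per aci value: entry DN, ACL name, allow/deny, rights, subjects."""
    entry, out = None, []
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():   # undo LDIF line folding
        key, _, val = line.partition(":")
        if key.lower() not in ("dn", "aci"):
            continue
        if val.startswith(":"):                               # "aci:: ..." is base64
            val = base64.b64decode(val[1:]).decode("utf-8")
        m = ACI_RE.search(val)
        if key.lower() == "dn":
            entry = val.strip()
        elif m:
            subjects = [(k.lower(), op, v) for k, op, v in SUBJECT_RE.findall(m.group(4))]
            out.append({"entry": entry, "name": m.group(1), "kind": m.group(2), "subjects": subjects,
                        "rights": [r.strip() for r in m.group(3).split(",")]})
    return out

def norm(dn):
    # Comparison key ignoring case and spaces around commas (DN escaping not handled).
    return ",".join(part.strip().lower() for part in dn.split(","))

def acis_for(ldif, bind_dn):
    """List (acl name, allow/deny, rights, reason) for ACIs that may cover bind_dn."""
    hits = []
    for aci in parse_acis(ldif):
        for keyword, op, urls in aci["subjects"]:
            targets = {norm(u.strip()[len("ldap:///"):]) for u in urls.split("||")}
            # groupdn/roledn and negated rules need a membership lookup: flag for review
            reason = ("review " + keyword + op if keyword != "userdn" or op == "!=" else
                      "direct" if norm(bind_dn) in targets else
                      "everyone" if targets & {"all", "anyone"} else None)
            if reason:
                hits.append((aci["name"], aci["kind"], aci["rights"], reason))
    return hits
```

Calling `acis_for(ldif_text, "cn=admin1,cn=Administrator")` on saved ldapsearch output gives the rules to read by hand; entries marked "review" depend on group or role membership that this sketch does not look up.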
  • 6. Re: How to check for privileges of directory manager in DSEE 6.3
    John Prince Newbie
    Marco

    FYI - I had the same impression that Softerra is "only" available in licensed version, however there is a "read" only free version available for download - http://www.ldapbrowser.com/info_softerra-ldap-browser.htm

    I agree with your suggestion on using command line.

    JPrince
