Brad Mace - 2 months ago
Java Question

programmatically querying LDAP permissions

Is there any way to programmatically query an OpenLDAP 2.4 server to find out what attributes of some object a user is allowed to modify? Or any way to tell the server to ignore modifications that the current user doesn't have permission to make, instead of rejecting the whole request?

I'm looking for some way I can avoid hard-coding which users should see which fields as editable in my LDAP management webapp.

Answer Source

What I found out from the UnboundID folks is that there is no official standard for retrieving ACL info, so any implementation is server-specific.

UnboundID's commercial server provides the ability to get effective access controls for a particular entry and apparently Sun/Oracle DSEE and OpenDS implement similar features. 389 Directory Server (also known as Fedora Directory Server also known as Red Hat Directory Server) may also have some support.

So I guess I'm out of luck with our OpenLDAP servers unless I want to go through the hassle of migrating to a different directory server.
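The answer above points at the server-specific "get effective rights" feature of DSEE, OpenDS and 389 Directory Server. Those servers report the result as two virtual attributes on each returned entry, `entryLevelRights` and `attributeLevelRights`, the latter as one value per attribute in the documented form `attr:read:1,search:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0`. Below is an added Java example (not code from the question or answer, and not tied to any SDK) that parses those values to decide which fields a webapp should render as editable, and then drops disallowed attributes from a pending modify so the server never sees a request it would reject wholesale. Sending the control itself (OID 1.3.6.1.4.1.42.2.27.9.5.2) is server-specific and is not shown; the sample values are constructed, not output from a real server, and, as the answer says, OpenLDAP does not implement this control.

```java
import java.util.*;

/**
 * Parses the attributeLevelRights values returned by DSEE / 389 DS / OpenDJ
 * when a search carries the Get Effective Rights control.
 * Value format (documented by those servers):
 *   "<attr>:<right>:<0|1>,<right>:<0|1>,..."
 * Added example code; the sample data in main() is constructed.
 */
public final class EffectiveRights {

    private EffectiveRights() {}

    /** Returns the attribute name that leads one attributeLevelRights value. */
    public static String attributeName(String value) {
        int colon = value.indexOf(':');
        if (colon <= 0) {
            throw new IllegalArgumentException("malformed attributeLevelRights value: " + value);
        }
        return value.substring(0, colon).trim();
    }

    /** Maps each right (read, search, compare, write, ...) to whether it is granted. */
    public static Map<String, Boolean> parseRights(String value) {
        String rights = value.substring(attributeName(value).length() + 1);
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String pair : rights.split(",")) {
            String[] kv = pair.split(":", 2);
            if (kv.length != 2) {
                throw new IllegalArgumentException("malformed right: " + pair);
            }
            // The server reports 1 for granted and 0 for denied; treat anything else as denied.
            result.put(kv[0].trim().toLowerCase(Locale.ROOT), "1".equals(kv[1].trim()));
        }
        return result;
    }

    /** Attribute names the bound user may write, case-insensitive as LDAP attribute names are. */
    public static Set<String> writableAttributes(Collection<String> attributeLevelRights) {
        Set<String> writable = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String value : attributeLevelRights) {
            if (Boolean.TRUE.equals(parseRights(value).get("write"))) {
                writable.add(attributeName(value));
            }
        }
        return writable;
    }

    /**
     * Keeps only the changes the user is allowed to make, so the client can
     * apply the permitted subset instead of having the whole modify rejected.
     * Returns the dropped attribute names so the UI can report them.
     */
    public static Set<String> restrictModify(Map<String, String> pendingChanges, Set<String> writable) {
        Set<String> dropped = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (Iterator<String> it = pendingChanges.keySet().iterator(); it.hasNext();) {
            String attr = it.next();
            if (!writable.contains(attr)) {
                dropped.add(attr);
                it.remove();
            }
        }
        return dropped;
    }

    public static void main(String[] args) {
        // Constructed sample: what a server might return for one entry.
        List<String> sample = Arrays.asList(
            "cn:read:1,search:1,compare:1,write:1,selfwrite_add:1,selfwrite_delete:1,proxy:0",
            "mail:read:1,search:1,compare:1,write:1,selfwrite_add:0,selfwrite_delete:0,proxy:0",
            "uid:read:1,search:1,compare:1,write:0,selfwrite_add:0,selfwrite_delete:0,proxy:0",
            "userPassword:read:0,search:0,compare:0,write:0,selfwrite_add:1,selfwrite_delete:1,proxy:0");

        Set<String> writable = writableAttributes(sample);
        System.out.println("editable fields: " + writable);

        // Constructed pending edit from a form submission.
        Map<String, String> pending = new LinkedHashMap<>();
        pending.put("cn", "Brad Mace");
        pending.put("uid", "bmace2");
        pending.put("mail", "bmace@example.com");
        Set<String> dropped = restrictModify(pending, writable);
        System.out.println("sending: " + pending + " dropped: " + dropped);
    }
}
```

The `selfwrite_*` rights are reported separately from `write` because DSEE-family ACIs let a user add or remove only their own DN from an attribute (group membership is the usual case) without granting general write; a UI that wants to expose that should test those keys rather than `write`.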