Environment
Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3 for All Platforms
Novell Open Enterprise Server (NetWare 6.5)
Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Enterprise Server 11 (OES 11) Linux
Situation
When exporting objects, you may see ACL attributes exported as well. For example:
# extended LDIF
#
# LDAPv3
# base <o=MyOrg> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# MyOrg
dn: o=MyOrg
ACL: 1073741856#subtree#cn=MyOrg,cn=User Management,cn=Role Based Service,ou=EN
 T,o=MyOrg#sasAuditConfiguration
ACL: 1073741863#subtree#cn=MyOrg,cn=User Management,cn=Role Based Service,ou=EN
 T,o=MyOrg#cn
ACL: 1073741855#subtree#cn=MyOrg,cn=User Management,cn=Role Based Service,ou=EN
 T,o=MyOrg#[Entry Rights]
ACL: 3#subtree#cn=UNIX Workstation - server101,ou=SERVERS,ou=CITY,ou=ST,o=MyOrg
 #passwordExpirationTime
The number before the first # in each ACL line encodes the permissions (rights) assigned. This TID explains how to translate those values into human-readable form.
Resolution
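The number before the first # is in decimal. Convert the decimal value to hexadecimal (base 16) and select the privileges from the following table, starting with the largest value (the bottom of the table) and working up. Use the entry privileges when the last field of the ACL is [Entry Rights], and the attribute privileges when the last field names an attribute: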
ENTRY PRIVILEGES
Decimal | Hexadecimal | Description
1 | 1 | entry_browse
2 | 2 | entry_add
4 | 4 | entry_delete
8 | 8 | entry_rename
16 | 10 | entry_supervisor
64 | 40 | entry_inherit_ctl

ATTRIBUTE PRIVILEGES
Decimal | Hexadecimal | Description
1 | 1 | attr_compare
2 | 2 | attr_read
4 | 4 | attr_write
8 | 8 | attr_self
32 | 20 | attr_supervisor
64 | 40 | attr_inherit_ctl

Privilege for both Entries and Attrs
Decimal | Hexadecimal | Description
536870912 | 20000000 | Dynamic Groups
1073741824 | 40000000 | iManager Role Based Svcs
Additional Information
So in the case of:
ACL: 1073741863#subtree#cn=MyOrg,cn=User Management,cn=Role Based Service,ou=EN
 T,o=MyOrg#cn
The ACL value is 1073741863 (decimal).
This converts to 40000027 hex (or 0x40000027).
Starting at the bottom of the above table, this translates to:
0x40000000 = iManager Role Based Services granted privilege.
0x00000020 = Supervisor Permission to the attribute indicated (attr_supervisor)
0x00000004 = Write Permission to the attribute indicated (attr_write)
0x00000002 = Read Permission to the attribute indicated (attr_read)
0x00000001 = Compare Permission to the attribute indicated (attr_compare)
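The same translation can be scripted when an export contains many ACL values. The following is an added example, not part of the original TID: it unfolds the wrapped LDIF lines, splits each ACL into its fields, and decodes the rights using the table above. The function names and the unknown_bits field are assumptions made for this example, and the sample input is built from ACL lines shown in this TID.

```python
import re

# Bit values copied from the privilege table in this TID.
ENTRY = {0x01: "entry_browse", 0x02: "entry_add", 0x04: "entry_delete",
         0x08: "entry_rename", 0x10: "entry_supervisor", 0x40: "entry_inherit_ctl"}
ATTR = {0x01: "attr_compare", 0x02: "attr_read", 0x04: "attr_write",
        0x08: "attr_self", 0x20: "attr_supervisor", 0x40: "attr_inherit_ctl"}
BOTH = {0x20000000: "Dynamic Groups", 0x40000000: "iManager Role Based Svcs"}

def unfold(ldif):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def decode_acl(value):
    """Decode one 'privileges#scope#trustee#attribute' ACL value."""
    privs, scope, rest = value.split("#", 2)
    trustee, attr = rest.rsplit("#", 1)
    mask = int(privs)
    # [Entry Rights] selects the entry table; anything else is an attribute ACL.
    table = {**(ENTRY if attr == "[Entry Rights]" else ATTR), **BOTH}
    # Largest value first, the same order the TID walks the table.
    rights = [name for bit, name in sorted(table.items(), reverse=True) if mask & bit]
    return {"trustee": trustee, "scope": scope, "attribute": attr,
            "hex": f"0x{mask:08X}", "rights": rights,
            "unknown_bits": mask & ~sum(table)}  # bits the table does not list

def decode_ldif(ldif):
    """Return a decoded record for every plain-text ACL line in an export."""
    lines = unfold(ldif).splitlines()
    return [decode_acl(l[5:]) for l in lines if l.startswith("ACL: ")]

# Sample input: ACL lines from the export shown in this TID, folded as ldapsearch emits them.
SAMPLE = (
    "dn: o=MyOrg\n"
    "ACL: 1073741863#subtree#cn=MyOrg,cn=User Management,cn=Role Based Service,ou=EN\n"
    " T,o=MyOrg#cn\n"
    "ACL: 1073741855#subtree#cn=MyOrg,cn=User Management,cn=Role Based Service,ou=EN\n"
    " T,o=MyOrg#[Entry Rights]\n"
    "ACL: 3#subtree#cn=UNIX Workstation - server101,ou=SERVERS,ou=CITY,ou=ST,o=MyOrg\n"
    " #passwordExpirationTime\n"
)

if __name__ == "__main__":
    for acl in decode_ldif(SAMPLE):
        print(acl["hex"], acl["attribute"], acl["trustee"], acl["rights"])
```

When reviewing an export, entries whose rights include entry_supervisor or attr_supervisor, or whose unknown_bits is non-zero, are the ones to check first.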