
Viewing OpenLDAP ACLs

It is often useful to know exactly what access a given Kerberos principal has to the directory. There is a remctl command that returns the current access control list for the Kerberos principal used to invoke the command. The command usage is straightforward: first create a ticket cache for the Kerberos principal, then use that ticket cache to execute the command. The following example uses k5start to obtain the ticket cache.

    % k5start -q -U -f /etc/webauth/keytab -- remctl ldap.stanford.edu ldap access
    Checking access for webauth/trainmaster.stanford.edu@stanford.edu

    cn=WebAuthGeneral,cn=applications,dc=stanford,dc=edu

The principal webauth/trainmaster.stanford.edu has access to the WebAuthGeneral bundle of attributes. The details can be examined using the --expand switch.

Note that currently you must specify a physical LDAP server as the target of the remctl command, not the service name. For the production servers, ldap1 will display the ACLs used by the entire set of replicas.
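The command above tells you what a principal can reach, but in an audit you usually want to compare that against what the principal is supposed to reach. The following POSIX shell script is an added example, not part of this page or of the remctl/k5start tools: it parses the output format shown above (a "Checking access for" header followed by one bundle DN per line) and flags any bundle that is not on an expected allow-list. The sample output, including the extra `cn=ExampleExtra` bundle used to demonstrate drift detection, is constructed so the script runs offline; in real use you would pipe the live remctl output into the functions instead.

```shell
#!/bin/sh
# Added example: audit the bundles that "remctl <server> ldap access" reports
# for a principal against an expected allow-list. Not from the original page.

# Constructed sample of the command's output (the ExampleExtra bundle is made up
# to show how an unexpected grant is reported).
SAMPLE_ACCESS_OUTPUT='Checking access for webauth/trainmaster.stanford.edu@stanford.edu

cn=WebAuthGeneral,cn=applications,dc=stanford,dc=edu
cn=ExampleExtra,cn=applications,dc=stanford,dc=edu'

# Print the principal named in the "Checking access for ..." header (stdin).
access_principal() {
    sed -n 's/^Checking access for //p' | head -n 1
}

# Print only the bundle DNs (lines beginning with cn=) from stdin, sorted.
access_bundles() {
    grep '^cn=' | sort
}

# Read command output from stdin and compare its bundles with the expected
# newline-separated list in $1. Prints each unexpected bundle to stderr and
# returns 1 if any were found, 0 otherwise.
check_bundles() {
    expected="$1"
    unexpected=$(access_bundles | while IFS= read -r dn; do
        # exact, fixed-string line match against the allow-list
        printf '%s\n' "$expected" | grep -qxF -- "$dn" || printf '%s\n' "$dn"
    done)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected" | sed 's/^/unexpected bundle: /' >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample. For a live check, replace the printf with:
#   k5start -q -U -f /etc/webauth/keytab -- remctl <physical-ldap-server> ldap access
# (a physical server, not the service name, as noted above).
EXPECTED_BUNDLES='cn=WebAuthGeneral,cn=applications,dc=stanford,dc=edu'
printf 'Principal: %s\n' "$(printf '%s\n' "$SAMPLE_ACCESS_OUTPUT" | access_principal)"
if printf '%s\n' "$SAMPLE_ACCESS_OUTPUT" | check_bundles "$EXPECTED_BUNDLES"; then
    echo "bundles match the allow-list"
else
    echo "bundle drift detected"
fi
```

Keeping the expected list per principal in version control and running this after each ACL change gives a simple least-privilege regression check: the script exits non-zero whenever a service principal has picked up an attribute bundle nobody signed off on.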

Last modified April 27, 2017