OpenDS Tips: Control the controls...
By Ludo on Feb 04, 2009
LDAP Controls are a way to change the default behavior of LDAP operations and thus enhance the service. Several controls have been defined and standardized at the IETF. Because some of those controls extend the service beyond the basic operations, you might want to restrict their use to specific users like the Directory Administrators.
The OpenDS LDAP directory server controls who can make use of the various LDAP controls through access control rules.
The default global ACIs contain a rule that lists the controls that can be used by all users:
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
This list allows the use of the Manage DSA IT Control (RFC 3296), the Real Attributes Only Control, the Virtual Attributes Only Control, the Password Policy Control (draft-behera-ldap-password-policy), the LDAP No-Op Control (draft-zeilenga-ldap-noop), and the Authorization Identity Control (RFC 3829).
If an application makes use of a control that is not allowed, the server returns an error like this one:
[LDAP: error code 50 - The request control with Object Identifier (OID) "1.2.840.113556.1.4.805" cannot be used due to insufficient access rights]
The control here is the SubTree Delete Control which extends the delete operation to operate over a complete subtree of entries.
To allow specific users to make use of the SubTree Delete Control, you will need to add a global ACI:
$ dsconfig -h localhost -p 4444 -D cn="Directory Manager" -X -n \
set-access-control-handler-prop \
--add global-aci:"(targetcontrol=\"1.2.840.113556.1.4.805\") \
(version 3.0; acl \"Data Administrator SubTree delete control access\"; allow(read) \
userdn=\"ldap:///cn=Data Administrator,dc=example,dc=com\";)"
Password for user 'cn=Directory Manager': *********
The above ACI grants the use of the SubTree Delete control to a single user whose DN is "cn=Data Administrator,dc=example,dc=com".
Note that even if the user has the permission to use the Control, other access controls are still enforced to verify that the user has the permission to delete all the entries targeted by the operation.
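As an added example (not from the original post or the OpenDS project), the following Python audit parses global ACI values, names the controls each targetcontrol rule exposes, and reports rules that allow the SubTree Delete control to everyone. The function names, the SENSITIVE and BROAD sets, and the sample ACIs are assumptions constructed for illustration.

```python
import re

# Control OIDs named in this post.
CONTROL_NAMES = {
    "2.16.840.1.113730.3.4.2": "Manage DSA IT",
    "2.16.840.1.113730.3.4.17": "Real Attributes Only",
    "2.16.840.1.113730.3.4.19": "Virtual Attributes Only",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password Policy",
    "1.3.6.1.4.1.4203.1.10.2": "LDAP No-Op",
    "2.16.840.1.113730.3.4.16": "Authorization Identity",
    "1.2.840.113556.1.4.805": "SubTree Delete",
}
SENSITIVE = {"1.2.840.113556.1.4.805"}       # assumption: administrators only
BROAD = {"ldap:///anyone", "ldap:///all"}    # anonymous / any authenticated user

# Matches only the simple form used above: targetcontrol="..." with a userdn subject.
ACI_RE = re.compile(
    r'\(targetcontrol\s*=\s*"(?P<oids>[^"]*)"\)\s*\(version 3\.0;\s*'
    r'acl\s+"(?P<name>[^"]*)";\s*(?P<perm>allow|deny)\s*\([^)]*\)\s*'
    r'userdn\s*=\s*"(?P<subjects>[^"]*)";\s*\)')

def parse_control_aci(aci):
    """Return the ACL name, permission, subjects and OIDs, or None if unparsed."""
    m = ACI_RE.search(aci)
    if not m:
        return None
    rule = m.groupdict()
    for key in ("oids", "subjects"):
        rule[key] = [part.strip() for part in rule[key].split("||")]
    return rule

def audit(acis):
    """List (ACL name, control name) for sensitive controls allowed to broad subjects."""
    findings = []
    for rule in filter(None, map(parse_control_aci, acis)):
        if rule["perm"] == "allow" and BROAD.intersection(rule["subjects"]):
            findings += [(rule["name"], CONTROL_NAMES.get(oid, oid))
                         for oid in rule["oids"] if oid in SENSITIVE]
    return findings

SAMPLE_ACIS = [  # constructed: the first two mirror the post, the third is a mistake
    '(targetcontrol="2.16.840.1.113730.3.4.2 || 1.3.6.1.4.1.4203.1.10.2") (version 3.0; '
    'acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)',
    '(targetcontrol="1.2.840.113556.1.4.805") (version 3.0; acl "Data Administrator SubTree '
    'delete control access"; allow(read) userdn="ldap:///cn=Data Administrator,dc=example,dc=com";)',
    '(targetcontrol="1.2.840.113556.1.4.805") (version 3.0; '
    'acl "Everyone subtree delete"; allow(read) userdn="ldap:///anyone";)',
]
print(audit(SAMPLE_ACIS))
```

Rules written with targetcontrol!= or with a groupdn subject are not parsed by this sketch and need manual review.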