
The acl.c Program

The acl.c file is a program that displays the ACLs on each entry in the directory for a specific user. The permissions are presented in a form similar to UNIX file permissions. In addition, each entry is flagged as either a master or a shadow copy.

The distinguished name of the user requesting the access permissions is /C=de/O=sni/OU=ap/CN=norbert. The results of the request are presented in the following format:

[ABCD] <entry's distinguished name>

where:

A is one of the following:

· m (master copy)

· s (shadow copy)

B is one of the following:

· r (read access to public attributes)

· w (write access to public attributes)

· - (no access to public attributes)

C is one of the following:

· r (read access to standard attributes)

· w (write access to standard attributes)

· - (no access to standard attributes)

D is one of the following:

· r (read access to sensitive attributes)

· w (write access to sensitive attributes)

· - (no access to sensitive attributes)

For example, the following result means that the entry /C=de/O=sni is a master copy, and that the user who is making the request (/C=de/O=sni/OU=ap/CN=norbert) has write access to its public attributes, read access to its standard attributes, and no access to its sensitive attributes:

[mwr-] /C=de/O=sni
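As an added example (not part of the original acl.c program), the following C code parses result lines in the format just described and counts the entries for which the requestor holds write access to sensitive attributes, which are the lines a reviewer of such a listing would examine first. The SAMPLE_LISTING lines are constructed for the example, not captured program output.

```c
#include <string.h>
/* Access level for one attribute class, decoded from one flag letter. */
enum acl_access { ACL_NONE = 0, ACL_READ = 1, ACL_WRITE = 2 };
/* One decoded result line in the form [ABCD] <entry's distinguished name>. */
struct acl_entry {
    int is_master;        /* A: 'm' (master copy) or 's' (shadow copy) */
    enum acl_access pub;  /* B: public attributes */
    enum acl_access std;  /* C: standard attributes */
    enum acl_access sens; /* D: sensitive attributes */
    char dn[256];         /* the entry's distinguished name */
};
static int decode_access(char c, enum acl_access *out) {
    switch (c) {
    case 'r': *out = ACL_READ;  return 1;
    case 'w': *out = ACL_WRITE; return 1;
    case '-': *out = ACL_NONE;  return 1;
    default:  return 0;  /* any other letter means a malformed line */
    }
}
/* Parse one line; returns 1 on success, 0 if the line is malformed. */
int parse_acl_line(const char *line, struct acl_entry *e) {
    size_t len = strcspn(line, "\r\n"); /* this line only, not the rest of a buffer */
    if (len < 8 || len - 7 >= sizeof e->dn || line[0] != '[' ||
        line[5] != ']' || line[6] != ' ')
        return 0;
    if (line[1] == 'm') e->is_master = 1;
    else if (line[1] == 's') e->is_master = 0;
    else return 0;
    if (!decode_access(line[2], &e->pub) || !decode_access(line[3], &e->std) ||
        !decode_access(line[4], &e->sens))
        return 0;
    memcpy(e->dn, line + 7, len - 7);
    e->dn[len - 7] = '\0';
    return 1;
}
/* Constructed sample listing in acl.c's output format (not real program output). */
static const char SAMPLE_LISTING[] =
    "[mwr-] /C=de/O=sni\n"
    "[mwww] /C=de/O=sni/OU=ap\n"
    "[s-r-] /C=de/O=sni/OU=ap/CN=norbert\n";
/* Count entries whose sensitive attributes the requestor may write; a reviewer
   of the listing would examine those lines first. */
int count_sensitive_writable(const char *listing) {
    int count = 0;
    struct acl_entry e;
    for (const char *p = listing; *p; p += strcspn(p, "\n"), p += (*p == '\n'))
        if (parse_acl_line(p, &e) && e.sens == ACL_WRITE) count++;
    return count;
}
```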

The program requires that the user perform an authenticated bind to the directory service. The user's credentials must already exist in the directory. For this reason, the tree of six entries shown in the figure below is added to the directory each time the program runs, and is removed again afterward.


Entries with User Credentials Added to the Directory Tree

The program consists of the following steps:

1. Export the required object identifiers (see acl.h in The acl.h Header File).

2. Build the descriptor lists for objects required by the program (see acl.h in The acl.h Header File).

3. Initialize a workspace.

4. Negotiate use of the basic directory contents and GDS packages.

5. Add a fixed tree of entries to the directory to permit an authenticated bind.

6. Create a default session object.

7. Alter the default session object to include the credentials of the requestor (/C=de/O=sni/OU=ap/CN=norbert).

8. Bind with credentials to the default GDS server.

9. Create a default context object and alter it to include shadow entries.

10. Search the whole subtree below root and extract the ACL attribute from each selected entry.

11. Close the connection to the GDS server.

12. Remove the user's credentials from the directory.

13. Extract the components from the search result.

14. Examine each entry and print the entry details.

15. Close the XDS workspace.

Step 1 through Step 4, Step 6 through Step 8, Step 12, and Step 15 are similar to those performed for the previous sample application example.c.

Step 5 is included so that the appropriate entries will exist in the directory when the program attempts to access the access permissions.

The default session object created in Step 9 uses om_create( ) to create an instance of a default session object, and it uses om_put( ) to put in the appropriate user credentials. The credentials parameter is a descriptor list defined in the acl.h header file.

Step 10 uses the same method as Step 9 to alter the default context to include shadow entries. Using om_create( ) and om_put( ), the OM attribute DS_DONT_USE_COPY is set to a value of OM_FALSE to indicate that copies of entries maintained in other DSAs and copies cached locally (that is, shadow copies) can be used. The use_copy parameter is a descriptor list defined in the acl.h header file.

Step 11 uses ds_search( ) to search the subtree below root to find and extract the ACL attributes from the selected entries defined in the selection_acl parameter. The selection_acl variable is a descriptor list defined in acl.h. The results are returned to the workspace in result.

Step 13 and Step 14 extract the components from result and examine each entry by using a series of om_get( ) calls, as described in the previous topic for example.c.

More:

The acl.c Code

The acl.h Header File

The acl.h Code