A frequently asked question about LDAP is how to determine what attributes can be modified in an entry in a directory server for a given authorization state. For example, for a given bind DN, does that bind DN have the authority to delete an entry, or delete, add, or modify an attribute in a specific entry? LDAP access controls are implementation specific, therefore the vendor should supply a way to determine access rights for an authorization state. This task can be accomplished with the
GetEffectiveRightsRequestControl request control which is available in the commercial edition of the UnboundID LDAP SDK.
This post is also available at ldapguru.info (which will be updated, this article might not be).