We have received a request to leverage CA LDAP to retrieve all EJBRole permits assigned to users. Nearly all of our permissions in Top Secret is provided through profiles assigned to user ACIDs. Users may have several profiles assigned with EJBRoles.
To accomplish this currently through CA LDAP it seems like this would need to be done in a multi-step process:
1. ldapsearch against the proflist for the tssacid:
ldapsearch -x -D cn=<user> -w pass -H host -s one -b tssacidgrp=proflist,tssacid=<user acid>,tssadmingrp=Acids,<suffix>
2. Then for each profile listed, issue a tssresclass search for each profile:
ldapsearch -x -D cn=<user> -w pass -H host -s one -b tssresclass=ejbrole,tssacidgrp=permissions,tssacid=<prof acid>,tssadmingrp=Acids,<suffix>
Ideally, it would be nice if this could be done in a single step however looking at the R15.1 doc, it does not seem like this may be possible. I was wondering if there would be any chance to extend the TSS backend in CA LDAP to do a recursive search given a user ACID to dump all permissions of a certain type (or all permissions) assigned to the ACID itself and any profiles the user has.