So... just how many entries are under that LDAP branch?

ACL for LDAP Groups



I have seen a couple of tools that show the number of entries (or typically users or objects) under an LDAP branch (node).  Working with a colleague who is helping to improve our LDAP Browser, we wanted to add that "nice to know" feature to the tree.  So that is where "numSubordinates" comes into play.

OK.  Gotcha.

So, by read/write/update/compare, I assume you do not want any "add child entry" or "delete entry", is that correct?

For later reading, you can learn about ACL Access Evaluation here:

And ACL Propagation here:


If my assumption above is correct, you would model it similar to the aclEntry for TDSAdmins, but change the "object:ad" to "object:deny:ad" - where "a" means "add" and "d" is for "delete entry".











Such that the command for adding this aclEntry on any branch will look like this:



    dn: <branch DN>
    changetype: modify
    add: aclEntry
    aclEntry: group:CN=ADMINGRP,OU=GROUP,OU=GUESTS,DC=zFLEXSOFTWARE,DC=COM:restricted:rwsc:system:rsc:critical:rwsc:sensitive:rwsc:normal:rwsc:object:deny:ad
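As an added example (not from the original page or from zFlex Software), the Python below parses the aclEntry layout shown above and checks that add ("a") and delete ("d") on entries are denied for the group. It handles only the group subject and the permission classes that appear on this page; the function names and the second sample value are constructed for illustration.

```python
import re

# Permission classes that appear in the aclEntry on this page. Per-attribute
# rights and other subject types are out of scope for this sketch.
CLASSES = ("restricted", "system", "critical", "sensitive", "normal", "object")
RIGHT = re.compile(r":(%s):(deny:)?([rwscad]+)(?=:|$)" % "|".join(CLASSES))

# The value from the page, and a constructed value that still has "object:ad".
PAGE_ENTRY = ("group:CN=ADMINGRP,OU=GROUP,OU=GUESTS,DC=zFLEXSOFTWARE,DC=COM"
              ":restricted:rwsc:system:rsc:critical:rwsc:sensitive:rwsc"
              ":normal:rwsc:object:deny:ad")
CONSTRUCTED_ENTRY = "group:CN=SAMPLEGRP,DC=EXAMPLE,DC=COM:normal:rwsc:object:ad"


def parse_acl_entry(value):
    """Split 'group:<DN>:<class>:[deny:]<perms>...' into DN and rights."""
    kind, _, rest = value.strip().partition(":")
    first = RIGHT.search(rest)
    if kind != "group" or first is None:
        raise ValueError("unsupported aclEntry: %r" % value)
    rights, pos = {}, first.start()
    for m in RIGHT.finditer(rest, pos):
        if m.start() != pos:      # unparsed text between two rights
            break
        cls, deny, perms = m.groups()
        rights[(cls, "deny" if deny else "grant")] = set(perms)
        pos = m.end()
    if pos != len(rest):
        raise ValueError("text not understood: %r" % rest[pos:])
    return {"dn": rest[:first.start()], "rights": rights}


def entry_changes_blocked(value):
    """True if add (a) and delete (d) are denied and not also granted."""
    rights = parse_acl_entry(value)["rights"]
    denied = rights.get(("object", "deny"), set())
    granted = rights.get(("object", "grant"), set())
    return {"a", "d"} <= denied and not ({"a", "d"} & granted)


if __name__ == "__main__":
    for entry in (PAGE_ENTRY, CONSTRUCTED_ENTRY):
        dn = parse_acl_entry(entry)["dn"]
        print(dn, "-> add/delete blocked:", entry_changes_blocked(entry))
```

Run it over the aclEntry values returned for a branch before and after the modify to confirm the deny actually landed.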






There are other "operational" attributes which can be displayed by using the "(*)" "+" symbols at the end of the ldapsearch command.  We go into more detail in our white paper on the numSubordinates parameter.  You can download it here.



© 2016 zFlex Software,LLC. All Rights Reserved. Designed By zFlex Software