As I'm sure you're aware, the docs are here:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/viewing_the_acis_for_an_entry-get_effective_rights_control

I think you don't need to request the entrylevelrights or attributelevelrights on the search (the log looks like you're requesting them). You probably just want * or + here instead.

I tried that, but it made no difference. I also noticed that despite asking for attributes “*” and “+”, the java code didn’t give me any operational attributes back at all.

I’m assuming that entryLevelRights/attributeLevelRights are operational attributes and 389ds won’t return them with a “*” attribute on it’s own?

I’m trying to work out whether this is a java issue or a 389ds issue.

Are there any known issues when trying to return operational attributes from 389ds to java JNDI calls?

Otherwise I'm not 100% sure here. Perhaps the best thing is actually to attach gdb to the server and break on:

br _ger_parse_control

And then step through with: "next" to see what logic paths are being taken on the dn parser - or if you even reach that stage.

You could alternately break on acl_get_effective_rights to see the full extended op processing logic too.

Sorry I can't give a more concrete piece of advice here :(

gdb stops on these breakpoints, so the logic is definitely triggered, although I don't have any debuginfos configured to step through the code. Let me dig further on this.

Regards,

Graham

—