3.1.1.4.3 Access Checks
An object is not visible to a requester if the requester is not granted the necessary rights. But even if an object is visible to a requester, the requester might lack the necessary rights to see individual attributes. The values for attributes that are not visible to the requester are treated as "does not exist" in the returned attributes and the LDAP filter. For example, if the requester requests the value for displayName but that attribute is not visible, then the returned value will be the same as it would have been if the attribute displayName did not exist on that Object. Likewise, if displayName were part of the LDAP filter, then, similarly, the filter would behave just as if displayName did not exist on that Object.
Let O be the Object being considered during search.
Let ON be the root object of the NC containing O.
Let OP be O!parent.
Let OA be the Attribute, or the property set containing the Attribute, that is being considered for O during search.
Generally, the security context of the requester MUST be granted rights RIGHT_DS_LIST_CONTENTS (defined in section 5.1.3.2) on OP by OP!nTSecurityDescriptor.
Generally, the security context of the requester MUST be granted rights RIGHT_DS_READ_PROPERTY on OA by O!nTSecurityDescriptor. Otherwise, the value is treated as "does not exist" in the returned attributes and the LDAP filter. This behavior changes for special attributes, for attributes with special search flags in their definition, and for some attributes because of dSHeuristics (section 6.1.1.2.4.1.2), as specified in section 3.1.1.4.4.