1SLAPACL(8C)                                                        SLAPACL(8C)
2
3
4

NAME

6       slapacl - Check access to a list of attributes.
7

SYNOPSIS

9       /usr/sbin/slapacl   -b DN  [-d debug-level]  [-D authcDN |  -U authcID]
10       [-f slapd.conf]    [-F confdir]    [-o option[=value]]    [-u]     [-v]
11       [-X authzID | -o  authzDN=DN] [attr[/access][:value]] [...]
12

DESCRIPTION

14       slapacl  is  used to check the behavior of slapd(8) by verifying access
15       to directory data according  to  the  access  control  list  directives
16       defined in its configuration.  It opens the slapd.conf(5) configuration
17       file or the slapd-config(5)  backend,  reads  in  the  access/olcAccess
18       directives, and then parses the attr list given on the command-line; if
19       none is given, access to the entry pseudo-attribute is tested.
20

OPTIONS

22       -b DN  specify the DN which access is requested to;  the  corresponding
23              entry is fetched from the database, and thus it must exist.  The
24              DN is also used to determine what rules apply; thus, it must  be
25              in the naming context of a configured database.  See also -u.
26
27       -d debug-level
28              enable  debugging  messages  as  defined by the specified debug-
29              level; see slapd(8) for details.
30
31       -D authcDN
32              specify a DN to be used as identity  through  the  test  session
33              when selecting appropriate <by> clauses in access lists.
34
35       -f slapd.conf
36              specify an alternative slapd.conf(5) file.
37
38       -F confdir
39              specify  a  config  directory.  If both -f and -F are specified,
40              the config file will be read and converted to  config  directory
41              format  and  written  to  the  specified  directory.  If neither
42              option is specified, an  attempt  to  read  the  default  config
43              directory  will  be made before trying to use the default config
44              file. If a valid config directory exists then the default config
45              file is ignored.
46
47       -o option[=value]
48              Specify  an  option  with a(n optional) value.  Possible generic
49              options/values are:
50
51                     syslog=<subsystems>  (see `-s' in slapd(8))
52                     syslog-level=<level> (see `-S' in slapd(8))
53                     syslog-user=<user>   (see `-l' in slapd(8))
54
55              Possible options/values specific to slapacl are:
56
57                     authzDN
58                     domain
59                     peername
60                     sasl_ssf
61                     sockname
62                     sockurl
63                     ssf
64                     tls_ssf
65                     transport_ssf
66
67              See the related fields in slapd.access(5) for details.
68
69       -u     do not fetch the entry from the database.  In this case, if  the
70              entry does not exist, a fake entry with the DN given with the -b
71              option is used, with no attributes.   As  a  consequence,  those
72              rules  that depend on the contents of the target object will not
73              behave as with the real object.  The DN given with the -b option
74              is  still  used  to select what rules apply; thus, it must be in
75              the naming context of a configured database.  See also -b.
76
77       -U authcID
78              specify an ID to be mapped to a DN as by means  of  authz-regexp
79              or authz-rewrite rules (see slapd.conf(5) for details); mutually
80              exclusive with -D.
81
82       -v     enable verbose mode.
83
84       -X authzID
85              specify an authorization ID to be mapped to a DN as by means  of
86              authz-regexp  or  authz-rewrite  rules  (see  slapd.conf(5)  for
87              details); mutually exclusive with -o authzDN=DN.
88

EXAMPLES

90       The command
91
92            /usr/sbin/slapacl -f /etc/openldap/slapd.conf -v \
93                   -U bjorn -b "o=University of Michigan,c=US" \
94                "o/read:University of Michigan"
95
96       tests whether the user bjorn can access the attribute o  of  the  entry
97       o=University of Michigan,c=US at read level.
98

SEE ALSO

100       ldap(3), slapd(8), slaptest(8), slapauth(8)
101
102       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
103

ACKNOWLEDGEMENTS

105       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
106       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
107       versity of Michigan LDAP 3.3 Release.
108
109
110
111OpenLDAP 2.4.50                   2020/04/28                       SLAPACL(8C)
Impressum