1SLAPACL(8C)                                                        SLAPACL(8C)
2
3
4

NAME

6       slapacl - Check access to a list of attributes.
7

SYNOPSIS

9       /usr/sbin/slapacl   -b DN  [-d debug-level]  [-D authcDN |  -U authcID]
10       [-f slapd.conf]  [-F confdir]  [-o option[=value]]  [-u]  [-v]  [-X au‐
11       thzID | -o  authzDN=DN] [attr[/access][:value]] [...]
12

DESCRIPTION

14       slapacl  is  used to check the behavior of slapd(8) by verifying access
15       to directory data according to the access control list  directives  de‐
16       fined  in  its configuration.  It opens the slapd.conf(5) configuration
17       file or the slapd-config(5) backend, reads in the access/olcAccess  di‐
18       rectives,  and  then parses the attr list given on the command-line; if
19       none is given, access to the entry pseudo-attribute is tested.
20

OPTIONS

22       -b DN  specify the DN which access is requested to;  the  corresponding
23              entry is fetched from the database, and thus it must exist.  The
24              DN is also used to determine what rules apply; thus, it must  be
25              in the naming context of a configured database.  See also -u.
26
27       -d debug-level
28              enable  debugging  messages  as  defined by the specified debug-
29              level; see slapd(8) for details.
30
31       -D authcDN
32              specify a DN to be used as identity  through  the  test  session
33              when selecting appropriate <by> clauses in access lists.
34
35       -f slapd.conf
36              specify an alternative slapd.conf(5) file.
37
38       -F confdir
39              specify  a  config  directory.  If both -f and -F are specified,
40              the config file will be read and converted to  config  directory
41              format  and  written to the specified directory.  If neither op‐
42              tion is specified, an attempt to read the default config  direc‐
43              tory  will be made before trying to use the default config file.
44              If a valid config directory exists then the default config  file
45              is ignored.
46
47       -o option[=value]
48              Specify  an  option  with a(n optional) value.  Possible generic
49              options/values are:
50
51                     syslog=<subsystems>  (see `-s' in slapd(8))
52                     syslog-level=<level> (see `-S' in slapd(8))
53                     syslog-user=<user>   (see `-l' in slapd(8))
54
55              Possible options/values specific to slapacl are:
56
57                     authzDN
58                     domain
59                     peername
60                     sasl_ssf
61                     sockname
62                     sockurl
63                     ssf
64                     tls_ssf
65                     transport_ssf
66
67              See the related fields in slapd.access(5) for details.
68
69       -u     do not fetch the entry from the database.  In this case, if  the
70              entry does not exist, a fake entry with the DN given with the -b
71              option is used, with no attributes.   As  a  consequence,  those
72              rules  that depend on the contents of the target object will not
73              behave as with the real object.  The DN given with the -b option
74              is  still  used  to select what rules apply; thus, it must be in
75              the naming context of a configured database.  See also -b.
76
77       -U authcID
78              specify an ID to be mapped to a DN as by means  of  authz-regexp
79              or authz-rewrite rules (see slapd.conf(5) for details); mutually
80              exclusive with -D.
81
82       -v     enable verbose mode.
83
84       -X authzID
85              specify an authorization ID to be mapped to a DN as by means  of
86              authz-regexp  or  authz-rewrite rules (see slapd.conf(5) for de‐
87              tails); mutually exclusive with -o authzDN=DN.
88

EXAMPLES

90       The command
91
92            /usr/sbin/slapacl -f /etc/openldap/slapd.conf -v \
93                   -U bjorn -b "o=University of Michigan,c=US" \
94                "o/read:University of Michigan"
95
96       tests whether the user bjorn can access the attribute o  of  the  entry
97       o=University of Michigan,c=US at read level.
98

SEE ALSO

100       ldap(3), slapd(8), slaptest(8), slapauth(8)
101
102       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
103

ACKNOWLEDGEMENTS

105       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
106       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
107       versity of Michigan LDAP 3.3 Release.
108
109
110
111OpenLDAP 2.4.57                   2021/01/18                       SLAPACL(8C)
Impressum