1SLAPACL(8C)                                                        SLAPACL(8C)
2
3
4

NAME

6       slapacl - Check access to a list of attributes.
7

SYNOPSIS

9       /usr/sbin/slapacl   -b DN  [-d debug-level]  [-D authcDN |  -U authcID]
10       [-f slapd.conf]  [-F confdir]  [-o option[=value]]  [-u]  [-v]  [-X au‐
11       thzID | -o  authzDN=DN] [attr[/access][:value]] [...]
12

DESCRIPTION

14       slapacl  is  used to check the behavior of slapd(8) by verifying access
15       to directory data according to the access control list  directives  de‐
16       fined  in  its configuration.  It opens the slapd.conf(5) configuration
17       file or the slapd-config(5) backend, reads in the access/olcAccess  di‐
18       rectives,  and  then parses the attr list given on the command-line; if
19       none is given, access to the entry pseudo-attribute is tested.
20

OPTIONS

22       -b DN  specify the DN which access is requested to;  the  corresponding
23              entry is fetched from the database, and thus it must exist.  The
24              DN is also used to determine what rules apply; thus, it must  be
25              in  the naming context of a configured database. By default, the
26              first database that supports the requested  operation  is  used.
27              See also -u.
28
29
30       -d debug-level
31              enable  debugging  messages  as  defined by the specified debug-
32              level; see slapd(8) for details.
33
34       -D authcDN
35              specify a DN to be used as identity  through  the  test  session
36              when selecting appropriate <by> clauses in access lists.
37
38       -f slapd.conf
39              specify an alternative slapd.conf(5) file.
40
41       -F confdir
42              specify  a  config  directory.  If both -f and -F are specified,
43              the config file will be read and converted to  config  directory
44              format  and  written to the specified directory.  If neither op‐
45              tion is specified, an attempt to read the default config  direc‐
46              tory  will be made before trying to use the default config file.
47              If a valid config directory exists then the default config  file
48              is ignored.
49
50       -o option[=value]
51              Specify  an  option  with a(n optional) value.  Possible generic
52              options/values are:
53
54                     syslog=<subsystems>  (see `-s' in slapd(8))
55                     syslog-level=<level> (see `-S' in slapd(8))
56                     syslog-user=<user>   (see `-l' in slapd(8))
57
58              Possible options/values specific to slapacl are:
59
60                     authzDN
61                     domain
62                     peername
63                     sasl_ssf
64                     sockname
65                     sockurl
66                     ssf
67                     tls_ssf
68                     transport_ssf
69
70              See the related fields in slapd.access(5) for details.
71
72       -u     do not fetch the entry from the database.  In this case, if  the
73              entry does not exist, a fake entry with the DN given with the -b
74              option is used, with no attributes.   As  a  consequence,  those
75              rules  that depend on the contents of the target object will not
76              behave as with the real object.  The DN given with the -b option
77              is  still  used  to select what rules apply; thus, it must be in
78              the naming context of a configured database.  See also -b.
79
80       -U authcID
81              specify an ID to be mapped to a DN as by means  of  authz-regexp
82              or authz-rewrite rules (see slapd.conf(5) for details); mutually
83              exclusive with -D.
84
85       -v     enable verbose mode.
86
87       -X authzID
88              specify an authorization ID to be mapped to a DN as by means  of
89              authz-regexp  or  authz-rewrite rules (see slapd.conf(5) for de‐
90              tails); mutually exclusive with -o authzDN=DN.
91

EXAMPLES

93       The command
94
95            /usr/sbin/slapacl -f /etc/openldap/slapd.conf -v \
96                   -U bjorn -b "o=University of Michigan,c=US" \
97                "o/read:University of Michigan"
98
99       tests whether the user bjorn can access the attribute o  of  the  entry
100       o=University of Michigan,c=US at read level.
101

SEE ALSO

103       ldap(3), slapd(8), slaptest(8), slapauth(8)
104
105       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
106

ACKNOWLEDGEMENTS

108       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
109       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
110       versity of Michigan LDAP 3.3 Release.
111
112
113
114OpenLDAP 2.6.2                    2022/05/04                       SLAPACL(8C)
Impressum