1SLAPACL(8C) SLAPACL(8C)
2
6 slapacl - Check access to a list of attributes.
7
9 /usr/sbin/slapacl -b DN [-d debug-level] [-D authcDN | -U authcID]
10 [-f slapd.conf] [-F confdir] [-o option[=value]] [-u] [-v] [-X au‐
11 thzID | -o authzDN=DN] [attr[/access][:value]] [...]
12
14 slapacl is used to check the behavior of slapd(8) by verifying access
15 to directory data according to the access control list directives de‐
16 fined in its configuration. It opens the slapd.conf(5) configuration
17 file or the slapd-config(5) backend, reads in the access/olcAccess di‐
18 rectives, and then parses the attr list given on the command-line; if
19 none is given, access to the entry pseudo-attribute is tested.
20
22 -b DN specify the DN which access is requested to; the corresponding
23 entry is fetched from the database, and thus it must exist. The
24 DN is also used to determine what rules apply; thus, it must be
25 in the naming context of a configured database. By default, the
26 first database that supports the requested operation is used.
27 See also -u.
28 -d debug-level
31 enable debugging messages as defined by the specified debug-
32 level; see slapd(8) for details.
33 -D authcDN
35 specify a DN to be used as identity through the test session
36 when selecting appropriate <by> clauses in access lists.
37 -f slapd.conf
39 specify an alternative slapd.conf(5) file.
40 -F confdir
42 specify a config directory. If both -f and -F are specified,
43 the config file will be read and converted to config directory
44 format and written to the specified directory. If neither op‐
45 tion is specified, an attempt to read the default config direc‐
46 tory will be made before trying to use the default config file.
47 If a valid config directory exists then the default config file
48 is ignored.
49 -o option[=value]
51 Specify an option with a(n optional) value. Possible generic
52 options/values are:
53 syslog=<subsystems> (see `-s' in slapd(8))
55 syslog-level=<level> (see `-S' in slapd(8))
56 syslog-user=<user> (see `-l' in slapd(8))
57 Possible options/values specific to slapacl are:
59 authzDN
61 domain
62 peername
63 sasl_ssf
64 sockname
65 sockurl
66 ssf
67 tls_ssf
68 transport_ssf
69 See the related fields in slapd.access(5) for details.
71 -u do not fetch the entry from the database. In this case, if the
73 entry does not exist, a fake entry with the DN given with the -b
74 option is used, with no attributes. As a consequence, those
75 rules that depend on the contents of the target object will not
76 behave as with the real object. The DN given with the -b option
77 is still used to select what rules apply; thus, it must be in
78 the naming context of a configured database. See also -b.
79 -U authcID
81 specify an ID to be mapped to a DN as by means of authz-regexp
82 or authz-rewrite rules (see slapd.conf(5) for details); mutually
83 exclusive with -D.
84 -v enable verbose mode.
86 -X authzID
88 specify an authorization ID to be mapped to a DN as by means of
89 authz-regexp or authz-rewrite rules (see slapd.conf(5) for de‐
90 tails); mutually exclusive with -o authzDN=DN.
91
93 The command
94 /usr/sbin/slapacl -f /etc/openldap/slapd.conf -v \
96 -U bjorn -b "o=University of Michigan,c=US" \
97 "o/read:University of Michigan"
98 tests whether the user bjorn can access the attribute o of the entry
100 o=University of Michigan,c=US at read level.
101
103 ldap(3), slapd(8), slaptest(8), slapauth(8)
104 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
106
108 OpenLDAP Software is developed and maintained by The OpenLDAP Project
109 <http://www.openldap.org/>. OpenLDAP Software is derived from the Uni‐
110 versity of Michigan LDAP 3.3 Release.
111OpenLDAP 2.6.6 2023/07/31 SLAPACL(8C)