SLAPACL(8C)                                                        SLAPACL(8C)

NAME
       slapacl - Check access to a list of attributes.

SYNOPSIS
       /usr/sbin/slapacl [-v] [-d level] [-f slapd.conf] [-F confdir]
              [-D authcDN | -U authcID] -b DN [-u] [-X authzID | -o authzDN=DN]
              [attr[/access][:value]] [...]

DESCRIPTION
       Slapacl is used to check the behavior of slapd in verifying access to
       data according to the ACLs specified in slapd.access(5). It opens the
       slapd.conf(5) configuration file, reads in the access directives, and
       then parses the attr list given on the command line; if none is given,
       access to the entry pseudo-attribute is tested.

OPTIONS
       -v     enable verbose mode.

       -d level
              enable debugging messages as defined by the specified level.

       -f slapd.conf
              specify an alternative slapd.conf(5) file.

       -F confdir
              specify a config directory. If both -f and -F are specified,
              the config file will be read and converted to config directory
              format and written to the specified directory. If neither
              option is specified, an attempt to read the default config
              directory will be made before trying to use the default config
              file. If a valid config directory exists then the default config
              file is ignored.

       -D authcDN
              specify a DN to be used as the identity throughout the test
              session when selecting the appropriate <by> clauses in access
              lists.

       -U authcID
              specify an ID to be mapped to a DN by means of authz-regexp or
              authz-rewrite rules (see slapd.conf(5) for details); mutually
              exclusive with -D.

       -X authzID
              specify an authorization ID to be mapped to a DN by means of
              authz-regexp or authz-rewrite rules (see slapd.conf(5) for
              details); mutually exclusive with -o authzDN=DN.

       -o option[=value]
              Specify an option with an (optional) value. Possible
              options/values are:

                     sockurl
                     domain
                     peername
                     sockname
                     ssf
                     transport_ssf
                     tls_ssf
                     sasl_ssf
                     authzDN

       -b DN  specify the DN to which access is requested; the corresponding
              entry is fetched from the database, so it must exist. The DN is
              also used to determine what rules apply; thus, it must be in
              the naming context of a configured database. See also -u.

       -u     do not fetch the entry from the database. In this case, if the
              entry does not exist, a fake entry with the DN given with the -b
              option is used, with no attributes. As a consequence, those
              rules that depend on the contents of the target object will not
              behave as they would with the real object. The DN given with the
              -b option is still used to select what rules apply; thus, it
              must be in the naming context of a configured database. See
              also -b.

EXAMPLES
       The command

              /usr/sbin/slapacl -f /etc/openldap/slapd.conf -v \
                      -U bjorn -b "o=University of Michigan,c=US" \
                      "o/read:University of Michigan"

       tests whether the user bjorn can access the attribute o of the entry
       o=University of Michigan,c=US at read level.

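       To show how the -D, -u and -o options drive <by> clause selection, here
       is an added example (not from this man page or the OpenLDAP project):
       a constructed slapd.conf access directive and the slapacl invocations
       that exercise each of its clauses. The suffix o=Example,c=US, the user
       DNs and the ssf value 128 are assumed for illustration.

```conf
# Constructed slapd.conf fragment (illustration only, not from the man page).
# Goal: userPassword may be changed only by the entry itself over a session
# with a security strength factor of at least 128; anonymous clients may use
# it for binding only; the rest of the subtree is readable by any bound user.
access to dn.subtree="o=Example,c=US" attrs=userPassword
        by self ssf=128 write
        by anonymous auth
        by * none

access to dn.subtree="o=Example,c=US"
        by users read
        by * none

# Checks against this configuration with slapacl (run with enough privilege
# to open the database; -v prints ALLOWED/DENIED per requested attr/access).
#
# 1. alice over a session of strength 128: "by self ssf=128" matches, so
#    write access to userPassword is expected to be ALLOWED.
#    slapacl -f /etc/openldap/slapd.conf -v -o ssf=128 \
#        -D "cn=alice,o=Example,c=US" -b "cn=alice,o=Example,c=US" \
#        "userPassword/write"
#
# 2. Same identity without -o ssf=128: the ssf condition fails, the "by self"
#    clause is skipped, "by anonymous" does not apply to a bound user, and
#    "by * none" applies, so the same request is expected to be DENIED.
#    slapacl -f /etc/openldap/slapd.conf -v \
#        -D "cn=alice,o=Example,c=US" -b "cn=alice,o=Example,c=US" \
#        "userPassword/write"
#
# 3. No -D/-U at all (assumed here to be evaluated as anonymous): auth level
#    on userPassword is expected ALLOWED, read level DENIED.
#    slapacl -f /etc/openldap/slapd.conf -v -b "cn=alice,o=Example,c=US" \
#        "userPassword/auth" "userPassword/read"
#
# 4. bob reading carol's entry with -u: the entry is not fetched, so if
#    cn=carol does not exist yet a fake attribute-less entry is used. The
#    "by users read" clause still yields ALLOWED, but any rule that inspects
#    the target's attributes (dnattr=, set=) would not see real data.
#    slapacl -f /etc/openldap/slapd.conf -v -u \
#        -D "cn=bob,o=Example,c=US" -b "cn=carol,o=Example,c=US" entry/read
```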
SEE ALSO
       ldap(3), slapd(8), slaptest(8), slapauth(8)

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP is developed and maintained by The OpenLDAP Project
       (http://www.openldap.org/). OpenLDAP is derived from University of
       Michigan LDAP 3.3 Release.



OpenLDAP 2.3.34                   2007/2/16                        SLAPACL(8C)