1SLAPACL(8C)                                                        SLAPACL(8C)
2
3
4

NAME

6       slapacl - Check access to a list of attributes.
7

SYNOPSIS

9       /usr/sbin/slapacl  [-v]  [-d  level]  [-f  slapd.conf] [-F confdir] [-D
10       authcDN |  -U  authcID]  -b  DN  [-u]  [-X  authzID  |  -o  authzDN=DN]
11       [attr[/access][:value]] [...]
12

DESCRIPTION

14       Slapacl  is used to check the behavior of the slapd in verifying access
15       to data according to ACLs, as specified in slapd.access(5).   It  opens
16       the  slapd.conf(5)  configuration file, reads in the access directives,
17       and then parses the attr list given on the  command-line;  if  none  is
18       given, access to the entry pseudo-attribute is tested.
19

OPTIONS

21       -v     enable verbose mode.
22
23       -d level
24              enable debugging messages as defined by the specified level.
25
26       -f slapd.conf
27              specify an alternative slapd.conf(5) file.
28
29       -F confdir
30              specify  a  config  directory.  If both -f and -F are specified,
31              the config file will be read and converted to  config  directory
32              format  and  written  to  the  specified  directory.  If neither
33              option is specified, an  attempt  to  read  the  default  config
34              directory  will  be made before trying to use the default config
35              file. If a valid config directory exists then the default config
36              file is ignored.
37
38       -D authcDN
39              specify  a  DN  to  be used as identity through the test session
40              when selecting appropriate <by> clauses in access lists.
41
42       -U authcID
43              specify an ID to be mapped to a DN as by means  of  authz-regexp
44              or authz-rewrite rules (see slapd.conf(5) for details); mutually
45              exclusive with -D.
46
47       -X authzID
48              specify an authorization ID to be mapped to a DN as by means  of
49              authz-regexp  or  authz-rewrite  rules  (see  slapd.conf(5)  for
50              details); mutually exclusive with -o authzDN=DN.
51
52       -o option[=value]
53              Specify  an  option  with   a(n   optional)   value.    Possible
54              options/values are:
55
56                     sockurl
57                     domain
58                     peername
59                     sockname
60                     ssf
61                     transport_ssf
62                     tls_ssf
63                     sasl_ssf
64                     authzDN
65
66       -b DN  specify  the  DN which access is requested to; the corresponding
67              entry is fetched from the database, and thus it must exist.  The
68              DN  is also used to determine what rules apply; thus, it must be
69              in the naming context of a configured database.  See also -u.
70
71       -u     do not fetch the entry from the database.  In this case, if  the
72              entry does not exist, a fake entry with the DN given with the -b
73              option is used, with no attributes.   As  a  consequence,  those
74              rules  that depend on the contents of the target object will not
75              behave as with the real object.  The DN given with the -b option
76              is  still  used  to select what rules apply; thus, it must be in
77              the naming context of a configured database.  See also -b.
78

EXAMPLES

80       The command
81
82            /usr/sbin/slapacl -f //etc/openldap/slapd.conf -v \
83                   -U bjorn -b "o=University of Michigan,c=US" \
84                "o/read:University of Michigan"
85
86       tests whether the user bjorn can access the attribute o  of  the  entry
87       o=University of Michigan,c=US at read level.
88

SEE ALSO

90       ldap(3), slapd(8) slaptest(8) slapauth(8)
91
92       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
93

ACKNOWLEDGEMENTS

95       OpenLDAP   is   developed   and  maintained  by  The  OpenLDAP  Project
96       (http://www.openldap.org/).  OpenLDAP is  derived  from  University  of
97       Michigan LDAP 3.3 Release.
98
99
100
101OpenLDAP 2.3.34                    2007/2/16                       SLAPACL(8C)
Impressum