
slapacl(8)




SLAPACL(8C)           MAINTENANCE COMMANDS            SLAPACL(8C)


NAME

     slapacl - Check access to a list of attributes.


SYNOPSIS

     /usr/sbin/slapacl  [-v]  [-d  level]  [-f  slapd.conf]   [-F
     confdir]  [-D authcDN | -U authcID] -b DN [-u] [-X authzID |
     -o authzDN=DN] [attr[/access][:value]] [...]


DESCRIPTION

     Slapacl is used to check the behavior of slapd in verifying
     access to data according to ACLs, as specified in
     slapd.access(5).  It opens the slapd.conf(5) configuration
     file, reads in the access and defaultaccess directives, and
     then parses the attr list given on the command line; if none
     is given, access to the entry pseudo-attribute is tested.


OPTIONS

     -v   enable verbose mode.

     -d level
          enable debugging messages as defined by  the  specified
          level.

     -f slapd.conf
          specify an alternative slapd.conf(5) file.

     -F confdir
          specify a config directory.  If  both  -f  and  -F  are
          specified,  the  config file will be read and converted
          to config directory format and written to the specified
          directory.   If neither option is specified, an attempt
          to read the  default  config  directory  will  be  made
          before  trying  to  use  the  default config file. If a
          valid config directory exists then the  default  config
          file is ignored.

     -D authcDN
          specify a DN to be used as identity  through  the  test
          session  when  selecting  appropriate  <by>  clauses in
          access lists.

     -U authcID
          specify an ID to be mapped to  a  DN  as  by  means  of
          authz-regexp  or authz-rewrite rules (see slapd.conf(5)
          for details); mutually exclusive with -D.

     -X authzID
          specify an authorization ID to be mapped to a DN as  by
          means  of  authz-regexp  or  authz-rewrite  rules  (see
          slapd.conf(5) for details); mutually exclusive with  -o
          authzDN=DN.

OpenLDAP 2.3.27      Last change: 2006/08/19                    1


     -o option[=value]
          Specify an option with a(n optional)  value.   Possible
          options/values are:

                   sockurl
                   domain
                   peername
                   sockname
                   ssf
                   transport_ssf
                   tls_ssf
                   sasl_ssf
                   authzDN

     -b DN
          specify the DN to which access is requested; the
          corresponding entry is fetched from the database, and
          thus it must exist.  The DN is also used to determine
          what rules apply; thus, it must be in the naming
          context of a configured database.  See also -u.

     -u   do not fetch the entry from the database.  In this
          case, if the entry does not exist, a fake entry with
          the DN given with the -b option is used, with no
          attributes.  As a consequence, those rules that depend
          on the contents of the target object will not behave as
          with the real object.  The DN given with the -b option
          is still used to select what rules apply; thus, it must
          be in the naming context of a configured database.  See
          also -b.


EXAMPLES

     The command

          /usr/sbin/slapacl -f /etc/openldap/slapd.conf -v \
              -U bjorn -b "o=University of Michigan,c=US" \
              "o/read:University of Michigan"

     tests whether the user bjorn can access the attribute  o  of
     the entry o=University of Michigan,c=US at read level.
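
     The following script is an added example, not part of the
     original manual page or of OpenLDAP.  It turns single checks
     like the one above into an ACL regression test that compares
     each result against an expected verdict.  Assumptions: the
     verdict line contains ALLOWED or DENIED, omitting -D tests the
     anonymous identity, and the function names, the cn=bjorn DN and
     the sample table are hypothetical.

```sh
#!/bin/sh
# Added example: ACL regression check driven by slapacl.
# SLAPACL and SLAPD_CONF are overridable; the defaults are the paths used on this page.
SLAPACL="${SLAPACL:-/usr/sbin/slapacl}"
SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"

# acl_check AUTHCDN ENTRYDN ATTR/ACCESS -> prints ALLOWED, DENIED or ERROR.
# An empty AUTHCDN omits -D (assumed to test the anonymous identity).
acl_check() {
    authc=$1; entry=$2; spec=$3
    set -- -f "$SLAPD_CONF" -b "$entry" "$spec"
    if [ -n "$authc" ]; then set -- -D "$authc" "$@"; fi
    # Assumption: the verdict line contains ALLOWED or DENIED; the exit
    # status is ignored and stderr is captured along with stdout.
    out=$("$SLAPACL" "$@" 2>&1 </dev/null) || true
    case $out in
        *ALLOWED*) echo ALLOWED ;;
        *DENIED*)  echo DENIED ;;
        *)         echo ERROR ;;   # unparseable output never counts as a pass
    esac
}

# acl_regress: read "EXPECT|AUTHCDN|ENTRYDN|ATTR/ACCESS" lines on stdin,
# print one line per mismatch, and return non-zero if any check disagrees.
acl_regress() {
    fails=0
    while IFS='|' read -r expect authc entry spec; do
        case $expect in ''|'#'*) continue ;; esac   # skip blanks and comments
        got=$(acl_check "$authc" "$entry" "$spec")
        if [ "$got" != "$expect" ]; then
            echo "MISMATCH [${authc:-anonymous}] $spec on $entry: want $expect, got $got"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed expectations; the cn=bjorn DN and the userPassword rule are hypothetical.
sample_expectations() {
    cat <<'EOF'
# expect|authcDN|entry DN|attr/access
ALLOWED|cn=bjorn,o=University of Michigan,c=US|o=University of Michigan,c=US|o/read
DENIED||o=University of Michigan,c=US|userPassword/read
EOF
}
```

     Run it as "sample_expectations | acl_regress" after each ACL
     change.  Because -b fetches the entry, the listed entries must
     exist in the configured database.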


SEE ALSO

     ldap(3), slapd(8), slaptest(8), slapauth(8)

     "OpenLDAP Administrator's Guide"
     (http://www.OpenLDAP.org/doc/admin/)


ACKNOWLEDGEMENTS

     OpenLDAP is developed and maintained by The OpenLDAP Project
     (http://www.openldap.org/).    OpenLDAP   is   derived  from
     University of Michigan LDAP 3.3 Release.
