SLAPACL(8C)SLAPACL(8C)NAMEslapacl - Check access to a list of attributes.
SYNOPSIS
/usr/sbin/slapacl [-v] [-d level] [-f slapd.conf] [-F confdir] [-D
authcDN | -U authcID] -b DN [-u] [-X authzID | -o authzDN=DN]
[attr[/access][:value]] [...]
DESCRIPTION
Slapacl is used to check the behavior of the slapd in verifying access
to data according to ACLs, as specified in slapd.access(5). It opens
the slapd.conf(5) configuration file, reads in the access and defaultā
access directives, and then parses the attr list given on the command-
line; if none is given, access to the entry pseudo-attribute is tested.
OPTIONS-v enable verbose mode.
-d level
enable debugging messages as defined by the specified level.
-f slapd.conf
specify an alternative slapd.conf(5) file.
-F confdir
specify a config directory. If both -f and -F are specified,
the config file will be read and converted to config directory
format and written to the specified directory. If neither
option is specified, an attempt to read the default config
directory will be made before trying to use the default config
file. If a valid config directory exists then the default config
file is ignored.
-D authcDN
specify a DN to be used as identity through the test session
when selecting appropriate <by> clauses in access lists.
-U authcID
specify an ID to be mapped to a DN as by means of authz-regexp
or authz-rewrite rules (see slapd.conf(5) for details); mutually
exclusive with -D.
-X authzID
specify an authorization ID to be mapped to a DN as by means of
authz-regexp or authz-rewrite rules (see slapd.conf(5) for
details); mutually exclusive with -o authzDN=DN.
-o option[=value]
Specify an option with a(n optional) value. Possible
options/values are:
sockurl
domain
peername
sockname
ssf
transport_ssf
tls_ssf
sasl_ssf
authzDN
-b DN specify the DN which access is requested to; the corresponding
entry is fetched from the database, and thus it must exist. The
DN is also used to determine what rules apply; thus, it must be
in the naming context of a configured database. See also -u.
-u do not fetch the entry from the database. In this case, if the
entry does not exist, a fake entry with the DN given with the -b
option is used, with no attributes. As a consequence, those
rules that depend on the contents of the target object will not
behave as with the real object. The DN given with the -b option
is still used to select what rules apply; thus, it must be in
the naming context of a configured database. See also -b.
EXAMPLES
The command
/usr/sbin/slapacl -f //etc/openldap/slapd.conf -v \
-U bjorn -b "o=University of Michigan,c=US" \
"o/read:University of Michigan"
tests whether the user bjorn can access the attribute o of the entry
o=University of Michigan,c=US at read level.
SEE ALSOldap(3), slapd(8)slaptest(8)slapauth(8)
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
ACKNOWLEDGEMENTS
OpenLDAP is developed and maintained by The OpenLDAP Project
(http://www.openldap.org/). OpenLDAP is derived from University of
Michigan LDAP 3.3 Release.
OpenLDAP 2.3.24 2006/05/30 SLAPACL(8C)