slapacl - Check access to a list of attributes.
/usr/sbin/slapacl -b DN
[-d debug-level]
[-D authcDN | -U authcID]
[-f slapd.conf] [-F confdir]
[-o option[=value]] [-u]
[-v] [-X authzID | -o
authzDN=DN]
[attr[/access][:value]] [...]
slapacl is used to check the behavior of slapd(8) by
verifying access to directory data according to the access control list
directives defined in its configuration. It opens the slapd.conf(5)
configuration file or the slapd-config(5) backend, reads in the
access/olcAccess directives, and then parses the attr
list given on the command-line; if none is given, access to the entry
pseudo-attribute is tested.
- -b DN
- specify the DN which access is requested to; the corresponding
entry is fetched from the database, and thus it must exist. The DN
is also used to determine what rules apply; thus, it must be in the naming
context of a configured database. See also -u.
- -d debug-level
- enable debugging messages as defined by the specified debug-level;
see slapd(8) for details.
- -D authcDN
- specify a DN to be used as identity through the test session when
selecting appropriate <by> clauses in access lists.
- -f slapd.conf
- specify an alternative slapd.conf(5) file.
- -F confdir
- specify a config directory. If both -f and -F are specified,
the config file will be read and converted to config directory format and
written to the specified directory. If neither option is specified, an
attempt to read the default config directory will be made before trying to
use the default config file. If a valid config directory exists then the
default config file is ignored.
- -o option[=value]
- Specify an option with a(n optional) value. Possible generic
options/values are:
syslog=<subsystems> (see `-s' in slapd(8))
syslog-level=<level> (see `-S' in slapd(8))
syslog-user=<user> (see `-l' in slapd(8))
Possible options/values specific to slapacl
are:
authzDN
domain
peername
sasl_ssf
sockname
sockurl
ssf
tls_ssf
transport_ssf
See the related fields in slapd.access(5) for
details.
- -u
- do not fetch the entry from the database. In this case, if the entry does
not exist, a fake entry with the DN given with the -b option
is used, with no attributes. As a consequence, those rules that depend on
the contents of the target object will not behave as with the real object.
The DN given with the -b option is still used to select what
rules apply; thus, it must be in the naming context of a configured
database. See also -b.
- -U authcID
- specify an ID to be mapped to a DN as by means of
authz-regexp or authz-rewrite rules (see
slapd.conf(5) for details); mutually exclusive with -D.
- -v
- enable verbose mode.
- -X authzID
- specify an authorization ID to be mapped to a DN as by means of
authz-regexp or authz-rewrite rules (see
slapd.conf(5) for details); mutually exclusive with -o
authzDN=DN.
The command
/usr/sbin/slapacl -f /etc/openldap/slapd.conf -v \
-U bjorn -b "o=University of Michigan,c=US" \
"o/read:University of Michigan"
tests whether the user bjorn can access the attribute o of the
entry o=University of Michigan,c=US at read level.
ldap(3), slapd(8), slaptest(8),
slapauth(8)
"OpenLDAP Administrator's Guide"
(http://www.OpenLDAP.org/doc/admin/)
OpenLDAP Software is developed and maintained by The
OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software
is derived from University of Michigan LDAP 3.3 Release.