Index Index for
Section 8C
Index Alphabetical
listing for S
Bottom of page Bottom of
page		 

SLAPACL(8C)


NAME

  slapacl - Check access to a list of attributes.


SYNOPSIS

  /usr/internet/openldap/sbin/slapacl [-v] [-d level] [-f slapd.conf] [-F
  confdir] [-D authcDN | -U authcID] -b DN [-u] [-X authzID | -o authzDN=DN]
  [attr[/access][:value]] [...]


DESCRIPTION

  Slapacl is used to check the behavior of the slapd in verifying access to
  data according to ACLs, as specified in slapd.access(5).  It opens the
  slapd.conf(5) configuration file, reads in the access and defaultaccess
  directives, and then parses the attr list given on the command-line; if
  none is given, access to the entry pseudo-attribute is tested.


OPTIONS

  -v   enable verbose mode.

  -d level
       enable debugging messages as defined by the specified level.

  -f slapd.conf
       specify an alternative slapd.conf(5) file.

  -F confdir
       specify a config directory.  If both -f and -F are specified, the
       config file will be read and converted to config directory format and
       written to the specified directory.  If neither option is specified,
       an attempt to read the default config directory will be made before
       trying to use the default config file. If a valid config directory
       exists then the default config file is ignored.

  -D authcDN
       specify a DN to be used as identity through the test session when
       selecting appropriate <by> clauses in access lists.

  -U authcID
       specify an ID to be mapped to a DN as by means of authz-regexp or
       authz-rewrite rules (see slapd.conf(5) for details); mutually
       exclusive with -D.

  -X authzID
       specify an authorization ID to be mapped to a DN as by means of
       authz-regexp or authz-rewrite rules (see slapd.conf(5) for details);
       mutually exclusive with -o authzDN=DN.

  -o option[=value]
       Specify an option with a(n optional) value.  Possible options/values
       are:

		sockurl
		domain
		peername
		sockname
		ssf
		transport_ssf
		tls_ssf
		sasl_ssf
		authzDN

  -b DN
       specify the DN which access is requested to; the corresponding entry
       is fetched from the database, and thus it must exist.  The DN is also
       used to determine what rules apply; thus, it must be in the naming
       context of a configured database.  See also -u.

  -u   do not fetch the entry from the database.  In this case, if the entry
       does not exist, a fake entry with the DN given with the -b option is
       used, with no attributes.  As a consequence, those rules that depend
       on the contents of the target object will not behave as with the real
       object.	The DN given with the -b option is still used to select what
       rules apply; thus, it must be in the naming context of a configured
       database.  See also -b.


EXAMPLES

  The command

	  /usr/internet/openldap/sbin/slapacl -f //usr/internet/openldap/etc/slapd.conf -v \
	      -U bjorn -b "o=University of Michigan,c=US" \
	      "o/read:University of Michigan"

  tests whether the user bjorn can access the attribute o of the entry
  o=University of Michigan,c=US at read level.


SEE ALSO

  ldap(3), slapd(8) slaptest(8) slapauth(8)

  "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)


ACKNOWLEDGEMENTS

  OpenLDAP is developed and maintained by The OpenLDAP Project
  (http://www.openldap.org/).  OpenLDAP is derived from University of
  Michigan LDAP 3.3 Release.

Index Index for
Section 8C
Index Alphabetical
listing for S
Top of page Top of
page