slapacl — Check access to a list of attributes.
SBINDIR/slapacl
−b DN [ −d level ] [ −D authcDN | −U authcID ] [ −f slapd.conf ] [ −F confdir ] [ −o name[=value] ] [−u] [−v] [ −X authzID | −o authzDN=DN ]
[attr[/access][:value]] [ ... ]
Slapacl is used
to check the behavior of the slapd in verifying access to
data according to ACLs, as specified in slapd.access(5). It opens
the slapd.conf(5) configuration
file, reads in the access directives, and then
parses the attr
list given on the command-line; if none is given, access to
the entry
pseudo-attribute is tested.
−b
DNspecify the DN which access is
requested to; the corresponding entry is fetched from
the database, and thus it must exist. The DN is also
used to determine what rules apply; thus, it must be in
the naming context of a configured database. See also
−u.
−d
levelenable debugging messages as defined by the
specified level; see slapd(8) for
details.
−D
authcDNspecify a DN to be used as identity through the test
session when selecting appropriate <by> clauses in
access lists.
−f
slapd.confspecify an alternative slapd.conf(5) file.
−F
confdirspecify a config directory. If both −f and −F are specified,
the config file will be read and converted to config
directory format and written to the specified
directory. If neither option is specified, an attempt
to read the default config directory will be made
before trying to use the default config file. If a
valid config directory exists then the default config
file is ignored.
−o
option[=value]Specify an option with a(n optional)
value. Possible
generic options/values are:
syslog=<subsystems> (see `−s' in slapd(8))
syslog-level=<level> (see `−S' in slapd(8))
syslog-user=<user> (see `−l' in slapd(8))
Possible options/values specific to slapacl are:
authzDN
domain
peername
sasl_ssf
sockname
sockurl
ssf
tls_ssf
transport_ssf
See the related fields in slapd.access(5) for details.
−udo not fetch the entry from the database. In this
case, if the entry does not exist, a fake entry with
the DN given with the −b option is used, with no
attributes. As a consequence, those rules that depend
on the contents of the target object will not behave as
with the real object. The DN given with the
−b option is still
used to select what rules apply; thus, it must be in
the naming context of a configured database. See also
−b.
−U
authcIDspecify an ID to be mapped to a DN as by means of
authz-regexp
or authz-rewrite rules
(see slapd.conf(5) for
details); mutually exclusive with −D.
−venable verbose mode.
−X
authzIDspecify an authorization ID to be mapped to a
DN as by means
of authz-regexp or
authz-rewrite
rules (see slapd.conf(5) for
details); mutually exclusive with −o authzDN=DN.
The command
SBINDIR/slapacl -f /ETCDIR/slapd.conf -v \
-U bjorn -b "o=University of Michigan,c=US" \
"o/read:University of Michigan"
tests whether the user bjorn can access the
attribute o of the entry
o=University of
Michigan,c=US at read level.
ldap(3), slapd(8) slaptest(8) slapauth(8)
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.