|
slapacl — Check access to a list of attributes.
SBINDIR/slapacl
−b
DN [ −d
debug−level ] [ −D
authcDN | −U
authcID ] [ −f
slapd.conf ] [ −F
confdir ] [ −o
option[= value] ] [−u
] [−v
] [ −X
authzID | −o
authzDN= DN ] [ attr [ / access][:
value ] ] [ ... ]
slapacl is
used to check the behavior of slapd(8) by verifying
access to directory data according to the access control list
directives defined in its configuration. It opens the
slapd.conf(5) configuration
file or the slapd-config(5) backend,
reads in the access/olcAccess
directives, and
then parses the attr
list given on the command-line; if none is given, access to
the entry
pseudo-attribute is tested.
−b
DN
specify the DN
which access is
requested to; the corresponding entry is fetched from
the database, and thus it must exist. The DN
is also used to
determine what rules apply; thus, it must be in the
naming context of a configured database. See also
−u
.
−d
debug−level
enable debugging messages as defined by the
specified debug-level
; see
slapd(8) for
details.
−D
authcDN
specify a DN to be used as identity through the test
session when selecting appropriate <by>
clauses in
access lists.
−f
slapd.conf
specify an alternative slapd.conf(5) file.
−F
confdir
specify a config directory. If both −f
and −F
are specified, the config file
will be read and converted to config directory format
and written to the specified directory. If neither
option is specified, an attempt to read the default
config directory will be made before trying to use the
default config file. If a valid config directory exists
then the default config file is ignored.
−o
option[=value]
Specify an option
with a(n optional)
value
. Possible
generic options/values are:
syslog=<subsystems> (see `−s' in slapd(8)) syslog−level=<level> (see `−S' in slapd(8)) syslog−user=<user> (see `−l' in slapd(8))
Possible options/values specific to slapacl are:
authzDN domain peername sasl_ssf sockname sockurl ssf tls_ssf transport_ssf
See the related fields in slapd.access(5) for details.
−u
do not fetch the entry from the database. In this
case, if the entry does not exist, a fake entry with
the DN
given
with the −b
option is
used, with no attributes. As a consequence, those rules
that depend on the contents of the target object will
not behave as with the real object. The DN
given with the
−b
option is still
used to select what rules apply; thus, it must be in
the naming context of a configured database. See also
−b
.
−U
authcID
specify an ID to be mapped to a DN
as by means of
authz−regexp
or
authz−rewrite
rules (see slapd.conf(5) for
details); mutually exclusive with −D
.
−v
enable verbose mode.
−X
authzID
specify an authorization ID to be mapped to a
DN
as by means
of authz−regexp
or
authz−rewrite
rules (see slapd.conf(5) for
details); mutually exclusive with −o
authzDN=
DN
.
The command
SBINDIR/slapacl −f ETCDIR/slapd.conf −v \ −U bjorn −b "o=University of Michigan,c=US" \ "o/read:University of Michigan"
tests whether the user bjorn
can access the
attribute o
of the entry
o=University of
Michigan,c
=US
at read
level.
ldap(3), slapd(8), slaptest(8), slapauth(8)
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.