|
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | SEE ALSO | ACKNOWLEDGEMENTS | COLOPHON |
SLAPACL(8C) SLAPACL(8C)
slapacl - Check access to a list of attributes.
SBINDIR/slapacl -b DN [-d debug-level] [-D authcDN | -U authcID]
[-f slapd.conf] [-F confdir] [-o option[=value]] [-u] [-v]
[-X authzID | -o authzDN=DN] [attr[/access][:value]] [...]
slapacl is used to check the behavior of slapd(8) by verifying access
to directory data according to the access control list directives
defined in its configuration. It opens the slapd.conf(5)
configuration file or the slapd-config(5) backend, reads in the
access/olcAccess directives, and then parses the attr list given on
the command-line; if none is given, access to the entry pseudo-
attribute is tested.
-b DN specify the DN which access is requested to; the corresponding
entry is fetched from the database, and thus it must exist.
The DN is also used to determine what rules apply; thus, it
must be in the naming context of a configured database. See
also -u.
-d debug-level
enable debugging messages as defined by the specified debug-
level; see slapd(8) for details.
-D authcDN
specify a DN to be used as identity through the test session
when selecting appropriate <by> clauses in access lists.
-f slapd.conf
specify an alternative slapd.conf(5) file.
-F confdir
specify a config directory. If both -f and -F are specified,
the config file will be read and converted to config directory
format and written to the specified directory. If neither
option is specified, an attempt to read the default config
directory will be made before trying to use the default config
file. If a valid config directory exists then the default
config file is ignored.
-o option[=value]
Specify an option with a(n optional) value. Possible generic
options/values are:
syslog=<subsystems> (see `-s' in slapd(8))
syslog-level=<level> (see `-S' in slapd(8))
syslog-user=<user> (see `-l' in slapd(8))
Possible options/values specific to slapacl are:
authzDN
domain
peername
sasl_ssf
sockname
sockurl
ssf
tls_ssf
transport_ssf
See the related fields in slapd.access(5) for details.
-u do not fetch the entry from the database. In this case, if
the entry does not exist, a fake entry with the DN given with
the -b option is used, with no attributes. As a consequence,
those rules that depend on the contents of the target object
will not behave as with the real object. The DN given with
the -b option is still used to select what rules apply; thus,
it must be in the naming context of a configured database.
See also -b.
-U authcID
specify an ID to be mapped to a DN as by means of authz-regexp
or authz-rewrite rules (see slapd.conf(5) for details);
mutually exclusive with -D.
-v enable verbose mode.
-X authzID
specify an authorization ID to be mapped to a DN as by means
of authz-regexp or authz-rewrite rules (see slapd.conf(5) for
details); mutually exclusive with -o authzDN=DN.
The command
SBINDIR/slapacl -f ETCDIR/slapd.conf -v \
-U bjorn -b "o=University of Michigan,c=US" \
"o/read:University of Michigan"
tests whether the user bjorn can access the attribute o of the entry
o=University of Michigan,c=US at read level.
ldap(3), slapd(8), slaptest(8), slapauth(8)
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
OpenLDAP Software is developed and maintained by The OpenLDAP Project
<http://www.openldap.org/>. OpenLDAP Software is derived from the
University of Michigan LDAP 3.3 Release.
This page is part of the OpenLDAP (an open source implementation of
the Lightweight Directory Access Protocol) project. Information
about the project can be found at ⟨http://www.openldap.org/⟩. If you
have a bug report for this manual page, see
⟨http://www.openldap.org/its/⟩. This page was obtained from the
project's upstream Git repository
⟨git://git.openldap.org/openldap.git⟩ on 2017-07-05. If you discover
any rendering problems in this HTML version of the page, or you
believe there is a better or more up-to-date source for the page, or
you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
to man-pages@man7.org
OpenLDAP LDVERSION RELEASEDATE SLAPACL(8C)
Pages that refer to this page: slapd.access(5), slapd.conf(5), slapd-config(5), slapd(8)