NAME
slapacl - Check access to a list of attributes.
SYNOPSIS
//BBiinnaarryyCCaacchhee//OOppeennLLDDAAPP//OOppeennLLDDAAPP-111111~~11//RRoooott//uussrr//ssbbiinn//ssllaappaaccll [[-vv]] [[-dd
lleevveell]] [[-ff ssllaappdd..ccoonnff]] [[-FF ccoonnffddiirr]] [[-DD aauutthhccDDNN || -UU aauutthhccIIDD]] -bb DDNN
[[-uu]] [[-XX aauutthhzzIIDD || -oo aauutthhzzDDNN==DDNN]] [[aattttrr[[//aacccceessss]][[::vvaalluuee]]]] [[......]]
DESCRIPTION
SSllaappaaccll is used to check the behavior of the slapd in verifying access to data according to ACLs, as specified in ssllaappdd..aacccceessss(5). It opensthe ssllaappdd..ccoonnff(5) configuration file, reads in the aacccceessss and ddeeffaauulltt-
aacccceessss directives, and then parses the aattttrr list given on the command-
line; if none is given, access to the eennttrryy pseudo-attribute is tested.
OOPPTTIIOONNSS-vv enable verbose mode.
-dd level
enable debugging messages as defined by the specified level.-ff slapd.conf
specify an alternative ssllaappdd..ccoonnff(5) file.-FF confdir
specify a config directory. If both -ff and -FF are specified,
the config file will be read and converted to config directory format and written to the specified directory. If neither option is specified, an attempt to read the default config directory will be made before trying to use the default config file. If a valid config directory exists then the default config file is ignored.-DD authcDN
specify a DN to be used as identity through the test session when selecting appropriate <> clauses in access lists. -UU authcID
specify an ID to be mapped to a DDNN as by means of aauutthhzz-rreeggeexxpp
or aauutthhzz-rreewwrriittee rules (see ssllaappdd..ccoonnff(5) for details); mutually
exclusive with -DD.
-XX authzID
specify an authorization ID to be mapped to a DDNN as by means ofaauutthhzz-rreeggeexxpp or aauutthhzz-rreewwrriittee rules (see ssllaappdd..ccoonnff(5) for
details); mutually exclusive with -oo authzDN=DN.
-oo option[=value]
Specify an ooppttiioonn with a(n optional) vvaalluuee. Possible options/values are: sockurl domain peername sockname ssf transportssf tlsssf saslssf authzDN-bb DN specify the DDNN which access is requested to; the corresponding
entry is fetched from the database, and thus it must exist. The DN is also used to determine what rules apply; thus, it must bein the naming context of a configured database. See also -uu.
-uu do not fetch the entry from the database. In this case, if the
entry does not exist, a fake entry with the DN given with the -bb
option is used, with no attributes. As a consequence, those rules that depend on the contents of the target object will notbehave as with the real object. The DN given with the -bb option
is still used to select what rules apply; thus, it must be inthe naming context of a configured database. See also -bb.
EEXXAAMMPPLLEESS The command/BinaryCache/OpenLDAP/OpenLDAP-111~1/Root/usr/sbin/slapacl -f //etc/openldap/slapd.conf -v \
-U bjorn -b "o=University of Michigan,c=US" \
"o/read:University of Michigan" tests whether the user bjorn can access the attribute o of the entry o=University of Michigan,c=US at read level.SEE ALSO
llddaapp(3), ssllaappdd(8) ssllaapptteesstt(8) ssllaappaauutthh(8) "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) AACCKKNNOOWWLLEEDDGGEEMMEENNTTSS OOppeennLLDDAAPP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OOppeennLLDDAAPP is derived from University of Michigan LDAP 3.3 Release. OpenLDAP 2.3.27 2006/08/19 SLAPACL(8C)