1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
|
.TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2004-2022 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapacl \- Check access to a list of attributes.
.SH SYNOPSIS
.B SBINDIR/slapacl
.BI \-b \ DN
[\c
.BI \-d \ debug-level\fR]
[\c
.BI \-D \ authcDN\ \fR|
.BI \-U \ authcID\fR]
[\c
.BI \-f \ slapd.conf\fR]
[\c
.BI \-F \ confdir\fR]
[\c
.BI \-o \ option\fR[ = value\fR]]
[\c
.BR \-u ]
[\c
.BR \-v ]
[\c
.BI \-X \ authzID\ \fR|
.BI "\-o \ authzDN=" DN\fR]
[\c
.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...]
.LP
.SH DESCRIPTION
.LP
.B slapacl
is used to check the behavior of
.BR slapd (8)
by verifying access to directory data according to the access control list
directives defined in its configuration.
.
It opens the
.BR slapd.conf (5)
configuration file or the
.BR slapd\-config (5)
backend, reads in the
.BR access / olcAccess
directives, and then parses the
.B attr
list given on the command-line; if none is given, access to the
.B entry
pseudo-attribute is tested.
.LP
.SH OPTIONS
.TP
.BI \-b \ DN
specify the
.I DN
which access is requested to; the corresponding entry is fetched
from the database, and thus it must exist.
The
.I DN
is also used to determine what rules apply; thus, it must be
in the naming context of a configured database. By default, the first
database that supports the requested operation is used. See also
.BR \-u .
.TP
.BI \-d \ debug-level
enable debugging messages as defined by the specified
.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
.BI \-D \ authcDN
specify a DN to be used as identity through the test session
when selecting appropriate
.B <by>
clauses in access lists.
.TP
.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-F \ confdir
specify a config directory.
If both
.B \-f
and
.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
default config directory will be made before trying to use the default
config file. If a valid config directory exists then the
default config file is ignored.
.TP
.BI \-o \ option\fR[ = value\fR]
Specify an
.I option
with a(n optional)
.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.RS
Possible options/values specific to
.B slapacl
are:
.RE
.nf
authzDN
domain
peername
sasl_ssf
sockname
sockurl
ssf
tls_ssf
transport_ssf
.fi
.RS
See the related fields in
.BR slapd.access (5)
for details.
.RE
.TP
.BI \-u
do not fetch the entry from the database.
In this case, if the entry does not exist, a fake entry with the
.I DN
given with the
.B \-b
option is used, with no attributes.
As a consequence, those rules that depend on the contents
of the target object will not behave as with the real object.
The
.I DN
given with the
.B \-b
option is still used to select what rules apply; thus, it must be
in the naming context of a configured database.
See also
.BR \-b .
.TP
.BI \-U \ authcID
specify an ID to be mapped to a
.B DN
as by means of
.B authz\-regexp
or
.B authz\-rewrite
rules (see
.BR slapd.conf (5)
for details); mutually exclusive with
.BR \-D .
.TP
.B \-v
enable verbose mode.
.TP
.BI \-X \ authzID
specify an authorization ID to be mapped to a
.B DN
as by means of
.B authz\-regexp
or
.B authz\-rewrite
rules (see
.BR slapd.conf (5)
for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR.
.SH EXAMPLES
The command
.LP
.nf
.ft tt
SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\
\-U bjorn \-b "o=University of Michigan,c=US" \\
"o/read:University of Michigan"
.ft
.fi
tests whether the user
.I bjorn
can access the attribute
.I o
of the entry
.I o=University of Michigan,c=US
at
.I read
level.
.SH "SEE ALSO"
.BR ldap (3),
.BR slapd (8),
.BR slaptest (8),
.BR slapauth (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
.so ../Project
|