:: RootR ::  Hosting Order Map Login   Secure Inter-Network Operations  
 
SLAPACL(8) - phpMan

Command: man perldoc info search(apropos)  


SLAPACL(8)                           System Manager's Manual                           SLAPACL(8)



NAME
       slapacl - Check access to a list of attributes.

SYNOPSIS
       /usr/sbin/slapacl   -b DN   [-d debug-level]   [-D authcDN |  -U authcID]  [-f slapd.conf]
       [-F confdir]    [-o option[=value]]    [-u]    [-v]    [-X authzID |    -o     authzDN=DN]
       [attr[/access][:value]] [...]

DESCRIPTION
       slapacl  is  used  to check the behavior of slapd(8) by verifying access to directory data
       according to the access control list directives defined in its  configuration.   It  opens
       the  slapd.conf(5)  configuration  file  or  the  slapd-config(5)  backend,  reads  in the
       access/olcAccess directives, and then parses the attr list given on the  command-line;  if
       none is given, access to the entry pseudo-attribute is tested.

OPTIONS
       -b DN  specify  the  DN  which  access is requested to; the corresponding entry is fetched
              from the database, and thus it must exist.  The DN is also used to  determine  what
              rules  apply; thus, it must be in the naming context of a configured database.  See
              also -u.

       -d debug-level
              enable debugging messages as defined by the specified debug-level; see slapd(8) for
              details.

       -D authcDN
              specify  a DN to be used as identity through the test session when selecting appro‐
              priate <by> clauses in access lists.

       -f slapd.conf
              specify an alternative slapd.conf(5) file.

       -F confdir
              specify a config directory.  If both -f and -F are specified, the config file  will
              be  read  and  converted  to  config  directory format and written to the specified
              directory.  If neither option is specified, an attempt to read the  default  config
              directory  will  be  made  before trying to use the default config file. If a valid
              config directory exists then the default config file is ignored.

       -o option[=value]
              Specify an option with a(n optional) value.  Possible generic options/values are:

                     syslog=<subsystems>  (see `-s' in slapd(8))
                     syslog-level=<level> (see `-S' in slapd(8))
                     syslog-user=<user>   (see `-l' in slapd(8))

              Possible options/values specific to slapacl are:

                     authzDN
                     domain
                     peername
                     sasl_ssf
                     sockname
                     sockurl
                     ssf
                     tls_ssf
                     transport_ssf

              See the related fields in slapd.access(5) for details.

       -u     do not fetch the entry from the database.  In this case,  if  the  entry  does  not
              exist,  a  fake  entry  with  the  DN  given  with  the  -b option is used, with no
              attributes.  As a consequence, those rules that depend on the contents of the  tar‐
              get  object  will  not  behave  as  with the real object.  The DN given with the -b
              option is still used to select what rules apply; thus, it must  be  in  the  naming
              context of a configured database.  See also -b.

       -U authcID
              specify  an  ID  to  be mapped to a DN as by means of authz-regexp or authz-rewrite
              rules (see slapd.conf(5) for details); mutually exclusive with -D.

       -v     enable verbose mode.

       -X authzID
              specify an authorization ID to be mapped to a DN as by  means  of  authz-regexp  or
              authz-rewrite  rules  (see  slapd.conf(5)  for details); mutually exclusive with -o
              authzDN=DN.

EXAMPLES
       The command

            /usr/sbin/slapacl -f /etc/ldap/slapd.conf -v \
                   -U bjorn -b "o=University of Michigan,c=US" \
                "o/read:University of Michigan"

       tests whether the user bjorn can access the attribute  o  of  the  entry  o=University  of
       Michigan,c=US at read level.

SEE ALSO
       ldap(3), slapd(8), slaptest(8), slapauth(8)

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project <http://www.openl‐
       dap.org/>.  OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.



OpenLDAP                                    2014/09/20                                 SLAPACL(8)


/man
rootr.net - man pages