Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Thursday, June 13, 2019
 
 

slapacl (8oldap)

Name

slapacl - Check access to a list of attributes.

Synopsis

/usr/sbin/slapacl   -b DN  [-d debug-level]  [-D authcDN |  -U authcID]
[-f slapd.conf]    [-F confdir]    [-o option[=value]]    [-u]     [-v]
[-X authzID | -o  authzDN=DN] [attr[/access][:value]] [...]

Description

SLAPACL(8oldap)                                                SLAPACL(8oldap)



NAME
       slapacl - Check access to a list of attributes.

SYNOPSIS
       /usr/sbin/slapacl   -b DN  [-d debug-level]  [-D authcDN |  -U authcID]
       [-f slapd.conf]    [-F confdir]    [-o option[=value]]    [-u]     [-v]
       [-X authzID | -o  authzDN=DN] [attr[/access][:value]] [...]

DESCRIPTION
       slapacl  is  used to check the behavior of slapd(8) by verifying access
       to directory data according  to  the  access  control  list  directives
       defined in its configuration.  It opens the slapd.conf(5) configuration
       file or the slapd-config(5)  backend,  reads  in  the  access/olcAccess
       directives, and then parses the attr list given on the command-line; if
       none is given, access to the entry pseudo-attribute is tested.

OPTIONS
       -b DN  specify the DN which access is requested to;  the  corresponding
              entry is fetched from the database, and thus it must exist.  The
              DN is also used to determine what rules apply; thus, it must  be
              in the naming context of a configured database.  See also -u.

       -d debug-level
              enable  debugging  messages  as  defined by the specified debug-
              level; see slapd(8) for details.

       -D authcDN
              specify a DN to be used as identity  through  the  test  session
              when selecting appropriate <by> clauses in access lists.

       -f slapd.conf
              specify an alternative slapd.conf(5) file.

       -F confdir
              specify  a  config  directory.  If both -f and -F are specified,
              the config file will be read and converted to  config  directory
              format  and  written  to  the  specified  directory.  If neither
              option is specified, an  attempt  to  read  the  default  config
              directory  will  be made before trying to use the default config
              file. If a valid config directory exists then the default config
              file is ignored.

       -o option[=value]
              Specify  an  option  with a(n optional) value.  Possible generic
              options/values are:

                     syslog=<subsystems>  (see `-s' in slapd(8))
                     syslog-level=<level> (see `-S' in slapd(8))
                     syslog-user=<user>   (see `-l' in slapd(8))

              Possible options/values specific to slapacl are:

                     authzDN
                     domain
                     peername
                     sasl_ssf
                     sockname
                     sockurl
                     ssf
                     tls_ssf
                     transport_ssf

              See the related fields in slapd.access(5) for details.

       -u     do not fetch the entry from the database.  In this case, if  the
              entry does not exist, a fake entry with the DN given with the -b
              option is used, with no attributes.   As  a  consequence,  those
              rules  that depend on the contents of the target object will not
              behave as with the real object.  The DN given with the -b option
              is  still  used  to select what rules apply; thus, it must be in
              the naming context of a configured database.  See also -b.

       -U authcID
              specify an ID to be mapped to a DN as by means  of  authz-regexp
              or authz-rewrite rules (see slapd.conf(5) for details); mutually
              exclusive with -D.

       -v     enable verbose mode.

       -X authzID
              specify an authorization ID to be mapped to a DN as by means  of
              authz-regexp  or  authz-rewrite  rules  (see  slapd.conf(5)  for
              details); mutually exclusive with -o authzDN=DN.

EXAMPLES
       The command

            /usr/sbin/slapacl -f /etc/openldap/slapd.conf -v \
                   -U bjorn -b "o=University of Michigan,c=US" \
                "o/read:University of Michigan"

       tests whether the user bjorn can access the attribute o  of  the  entry
       o=University of Michigan,c=US at read level.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+-------------------------------+
       |ATTRIBUTE TYPE |       ATTRIBUTE VALUE         |
       +---------------+-------------------------------+
       |Availability   | service/network/ldap/openldap |
       +---------------+-------------------------------+
       |Stability      | Pass-through uncommitted      |
       +---------------+-------------------------------+
SEE ALSO
       ldap(3), slapd(8), slaptest(8), slapauth(8)

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni-
       versity of Michigan LDAP 3.3 Release.



NOTES
       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source  was downloaded from  ftp://ftp.openldap.org/pub/OpenLDAP/openl-
       dap-release/openldap-2.4.46.tgz

       Further information about this software can be found on the open source
       community website at http://www.openldap.org/.



OpenLDAP 2.4.46                   2018/03/22                   SLAPACL(8oldap)