1 .TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
5 slapacl \- Check access to a list of attributes.
10 .B [\-D authcDN | \-U authcID]
16 .B [\-X authzID | \-o authzDN=DN]
17 .B [attr[/access][:value]] [...]
22 is used to check the behavior of the slapd in verifying access to data
23 according to ACLs, as specified in
27 configuration file, reads in the
31 directives, and then parses the
33 list given on the command-line; if none is given, access to the
35 pseudo-attribute is tested.
42 which access is requested to; the corresponding entry is fetched
43 from the database, and thus it must exist.
44 The DN is also used to determine what rules apply; thus, it must be
45 in the naming context of a configured database. See also
49 enable debugging messages as defined by the specified
56 specify a DN to be used as identity through the test session
57 when selecting appropriate
59 clauses in access lists.
62 specify an alternative
67 specify a config directory.
72 are specified, the config file will be read and converted to
73 config directory format and written to the specified directory.
74 If neither option is specified, an attempt to read the
75 default config directory will be made before trying to use the default
76 config file. If a valid config directory exists then the
77 default config file is ignored.
79 .BI \-o " option[=value]"
84 Possible generic options/values are:
87 syslog=<subsystems> (see `\-s' in slapd(8))
88 syslog-level=<level> (see `\-S' in slapd(8))
89 syslog-user=<user> (see `\-l' in slapd(8))
93 Possible options/values specific to
111 See the related fields in
117 do not fetch the entry from the database.
118 In this case, if the entry does not exist, a fake entry with the DN
121 option is used, with no attributes.
122 As a consequence, those rules that depend on the contents
123 of the target object will not behave as with the real object.
124 The DN given with the
126 option is still used to select what rules apply; thus, it must be
127 in the naming context of a configured database.
132 specify an ID to be mapped to a
140 for details); mutually exclusive with
147 specify an authorization ID to be mapped to a
155 for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
161 SBINDIR/slapacl -f /ETCDIR/slapd.conf -v \\
162 -U bjorn -b "o=University of Michigan,c=US" \\
163 "o/read:University of Michigan"
167 tests whether the user
169 can access the attribute
172 .I o=University of Michigan,c=US
182 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)