1 .TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapacl \- Check access to a list of attributes.
11 .B [\-D authcDN | \-U authcID]
17 .B [\-X authzID | \-o authzDN=DN]
18 .B [attr[/access][:value]] [...]
23 is used to check the behavior of
25 by verifying access to directory data according to the access control list
26 directives defined in its configuration.
30 configuration file or the
34 directives, and then parses the
36 list given on the command-line; if none is given, access to the
38 pseudo-attribute is tested.
45 which access is requested to; the corresponding entry is fetched
46 from the database, and thus it must exist.
47 The DN is also used to determine what rules apply; thus, it must be
48 in the naming context of a configured database. See also
52 enable debugging messages as defined by the specified
59 specify a DN to be used as identity through the test session
60 when selecting appropriate
62 clauses in access lists.
65 specify an alternative
70 specify a config directory.
75 are specified, the config file will be read and converted to
76 config directory format and written to the specified directory.
77 If neither option is specified, an attempt to read the
78 default config directory will be made before trying to use the default
79 config file. If a valid config directory exists then the
80 default config file is ignored.
82 .BI \-o " option[=value]"
87 Possible generic options/values are:
90 syslog=<subsystems> (see `\-s' in slapd(8))
91 syslog-level=<level> (see `\-S' in slapd(8))
92 syslog-user=<user> (see `\-l' in slapd(8))
96 Possible options/values specific to
114 See the related fields in
120 do not fetch the entry from the database.
121 In this case, if the entry does not exist, a fake entry with the DN
124 option is used, with no attributes.
125 As a consequence, those rules that depend on the contents
126 of the target object will not behave as with the real object.
127 The DN given with the
129 option is still used to select what rules apply; thus, it must be
130 in the naming context of a configured database.
135 specify an ID to be mapped to a
143 for details); mutually exclusive with
150 specify an authorization ID to be mapped to a
158 for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
164 SBINDIR/slapacl -f ETCDIR/slapd.conf -v \\
165 -U bjorn -b "o=University of Michigan,c=US" \\
166 "o/read:University of Michigan"
170 tests whether the user
172 can access the attribute
175 .I o=University of Michigan,c=US
185 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)