.TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2004-2012 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
slapacl \- Check access to a list of attributes.
.BI \-d \ debug-level\fR]
.BI \-D \ authcDN\ \fR|
.BI \-f \ slapd.conf\fR]
.BI \-o \ option\fR[ = value\fR]]
.BI \-X \ authzID\ \fR|
.BI "\-o \ authzDN=" DN\fR]
.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...]
is used to check the behavior of
by verifying access to directory data according to the access control list
directives defined in its configuration.
configuration file or the
.BR access / olcAccess
directives, and then parses the
list given on the command-line; if none is given, access to the
pseudo-attribute is tested.
which access is requested to; the corresponding entry is fetched
from the database, and thus it must exist.
is also used to determine what rules apply; thus, it must be
in the naming context of a configured database. See also
enable debugging messages as defined by the specified
specify a DN to be used as identity through the test session
when selecting appropriate
clauses in access lists.
specify an alternative
specify a config directory.
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
default config directory will be made before trying to use the default
config file. If a valid config directory exists then the
default config file is ignored.
.BI \-o \ option\fR[ = value\fR]
Possible generic options/values are:
syslog=<subsystems> (see `\-s' in slapd(8))
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
Possible options/values specific to
See the related fields in
do not fetch the entry from the database.
In this case, if the entry does not exist, a fake entry with the
option is used, with no attributes.
As a consequence, those rules that depend on the contents
of the target object will not behave as with the real object.
option is still used to select what rules apply; thus, it must be
in the naming context of a configured database.
specify an ID to be mapped to a
for details); mutually exclusive with
specify an authorization ID to be mapped to a
for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR.
SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\
\-U bjorn \-b "o=University of Michigan,c=US" \\
"o/read:University of Michigan"
tests whether the user
can access the attribute
.I o=University of Michigan,c=US
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)