fix previous commit in case of access to non existent backend (e.g. rootDSE); add...

[openldap] / doc / man / man8 / slapacl.8

.TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2004-2005 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.SH NAME
slapacl \- Check access to a list of attributes.
.SH SYNOPSIS
.B SBINDIR/slapacl
.B [\-v]
.B [\-d level]
.B [\-f slapd.conf]
.B [\-D authcDN | \-U authcID]
.B \-b DN
.B [\-u]
.B [\-X authzID | \-o authzDN=DN]
.B [attr[/access][:value]] [...]
.LP
.SH DESCRIPTION
.LP
.B Slapacl
is used to check the behavior of the slapd in verifying access to data
according to ACLs, as specified in 
.BR slapd.access (5).
It opens the
.BR slapd.conf (5)
configuration file, reads in the 
.B access
and
.B defaultaccess
directives, and then parses the 
.B attr
list given on the command-line; if none is given, access to the
.B entry
pseudo-attribute is tested.
.LP
.SH OPTIONS
.TP
.B \-v
enable verbose mode.
.TP
.BI \-d " level"
enable debugging messages as defined by the specified
.IR level .
.TP
.BI \-f " slapd.conf"
specify an alternative
.BR slapd.conf (5)
file.
.TP
.BI \-D " authcDN"
specify a DN to be used as identity through the test session
when selecting appropriate
.B <by> 
clauses in access lists.
.TP
.BI \-U " authcID"
specify an ID to be mapped to a 
.B DN 
as by means of 
.B authz-regexp
or
.B authz-rewrite
rules (see 
.BR slapd.conf (5)
for details); mutually exclusive with
.BR \-D .
.TP
.BI \-X " authzID"
specify an authorization ID to be mapped to a
.B DN
as by means of
.B authz-regexp
or
.B authz-rewrite
rules (see
.BR slapd.conf (5)
for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
.TP
.BI \-o " option[=value]"
Specify an
.BR option
with a(n optional)
.BR value .
Possible options/values are:
.LP
.nf
              sockurl
              domain
              peername
              sockname
              ssf
              transport_ssf
              tls_ssf
              sasl_ssf
              authzDN
.fi
.TP
.BI \-b " DN"
specify the 
.B DN 
which access is requested to; the corresponding entry is fetched 
from the database, and thus it must exist.
The DN is also used to determine what rules apply; thus, it must be
in the naming context of a configured database.  See also
.BR \-u .
.TP
.BI \-u
do not fetch the entry from the database.
In this case, if the entry does not exist, a fake entry with the DN
given with the
.B \-b
option is used, with no attributes.
As a consequence, those rules that depend on the contents 
of the target object will not behave as with the real object.
The DN given with the
.B \-b
option is still used to select what rules apply; thus, it must be
in the naming context of a configured database.
See also
.BR \-b .
.SH EXAMPLES
The command
.LP
.nf
.ft tt
        SBINDIR/slapacl -f /ETCDIR/slapd.conf -v \\
            -U bjorn -b "o=University of Michigan,c=US" \\
            "o/read:University of Michigan"

.ft
.fi
tests whether the user
.I bjorn
can access the attribute 
.I o
of the entry
.I o=University of Michigan,c=US
at
.I read
level.
.SH "SEE ALSO"
.BR ldap (3),
.BR slapd (8)
.BR slaptest (8)
.BR slapauth (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.