.TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2013 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
.SH NAME
slapacl \- Check access to a list of attributes.
.SH SYNOPSIS
.B SBINDIR/slapacl
-.B \-b DN
-.B [\-d level]
-.B [\-D authcDN | \-U authcID]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-o name[=value]]
-.B [\-u]
-.B [\-v]
-.B [\-X authzID | \-o authzDN=DN]
-.B [attr[/access][:value]] [...]
+.BI \-b \ DN
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-D \ authcDN\ \fR|
+.BI \-U \ authcID\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
+[\c
+.BI \-X \ authzID\ \fR|
+.BI "\-o \ authzDN=" DN\fR]
+[\c
+.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...]
.LP
.SH DESCRIPTION
.LP
-.B Slapacl
-is used to check the behavior of the slapd in verifying access to data
-according to ACLs, as specified in
-.BR slapd.access (5).
+.B slapacl
+is used to check the behavior of
+.BR slapd (8)
+by verifying access to directory data according to the access control list
+directives defined in its configuration.
+.
It opens the
.BR slapd.conf (5)
-configuration file, reads in the
-.B access
+configuration file or the
+.BR slapd\-config (5)
+backend, reads in the
+.BR access / olcAccess
directives, and then parses the
.B attr
list given on the command-line; if none is given, access to the
.LP
.SH OPTIONS
.TP
-.BI \-b " DN"
+.BI \-b \ DN
specify the
-.B DN
+.I DN
which access is requested to; the corresponding entry is fetched
from the database, and thus it must exist.
-The DN is also used to determine what rules apply; thus, it must be
+The
+.I DN
+is also used to determine what rules apply; thus, it must be
in the naming context of a configured database. See also
.BR \-u .
.TP
-.BI \-d " level"
+.BI \-d \ debug-level
enable debugging messages as defined by the specified
-.IR level ;
+.IR debug-level ;
see
.BR slapd (8)
for details.
.TP
-.BI \-D " authcDN"
+.BI \-D \ authcDN
specify a DN to be used as identity through the test session
when selecting appropriate
.B <by>
clauses in access lists.
.TP
-.BI \-f " slapd.conf"
+.BI \-f \ slapd.conf
specify an alternative
.BR slapd.conf (5)
file.
.TP
-.BI \-F " confdir"
+.BI \-F \ confdir
specify a config directory.
If both
-.B -f
+.B \-f
and
-.B -F
+.B \-F
are specified, the config file will be read and converted to
config directory format and written to the specified directory.
If neither option is specified, an attempt to read the
config file. If a valid config directory exists then the
default config file is ignored.
.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]
Specify an
-.BR option
+.I option
with a(n optional)
-.BR value .
+.IR value .
Possible generic options/values are:
.LP
.nf
syslog=<subsystems> (see `\-s' in slapd(8))
- syslog-level=<level> (see `\-S' in slapd(8))
- syslog-user=<user> (see `\-l' in slapd(8))
+ syslog\-level=<level> (see `\-S' in slapd(8))
+ syslog\-user=<user> (see `\-l' in slapd(8))
.fi
.RS
.TP
.BI \-u
do not fetch the entry from the database.
-In this case, if the entry does not exist, a fake entry with the DN
+In this case, if the entry does not exist, a fake entry with the
+.I DN
given with the
.B \-b
option is used, with no attributes.
As a consequence, those rules that depend on the contents
of the target object will not behave as with the real object.
-The DN given with the
+The
+.I DN
+given with the
.B \-b
option is still used to select what rules apply; thus, it must be
in the naming context of a configured database.
See also
.BR \-b .
.TP
-.BI \-U " authcID"
+.BI \-U \ authcID
specify an ID to be mapped to a
.B DN
as by means of
-.B authz-regexp
+.B authz\-regexp
or
-.B authz-rewrite
+.B authz\-rewrite
rules (see
.BR slapd.conf (5)
for details); mutually exclusive with
.B \-v
enable verbose mode.
.TP
-.BI \-X " authzID"
+.BI \-X \ authzID
specify an authorization ID to be mapped to a
.B DN
as by means of
-.B authz-regexp
+.B authz\-regexp
or
-.B authz-rewrite
+.B authz\-rewrite
rules (see
.BR slapd.conf (5)
-for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
+for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR.
.SH EXAMPLES
The command
.LP
.nf
.ft tt
- SBINDIR/slapacl -f ETCDIR/slapd.conf -v \\
- -U bjorn -b "o=University of Michigan,c=US" \\
+ SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\
+ \-U bjorn \-b "o=University of Michigan,c=US" \\
"o/read:University of Michigan"
.ft
level.
.SH "SEE ALSO"
.BR ldap (3),
-.BR slapd (8)
-.BR slaptest (8)
+.BR slapd (8),
+.BR slaptest (8),
.BR slapauth (8)
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)