Merge branch 'mdb.master' of ssh://git-master.openldap.org/~git/git/openldap

[openldap] / doc / man / man8 / slapacl.8

diff --git a/doc/man/man8/slapacl.8 b/doc/man/man8/slapacl.8
index 4c392391e6c57abeb8bd12daf3fa3b4d8380e62b..c72ed4cb6f0c997f4b099e2f639273169b792e8b 100644 (file)
--- a/doc/man/man8/slapacl.8
+++ b/doc/man/man8/slapacl.8
@@ -1,32 +1,47 @@
 .TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
 .TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"

-.\" Copyright 2004-2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2011 The OpenLDAP Foundation All Rights Reserved.

 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.

+.\" $OpenLDAP$

 .SH NAME
 slapacl \- Check access to a list of attributes.
 .SH SYNOPSIS
 .B SBINDIR/slapacl
 .SH NAME
 slapacl \- Check access to a list of attributes.
 .SH SYNOPSIS
 .B SBINDIR/slapacl

-.B [\-v]
-.B [\-d level]
-.B [\-f slapd.conf]
-.B [\-F confdir]
-.B [\-D authcDN | \-U authcID]
-.B \-b DN
-.B [\-u]
-.B [\-X authzID | \-o authzDN=DN]
-.B [attr[/access][:value]] [...]
+.BI \-b \ DN
+[\c
+.BI \-d \ debug-level\fR]
+[\c
+.BI \-D \ authcDN\ \fR|
+.BI \-U \ authcID\fR]
+[\c
+.BI \-f \ slapd.conf\fR]
+[\c
+.BI \-F \ confdir\fR]
+[\c
+.BI \-o \ option\fR[ = value\fR]]
+[\c
+.BR \-u ]
+[\c
+.BR \-v ]
+[\c
+.BI \-X \ authzID\ \fR|
+.BI "\-o \ authzDN=" DN\fR]
+[\c
+.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...]

 .LP
 .SH DESCRIPTION
 .LP
 .LP
 .SH DESCRIPTION
 .LP

-.B Slapacl
-is used to check the behavior of the slapd in verifying access to data
-according to ACLs, as specified in 
-.BR slapd.access (5).
+.B slapacl
+is used to check the behavior of 
+.BR slapd (8) 
+by verifying access to directory data according to the access control list
+directives defined in its configuration.
+.

 It opens the
 .BR slapd.conf (5)
 It opens the
 .BR slapd.conf (5)

-configuration file, reads in the 
-.B access
-and
-.B defaultaccess
+configuration file or the 
+.BR slapd\-config (5) 
+backend, reads in the  
+.BR access / olcAccess

 directives, and then parses the 
 .B attr
 list given on the command-line; if none is given, access to the
 directives, and then parses the 
 .B attr
 list given on the command-line; if none is given, access to the


@@ -35,109 +50,135 @@ pseudo-attribute is tested.
 .LP
 .SH OPTIONS
 .TP
 .LP
 .SH OPTIONS
 .TP

-.B \-v
-enable verbose mode.
+.BI \-b \ DN
+specify the 
+.I DN 
+which access is requested to; the corresponding entry is fetched 
+from the database, and thus it must exist.
+The
+.I DN
+is also used to determine what rules apply; thus, it must be
+in the naming context of a configured database.  See also
+.BR \-u .

 .TP
 .TP

-.BI \-d " level"
+.BI \-d \ debug-level

 enable debugging messages as defined by the specified
 enable debugging messages as defined by the specified

-.IR level .
+.IR debug-level ;
+see
+.BR slapd (8)
+for details.

 .TP
 .TP

-.BI \-f " slapd.conf"
+.BI \-D \ authcDN
+specify a DN to be used as identity through the test session
+when selecting appropriate
+.B <by> 
+clauses in access lists.
+.TP
+.BI \-f \ slapd.conf

 specify an alternative
 .BR slapd.conf (5)
 file.
 .TP
 specify an alternative
 .BR slapd.conf (5)
 file.
 .TP

-.BI \-F " confdir"
+.BI \-F \ confdir

 specify a config directory.
 If both
 specify a config directory.
 If both

-.B -f
+.B \-f

 and
 and

-.B -F
+.B \-F

 are specified, the config file will be read and converted to
 config directory format and written to the specified directory.
 If neither option is specified, an attempt to read the
 are specified, the config file will be read and converted to
 config directory format and written to the specified directory.
 If neither option is specified, an attempt to read the

-default config directory wll be made before trying to use the default
+default config directory will be made before trying to use the default

 config file. If a valid config directory exists then the
 default config file is ignored.
 .TP
 config file. If a valid config directory exists then the
 default config file is ignored.
 .TP

-.BI \-D " authcDN"
-specify a DN to be used as identity through the test session
-when selecting appropriate
-.B <by> 
-clauses in access lists.
-.TP
-.BI \-U " authcID"
-specify an ID to be mapped to a 
-.B DN 
-as by means of 
-.B authz-regexp
-or
-.B authz-rewrite
-rules (see 
-.BR slapd.conf (5)
-for details); mutually exclusive with
-.BR \-D .
-.TP
-.BI \-X " authzID"
-specify an authorization ID to be mapped to a
-.B DN
-as by means of
-.B authz-regexp
-or
-.B authz-rewrite
-rules (see
-.BR slapd.conf (5)
-for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
-.TP
-.BI \-o " option[=value]"
+.BI \-o \ option\fR[ = value\fR]

 Specify an
 Specify an

-.BR option
+.I option

 with a(n optional)
 with a(n optional)

-.BR value .
-Possible options/values are:
+.IR value .
+Possible generic options/values are:

 .LP
 .nf
 .LP
 .nf

-              sockurl
+              syslog=<subsystems>  (see `\-s' in slapd(8))
+              syslog\-level=<level> (see `\-S' in slapd(8))
+              syslog\-user=<user>   (see `\-l' in slapd(8))
+
+.fi
+.RS
+Possible options/values specific to
+.B slapacl
+are:
+.RE
+.nf
+
+              authzDN

               domain
               peername
               domain
               peername

+              sasl_ssf

               sockname
               sockname

+              sockurl

               ssf
               ssf

-              transport_ssf

               tls_ssf
               tls_ssf

-              sasl_ssf
-              authzDN
+              transport_ssf
+

 .fi
 .fi

-.TP
-.BI \-b " DN"
-specify the 
-.B DN 
-which access is requested to; the corresponding entry is fetched 
-from the database, and thus it must exist.
-The DN is also used to determine what rules apply; thus, it must be
-in the naming context of a configured database.  See also
-.BR \-u .
+.RS
+See the related fields in
+.BR slapd.access (5)
+for details.
+.RE

 .TP
 .BI \-u
 do not fetch the entry from the database.
 .TP
 .BI \-u
 do not fetch the entry from the database.

-In this case, if the entry does not exist, a fake entry with the DN
+In this case, if the entry does not exist, a fake entry with the
+.I DN

 given with the
 .B \-b
 option is used, with no attributes.
 As a consequence, those rules that depend on the contents 
 of the target object will not behave as with the real object.
 given with the
 .B \-b
 option is used, with no attributes.
 As a consequence, those rules that depend on the contents 
 of the target object will not behave as with the real object.

-The DN given with the
+The
+.I DN
+given with the

 .B \-b
 option is still used to select what rules apply; thus, it must be
 in the naming context of a configured database.
 See also
 .BR \-b .
 .B \-b
 option is still used to select what rules apply; thus, it must be
 in the naming context of a configured database.
 See also
 .BR \-b .

+.TP
+.BI \-U \ authcID
+specify an ID to be mapped to a 
+.B DN 
+as by means of 
+.B authz\-regexp
+or
+.B authz\-rewrite
+rules (see 
+.BR slapd.conf (5)
+for details); mutually exclusive with
+.BR \-D .
+.TP
+.B \-v
+enable verbose mode.
+.TP
+.BI \-X \ authzID
+specify an authorization ID to be mapped to a
+.B DN
+as by means of
+.B authz\-regexp
+or
+.B authz\-rewrite
+rules (see
+.BR slapd.conf (5)
+for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR.

 .SH EXAMPLES
 The command
 .LP
 .nf
 .ft tt
 .SH EXAMPLES
 The command
 .LP
 .nf
 .ft tt

-       SBINDIR/slapacl -f /ETCDIR/slapd.conf -v \\
-            -U bjorn -b "o=University of Michigan,c=US" \\
+       SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\
+            \-U bjorn \-b "o=University of Michigan,c=US" \\

            "o/read:University of Michigan"
 
 .ft
            "o/read:University of Michigan"
 
 .ft


@@ -153,13 +194,10 @@ at
 level.
 .SH "SEE ALSO"
 .BR ldap (3),
 level.
 .SH "SEE ALSO"
 .BR ldap (3),

-.BR slapd (8)
-.BR slaptest (8)
+.BR slapd (8),
+.BR slaptest (8),

 .BR slapauth (8)
 .LP
 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
 .SH ACKNOWLEDGEMENTS
 .BR slapauth (8)
 .LP
 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
 .SH ACKNOWLEDGEMENTS

-.B OpenLDAP
-is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
-is derived from University of Michigan LDAP 3.3 Release.  
+.so ../Project