.TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2005 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
slapacl \- Check access to a list of attributes.
.SH SYNOPSIS
.B SBINDIR/slapacl
-.B [\-v]
+.B \-b DN
.B [\-d level]
-.B [\-f slapd.conf]
.B [\-D authcDN | \-U authcID]
-.B \-b DN
+.B [\-f slapd.conf]
+.B [\-F confdir]
+.B [\-o name[=value]
+.B [\-u]
+.B [\-v]
+.B [\-X authzID | \-o authzDN=DN]
.B [attr[/access][:value]] [...]
.LP
.SH DESCRIPTION
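Review bot: The added SYNOPSIS line `.B [\-o name[=value]` is missing its closing bracket, so the optional group is never terminated; it should read `.B [\-o name[=value]]`. The OPTIONS entry for the same flag is written `option[=value]`, so choose either `name` or `option` and use it in both places.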
.BR slapd.conf (5)
configuration file, reads in the
.B access
-and
-.B defaultaccess
directives, and then parses the
.B attr
list given on the command-line; if none is given, access to the
.LP
.SH OPTIONS
.TP
-.B \-v
-enable verbose mode.
+.BI \-b " DN"
+specify the
+.B DN
+which access is requested to; the corresponding entry is fetched
+from the database, and thus it must exist.
+The DN is also used to determine what rules apply; thus, it must be
+in the naming context of a configured database. See also
+.BR \-u .
.TP
.BI \-d " level"
enable debugging messages as defined by the specified
-.IR level .
-.TP
-.BI \-f " slapd.conf"
-specify an alternative
-.BR slapd.conf (5)
-file.
+.IR level ;
+see
+.BR slapd (8)
+for details.
.TP
.BI \-D " authcDN"
specify a DN to be used as identity through the test session
.B <by>
clauses in access lists.
.TP
+.BI \-f " slapd.conf"
+specify an alternative
+.BR slapd.conf (5)
+file.
+.TP
+.BI \-F " confdir"
+specify a config directory.
+If both
+.B -f
+and
+.B -F
+are specified, the config file will be read and converted to
+config directory format and written to the specified directory.
+If neither option is specified, an attempt to read the
+default config directory will be made before trying to use the default
+config file. If a valid config directory exists then the
+default config file is ignored.
+.TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible generic options/values are:
+.LP
+.nf
+ syslog=<subsystems> (see `\-s' in slapd(8))
+ syslog-level=<level> (see `\-S' in slapd(8))
+ syslog-user=<user> (see `\-l' in slapd(8))
+
+.fi
+.RS
+Possible options/values specific to
+.B slapacl
+are:
+.RE
+.nf
+
+ authzDN
+ domain
+ peername
+ sasl_ssf
+ sockname
+ sockurl
+ ssf
+ tls_ssf
+ transport_ssf
+
+.fi
+.RS
+See the related fields in
+.BR slapd.access (5)
+for details.
+.RE
+.TP
+.BI \-u
+do not fetch the entry from the database.
+In this case, if the entry does not exist, a fake entry with the DN
+given with the
+.B \-b
+option is used, with no attributes.
+As a consequence, those rules that depend on the contents
+of the target object will not behave as with the real object.
+The DN given with the
+.B \-b
+option is still used to select what rules apply; thus, it must be
+in the naming context of a configured database.
+See also
+.BR \-b .
+.TP
.BI \-U " authcID"
specify an ID to be mapped to a
.B DN
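Review bot: In the \-o entry, the slapacl-specific options (authzDN through transport_ssf) are listed as bare names, while the generic ones just above show their value form (`syslog=<subsystems>`), so a reader cannot tell what each one expects. Give each its value syntax, as the SYNOPSIS already does for `authzDN=DN`. Two roff nits in the same hunk: `.B -f` and `.B -F` in the \-F entry should escape the hyphen as `\-` like every other option reference, and `.BI \-u` has no argument to italicize, so `.B \-u` would match `.B \-v`.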
for details); mutually exclusive with
.BR \-D .
.TP
-.BI \-b " DN"
-specify the
-.B DN
-access to is requested; the corresponding entry is not fetched
-from the database, and thus it must not exist.
-However, a database must be selected to determine what rules
-apply; thus, it must be in the naming context of a configured database.
+.B \-v
+enable verbose mode.
+.TP
+.BI \-X " authzID"
+specify an authorization ID to be mapped to a
+.B DN
+as by means of
+.B authz-regexp
+or
+.B authz-rewrite
+rules (see
+.BR slapd.conf (5)
+for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
.SH EXAMPLES
The command
.LP
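Review bot: The new \-X entry explains how authzID is mapped to a DN but does not say which identity the `<by>` clauses are evaluated against when \-X is combined with \-D or \-U. State that explicitly, since it determines how the outcome of an access check should be read. The exclusion with `\-o authzDN=DN` is mentioned only here, so the authzDN item in the \-o list should point back to \-X.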
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.SH ACKNOWLEDGEMENTS
-.B OpenLDAP
-is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
-is derived from University of Michigan LDAP 3.3 Release.
+.so ../Project
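Review bot: `.so ../Project` is a relative include, so the ACKNOWLEDGEMENTS text renders only if the formatter can resolve `../Project` from wherever the page ends up. Confirm that the build expands the include (for example with soelim) before installation, otherwise installed copies lose the text that the removed lines carried inline.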