X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman8%2Fslapacl.8;h=66f95c5f681f5d3408bc82e4bd3b7c9aa6e26dc3;hb=c8c7002e289a7934db8e70143053b5796fbef9a6;hp=fc369a3b989c52ed27bc88aa6fc07f2e438dea6e;hpb=e9ab146a413ec67fac3666313f5783fd3bec6146;p=openldap diff --git a/doc/man/man8/slapacl.8 b/doc/man/man8/slapacl.8 index fc369a3b98..66f95c5f68 100644 --- a/doc/man/man8/slapacl.8 +++ b/doc/man/man8/slapacl.8 @@ -1,31 +1,47 @@ .TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION" -.\" Copyright 2004-2005 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 2004-2013 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ .SH NAME slapacl \- Check access to a list of attributes. .SH SYNOPSIS .B SBINDIR/slapacl -.B [\-v] -.B [\-d level] -.B [\-f slapd.conf] -.B [\-D authcDN | \-U authcID] -.B \-b DN -.B [\-u] -.B [\-X authzID | \-o authzDN=DN] -.B [attr[/access][:value]] [...] +.BI \-b \ DN +[\c +.BI \-d \ debug-level\fR] +[\c +.BI \-D \ authcDN\ \fR| +.BI \-U \ authcID\fR] +[\c +.BI \-f \ slapd.conf\fR] +[\c +.BI \-F \ confdir\fR] +[\c +.BI \-o \ option\fR[ = value\fR]] +[\c +.BR \-u ] +[\c +.BR \-v ] +[\c +.BI \-X \ authzID\ \fR| +.BI "\-o \ authzDN=" DN\fR] +[\c +.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...] .LP .SH DESCRIPTION .LP -.B Slapacl -is used to check the behavior of the slapd in verifying access to data -according to ACLs, as specified in -.BR slapd.access (5). +.B slapacl +is used to check the behavior of +.BR slapd (8) +by verifying access to directory data according to the access control list +directives defined in its configuration. +. It opens the .BR slapd.conf (5) -configuration file, reads in the -.B access -and -.B defaultaccess +configuration file or the +.BR slapd\-config (5) +backend, reads in the +.BR access / olcAccess directives, and then parses the .B attr list given on the command-line; if none is given, access to the 
@@ -34,96 +50,135 @@ pseudo-attribute is tested. .LP .SH OPTIONS .TP -.B \-v -enable verbose mode. +.BI \-b \ DN +specify the +.I DN +which access is requested to; the corresponding entry is fetched +from the database, and thus it must exist. +The +.I DN +is also used to determine what rules apply; thus, it must be +in the naming context of a configured database. See also +.BR \-u . .TP -.BI \-d " level" +.BI \-d \ debug-level enable debugging messages as defined by the specified -.IR level . -.TP -.BI \-f " slapd.conf" -specify an alternative -.BR slapd.conf (5) -file. +.IR debug-level ; +see +.BR slapd (8) +for details. .TP -.BI \-D " authcDN" +.BI \-D \ authcDN specify a DN to be used as identity through the test session when selecting appropriate .B clauses in access lists. .TP -.BI \-U " authcID" -specify an ID to be mapped to a -.B DN -as by means of -.B authz-regexp -or -.B authz-rewrite -rules (see +.BI \-f \ slapd.conf +specify an alternative .BR slapd.conf (5) -for details); mutually exclusive with -.BR \-D . +file. .TP -.BI \-X " authzID" -specify an authorization ID to be mapped to a -.B DN -as by means of -.B authz-regexp -or -.B authz-rewrite -rules (see -.BR slapd.conf (5) -for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP. +.BI \-F \ confdir +specify a config directory. +If both +.B \-f +and +.B \-F +are specified, the config file will be read and converted to +config directory format and written to the specified directory. +If neither option is specified, an attempt to read the +default config directory will be made before trying to use the default +config file. If a valid config directory exists then the +default config file is ignored. .TP -.BI \-o " option[=value]" +.BI \-o \ option\fR[ = value\fR] Specify an -.BR option +.I option with a(n optional) -.BR value . -Possible options/values are: +.IR value . 
+Possible generic options/values are: .LP .nf - sockurl + syslog= (see `\-s' in slapd(8)) + syslog\-level= (see `\-S' in slapd(8)) + syslog\-user= (see `\-l' in slapd(8)) + +.fi +.RS +Possible options/values specific to +.B slapacl +are: +.RE +.nf + + authzDN domain peername + sasl_ssf sockname + sockurl ssf - transport_ssf tls_ssf - sasl_ssf - authzDN + transport_ssf + .fi -.TP -.BI \-b " DN" -specify the -.B DN -which access is requested to; the corresponding entry is fetched -from the database, and thus it must exist. -The DN is also used to determine what rules apply; thus, it must be -in the naming context of a configured database. See also -.BR \-u . +.RS +See the related fields in +.BR slapd.access (5) +for details. +.RE .TP .BI \-u do not fetch the entry from the database. -In this case, if the entry does not exist, a fake entry with the DN +In this case, if the entry does not exist, a fake entry with the +.I DN given with the .B \-b option is used, with no attributes. As a consequence, those rules that depend on the contents of the target object will not behave as with the real object. -The DN given with the +The +.I DN +given with the .B \-b option is still used to select what rules apply; thus, it must be in the naming context of a configured database. See also .BR \-b . +.TP +.BI \-U \ authcID +specify an ID to be mapped to a +.B DN +as by means of +.B authz\-regexp +or +.B authz\-rewrite +rules (see +.BR slapd.conf (5) +for details); mutually exclusive with +.BR \-D . +.TP +.B \-v +enable verbose mode. +.TP +.BI \-X \ authzID +specify an authorization ID to be mapped to a +.B DN +as by means of +.B authz\-regexp +or +.B authz\-rewrite +rules (see +.BR slapd.conf (5) +for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR. 
.SH EXAMPLES The command .LP .nf .ft tt - SBINDIR/slapacl -f /ETCDIR/slapd.conf -v \\ - -U bjorn -b "o=University of Michigan,c=US" \\ + SBINDIR/slapacl \-f ETCDIR/slapd.conf \-v \\ + \-U bjorn \-b "o=University of Michigan,c=US" \\ "o/read:University of Michigan" .ft @@ -139,13 +194,10 @@ at level. .SH "SEE ALSO" .BR ldap (3), -.BR slapd (8) -.BR slaptest (8) +.BR slapd (8), +.BR slaptest (8), .BR slapauth (8) .LP "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) .SH ACKNOWLEDGEMENTS -.B OpenLDAP -is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). -.B OpenLDAP -is derived from University of Michigan LDAP 3.3 Release. +.so ../Project
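Review bot: In the DESCRIPTION of the first hunk (@@ -1,31 +1,47 @@), the rewritten opening sentence drops the `.BR slapd.access (5)` reference, so the description no longer tells the reader where the ACL syntax being tested is documented. Suggest keeping the pointer, for example by ending the sentence with "directives defined in its configuration (see slapd.access(5))".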
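Review bot: In the second hunk (@@ -34,96 +50,135 @@), the new \-F entry says that giving both \-f and \-F converts the config file and writes it to the specified directory, which is a write side effect in a tool whose stated purpose is checking access. The entry should say this explicitly and state what happens when the target directory already has content or is not writable, so that an operator testing ACLs against a live slapd.conf does not add \-F without expecting a write. Minor: the \-b and \-u entries now mark the DN with `.I DN`, while the relocated \-U and \-X entries still use `.B DN`; pick one.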
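Review bot: In the SEE ALSO block of the last hunk (@@ -139,13 +194,10 @@), the list gains its missing commas but still names only ldap(3), slapd(8), slaptest(8) and slapauth(8), while the new text refers to slapd.conf(5), slapd\-config(5) and slapd.access(5); add those three. Also, `.so ../Project` replaces the inline acknowledgement text with an include of a file this diff does not show, so confirm the relative path resolves for the installed page and not only in the source tree.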