listing for S
slapacl - Check access to a list of attributes.
/usr/internet/openldap/sbin/slapacl [-v] [-d level] [-f slapd.conf] [-F
confdir] [-D authcDN | -U authcID] -b DN [-u] [-X authzID | -o authzDN=DN]
Slapacl is used to check the behavior of the slapd in verifying access to
data according to ACLs, as specified in slapd.access(5). It opens the
slapd.conf(5) configuration file, reads in the access and defaultaccess
directives, and then parses the attr list given on the command-line; if
none is given, access to the entry pseudo-attribute is tested.
-v enable verbose mode.
enable debugging messages as defined by the specified level.
specify an alternative slapd.conf(5) file.
specify a config directory. If both -f and -F are specified, the
config file will be read and converted to config directory format and
written to the specified directory. If neither option is specified,
an attempt to read the default config directory will be made before
trying to use the default config file. If a valid config directory
exists then the default config file is ignored.
specify a DN to be used as identity through the test session when
selecting appropriate <by> clauses in access lists.
specify an ID to be mapped to a DN as by means of authz-regexp or
authz-rewrite rules (see slapd.conf(5) for details); mutually
exclusive with -D.
specify an authorization ID to be mapped to a DN as by means of
authz-regexp or authz-rewrite rules (see slapd.conf(5) for details);
mutually exclusive with -o authzDN=DN.
Specify an option with a(n optional) value. Possible options/values
specify the DN which access is requested to; the corresponding entry
is fetched from the database, and thus it must exist. The DN is also
used to determine what rules apply; thus, it must be in the naming
context of a configured database. See also -u.
-u do not fetch the entry from the database. In this case, if the entry
does not exist, a fake entry with the DN given with the -b option is
used, with no attributes. As a consequence, those rules that depend
on the contents of the target object will not behave as with the real
object. The DN given with the -b option is still used to select what
rules apply; thus, it must be in the naming context of a configured
database. See also -b.
/usr/internet/openldap/sbin/slapacl -f //usr/internet/openldap/etc/slapd.conf -v \
-U bjorn -b "o=University of Michigan,c=US" \
"o/read:University of Michigan"
tests whether the user bjorn can access the attribute o of the entry
o=University of Michigan,c=US at read level.
ldap(3), slapd(8) slaptest(8) slapauth(8)
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
OpenLDAP is developed and maintained by The OpenLDAP Project
(http://www.openldap.org/). OpenLDAP is derived from University of
Michigan LDAP 3.3 Release.
listing for S