Provided by: slapd_2.4.7-6ubuntu3_i386

NAME

       slapacl - Check access to a list of attributes.

SYNOPSIS

       /usr/sbin/slapacl  -b  DN  [-d  level]  [-D  authcDN  | -U authcID] [-f
       slapd.conf] [-F confdir] [-o name[=value]] [-u] [-v] [-X authzID  |  -o
       authzDN=DN] [attr[/access][:value]] [...]

DESCRIPTION

       Slapacl is used to check the behavior of slapd(8) in verifying  access
       to data according to ACLs, as specified in slapd.access(5).   It  opens
       the  slapd.conf(5)  configuration file, reads in the access directives,
       and then parses the attr list given on the  command-line;  if  none  is
       given, access to the entry pseudo-attribute is tested.

OPTIONS

       -b DN  specify the DN to which access is requested;  the  corresponding
              entry is fetched from the database, and thus it must exist.  The
              DN  is also used to determine what rules apply; thus, it must be
              in the naming context of a configured database.  See also -u.

       -d level
              enable debugging messages as defined by the specified level; see
              slapd(8) for details.

       -D authcDN
              specify  a  DN  to  be used as identity through the test session
              when selecting appropriate <by> clauses in access lists.

       -f slapd.conf
              specify an alternative slapd.conf(5) file.

       -F confdir
              specify a config directory.  If both -f and  -F  are  specified,
              the  config  file will be read and converted to config directory
              format and written  to  the  specified  directory.   If  neither
              option  is  specified,  an  attempt  to  read the default config
              directory will be made before trying to use the  default  config
              file. If a valid config directory exists then the default config
              file is ignored.

       -o option[=value]
              Specify an option with an  optional  value.   Possible  generic
              options/values are:

                     syslog=<subsystems>  (see ‘-s’ in slapd(8))
                     syslog-level=<level> (see ‘-S’ in slapd(8))
                     syslog-user=<user>   (see ‘-l’ in slapd(8))

              Possible options/values specific to slapacl are:

                     authzDN
                     domain
                     peername
                     sasl_ssf
                     sockname
                     sockurl
                     ssf
                     tls_ssf
                     transport_ssf

              See the related fields in slapd.access(5) for details.

       -u     do  not fetch the entry from the database.  In this case, if the
              entry does not exist, a fake entry with the DN given with the -b
              option  is  used,  with  no attributes.  As a consequence, those
              rules that depend on the contents of the target object will  not
              behave as with the real object.  The DN given with the -b option
              is still used to select what rules apply; thus, it  must  be  in
              the naming context of a configured database.  See also -b.

       -U authcID
              specify  an  ID to be mapped to a DN as by means of authz-regexp
              or authz-rewrite rules (see slapd.conf(5) for details); mutually
              exclusive with -D.

       -v     enable verbose mode.

       -X authzID
              specify  an authorization ID to be mapped to a DN as by means of
              authz-regexp  or  authz-rewrite  rules  (see  slapd.conf(5)  for
              details); mutually exclusive with -o authzDN=DN.

EXAMPLES

       The command

            /usr/sbin/slapacl -f /etc/ldap/slapd.conf -v \
                -U bjorn -b "o=University of Michigan,c=US" \
                "o/read:University of Michigan"

       tests  whether  the  user bjorn can access the attribute o of the entry
       o=University of Michigan,c=US at read level.
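
       As an added illustration (not part of this manual page or of OpenLDAP
       Software), the sh functions below run slapacl over a table of expected
       results, so that an ACL change which silently widens access is caught.
       The verdict strings matched in the output, the table format and the
       file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: ACL regression check driven by slapacl.
# ASSUMPTION: for an attr/access argument slapacl prints a line ending in
# ": ALLOWED" or ": DENIED" (on stderr); adjust the patterns if yours differs.
SLAPACL=${SLAPACL:-/usr/sbin/slapacl}          # overridable, e.g. for a stub
SLAPD_CONF=${SLAPD_CONF:-/etc/ldap/slapd.conf}

# acl_verdict AUTHCDN ENTRYDN ATTR/ACCESS
# Prints ALLOWED, DENIED, or ERROR when no verdict is found in the output
# (missing entry, DN outside any naming context, slapacl not runnable).
acl_verdict() {
    out=$("$SLAPACL" -f "$SLAPD_CONF" -D "$1" -b "$2" "$3" 2>&1 </dev/null) || :
    case $out in
        *": ALLOWED"*) echo ALLOWED ;;
        *": DENIED"*)  echo DENIED ;;
        *)             echo ERROR ;;
    esac
}

# check_acl_matrix: read "expected|authcDN|entryDN|attr/access" lines on
# stdin ('|' is the separator because DNs contain commas), report each
# mismatch on stderr, print the mismatch count, return non-zero if any.
# ERROR never equals an expected verdict, so a broken run cannot pass.
check_acl_matrix() {
    mismatches=0
    while IFS='|' read -r expect who entry spec; do
        case $expect in ''|'#'*) continue ;; esac   # skip blanks and comments
        got=$(acl_verdict "$who" "$entry" "$spec")
        if [ "$got" != "$expect" ]; then
            echo "MISMATCH $who -> $entry [$spec]: want $expect, got $got" >&2
            mismatches=$((mismatches + 1))
        fi
    done
    echo "$mismatches"
    [ "$mismatches" -eq 0 ]
}

# Usage (acl-expectations.txt is a hypothetical file name):
#   check_acl_matrix < acl-expectations.txt
```

       Because the check does not use -u, each entry named in the table must
       exist in the database, as described under -b.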

SEE ALSO

       ldap(3), slapd(8), slaptest(8), slapauth(8)

       "OpenLDAP Administrator’s Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS

       OpenLDAP Software is developed and maintained by The  OpenLDAP  Project
       <http://www.openldap.org/>.    OpenLDAP   Software   is   derived  from
       University of Michigan LDAP 3.3 Release.