2010-03-08 08:08:40 +03:00
|
|
|
.TH SLAPACL 8C "2009/12/20" "OpenLDAP 2.4.21"
|
|
|
|
|
.\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
|
2008-05-22 17:57:46 +04:00
|
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
2010-03-08 08:08:40 +03:00
|
|
|
.\" OpenLDAP: pkg/ldap/doc/man/man8/slapacl.8,v 1.8.2.11 2009/06/03 01:42:00 quanah Exp
|
2008-05-22 17:57:46 +04:00
|
|
|
.SH NAME
|
|
|
|
|
slapacl \- Check access to a list of attributes.
|
|
|
|
|
.SH SYNOPSIS
|
|
|
|
|
.B /usr/sbin/slapacl
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-b \ DN
|
|
|
|
|
[\c
|
|
|
|
|
.BI \-d \ debug-level\fR]
|
|
|
|
|
[\c
|
|
|
|
|
.BI \-D \ authcDN\ \fR|
|
|
|
|
|
.BI \-U \ authcID\fR]
|
|
|
|
|
[\c
|
|
|
|
|
.BI \-f \ slapd.conf\fR]
|
|
|
|
|
[\c
|
|
|
|
|
.BI \-F \ confdir\fR]
|
|
|
|
|
[\c
|
|
|
|
|
.BI \-o \ option\fR[ = value\fR]]
|
|
|
|
|
[\c
|
|
|
|
|
.BR \-u ]
|
|
|
|
|
[\c
|
|
|
|
|
.BR \-v ]
|
|
|
|
|
[\c
|
|
|
|
|
.BI \-X \ authzID\ \fR|
|
|
|
|
|
.BI "\-o \ authzDN=" DN\fR]
|
|
|
|
|
[\c
|
|
|
|
|
.IR attr [\fB/\fI access ][\fB:\fI value ]]\fR\ [...]
|
2008-05-22 17:57:46 +04:00
|
|
|
.LP
|
|
|
|
|
.SH DESCRIPTION
|
|
|
|
|
.LP
|
2010-03-08 08:08:40 +03:00
|
|
|
.B slapacl
|
|
|
|
|
is used to check the behavior of
|
|
|
|
|
.BR slapd (8)
|
|
|
|
|
by verifying access to directory data according to the access control list
|
|
|
|
|
directives defined in its configuration.
|
|
|
|
|
.
|
2008-05-22 17:57:46 +04:00
|
|
|
It opens the
|
|
|
|
|
.BR slapd.conf (5)
|
2010-03-08 08:08:40 +03:00
|
|
|
configuration file or the
|
|
|
|
|
.BR slapd\-config (5)
|
|
|
|
|
backend, reads in the
|
|
|
|
|
.BR access / olcAccess
|
2008-05-22 17:57:46 +04:00
|
|
|
directives, and then parses the
|
|
|
|
|
.B attr
|
|
|
|
|
list given on the command-line; if none is given, access to the
|
|
|
|
|
.B entry
|
|
|
|
|
pseudo-attribute is tested.
|
|
|
|
|
.LP
|
|
|
|
|
.SH OPTIONS
|
|
|
|
|
.TP
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-b \ DN
|
2008-05-22 17:57:46 +04:00
|
|
|
specify the
|
2010-03-08 08:08:40 +03:00
|
|
|
.I DN
|
2008-05-22 17:57:46 +04:00
|
|
|
which access is requested to; the corresponding entry is fetched
|
|
|
|
|
from the database, and thus it must exist.
|
2010-03-08 08:08:40 +03:00
|
|
|
The
|
|
|
|
|
.I DN
|
|
|
|
|
is also used to determine what rules apply; thus, it must be
|
2008-05-22 17:57:46 +04:00
|
|
|
in the naming context of a configured database. See also
|
|
|
|
|
.BR \-u .
|
|
|
|
|
.TP
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-d \ debug-level
|
2008-05-22 17:57:46 +04:00
|
|
|
enable debugging messages as defined by the specified
|
2010-03-08 08:08:40 +03:00
|
|
|
.IR debug-level ;
|
2008-05-22 17:57:46 +04:00
|
|
|
see
|
|
|
|
|
.BR slapd (8)
|
|
|
|
|
for details.
|
|
|
|
|
.TP
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-D \ authcDN
|
2008-05-22 17:57:46 +04:00
|
|
|
specify a DN to be used as identity through the test session
|
|
|
|
|
when selecting appropriate
|
|
|
|
|
.B <by>
|
|
|
|
|
clauses in access lists.
|
|
|
|
|
.TP
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-f \ slapd.conf
|
2008-05-22 17:57:46 +04:00
|
|
|
specify an alternative
|
|
|
|
|
.BR slapd.conf (5)
|
|
|
|
|
file.
|
|
|
|
|
.TP
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-F \ confdir
|
2008-05-22 17:57:46 +04:00
|
|
|
specify a config directory.
|
|
|
|
|
If both
|
2010-03-08 08:08:40 +03:00
|
|
|
.B \-f
|
2008-05-22 17:57:46 +04:00
|
|
|
and
|
2010-03-08 08:08:40 +03:00
|
|
|
.B \-F
|
2008-05-22 17:57:46 +04:00
|
|
|
are specified, the config file will be read and converted to
|
|
|
|
|
config directory format and written to the specified directory.
|
|
|
|
|
If neither option is specified, an attempt to read the
|
|
|
|
|
default config directory will be made before trying to use the default
|
|
|
|
|
config file. If a valid config directory exists then the
|
|
|
|
|
default config file is ignored.
|
|
|
|
|
.TP
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-o \ option\fR[ = value\fR]
|
2008-05-22 17:57:46 +04:00
|
|
|
Specify an
|
2010-03-08 08:08:40 +03:00
|
|
|
.I option
|
2008-05-22 17:57:46 +04:00
|
|
|
with a(n optional)
|
2010-03-08 08:08:40 +03:00
|
|
|
.IR value .
|
2008-05-22 17:57:46 +04:00
|
|
|
Possible generic options/values are:
|
|
|
|
|
.LP
|
|
|
|
|
.nf
|
|
|
|
|
syslog=<subsystems> (see `\-s' in slapd(8))
|
2010-03-08 08:08:40 +03:00
|
|
|
syslog\-level=<level> (see `\-S' in slapd(8))
|
|
|
|
|
syslog\-user=<user> (see `\-l' in slapd(8))
|
2008-05-22 17:57:46 +04:00
|
|
|
|
|
|
|
|
.fi
|
|
|
|
|
.RS
|
|
|
|
|
Possible options/values specific to
|
|
|
|
|
.B slapacl
|
|
|
|
|
are:
|
|
|
|
|
.RE
|
|
|
|
|
.nf
|
|
|
|
|
|
|
|
|
|
authzDN
|
|
|
|
|
domain
|
|
|
|
|
peername
|
|
|
|
|
sasl_ssf
|
|
|
|
|
sockname
|
|
|
|
|
sockurl
|
|
|
|
|
ssf
|
|
|
|
|
tls_ssf
|
|
|
|
|
transport_ssf
|
|
|
|
|
|
|
|
|
|
.fi
|
|
|
|
|
.RS
|
|
|
|
|
See the related fields in
|
|
|
|
|
.BR slapd.access (5)
|
|
|
|
|
for details.
|
|
|
|
|
.RE
|
|
|
|
|
.TP
|
|
|
|
|
.BI \-u
|
|
|
|
|
do not fetch the entry from the database.
|
2010-03-08 08:08:40 +03:00
|
|
|
In this case, if the entry does not exist, a fake entry with the
|
|
|
|
|
.I DN
|
2008-05-22 17:57:46 +04:00
|
|
|
given with the
|
|
|
|
|
.B \-b
|
|
|
|
|
option is used, with no attributes.
|
|
|
|
|
As a consequence, those rules that depend on the contents
|
|
|
|
|
of the target object will not behave as with the real object.
|
2010-03-08 08:08:40 +03:00
|
|
|
The
|
|
|
|
|
.I DN
|
|
|
|
|
given with the
|
2008-05-22 17:57:46 +04:00
|
|
|
.B \-b
|
|
|
|
|
option is still used to select what rules apply; thus, it must be
|
|
|
|
|
in the naming context of a configured database.
|
|
|
|
|
See also
|
|
|
|
|
.BR \-b .
|
|
|
|
|
.TP
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-U \ authcID
|
2008-05-22 17:57:46 +04:00
|
|
|
specify an ID to be mapped to a
|
|
|
|
|
.B DN
|
|
|
|
|
as by means of
|
2010-03-08 08:08:40 +03:00
|
|
|
.B authz\-regexp
|
2008-05-22 17:57:46 +04:00
|
|
|
or
|
2010-03-08 08:08:40 +03:00
|
|
|
.B authz\-rewrite
|
2008-05-22 17:57:46 +04:00
|
|
|
rules (see
|
|
|
|
|
.BR slapd.conf (5)
|
|
|
|
|
for details); mutually exclusive with
|
|
|
|
|
.BR \-D .
|
|
|
|
|
.TP
|
|
|
|
|
.B \-v
|
|
|
|
|
enable verbose mode.
|
|
|
|
|
.TP
|
2010-03-08 08:08:40 +03:00
|
|
|
.BI \-X \ authzID
|
2008-05-22 17:57:46 +04:00
|
|
|
specify an authorization ID to be mapped to a
|
|
|
|
|
.B DN
|
|
|
|
|
as by means of
|
2010-03-08 08:08:40 +03:00
|
|
|
.B authz\-regexp
|
2008-05-22 17:57:46 +04:00
|
|
|
or
|
2010-03-08 08:08:40 +03:00
|
|
|
.B authz\-rewrite
|
2008-05-22 17:57:46 +04:00
|
|
|
rules (see
|
|
|
|
|
.BR slapd.conf (5)
|
2010-03-08 08:08:40 +03:00
|
|
|
for details); mutually exclusive with \fB\-o\fP \fBauthzDN=\fIDN\fR.
|
2008-05-22 17:57:46 +04:00
|
|
|
.SH EXAMPLES
|
|
|
|
|
The command
|
|
|
|
|
.LP
|
|
|
|
|
.nf
|
|
|
|
|
.ft tt
|
2010-03-08 08:08:40 +03:00
|
|
|
/usr/sbin/slapacl \-f /etc/openldap/slapd.conf \-v \\
|
|
|
|
|
\-U bjorn \-b "o=University of Michigan,c=US" \\
|
2008-05-22 17:57:46 +04:00
|
|
|
"o/read:University of Michigan"
|
|
|
|
|
|
|
|
|
|
.ft
|
|
|
|
|
.fi
|
|
|
|
|
tests whether the user
|
|
|
|
|
.I bjorn
|
|
|
|
|
can access the attribute
|
|
|
|
|
.I o
|
|
|
|
|
of the entry
|
|
|
|
|
.I o=University of Michigan,c=US
|
|
|
|
|
at
|
|
|
|
|
.I read
|
|
|
|
|
level.
|
|
|
|
|
.SH "SEE ALSO"
|
|
|
|
|
.BR ldap (3),
|
2010-03-08 08:08:40 +03:00
|
|
|
.BR slapd (8),
|
|
|
|
|
.BR slaptest (8),
|
2008-05-22 17:57:46 +04:00
|
|
|
.BR slapauth (8)
|
|
|
|
|
.LP
|
|
|
|
|
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
|
|
|
|
|
.SH ACKNOWLEDGEMENTS
|
|
|
|
|
.\" Shared Project Acknowledgement Text
|
|
|
|
|
.B "OpenLDAP Software"
|
|
|
|
|
is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>.
|
|
|
|
|
.B "OpenLDAP Software"
|
|
|
|
|
is derived from University of Michigan LDAP 3.3 Release.
|
