|
|
This manual page is for Mac OS X version 10.6.3If you are running a different version of Mac OS X, view the documentation locally:
Reading manual pagesManual pages are intended as a quick reference for people who already understand a technology.
|
SLAPACL(8C) SLAPACL(8C)
NAME
slapacl - Check access to a list of attributes.
SYNOPSIS
/usr/sbin/slapacl -b DN [-d level] [-D authcDN | -U authcID] [-f slapd.conf] [-F confdir] [-o
name[=value]] [-u] [-v] [-X authzID | -o authzDN=DN] [attr[/access][:value]] [...]
DESCRIPTION
Slapacl is used to check the behavior of the slapd in verifying access to data according to ACLs, as
specified in slapd.access(5). It opens the slapd.conf(5) configuration file, reads in the access
directives, and then parses the attr list given on the command-line; if none is given, access to the
entry pseudo-attribute is tested.
OPTIONS
-b DN specify the DN which access is requested to; the corresponding entry is fetched from the data-base, database,
base, and thus it must exist. The DN is also used to determine what rules apply; thus, it
must be in the naming context of a configured database. See also -u.
-d level
enable debugging messages as defined by the specified level; see slapd(8) for details.
-D authcDN
specify a DN to be used as identity through the test session when selecting appropriate <by>
clauses in access lists.
-f slapd.conf
specify an alternative slapd.conf(5) file.
-F confdir
specify a config directory. If both -f and -F are specified, the config file will be read and
converted to config directory format and written to the specified directory. If neither
option is specified, an attempt to read the default config directory will be made before try-ing trying
ing to use the default config file. If a valid config directory exists then the default config
file is ignored.
-o option[=value]
Specify an option with a(n optional) value. Possible generic options/values are:
syslog=<subsystems> (see `-s' in slapd(8))
syslog-level=<level> (see `-S' in slapd(8))
syslog-user=<user> (see `-l' in slapd(8))
Possible options/values specific to slapacl are:
authzDN
domain
peername
sasl_ssf
sockname
sockurl
ssf
tls_ssf
transport_ssf
See the related fields in slapd.access(5) for details.
-u do not fetch the entry from the database. In this case, if the entry does not exist, a fake
entry with the DN given with the -b option is used, with no attributes. As a consequence,
those rules that depend on the contents of the target object will not behave as with the real
object. The DN given with the -b option is still used to select what rules apply; thus, it
must be in the naming context of a configured database. See also -b.
-U authcID
specify an ID to be mapped to a DN as by means of authz-regexp or authz-rewrite rules (see
slapd.conf(5) for details); mutually exclusive with -D.
-v enable verbose mode.
-X authzID
specify an authorization ID to be mapped to a DN as by means of authz-regexp or authz-rewrite
rules (see slapd.conf(5) for details); mutually exclusive with -o authzDN=DN.
EXAMPLES
The command
/usr/sbin/slapacl -f //etc/openldap/slapd.conf -v \
-U bjorn -b "o=University of Michigan,c=US" \
"o/read:University of Michigan"
tests whether the user bjorn can access the attribute o of the entry o=University of Michigan,c=US at
read level.
SEE ALSO
ldap(3), slapd(8) slaptest(8) slapauth(8)
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
ACKNOWLEDGEMENTS
OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>.
OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.
OpenLDAP 2.4.11 2008/07/16 SLAPACL(8C)
|
The way to report a problem with this manual page depends on the type of problem: