SLAPACL(8C)							   SLAPACL(8C)

NAME
       slapacl - Check access to a list	of attributes.

SYNOPSIS
       /usr/local/sbin/slapacl -b DN [-d debug-level] [-D authcDN | -U authcID]
       [-f slapd.conf] [-F confdir] [-o option[=value]] [-u] [-v]
       [-X authzID | -o authzDN=DN] [attr[/access][:value]] [...]

DESCRIPTION
       slapacl is used to check the behavior of slapd(8) by verifying access
       to directory data according to the access control list directives
       defined in its configuration.  It opens the slapd.conf(5) configuration
       file or the slapd-config(5) backend, reads in the access/olcAccess
       directives, and then parses the attr list given on the command-line; if
       none is given, access to the entry pseudo-attribute is tested.

OPTIONS
       -b DN  specify the DN to which access is requested; the corresponding
	      entry is fetched from the	database, and thus it must exist.  The
	      DN is also used to determine what	rules apply; thus, it must  be
	      in  the naming context of	a configured database. By default, the
	      first database that supports the requested  operation  is	 used.
	      See also -u.

       -d debug-level
	      enable  debugging	 messages  as  defined by the specified	debug-
	      level; see slapd(8) for details.

       -D authcDN
	      specify a	DN to be used as identity  through  the	 test  session
	      when selecting appropriate <by> clauses in access	lists.

       -f slapd.conf
	      specify an alternative slapd.conf(5) file.

       -F confdir
	      specify a config directory.  If both -f and -F are specified,
	      the config file will be read and converted to config directory
	      format and written to the specified directory.  If neither
	      option is specified, an attempt to read the default config
	      directory will be made before trying to use the default config
	      file.  If a valid config directory exists then the default
	      config file is ignored.

       -o option[=value]
	      Specify  an  option  with	a(n optional) value.  Possible generic
	      options/values are:

		     syslog=<subsystems>  (see `-s' in slapd(8))
		     syslog-level=<level> (see `-S' in slapd(8))
		     syslog-user=<user>	  (see `-l' in slapd(8))

	      Possible options/values specific to slapacl are:

		     authzDN
		     domain
		     peername
		     sasl_ssf
		     sockname
		     sockurl
		     ssf
		     tls_ssf
		     transport_ssf

	      See the related fields in	slapd.access(5)	for details.

       -u     enable dry-run mode. Do not fetch any entries from the database.
	      In this case, a fake entry with the DN given with the -b option
	      is used, with no attributes.  As a consequence, those rules that
	      depend on the contents of the target object or any other
	      database objects will not behave as with the real object.  The
	      DN given with the -b option is still used to select what rules
	      apply; thus, it must be in the naming context of a configured
	      database.  See also -b.

       -U authcID
	      specify  an  ID to be mapped to a	DN as by means of authz-regexp
	      or authz-rewrite rules (see slapd.conf(5)	for details); mutually
	      exclusive	with -D.

       -v     enable verbose mode.

       -X authzID
	      specify an authorization ID to be mapped to a DN as by means of
	      authz-regexp or authz-rewrite rules (see slapd.conf(5) for
	      details); mutually exclusive with -o authzDN=DN.

EXAMPLES
       The command

	    /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -v \
		   -U bjorn -b "o=University of Michigan,c=US" \
		"o/read:University of Michigan"

       tests whether the user bjorn can access the attribute o of the entry
       o=University of Michigan,c=US at read level.
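
       The same kind of check can be scripted as an ACL regression test that
       runs before a configuration change is deployed.  The script below is an
       added example, not part of the OpenLDAP distribution; check_acl and
       run_acl_checks are hypothetical names, and it assumes slapacl reports
       each attr/access test on a line ending in ": ALLOWED" or ": DENIED",
       which this page does not state.

```shell
#!/bin/sh
# ACL regression check around slapacl. Paths follow the man page; override via env.
SLAPACL=${SLAPACL:-/usr/local/sbin/slapacl}
SLAPD_CONF=${SLAPD_CONF:-/usr/local/etc/openldap/slapd.conf}

# check_acl EXPECT AUTHCDN TARGETDN ATTR/ACCESS [extra slapacl options...]
# EXPECT is ALLOWED or DENIED.
# Returns 0 = verdict matches, 1 = verdict differs, 2 = no verdict (slapacl error).
check_acl() {
    expect=$1; who=$2; target=$3; spec=$4
    shift 4
    # -u (dry-run) keeps the check off the database; rules that depend on entry
    # contents will not behave as with the real object, so drop -u for those.
    # ASSUMPTION: the verdict line ends in ": ALLOWED" or ": DENIED".
    out=$("$SLAPACL" -f "$SLAPD_CONF" -u -D "$who" -b "$target" "$@" "$spec" \
          2>&1 </dev/null) || true
    case $out in
        *": $expect"*) return 0 ;;
        *": ALLOWED"*|*": DENIED"*)
            echo "ACL MISMATCH: $who -> $target $spec (expected $expect)" >&2
            return 1 ;;
        *)
            echo "slapacl error for $who -> $target $spec: $out" >&2
            return 2 ;;
    esac
}

# run_acl_checks reads "EXPECT|AUTHCDN|TARGETDN|ATTR/ACCESS" lines from stdin
# ('|' is the separator because DNs contain commas and spaces) and returns 0
# only if every line matches. Blank lines and lines starting with '#' are skipped.
run_acl_checks() {
    failures=0
    while IFS='|' read -r expect who target spec; do
        case $expect in ''|'#'*) continue ;; esac
        check_acl "$expect" "$who" "$target" "$spec" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}
```

       Options listed under -o, such as tls_ssf, can be passed as trailing
       arguments to check_acl to test rules that depend on the connection's
       security strength.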

SEE ALSO
       ldap(3),	slapd(8), slaptest(8), slapauth(8)

       "OpenLDAP Administrator's Guide"	(http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.

OpenLDAP 2.6.10			  2025/05/22			   SLAPACL(8C)