logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

slapacl - Check access to a list of attributes.

Contents

Acknowledgements

OpenLDAPSoftware  is  developed  and  maintained  by  The  OpenLDAP Project <http://www.openldap.org/>.
       OpenLDAPSoftware is derived from the University of Michigan LDAP 3.3 Release.

OpenLDAP 2.6.10+dfsg-1ubuntu1                      2025/05/22                                         SLAPACL(8)

Description

slapacl is used to check the behavior of slapd(8) by verifying access to directory data according to  the
       access  control  list  directives defined in its configuration.  It opens the slapd.conf(5) configuration
       file or the slapd-config(5) backend, reads in the access/olcAccess directives, and then parses  the  attr
       list given on the command-line; if none is given, access to the entry pseudo-attribute is tested.

Examples

       The command

            /usr/sbin/slapacl -f /etc/ldap/slapd.conf -v \
                   -U bjorn -b "o=University of Michigan,c=US" \
                "o/read:University of Michigan"

       tests whether the user bjorn can access the attribute o of the entry  o=UniversityofMichigan,c=US  at
       read level.

Name

       slapacl - Check access to a list of attributes.

Options

-bDN  specify the DN which access is requested to; the corresponding entry is fetched from the database,
              and  thus  it  must exist.  The DN is also used to determine what rules apply; thus, it must be in
              the naming context of a configured database. By default, the  first  database  that  supports  the
              requested operation is used.  See also -u.

       -ddebug-level
              enable debugging messages as defined by the specified debug-level; see slapd(8) for details.

       -DauthcDN
              specify  a  DN  to  be  used  as identity through the test session when selecting appropriate <by>
              clauses in access lists.

       -fslapd.conf
              specify an alternative slapd.conf(5) file.

       -Fconfdir
              specify a config directory.  If both -f and -F are specified, the config file  will  be  read  and
              converted to config directory format and written to the specified directory.  If neither option is
              specified,  an  attempt to read the default config directory will be made before trying to use the
              default config file. If a valid config directory exists then the default config file is ignored.

       -ooption[=value]
              Specify an option with a(n optional) value.  Possible generic options/values are:

                     syslog=<subsystems>  (see `-s' in slapd(8))
                     syslog-level=<level> (see `-S' in slapd(8))
                     syslog-user=<user>   (see `-l' in slapd(8))

              Possible options/values specific to slapacl are:

                     authzDN
                     domain
                     peername
                     sasl_ssf
                     sockname
                     sockurl
                     ssf
                     tls_ssf
                     transport_ssf

              See the related fields in slapd.access(5) for details.

       -u     enable dry-run mode. Do not fetch any entries from the database.  In this case, a fake entry  with
              the  DN  given with the -b option is used, with no attributes.  As a consequence, those rules that
              depend on the contents of the target object or any other database objects will not behave as  with
              the  real object.  The DN given with the -b option is still used to select what rules apply; thus,
              it must be in the naming context of a configured database.  See also -b.

       -UauthcID
              specify an ID to be mapped to a DN as  by  means  of  authz-regexp  or  authz-rewrite  rules  (see
              slapd.conf(5) for details); mutually exclusive with -D.

       -v     enable verbose mode.

       -XauthzID
              specify  an  authorization  ID  to  be mapped to a DN as by means of authz-regexp or authz-rewrite
              rules (see slapd.conf(5) for details); mutually exclusive with -oauthzDN=DN.

See Also

ldap(3), slapd(8), slaptest(8), slapauth(8)

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

Synopsis

/usr/sbin/slapacl-bDN   [-ddebug-level]   [-DauthcDN |   -UauthcID]  [-fslapd.conf]  [-Fconfdir]
       [-ooption[=value]] [-u] [-v] [-XauthzID | -oauthzDN=DN] [attr[/access][:value]] [...]
return

See Also

← View System admin Category← Back to Network service daemons🙏  Credits & Acknowledgments