The validate-acis tool can process data contained in an LDIF file. It will ignore all attributes except aci, and will ignore all entries that do not contain the aci attribute, so any existing LDIF file that contains access control rules may be used.

  1. Run the bin/validate-acis tool (UNIX or Linux systems) or bat\validate-acis (Windows systems), specifying the input file and the output file. If the output file already exists, its existing contents are overwritten. If no output file is specified, the results are written to standard output.
    $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif
    # Processing complete
    # Total entries examined: 1
    # Entries found with ACIs: 1 
    # Total ACI values found: 3 
    # Malformed ACI values found: 0 
    # Other processing errors encountered: 0
  2. Review the results by opening the output file. For example, the validated-acis.ldif file that was generated in the previous step reads as follows:
    # The following access control rule is valid 
    dn: dc=example,dc=com 
    aci: (targetattr!="userPassword")
      (version 3.0; acl "Allow anonymous read access for anyone"; 
        allow (read,search,compare) userdn="ldap:///anyone";)
    
    # The following access control rule is valid 
    dn: dc=example,dc=com 
    aci: (targetattr="*")
      (version 3.0; acl "Allow users to update their own entries"; 
        allow (write) userdn="ldap:///self";)
    
    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*")
      (version 3.0; acl "Grant full access for the admin user"; 
        allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
  3. If the input file has any malformed ACIs, the generated output file shows what was entered incorrectly. For example, remove the quotation marks around userPassword in the original test-acis.ldif file and re-run the command. The following command uses the --onlyReportErrors option so that error messages are written to the output file only when malformed ACI syntax is encountered.
    $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif \
      --onlyReportErrors
    # Processing complete 
    # Total entries examined: 1 
    # Entries found with ACIs: 1 
    # Total ACI values found: 3 
    # Malformed ACI values found: 0 
    # Other processing errors encountered: 0
    The output file shows the following message:
    # The following access control rule is malformed or contains an unsupported 
    # syntax: The provided string '(targetattr!=userPassword)(version 3.0; acl 
    # "Allow anonymous read access for anyone"; allow (read,search,compare) 
    # userdn="ldap:///anyone";)' could not be parsed as a valid Access Control 
    # Instruction (ACI) because it failed general ACI syntax evaluation
    dn: dc=example,dc=com 
    aci: (targetattr!=userPassword)
      (version 3.0; acl "Allow anonymous read access for anyone"; 
        allow (read,search,compare) userdn="ldap:///anyone";)
    
    # The following access control rule is valid 
    dn: dc=example,dc=com 
    aci: (targetattr="*")
      (version 3.0; acl "Allow users to update their own entries"; 
        allow (write) userdn="ldap:///self";)
    
    # The following access control rule is valid 
    dn: dc=example,dc=com 
    aci: (targetattr="*")
      (version 3.0; acl "Grant full access for the admin user"; 
        allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
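As an added illustration of the checks this procedure relies on (example code written for this page, not the validate-acis tool's own implementation), the following Python script unfolds an LDIF file, extracts only its aci values as the tool does, and flags the same unquoted targetattr defect that step 3 introduces. The embedded LDIF sample is constructed, and the regular expressions are a deliberately simplified approximation of the full ACI grammar.

```python
import re

# Constructed sample (not tool output): the valid anonymous-read ACI, then the broken one.
SAMPLE_LDIF = """dn: dc=example,dc=com
aci: (targetattr!="userPassword")
  (version 3.0; acl "Allow anonymous read access for anyone";
    allow (read,search,compare) userdn="ldap:///anyone";)

dn: dc=example,dc=com
aci: (targetattr!=userPassword)
  (version 3.0; acl "Allow anonymous read access for anyone";
    allow (read,search,compare) userdn="ldap:///anyone";)
"""

# Simplified grammar: quoted target clauses, then a version 3.0 body with allow/deny rules.
TARGETS_RE = re.compile(r'(?:\(\s*target\w*\s*!?=\s*"[^"]*"\s*\)\s*)*')
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"[^"]*"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'\b(allow|deny)\s*\([a-z,\s]+\)\s+\w+\s*!?=\s*"[^"]*"\s*;')

def aci_values(text):
    """Yield (dn, aci) pairs; other attributes are ignored, as validate-acis does."""
    lines = []
    for raw in text.splitlines():         # unfold RFC 2849 continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop exactly one leading space
        else:
            lines.append(raw)
    dn = None
    for line in lines:
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("aci:"):
            yield dn, line[4:].strip()

def check_aci(aci):
    """Return a list of syntax problems; an empty list means the ACI passed."""
    problems = []
    if aci.count("(") != aci.count(")"):
        problems.append("unbalanced parentheses")
    rest = aci[TARGETS_RE.match(aci).end():]   # skip well-formed target clauses
    if rest.startswith("(target"):             # a target that did not match: unquoted value
        return problems + ["target value must be a double-quoted string"]
    body = BODY_RE.match(rest)
    if not body:
        problems.append('missing (version 3.0; acl "..."; ...) body')
    elif not RULE_RE.search(body.group(1)):
        problems.append("no allow/deny permission with a bind rule found")
    return problems
```

Running `[(dn, check_aci(aci)) for dn, aci in aci_values(SAMPLE_LDIF)]` reports an empty problem list for the first rule and the unquoted-target problem for the second, matching the tool's report in step 3.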