Use the validate-acis tool to process data contained in an LDIF file. The validate-acis tool ignores all attributes except aci and ignores all entries that do not contain the aci attribute. You can use any existing LDIF file that contains access control rules.
- Run the validate-acis tool and specify the input file and output file.
  - UNIX or Linux: bin/validate-acis
  - Windows: bat\validate-acis
  If the output file already exists, the existing file contents are re-written. If no output file is specified, the results are written to standard output.

  $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif
  # Processing complete
  # Total entries examined: 1
  # Entries found with ACIs: 1
  # Total ACI values found: 3
  # Malformed ACI values found: 0
  # Other processing errors encountered: 0
- Open the output file and review the results.
  For example, the validated-acis.ldif file generated in the previous step reads as follows.

  # The following access control rule is valid
  dn: dc=example,dc=com
  aci: (targetattr!="userPassword") (version 3.0; acl "Allow anonymous read access for anyone"; allow (read,search,compare) userdn="ldap:///anyone";)

  # The following access control rule is valid
  dn: dc=example,dc=com
  aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) userdn="ldap:///self";)

  # The following access control rule is valid
  dn: dc=example,dc=com
  aci: (targetattr="*") (version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
  If the input file has any malformed access control instructions (ACIs), then the generated output file will show what was incorrectly entered. For example, if userPassword in the test-acis.ldif file does not have quotation marks around it, the output file reports an error. The following command uses the --onlyReportErrors option to write any error messages to the output file only if a malformed ACI syntax is encountered.

  $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif \
    --onlyReportErrors
  # Processing complete
  # Total entries examined: 1
  # Entries found with ACIs: 1
  # Total ACI values found: 3
  # Malformed ACI values found: 1
  # Other processing errors encountered: 0
  The output file shows the following message.

  # The following access control rule is malformed or contains an unsupported
  # syntax: The provided string '(targetattr!=userPassword)(version 3.0; acl
  # "Allow anonymous read access for anyone"; allow (read,search,compare)
  # userdn="ldap:///anyone";)' could not be parsed as a valid Access Control
  # Instruction (ACI) because it failed general ACI syntax evaluation
  dn: dc=example,dc=com
  aci: (targetattr!=userPassword) (version 3.0; acl "Allow anonymous read access for anyone"; allow (read,search,compare) userdn="ldap:///anyone";)

  # The following access control rule is valid
  dn: dc=example,dc=com
  aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) userdn="ldap:///self";)

  # The following access control rule is valid
  dn: dc=example,dc=com
  aci: (targetattr="*") (version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
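As an added example, not the validate-acis tool's own code and not taken from this page's product, the following Python script shows what the procedure above does in outline: it reads an LDIF file (handling folded continuation lines and base64 `::` values), collects every aci value, checks each against a simplified subset of the ACI version 3.0 syntax, and renders a report in the same comment-plus-LDIF shape as the output file. The sample LDIF, the keyword lists, the counter names and the error wording are constructed for this example; the unquoted userPassword case from the page is included so you can see exactly where it fails (the target clause is not consumed because its value is unquoted, so the parser never reaches a `(version 3.0; ...)` body). Because only a subset of the grammar is checked, treat it as a pre-commit sanity check, not a replacement for validate-acis.

```python
import base64
import re

# Constructed sample LDIF for this example (not the page's test-acis.ldif). The second
# aci omits the quotes around userPassword, the malformation the page describes; the
# third is folded across two lines as LDIF allows.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
aci: (targetattr!="userPassword")(version 3.0; acl "Allow anonymous read access for anyone"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr!=userPassword)(version 3.0; acl "Allow anonymous read access for anyone"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Allow users to update their own entries";
  allow (write) userdn="ldap:///self";)

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
"""

# Illustrative subset of the ACI version 3.0 grammar (quoted target clauses, the
# version/acl body, allow/deny rules with a bind rule); not the server's own parser.
TARGET_KEYWORDS = "targetattr|targetfilter|targetscope|targattrfilters|targetcontrol|extop|target"
BIND_KEYWORDS = "userdn|groupdn|roledn|userattr|ip|dns|authmethod|dayofweek|timeofday|ssf"
RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite",
          "proxy", "import", "export", "all"}
TARGET_RE = re.compile(r'\(\s*(%s)\s*!?=\s*"[^"]*"\s*\)\s*' % TARGET_KEYWORDS, re.I)
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"[^"]*"\s*;\s*(?P<rules>.*)\)\s*$', re.I | re.S)
RULE_RE = re.compile(r'\s*(allow|deny)\s*\(\s*(?P<rights>[a-z,\s]+)\)\s*(?P<bind>[^;]+);', re.I)
BIND_RE = re.compile(r'(%s)\s*(!?=|[<>]=?)\s*"[^"]*"' % BIND_KEYWORDS, re.I)


def check_aci(value):
    """Return (True, "") for a well-formed ACI, else (False, reason)."""
    rest = value.strip()
    while True:                          # consume zero or more quoted target clauses
        m = TARGET_RE.match(rest)
        if not m:
            break
        rest = rest[m.end():]
    body = BODY_RE.match(rest)
    if not body:                         # an unquoted targetattr value ends up here
        return False, "expected (version 3.0; acl \"name\"; ...) at: " + rest[:40]
    rules, pos, count = body.group("rules").strip(), 0, 0
    while pos < len(rules):
        m = RULE_RE.match(rules, pos)
        if not m:
            return False, "unparseable permission rule at: " + rules[pos:pos + 40]
        unknown = {r.strip().lower() for r in m.group("rights").split(",")} - RIGHTS
        if unknown:
            return False, "unknown right(s): " + ", ".join(sorted(unknown))
        if not BIND_RE.search(m.group("bind")):
            return False, "no recognised bind rule in: " + m.group("bind").strip()
        pos, count = m.end(), count + 1
    return (True, "") if count else (False, "no allow/deny rule")


def parse_ldif(text):
    """Return [(dn, [aci, ...])] per entry; folds continuation lines, decodes '::' values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]     # LDIF folding: drop the leading space, append
            elif raw.strip() and not raw.startswith("#"):
                lines.append(raw)
        dn, acis = None, []
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):    # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            name, value = name.strip().lower(), value.strip()
            if name == "dn" and dn is None:
                dn = value
            elif name == "aci":
                acis.append(value)
        if dn is not None:
            entries.append((dn, acis))
    return entries


def validate_ldif(text):
    """Check every aci value; return (counters in the style the tool prints, per-ACI results)."""
    entries = parse_ldif(text)
    results = [(dn, aci) + check_aci(aci) for dn, acis in entries for aci in acis]
    summary = {"entries_examined": len(entries),
               "entries_with_acis": sum(1 for _, a in entries if a),
               "aci_values": len(results),
               "malformed": sum(1 for r in results if not r[2])}
    return summary, results


def report(summary, results):
    """Render results in the comment-plus-LDIF shape of the tool's output file."""
    out = []
    for dn, aci, ok, reason in results:
        out.append("# The following access control rule is valid" if ok
                   else "# The following access control rule is malformed: " + reason)
        out += ["dn: " + dn, "aci: " + aci, ""]
    out += ["# %s: %d" % kv for kv in summary.items()]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(*validate_ldif(SAMPLE_LDIF)))
```

Running the script prints three rule blocks followed by the counters; the second block is reported as malformed with the reason pointing at `(targetattr!=userPassword)`, which is the same rule validate-acis rejects above. Swap `SAMPLE_LDIF` for the contents of your own LDIF file to run the check over real rules.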