ACL Utility Design


This tool lets the user find out the effect of an ACI on Directory Server entries. It shows either the DNs of the entries that the ACI matches or the number of such entries.

Use Cases

Use Case 1:

Use Case 2:

Use Case 3:


This tool is implemented as a command line utility. It performs a search operation on the directory server to find the entries (or the count of entries) to which the given ACI applies. The syntax of this tool is:

aclutil [-h ldaphost] [-p ldapport] -D <binddn> -w <binddnpw> -a "aci_name" | -v "aci_value" [-b basedn] [-t[-n][-x]]

-b basedn: If basedn is given, entries under the basedn are matched; otherwise, everything is matched.

-a "aci_name": The tool looks up the ACI with this name, determines its target DN and target attributes, and returns the entries that match that target. If no ACI with that name exists, the tool reports it.

-v "aci_value": aci_value allows the user to specify the complete ACI value. It may or may not be present in the directory server. This ACI value is then used to perform the search in the directory server.

-t: (targetdn) returns the DN of the entries that match the given aci’s target entries. If the target contains wildcards and/or macros, they are evaluated and matched DNs are returned.

-tn: only the count of the DNs is returned.

-tx: (target attribute) returns the matched DNs and attributes based on the given aci.

-tnx: count of the DNs as well as count of attributes is returned.
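
A simplified model of the matching these options describe, as an added example that is not the tool's own code: it parses the target and targetattr out of an ACI value, matches them against a constructed in-memory set of entries, and yields the results behind -t, -tx, -tn and -tnx. Assumptions: the function names and sample entries are hypothetical, macros and escaped commas in DNs are not handled, and an ACI with no targetattr is treated as covering no attributes.

```python
import re

# Constructed sample directory: DN -> attribute names present on the entry.
ENTRIES = {
    "dc=example,dc=com": ["dc", "objectclass"],
    "ou=People,dc=example,dc=com": ["ou", "objectclass"],
    "uid=alice,ou=People,dc=example,dc=com": ["uid", "cn", "sn", "userpassword"],
    "uid=bob,ou=People,dc=example,dc=com": ["uid", "cn", "mail"],
    "cn=admins,ou=Groups,dc=example,dc=com": ["cn", "member"],
}

def norm(dn):
    # Simplified DN normalization: lower-case, no spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_aci(aci_value):
    """Return (target DN pattern or None, list of targeted attribute names)."""
    target = re.search(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', aci_value, re.I)
    attrs = re.search(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', aci_value, re.I)
    # Model assumption: a missing targetattr means no attributes are reported.
    names = [a.strip().lower() for a in attrs.group(1).split("||")] if attrs else []
    return (norm(target.group(1)) if target else None), names

def dn_matches(dn, target):
    if target is None:      # model assumption: no target keyword matches everything
        return True
    if "*" in target:       # wildcard target: '*' stands for any run of characters
        pattern = ".*".join(re.escape(p) for p in target.split("*"))
        return re.fullmatch(pattern, dn) is not None
    return dn == target or dn.endswith("," + target)   # the entry or its subtree

def evaluate(aci_value, entries, basedn=None):
    """-tx style result: {matched DN: [attributes the ACI covers on that entry]}."""
    target, names = parse_aci(aci_value)
    base = norm(basedn) if basedn else None
    matched = {}
    for dn, present in entries.items():
        ndn = norm(dn)
        if base and not (ndn == base or ndn.endswith("," + base)):
            continue        # -b: only entries at or under basedn are considered
        if dn_matches(ndn, target):
            matched[dn] = [a for a in present if "*" in names or a.lower() in names]
    return matched

def counts(matched):
    """-tnx style result: (number of matched DNs, total matched attributes)."""
    return len(matched), sum(len(a) for a in matched.values())
```

The keys of the dictionary returned by evaluate() correspond to the -t output, and the first element of counts() to -tn.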


No additional requirements

Major configuration options and enablement

None required


No impact

Updates and Upgrades

No impact


Depends on the presence of the LDAPsearch client library.

External Impact

No external impact

Last modified on 7 August 2014