LDAP Tools

OpenLDAP’s set of LDAP client tools can be used to communicate with any LDAPv3 server (see Table B-6).

Table B-6. Command-line options common to ldapsearch, ldapcompare, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn

Option

Description

-d integer

Specifies what debugging information to log. See the loglevel slapd.conf parameter for a listing of log levels.

-D binddn

Specifies the DN to use for binding to the LDAP server.

-e [!]ctrl[=ctrlparam]

Defines an LDAP control to be used on the current operation. See also the -M option for the manageDSAit control.

-f filename

Specifies the file containing the LDIF entries to be used in the operations.

-H URI

Defines the LDAP URI to be used in the connection request.

-I

Enables the SASL “interactive” mode. By default, the client prompts for information only when necessary.

-k

Enables Kerberos 4 authentication.

-K

Enables only the first step of the Kerberos 4 bind for authentication.

-M, -MM

Enables the Manage DSA IT control. This option is necessary when modifying an entry that is a referral or an alias. -MM requires that the Manage DSA IT control be supported by the server.

-n

Does not perform the search; just displays what would be done.

-O security_properties

Defines the SASL security properties for authentication. See previous information on the sasl-secprops parameter in slapd.conf.

-P [2|3]

Defines which protocol version to use in the connection (Version 2 or 3). The default is LDAP v3.

-Q

Suppresses SASL-related messages such as how the authentication mechanism is used, username, and realm.

-R sasl_realm

Defines the realm to be used by the SASL authentication mechanism.

-U username

Defines the username to be used by the SASL authentication mechanism.

-v

Enables verbose mode.

-w password

Specifies the password to be used for authentication.

-W

Instructs the client to prompt for the password.

-x

Enables simple authentication. The default is to use SASL authentication.

-X id

Defines the SASL authorization identity. The identity has the form dn:dn or u:user. The default is to use the same authorization identity that the user authenticated.

-y passwdfile

Instructs the ldap tool to read the password for a simple bind from the given filename.

-Y sasl_mechanism

Tells the client which SASL mechanism should be used. The bind request will fail if the server does not support the chosen mechanism.

-Z, -ZZ

Issues a StartTLS request. Use of -ZZ makes the support of this request mandatory for a successful connection.

ldapadd(1), ldapmodify(1)

These tools send updates to directory servers (see Table B-7).

Table B-7. ldapadd/ldapmodify options

Option

Description

-a

Adds entries. This option is the default for ldapadd.

-r

Replaces (or modifies) entries and values. This is the default for ldapmodify.

-F

Forces all change records to be used from the input.

ldapcompare(1)

This tool asks a directory server to compare two values:

ldapcompare [options] DN <attr:value|attr::b64value>

There are no additional command-line flags for this tool.

ldapdelete(1)

This tool deletes entries from an LDAP directory (see Table B-8).

Table B-8. ldapdelete [option] DN

Option

Description

-r

Deletes the subtree whose root is designated by DN. The delete is not performed atomically.

ldapmodrdn(1)

This tool changes the RDN of an entry in an LDAP directory (see Table B-9).

Table B-9. ldapmodrdn [options] [dn rdn]

Option

Description

-c

Instructs ldapmodrdn to continue if errors occur. By default, it terminates if there is an error.

-r

Removes the old RDN value. The default behavior is to add another value of the RDN and leave the old value intact. The default behavior makes it easier to modify a directory without leaving orphaned entries.

-s new_superior_node

Defines the new superior, or parent, entry under which the renamed entry should be located.

ldappasswd(1)

This tool changes the password stored in a directory entry (see Table B-10).

Table B-10. ldappasswd [options] [user]

Option

Description

-a secret

The old password value

-A

Prompt for the old password

-s new_secret

The new password value

-S

Prompt for the new password

ldapsearch(1)

This tool issues LDAP search queries to directory servers (see Table B-11).

Table B-11. ldapsearch [options] [filter [attributes...]]

Option

Description

-a [never|always|search|find]

Specifies how to handle aliases when they are located during a search. Possible values include never (default), always, search, or find.

-A

For any entries found, returns the attribute names, but not their values.

-b basedn

Defines the base DN for the directory search.

-F prefix

Defines the URL prefix for filenames. The default is to use the value stored in $LDAP_FILE_URI_PREFIX.

-l limit

Defines a time limit (in seconds) for the server in the search.

-L, -LL, -LLL

Prints the resulting output in LDIF v1 format. -LL causes the result to be printed in LDIF format without comments. -LLL prints the resulting output in LDIF format without comments and without version information.

-s [sub|base|one]

Defines the scope of the search to be base, one, or sub (the default).

-S attribute

Causes the ldapsearch client to sort the results by the value of attribute.

-t, -tt

Writes binary values to files in a temporary directory defined by the -T option. -tt specifies that all values should be written to files in a temporary directory defined by the -T option.

-T directory

Defines the directory used to store the resulting output files. The default is the directory specified by $LDAP_TMPDIR.

-u

Includes user-friendly entry names in the output.

-z limit

Specifies the maximum number of entries to return.
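
An added example (not from the book): a shell wrapper that runs ldapsearch with a simple bind without passing the password through -w, which exposes it in the process list and shell history. It combines the -x, -D, -y, -H, -ZZ, -b and -LLL options from the tables above; the function names, the DRY_RUN variable, and any DNs or hosts passed to it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the book. DNs, URI and file names are placeholders.

# passwdfile_check FILE: prints "ok" or the reason the file is unsafe for -y.
passwdfile_check() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file"; return 1; }
    # Only the owner may read the file (-rw------- or -r--------).
    case $(ls -ld -- "$f" | cut -c1-10) in
        -rw-------|-r--------) ;;
        *) echo "readable by group or others"; return 1 ;;
    esac
    [ -s "$f" ] || { echo "empty"; return 1; }
    # -y uses the complete file contents as the password, so a trailing
    # newline left by echo or an editor becomes part of it and the bind fails.
    [ -n "$(tail -c 1 < "$f")" ] || { echo "trailing newline"; return 1; }
    echo "ok"
}

# ldapsearch_secure URI BINDDN PWFILE BASEDN FILTER [ATTR...]
# Simple bind (-x) as BINDDN with the password read from PWFILE (-y), plain
# LDIF output (-LLL). DRY_RUN=1 prints the command instead of running it.
ldapsearch_secure() {
    uri=$1 binddn=$2 pwfile=$3 basedn=$4 filter=$5
    shift 5
    case $uri in
        ldap://*|ldaps://*) ;;
        *) echo "unsupported URI: $uri" >&2; return 2 ;;
    esac
    reason=$(passwdfile_check "$pwfile") || {
        echo "$pwfile: $reason" >&2; return 3; }
    set -- -x -H "$uri" -D "$binddn" -y "$pwfile" -b "$basedn" -LLL "$filter" "$@"
    # ldap:// starts in cleartext: -ZZ makes StartTLS mandatory, so the bind
    # is never sent unencrypted. ldaps:// is TLS from the first byte.
    case $uri in ldap://*) set -- -ZZ "$@" ;; esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ldapsearch $*"   # display only; quoting is not preserved
    else
        ldapsearch "$@"
    fi
}
```

Create the password file with printf rather than echo so that no newline is appended, and set its mode to 600 before first use.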
