B.3 LDAP Tools
OpenLDAP's set of LDAP client tools can be used to communicate with any LDAPv3 server (see Table B-6).
Table B-6. Command-line options common to ldapsearch, ldapcompare, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn

| Option | Description |
|---|---|
| -d integer | Specifies what debugging information to log. See the loglevel slapd.conf parameter for a listing of log levels. |
| -D binddn | Specifies the DN to use for binding to the LDAP server. |
| -e [!]ctrl[=ctrlparam] | Defines an LDAP control to be used on the current operation. See also the -M option for the manageDSAit control. |
| -f filename | Specifies the file containing the LDIF entries to be used in the operations. |
| -H URI | Defines the LDAP URI to be used in the connection request. |
| -I | Enables the SASL "interactive" mode. By default, the client prompts for information only when necessary. |
| -k | Enables Kerberos 4 authentication. |
| -K | Enables only the first step of the Kerberos 4 bind for authentication. |
| -M, -MM | Enable the Manager DSA IT control. This option is necessary when modifying an entry that is a referral or an alias. -MM requires that the Manager DSA IT control be supported by the server. |
| -n | Does not perform the search; just displays what would be done. |
| -O security_properties | Defines the SASL security properties for authentication. See previous information on the sasl-secprops parameter in slapd.conf. |
| -P [2\|3] | Defines which protocol version to use in the connection (Version 2 or 3). The default is LDAP v3. |
| -Q | Suppresses SASL-related messages such as how the authentication mechanism is used, username, and realm. |
| -R sasl_realm | Defines the realm to be used by the SASL authentication mechanism. |
| -U username | Defines the username to be used by the SASL authentication mechanism. |
| -v | Enables verbose mode. |
| -w password | Specifies the password to be used for authentication. |
| -W | Instructs the client to prompt for the password. |
| -x | Enables simple authentication. The default is to use SASL authentication. |
| -X id | Defines the SASL authorization identity. The identity has the form dn:dn or u:user. The default is to use the same authorization identity that the user authenticated. |
| -y passwdfile | Instructs the ldap tool to read the password for a simple bind from the given filename. |
| -Y sasl_mechanism | Tells the client which SASL mechanism should be used. The bind request will fail if the server does not support the chosen mechanism. |
| -Z, -ZZ | Issue a StartTLS request. Use of -ZZ makes the support of this request mandatory for a successful connection. |
B.3.1 ldapadd(1), ldapmodify(1)
These tools send updates to directory servers (see Table B-7).

Table B-7. ldapadd/ldapmodify options

| Option | Description |
|---|---|
| -a | Adds entries. This option is the default for ldapadd. |
| -r | Replaces (or modifies) entries and values. This is the default for ldapmodify. |
| -F | Forces all change records to be used from the input. |
B.3.2 ldapcompare(1)
This tool asks a directory server to compare two values: ldapcompare [options] DN <attr:value|attr::b64value>. There are no additional command-line flags for this tool.
B.3.3 ldapdelete(1)
This tool deletes entries from an LDAP directory (see Table B-8).

Table B-8. ldapdelete [option] DN

| Option | Description |
|---|---|
| -r | Deletes the subtree whose root is designated by DN. The delete is not performed atomically. |
B.3.4 ldapmodrdn(1)
This tool changes the RDN of an entry in an LDAP directory (see Table B-9).

Table B-9. ldapmodrdn [options] [dn rdn]

| Option | Description |
|---|---|
| -c | Instructs ldapmodrdn to continue if errors occur. By default, it terminates if there is an error. |
| -r | Removes the old RDN value. The default behavior is to add another value of the RDN and leave the old value intact. The default behavior makes it easier to modify a directory without leaving orphaned entries. |
| -s new_superior_node | Defines the new superior, or parent, entry under which the renamed entry should be located. |
B.3.5 ldappasswd(1)
This tool changes the password stored in a directory entry (see Table B-10).

Table B-10. ldappasswd [options] [user]

| Option | Description |
|---|---|
| -a secret | The old password value |
| -A | Prompt for the old password |
| -s new_secret | The new password value |
| -S | Prompt for the new password |
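
The options in Tables B-6 and B-10 differ in how they expose credentials: a password given inline (-w, or -a/-s for ldappasswd) is visible in the process list and shell history, and a simple bind (-x) without mandatory StartTLS (-ZZ) sends the bind password unencrypted. The following shell function is an added example, not part of the original text or of OpenLDAP, that checks one client command line for these choices; the name audit_ldap_cmd, the finding labels, and the sample host and DNs are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit_ldap_cmd is a hypothetical helper, not an OpenLDAP tool.
# Assumes options are written separately, as in the tables (no -xW clusters).
audit_ldap_cmd() {
    simple=0 tls=0 pw=0 v2=0 k4=0 findings=""
    set -f; set -- $1; set +f                 # word-split without globbing
    tool=${1##*/}
    case "$tool" in
        ldapsearch|ldapcompare|ldapadd|ldapdelete|ldapmodify|ldapmodrdn|ldappasswd) shift ;;
        *) echo "not-an-ldap-tool"; return 0 ;;
    esac
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case "$opt" in
            -x)    simple=1 ;;
            -Z)    if [ "$tls" -eq 0 ]; then tls=1; fi ;;   # StartTLS, failure tolerated
            -ZZ)   tls=2 ;;                                 # StartTLS required
            -H)    # assumption: ldaps:// and the local ldapi:// socket count as protected
                   case "${1:-}" in ldaps://*|ldapi://*) tls=2 ;; esac ;;
            -w?*)  pw=1 ;;                                  # attached form, e.g. -wsecret
            -w)    pw=1; if [ $# -gt 0 ]; then shift; fi ;; # skip the password itself
            -a|-s) # secrets only in ldappasswd; alias, scope or superior elsewhere
                   if [ "$tool" = ldappasswd ]; then pw=1; fi ;;
            -P)    if [ "${1:-}" = 2 ]; then v2=1; fi ;;
            -k|-K) k4=1 ;;
        esac
    done
    if [ "$pw" -eq 1 ]; then findings="$findings inline-password"; fi
    if [ "$v2" -eq 1 ]; then findings="$findings ldapv2"; fi
    if [ "$k4" -eq 1 ]; then findings="$findings kerberos4"; fi
    if [ "$simple" -eq 1 ] && [ "$tls" -eq 0 ]; then findings="$findings cleartext-simple-bind"; fi
    if [ "$simple" -eq 1 ] && [ "$tls" -eq 1 ]; then findings="$findings starttls-not-enforced"; fi
    findings=${findings# }
    echo "${findings:-ok}"
}

# Constructed sample command lines (host, DNs and passwords are made up).
while IFS= read -r line; do
    printf '%s\n    -> %s\n' "$line" "$(audit_ldap_cmd "$line")"
done <<'EOF'
ldapsearch -x -H ldap://ldap.example.com -D cn=admin,dc=example,dc=com -w secret -b dc=example,dc=com
ldapsearch -x -ZZ -H ldap://ldap.example.com -D cn=admin,dc=example,dc=com -W -b dc=example,dc=com
ldappasswd -x -Z -D cn=admin,dc=example,dc=com -W -s newsecret uid=jdoe,ou=people,dc=example,dc=com
EOF
```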
B.3.6 ldapsearch(1)
This tool issues LDAP search queries to directory servers (see Table B-11).

Table B-11. ldapsearch [options] [filter [attributes...]]

| Option | Description |
|---|---|
| -a [never\|always\|search\|find] | Specifies how to handle aliases when they are located during a search. Possible values include never (default), always, search, or find. |
| -A | For any entries found, returns the attribute names, but not their values. |
| -b basedn | Defines the base DN for the directory search. |
| -F prefix | Defines the URL prefix for filenames. The default is to use the value stored in $LDAP_FILE_URI_PREFIX. |
| -l limit | Defines a time limit (in seconds) for the server in the search. |
| -L, -LL, -LLL | Print the resulting output in LDIF v1 format. -LL causes the result to be printed in LDIF format without comments. -LLL prints the resulting output in LDIF format without comments and without version information. |
| -s [sub\|base\|one] | Defines the scope of the search to be base, one, or sub (the default). |
| -S attribute | Causes the ldapsearch client to sort the results by the value of attribute. |
| -t, -tt | Write binary values to files in a temporary directory defined by the -T option. -tt specifies that all values should be written to files in a temporary directory defined by the -T option. |
| -T directory | Defines the directory used to store the resulting output files. The default is the directory specified by $LDAP_TMPDIR. |
| -u | Includes user-friendly entry names in the output. |
| -z limit | Specifies the maximum number of entries to return. |