| Most commercial and open -source LDAP implementations come with a set of command-line utilities that allow you to query and manipulate your directory's contents. These tools are flexible, and with a little additional knowledge about shell scripting, you may find that the command-line utilities meet most of your basic directory access needs. In this section we'll describe the three tools you're likely to encounter and how to use them. Versions of these tools are available from multiple sources. We'll describe the version of the tools bundled with Netscape Directory Server 6. Other versions have different parameters. Consult the documentation for your particular command-line utilities if you are not using the Netscape tools. The examples we've provided assume that you have installed Netscape Directory Server 6 and have imported the sample LDIF file named Example.ldif provided with the server software. If you need to obtain a copy of the server software, you can download an evaluation copy from the Netscape Web site at http://enterprise.netscape.com. The ldapsearch Command-Line Utility The ldapsearch command-line utility allows you to search a directory server. Search parameters are supplied on the command line, and search results are output in LDIF format. A basic search operation might look like this: ldapsearch -h ldap.example.com -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)" version: 1 dn: uid=bjensen, ou=People, dc=example,dc=com cn: Barbara Jensen cn: Babs Jensen sn: Jensen givenName: Barbara objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson ou: Product Development ou: People L: Cupertino uid: bjensen mail: bjensen@example.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 roomNumber: 0209 In this example, we sent an LDAP search operation to the directory server running on host ldap.example.com . A search scope of subtree ( -s sub ) was used, with a search base of dc=example,dc=com (-b "dc=example,dc=com") . The search filter "(cn=Barbara Jensen)" indicates that we want to find all entries where the common name ( cn ) attribute exactly matches the string "Barbara Jensen". One matching entry was returned and displayed. If you are unfamiliar with the terms search base , search filter , or search scope , review the information on the LDAP search operation earlier in this chapter, in the section titled The LDAP Functional Model. Notice that the search base (dc=example,dc=com) and the search filter (cn=Barbara Jensen) were enclosed in quotes. This is necessary because those arguments to the ldapsearch command contain spaces. If the quotation marks were not used, those arguments would be split by the command interpreter or shell and would confuse the command-line utility. Certain other characters , such as the asterisk, may have meaning to the shell. If you receive an error such as "ldap_search: Bad search filter," check whether your command line is missing some required quotation marks. Retrieving a Single Entry To retrieve a single entry, use a search base equal to the DN of the entry you want to retrieve and a search scope of base : ldapsearch -h ldap.example.com -s base -b "uid=bjensen,ou=people,dc=example,dc=com" "(  objectclass=*)" version: 1 dn: uid=bjensen, ou=People, dc=example,dc=com cn: Barbara Jensen cn: Babs Jensen sn: Jensen givenName: Barbara objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson ou: Product Development ou: People L: Cupertino uid: bjensen mail: bjensen@example.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 roomNumber: 0209 Binding (Authenticating) In the previous examples we did not supply an identity to authenticate as. This is called an anonymous bind . Most directories are configured to limit the types of data that may be viewed by clients that bind anonymously. To gain more access, you must bind to the directory as a specific user . You can perform simple authentication using the -D bind dn and -w bind password options. Note what happens when we add these two parameters to the previous ldapsearch command: ldapsearch -h localhost -D "uid=bjensen,ou=people,dc=example,dc=com" -w hifalutin -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)" version: 1 dn: uid=bjensen, ou=People, dc=example,dc=com cn: Barbara Jensen cn: Babs Jensen sn: Jensen givenName: Barbara objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson ou: Product Development ou: People L: Cupertino uid: bjensen mail: bjensen@example.com telephoneNumber: +1 408 555 1862 homeTelephoneNumber: +1 408 555 9233 facsimileTelephoneNumber: +1 408 555 1992 roomNumber: 0209 Notice that the homeTelephoneNumber attribute is now returned. The reason is that the directory server has been configured with tighter access control restrictions on that attribute, and by authenticating, we now have access to it. Besides simple authentication, the command-line utilities allow you to use SSL client authentication to bind to the directory (see the section Using SSL to Search the Directory later in this chapter). Retrieving Only Certain Attributes By default, the server returns all attributes of an entry except for operational attributes, which we'll discuss in a moment. What if you're interested in retrieving only some of the attributes available? You can specify a space-separated list of attribute types at the end of the ldapsearch command line. For example, if you're interested in retrieving only the mail and roomNumber attributes of an entry, then you should include those attribute names at the end of the ldapsearch command line, as follows : ldapsearch -h localhost -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)" mail roomNumber version: 1 dn: uid=bjensen, ou=People, dc=example,dc=com mail: bjensen@example.com roomNumber: 0209 Recall that operational attributes are not returned unless specifically requested . If you want to retrieve one or more operational attributes, you need to specify their names on the command line. For example, if you want to retrieve the modifiersName and modifyTimeStamp attributes of an entry to determine who last updated the entry and when, use the following command: ldapsearch -h ldap.example.com -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)" modifiersName modifyTimeStamp version: 1 dn: uid=bjensen, ou=People, dc=example,dc=com modifiersName: cn=directory manager modifyTimeStamp: 20010719043240Z What if you want to retrieve all user attributes and some operational attributes? Use the special attribute type * along with the names of the operational attribute types you wish to retrieve. Because the asterisk has special meaning to Unix and Windows command shells , you should enclose it in quotation marks: ldapsearch -h localhost -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)" "*" modifiersName modifyTimeStamp version: 1 dn: uid=bjensen, ou=People, dc=example,dc=com cn: Barbara Jensen cn: Babs Jensen sn: Jensen givenName: Barbara objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson ou: Product Development ou: People L: Cupertino uid: bjensen mail: bjensen@example.com telephoneNumber: +1 408 555 1862 facsimileTelephoneNumber: +1 408 555 1992 roomNumber: 0209 modifiersName: cn=directory manager modifyTimeStamp: 20010719043240Z More Complex Filters In the preceding examples we used simple filters with a single term . What if you wanted to perform more complex searches? It's possible to use multiple filters and combine them with AND ( & ), OR ( ), and NOT ( ! ) operators, as described earlier in this chapter. For example, if you want to produce a list of all entries where the locality attribute matches either cupertino or sunnyvale you use the following filter: ldapsearch -h localhost -s sub -b "dc=example,dc=com" "((L=cupertino)(L=sunnyvale))" Note that the OR operator precedes the operands, and parentheses are used to group the operands. LDAP search filters use prefix notation, as described earlier. Suppose that the previous search operation returned some entries representing printers, and you weren't interested in those. You could further limit the search to person objects by adding a term, (objectclass=person) : ldapsearch -h localhost -s sub -b "dc=example,dc=com" "(&((L=cupertino)(L=sunnyvale))( objectclass=person))" The prefix filter notation makes this difficult to read. In a more familiar infix notation, it means (location = cupertino OR location = sunnyvale) AND objectclass = person Using SSL to Search the Directory If you want to use SSL to encrypt the communication between ldapsearch and the server, you can do so by using the “ Z and “ P options. The “ Z option enables SSL, and the “ P option gives the path to the certificate database. The certificate database is consulted by the client to determine whether the certificate provided by the client is trusted. The certificate database format used by the command-line utilities is the same format as that used by Netscape Communicator 4.x and 6.x: ldapsearch Z P /home/bjensen/.netscape/cert7.db -h localhost -D "uid=bjensen,ou=people, dc=example,dc=com" -w hifalutin -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)" In this example, we still provide the bind DN and password. SSL is being used only to encrypt the communications. SSL can also be used to carry authentication credentials. If you have a client certificate generated by a certificate authority and installed into the certificate database, you can use SSL client authentication. With SSL client authentication, the client presents a digital certificate to the server. The server verifies the authenticity of the client's certificate. If verification succeeds, then the server attempts to map the certificate to an entry in the directory. If the mapping step succeeds, then the client is authenticated as the mapped entry. The actual mapping step in Netscape Directory Server is configured via the certmap.conf configuration file. For more information, consult the Netscape Directory Server 6 Administrator's Guide . To use SSL client authentication, use the “ Z and “ P options as in the previous example, and add the “ W option (key database password) and the “ N option (certificate name to use). Here's an example: ldapsearch -h localhost -Z -P /home/bjensen/.netscape/cert7.db -W "mycertdbpassword" -N "My Certificate" -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)" For more information on these options, see the next section, ldapsearch Command-Line Option Reference. ldapsearch Command-Line Option Reference Table 2.5 is a comprehensive reference for all the ldapsearch command-line options. Table 2.5. Options for the ldapsearch Command | Option | Description | -n | Show what would be done, but do not send any search requests to the server. | -v | Display verbose diagnostic output. | | -h host | Connect to the LDAP server running on host . The default host is localhost . | | -p port | Connect to the server running on port instead of the default port. By default, ldapsearch uses port 389, unless you use the “ Z option to request an SSL connection, in which case ldapsearch uses port 636. | | -V n | Use LDAP protocol version n . The default is 3 . If you're communicating with a server that understands only LDAPv2 you can use the “ V 2 option to force the utility to use LDAPv2. Values other than 2 or 3 are illegal. | -Z | Use SSL when connecting to the server. | | -P path | Specify the pathname to the SSL certificate database. The certificate database is needed so that the utility can determine whether the server's certificate is trusted. The certificate database must be in the standard Netscape Communicator format. If you're using Communicator on a Unix system, your certificate database is $HOME/.netscape/cert7.db . | | -N name | Specify the name of the certificate to use for SSL client authentication. If you have more than one certificate in your certificate database, the “ N option allows you to specify which one should be used. | | -K path | Specify the pathname to the key database used for SSL client authentication. The key database contains your encrypted private keys. If the “ P option is given, then the default for the “ P option is the file key3.db in the same directory as cert7.db . | | -m path | Specify the path to the security module database, which contains the implementations of the security protocols. You will not normally need to provide this option, unless you're using a nonstandard security module. If the “ P option is given, then the default for the “ m option is the file secmod.db in the same directory as cert7.db . | | -W passwd | Specify the password for the SSL key database. If you're using SSL client authentication, you must provide the password to unlock the key database so that the ldapsearch command-line utility can use your private key. | | -D binddn | Bind as binddn , if using simple authentication. | | -w passwd | Use passwd when binding with simple authentication. | -E | Request that the server expose (report) bind identity. When this option is used, the client sends an authentication request control to the server. This control requests that the server return an authentication response control that describes the actual bind identity assigned. This is useful when SSL client authentication or SASL is being used, when the server may map the client credentials (for example, a certificate) to a directory entry. | -R | Do not automatically follow referrals. By default, the command-line utility attempts to follow any referrals encountered . A referral is returned when the server does not hold the required entries ”for example, when directory data is distributed across several servers. | | -O hoplimit | If following referrals, do not follow more than hoplimit referrals. This option is useful in preventing the client from getting stuck chasing a circular referral reference. | -M | Manage references. A reference (a ref attribute in an entry) normally results in a referral being returned to the client. If you want to examine or update the referral information, use the “ M option to send a ManageDSAIT control to the server. (See Chapter 3, LDAPv3 Extensions, for more information.) | -0 | Ignore version mismatches between the ldapsearch command-line utility and the LDAP shared library (Unix) or DLL (Windows). Note that this option is the character "0" (zero). | | -i charset | Specify the character set for command-line input. By default, the input character set is the default locale (the character set specified by the LANG environment variable). This option affects only strings provided in the command line, such as the search base, bind DN, and so on. It does not affect LDIF file input, which must be in the UTF-8 character set. | | -k dir | Specify a directory containing character set conversion routines. The default is the current directory. Netscape Directory Server 6 installs a set of conversion routines in the directory lib/nls/conv31 below the installation directory. | | -Y proxyid | Specify the authorization ID to use for the proxied authorization control. When the “ Y option is used, the client attempts to impersonate the given ID. If the client has the appropriate permission, the server processes the client requests as if they had been performed by the impersonated identity. The authorization ID is of the form dn: entrydn , where entrydn is the DN of the entry to impersonate. For example, dn: uid=bjensen, ou=people, dc=example, dc=com . For more information on proxied authorization, see Chapter 3, LDAPv3 Extensions. | -H | Display help text, with a short description of each option and its usage. | -t | Write values to files in the temp directory. When this option is used, the utility writes each value of each attribute into a separate file in the directory named by the user's TMP environment variable and prints the name of the file(s) to the standard output. This option is most useful when you want to save a binary attribute such as a JPEG file or X.509 certificate to a file for further processing. | -U | Display the location of files containing attribute values. When -U is used in conjunction with the “ t option, the ldapsearch utility outputs file URLs describing the location of the files it just wrote. The file URLs are of the form attrname:< file:///path , where attrname is the name of the attribute written, and path is the path of the file containing the attribute value. The LDIF file written can be read by the ldapmodify utility, which opens the file:/// URLs and sends the contents to the server. | -U | Include user-friendly names (UFNs) in the output. In addition to displaying the DN of an entry, the utility displays the user's DN without tags. For example, the DN uid=bjensen, ou=people, dc=example, dc=com will be displayed in UFN format as bjensen, people, example, com . User-friendly naming is a holdover from LDAP's X.500 roots and is not widely used today. | -o | Print directory data in an older format. Attribute types and values are separated with an equal sign ( = ), and long attribute values are not split into multiple lines. | -t | Don't fold (wrap) long lines. This option is useful when you want to export data to a file and modify that file. The “ T option prevents long lines from being split into multiple lines, which can be confusing if grep, sed, or other tools are being used to perform global search and replace operations on an LDIF file. Normally, the ldapsearch utility splits lines longer than 72 characters into multiple lines. | -E | Minimize base 64 encoding of values. Normally, the ldapsearch utility encodes any attribute values that contain binary characters, newline characters, and leading or trailing spaces. With the “ e option, the utility uses base 64 encoding only when the attribute value contains binary data. | -1 | Omit the leading "version: 1" in LDIF output. The latest LDIF standards specify that the first line of the LDIF file should indicate the LDIF version. Some older utilities may not expect this. Use the -1 option to create an LDIF file that these utilities can understand. | -A | Retrieve attribute names only. The client will not retrieve or display attribute values. | -B | Print binary values. This option is useful only with the “ o option. When printing attribute values in old format, the ldapsearch utility will normally not display non-ASCII values. The “ B option overrides this behavior and causes the utility to print non-ASCII values. | -x | Perform sorting on the server. When this flag is provided, any sort specifications (see the “ S option) will be processed on the server. For more information, see Chapter 3, LDAPv3 Extensions. | | -F sep | Print sep between the attribute type and value. The “ F option is valid only when used with the “ o option. | | -S attr | Sort the results by the attribute attr . To reverse the sort order, precede the attribute name with a dash ( -S -sn , for example). You may use multiple “ S options to specify more than one sort key. Sort keys are processed in the order they appear on the command line. For example, to sort by surname and then given name, use the options “ S sn “S givenName . | | -a deref | Some directory server software supports aliases, entries that point to another entry. When the server encounters an alias, it can choose to dereference the alias or return the actual alias entry. The “ a option specifies how aliases are to be dereferenced. You can control the dereferencing behavior separately for the two phases of the search operation. Phase 1 locates the base object of the search (the entry given in the “ b option), and phase 2 returns the entries below the base object that match the search criteria. deref may be one of the following: -
find . Dereference aliases only when locating the base object of the search, but not when returning entries subordinate to the base object. -
search . Dereference aliases when returning the entries subordinate to the base object, but not when locating the base object itself. -
never . Never dereference aliases. Return the alias entries themselves . -
always . Always dereference aliases, no matter when they are encountered. Note that Netscape Directory Server does not support server-side dereferencing of aliases, so this option has no effect with that server. | | -s scope | Search scope. One of base , one , or sub . | | -l time | Time limit in seconds for searching. The server will terminate a search operation if it does not complete in time seconds. The server may impose a smaller time limit that the client may not increase. | | -a size | Size limit in entries for searching. The server will return at most size entries to the client. The server may impose a smaller size limit that the client may not increase. | -G | Use the Virtual List View feature to restrict results to a particular subset of the search results. There are two forms of the arguments: -
before:after:index:count . index specifies the absolute offset from the beginning of the search result set, before tells the server how many entries before the index entry to return, and after tells the server how many entries after the index entry to return. count is the total requested size of the result set. For example, the argument “ G 5:4:105:0 instructs the server to send entries 100 through 109 to the client (5 entries before index 105, 4 entries after). -
before:after:value . Locate the first entry matching value , and return before entries before the matched entry and after entries after the matched entry. For example, the argument “ G 0:9:j instructs the server to find the first entry matching "j" and to return that entry and the next 9 entries. | | before:after:index:count | | or | | before:after:value | | | The “ G option is always used in conjunction with a server-side sort request. Therefore, the “ G option must always be used with the “ S option and the “ x option. | | | For more information on the Virtual List View feature, see Chapter 3, LDAPv3 Extensions. | The ldapmodify Command-Line Utility The ldapmodify utility allows you to perform one or more updates against a directory server. The LDIF file describing the updates to be performed is read from the standard input, or from a file if the “ f option is used. The ldapmodify command applies the updates in the order they appear in the file. If you haven't read the preceding section on LDIF, you may want to do so now. Many command-line options for ldapmodify are the same as for ldapsearch . All the options that specify the server host name, bind DN, passwords, and SSL options are the same. Suppose that you need to change Barbara Jensen's e-mail address to babs@example.com . The following ldapmodify command line accomplishes this: ldapmodify h ldap.example.com D "cn=directory manager" w secret < updates.ldif where updates.ldif contains dn: uid=bjensen, ou=people, dc=example, dc=com changetype: modify replace: mail mail: bjensen@example.com The following example shows how you can use the “ f option to achieve the same result: ldapmodify h ldap.example.com D "cn=directory manager" w secret -f updates.ldif Adding Entries By default, the ldapmodify utility expects that you will provide LDIF update statements as input (LDIF update statements always contain a changetype line in every entry). If the input file contains LDIF entries to be added to the directory, and those entries do not have a changetype line, you can use the “ a option on the command line. To illustrate , the following two examples produce the same result: ldapmodify h ldap.example.com D "cn=directory manager" w secret < updates.ldif where updates.ldif contains version: 1 dn: uid=bjensen, ou=people, dc=example, dc=com changetype: add objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen givenName: Barbara sn: Jensen uid: bjensen mail: bjensen@example.com telephoneNumber: +1 408 555 1212 description: Manager, switching products division is equivalent to ldapmodify h ldap.example.com D "cn=directory manager" w secret a < updates.ldif where updates.ldif contains version: 1 dn: uid=bjensen, ou=people, dc=example, dc=com objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: Barbara Jensen cn: Babs Jensen givenName: Barbara sn: Jensen uid: bjensen mail: bjensen@example.com telephoneNumber: +1 408 555 1212 description: Manager, switching products division Continuous Mode (“c) and Rejects File (“e) Options Normally, the ldapmodify command stops if it encounters an error. You can instruct the utility to continue in the event of errors by using the “ c (continuous mode) option. If you do this, you can also use the “ e option to write any rejected LDIF update statements to a separate file. You can then fix the problem that caused the entries to be rejected and just apply the updates that were previously rejected. The following example continues if errors are encountered and writes any rejected entries to the file rejects.ldif : ldapmodify h ldap.example.com D "cn=directory manager" w secret c e rejects.ldif < updates.ldif ldapmodify Command-Line Option Reference Table 2.6 is a comprehensive reference for all the ldapmodify command-line options. Table 2.6. Options for the ldapmodify Command | Option | Description | -n | Show what would be done, but do not send any update requests to the server. The “ n option can be used to verify that the LDIF file is correctly formatted. | -v | Display verbose diagnostic output. | -H | Connect to the LDAP server running on host . The default host is localhost . | -p | Connect to the server running on port instead of the default port. By default, ldapmodify uses port 389, unless you use the “ Z option to request an SSL connection. In this case, ldapmodify uses port 636. | | -V n | Use LDAP protocol version n . The default is 3 . If you're communicating with a server that understands only LDAPv2, you can use the “ V 2 option to force the utility to use LDAPv2. Values other than 2 or 3 are illegal. | -Z | Use SSL when connecting to the server. | | -P path | Specify the pathname to the SSL certificate database. The certificate database is needed so that the utility can determine whether the server's certificate is trusted. The certificate database must be in the standard Netscape Communicator format. If you're using Communicator on a Unix system, your certificate database is $HOME/.netscape/cert7.db . | | -N name | Specify the name of the certificate to use for SSL client authentication. If you have more than one certificate in your certificate database, the “ N option allows you to specify which one should be used. | | -K path | Specify the pathname to key database used for SSL client authentication. The key database contains your encrypted private keys. If the “ P option is given, then the default for the “ P option is the file key3.db in the same directory as cert7.db . | | -m path | Specify the path to the security module database. The security module database contains the implementations of the security protocols. You will not normally need to provide this option, unless you are using a nonstandard security module. If the “ P option is given, then the default for the “ m option is the file secmod.db in the same directory as cert7.db . | | -W passwd | Specify the password for the SSL key database. If you're using SSL client authentication, you must provide the password to unlock the key database so that the ldapsearch command-line utility can use your private key. | | -D binddn | Bind as binddn , if using simple authentication. | | -w passwd | Use passwd when binding with simple authentication. | -E | Request that the server expose (report) bind identity. When this option is used, the client sends an authentication request control to the server. This control requests that the server return an authentication response control that describes the actual bind identity assigned. This is useful when using SSL client authentication or SASL, when the server may map the client credentials (for example, a certificate) to a directory entry. | -R | Do not automatically follow referrals. By default, the command-line utility attempts to follow any referrals encountered. A referral is returned when the server does not hold the required entries ”for example, when directory data is distributed across several servers. | | -O hoplimit | If following referrals, do not follow more than hoplimit referrals. This option is useful in preventing the client from getting stuck chasing a circular referral reference. | -M | Manage references. A reference (a ref attribute in an entry) normally results in a referral being returned to the client. If you want to examine or update the referral information, use the “ M option to send a ManageDSAIT control to the server. (See Chapter 3, LDAPv3 Extensions, for more information.) | -0 | Ignore version mismatches between the ldapsearch command-line utility and the LDAP shared library (Unix) or DLL (Windows). Note that this option is the character "0" (zero). | | -i charset | Specify the character set for command-line input. By default, the input character set is the default locale (the character set specified by the LANG environment variable). This option affects only strings provided in the command line, such as the search base, bind DN, and so on. It does not affect LDIF file input, which must be in the UTF-8 character set. | | -k dir | Specify the directory containing character set conversion routines. The default is the current directory. Netscape Directory Server 6 installs a set of conversion routines in the directory lib/nls/conv31 below the installation directory. | | -Y proxyid | Specify the authorization ID to use for the proxied authorization control. When the “ Y option is used, the client attempts to impersonate the given ID. If the client has the appropriate permission, the server processes the client requests as if they have been performed by the impersonated identity. The authorization ID is of the form dn: entrydn , where entrydn is the DN of the entry to impersonate ”for example, dn: uid=bjensen, ou=people, dc=example, dc=com . For more information on proxied authorization, see Chapter 3, LDAPv3 Extensions. | -H | Display help text, with a short description of each option and its usage. | -c | Specify that continuous mode is to be used. If an error is encountered while the directory is being updated, continue. By default, the ldapmodify tool stops when an error is returned by the server. | -A | Display non-ASCII values in conjunction with “ v . | | -f file | Read LDIF from file instead of standard input. | -A | Add entries. Assume that the LDIF file contains only entries (no changetype lines). | -B | Read values that start with " / " from files. For example, the attribute value Jpegphoto: /tmp/file001.jpg causes the ldapmodify utility to open the file /tmp/file001.jpg and send its contents to the server. | -F | Force application of all changes, regardless of replica lines. | | -e rejfile | Save rejected entries to file rejfile . You can fix the problem that caused the entries to be rejected and then use rejfile as input to ldapmodify to send just the rejected entries. | | -B suffix | Bulk import to suffix . Completely replace the contents of suffix with the LDIF input file. The LDIF input file must contain LDIF entries, without changetype lines. For more information, see Chapter 3, LDAPv3 Extensions. | -q | Be quiet when adding or modifying entries. Do not produce diagnostic output. | |
