OpenLDAP's set of LDAP client tools can be used to communicate with any LDAPv3 server (see Table B-6).

Table B-6. Command-line options common to ldapsearch, ldapcompare, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn

| Option | Description |
| --- | --- |
| -d integer | Specifies what debugging information to log. See the loglevel slapd.conf parameter for a listing of log levels. |
| -D binddn | Specifies the DN to use for binding to the LDAP server. |
| -e [!]ctrl[=ctrlparam] | Defines an LDAP control to be used on the current operation. See also the -M option for the ManageDsaIT control. |
| -f filename | Specifies the file containing the LDIF entries to be used in the operations. |
| -H URI | Defines the LDAP URI to be used in the connection request. |
| -I | Enables the SASL "interactive" mode. By default, the client prompts for information only when necessary. |
| -k | Enables Kerberos 4 authentication. |
| -K | Enables only the first step of the Kerberos 4 bind for authentication. |
| -M, -MM | Enables the ManageDsaIT control. This option is necessary when modifying an entry that is a referral or an alias. -MM requires that the ManageDsaIT control be supported by the server. |
| -n | Does not perform the operation; just displays what would be done. |
| -O security_properties | Defines the SASL security properties for authentication. See the earlier description of the sasl-secprops parameter in slapd.conf. |
| -P [2\|3] | Defines which protocol version to use in the connection (version 2 or 3). The default is LDAPv3. |
| -Q | Suppresses SASL-related messages such as which authentication mechanism is used, the username, and the realm. |
| -R sasl_realm | Defines the realm to be used by the SASL authentication mechanism. |
| -U username | Defines the username to be used by the SASL authentication mechanism. |
| -v | Enables verbose mode. |
| -w password | Specifies the password to be used for authentication. |
| -W | Instructs the client to prompt for the password. |
| -x | Enables simple authentication. The default is to use SASL authentication. |
| -X id | Defines the SASL authorization identity. The identity has the form dn:dn or u:user. The default is to use the same authorization identity as the one the user authenticated with. |
| -y passwdfile | Instructs the LDAP tool to read the password for a simple bind from the given file. |
| -Y sasl_mechanism | Tells the client which SASL mechanism should be used. The bind request will fail if the server does not support the chosen mechanism. |
| -Z, -ZZ | Issues a StartTLS request. Use of -ZZ makes success of this request mandatory for the connection to proceed. |

### B.3.1 ldapadd(1), ldapmodify(1)

These tools send updates to directory servers (see Table B-7).

Table B-7. ldapadd/ldapmodify options

| Option | Description |
| --- | --- |
| -a | Adds entries. This option is the default for ldapadd. |
| -r | Replaces (or modifies) entries and values. This is the default for ldapmodify. |
| -F | Forces all change records to be used from the input. |

### B.3.2 ldapcompare(1)

This tool asks a directory server to compare two values: ldapcompare [options] DN <attr:value|attr::b64value>. There are no additional command-line flags for this tool.

### B.3.3 ldapdelete(1)

This tool deletes entries from an LDAP directory (see Table B-8).

Table B-8. ldapdelete [options] DN

| Option | Description |
| --- | --- |
| -r | Deletes the subtree whose root is designated by DN. The delete is not performed atomically. |

### B.3.4 ldapmodrdn(1)

This tool changes the RDN of an entry in an LDAP directory (see Table B-9).

Table B-9. ldapmodrdn [options] [dn rdn]

| Option | Description |
| --- | --- |
| -c | Instructs ldapmodrdn to continue if errors occur. By default, it terminates if there is an error. |
| -r | Removes the old RDN value. The default behavior is to add another value of the RDN and leave the old value intact; this makes it easier to modify a directory without leaving orphaned entries. |
| -s new_superior_node | Defines the new superior, or parent, entry under which the renamed entry should be located. |

### B.3.5 ldappasswd(1)

This tool changes the password stored in a directory entry (see Table B-10).

Table B-10. ldappasswd [options] [user]

| Option | Description |
| --- | --- |
| -a secret | The old password value. |
| -A | Prompt for the old password. |
| -s new_secret | The new password value. |
| -S | Prompt for the new password. |

### B.3.6 ldapsearch(1)

This tool issues LDAP search queries to directory servers (see Table B-11).

Table B-11. ldapsearch [options] [filter [attributes...]]

| Option | Description |
| --- | --- |
| -a [never\|always\|search\|find] | Specifies how to handle aliases when they are encountered during a search. Possible values are never (the default), always, search, or find. |
| -A | For any entries found, returns the attribute names but not their values. |
| -b basedn | Defines the base DN for the directory search. |
| -F prefix | Defines the URL prefix for filenames. The default is the value stored in $LDAP_FILE_URI_PREFIX. |
| -l limit | Defines a time limit (in seconds) for the server to spend on the search. |
| -L, -LL, -LLL | Prints the resulting output in LDIFv1 format. -LL prints the result in LDIF format without comments. -LLL prints the result in LDIF format without comments and without version information. |
| -s [sub\|base\|one] | Defines the scope of the search as base, one, or sub (the default). |
| -S attribute | Causes the ldapsearch client to sort the results by the value of attribute. |
| -t, -tt | Writes binary values to files in a temporary directory defined by the -T option. -tt specifies that all values should be written to files in that directory. |
| -T directory | Defines the directory used to store the resulting output files. The default is the directory specified by $LDAP_TMPDIR. |
| -u | Includes user-friendly entry names in the output. |
| -z limit | Specifies the maximum number of entries to return. |
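As an added example (not from the book), the following shell wrapper combines the Table B-6 and Table B-11 options into an ldapsearch invocation that enforces StartTLS, reads the bind password from a protected file instead of the command line, and bounds the result set; the URI, bind DN, base DN, password-file path and limits are placeholders.

```shell
#!/bin/sh
# Added example, not from the book: a hardened ldapsearch wrapper built from the
# options in Tables B-6 and B-11. Assumes OpenLDAP's ldapsearch is installed;
# the URI, bind DN, base DN, password-file path and limits are placeholders.
set -eu

# Refuse a password file that group or others can read. A readable file is no
# better than -w on the command line, which any local user can see in ps.
check_passfile() {
    f=$1
    [ -f "$f" ] || { echo "password file $f missing" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "password file $f must not be group- or world-readable" >&2
        return 1
    fi
}

# ldap_query URI BINDDN PASSFILE BASEDN FILTER [ATTR...]
#   -x    simple bind, so the password travels in clear unless TLS is up
#   -ZZ   StartTLS is mandatory; -Z alone would carry on without TLS
#   -y    bind password read from a file instead of -w on the command line
#   -z/-l client-requested size and time limits so a broad filter cannot
#         pull the whole tree
#   -LLL  plain LDIF output with no comments or version line
ldap_query() {
    uri=$1 binddn=$2 passfile=$3 basedn=$4 filter=$5
    shift 5
    check_passfile "$passfile"
    ldapsearch -x -ZZ -H "$uri" -D "$binddn" -y "$passfile" \
        -b "$basedn" -s sub -z 100 -l 30 -LLL "$filter" "$@"
}

# Placeholder invocation (no real server): look up one user's uid and mail.
# ldap_query ldap://ldap.example.com "cn=reader,dc=example,dc=com" \
#     /etc/ldap/reader.pw "dc=example,dc=com" "(uid=jdoe)" uid mail
```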