
Chapter 14. LDAP Tools

OpenLDAP Tools - command line utilities
LDAPBrowser/Editor - our LDAP Browser of choice
ApacheDS Tools - tools and utilities

OpenLDAP Tools

OpenLDAP provides a number of tools. We document them here for the sake of completeness but you can always get this information from the appropriate man pages if you are lucky enough to be using 'nix systems.

A vital rule of thumb: in general, if the command starts with ldap, slapd MUST be running. If it starts with slap (specifically slapcat, slapindex, slapadd), slapd MUST NOT be running, and you can corrupt the LDAP database if it is. Mix them at your peril - though the latest versions of OpenLDAP note that slapcat may be run while slapd is running when a bdb or hdb backend is in use. Hmmm.

There is a single exception to the rule above, which is slappasswd - a benign little utility used to create passwords. It is regrettable that this crummy exception exists - so important is the need to stop slapd when running any of the other commands. While it is pretty pointless to stop slapd just to run slappasswd, it's better to have a Pavlovian response to the prefix slap and always stop slapd than to get a corrupt database when you run, say, slapcat. That's how important this stuff is. Some among us will say "I'll never get it wrong 'cos I'm smart". When we are panicking to get service back with 57 people breathing down our necks - ain't none of us too smart.
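The rule above is easy to break in a hurry, so a wrapper that checks for a running slapd before it will launch an offline tool is a cheap safeguard. The POSIX sh script below is an added example written for this page, not an OpenLDAP utility; the function names, the SLAPD_PIDFILE and SLAPGUARD_ALLOW_SLAPCAT_ONLINE variables and the exit codes are our own choices.

```shell
#!/bin/sh
# slapguard: refuse to run the offline slap* tools while slapd is up, and
# refuse to run ldap* tools while it is down.  Added example for this page,
# not part of OpenLDAP; names and variables below are our own.
#
# Rule of thumb from the text: ldap* needs slapd running; slapadd, slapcat
# and slapindex need it stopped; slappasswd never touches the database, and
# slapacl only reads the config and the DIT so may run with slapd up.

# slapd_running -> 0 if a slapd process exists.  SLAPD_PIDFILE (assumed,
# site specific) is consulted first; otherwise fall back to pgrep.
slapd_running() {
  if [ -n "${SLAPD_PIDFILE:-}" ] && [ -r "$SLAPD_PIDFILE" ]; then
    kill -0 "$(cat "$SLAPD_PIDFILE")" 2>/dev/null && return 0
  fi
  pgrep -x slapd >/dev/null 2>&1
}

# slap_precheck TOOL -> 0 if TOOL may run now, 1 if it must not, 2 if unknown
slap_precheck() {
  case "$1" in
    slappasswd|slapacl|slaptest|slapdn)
      return 0 ;;                 # no database writes: always fine
    slapcat)
      if slapd_running; then
        # the text says slapcat *may* be safe on bdb/hdb with slapd up;
        # demand an explicit opt-in rather than assume it
        [ "${SLAPGUARD_ALLOW_SLAPCAT_ONLINE:-0}" = 1 ] && return 0
        return 1
      fi
      return 0 ;;
    slapadd|slapindex)
      if slapd_running; then return 1; fi
      return 0 ;;
    ldap*)
      # ldap* tools bind to a live server; fail fast instead of timing out
      if slapd_running; then return 0; fi
      return 1 ;;
    *)
      return 2 ;;
  esac
}

# slapguard TOOL [ARGS...] -> runs TOOL with ARGS only if slap_precheck allows;
# exit 75 (EX_TEMPFAIL) when the slapd state is wrong, 64 (EX_USAGE) if unknown
slapguard() {
  tool=$1; shift
  rc=0
  slap_precheck "$tool" || rc=$?
  case "$rc" in
    0) "$tool" "$@" ;;
    1) case "$tool" in
         ldap*) echo "slapguard: $tool needs slapd running and it is not" >&2 ;;
         *)     echo "slapguard: slapd is running; stop it before $tool (database corruption risk)" >&2 ;;
       esac
       return 75 ;;
    *) echo "slapguard: unknown tool '$tool'" >&2; return 64 ;;
  esac
}

# Executed directly:  ./slapguard.sh slapcat -l /tmp/backup.ldif
if [ "$#" -gt 0 ]; then
  slapguard "$@"
fi
```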

OpenLDAP Tools Contents

ldapadd - add LDIF entries to an LDAP directory
ldapauth - add LDIF entries to an LDAP directory
ldapdelete - delete LDAP entries
ldapmodify - modify existing LDAP entries
ldapmodrdn - modify an LDAP entry's DN
ldappasswd - modify an entry's password
ldapsearch - search LDAP entries
ldapwhoami - perform an LDAP Who Am I operation on a server
slapacl - verify access to attributes by inspecting the configuration of a DIT
slapadd - add LDAP entries to a database - STOP SLAPD FIRST
slapauth - verify SASL data against a DIT
slapcat - export an LDIF from an LDAP database - STOP SLAPD FIRST
slapdn - verify a DN against a DIT configuration
slapindex - re-index an LDAP database - STOP SLAPD FIRST
slappasswd - generate password
slaptest - verify a slapd.conf file or a cn=config directory (slapd.d)

ldapadd & ldapmodify

ldapadd and ldapmodify take the same arguments and are essentially synonymous: ldapmodify with the -a argument IS ldapadd. Both utilities require an operational LDAP server and take their input (in LDIF format) either from standard input (the console) or from an LDIF file named with the -f argument. Both allow an extensive argument set, but in practice it is the changetype directives in the LDIF that perform the work. If changetype is omitted in an LDIF, ldapadd assumes add and ldapmodify assumes modify; an explicit changetype: add in the LDIF will add the entry even when run with ldapmodify.

ldapmodify/ldapadd [-a] [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]

Arg Description
-a Add new entries. The default for ldapmodify is to modify existing entries. If invoked as ldapadd, this flag is always set.
-c Continuous operation mode. Errors are reported, but ldapmodify will continue with modifications. The default is to exit after reporting an error.
-S file Records whose add or change was skipped due to an error are written to file, with the error message returned by the server added as a comment. Most useful in conjunction with -c.
-n Show what would be done, but don't actually modify entries. Useful for debugging in conjunction with -v.
-v Use verbose mode, with many diagnostics written to standard output.
-k Use Kerberos IV authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. You must compile with Kerberos support for this option to have any effect.
-K Same as -k, but only does step 1 of the Kerberos IV bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal registered with your Kerberos Domain Controller(s).
-F Force application of all changes regardless of the contents of input lines that begin with replica: (by default, replica: lines are compared against the LDAP server host and port in use to decide if a replog record should actually be applied).
-M[M] Enable manage DSA IT control. -MM makes control critical.
-d debuglevel Set the LDAP debugging level to debuglevel. ldapmodify must be compiled with LDAP_DEBUG defined for this option to have any effect.
-f file Read the entry modification information from file instead of from standard input.
-x Use simple authentication instead of SASL.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd Use passwd as the password for simple authentication.
-y passwdfile Use the complete contents of passwdfile as the password for simple authentication.
-H ldapuri Specify URI(s) referring to the ldap server(s).
-h ldaphost Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3 Specify the LDAP protocol version to use.
-O props Specify SASL security properties.
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-Q Enable SASL Quiet mode. Never prompt.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.

Examples:

Use the specified LDIF file to modify the defined LDAP server, authenticating with the rootdn and its password. Use simple authentication.

ldapadd -H ldap://ldaphost.example.com -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addgroups.ldif -w dirtysecret

Notes:

  1. Since OpenLDAP 2.x the default security mechanism is SASL - if this is not used the -x argument must be given.
  2. If the LDAP server is on the same host the -H argument can be omitted.
  3. If the -W argument is used (instead of -w) the utility will prompt for the password, which also keeps it out of the process list and shell history.

ldapdelete

ldapdelete opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more DN arguments are provided, entries with those Distinguished Names are deleted. Each DN should be provided using the LDAPv3 string representation as defined in RFC 2253. If no dn arguments are provided, a list of DNs is read from standard input (or from file if the -f flag is used).

Note: The file referenced in this command is not in LDIF format. It is a text file containing one or more DNs (one per line) that will be processed by the command, for example:

cn=someone,ou=people,dc=example,dc=com
cn=someone else,ou=people,dc=example,dc=com

The alternative method to delete entries is to use ldapmodify with an LDIF file such as:

dn: cn=someone,ou=people,dc=example,dc=com
changetype: delete

dn: cn=someone else,ou=people,dc=example,dc=com
changetype: delete

ldapdelete [-c] [-d debuglevel] [-D binddn] [-f file] [-H ldapuri] [-h ldaphost] [-I] [-k] [-K] [-M[M]] [-n] [-O security-properties] [-P 2|3] [-p ldapport] [-Q] [-R realm] [-U authcid] [-v] [-W] [-w passwd] [-x] [-X authzid] [-y passwdfile] [-Y mech] [-Z[Z]] [dn]...

Arg Description
-c Continuous operation mode. Errors are reported, but ldapdelete will continue with deletions. The default is to exit after reporting an error.
-d debuglevel Set the LDAP debugging level to debuglevel. ldapdelete must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-f file Read the DNs to delete from file instead of from standard input. This file is not in LDIF format; it is simply a text file with the required DNs to be deleted, one per line.
-H ldapuri Specify URI(s) referring to the ldap server(s).
-h ldaphost Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-k Use Kerberos IV authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. You must compile with Kerberos support for this option to have any effect.
-K Same as -k, but only does step 1 of the Kerberos IV bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal registered with your Kerberos Domain Controller(s).
-M[M] Enable manage DSA IT control. -MM makes control critical.
-n Show what would be done, but don't actually modify entries. Useful for debugging in conjunction with -v.
-O props Specify SASL security properties.
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3 Specify the LDAP protocol version to use.
-Q Enable SASL Quiet mode. Never prompt.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-v Use verbose mode, with many diagnostics written to standard output.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd Use passwd as the password for simple authentication.
-x Use simple authentication instead of SASL.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-y passfile Use complete contents of passwdfile as the password for simple authentication.
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
dn... One or more DNs to delete (may be read from a file if the -f argument is used).

ldapmodrdn

ldapmodrdn opens a connection to an LDAP server, binds, and modifies the RDN of entries. The entry information is read from standard input, from file through the use of the -f option, or from the command-line pair dn and rdn.

ldapmodrdn [-r] [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file] [dn rdn]

Arg Description
-r Remove old RDN values from the entry. Default is to keep old values.
-n Show what would be done, but don't actually modify entries. Useful for debugging in conjunction with -v.
-v Use verbose mode, with many diagnostics written to standard output.
-k Use Kerberos IV authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. You must compile with Kerberos support for this option to have any effect.
-K Same as -k, but only does step 1 of the Kerberos IV bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal registered with your Kerberos Domain Controller(s).
-c Continuous operation mode. Errors are reported, but ldapmodrdn will continue with modifications. The default is to exit after reporting an error.
-M[M] Enable manage DSA IT control. -MM makes control critical.
-d debuglevel Set the LDAP debugging level to debuglevel. ldapmodrdn must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd Use passwd as the password for simple authentication.
-y passfile Use complete contents of passwdfile as the password for simple authentication.
-H ldapuri Specify URI(s) referring to the ldap server(s).
-h ldaphost Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3 Specify the LDAP protocol version to use.
-O props Specify SASL security properties.
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-Q Enable SASL Quiet mode. Never prompt.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
-f file Read the entry modification information from file instead of from standard input.
-x Use simple authentication instead of SASL.
dn rdn modifies the dn using the supplied rdn.

ldappasswd

ldappasswd uses the LDAP Password Modify Extended Operation defined in RFC 3062 to modify the password of a user who may reside within the LDAP DIT (where the user is specified with a DN) or be maintained externally by SASL. While the RFC suggests that some form of authentication should be used, ldappasswd does not apparently police such usage.

ldappasswd [-A] [-a oldpassword] [-t oldpasswdfile] [-D binddn]
  [-d debuglevel] [-H ldapuri] [-h ldaphost]  [-n]  [-p ldapport]
  [-S]  [-s newPasswd]   [-T newpasswdfile]   [-v]  [-W]  [-w passwd]
  [-y passwdfile]  [-O props]  [-I]  [-Q]  [-U authcid]
  [-x]  [-X authzid] [-R realm] [-Y mech] [-Z[Z]] [user]

Arg Description
-A Prompt for old (current) password. Incompatible with -a or -t option.
-a oldpassword The current password is defined by the oldpassword value. Incompatible with -A or -t option.
-d debug Set the LDAP debugging level to debug. ldappasswd must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-H ldapuri Preferred format (-h is deprecated). If omitted assumes ldap://localhost:389. Format is scheme(ldap/ldaps)://host.name:port - multiple entries may be defined separated by whitespace or commas.
-h ldaphost Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-n Perform all connection and protocol operation but do NOT set password. Useful for debugging in conjunction with -v and/or -d.
-O props Specify SASL security properties.
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-Q Enable SASL Quiet mode. Never prompt.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-s newpasswd Use the newpasswd value as the new password. Incompatible with -S and -T option.
-S Prompt for new password (will occur twice). Incompatible with -s and -T option.
-t oldpasswdfile Read the old (current) password from the defined file. Incompatible with -a and -A option.
-T path Read the new password from the defined file. Incompatible with -s and -S option.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-v Use verbose mode, with many diagnostics written to standard output.
-y passwdfile Use complete contents of passwdfile as the password for simple authentication.
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd Use passwd as the password for simple authentication.
-x Use simple authentication instead of SASL.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
user If the user is defined within LDAP then a DN uniquely identifying the user is defined enclosed in double quotes, for example: "cn=slimy toad,ou=people,dc=example,dc=com".

Examples:

Modifies the userPassword attribute of cn=slimy toad,ou=people,dc=example,dc=com, binding as the rootdn, and prompts for the rootdn password (-W), the old password (-A) and the new password (-S).

ldappasswd [-H ldap://localhost] -D cn=admin,dc=example,dc=com -W -A -S "cn=slimy toad,ou=people,dc=example,dc=com"

ldapsearch

ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters as defined in RFC 4515. If not provided, the default filter, (objectClass=*), is used.

If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned.

ldapsearch results are displayed in LDIF format (format controlled by -L).

ldapsearch  [-a never|always|search|find] [-A] [-b searchbase] [-c] [-d debuglevel]
   [-D binddn] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-f file] [-F prefix]
   [-h ldaphost] [-H ldapuri] [-I] [-l time] [-L[L[L]]] [-M[M]] [-n]
   [-O security-properties] [-p ldapport] [-P 2|3] [-Q] [-R realm]
   [-s base|one|sub|children] [-S attribute] [-t[t]] [-T path] [-u] [-U authcid]
   [-v] [-w passwd] [-W] [-x] [-X authzid] [-y passwdfile] [-Y mech] [-z sizelimit]
   [-Z[Z]] filter [attrs...]

Arg Description
-a never|always|search|find Specify how alias dereferencing is done. May be never, always, search, or find to specify that aliases are never dereferenced, always dereferenced, dereferenced when searching, or dereferenced only when locating the base object for the search. The default is to never dereference aliases.
-A Retrieve attributes only (no values). This is useful when you just want to see if an attribute is present in an entry and are not interested in the specific values.
-b base Use base (DN) as the starting point for the search instead of the default.
-c (LDAP 2.4+) continue after error. Default will terminate after error encountered. Only relevant if used in conjunction with -f (read searches from file).
-d debug Set the LDAP debugging level to debug. ldapsearch must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-e [!]ext[=extparam] See -E below
-E [!]ext[=extparam] Specify general extensions with -e and search extensions with -E. '!' indicates criticality.

General extensions:

[!]assert=<filter>               (an RFC 4515 filter)
[!]authzid=<authzid>             ("dn:<dn>" or "u:<user>")
[!]manageDSAit
[!]noop
ppolicy
[!]postread[=<attrs>]            (a comma-separated attribute list)
[!]preread[=<attrs>]             (a comma-separated attribute list)
abandon, cancel                  (SIGINT sends abandon/cancel)

Search extensions:

[!]domainScope                   (domain scope)
[!]mv=<filter>                   (matched values filter)
[!]pr=<size>[/prompt|noprompt]   (paged results/prompt)
[!]subentries[=true|false]       (subentries)
[!]sync=ro[/<cookie>]            (LDAP Sync refreshOnly)
        rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
-f file Read a series of lines from file, performing one LDAP search for each line. In this case, the filter given on the command line is treated as a pattern where the first and only occurrence of %s is replaced with a line from file. Any other occurrence of the % character in the pattern will be regarded as an error. Where it is desired that the search filter include a % character, the character should be encoded as \25 (see RFC 4515). If file is a single - character, then the lines are read from standard input. ldapsearch will exit when the first non-successful search result is returned, unless -c is used (2.4+ only).
-F prefix URL prefix for temporary files. Default is file://path/ where path is /var/tmp/ or specified with -T.
-H ldapuri Specify URI(s) referring to the ldap server(s); a list of URIs, separated by whitespace or commas, is expected; only the scheme://host.name:port parts are allowed. As an exception, if no host/port is specified but a DN is, the DN is used to look up the corresponding host(s) using DNS SRV records, according to RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396. The precise syntax used to invoke the DN format is - and remains - a mystery.
-h ldaphost Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-l time Wait at most time seconds for a search to complete. A time of 0 (zero) removes the ldap.conf limit. This value cannot exceed any timelimit (in slapd.conf) unless authenticated as (-D) rootdn.
-L[L[L]] Search results are displayed in LDIF format. A single -L restricts the output to LDIFv1. A second L (-LL) disables comments. A third L (-LLL) disables printing of the LDIF version. The default (no -L) is to use an extended version of LDIF.
-M[M] Enable manage DSA IT control. -MM makes control critical.
-n Show what would be done, but don't actually modify entries. Useful for debugging in conjunction with -v.
-O props Specify SASL security properties.
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3 Specify the LDAP protocol version to use.
-Q Enable SASL Quiet mode. Never prompt.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-s scope Specify the scope of the search as base, one, sub or children, giving a base-object, one-level, subtree or children-only search respectively. The default is sub. Note: children scope requires the LDAPv3 subordinate feature extension.
-S attribute Sort the entries returned based on attribute. The default is not to sort entries returned. If attribute is a zero-length string (""), the entries are sorted by the components of their Distinguished Name. See ldap_sort(3) for more details. Note that ldapsearch normally prints out entries as it receives them. The use of the -S option defeats this behavior, causing all entries to be retrieved, then sorted, then printed.
-t Write retrieved values to a set of temporary files. This is useful for dealing with non-ASCII values such as jpegPhoto or audio. A second t (-tt) saves all values to temporary files. Default files are in /var/tmp.
-T path Defines the path to a directory to be used to store files created using the -t argument (use to override /var/tmp default).
-u Include the User Friendly Name form of the Distinguished Name (DN) in the output.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-v Use verbose mode, with many diagnostics written to standard output.
-y passwdfile Use complete contents of passwdfile as the password for simple authentication.
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd Use passwd as the password for simple authentication.
-x Use simple authentication instead of SASL.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-z size Retrieve at most size entries for a search. A size of 0 (zero) removes the ldap.conf limit. This value cannot exceed any sizelimit (in slapd.conf) unless authenticated as (-D) rootdn.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
filter The search filter to be used. This is enclosed in double quotes and bounded by parentheses.
attrs Space-separated list of attributes to be returned.

Examples:

The following searches multiple levels (sub is the -s default) for entries whose mail attribute contains smith, displays the sn, cn and mail attributes and outputs in LDIFv1 format without comments. The -LL is included to ensure that the displayed LDIF can be written to a file and then read by, say, ldapmodify.

ldapsearch -H ldap://ldap.example.com -LL -b ou=people,dc=example,dc=com "(mail=*smith*)" sn cn mail

# using standard redirection the above results could be written to a file
# > /tmp/search1.ldif
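The filter argument (and the %s pattern used with -f) is the usual place where untrusted input meets an LDAP query: a value containing ( ) * or \ rewrites the filter's structure unless it is escaped as RFC 4515 requires. The POSIX sh helpers below are an added example written for this page, not OpenLDAP code; the function names are our own, and ldap_pattern_check implements the one-%s rule the -f description above states.

```shell
#!/bin/sh
# Filter-building helpers for ldapsearch (added for this page; not OpenLDAP
# code).  RFC 4515 reserves  \ * ( )  and NUL inside an assertion value; a
# user-supplied value must have them escaped as \5c \2a \28 \29, or a value
# such as  a)(uid=*  changes the meaning of the whole filter.
# NUL cannot be carried in a shell string, so it is not handled here.

# ldap_filter_escape VALUE -> VALUE with RFC 4515 escaping.  Backslash is
# done first so the escapes just introduced are not escaped again.
ldap_filter_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# ldap_pattern_escape VALUE -> as above, plus % encoded as \25, so the value
# is safe inside a pattern handed to  ldapsearch -f  (where %s is the slot)
ldap_pattern_escape() {
  ldap_filter_escape "$1" | sed 's/%/\\25/g'
}

# ldap_substring_filter ATTR VALUE -> "(ATTR=*VALUE*)": the wildcards are
# ours; any wildcard or parenthesis inside VALUE is matched literally
ldap_substring_filter() {
  printf '(%s=*%s*)' "$1" "$(ldap_filter_escape "$2")"
}

# ldap_pattern_check PATTERN -> 0 if PATTERN contains exactly one %s and no
# other %, which is what ldapsearch -f demands; 1 otherwise
ldap_pattern_check() {
  rest=$(printf '%s' "$1" | sed 's/%s//g')   # strip every %s placeholder
  case "$rest" in *%*) return 1 ;; esac      # any % left over is an error
  [ $(( (${#1} - ${#rest}) / 2 )) -eq 1 ]    # each removed %s was 2 chars
}

# Executed directly:  ./ldapfilter.sh mail 'smith'  prints  (mail=*smith*)
if [ "$#" -eq 2 ]; then
  ldap_substring_filter "$1" "$2"; echo
fi
```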

ldapwhoami

One Day Real Soon Now™

slapacl

Updated to 2.4. slapacl allows the user to test access to specific attributes given the current access directives in the slapd.conf file. The utility requires read-only access to the slapd.conf file and the DIT therefore may be used when slapd is running.

slapacl -b DN [-d level] [-D authcDN | -U authcID] [-f slapd.conf] [-F confdir] [-o name[=value]] [-u] [-v] [-X authzID | -o authzDN=DN] [attr[/access][:value]] [...]

Arg Description
-b DN specify the DN which access is requested to; the corresponding entry is fetched from the database, and thus it must exist. The DN is also used to determine what rules apply; thus, it must be in the naming context of a configured database. See also -u.
-d level enable debugging messages as defined by the specified level.
-D authcDN specify a DN to be used as identity through the test session when selecting appropriate <by> clauses in access control lists.
-f slapd.conf specify an alternative slapd.conf(5) file.
-F confdir specify a config directory (for use with cn=config). If both -f and -F are specified, the config file (slapd.conf) will be read and converted to config directory format and written to the specified directory. If neither option is specified, an attempt to read the default config directory (slapd.d) will be made before trying to use the default config file. If a valid config directory exists then the default config file is ignored. If dryrun mode (-u) is also specified, no conversion will occur.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)

Possible options/values specific to slapacl are:

 authzDN
 domain
 peername
 sasl_ssf
 sockname
 sockurl
 ssf
 tls_ssf
 transport_ssf
-u do not fetch the entry from the database. In this case, if the entry does not exist, a fake entry with the DN given with the -b option is used, with no attributes. As a consequence, those rules that depend on the contents of the target object will not behave as with the real object. The DN given with the -b option is still used to select what rules apply; thus, it must be in the naming context of a configured database. See also -b.
-v enable verbose mode.
-X authzID specify an ID to be mapped to a DN by means of authz-regexp or authz-rewrite rules; mutually exclusive with -D.
attr[/access][:value] [...] Each attribute sequence is enclosed in a quoted string as shown in this example:
# tests whether it is possible to read the
# organizationName (o) with the value 'Example, inc.'
"o/read:Example, Inc."

slapadd

Updated to 2.4+. slapadd is used to add entries specified in LDIF format to an LDAP database. SLAPD MUST NOT BE RUNNING WHEN THIS COMMAND IS ISSUED OR SERIOUS DATABASE CORRUPTION MAY RESULT. It applies the LDIF to the database determined by the database number or suffix. The LDIF input is read from standard input or the specified file (-l argument).

STOP SLAPD BEFORE RUNNING. slapadd is designed to accept LDIF in database order: it does not verify that superior entries exist before adding an entry, does not perform user and system schema checks, and does not maintain operational attributes (such as createTimestamp and modifiersName).

slapadd [-b suffix] [-c] [-d level] [-f slapd.conf]
        [-F confdir] [-g] [-j lineno] [-l ldif-file]
        [-n dbnum]  [-o  name[=value]]
        [-q] [-s] [-S SID] [-u] [-v] [-w]

Arg Description
-b suffix Use the specified suffix to determine which database to add entries to. The -b cannot be used in conjunction with the -n option.
-c enable continue (ignore errors) mode.
-d level enable debugging messages as defined by the specified level.
-f slapd.conf specify an alternative slapd.conf(5) file.
-F confdir specify a config directory (for use with cn=config). If both -f and -F are specified, the config file (slapd.conf) will be read and converted to config directory format and written to the specified directory. If neither option is specified, an attempt to read the default config directory (slapd.d) will be made before trying to use the default config file. If a valid config directory exists then the default config file is ignored. If dryrun mode (-u) is also specified, no conversion will occur.
-g disable subordinate gluing. Only the specified database will be processed, and not its glued subordinates (if any).
-j lineno Jump to the specified lineno (line number) in the LDIF file before processing any entries. This allows a load that was aborted due to errors in the input LDIF to be resumed after the errors are corrected.
-l ldif-file Read LDIF from the specified file instead of standard input.
-n dbnum Add entries to the dbnum-th database listed in the configuration file. The -n cannot be used in conjunction with the -b option.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)
-q enable quick (fewer integrity checks) mode. Does fewer consistency checks on the input data, and no consistency checks when writing the database. Improves the load time but if any errors or interruptions occur the resulting database will be unusable.
-s disable schema checking. This option is intended to be used when loading databases containing special objects, such as fractional objects on a partial replica. Loading normal objects which do not conform to schema may result in an unusable DIT and is not recommended.
-S SID Server ID to use in generated entryCSN. Also used for contextCSN if `-w' is set as well. Defaults to 0.
-u enable dry-run (don't write to backend) mode.
-v enable verbose mode.
-w 2.3+. Write syncrepl context information. After all entries are added, the contextCSN will be updated with the greatest CSN in the database. This implies that the LDIF file contains the required attributes (it was created from a post-2.2 DIT). Using this option allows the consumer to generate a SyncCookie and minimises the time taken to initially synchronize a syncrepl style replication. See also syncrepl synchronization.


slapauth

One Day Real Soon Now™


slapcat

Updated to 2.4. STOP SLAPD BEFORE RUNNING - though the latest versions (2.3+) of OpenLDAP suggest that if either an HDB or BDB backend is being used then it is safe to leave slapd running when using slapcat. slapcat is used to generate an LDIF based upon the contents of an LDAP database. It opens the database determined by the database number or suffix and writes the corresponding LDIF to standard output or to the specified file (-l argument). OpenLDAP (slapd) should not be running when this command is issued.

The LDIF generated by this utility can be used by slapadd. As the entries are in database order, not superior first order, they cannot be loaded with ldapadd without being reordered.
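As an added example (not part of the original page or of OpenLDAP itself), the Python below does the two things this section and the slapadd notes leave to the administrator: it reorders database-order LDIF into superior-first order so ldapadd will accept it, and it lists entries whose superior is absent, the check slapadd does not perform. The sample LDIF and the suffix dc=example,dc=com are constructed for the example.

```python
import re

# Constructed sample in "database order" (a subordinate before its superiors),
# as slapcat may emit it; not taken from the page.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example
"""

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514 '\\,')."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def parse_ldif(text):
    """[(dn, record)] per blank-line separated record (base64 'dn::' not handled)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn_line = next(l for l in block.splitlines() if l.lower().startswith("dn:"))
        entries.append((dn_line[3:].strip(), block))
    return entries

def superior_first(text):
    """Reorder database-order LDIF so superiors precede subordinates, as ldapadd
    needs: a stable sort by RDN count puts every parent before its children."""
    entries = sorted(parse_ldif(text), key=lambda e: len(split_dn(e[0])))
    return "\n\n".join(rec for _, rec in entries) + "\n"

def missing_superiors(text):
    """DNs whose parent entry is absent from the LDIF, the check slapadd itself
    skips; entries at the shallowest depth are taken to be the suffix."""
    entries = parse_ldif(text)
    norm = lambda rdns: ",".join(rdns).lower()
    present = {norm(split_dn(dn)) for dn, _ in entries}
    root_depth = min(len(split_dn(dn)) for dn, _ in entries)
    return [dn for dn, _ in entries if len(split_dn(dn)) > root_depth
            and norm(split_dn(dn)[1:]) not in present]
```

Run missing_superiors over a slapcat dump before feeding it to slapadd -q: with quick mode no consistency checks are made while writing, so a missing parent surfaces only later as an unusable database.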

slapcat [-a filter] [-b suffix] [-c] [-d level]
        [-f slapd.conf] [-F confdir] [-g] [-l ldif-file]
        [-n dbnum] [-o name[=value]] [-s subtree-dn] [-v]
Arg Description
-a filter Only dump entries matching the asserted filter. For example:
slapcat -a \
  "(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))"
will dump all but the "ou=People,dc=example,dc=com" subtree of the "dc=example,dc=com" database.
-b suffix Use the specified suffix (as defined in the slapd.conf suffix directive) to determine which database to generate output for. The -b cannot be used in conjunction with the -n option.
-c enable continue (ignore errors) mode.
-d level enable debugging messages as defined by the specified level.
-f slapd.conf specify an alternative slapd.conf file.
-F confdir specify a config directory (for use with cn=config). If both -f and -F are specified, the config file (slapd.conf) will be read and converted to config directory format and written to the specified directory. If neither option is specified, an attempt to read the default config directory (slapd.d) will be made before trying to use the default config file. If a valid config directory exists then the default config file is ignored. If dryrun mode (-u) is also specified, no conversion will occur.
-g disable subordinate gluing. Only the specified database will be processed, and not its glued subordinates (if any).
-l ldif-file Write LDIF to the specified file instead of standard output.
-n dbnum Generate output for the dbnum-th database listed in the configuration file. The -n cannot be used in conjunction with the -b option.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)
-q enable quick (fewer integrity checks) mode. Does fewer consistency checks on the input data, and no consistency checks when writing the database. Improves the load time but if any errors or interruptions occur the resulting database will be unusable.
-s subtree-dn Only dump entries in the subtree specified by this DN. Implies `-b subtree-dn' if no -b or -n option is given.
-v enable verbose mode.


slapdn

One Day Real Soon Now™


slapindex

Updated to 2.4+. STOP SLAPD BEFORE RUNNING. slapindex is used to regenerate LDAP indices based upon the current contents of a database. It opens the database determined by the database number or suffix and updates the indices for all values of all attributes of all entries, using the index directives in slapd.conf.

slapindex [-b suffix] [-c] [-d level] [-f slapd.conf]
          [-F confdir] [-g] [-n dbnum] [-o name[=value]] [-q] [-t] [-v]
          [attr] [...]
Arg Description
-b suffix Use the specified suffix to determine which database to generate output for. The -b cannot be used in conjunction with the -n option.
-c enable continue (ignore errors) mode.
-d level enable debugging messages as defined by the specified level.
-f slapd.conf specify an alternative slapd.conf file.
-F confdir specify a config directory (for use with cn=config). If both -f and -F are specified, the config file (slapd.conf) will be read and converted to config directory format and written to the specified directory. If neither option is specified, an attempt to read the default config directory (slapd.d) will be made before trying to use the default config file. If a valid config directory exists then the default config file is ignored. If dryrun mode (-u) is also specified, no conversion will occur.
-g disable subordinate gluing. Only the specified database will be processed, and not its glued subordinates (if any).
-n dbnum Generate output for the dbnum-th database listed in the configuration file. The -n cannot be used in conjunction with the -b option.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)
-q enable quick (fewer integrity checks) mode. Does fewer consistency checks on the input data, and no consistency checks when writing the database. Improves the load time but if any errors or interruptions occur the resulting database will be unusable.
-t enable truncate mode. Truncates (empties) an index database before indexing any entries. May only be used with Quick mode (-q).
-v enable verbose mode.
attr The index is normally built from the slapd.conf file but one or more attributes may be specified on the command line.


slappasswd

Slappasswd is used to generate password strings - using a variety of algorithms - that can be used in files such as slapd.conf or LDIFs (for population of userPassword or authPassword attributes). This utility may be used to create the rootpw value. See examples below for how to add the password to the file.

slappasswd  [-v] [-u] [-s secret|-T file] [-h hash] [-c salt-format]
Arg Description
-c salt-format Defines the format of the salt used when generating {CRYPT} (DES) passwords. This string is in quoted sprintf format and may include one (and only one) %s conversion. This conversion will be substituted with a string of random characters from the set [A-Za-z0-9./]. For example, "%.2s" provides a two character salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5 algorithm and provides 8 random characters of salt. The default is "%s", which provides 31 characters of salt. For more information check the crypt(3) man page for your platform.
-h hash

If -h is not specified it defaults to {SSHA}, suitable for use with userPassword (and authPassword). If -h is specified, it may take one of the following RFC 2307 scheme values: {CRYPT}, {MD5}, {SMD5}, {SSHA}, {SHA} and {CLEARTEXT}. Note: the enclosing braces ({}) may need to be escaped depending on the shell being used.

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.

{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.

{CRYPT} uses the crypt(3) library to generate DES strings.

{CLEARTEXT} indicates that clear text will be used (no encoding of the user password will occur - pretty useful stuff).

-s secret The secret to hash or encode using the defined hash algorithm (-h). Options -s and -T are mutually incompatible. If neither -s nor -T is supplied the utility will prompt (twice) for the secret to be hashed - this method is significantly safer than specifying the secret using the -s option (which leaves it in the shell history and process list) and safer than using the -T option.
-T /path/to/file Use the entire contents of the file defined by /path/to/file as the secret to hash or encode using the defined hash algorithm (-h). Options -s and -T are mutually incompatible. If neither -s nor -T is supplied the utility will prompt (twice) for the secret to be hashed - this method is significantly safer than specifying the secret using the -s option and safer than using the -T option.
-u Generate RFC 2307 userPassword attribute values (the default) used in many ObjectClasses such as inetOrgPerson, organization, organizationalUnit. Future versions may generate alternative syntaxes by default and this option is provided for forward compatibility.
-v enable verbose mode.

slappasswd Examples

Generate a simple SSHA password suitable for use as rootpw (in slapd.conf) or for use in a LDIF file for userPassword or authPassword attributes.

# no options required
slappasswd

# prompts twice for password string and then
# outputs {SSHA}kjhfhfehflejhfvlldkl

# save to a file using normal re-direction
slappasswd > /tmp/slappassword

# generate {SSHA} encoding of password secret
slappasswd -s secret

# generate {MD5} encoding of password secret
slappasswd -s secret -h {MD5}

To place the output in LDIF or slapd.conf, save it to a file and copy and paste it into the relevant file if GUI editing tools are being used. If vi is being used, navigate to the location in the file where the password is to be inserted, then use :r !slappasswd [opts] - this runs the command and inserts its stdout into the file being edited at the cursor position. Alternatively save the output of slappasswd to a file, navigate to the insert location and execute :r /path/to/file - this inserts the file contents at the cursor position.
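Added example, not from the page or from OpenLDAP: Python that builds and verifies the RFC 2307 {SHA}, {SSHA}, {MD5} and {SMD5} values described above (digest of the secret plus seed, seed appended, base64-encoded), with a small audit helper that picks out unsalted or cleartext values in a userPassword dump. The 4-byte salt length is an assumption; {CRYPT} is not handled.

```python
import base64
import hashlib
import hmac
import secrets

# Salted schemes ({SSHA}, {SMD5}) append the salt to the digest before base64
# encoding; {SHA} and {MD5} encode the bare digest. {CRYPT} is not covered here.
_DIGEST = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
           "MD5": hashlib.md5, "SMD5": hashlib.md5}
_SALT_LEN = 4   # assumed default salt length for this example

def hash_password(secret, scheme="SSHA", salt=None):
    """Build an RFC 2307 userPassword value, e.g. {SSHA}base64(sha1(pw+salt)+salt)."""
    scheme = scheme.upper().strip("{}")
    if scheme == "CLEARTEXT":
        return secret                       # no encoding at all, as the page notes
    if scheme not in _DIGEST:
        raise ValueError("unsupported scheme " + scheme)
    if scheme not in ("SSHA", "SMD5"):
        salt = b""                          # unsalted scheme
    elif salt is None:
        salt = secrets.token_bytes(_SALT_LEN)
    digest = _DIGEST[scheme](secret.encode() + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode()

def verify_password(secret, stored):
    """Check a candidate secret against a stored value; the salt is whatever
    follows the digest bytes once the base64 is decoded."""
    if not stored.startswith("{"):          # bare value: cleartext
        return hmac.compare_digest(secret.encode(), stored.encode())
    scheme, encoded = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(secret.encode(), encoded.encode())
    if scheme not in _DIGEST:
        return False                        # {CRYPT} or unknown: not handled
    raw = base64.b64decode(encoded)
    salt = raw[_DIGEST[scheme]().digest_size:]
    expected = _DIGEST[scheme](secret.encode() + salt).digest()
    return hmac.compare_digest(expected + salt, raw)

def weak_schemes(values):
    """Audit helper: stored values that are unsalted or cleartext (re-hash candidates)."""
    weak = []
    for v in values:
        scheme = v[1:].split("}", 1)[0].upper() if v.startswith("{") else "CLEARTEXT"
        if scheme in ("SHA", "MD5", "CLEARTEXT"):
            weak.append(v)
    return weak
```

Because the seed is stored alongside the digest, two {SSHA} values for the same secret differ, which is why verification must recover the salt from the stored value rather than re-running slappasswd and comparing strings.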


slaptest

slaptest is used to check the conformance of the slapd.conf configuration file. It opens the slapd.conf configuration file and parses it according to the general and the backend-specific rules, checking its sanity. The utility also opens the database(s), so it should be used with the -u flag if verification of slapd.conf only is required. The utility is also the preferred method of converting from slapd.conf to cn=config style configurations (see examples).

slaptest  [-d  level] [-f slapd.conf] [-F confdir] 
          [-o name[=value]] [-Q] [-u] [-v]
Arg Description
-d level enable debugging messages as defined by the specified level.
-f slapd.conf specify an alternative slapd.conf file.
-F confdir specify a config directory (for use with cn=config). If both -f and -F are specified, the config file (slapd.conf) will be read and converted to config directory format and written to the specified directory. If neither option is specified, an attempt to read the default config directory (slapd.d) will be made before trying to use the default config file. If a valid config directory exists then the default config file is ignored. If dryrun mode (-u) is also specified, no conversion will occur.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)
-Q Be extremely quiet: only the exit code indicates success (0) or not (any other value).
-u Don't fail if database(s) cannot be opened, verify configuration (slapd.conf or cn=config) only.
-v enable verbose mode.

Examples

Simple verification of slapd.conf (or cn=config) in normal location - ignores database(s) if not available.

slaptest -u

Full verification of slapd.conf or cn=config and database(s):

slaptest

Convert slapd.conf to cn=config - ignore database(s):

[fc]slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -u
[bsd]slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d -u



Copyright © 1994 - 2008 ZyTrax, Inc.
Page modified: February 23 2008.