Using LDAP Tools on Linux or Solaris
eDirectory includes LDAP tools that help you manage the LDAP directory server. The following sections provide information about using LDAP tools for eDirectory.
To perform secure LDAP tools operations, refer to Ensuring Secure eDirectory Operations on Linux and Solaris Systems, and include the DER file in all command line LDAP operations that establish secure LDAP connections to eDirectory.
Modifying Entries in the LDAP Directory Server
The ldapmodify tool opens a connection to an LDAP server, binds, and modifies or adds entries. The entry information is read from standard input or from a file using the -f option.
Use the following syntax to perform ldapmodify operations:
ldapmodify [-a] [-b] [-c] [-r] [-n] [-v] [-d debuglevel] [-e key filename] [-D binddn] [[-W]|[-w passwd]] [-h ldaphost] [-p ldap-port] [-f file]
Table 111. ldapmodify Parameters
-a | Adds new entries. The default for ldapmodify is to modify existing entries.
-b | Assumes that any values that start with a slash (/) are binary values and that the actual value is in a file whose path is specified in the place where values normally appear.
-c | Continuous operation mode. Errors are reported, but ldapmodify will continue with modifications. The default is to exit after reporting an error.
-r | Replaces existing values by default.
-n | Displays what would be executed, but does not actually modify entries. Useful for debugging in conjunction with -v.
-v | Uses verbose mode, with many diagnostics written to standard output.
-F | Forces application of all changes regardless of the contents of input lines that begin with replica: (by default, replica: lines are compared against the LDAP server host and port in use to decide if a replog record should actually be applied).
-d debuglevel | Sets the LDAP debugging level to debuglevel. ldapmodify must be compiled with LDAP_DEBUG defined for this option to have any effect.
-e key filename | Certificate file name for the SSL bind.
-f file | Reads the entry modification information from file instead of from standard input.
-D binddn | Binds to the X.500 directory. binddn should be a string-represented DN as defined in RFC 1779.
-W | Prompts for the simple authentication password. Use instead of specifying the password on the command line.
-w passwd | Uses passwd as the password for simple authentication.
-h ldaphost | Specifies an alternate host on which the LDAP server is running.
-p ldapport | Specifies an alternate TCP port where the LDAP server is listening.
Example
For modifying entries in the LDAP directory server, enter the following:
ldapmodify -h xyzcompany.com -D cn=admin,o=xyzcompany -w treasure -f T01.mod
Modifying the Relative Distinguished Name of Entries in LDAP Directory Server
You can use ldapmodrdn to modify the relative distinguished name (RDN) of entries in the LDAP directory server. The ldapmodrdn tool opens a connection to an LDAP server, binds, and modifies the RDN of entries. The entry information is read from standard input, from a file using the -f option, or from the dn and rdn pair given on the command line.
Use the following syntax to perform ldapmodrdn operations:
ldapmodrdn [-r] [-n] [-v] [-c] [-d debuglevel] [-e key filename] [-D binddn] [[-W]|[-w passwd]] [-h ldaphost] [-p ldapport] [-f file] [dn rdn]
Table 112. ldapmodrdn Parameters
-r | Removes old RDN values from the entry. The default is to retain old values.
-n | Displays what would be executed, but does not actually change entries. Useful for debugging in conjunction with -v.
-v | Uses verbose mode, with many diagnostics written to standard output.
-c | Continuous operation mode. Errors are reported, but ldapmodrdn will continue with modifications. The default is to exit after reporting an error.
-d debuglevel | Sets the LDAP debugging level to debuglevel. ldapmodrdn must be compiled with LDAP_DEBUG defined for this option to have any effect.
-e key filename | Certificate file name for the SSL bind.
-f file | Reads the entry modification information from file instead of from standard input or the command line.
-D binddn | Binds to the X.500 directory. binddn should be a string-represented DN as defined in RFC 1779.
-W | Prompts for the simple authentication password. Use instead of specifying the password on the command line.
-w passwd | Uses passwd as the password for simple authentication.
-h ldaphost | Specifies an alternate host on which the LDAP server is running.
-p ldapport | Specifies an alternate TCP port where the LDAP server is listening.
Example
To modify the RDN of entries in the LDAP directory server, enter the following:
ldapmodrdn -r -D cn=admin,o=xyzcompany -w treasure cn=UserDetail,o=xyzcompany cn=UserInfo
Deleting Entries from the LDAP Directory Server
You can use ldapdelete to delete entries from the LDAP directory server. The ldapdelete tool opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more dn arguments are provided, entries with those distinguished names are deleted. Each dn should be a string-represented DN as defined in RFC 1779. If no dn arguments are provided, a list of DNs is read from standard input, or from a file if the -f flag is used.
Use the following syntax to perform ldapdelete operations:
ldapdelete [-n] [-v] [-c] [-d debuglevel] [-e key filename] [-f file] [-D binddn] [[-W]| [-w passwd]] [-h ldaphost] [-p ldapport] [dn]...
Table 113. ldapdelete Parameters
-n | Displays what would be executed, but does not actually delete entries. Useful for debugging in conjunction with -v.
-v | Uses verbose mode, with many diagnostics written to standard output.
-c | Continuous operation mode. Errors are reported, but ldapdelete will continue with deletions. The default is to exit after reporting an error.
-d debuglevel | Sets the LDAP debugging level to debuglevel. ldapdelete must be compiled with LDAP_DEBUG defined for this option to have any effect.
-e key filename | Certificate file name for the SSL bind.
-f file | Reads the list of DNs to delete from file, one DN per line, instead of from standard input.
-D binddn | Binds to the X.500 directory. binddn should be a string-represented DN as defined in RFC 1779.
-W | Prompts for the simple authentication password. Use instead of specifying the password on the command line.
-w passwd | Uses passwd as the password for simple authentication.
-h ldaphost | Specifies an alternate host on which the LDAP server is running.
-p ldapport | Specifies an alternate TCP port where the LDAP server is listening.
Example
To delete entries from the LDAP directory server, enter the following:
ldapdelete -D cn=admin,o=xyzcompany -w treasure -f T01.del
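The examples above pass T01.mod and T01.del without showing their contents. The following script, an added example that is not part of the eDirectory documentation, constructs both input files (LDIF change records for ldapmodify -f and a DN list for ldapdelete -f) and assembles the secure form of the ldapmodify command line with the DER certificate on -e, port 636 and -W. All DNs, attribute values and file names in it are constructed for illustration.

```shell
# Added example, not from the eDirectory documentation: builds the files that
# ldapmodify -f and ldapdelete -f read and assembles a secure command line.
# Every DN, attribute value and file name below is constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}

# LDIF for ldapmodify: an "add" record followed by a "modify" record. Without
# the -a switch, additions must carry an explicit "changetype: add" line.
write_mod_ldif() {
  cat > "$WORK/T01.mod" <<'EOF'
dn: cn=jsmith,o=xyzcompany
changetype: add
objectClass: inetOrgPerson
cn: jsmith
sn: Smith
mail: jsmith@xyzcompany.example

dn: cn=UserInfo,o=xyzcompany
changetype: modify
replace: description
description: Updated by the directory team
-
add: telephoneNumber
telephoneNumber: +1 555 0100
-
EOF
  printf '%s\n' "$WORK/T01.mod"
}

# Input for ldapdelete -f: one DN per line.
write_del_list() {
  cat > "$WORK/T01.del" <<'EOF'
cn=tempuser1,o=xyzcompany
cn=tempuser2,o=xyzcompany
EOF
  printf '%s\n' "$WORK/T01.del"
}

# Number of change records in an LDIF file (each record starts with "dn:").
count_records() { grep -c '^dn:' "$1"; }

# Secure invocation: trusted root DER file on -e, the LDAPS port, -W so the
# password is prompted rather than kept in shell history, -c to continue past
# a per-entry error. ldapdelete takes the same connection options.
secure_cmdline() {
  printf 'ldapmodify -c -h %s -p 636 -e %s -D cn=admin,o=xyzcompany -W -f %s\n' \
    "$1" "$2" "$WORK/T01.mod"
}
```

Run `write_mod_ldif` and `write_del_list` to create the files, then execute the line printed by `secure_cmdline <host> <DER file>` against the directory.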
Searching Entries in the LDAP Directory Server
You can use ldapsearch to search entries in the LDAP directory server. The ldapsearch tool opens a connection to an LDAP server, binds, and performs a search using the specified filter. The filter should conform to the string representation for LDAP filters as defined in RFC 2254. If ldapsearch finds one or more entries, the attributes specified by the attrs parameter are retrieved and the entries and values are printed to standard output. If no value is specified for this parameter, all attributes are returned.
Use the following syntax to perform ldapsearch operations:
ldapsearch [-n] [-u] [-v] [-t] [-A] [-C] [-L] [-R] [-d debuglevel] [-e key filename] [-F sep] [-f file] [-D binddn] [[-W]| [-w bindpasswd]] [-h ldaphost] [-p ldapport] [-b searchbase] [-s scope] [-a deref] [-l time_limit] [-z size_limit] filter [attrs...]
Table 114. ldapsearch Parameters
-n | Displays what would be executed, but does not actually perform the search. Useful for debugging in conjunction with -v.
-u | Includes the user-friendly form of the Distinguished Name (DN) in the output.
-v | Runs in verbose mode, with many diagnostics written to standard output.
-t | Writes retrieved values to a set of temporary files. This is useful for dealing with non-ASCII values such as jpegPhoto or audio.
-A | Retrieves attributes only (no values). This is useful when you only want to verify that an attribute is present in an entry and not its specific values.
-C | Chases referrals automatically.
-L | Displays search results in LDIF format. This option also turns on the -B option, and causes the -F option to be ignored.
-R | Does not automatically follow referrals returned while searching. ldapsearch must be compiled with LDAP_REFERRALS defined for referrals to be automatically followed by default, and for this option to have any effect.
-e key filename | Certificate file name for the SSL bind.
-F sep | Uses sep as the field separator between attribute names and values. The default separator is =, unless the -L flag has been specified, in which case this option is ignored.
-S attribute | Sorts the entries returned based on attribute. The default is not to sort entries returned. If the attribute is a zero-length string (""), the entries are sorted by the components of their distinguished names. Note that ldapsearch normally prints out entries as it receives them. The use of the -S option causes all entries to be retrieved, sorted, and then printed.
-d debuglevel | Sets the LDAP debugging level to debuglevel. ldapsearch must be compiled with LDAP_DEBUG defined for this option to have any effect.
-f file | Reads a series of lines from file, performing one LDAP search for each line. In this case, the filter given on the command line is treated as a pattern where the first occurrence of % is replaced with a line from file. If file is a single - character, the lines are read from standard input.
-D binddn | Binds to the X.500 directory. binddn should be a string-represented DN as defined in RFC 1779.
-W | Prompts for the simple authentication password. Use instead of specifying the password on the command line.
-w bindpasswd | Uses bindpasswd as the password for simple authentication.
-h ldaphost | Specifies an alternate host on which the LDAP server is running.
-p ldapport | Specifies an alternate TCP port where the LDAP server is listening.
-b searchbase | Uses searchbase as the starting point for the search instead of the default.
-s scope | Specifies the scope of the search. The scope should be base, one, or sub to specify a base object, one-level, or subtree search. The default is sub.
-a deref | Specifies how alias dereferencing is done. The value can be one of never, always, search, or find, to specify that aliases are never dereferenced, always dereferenced, dereferenced when searching, or dereferenced only when locating the base object for the search. The default is to never dereference aliases.
-l time_limit | Waits at most time_limit seconds for a search to complete.
-z size_limit | Retrieves at most size_limit entries for a search.
Example
To search entries in the LDAP directory server, enter the following:
ldapsearch -h xyzcompany.com -b o=xyzcompany -p 636 -e TrustedRootCert -D cn=admin,o=xyzcompany -w treasure cn=admin