B
LDAP Command-Line Tools

LDAP protocol operations are divided into three categories: authentication, interrogation, and update and control. The LDAP C-API provides a number of simple command-line tools that together cover all three categories.

The appendix covers the following topics:

• LDAP Command-Line Tools
• Optional Arguments for Command-Line Tools

LDAP Command-Line Tools

This section introduces six popular command-line tools. The section "Optional Arguments for Command-Line Tools", immediately following, defines the optional arguments used in the command descriptions and examples.

These are the six commands:

• ldapbind
• ldapsearch
• ldapadd
• ldapdelete
• ldapmodify
• ldapmoddn

---

ldapbind

Use the command-line tool ldapbind to authenticate to a directory server. You can also use ldapbind to find out if the server is running.

Syntax

ldapbind [options]

Example

ldapbind -h myhost -p 389 -D "cn=orcladmin" -w welcome

This command authenticates user orcladmin to the directory server myhost located at port 389, using the password welcome.

---

ldapsearch

Use the command-line tool ldapsearch to search for specific entries in a directory. ldapsearch opens a connection to a directory, authenticates the user performing the operation, searches for the specified entry, and prints the result in a format that the user specifies.

Syntax

ldapsearch  [options]  filter [attributes]

Example

ldapsearch -h myhost -p 389 -s base -b "ou=people,dc=acme,dc=com" \ 
"objectclass=*"

This command searches the directory server myhost, located at port 389. The scope of the search (-s) is base, and the part of the directory searched is the base DN (-b) designated. The search filter "objectclass=*" means that values for all of the entry's object classes are returned. No attributes are returned because they have not been requested. The example assumes anonymous authentication because authentication options are not specified.

---

ldapadd

Use the command-line tool ldapadd to add entries to the directory. ldapadd opens a connection to the directory and authenticates the user. Then it opens the LDIF file supplied as an argument and adds, in succession, each entry in the file.

Syntax

ldapadd [options] [-f LDIF-filename]

Example

ldapadd -h myhost -p 389 -D "cn=orcladmin" -w welcome -f jhay.ldif

Using this command, user orcladmin authenticates to the directory myhost, located at port 389. The command then opens the file jhay.ldif and adds its contents to the directory. The file might, for example, add the entry uid=jhay,cn=Human Resources,cn=acme,dc=com and its object classes and attributes.

---

ldapdelete

Use the command-line tool ldapdelete to remove leaf entries from a directory. ldapdelete opens a connection to a directory server and authenticates the user. Then it deletes specified entries.

Syntax

ldapdelete [options] "entry DN"

Example

ldapdelete -h myhost -p 389 -D "cn=orcladmin" -w welcome \
"uid=hricard,ou=sales,ou=people,dc=acme,dc=com"

This command authenticates user orcladmin to the directory myhost, using the password welcome. Then it deletes the entry uid=hricard,ou=sales,ou=people,dc=acme,dc=com.

---

ldapmodify

Use the command-line tool ldapmodify to modify existing entries. ldapmodify opens a connection to the directory and authenticates the user. Then it opens the LDIF file supplied as an argument and modifies the LDAP entries specified by the file.

ldapmodify uses a modified form of an LDIF file. Within the file itself, you use the attribute changetype to specify the type of change. An example is changetype: add.

Four types of changes are possible:

• add--adds a new entry
• modify--changes an existing entry, that is, it adds, deletes, or replaces attributes of the entry
• delete--deletes an existing entry
• modrdn--modifies the RDN of an existing entry

Syntax

ldapmodify [options] [-f LDIF-filename]

Example

ldapmodify -h myhost -p 389 -D "cn=orcladmin" -w welcome -f hricard.ldif

Using this command, user orcladmin authenticates to the directory myhost, located at port 389. The command then opens the file hricard.ldif and modifies the directory entries specified by the file. The file might, for example, change the telephone number attribute of entry uid=hricard,cn=sales,cn=acme,dc=com.

---

ldapmoddn

Use the command-line tool ldapmoddn to:

• change the RDN of an entry
• move an entry or subtree to another location in the directory

Syntax

ldapmoddn [options] -b "current DN" -R "new RDN" -N "new Parent"

Example

ldapmoddn -h myhost -p 389 -D "cn=orcladmin" -w welcome \
-b "uid=oball,ou=sales,ou=people,dc=acme,dc=com" \
-N "ou=marketing,ou=people,dc=acme,dc=com"

This command authenticates user orcladmin to the directory myhost, using the password welcome. Then it assigns to the entry uid=oball,ou=sales,ou=people,dc=acme,dc=com a new parent entry, ou=marketing,ou=people,dc=acme,dc=com.

Optional Arguments for Command-Line Tools

Table B-1 defines the optional arguments used in the command descriptions and examples.

Table B-1 Commonly Used Command-Line Options

Option	Description
-h	The host name of the directory server
-p	The port number of the directory server
-D	The bind DN--that is, the user authenticating to the directory
-w	The bind password in simple authentication
-W	Wallet location for one- or two-way SSL authentication
-P	Wallet password
-U	SSL authentication mode: 1 for no authentication 2 for one-way authentication 3 for two-way authentication
-bFoot 1	The base DN for a search:
-sFoot 2	Search scope: base--the entry requested one--the entries just below the requested entry sub--the entire subtree
-f	The LDIF file containing additions, deletions, or modifications
-R	New RDN
-N	New parent for an entry or subtree that is moved

1 Mandatory for ldapsearch 2 Mandatory for ldapsearch