6.6. ldapdelete

ldapdelete performs delete operations on directory entries via LDAP.

Syntax

ldapdelete [ optional_options ]

Commonly-Used ldapdelete Options

Option Description
-D Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example:
-D "uid=bjensen, dc=example,dc=com"
For more information on access control, see the "Managing Access Control" chapter in the Directory Server Administration Guide. The -D option cannot be used with the -N option.
dn Specifies the distinguished name (DN) of the entry to delete.
-g Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests. The ldapdelete tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with the appropriate value. The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it. To suppress sending of the request control with the bind request, include -g on the command-line.
-h Specifies the name of the host on which the server is running. For example:
-h cyclops
The default is localhost.
-p Specifies the port number that the server uses. The default is 389. If -Z is used, the default is 636.
-w Specifies the password associated with the distinguished name specified in the -D option. For example:
-w mypassword
The default is "", or anonymous. If a password is not sent on the command line and the server requires one, the command prompts for one. It is more secure not to provide a password on the command line so that it does not show up in clear text in a listing of commands.
Table 6.14. Commonly-Used ldapdelete Options

SSL Options

Use the following options to specify that ldapdelete use LDAPS when communicating with the Directory Server or to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for the Directory Server. For more information on certificate-based authentication and how to create a certificate database for use with LDAP clients, see the "Managing SSL" and "Managing SASL" chapters in the Directory Server Administration Guide.

Ensure that the Directory Server's encrypted port is set when using these options.

Option Description
-3 Specifies that hostnames should be checked in SSL certificates.
-I Specifies the SSL key password file that contains the token:password pair.
-K Specifies the path, including the filename, of the private key database of the client. Either the absolute or relative (to the server root) path can be used. The -K option must be used when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path for which is specified with the -P option).
-N Specifies the certificate name to use for certificate-based client authentication. For example:
-N Server-Cert
If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w.
-P Specifies the absolute path, including the filename, of the certificate database of the client. This option is used only with the -Z option.
When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can point to the certificate database for the web browser. For example:
-P /security/cert.db
The client security files can be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option calls out a path and filename similar to the following:
-P /etc/dirsrv/slapd-instance_name/client-cert.db
-Q Specifies the token and certificate name, separated by a colon (:), for PKCS #11.
-W Specifies the password for the certificate database identified on the -P option. For example:
-W serverpassword
-Z Specifies that SSL is to be used for the delete request.
-ZZ Specifies the Start TLS request. Use this option to upgrade a cleartext connection into a secure one. If the server does not support Start TLS, the command is not aborted; it continues in plain text.
-ZZZ Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS, for example because Start TLS is not enabled or the certificate information is incorrect, the command is aborted immediately.
Table 6.15. ldapdelete SSL Options

SASL Options

SASL mechanisms can be used to authenticate a user, with the -o option supplying the required SASL information.

To learn which SASL mechanisms are supported, search the root DSE. See the -b option in Table 6.3, “Commonly-Used ldapsearch Options”.

Option Description
-o Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six values:
  • mech
  • authid
  • authzid
  • secProp
  • realm
  • flags
The expected values depend on the supported mechanism. The -o option can be used multiple times to pass all of the required SASL information for the mechanism. For example:
-o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"
Table 6.16. SASL Options

See SASL Options for information on how to use SASL options with ldapdelete.

Additional ldapdelete Options

Option Description

-c Specifies that the utility must run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error.
-f Specifies the file containing the distinguished names of entries to be deleted. For example:
-f modify_statements
Omit this option to supply the distinguished name of the entry to be deleted directly on the command line.
-H Lists all available ldapdelete options.
-M Manages smart referrals. This causes the server not to return the smart referral contained on the entry but, instead, to delete the actual entry containing the smart referral. For more information about smart referrals, see the "Configuring Directory Databases" chapter in the Directory Server Administration Guide.
-n Specifies that the entries are not actually to be deleted, but that ldapdelete is to show what it would do with the specified input.
-O Specifies the maximum number of referral hops to follow. For example:
-O 2
By default, there is no maximum number of referral hops.
-R Specifies that referrals are not to be followed automatically. By default, the server follows referrals.
-v Specifies that the utility is to run in verbose mode.
-V Specifies the LDAP version number to be used on the operation. For example:
-V 2
LDAPv3 is the default. An LDAPv3 operation cannot be performed against a Directory Server that only supports LDAPv2.
-Y Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see the "Managing Access Control" chapter in the Directory Server Administration Guide.
Table 6.17. Additional ldapdelete Options
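The tables above spell out several option interactions that fail quietly if ignored: -D and -N cannot be combined, -N requires -Z and -W, -ZZ silently continues in plain text while -ZZZ aborts, and -w exposes the bind password in a process listing. The following wrapper, an added example that is not part of the Directory Server documentation, builds an ldapdelete argument vector that enforces those rules and runs a -n dry run before the real deletion. It assumes ldapdelete is on the PATH; the function names and the hypothetical DNs and paths are constructed for the example.

```python
import subprocess

def ldapdelete_argv(dns, host="localhost", port=None, bind_dn=None,
                    cert_name=None, cert_db=None, cert_db_pw=None,
                    tls="starttls-required", dry_run=True, continuous=False):
    """Build argv for one ldapdelete call, enforcing the option rules from
    the reference above. -w is never emitted: a password on the command
    line is visible in a process listing, so ldapdelete is left to prompt."""
    if bind_dn and cert_name:
        raise ValueError("-D and -N are mutually exclusive")
    if cert_name and tls != "ldaps":
        raise ValueError("-N requires -Z (LDAPS)")
    if cert_name and not (cert_db and cert_db_pw):
        raise ValueError("-N requires -P and -W")
    if not dns:
        raise ValueError("nothing to delete")
    if port is None:
        port = 636 if tls == "ldaps" else 389      # defaults from the -p row
    argv = ["ldapdelete", "-h", host, "-p", str(port)]
    if tls == "ldaps":
        argv.append("-Z")
    elif tls == "starttls-required":
        argv.append("-ZZZ")   # abort if Start TLS fails, never fall back
    elif tls == "starttls":
        argv.append("-ZZ")    # opportunistic: may continue in cleartext
    else:
        raise ValueError("unknown tls mode %r" % tls)
    if cert_name:
        # certificate-based bind; -D/-w deliberately absent so it really occurs
        argv += ["-N", cert_name, "-P", cert_db, "-W", cert_db_pw]
    elif bind_dn:
        argv += ["-D", bind_dn]   # password is prompted for, not passed
    if dry_run:
        argv.append("-n")          # show what would be deleted, delete nothing
    if continuous:
        argv.append("-c")          # keep going after an error instead of quitting
    return argv + list(dns)

def delete_entries(dns, **kw):
    """Dry-run first (-n); only run the real deletion if the dry run exits 0.
    Returns the exit status of the last ldapdelete call that ran."""
    for dry in (True, False):
        rc = subprocess.call(ldapdelete_argv(dns, dry_run=dry, **kw))
        if rc != 0:
            return rc
    return 0
```

Call delete_entries with the same keyword arguments you would pass to ldapdelete_argv (except dry_run), for example delete_entries(["uid=bjensen,dc=example,dc=com"], bind_dn="cn=Directory Manager").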