Chapter 7   Command-Line Utilities

-b

Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN.

The value specified in this option should be provided in double quotation marks. For example:

-b "cn=Barbara Jensen, ou=Product Development, dc=example,dc=com"

The root DSE entry is a special entry that contains a list of all the suffixes supported by the local directory. To search this entry, you must supply a search base of "", a search scope of base and a filter of "objectclass=*". For example:

-b "" -s base "objectclass=*"

-D

Specifies the distinguished name with which to authenticate to the server. This option is optional if anonymous access is supported by your server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries. For example:

-D "uid=bjensen, dc=example,dc=com"

-g

Specifies that the password policy request control not be sent with the bind request. For details, see Netscape Directory Server Deployment Guide.

By default, the new LDAP password policy request control is sent with bind requests. The ldapsearch tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with the appropriate value.

The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it.

To suppress sending of the request control with the bind request, include -g on the command-line.

-h

Specifies the hostname or IP address of the machine on which the Directory Server is installed. If you do not specify a host, ldapsearch uses the local host. For example, -h mozilla.

-l

Specifies the maximum number of seconds to wait for a search request to complete. Regardless of the value specified here, ldapsearch will never wait longer than is allowed by the server's nsslapd-timelimit attribute. For example, -l 300. The default value for the nsslapd-timelimit attribute is 3600 seconds. See nsslapd-timelimit (Time Limit) for more information.

-p

Specifies the TCP port number that the Directory Server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636.

-s

Specifies the scope of the search. The scope can be one of the following:

base -- Search only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable.

one -- Search only the immediate children of the entry specified in the -b option. Only the children are searched; the actual entry specified in the -b option is not searched.

sub -- Search the entry specified in the -b option and all of its descendants. That is, perform a subtree search starting at the point identified in the -b option. This is the default.

-w

Specifies the password associated with the distinguished name that is specified in the -D option. If you do not specify this option, anonymous access is used. For example, -w diner892.

-x

Specifies that the search results are sorted on the server rather than on the client. This is useful if you want to sort according to a matching rule, as with an international search. In general, it is faster to sort on the server rather than on the client.

-z

Specifies the maximum number of entries to return in response to a search request. For example, -z 1000. Normally, regardless of the value specified here, ldapsearch never returns more entries than the number allowed by the server's nsslapd-sizelimit attribute. However, you can override this limitation by binding as the root DN when using this command-line argument. This is because, when you bind as the root DN, this option defaults to zero (0). The default value for the nsslapd-sizelimit attribute is 2000 entries. See nsslapd-sizelimit (Size Limit) for more information.

-K

Specifies the path, including the filename, of the private key database of the client. You may specify the absolute or relative (to the server root) path.

You must specify the -K option when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path which is specified with the -P option).

-m

Specifies the path to the security module database. For example, /usr/netscape/servers/secmod.db. You only need to specify this option if the security module database is in a different directory than the certificate database itself.

-N

Specifies the certificate name to use for certificate-based client authentication. For example, -N "Server-Cert". If this option is specified, then the -Z, -P, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w.

-P

Specifies the path, including the filename, of the certificate database of the client. You may specify the absolute or relative (to the server root) path. This option is used only with the -Z option.

When used on a machine where an SSL-enabled version of Netscape Communicator is configured, the path specified on this option can be that of the certificate database for Communicator. For example:

-P c:\security\cert.db

The client security files can also be stored on the Directory Server in the serverRoot/alias directory. In this case, the -P option would call out a path and filename similar to the following:

-P c:\netscape\servers\alias\client-cert.db

-W

Specifies the password for the private key database identified in the -P option. For example: -W serverpassword

-Z

Specifies that SSL is to be used for the search request.

-A

Specifies that the search retrieve the attributes only, not the attribute values. This option is useful if you just want to determine if an attribute is present for an entry and you are not interested in the value.

-a

Specifies how alias dereferencing is completed. Values can be never, always, search, or find. Default value is never.

-B

Print binary values. Specifies that binary values stored in the directory should be printed in the search output. If you use -B and -o together, then the binary data will not use base-64 encoding.

-F

Specify a different separator. This option can only be used with -o. This option allows you to specify a separator other than a colon ":" to separate an attribute name from the corresponding value. For example, -F +

-f

Specifies the file containing the search filter(s) to be used in the search. For example, -f search_filters. Omit this option if you want to supply a search filter directly to the command-line. For more information about search filters, see Appendix B, "Finding Directory Entries," in the Netscape Directory Server Administrator's Guide.

-G

Virtual list search. Allows you to specify the number of entries before or after the search target and the index or value of the first entry returned. For example, if you are sorting by surname, -G 20:30:johnson returns the first entry with a surname equal to or less than johnson, in addition to 20 entries that come before it and 30 entries that come after it. If there are fewer matching entries in the directory than the "before" or "after" number requested by the search, all available entries before/after the search target that match the search criteria are returned.

-i

Character set. Specifies the character set to use for command-line input. The default is the character set specified in the LANG environment variable. You might want to use this option to perform the conversion from the specified character set to UTF8, thus overriding the environment variable setting.

Using this argument, you can input the bind DN, base DN, and the search filter pattern in the specified character set. ldapsearch converts the input from these arguments before it processes the search request. For example, -i no indicates that the bind DN, base DN, and search filter are provided in Norwegian.

This argument only affects the command-line input; that is, if you specify a file containing a search filter (with the -f option) ldapsearch will not convert the data in the file.

-k

Conversion routines directory. If you want to specify a sort language that is not supported by default in this release of the Directory Server, such as one obtained from a later release of the LDAP SDK, you need to supply the directory in which you store the conversion routines. You can view the list of supported languages in Table B-1 in the Netscape Directory Server Administrator's Guide.

When performing the search, the server looks in the current working directory. However, if the conversion routines are not in the current working directory, you need to specify this option when using ldapsearch. The conversion routines directory is located by default in <NSHOME>/<ServerID>/lib/nls.

-M

Manage smart referrals. Causes the server not to return the smart referral contained on the entry but, instead, to return the actual entry containing the referral. Use this option if you are attempting to search for entries that contain smart referrals. For more information about smart referrals, see chapter 3, "Configuring Directory Databases," in the Netscape Directory Server Administrator's Guide.

-n

Specifies that the search is not actually to be performed, but that ldapsearch is to show what it would do with the specified input.

-O

Specifies the maximum number of referral hops ldapsearch should automatically follow. For example, -O 2.

-o

Specifies that the output for individual values be formatted without line breaks and that equal signs "=" be used to separate attribute names from values. This argument produces output in a non-LDIF format.

-R

Specifies that referrals are not to be followed automatically. By default, referrals are followed automatically.

-S

Specifies the attribute to use as the sort criteria. For example, -S sn. You can use multiple -S arguments if you want to further define the sort order. In the following example, the search results will be sorted first by surname and then by given name:

-S sn -S givenname

The default is not to sort the returned entries.

-T

Specifies that no line breaks should be used within individual values in the search results.

-t

Specifies that the results be written to a set of temporary files. When you use this option, each attribute value is placed in a separate file within the system temporary directory. No base-64 encoding is performed on the values, regardless of the content.

-u

Specifies that the user-friendly form of the distinguished name be used in the output.

-v

Specifies that the utility is to run in verbose mode.

-V

Specifies the LDAP version number to be used on the search. For example, -V 2. LDAPv3 is the default. You cannot perform an LDAPv3 search against a Directory Server that only supports LDAPv2.

-y

Specifies the proxy DN to use for the search. This argument is provided for testing purposes. For more information about proxied authorization, see chapter 6, "Managing Access Control," in the Netscape Directory Server Administrator's Guide.

-a

Allows you to add LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory. This option also allows you to add directly a file created by ldapsearch.

-B

Specifies the suffix under which the new entries will be added.

-D

Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries. For example, -D "uid=bjensen, dc=example,dc=com". You cannot use this option with the -N option.

-f

Optional option that specifies the file containing the LDIF update statements used to define the directory modifications. For example, -f modify_statements. If you do not supply this option, the update statements are read from stdin. For information on supplying LDIF update statements from the command-line, see chapter 2, "Creating Directory Entries," in the Netscape Directory Server Administrator's Guide.

-g

Specifies that the password policy request control not be sent with the bind request. For details, see Netscape Directory Server Deployment Guide.

By default, the new LDAP password policy request control is sent with bind requests. The ldapmodify tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with an appropriate value.

The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it.

To suppress sending of the request control with the bind request, include -g on the command-line.

-h

Specifies the name of the host on which the server is running. For example, -h cyclops.

-p

Specifies the port number that the server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636.

-q

Causes each add to be performed silently as opposed to being echoed to the screen individually.

-w

Specifies the password associated with the distinguished name specified in the -D option. For example, -w mypassword.

-R

Specifies that referrals are not to be followed automatically. By default, the server follows referrals.

-v

Specifies that the utility is to run in verbose mode.

-V

Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAPv3 is the default. You cannot perform an LDAPv3 operation against a Directory Server that only supports LDAPv2.

-y

Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see chapter 6, "Managing Access Control," in the Netscape Directory Server Administrator's Guide.

-K

Specifies the path, including the filename, of the private key database of the client. You may specify the absolute or relative (to the server root) path.

You must specify the -K option when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path for which is specified with the -P option).

-N

Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w.

-P

Specifies the path, including the filename, of the certificate database of the client. You may specify the absolute or relative (to the server root) path. This option is used only with the -Z option.

When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be pointed to the certificate database for the web browser. For example:

-P c:\security\cert.db

You can also store the client security files on the Directory Server in the serverRoot/alias directory. In this case, the -P option calls out a path and filename similar to the following: -P c:\netscape\servers\alias\client-cert.db

-W

Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.

-Z

Specifies that SSL is to be used for the directory request.

-ZZ

Specifies Start TLS request. Use this option if you want to make a clear text connection into a secure one. If the server does not support Start TLS, you do not need to abort the command; it will continue in clear text.

-ZZZ

Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS (such as Start TLS is not enabled or the certificate information is incorrect), the command is aborted immediately.

-b

Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG. For example, if you wanted to add a jpegPhoto attribute, then specify the -b option on the ldapmodify call. In the LDIF you provide to ldapmodify, include something like the following:

jpegPhoto: /tmp/photo.jpeg

ldapmodify reads the contents of the photo.jpeg file into the jpegPhoto attribute that you are placing on the entry.

On Windows, the format of this option is exactly the same (including the forward slashes, except that you can specify a drive letter). For example:

jpegPhoto: c:\tmp\photo.jpeg

As an alternative to the -b option, you can you can use the :< URL specifier notation, which is simpler to use. For example:

jpegphoto:<file:///tmp/myphoto.jpg

Although the official notation requires three ///, the use of one / is tolerated. For further information on the LDIF format, see chapter 4, "Managing Directory Entries," in the Netscape Directory Server Administrator's Guide.

-c

Specifies that the utility run in continuous operation mode. Errors are reported, but the utility continues with modifications. The default is to quit after reporting an error.

-H

Lists all available ldapmodify options.

-M

Manages smart referrals. Causes the server not to return the smart referral contained on the entry but, instead, to apply the modification request directly to the entry. Use this option if you are attempting to add, change, or delete a directory entry that contains a smart referral. For more information about smart referrals, see chapter 3, "Configuring Directory Databases," in the Netscape Directory Server Administrator's Guide.

-n

Specifies that the entries are not actually to be modified, but that ldapmodify is to show what it would do with the specified input.

-O

Specifies the maximum number of referral hops to follow. For example, -O 2.

-R

Specifies that referrals are not to be followed automatically.

-v

Specifies that the utility is to run in verbose mode.

-V

Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You can not perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.

-y

Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see chapter 6, "Managing Access Control," in the Netscape Directory Server Administrator's Guide.

-D

Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example, -D "uid=bjensen, dc=example,dc=com". For more information on access control, see chapter 6, "Managing Access Control," in the Netscape Directory Server Administrator's Guide. If you use the -D option, you cannot use the -N option.

-g

Specifies that the password policy request control not be sent with the bind request. For details, see Netscape Directory Server Deployment Guide.

By default, the new LDAP password policy request control is sent with bind requests. The ldapsdelete tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with the appropriate value.

The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it.

To suppress sending of the request control with the bind request, include -g on the command-line.

-h

Specifies the name of the host on which the server is running. For example, -h cyclops. The default is localhost.

-p

Specifies the port number that the server uses. Default is 389. If -Z is used, the default is 636.

-w

Specifies the password associated with the distinguished name specified in the -D option. For example, -w mypassword. The default is "", or anonymous. If you do not specify a password on the command-line and the server requires one, the command will prompt you to provide one. It is more secure not to provide a password on the command-line so that it does not show up in clear text in a listing of commands.

dn

Specifies the dn of the entry to delete.

-K

Specifies the path, including the filename, of the private key database of the client. You may specify the absolute or relative (to the server root) path.

You must specify the -K option when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path for which is specified with the -P option).

-N

Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert . If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w .

-P

Specifies the path, including the filename, of the certificate database of the client. You may specify the absolute or relative (to the server root) path. This option is used only with the -Z option.

When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can point to the certificate database for the web browser. For example:

-P c:\security\cert.db

The client security files can also be stored on the Directory Server in the serverRoot/alias directory. In this case, the -P option calls out a path and filename similar to the following: -P c:\netscape\servers\alias\client-cert.db

-W

Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.

-Z

Specifies that SSL is to be used for the delete request.

-ZZ

Specifies Start TLS request. Use this option if you want to make a clear text connection into a secure one. If the server does not support Start TLS, you do not need to abort the command; it will continue in clear text.

-ZZZ

Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS (such as Start TLS is not enabled or the certificate information is incorrect), the command is aborted immediately.

-c

Specifies that the utility must run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error.

-f

Specifies the file containing the distinguished names of entries to be deleted. For example, -f modify_statements. Omit this option if you want to supply the distinguished name of the entry to be deleted directly to the command-line.

-H

Lists all available ldapdelete options.

-M

Manage smart referrals. Causes the server not to return the smart referral contained on the entry but, instead, to delete the actual entry containing the smart referral. For more information about smart referrals, see chapter 3, "Configuring Directory Databases," in the Netscape Directory Server Administrator's Guide.

-n

Specifies that the entries are not actually to be deleted, but that ldapdelete is to show what it would do with the specified input.

-O

Specifies the maximum number of referral hops to follow. For example, -O 2. There is no maximum number of referral hops.

-R

Specifies that referrals are not to be followed automatically. By default, the server follows referrals.

-v

Specifies that the utility is to run in verbose mode.

-V

Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAPv3 is the default. You cannot perform an LDAPv3 operation against a Directory Server that only supports LDAPv2.

-y

Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see chapter 6, "Managing Access Control," in the Netscape Directory Server Administrator's Guide.