Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun ONE Directory Server Resource Kit 5.2 Tools Reference 

Chapter 5
The ldapdelete Tool

The ldapdelete tool is a simple command for deleting entries in a Lightweight Directory Access Protocol (LDAP) directory. This chapter provides instructions on how to use the ldapdelete tool. It contains the following sections:


In its simplest form, ldapdelete takes distinguished names (DNs), defined using the LDAP Data Interchange Format (LDIF), as input and deletes the corresponding entries. The DNs can be input on the command-line, via standard input or they can be culled from a file for bulk processing. (See Common Use Examples for information on how to use all three options.)

ldapdelete is also provided with Sun™ ONE Directory Server in the DirectoryServer_base/shared/bin directory. However, the DSRK and its updates should include the latest version of the tool in the DSRK_base/bin/dsrk52 directory.


If you use the Solaris™ operating environment, there may be an older version of ldapdelete in /usr/bin. Be sure your path is set to use the latest version in DSRK_base/bin/dsrk52.

Command Usage

The ldapdelete command binds to the given directory server and deletes each LDAP entry defined by a DN in the input.


In order to delete an entry in a directory server, the DN used for binding and authentication must have the correct permissions.

Only leaf entries, which do not have any children, may be deleted from a directory using ldapdelete. For example, when deleting a subtree representing an organizational unit, you must first delete all the entries it contains before deleting the entry representing the organizational unit. Thus, when deleting DNs listed in a file, ldapdelete will process each delete operation separately, in the order they are defined in the file. Therefore, DNs representing leaf entries must be listed before the DNs for their parent entries.


The syntax of ldapdelete on the command-line can take any of these forms:

ldapdelete [ options ]

ldapdelete [ options ] "DN" ...

ldapdelete [ options ] < DNfile

ldapdelete [ options ] -f DNfile


In its first and second forms, the tool will expect you to type one or more DNs to the standard input. Once you enter all DNs and the EOF (end-of-file) marker, ldapdelete will process your input and perform all operations.


The EOF marker is platform dependent:

  • Type Control-D (^d) on most UNIX systems.
  • Type Control-Z (^z) and press Enter on Windows NT.

The last two forms take a DNfile as input. The first of the two uses < (the less than symbol) to take the input from the specified file instead of the keyboard. The final syntax does the same by using the -f option. Some samples of syntax and update statements are given in Common Use Examples.


For general information on LDIF, see Appendix E, “LDAP Data Interchange Format,” in the Sun ONE Directory Server Reference Manual). Additional information on LDIF and update statements is in “Managing Entries From the Command Line” in Chapter 2 of the Sun ONE Directory Server Administration Guide.


The ldapdelete tool has three types of options:

The following sections detail these options. The ldapdelete -H command and option when run on the command-line will display brief descriptions of all the command-line options.

Common Options

The common options listed in Table 5-1 control the binding and general behavior of the ldapdelete command.

Table 5-1  Common Options for ldapdelete 






Specify the hostname of the directory server. When this option is omitted, the default is localhost.



Specify the port number for accessing the directory server host. The default is 389 normally and 636 when the SSL options are used.



Specify a bind DN for accessing your directory, usually in double quotes ("") for the shell. If the bind DN and its password are omitted, the tool will use anonymous binding. The bind DN determines what entries may be deleted, according to the DN’s access permissions.



Specify the password for the bind DN. CAUTION: Specifying the password on the command-line is a possible security risk.



Type the password for the bind DN when prompted. This is the most secure way of specifying the password.



Specify a file containing the password for the bind DN. Use this option in scripts and place the password in a secure file to protect the password. This option is mutually exclusive with the -w option.



Give the name of a file containing the DNs of entries to be deleted. The DNs should be listed one per line in this file, in the order in which they must be deleted. When this option is omitted, ldapdelete will read DNs directly from the standard input.



Specify the LDAP protocol version number to be used for the delete operation, either 2 or 3. LDAP v3 is the default; only specify LDAP v2 when connecting to servers that do not support v3.



Specify the proxy DN to use for the delete operation, usually in double quotes ("") for the shell. For more information about proxy authorization, see Chapter 6, “Managing Access Control,” in the Sun ONE Directory Server Administration Guide.



Manage smart referrals: when they are the target of the operation, delete the actual entry containing the referral instead of the entry obtained by following the referral. For more information, see “Creating Smart Referrals” in Chapter 2 of the Sun ONE Directory Server Administration Guide.



(Capital letter O) Specify the maximum number of referral hops to follow while finding an entry to delete. By default, there is no limit.



Specify that referrals should not be followed. By default, referrals are followed automatically.



Verbose output mode: the tool will display additional information about the operations it performs.



No-op mode: use with the -v option to show what the tool would do with the given input but do not perform the delete operations.



Allow runtime library version mismatches. When this option is omitted, the default behavior is to assert that the revision number of the LDAP API is greater than or equal to that used to compile the tool. Also, if the API library and the tool have the same vendor name, the tool will also assert that the vendor version number of the API is greater than or equal to that used to compile the tool. This information is based on the contents of the LDAPAPIInfo structure. (See the Sun ONE LDAP SDK for C Programming Guide.)



Display the usage help text that briefly describes all options.

Input And Output Options

The input and output options listed in Table 5-2 control how ldapdelete processes input files and handles errors.

Table 5-2  Input and Output Options for ldapdelete 






Specify the character set to use for command-line input. The default is the character set specified in the LANG environment variable. This option can be used to convert from the specified character set to UTF8, thus overriding the LANG setting. Using this argument, you can also input the bind DN and target DNs in a specific character set. The ldapdelete tool converts the input before it processes the search request. For example, -i no indicates that the bind DN and target DNs are provided in Norwegian. This option affects only the command-line input; that is, if you specify a file containing DNs (with the -f option), ldapdelete will not convert the data in the file.



Specify the path to a directory containing conversion routines. These routines are used if you wish to specify a locale that is not supported by default by your directory server. For more information, see Appendix C, “Directory Internationalization” in the Sun ONE Directory Server Reference Manual.



Continuous mode: when errors are reported, the ldapdelete tool will continue processing input and performing operations. When this option is omitted, the default is to quit after reporting an error.

SSL (Secure Socket Layer) Options

The options in Table 5-3 allow you to use LDAPS (LDAP over SSL) to establish a secure connection for the delete operation. These options are valid only when LDAPS has been enabled and configured in your SSL-enabled directory server. For information on certificate-based authentication and creating a certificate database for use with LDAP clients, see Chapter 11, “Implementing Security,” in the Sun ONE Directory Server Administration Guide. See Using Authentication for examples using the SSL options.


Only the -P option is required for server authentication. For a more secure client authentication, the -P, -N, -K and -W options are required.

Table 5-3  SSL Options for ldapdelete 






Specify the path and filename of the client’s certificate database. This file may be the same as the certificate database for an SSL-enabled version of Netscape™ Communicator, if available; for example:
-P /home/uid/.netscape/cert7.db.

When using the command on the same host as the directory server, you may use the server’s own certificate database, for example:
-P installDir/slapd-serverID/alias/cert7.db.

Use the -P option alone to specify server authentication only.



Specify that SSL be used to provide certificate-based client authentication. This option requires the -N and -W options and any other of the SSL options needed to identify the certificate and the key database.



Specify the certificate name to use for certificate-based client authentication, for example: -N "Directory-Cert".



Specify the path to the security module database. For example, /usr/iplanet/servers/slapd-serverID/secmodule.db. You need to specify this option only if the security module database is in a different directory from the certificate database itself.



Specify the file and path name of the client’s private key database. This option may be omitted if the key database is in the location already given by the -P option.



Specify the password for the client’s key database given in the -K or -P options. This option is required for certificate-based client authentication.

Return Values

The ldapdelete tool is based on the Sun ONE LDAP SDK for C and its return values are those of the functions it uses, such as ldap_simple_bind_s() and ldap_delete_ext_s(). These functions return both client-side and server-side errors and codes. Table 5-4 shows the possible return values when the directory is hosted on a Sun ONE Directory Server. Other LDAP servers may send these values under different circumstances or may send different values. They may also send other result codes entirely; for example, custom result codes from a custom plug-in. For further information about result codes, see the Sun ONE LDAP SDK for C Programming Guide.

Table 5-4  Return Values of ldapdelete 

Return Value

Result Code
and Explanation

  0 (0x00)

LDAP_SUCCESS: the operation was successful.

  1 (0x01)

LDAP_OPERATIONS_ERROR: sent by Directory Server for general errors encountered by the server when processing the request.

  2 (0x02)

LDAP_PROTOCOL_ERROR: the delete request did not comply with the LDAP protocol. Directory Server may send this error code in the results for a variety of reasons, such as encountering an error when decoding the BER-encoded request.

10 (0x0a)

LDAP_REFERRAL: sent by Directory Server if the specified DN is an entry not handled by the current server and the referral URL identifies a different server to handle the entry.

32 (0x20)

LDAP_NO_SUCH_OBJECT: sent by Directory Server if the entry that you want deleted does not exist and no referral URLs are available.

50 (0x32)

LDAP_INSUFFICIENT_ACCESS: sent by Directory Server if the DN used for authentication does not have permission to write to the entry.

53 (0x35)

LDAP_UNWILLING_TO_PERFORM: sent by Directory Server if the database is read-only.

66 (0x42)

LDAP_NOT_ALLOWED_ON_NONLEAF: sent by Directory Server if the entry that you want deleted has child entries (i.e.: if this entry is a parent entry to other entries).

81 (0x51)

LDAP_SERVER_DOWN: the LDAP server did not receive the request or the connection to the server was lost.

82 (0x52)

LDAP_LOCAL_ERROR: an error occurred when receiving the results from the server.

83 (0x53)

LDAP_ENCODING_ERROR: BER-encoding the request is not possible.

84 (0x54)

LDAP_DECODING_ERROR: an error occurred when decoding the BER-encoded results from the server.

89 (0x59)

LDAP_PARAM_ERROR: one of the options or parameters is invalid.

90 (0x5a)

LDAP_NO_MEMORY: memory cannot be allocated as needed.

91 (0x5b)

LDAP_CONNECT_ERROR: the specified hostname or port is invalid.

92 (0x5c)

LDAP_NOT_SUPPORTED: the -V 2 option is needed to access a server that only supports LDAP v2.

Common Use Examples

The examples in this section demonstrate common uses of the ldapdelete tool. All examples assume the following context:

Using the Command Line

The simplest usage of the tool is to specify the target DNs on the command-line, making sure to enclose them in double quote marks for the shell. In addition, special characters such as commas must be escaped with a backslash (\) when they appear in components of a DN on the command-line. In the following example, the user bjensen wishes to delete an entry in the “Company Bolivia, S.A.” subtree of the directory:

$ ldapdelete -h hostname -D "uid=bjensen,dc=Company,dc=com" -w bindPassword "cn=Lucia Fuentes,ou=People,o=Company Bolivia\S.A."

Using the Standard Input

Using the -v and -c options, you can enter DNs interactively through the standard input. In Code Example 5-1, user bjensen wishes to remove an entry but at first enters the DN incorrectly. bjensen is typing the lines in bold.

Code Example 5-1  Using lapdelete via Standard Input

$ ldapdelete -h hostname -v -c -D "uid=bjensen,dc=example,dc=com" -w bindPassword

ldapdelete: started Thu Jun 14 11:34:17 2001

ldap_init( host, 389 )

$ cn=Pete Mimsky,ou=People,dc=example,dc=com

deleting entry cn=Pete Mimsky,ou=People,dc=example,dc=com

ldap_delete: No such object

$ cn=Pete Minsky,ou=People,dc=example,dc=com

deleting entry cn=Pete Minsky,ou=People,dc=example,dc=com

entry removed

$ ^D

Using a DN File

For bulk operations, list all of the DNs to delete in a text file. This text file should specify each DN on a separate line. The ldapdelete command will perform a delete operation on each entry, in the order in which they appear in the file. For example:

cn=Pete Minsky,ou=People,dc=example,dc=com
cn=Sue Jacobs,ou=People,dc=example,dc=com

Use the -f option to specify this DNfile on the command-line. Use the -c option so that bulk processing will continue even if errors are encountered.

$ ldapdelete -h hostname -c -f DNfile -D "uid=bjensen,dc=example,dc=com" -w bindPassword

Using Authentication

There are two levels of authentication that the directory server may enforce on clients such as the ldapdelete tool: server authentication and client authentication. In server authentication, the server only accepts connections from clients that have a trusted certificate. In the stronger client authentication, the client must sign the certificate with a password-protected private key.


In both cases, use the -p option to specify the directory server’s SSL port. All other non-SSL options retain their original meaning and may be used as necessary.

Using Server Authentication

To run the ldapdelete tool with server authentication, give only the -P SSL option [as discussed in SSL (Secure Socket Layer) Options] on the command-line, in addition to other options.

$ ldapdelete -h hostname -p 636 -f DNfile \
             -D "uid=bjensen,dc=siroe,dc=com" -w bindPassword \
              -P /home/bjensen/certs/cert.db

Using Client Authentication

To perform an update with client authentication, you must give all SSL options [as discussed in SSL (Secure Socket Layer) Options], on the command-line in addition to other common options.

$ ldapdelete -h hostname -p 636 -f DNfile -Z \
             -P /home/bjensen/security/cert.db -N "bjscert" \
             -K /home/bjensen/security/key.db -W KeyPassword


Do not use the -D and -w common options with client authentication, as the bind operation will use the authentication credentials specified with -D and -w instead of the certificate credentials desired.

Previous      Contents      Index      Next     

Copyright 2004 Sun Microsystems, Inc. All rights reserved.