Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Syntax for LDIF and Command-Line Tools, 4 of 10


Entry and Attribute Management Command-Line Tools Syntax

This section tells you how to use the following tools:

The Catalog Management Tool (catalog.sh) Syntax

Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the cn=catalogs entry lists available attributes that can be used in a search. You can index only those attributes that have:

If you want to use additional attributes in search filters, then you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool.

Before running catalog.sh, be sure that the directory server is either stopped or in read-only mode. Otherwise, data will be inconsistent.


Caution:

Do not use the catalog.sh -delete option on indexes created by the Oracle Internet Directory base schema. Removing indexes from base schema attributes can adversely impact the operation of Oracle Internet Directory.



Note:

To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:


The Catalog Management tool uses this syntax:

catalog.sh -connect connect_string {-add|-delete} {-attr attr_name|-file file_name}

Table A-6  Arguments for the Catalog Management Tool (catalog.sh)
Argument Description

-connect connect_string

Specifies the connect string to connect to the directory database. This argument is mandatory.

See Also: Oracle9i Net Services Administrator's Guide in the Oracle Database Documentation Library

-add -attr attr_name

Indexes the specified attribute

-delete -attr attr_name

Drops the index from the specified attribute

-add -file file_name

Indexes attributes (one for each line) in the specified file

-delete -file file_name

Drops the indexes from the attributes in the specified file

When you enter the catalog.sh command, the following message appears:

This tool can only be executed if you know the OiD user password.
Enter OiD password:

If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:

Cannot execute this tool

To effect the changes after running the Catalog Management tool, stop, then restart, the Oracle directory server.

See Also:

ldapadd Syntax

The ldapadd command-line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify Syntax".

See Also:

"Adding Configuration Set Entries by Using ldapadd" for an explanation of using ldapadd to configure a server with an input file

ldapadd uses this syntax:

ldapadd [arguments] -f file_name

where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The following example adds the entry specified in the LDIF file
my_ldif_file.ldi:

ldapadd -p 389 -h myhost -f my_ldif_file.ldi

Table A-7  Arguments for ldapadd
Optional Arguments Description

-b

Specifies that you have included binary file names in the file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced.

-c

Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.)

-D "binddn"

When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory".

-f file_name

Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "LDAP Data Interchange Format (LDIF) Syntax".

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-K

Same as -k, but performs only the first step of the Kerberos bind

-k

Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket.

-M

Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-n

Shows what would occur without actually performing the operation

-O ref_hop_limit

Specifies the number of referral hops that a client should process. The default value is 5.

-p directory_server_port_number

Connects to the directory on TCP port directory_server_port_number. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies wallet password required for one-way or two-way SSL connections

-U SSLAuth

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-v

Specifies verbose mode

-V ldap_version

Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.

-w password

Provides the password required to connect

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections.

For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

-X dsml_file

Specifies the input name of the DSML format import data file.

ldapaddmt Syntax

ldapaddmt is like ldapadd: It enables you to add entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.

While it is processing LDIF entries, ldapaddmt logs errors in the add.log file in the current directory.

ldapaddmt uses this syntax:

ldapaddmt -T number_of_threads -h host -p port -f file_name

where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The following example uses five concurrent threads to process the entries in the file myentries.ldif.

ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif


Note:

Increasing the number of concurrent threads improves the rate at which LDIF entries are created, but consumes more system resources.


Table A-8  Arguments for ldapaddmt
Optional Arguments Description

-b

Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced.

-c

Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.)

-D "binddn"

When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory"

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-K

Same as -k, but performs only the first step of the Kerberos bind

-k

Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket.

-M

Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-n

Shows what would occur without actually performing the operation.

-O ref_hop_limit

Specifies the number of referral hops that a client should process. The default value is 5.

-p ldapport

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies wallet password required for one-way or two-way SSL connections

-T

Sets the number of threads for concurrently processing entries

-U SSLAuth

Specifies SSL Authentication Mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-v

Specifies verbose mode

-V ldap_version

Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.

-w password

Provides the password required to connect

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

-X dsml_file

Specifies the input name of the DSML format import data file.

ldapbind Syntax

The ldapbind command-line tool enables you to see whether you can authenticate a client to a server.

ldapbind uses this syntax:

ldapbind [arguments]

Table A-9  Arguments for ldapbind
Arguments Description

-D "binddn"

When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory".

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-n

Shows what would occur without actually performing the operation

-p ldapport

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies the wallet password required for one-way or two-way SSL connections

-U SSLAuth

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-V ldap_version

Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.

-w password

Provides the password required to connect

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

-O sasl_security_properties

Specifies SASL security properties. The security property supported is -O "auth". This security property is for DIGEST-MD5 SASL mechanism. It enables authentication with no data integrity or data privacy.

-Y sasl_mechanism

Specifies a SASL mechanism. These mechanisms are supported:

  • -Y "DIGEST-MD5"

  • -Y "EXTERNAL": The SASL authentication in this mechanism is done on top of two-way SSL authentication. In this case the identity of the user stored in the SSL wallet is used for SASL authentication.

-R sasl_realm

Specifies a SASL realm

ldapcompare Syntax

The ldapcompare command-line tool enables you to match attribute values you specify in the command line with the attribute values in the directory entry.

ldapcompare uses this syntax:

ldapcompare [arguments] 

The following example tells you whether Person Nine's title is associate.

ldapcompare -p 389 -h myhost -b "cn=Person Nine,ou=EuroSInet Suite,o=IMC,c=US" -a title -v associate

Table A-10  Arguments for ldapcompare
Optional Arguments Description

-a attribute name

Specifies the attribute on which to perform the compare. This argument is mandatory.

-b "basedn"

Specifies the distinguished name of the entry on which to perform the compare. This argument is mandatory.

-v attribute value

Specifies the attribute value to compare. This argument is mandatory.

-D binddn

When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w password option.

-d debug-level

Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility".

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory".

-f file_name

Specifies the input file name

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-M

Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-O ref_hop_limit

Specifies the number of referral hops that a client should process. The default value is 5.

-p ldapport

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies wallet password required for one-way or two-way SSL connections

-U SSLAuth

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-V ldap_version

Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.

-w password

Provides the password required to connect

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

ldapdelete Syntax

The ldapdelete command-line tool enables you to remove entire entries from the directory that you specify in the command line.

ldapdelete uses this syntax:

ldapdelete [arguments] ["entry_DN" | -f input_file_name]


Note:

If you specify the entry DN, then do not use the -f option.


The following example uses port 389 on a host named myhost.

ldapdelete -p 389 -h myhost "ou=EuroSInet Suite, o=IMC, c=US"

Table A-11  Arguments for ldapdelete
Optional Argument Description

-D "binddn"

When authenticating to the directory, uses a full DN for the binddn parameter--that is, the DN of the user seeking authentication; typically used with the -w password option.

-d debug-level

Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility".

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory".

-f input_file_name

Specifies the input file name

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-k

Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket.

-M

Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-n

Shows what would be done, but doesn't actually delete

-O ref_hop_limit

Specifies the number of referral hops that a client should process. The default value is 5.

-p ldapport

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies wallet password required for one-way or two-way SSL connections

-U SSLAuth

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-v

Specifies verbose mode

-V ldap_version

Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.

-w password

Provides the password required to connect.

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

ldapmoddn Syntax

The ldapmoddn command-line tool enables you to modify the DN or RDN of an entry.

ldapmoddn uses this syntax:

ldapmoddn [arguments]

The following example uses ldapmoddn to modify the RDN component of a DN from "cn=mary smith" to "cn=mary jones". It uses port 389, and a host named myhost.

ldapmoddn -p 389 -h myhost -b "cn=mary smith,dc=Americas,dc=imc,dc=com" -R "cn=mary jones"

Table A-12  Arguments for ldapmoddn
Argument Description

-b "basedn"

Specifies DN of the entry to be moved. This argument is mandatory.

-D "binddn"

When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory".

-f file_name

Specifies the input file name

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-M

Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-N newparent

Specifies new parent of the RDN. Either this argument or the -R argument must be specified.

-O ref_hop_limit

Specifies the number of referral hops that a client should process. The default value is 5.

-p ldapport

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies wallet password required for one-way or two-way SSL connections

-r

Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry.

-R newrdn

Specifies new RDN. Either this argument or the -N argument must be specified.

-U SSLAuth

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-V ldap_version

Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.

-w password

Provides the password required to connect.

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

ldapmodify Syntax

The ldapmodify tool enables you to act on attributes.

ldapmodify uses this syntax:

ldapmodify [arguments] -f file_name

where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The list of arguments in the following table is not exhaustive. These arguments are all optional.

Table A-13  Arguments for ldapmodify
Argument Description

-a

Denotes that entries are to be added, and that the input file is in LDIF format.

-b

Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.

-c

Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.)

-D "binddn"

When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory".

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-M

Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-n

Shows what would occur without actually performing the operation.

-o log_file_name

Can be used with the -c option to write the erroneous LDIF entries in the logfile. You must specify the absolute path for the log file name.

-O ref_hop_limit

Specifies the number of referral hops that a client should process. The default value is 5.

-p ldapport

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies wallet password required for one-way or two-way SSL connections

-U SSLAuth

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-v

Specifies verbose mode

-V ldap_version

Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.

-w password

Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

To run modify, delete, and modifyrdn operations using the -f flag, use LDIF for the input file format (see "LDAP Data Interchange Format (LDIF) Syntax") with the specifications noted in this section:

If you are making several modifications, then, between each modification you enter, add a line that contains a hyphen (-) only. For example:

dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
add: work-phone
work-phone: 510/506-7000
work-phone: 510/506-7001
-
delete: home-fax

Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.

Line 1: Every change record has, as its first line, the literal dn: followed by the DN value for the entry, for example:

dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US

Line 2: Every change record has, as its second line, the literal changetype: followed by the type of change (add, delete, modify, modrdn), for example:

changetype: modify

or

changetype: modrdn

Format the remainder of each record according to the following requirements for each type of change:

To specify an attribute as single-valued, include in the attribute definition entry in the LDIF file the keyword SINGLE-VALUE with surrounding white space.
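
The LDIF rules stated above (dn: first, changetype: second, a "-" line between modifications, no stray whitespace) can be checked before the file ever reaches the server. The following shell script is an added example, not part of the Oracle guide: lint_ldif implements those checks with awk, the two sample files are constructed here (the second deliberately breaks two rules), and check_then_modify is a hypothetical wrapper that runs the lint and then an ldapmodify -n dry run; LDAP_HOST, LDAP_PORT, BIND_DN and BIND_PW are assumed environment variables.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: a pre-flight lint for an LDIF change
# file before it goes to "ldapmodify -f". It enforces the rules this section
# states: a record opens with "dn:", its second line is "changetype:" with one of
# add/delete/modify/modrdn, the modifications of a modify record are separated by
# a line holding only "-", and no line carries trailing whitespace (which makes
# the LDAP operation fail). Returns 0 for a clean file, 1 otherwise, and prints
# one line per problem found.
lint_ldif() {
  awk '
    BEGIN { bad = 0 }
    function fail(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    # A blank line closes the current record; a whitespace-only line is a defect.
    /^[ \t]*$/ { if (length($0) > 0) fail("whitespace-only line"); inrec = 0; next }
    /[ \t]$/   { fail("trailing whitespace") }
    !inrec {                                   # first line of a record
      if ($0 !~ /^dn: ?[^ \t]/) fail("record must start with \"dn:\" and a DN")
      inrec = 1; pos = 1; ctype = ""; opopen = 0; next
    }
    { pos++ }
    pos == 2 {                                 # second line of a record
      if ($0 !~ /^changetype: ?(add|delete|modify|modrdn)$/)
        fail("second line must be changetype: add|delete|modify|modrdn")
      ctype = $0; sub(/^changetype: ?/, "", ctype); next
    }
    ctype == "modify" {                        # body of a modify record
      if ($0 == "-") { opopen = 0; next }
      if ($0 ~ /^(add|delete|replace): ?[^ \t]/) {
        if (opopen) fail("missing \"-\" line between modifications")
        opopen = 1; next
      }
      if (!opopen) fail("expected add:/delete:/replace: to open a modification")
    }
    END { exit bad }
  ' "$1"
}

SAMPLE_DIR=$(mktemp -d)
GOOD_LDIF="$SAMPLE_DIR/good.ldif"
BAD_LDIF="$SAMPLE_DIR/bad.ldif"

# Constructed sample: the two-modification record from this section, written
# correctly (a "-" line separates the add from the delete).
cat > "$GOOD_LDIF" <<'EOF'
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
add: work-phone
work-phone: 510/506-7000
work-phone: 510/506-7001
-
delete: home-fax
EOF

# Constructed sample with two defects: a trailing space after the second
# work-phone value, and no "-" line before "delete:". printf keeps the space
# visible in the source instead of hiding it at the end of a line.
printf 'dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US\nchangetype: modify\nadd: work-phone\nwork-phone: 510/506-7000\nwork-phone: 510/506-7001 \ndelete: home-fax\n' > "$BAD_LDIF"

# Hypothetical wrapper: refuse files that fail the lint, then let ldapmodify -n
# show what would happen before anything is committed. Connection details are
# assumed environment variables, not values from the guide.
check_then_modify() {
  file=$1
  lint_ldif "$file" || { echo "refusing to submit $file"; return 1; }
  ldapmodify -n -h "${LDAP_HOST:-localhost}" -p "${LDAP_PORT:-389}" \
    -D "${BIND_DN:?set BIND_DN}" -w "${BIND_PW:?set BIND_PW}" -f "$file"
}

lint_ldif "$GOOD_LDIF" && echo "good.ldif: clean"
lint_ldif "$BAD_LDIF"  || echo "bad.ldif: rejected"
```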

Example: Using ldapmodify to Add an Attribute

This example adds a new attribute called myAttr. The LDIF file for this operation is:

dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: (1.2.3.4.5.6.7 NAME 'myAttr' DESC 'New attribute definition' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

On the first line, enter the DN specifying where this new attribute is to be located. All attributes and object classes are stored in cn=subschemasubentry.

The second and third lines show the proper format for adding a new attribute.

The last line is the attribute definition itself. It begins with the object identifier (OID) 1.2.3.4.5.6.7, which must be unique among all other object classes and attributes. Next is the NAME of the attribute, in this case myAttr; it must be surrounded by single quotes. Next is a description of the attribute; enter whatever description you want between single quotes. The end of the definition in this example carries optional rules for the attribute: a matching rule of EQUALITY caseIgnoreMatch and a SYNTAX of Directory String. The example gives the syntax by its object identifier, 1.3.6.1.4.1.1466.115.121.1.15, rather than by its name, "Directory String".

Put your attribute information in a file formatted like this example. Then run the following command to add the attribute to the schema of your Oracle directory server.

ldapmodify -h yourhostname -p 389 -D "orcladmin" -w "welcome" -v -f /tmp/newattr.ldif

This ldapmodify command assumes that your Oracle directory server is running on port 389, that your super user account name is orcladmin, that your super user password is welcome and that the name of your LDIF file is newattr.ldif. Substitute the host name of your computer where you see yourhostname.

If you are not in the directory where the LDIF file is located, then you must enter the full directory path to the file at the end of your command. This example assumes that your LDIF file is located in the /tmp directory.

ldapmodifymt Syntax

The ldapmodifymt command-line tool enables you to modify several entries concurrently.

ldapmodifymt uses this syntax:

ldapmodifymt -T number_of_threads [arguments] -f file_name

where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

See Also:

"ldapmodify Syntax" for additional formatting specifications used by ldapmodifymt

The following example uses five concurrent threads to modify the entries in the file myentries.ldif.

ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif


Note:

The ldapmodifymt tool logs error messages in the file add.log, which is located in the directory where you are running the command.


The arguments in the following table are all optional.

Table A-14  Arguments for ldapmodifymt
Argument Description

-a

Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.)

-b

Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.

-c

Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.)

-D "binddn"

When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory".

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-M

Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-n

Shows what would occur without actually performing the operation.

-O ref_hop_limit

Specifies the number of referral hops that a client should process. The default value is 5.

-p ldapport

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies wallet password required for one-way or two-way SSL connections

-T

Sets the number of threads for concurrently processing entries

-U SSLAuth

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-v

Specifies verbose mode

-V ldap_version

Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.

-w password

Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

ldapsearch Syntax

The ldapsearch command-line tool enables you to search for and retrieve specific entries in the directory.

The ldapsearch tool uses this syntax:

ldapsearch [arguments] filter [attributes]

The filter format must be compliant with RFC-2254.

See Also:

RFC-2254 available at http://www.ietf.org for further information about the standard for the filter format

Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.


Note:

  • The ldapsearch tool does not generate LDIF output by default. To generate LDIF output from the ldapsearch command-line tool, use the -L flag.

  • Various UNIX shells interpret some characters--for example, asterisks (*)--as special characters. Depending on the shell you are using, you may need to escape these characters.


Table A-15  Arguments for ldapsearch
Argument Description

-b "basedn"

Specifies the base DN for the search. This argument is mandatory.

-s scope

Specifies search scope: base, one-level, or sub-tree

    Base: Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute objectClass and the filter Present.

    One Level: Limits your search to all entries beginning one level down from the root of your search

    Subtree: Searches entries within the entire subtree, including the root of your search

If you do not specify a scope, then ldapsearch performs a search on the subtree.

-A

Retrieves attribute names only (no values)

-a deref

Specifies alias dereferencing: never, always, search, or find

-B

Allows printing of non-ASCII values

-D "binddn"

When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w password option.

-d debug level

Sets debugging level to the level specified (see Table 10-2)

-E "character_set"

Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory".

-f file

Performs sequence of searches listed in file

-F sep

Prints 'sep' instead of '=' between attribute names and values

-h ldaphost

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.

-L

Prints entries in LDIF format (-B is implied)

-l timelimit

Specifies maximum time (in seconds) to wait for ldapsearch command to complete

-M

Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-n

Shows what would be done without actually searching

-O ref_hop_limit

Specifies the number of referral hops that a client should process. The default value is 5.

-p ldapport

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).

-P wallet_password

Specifies wallet password required for one-way or two-way SSL connections

-S attr

Sorts the results by attribute attr

-t

Writes to files in /tmp

-u

Includes user friendly entry names in the output

-U SSLAuth

Specifies the SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

-v

Specifies verbose mode

-w passwd

Specifies bind passwd for simple authentication

-W wallet_location

Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"

On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

-z sizelimit

Specifies maximum number of entries to retrieve

-X

Prints the entries in DSML v1 format.
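The -s scope and -z sizelimit rows of Table A-15 are easiest to understand on a concrete tree. The following Python script is an added example, not code from the Oracle Internet Directory guide or the ldapsearch tool; it models which entries each scope value selects under a base DN and how a size limit truncates the result. The DNs in SAMPLE_DIT are constructed for illustration, and the DN normalisation is a simplification that ignores escaped commas inside RDN values.

```python
"""Added example (not from the Oracle Internet Directory guide): models which
entries the ldapsearch -s scope values (base, one, sub) select under a base DN,
and how -z sizelimit truncates the result set.  SAMPLE_DIT is a constructed
sample tree, not real directory data."""
from typing import List, Tuple

# Constructed sample DIT: a few DNs under the base used in Example 2 of the guide.
SAMPLE_DIT = [
    "ou=HR, ou=Americas, o=IMC, c=US",
    "ou=Benefits, ou=HR, ou=Americas, o=IMC, c=US",
    "cn=Person1, ou=Benefits, ou=HR, ou=Americas, o=IMC, c=US",
    "ou=Payroll, ou=HR, ou=Americas, o=IMC, c=US",
    "cn=Person2, ou=Payroll, ou=HR, ou=Americas, o=IMC, c=US",
    "ou=Sales, ou=Americas, o=IMC, c=US",
]


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into its RDNs (leaf first), ignoring case and the optional
    space after each comma, so "ou=HR, o=IMC" and "ou=hr,o=imc" compare equal.
    Simplification: RDN values containing an escaped comma are not handled."""
    if dn.strip() == "":
        return ()  # the empty DN ("") is the root of the DIT
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def is_subordinate(entry: Tuple[str, ...], base: Tuple[str, ...]) -> bool:
    """True when base is a suffix of entry: entry is the base itself or lies
    somewhere beneath it.  An empty base (the root) matches every entry."""
    return entry[len(entry) - len(base):] == base


def ldap_scope_search(dit: List[str], base_dn: str, scope: str = "sub",
                      sizelimit: int = 0) -> Tuple[List[str], bool]:
    """Return (matching DNs, size_limit_exceeded) for the given scope.
    scope: "base" = only the base entry, "one" = its immediate children,
    "sub" = base plus everything beneath it (the ldapsearch default).
    sizelimit 0 means unlimited, mirroring the -z option."""
    base = normalize_dn(base_dn)
    matches: List[str] = []
    for dn in dit:
        entry = normalize_dn(dn)
        if scope == "base":
            hit = entry == base
        elif scope == "one":
            hit = len(entry) == len(base) + 1 and entry[1:] == base
        elif scope == "sub":
            hit = is_subordinate(entry, base)
        else:
            raise ValueError("scope must be base, one or sub")
        if hit:
            if sizelimit and len(matches) >= sizelimit:
                # A real server stops here and reports sizeLimitExceeded
                return matches, True
            matches.append(dn)
    return matches, False


if __name__ == "__main__":
    base = "ou=HR, ou=Americas, o=IMC, c=US"
    for scope in ("base", "one", "sub"):
        found, _ = ldap_scope_search(SAMPLE_DIT, base, scope)
        print(f"-s {scope}: {len(found)} entries")
        for dn in found:
            print("   ", dn)
    found, truncated = ldap_scope_search(SAMPLE_DIT, base, "sub", sizelimit=2)
    print(f"-z 2: {len(found)} entries returned, truncated={truncated}")
```

Run as a script it lists the entries each scope returns under ou=HR and shows that with a size limit of 2 only the first two matches come back, together with a flag standing in for the server's size-limit-exceeded result. Note that the "one" scope never returns the base entry itself, whereas "sub" does.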

Examples of ldapsearch Filters

Study the following examples to see how to build your own search commands.

Example 1: Base Object Search

The following example performs a base-level search on the directory from the root.

ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"

Example 2: One-Level Search

The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".

ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v "objectclass=*"

Example 3: Subtree Search

The following example performs a subtree search and returns all entries having a DN starting with "cn=us".

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"

Example 4: Search Using Size Limit

The following example actually retrieves only two entries, even if there are more than two matches.

ldapsearch -h myhost -p 389 -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s one "objectclass=*"

Example 5: Search with Required Attributes

The following example returns only the DN attribute values of the matching entries:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn

The following example retrieves only the distinguished name along with the surname (sn) and description (description) attribute values:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description

Example 6: Search for Entries with Attribute Options

The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.

ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"

Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example does not return John's entry:

ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"

Example 7: Searching for All User Attributes and Specified Operational Attributes

The following example retrieves all user attributes and the createtimestamp and orclguid operational attributes:

ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s sub "cn=Person*" * createtimestamp orclguid

The following example retrieves entries modified by Anne Smith:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne Smith))"

The following example retrieves entries modified between 01 April 2001 and 06 April 2001:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifytimestamp>=20000401000000)(modifytimestamp<=20000406235959))"


Note:

Because modifiersname and modifytimestamp are not indexed attributes, use catalog.sh to index these two attributes. Then, restart the Oracle directory server before issuing the two previous ldapsearch commands.


Other Examples:

Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".

The following example searches for all entries with any value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"

The following example searches for all entries that have orcl at the beginning of the value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=orcl*"

The following example searches for entries where the objectclass attribute begins with orcl and cn begins with foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(&(objectclass=orcl*)(cn=foo*))"

The following example searches for entries in which the common name (cn) is not foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"

The following example searches for entries in which cn begins with foo or sn begins with bar.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(|(cn=foo*)(sn=bar*))"

The following example searches for entries in which employeenumber is less than or equal to 10000.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "employeenumber<=10000"
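The filters in the examples above (presence, prefix wildcards, AND, OR, NOT, and >= / <= comparisons) are usually assembled by a script from values that come from somewhere else. The following Python module is an added example, not code from the guide or from Oracle Internet Directory; it builds such filters while hex-escaping the characters that RFC 4515 reserves, so that a value taken from user input is matched literally instead of becoming a wildcard, and it renders the resulting ldapsearch command line with shell quoting, which addresses the note at the start of this section about shells treating the asterisk as a special character. The helper names (escape_filter_value, ldapsearch_argv and so on) are this example's own; the host, port and DN values are the sample ones from the examples above.

```python
"""Added example (not from the Oracle Internet Directory guide): composes
RFC 4515 search filters like the ones in the ldapsearch examples, escaping
user-supplied values so that * ( ) and backslash are matched literally rather
than read as filter syntax, and shell-quotes the finished command line.
Hosts, ports and DNs are the sample values from the guide, not a real server."""
import shlex
from typing import Iterable, List, Optional

# Characters that RFC 4515 requires to be hex-escaped inside an assertion value.
_SPECIAL = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a filter.  Without this, a
    value such as "*" taken from a form field turns "(cn=<value>)" into the
    presence filter "(cn=*)", which matches every entry."""
    return "".join("\\%02x" % ord(ch) if ch in _SPECIAL else ch for ch in value)


def equals(attr: str, value: str) -> str:
    return f"({attr}={escape_filter_value(value)})"


def prefix(attr: str, value: str) -> str:
    """Substring filter attr=value*; the trailing wildcard is intentional and
    is added after escaping, so it is the only wildcard in the filter."""
    return f"({attr}={escape_filter_value(value)}*)"


def present(attr: str) -> str:
    return f"({attr}=*)"


def ge(attr: str, value: str) -> str:
    return f"({attr}>={escape_filter_value(value)})"


def le(attr: str, value: str) -> str:
    return f"({attr}<={escape_filter_value(value)})"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(f: str) -> str:
    return "(!" + f + ")"


def ldapsearch_argv(host: str, port: int, base_dn: str, scope: str, filt: str,
                    attrs: Iterable[str] = (), sizelimit: Optional[int] = None,
                    timelimit: Optional[int] = None) -> List[str]:
    """Hypothetical helper: build the argument vector for ldapsearch.  Handing
    a list to subprocess.run avoids the shell, so the * in a filter is never
    expanded as a filename glob and the base DN's spaces need no quoting."""
    argv = ["ldapsearch", "-h", host, "-p", str(port), "-b", base_dn, "-s", scope]
    if sizelimit is not None:
        argv += ["-z", str(sizelimit)]
    if timelimit is not None:
        argv += ["-l", str(timelimit)]
    argv.append(filt)
    argv.extend(attrs)
    return argv


def ldapsearch_cmdline(*args, **kwargs) -> str:
    """The same command rendered for an interactive shell; shlex.join quotes
    the base DN (spaces) and the filter (parentheses, asterisks) as needed."""
    return shlex.join(ldapsearch_argv(*args, **kwargs))


if __name__ == "__main__":
    # The modifiersname example from the guide, built from parts
    print(and_(present("objectclass"), equals("modifiersname", "cn=Anne Smith")))
    # Reserved characters in a value are matched literally, not as wildcards
    print(equals("cn", "*"), equals("cn", "Smith (HR)"))
    print(ldapsearch_cmdline("sun1", 389, "ou=hr, o=acme, c=us", "sub",
                             or_(prefix("cn", "foo"), prefix("sn", "bar")),
                             attrs=("dn", "sn", "description"), sizelimit=2))
```

The rendered command line for the last call is the "(|(cn=foo*)(sn=bar*))" example above with -z 2 and an attribute list appended, with the base DN and the filter single-quoted so that no shell interprets the asterisks. Attribute options such as cn;lang-fr need no special handling, since only the assertion value is escaped.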

Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.