Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01 |
|
Syntax for LDIF and Command-Line Tools, 4 of 10
This section tells you how to use the following tools:
Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the cn=catalogs
entry lists available attributes that can be used in a search. You can index only those attributes that have:
If you want to use additional attributes in search filters, then you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool.
Before running catalog.sh, be sure that the directory server is either stopped or in read-only mode. Otherwise, data will be inconsistent.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
The Catalog Management tool uses this syntax:
catalog.sh -connect connect_string {-add|-delete} {-attr attr_name|-file file_ name}
When you enter the catalog.sh
command, the following message appears:
This tool can only be executed if you know the OiD user password. Enter OiD password:
If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:
Cannot execute this tool
To effect the changes after running the Catalog Management tool, stop, then restart, the Oracle directory server.
See Also:
|
The ldapadd command-line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify Syntax".
See Also:
"Adding Configuration Set Entries by Using ldapadd" for an explanation of using ldapadd to configure a server with an input file |
ldapadd uses this syntax:
ldapadd
[arguments
] -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example adds the entry specified in the LDIF file my_ldif_file.ldi
:
ldapadd -p 389 -h myhost -f my_ldif_file.ldi
Optional Arguments | Description |
---|---|
|
Specifies that you have included binary file names in the file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. |
|
Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.) |
|
When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
|
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory". |
|
Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "LDAP Data Interchange Format (LDIF) Syntax". |
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
|
Same as |
|
Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined.You must already have a valid ticket granting ticket. |
|
Instructs the tool to send the |
|
Shows what would occur without actually performing the operation |
|
Specifies the number of referral hops that a client should process. The default value is 5. |
|
Connects to the directory on TCP port directory_server_port_number. If you do not specify this option, the tool connects to the default port (389). |
|
Specifies wallet password required for one-way or two-way SSL connections |
|
Specifies SSL authentication mode: |
|
Specifies verbose mode |
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
|
Provides the password required to connect |
|
Specifies wallet location required for one-way or two-way SSL connections.
For example, on UNIX, you could set this parameter as follows:
On Windows NT, you could set this parameter as follows: |
|
Specifies the input name of the DSML format import data file. |
ldapaddmt is like ldapadd: It enables you to add entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.
While it is processing LDIF entries, ldapaddmt logs errors in the add.log
file in the current directory.
ldapaddmt uses this syntax:
ldapaddmt -T number_of_threads -h host -p port -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example uses five concurrent threads to process the entries in the file myentries.ldif
.
ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif
Note: Increasing the number of concurrent threads improves the rate at which LDIF entries are created, but consumes more system resources. |
Optional Arguments | Description |
---|---|
|
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. |
|
Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.) |
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
|
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory" |
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
|
Same as -k, but performs only the first step of the kerberos bind |
|
Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket. |
|
Instructs the tool to send the |
|
Shows what would occur without actually performing the operation. |
|
Specifies the number of referral hops that a client should process. The default value is 5. |
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
|
Specifies wallet password required for one-way or two-way SSL connections |
|
Sets the number of threads for concurrently processing entries |
|
Specifies SSL Authentication Mode: |
|
Specifies verbose mode |
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
|
Provides the password required to connect |
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
|
Specifies the input name of the DSML format import data file. |
The ldapbind command-line tool enables you to see whether you can authenticate a client to a server.
ldapbind uses this syntax:
ldapbind [arguments]
Arguments | Description |
---|---|
-D "binddn" |
When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-E ".character_set" |
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory". |
-h ldaphost |
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-n |
Shows what would occur without actually performing the operation |
-p ldapport |
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password |
Specifies the wallet password required for one-way or two-way SSL connections |
-U SSLAuth |
Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required |
-V ldap_version |
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password |
Provides the password required to connect |
-W wallet_location |
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
-O sasl_security_properties |
Specifies SASL security properties. The security property supported is -O "auth". This security property is for DIGEST-MD5 SASL mechanism. It enables authentication with no data integrity or data privacy. |
-Y sasl_mechanism |
Specifies a SASL mechanism. These mechanisms are supported: |
-R sasl_realm |
Specifies a SASL realm |
The ldapcompare command-line tool enables you to match attribute values you specify in the command line with the attribute values in the directory entry.
ldapcompare uses this syntax:
ldapcompare [
arguments
]
The following example tells you whether Person Nine
's title is associate
.
ldapcompare -p 389 -h myhost -b "cn=Person Nine,ou=EuroSInet Suite,o=IMC,c=US" -a title -v associate
Optional Arguments | Description |
---|---|
-a attribute name |
Specifies the attribute on which to perform the compare. This argument is mandatory. |
-b "basedn" |
Specifies the distinguished name of the entry on which to perform the compare. This argument is mandatory. |
-v attribute value |
Specifies the attribute value to compare. This argument is mandatory. |
-D binddn |
When authenticating to the directory, specifies doing so as the entry is specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-d debug-level |
Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility". |
-E "character_set" |
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory". |
-f file_name |
Specifies the input file name |
-h ldaphost |
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
|
Instructs the tool to send the |
-O ref_hop_limit |
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport |
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password |
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth |
Specifies SSL authentication mode: |
-V ldap_version |
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password |
Provides the password required to connect |
-W wallet_location |
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows:
On Windows NT, you could set this parameter as follows: |
The ldapdelete command-line tool enables you to remove entire entries from the directory that you specify in the command line.
ldapdelete uses this syntax:
ldapdelete
[
arguments] ["
entry_DN"
| -f input_file_name]
The following example uses port 389 on a host named myhost.
ldapdelete -p 389 -h myhost "ou=EuroSInet Suite, o=IMC, c=US"
Optional Argument | Description |
---|---|
-D "binddn" |
When authenticating to the directory, uses a full DN for the binddn parameter--that is, the DN of the user seeking authentication; typically used with the |
-d debug-level |
Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility". |
-E "character_set" |
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory". |
-f input_file_name |
Specifies the input file name |
-h ldaphost |
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-k |
Authenticates using authentication instead of simple authentication. To enable this option, you must compile with Kerberos defined. You must already have a valid ticket granting ticket. |
|
Instructs the tool to send the |
-n |
Shows what would be done, but doesn't actually delete |
-O ref_hop_limit |
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport |
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password |
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth |
Specifies SSL authentication mode: |
-v |
Specifies verbose mode |
-V ldap_version |
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password |
Provides the password required to connect. |
-W wallet_location |
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
The ldapmoddn command-line tool enables you to modify the DN or RDN of an entry.
ldapmoddn uses this syntax:
ldapmoddn [arguments]
The following example uses ldapmoddn to modify the RDN component of a DN from "cn=mary smith"
to "cn=mary jones"
. It uses port 389, and a host named myhost
.
ldapmoddn -p 389 -h myhost -b "cn=mary smith,dc=Americas,dc=imc,dc=com" -R "cn=mary jones"
Argument | Description |
---|---|
-b "basedn" |
Specifies DN of the entry to be moved. This argument is mandatory. |
-D "binddn" |
When authenticating to the directory, do so as the entry is specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-E "character_set" |
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory". |
-f file_name |
Specifies the input file name |
-h ldaphost |
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
|
Instructs the tool to send the |
-N newparent |
Specifies new parent of the RDN. Either this argument or the -R argument must be specified. |
-O ref_hop_limit |
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport |
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password |
Specifies wallet password required for one-way or two-way SSL connections |
-r |
Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry. |
-R newrdn |
Specifies new RDN. Either this argument or the -N argument must be specified. |
-U SSLAuth |
Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required |
-V ldap_version |
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password |
Provides the password required to connect. |
-W wallet_location |
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows:
On Windows NT, you could set this parameter as follows: |
The ldapmodify tool enables you to act on attributes.
ldapmodify uses this syntax:
ldapmodify
[arguments
] -f file_name
where file_name is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".
The list of arguments in the following table is not exhaustive. These arguments are all optional.
Argument | Description |
---|---|
-a |
Denotes that entries are to be added, and that the input file is in LDIF format. |
-b |
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. |
-c |
Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) |
-D "binddn" |
When authenticating to the directory, specifies doing so as the entry is specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-E "character_set" |
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory". |
-h ldaphost |
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
|
Instructs the tool to send the |
-n |
Shows what would occur without actually performing the operation. |
|
Can be used with the |
-O ref_hop_limit |
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport |
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password |
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth |
Specifies SSL authentication mode: |
-v |
Specifies verbose mode |
-V ldap_version |
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password |
Overrides the default, unauthenticated, null bind. To force authentication, use this option with the |
-W wallet_location |
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows:
On Windows NT, you could set this parameter as follows: |
To run modify
, delete
, and modifyrdn
operations using the -f
flag, use LDIF for the input file format (see "LDAP Data Interchange Format (LDIF) Syntax") with the specifications noted in this section:
If you are making several modifications, then, between each modification you enter, add a line that contains a hyphen (-) only. For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
add: work-phone
work-phone: 510/506-7000
work-phone: 510/506-7001
-delete: home-fax
Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.
Line 1: Every change record has, as its first line, the literal dn:
followed by the DN value for the entry, for example:
dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
Line 2: Every change record has, as its second line, the literal changetype:
followed by the type of change (add, delete, modify, modrdn
), for example:
changetype: modify
or
changetype: modrdn
Format the remainder of each record according to the following requirements for each type of change:
changetype: add
Uses LDIF format (see "LDAP Data Interchange Format (LDIF) Syntax").
changetype: modify
The lines that follow this changetype consist of changes to attributes belonging to the entry that you identified previously in Line 1. You can specify three different types of attribute modifications--add, delete, and replace--which are explained next:
add:
attribute nameattribute name:
value1attribute name:
value2...
For example:
dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
add: work-phone
work-phone: 510/506-7000
work-phone: 510/506-7001
delete:
attribute name[attribute name:
value1]
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
delete: home-fax
replace:
attribute name[attribute name:
value1...]
If you do not provide any attributes with replace
, then the directory adds an empty set. It then interprets the empty set as a delete request, and complies by deleting the attribute from the entry. This is useful if you want to delete attributes that may or may not exist.
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
replace: work-phone
work-phone: 510/506-7002
changetype:delete
This change type deletes entries. It requires no further input, since you identified the entry in Line 1 and specified a changetype of delete in Line 2.
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: delete
changetype:modrdn
The line following the change type provides the new relative distinguished name using this format:
newrdn: RDN
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modrdn
newrdn: cn=Barbara
Fritchy-Blomberg
To specify an attribute as single-valued, include in the attribute definition entry in the LDIF file the keyword SINGLE-VALUE with surrounding white space.
This example adds a new attribute called myAttr
. The LDIF file for this operation is:
dn: cn=subschemasubentry changetype: modify add: attributetypes attributetypes: (1.2.3.4.5.6.7 NAME `myAttr' DESC `New attribute definition' EQUALITY caseIgnoreMatch SYNTAX `1.3.6.1.4.1.1466.115.121.1.15' )
On the first line, enter the DN specifying where this new attribute is to be located. All attributes and object classes they are stored in cn=subschemasubentry
.
The second and third lines show the proper format for adding a new attribute.
The last line is the attribute definition itself. The first part of this is the object identifier number: 1.2.3.4.5.6.7
. It must be unique among all other object classes and attributes. Next is the NAME
of the attribute. In this case the attribute NAME is myAttr
. It must be surrounded by single quotes. Next is a description of the attribute. Enter whatever description you want between single quotes. At the end of this attribute definition in this example are optional formatting rules to the attribute. In this case we are adding a matching rule of EQUALITY caseIgnoreMatch
and a SYNTAX of Directory String
. This example uses the object ID number of 1.3.6.1.4.1.1466.115.121.1.15 instead of the SYNTAXES name which is "Directory String".
Put your attribute information in a file formatted like this example. Then run the following command to add the attribute to the schema of your Oracle directory server.
ldapmodify -h yourhostname -p 389 -D "orcladmin" -w "welcome" -v -f /tmp/newattr.ldif
This ldapmodify command assumes that your Oracle directory server is running on port 389, that your super user account name is orcladmin
, that your super user password is welcome
and that the name of your LDIF file is newattr.ldif
. Substitute the host name of your computer where you see yourhostname.
If you are not in the directory where the LDIF file is located, then you must enter the full directory path to the file at the end of your command. This example assumes that your LDIF file is located in the /tmp
directory.
The ldapmodifymt command-line tool enables you to modify several entries concurrently.
ldapmodifymt uses this syntax:
ldapmodifymt -T number_of_threads [arguments
] -ffile_name
where file_name is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".
See Also:
"ldapmodify Syntax" for additional formatting specifications used by ldapmodifymt |
The following example uses five concurrent threads to modify the entries in the file myentries.ldif
.
ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif
The arguments in the following table are all optional.
Argument | Description |
---|---|
|
Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.) |
|
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. |
|
Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) |
|
When authenticating to the directory, specifies doing so as the entry is specified in |
|
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory". |
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
|
Instructs the tool to send the |
|
Shows what would occur without actually performing the operation. |
|
Specifies the number of referral hops that a client should process. The default value is 5. |
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
|
Specifies wallet password required for one-way or two-way SSL connections |
|
Sets the number of threads for concurrently processing entries |
|
Specifies SSL authentication mode: |
|
Specifies verbose mode |
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
|
Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option. |
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Windows NT, you could set this parameter as follows: |
The ldapsearch command-line tool enables you to search for and retrieve specific entries in the directory.
The ldapsearch tool uses this syntax:
ldapsearch [
arguments
]
filter[
attributes
]
The filter format must be compliant with RFC-2254.
See Also:
RFC-2254 available at |
Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.
Argument | Description |
---|---|
-b "basedn" |
Specifies the base DN for the search. This argument is mandatory. |
-s scope |
Specifies search scope: base, one-level, or sub-tree
Base: Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute One Level: Limits your search to all entries beginning one level down from the root of your search Subtree: Searches entries within the entire subtree, including the root of your search If you do not specify a scope, then ldapsearch performs a search on the subtree. |
-A |
Retrieves attribute names only (no values) |
-a deref |
Specifies alias dereferencing: never, always, search, or find |
-B |
Allows printing of non-ASCII values |
-D "binddn" |
When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-d debug level |
Sets debugging level to the level specified (see Table 10-2) |
-E "character_set" |
Specifies native character set encoding. See Chapter G, "Globalization Support in the Directory". |
-f file |
Performs sequence of searches listed in file |
-F sep |
Prints ` |
-h ldaphost |
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-L |
Prints entries in LDIF format ( |
-l timelimit |
Specifies maximum time (in seconds) to wait for ldapsearch command to complete |
|
Instructs the tool to send the |
-n |
Shows what would be done without actually searching |
-O ref_hop_limit |
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport |
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password |
Specifies wallet password required for one-way or two-way SSL connections |
-S attr |
Sorts the results by attribute attr |
-t |
Writes to files in |
-u |
Includes user friendly entry names in the output |
-U SSLAuth |
Specifies the SSL authentication mode: |
-v |
Specifies verbose mode |
-w passwd |
Specifies bind passwd for simple authentication |
-W wallet_location |
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows:
On Windows NT, you could set this parameter as follows: |
-z sizelimit |
Specifies maximum number of entries to retrieve |
-X |
Prints the entries in DSML v1 format. |
Study the following examples to see how to build your own search commands.
The following example performs a base-level search on the directory from the root.
ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"
-b
specifies base DN for the search, root in this case.
-s
specifies whether the search is a base search (base
), one level search (one
) or subtree search (sub
).
"objectclass=*"
specifies the filter for search.
The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US"
.
ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v "objectclass=*"
The following example performs a subtree search and returns all entries having a DN starting with "cn=us"
.
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"
The following example actually retrieves only two entries, even if there are more than two matches.
ldapsearch -h myhost -p 389 -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s one "objectclass=*"
The following example returns only the DN
attribute values of the matching entries:
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn
The following example retrieves only the distinguished name along with the surname (sn
) and description (description
) attribute values:
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description
The following example retrieves entries with common name (cn
) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.
ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"
Suppose that, in the entry for John, no value is set for the cn;lang-it
language code attribute option. In this case, the following example does not return John's entry:
ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"
The following example retrieves all user attributes and the createtimestamp
and orclguid
operational attributes:
ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s sub "cn=Person*" * createtimestamp orclguid
The following example retrieves entries modified by Anne Smith:
ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne Smith))"
The following example retrieves entries modified between 01 April 2001 and 06 April 2001:
ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifytimestamp >= 20000401000000)
(modifytimestamp <= 20000406235959))"
Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us"
.
The following example searches for all entries with any value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"
The following example searches for all entries that have orcl
at the beginning of the value for the objectclass
attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=orcl*"
The following example searches for entries where the objectclass
attribute begins with orcl
and cn
begins with foo.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(&(objectclass=orcl*)(cn=foo*))"
The following example searches for entries in which the common name (cn
) is not foo
.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"
The following example searches for entries in which cn
begins with foo
or sn
begins with bar
.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(|(cn=foo*)(sn=bar*))"
The following example searches for entries in which employeenumber
is less than or equal to 10000.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "employeenumber<=10000"
|
![]() Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved. |
|