NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | ATTRIBUTES | SEE ALSO
The ldapdelete command requests deletion of entries stored by a directory server. You must bind as a user having access to delete the entries specified.
Specify one or more entry DNs, separated by space, and typically enclosed in double quotes ("") for the shell. Alternatively, include DNs in a file, one per line without quotes around DNs. The ldapdelete command reads each line as one literal DN.
When deleting a subtree, you must delete child entries before you delete their parent entries.
The following options are supported:
Ignore LDAP library version mismatches.
When this option is omitted, the default behavior is to assert that the revision number of the LDAP API be greater than or equal to that used to compile the tool. Also, if the library and the tool have the same vendor name, the tool will assert that the vendor version number of the API be greater than or equal to that used to compile the tool. Revision and version numbers are based on the contents of the LDAPAPIInfo structure defined in <ldap.h> or header files included by <ldap.h>.
Check host names in SSL certificates.
Use the specified bind DN to authenticate to the directory server.
If the bind DN and its password are omitted, the ldapdelete command binds anonymously. The bind DN determines which entries can be deleted, according to that user's access permissions.
Request that the directories expose (report) bind identities.
Display usage information.
Use the specified SSL card password file (pin).
Use the specified control OID.
The criticality, a boolean, is false by default.
Use the certificate private key database located in the specified directory.
You may omit the -K option if the key database location is provided as an argument to the -P option.
Manage referrals, deleting the entry containing the referral instead of the entry obtained by following the referral.
Use the specified certificate for certificate-based client authentication, for example: -N "Client-Cert", where Client-Cert is the subject name of the user's certificate.
Follow at most the specified number of referral hops. Default is 5.
Use the certificate database located in filename, the full path to the certificate database file.
Use PKCS 11.
Do not follow referrals automatically.
Use LDAP protocol version n, where n is 2 or 3. Default is 3.
Specify the password for the client's key database specified using the -K or -P option.
The -W option is required for certificate-based client authentication.
Use the rights of the entry having the specified DN for performing LDAP operations. When using this option, you must also specify how to bind before you assume the rights of the proxy. Thus, when using simple authentication, you would also use the -D and -w options with this option.
Before proxy authentication can work in Directory Server, you must set up the appropriate access control instructions.
Use SSL to provide certificate-based client authentication.
The -Z option requires the -N and -W options and any other SSL options needed to identify the certificate and the key database.
Run in continuous mode, not stopping on errors.
In continuous mode, errors are reported but the ldapdelete command continues processing the remaining DNs. When not running in continuous mode, the ldapdelete command quits after the first error.
Set LDAP debug level to the specified value.
The following debug levels are supported:
Display verbose debugging messages; LDAP_DEBUG_TRACE.
Display messages about the content of network packets; LDAP_DEBUG_PACKETS.
Display messages about LDIF parsing; LDAP_DEBUG_PARSE.
Display informational messages; LDAP_DEBUG_ANY.
Use the sum of the levels to specify more than one debug level.
Read DNs from the specified file.
The file format is one DN per line without quotes around DNs. The ldapdelete command reads each line as one literal DN.
This option has no effect when you also specify DNs on standard input.
Contact the LDAP server on the specified host, which may be a host name or an IP address. Enclose IPv6 addresses in brackets ([]) as described in RFC 2732.
For example, when mapping the IPv4 address 192.168.0.99 to IPv6, pass the -h option with its argument as -h [::ffff:192.168.0.99]. Notice the brackets.
The default is localhost.
Use the specified character set as opposed to the character set specified as the value of the LANG environment variable.
Use this option, for example, to convert from the specified character set to UTF-8, overriding the LANG setting.
Read the bind password for simple authentication from the specified file.
Use the conversion routines located in the specified directory.
The default is to use the current directory. Use the -k option to specify a sorting language that is not supported by the directory server.
Use the security module database located in the specified directory.
Use the -m option if the security module database is in a different directory from the certificate database itself.
Show what would be done, but do not actually do it.
Use the specified attribute values when performing SASL authentication.
The following attrname arguments are supported:
Use the specified authentication identity.
Use the specified authorization identity.
Request the specified SASL mechanism for the bind.
Use the specified realm to complete the bind.
Use the specified security level.
Contact the LDAP server on the specified port.
The default is 389 (636 if SSL is used).
Run in verbose mode, displaying diagnostics on standard output.
Prompt for the bind password for simple authentication.
Use the specified bind password for simple authentication.
Examples in this section use the following conventions:
The bind DN given corresponds to a user with permission to delete entries.
The directory server is located on a system named host.
The directory server listens on port number 389, the default for non-SSL traffic.
The directory server listens on port number 636, the default for SSL traffic. SSL is enabled.
The following command deletes a single entry from the directory:
```console
$ ./ldapdelete -h host -D "uid=bjensen,ou=people,dc=example,dc=com" -w - "uid=scarter,ou=People,dc=example,dc=com"
Enter bind password:
$
```
The following commands demonstrate deleting an entry whose DN is specified on standard input:
```console
$ ./ldapdelete -h host -c -v -D "uid=bjensen,ou=People,dc=example,dc=com" -w -
Enter bind password:
ldapdelete: started Fri Jul 2 08:31:14 2004
ldap_init( host, 389 )
uid=kvaughan, ou=People, dc=example,dc=com
deleting entry uid=kvaughan, ou=People, dc=example,dc=com
entry removed
^D
$
```
The following commands demonstrate reading DNs of entries to delete from a file. Notice that the -c option is used to continue if an error occurs.
```console
$ cat DNfile
uid=scarter, ou=People, dc=example,dc=com
uid=kvaughan, ou=People, dc=example,dc=com
$ ./ldapdelete -h host -c -f DNfile -D "uid=bjensen,ou=People,dc=example,dc=com" -w -
Enter bind password:
$
```
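Added example, not from this man page, that ties together the subtree rule (children before parents), the one-DN-per-line file format and the -c -f invocation shown above: it orders a DN list deepest-first by counting unescaped RDN separators, then hands the ordered file to ldapdelete. The function names, the constructed sample DNs and the use of -n for a dry run are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ldapdelete man page: build a DN file that
# deletes child entries before their parents (a non-leaf entry fails with
# LDAP_NOT_ALLOWED_ON_NONLEAF, 0x42) and hand it to ldapdelete -c -f.
# Assumes POSIX sh, awk, sort, cut and mktemp; ldapdelete itself is only
# needed by delete_subtree.

# order_dns_child_first: read DNs (one per line, unquoted) on stdin and print
# them deepest first. Depth = unescaped commas + 1; an escaped comma ("\,")
# inside an RDN value is not an RDN separator and is not counted.
order_dns_child_first() {
    awk '
    {
        dn = $0
        sub(/\r$/, "", dn)                  # tolerate CRLF line endings
        if (dn == "") next                  # skip blank lines
        tmp = dn
        gsub(/\\,/, "", tmp)                # drop escaped commas before counting
        depth = gsub(/,/, ",", tmp) + 1     # gsub returns the number of matches
        printf "%d\t%s\n", depth, dn
    }' | sort -t "$(printf '\t')" -k1,1nr | cut -f2-
}

# delete_subtree HOST BINDDN DNFILE: order DNFILE child-first and pass the
# result to ldapdelete with -c (continue on error). -n makes this a dry run;
# remove it to really delete. Returns the ldapdelete exit status.
delete_subtree() {
    host=$1; binddn=$2; dnfile=$3
    ordered=$(mktemp) || return 1
    order_dns_child_first < "$dnfile" > "$ordered"
    if ldapdelete -h "$host" -c -n -f "$ordered" -D "$binddn" -w -; then
        status=0
    else
        status=$?
        # 0x42 (66) means a parent was reached while children still exist
        [ "$status" -eq 66 ] && echo "child entries remain under a parent" >&2
    fi
    rm -f "$ordered"
    return "$status"
}

# Constructed sample DN list (mixed order, one value with an escaped comma).
printf '%s\n' \
    'ou=People,dc=example,dc=com' \
    'uid=kvaughan, ou=People, dc=example,dc=com' \
    'cn=Smith\, John,ou=People,dc=example,dc=com' \
    'dc=example,dc=com' | order_dns_child_first
```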
The following command uses server authentication during the bind, where the server only accepts binds by clients with trusted certificates. Notice only the -P option is used without other SSL-related options.
```console
$ ./ldapdelete -h host -p 636 -c -f DNfile -P /home/bjensen/security -D "uid=bjensen,ou=People,dc=example,dc=com" -w -
Enter bind password:
```
The following command uses client authentication during the bind, where the server only accepts binds by clients with trusted certificates, and the client must sign the certificate with a password-protected private key. Notice the options used in this example.
```console
$ ./ldapdelete -h host -p 636 -c -f DNfile -Z -P /home/bjensen/security -N "bjscert" -K /home/bjensen/security -W keypassword
```
The exit status returned reflects the return values of the underlying functions used, which may depend on return values sent by the server. Common exit status codes follow:
Successful completion; LDAP_SUCCESS; 0x00.
Server encountered errors while processing the request; LDAP_OPERATIONS_ERROR; 0x01.
Server encountered errors, such as a BER-decoding error, while processing the request; LDAP_PROTOCOL_ERROR; 0x02.
DN of the entry to delete is not handled by this server, and the referral URL identifies another server that handles the entry; LDAP_REFERRAL; 0x0a.
DN of the entry to delete is not handled by this server, and no referral URL is available for the entry; LDAP_NO_SUCH_OBJECT; 0x20.
DN of the entry to delete is not a valid DN; LDAP_INVALID_DN_SYNTAX; 0x22.
Bind DN user does not have permission to read the entry from the directory; LDAP_INSUFFICIENT_ACCESS; 0x32.
Directory is read-only; LDAP_UNWILLING_TO_PERFORM; 0x35.
Entry specified has child-entries that must be deleted first; LDAP_NOT_ALLOWED_ON_NONLEAF; 0x42.
One of the directories did not respond to the request, or the connection was lost; LDAP_SERVER_DOWN; 0x51.
An error occurred while receiving results; LDAP_LOCAL_ERROR; 0x52.
The request could not be BER-encoded; LDAP_ENCODING_ERROR; 0x53.
A result could not be decoded; LDAP_DECODING_ERROR; 0x54.
An option or argument is not valid; LDAP_PARAM_ERROR; 0x59.
Needed memory could not be allocated; LDAP_NO_MEMORY; 0x5a.
A specified host name or port is not valid; LDAP_CONNECT_ERROR; 0x5b.
At least one server supports only LDAPv2, and the -V 2 option was not used, or the -V 2 option was used, but the server no longer supports LDAP v2; LDAP_NOT_SUPPORTED; 0x5c.
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Availability | SUNWldk |
| Stability Level | Evolving |
ldapcompare(1), ldapmodify(1), ldapsearch(1)