The ldapdelete command issues LDAP delete requests to the directory server in order to remove entries.
ldapdelete [option] [DN]
The ldapdelete command issues LDAP delete requests to the directory server in order to remove entries. Unless the --filename option is given, an entry DN must be given as the only trailing option to specify which entry should be removed.
Many UNIX or Linux operating systems provide an installed version of common LDAP client commands, such as ldapsearch, ldapmodify, and ldapdelete in the /usr/bin directory. You can check if a version is on your system by entering the command: which ldapdelete. If the command returns a value (seen below), you will need to update your $PATH to the install-dir/bin directory or create an alias to the directory server instance.
$ which ldapdelete (UNIX/Linux)
/usr/bin/ldapdelete
The ldapdelete command accepts an option in either its short form (for example, -D bindDN) or its long form equivalent (for example, --bindDN bindDN).
Continue processing even if an error occurs. This option applies when multiple entry DNs have been given, either as trailing options or in a file specified with the --filename option. If an error occurs while processing a delete request, the client continues with the next entry DN if the --continueOnError option has been provided; otherwise it exits with an error.
Specify the path to a file that contains one or more DNs of entries to delete. If there are multiple entry DNs, the file must be structured with one DN per line. If this option is used, do not add any trailing options; if it is not used, the DN of the entry to remove must be the only trailing option.
Include the specified control in the delete requests sent to the directory server. This option makes it possible to include arbitrary request controls that the client does not directly support. The value for this option must be in the form:
oid[:criticality[:value|::b64value|:<fileurl]]
The elements of this value include:
Use the OID for the control. For certain types of controls, a text name may be used instead of the numeric OID (for example, managedsait for the Manage DSA IT control). This element is required. Human-readable names can be used in place of the OID to reference controls that do not require values when using the -J or --control option. These OID names are the following:
Use in place of the Account Usability Request Control OID : 1.3.6.1.4.1.42.2.27.9.5.8 (no value)
Use in place of the Authorization Identity Request Control OID: 2.16.840.1.113730.3.4.16 (no value)
Use in place of the Get Effective Rights Control OID: 1.3.6.1.4.1.42.2.27.9.5.2 (value = authorization ID)
Use in place of the Manage DSA IT Control OID: 2.16.840.1.113730.3.4.2 (no value)
Use in place of the LDAP No-op Control OID: 1.3.6.1.4.1.4203.1.10.2 (no value)
Use in place of the Password Policy Request Control OID: 1.3.6.1.4.1.42.2.27.8.5.1 (no value)
Use in place of the Subtree Delete Request Control OID: 1.2.840.113556.1.4.805 (no value)
If true, the control should be marked critical (meaning that the directory server should not process the operation unless it can meet the requirements of this control). If false, the control should not be marked critical. If this subcommand is not provided, then the control is not marked critical.
Specifies the value for the control. This form should only be used if the value can be expressed as a string. It must not be used in conjunction with either the ::b64value or :<fileurl forms. If none of these subcommands is present, then the control will not have a value.
Specifies the value for the control in base64-encoded form. This subcommand must not be used in conjunction with either the :value or :<fileurl forms. If none of these subcommands is present, then the control will not have a value.
Specifies a URL that references a file from which the value of the control should be taken. It must not be used in conjunction with either the :value or ::b64value forms. If none of these subcommands is present, then the control will not have a value.
For example, the value 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=dmiller,ou=people,dc=example,dc=com will include a control with an OID of 1.3.6.1.4.1.42.2.27.9.5.2, marked as critical (true), and with the string value dn:uid=dmiller,ou=people,dc=example,dc=com as the authorization ID. Alternatively, you can use the OID name: effectiverights:true:dn:uid=dmiller,ou=people,dc=example,dc=com.
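The control syntax above has three mutually exclusive value forms that differ only by the characters following the second colon. The parser below is an added example, not part of the ldapdelete tool or this manual; it resolves the two text names that appear on this page (managedsait and effectiverights), validates the criticality flag, and decodes each value form. The name CONTROL_ALIASES and the file: URL handling are assumptions of this example.

```python
import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse
from urllib.request import url2pathname

# Text aliases shown on this page for the -J / --control option (assumed table).
# Any other control must be given by its numeric OID.
CONTROL_ALIASES = {
    "managedsait": "2.16.840.1.113730.3.4.2",
    "effectiverights": "1.3.6.1.4.1.42.2.27.9.5.2",
}


@dataclass
class Control:
    oid: str
    critical: bool
    value: Optional[bytes]  # None means "control carries no value"


def parse_control(spec: str) -> Control:
    """Parse a value of the form oid[:criticality[:value|::b64value|:<fileurl]]."""
    oid, sep, rest = spec.partition(":")
    oid = CONTROL_ALIASES.get(oid.lower(), oid)
    if not oid or not all(part.isdigit() for part in oid.split(".")):
        raise ValueError(f"unknown control name or malformed OID: {oid!r}")
    if not sep:                      # bare OID: not critical, no value
        return Control(oid, False, None)
    crit_text, sep, value_part = rest.partition(":")
    if crit_text.lower() not in ("true", "false"):
        raise ValueError(f"criticality must be true or false, got {crit_text!r}")
    critical = crit_text.lower() == "true"
    if not sep:                      # oid:criticality with no value subcommand
        return Control(oid, critical, None)
    # value_part is everything after the second colon, so a string value may
    # itself contain colons (e.g. dn:uid=...). The leading character selects the form:
    #   ":b64value" -> base64,  "<fileurl" -> read file,  anything else -> literal string
    if value_part.startswith(":"):
        value = base64.b64decode(value_part[1:], validate=True)
    elif value_part.startswith("<"):
        url = urlparse(value_part[1:])
        if url.scheme != "file":
            raise ValueError("this example only reads file: URLs")
        with open(url2pathname(url.path), "rb") as fh:
            value = fh.read()
    else:
        value = value_part.encode("utf-8")
    return Control(oid, critical, value)
```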
Run in no-op mode. That is, report what would happen but do not actually perform any delete operations or communicate with the server in any way.
Delete the specified entry and all entries below it.
Use the bind DN to authenticate to the directory server. This option is used when performing simple authentication and is not required if SASL authentication is to be used. The default value for this option is cn=Directory Manager.
Contact the directory server on the specified host name or IP address. If it is not provided, then a default address of localhost will be used.
Use the bind password in the specified file when authenticating to the directory server. The option is used for simple authentication, as well as for password-based SASL mechanisms such as CRAM-MD5, DIGEST-MD5, and PLAIN. It is not required if no authentication is to be performed. This option must not be used in conjunction with --bindPassword.
SASL is not supported for Sun OpenDS Standard Edition proxy.
Use the client keystore certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option should only be necessary if the client needs to present a certificate to the directory server, for example, when using SASL EXTERNAL authentication.
SASL is not supported for Sun OpenDS Standard Edition proxy.
Use the specified certificate for certificate-based client authentication.
Use the specified option when performing SASL authentication. Multiple SASL options can be provided by using this option multiple times, once for each option. See Using SASL Authentication in Sun OpenDS Standard Edition 2.2 Administration Guide for more information.
SASL is not supported for Sun OpenDS Standard Edition proxy.
Contact the directory server at the specified port. If this option is not provided, then a default port of 389 will be used.
Use the client trust store certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option is not needed if --trustAll is used, although a trust store should be used when working in a production environment.
Use the StartTLS Extended Operation when communicating with the directory server. This option must not be used in conjunction with --useSSL.
Use the SASL EXTERNAL mechanism for authentication, which attempts to identify the client by using an SSL certificate that it presents to the directory server. If this option is used, then the --keyStorePath option must also be provided to specify the path to the client keystore and either the --useSSL or the --useStartTLS option must be used to establish a secure communication channel with the server.
SASL is not supported for Sun OpenDS Standard Edition proxy.
Use the password needed to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (which most trust stores do not require). This option must not be used in conjunction with --trustStorePasswordFile.
Use the password in the specified file to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePassword.
Use the password in the specified file to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (most trust stores do not require this). This option must not be used in conjunction with --trustStorePassword.
Set the LDAP protocol version that the client should use when communicating with the directory server. The value must be either 2 (for LDAPv2 communication) or 3 (for LDAPv3). If this option is not provided, then the client will use LDAPv3.
Use the bind password when authenticating to the directory server. This option can be used for simple authentication as well as password-based SASL mechanisms. This option must not be used in conjunction with --bindPasswordFile. To prompt for the password, type -w -.
SASL is not supported for Sun OpenDS Standard Edition proxy.
Use the password needed to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePasswordFile.
Trust any certificate that the directory server might present during SSL or StartTLS negotiation. This option can be used for convenience and testing purposes, but for security reasons a trust store should be used to determine whether the client should accept the server certificate.
Use Secure Sockets Layer when communicating with the directory server. If SSL is to be used, then the --port option should be used to specify the server's secure port.
Use the specified character set to override the value of the LANG environment variable. If this option is not provided, then a default of UTF-8 will be used.
Indicate that a properties file will not be used to get the default command-line options.
Specify the path to the properties file that contains the default command-line options.
Run in verbose mode, displaying process and diagnostic information on standard output.
Display command-line usage information for the command and exit without making any attempt to run the command.
Display the version information for the directory server.
The following examples show how to use the directory server commands. You can use the commands on any UNIX, Linux, or Windows system that has at least the Java SE 5 (at least Sun version 1.5.0_08, preferably the latest version of Java SE 6) runtime environment installed on its target system. See Sun OpenDS Standard Edition System Requirements in Sun OpenDS Standard Edition 2.2 Installation Guide for more information.
The following command specifies the host name (-h), the port (-p), the bind DN (-D), the bind password (-w), and deletes a single entry:
$ ldapdelete -h hostname -p 1389 -D "cn=Directory Manager" -w password \
  "uid=mgarza,ou=People,dc=example,dc=com"
The following file contains a list of DNs for deletion. The file must list each DN on a separate line.
uid=mgarza,ou=People,dc=example,dc=com
uid=wsmith,ou=People,dc=example,dc=com
uid=jarrow,ou=People,dc=example,dc=com
uid=mbean,ou=People,dc=example,dc=com
The following command specifies the host name (-h), the port (-p), the bind DN (-D), and the bind password (-w), and reads the DNs to delete from a file (-f). If an error occurs, the command continues (-c) with the next DN in the file. For Windows platforms, use the path where the deletion file resides (for example, -f \temp\delete.ldif):
$ ldapdelete -h hostname -p 1389 -D "cn=Directory Manager" -w password \
  -c -f /usr/local/delete.ldif
The following command uses server authentication to delete entries. The command specifies the host name (-h), SSL port (-p), bind DN (-D), bind password (-w), trust store file path (-P), and LDIF file (-f) that contains the DNs to delete. If an error occurs, the command continues (-c) with the next DN in the file. For Windows platforms, use the path where the deletion file resides (for example, -f \temp\delete.ldif) and the path where the trust store resides (for example, -P \temp\certs\cert.db):
$ ldapdelete -h hostname -p 1636 -c -f /usr/local/delete.ldif \
  -D "cn=Directory Manager" -w password \
  -P /home/kwinters/certs/cert.db
The following command uses client authentication to perform a delete operation. The command uses SSL (-Z) with the SSL port (-p), and specifies the trust store file path (-P), the certificate nickname (-N), the keystore file path (-K), the keystore password (-W), and the LDIF file (-f) that contains the DNs to delete. If an error occurs, the command continues (-c) with the next DN in the file. For Windows platforms, use the path where the deletion file resides (for example, -f \temp\delete.ldif), the path where the trust store resides (for example, -P \temp\certs\cert.db), and the path where the keystore resides (for example, -K \temp\security\key.db).
$ ldapdelete -h hostname -p 1636 -c -f /usr/local/delete.ldif \
  -Z -P /home/kwinters/security/cert.db -N "kwcert" \
  -K /home/kwinters/security/key.db -W keypassword
An exit code of 0 indicates that the operation completed successfully. A nonzero exit code indicates that an error occurred during processing.
The directory server supports the use of a properties file that passes in any default option values used with the ldapdelete command. The properties file is convenient when working in different configuration environments, especially in scripted or embedded applications. See Using a Properties File With Server Commands for more information.
The following options can be stored in a properties file:
bindDN
bindPassword
bindPasswordFile
certNickname
continueOnError
control
deleteSubtree
dry-run
encoding
filename
hostname
keyStorePassword
keyStorePasswordFile
keyStorePath
ldapVersion
port
saslOption
SASL is not supported for Sun OpenDS Standard Edition proxy.
trustAll
trustStorePassword
trustStorePasswordFile
trustStorePath
useSASLExternal
SASL is not supported for Sun OpenDS Standard Edition proxy.
useSSL
useStartTLS
verbose
Entries in the properties file have the following format:
toolname.propertyname=propertyvalue
For example:
ldapdelete.ldapport=12345
UNIX and Linux: install-dir/bin/ldapdelete
Windows: install-dir\bat\ldapdelete.bat