iPlanet Directory Server Configuration, Command, and File Reference: Chapter 7 Command-Line Utilities

Previous Contents Index DocHome Next

iPlanet Directory Server Configuration, Command, and File Reference

Chapter 7 Command-Line Utilities

This chapter contains reference information on command-line utilities provided by iPlanet Directory Server 5.1 that allow you to access and modify entries. These command-line utilities make it easy to perform administration tasks on the Directory Server. This chapter is divided into the following sections:

Finding and Executing Command-Line Utilities

Command-Line Utilities Quick Reference

Using Special Characters

ldapsearch

ldapmodify

ldapdelete

ldif

Finding and Executing Command-Line Utilities

The ldapsearch, ldapmodify, and ldapdelete command line utilities are stored in the following directory:

Solaris 9 platform
/usr/iplanet/ds5/shared/bin

Other platforms
installDir/shared/bin

and the ldif command line utility is stored in the following directory:

Solaris 9 platform
/usr/iplanet/ds5/bin/slapd/server

Other platforms
installDir/bin/slapd/server

Caution
In order to execute the command-line utilities, you must change to the directory where the command-line utilities are stored. Although it is possible to set command-path and library-path variables to execute the utilities, this is not recommended procedure. You run the risk of disrupting the correct execution of other utilities and of compromising the security of the system, particularly when you have more than one server version installed.
The same procedure also applies to the Perl scripts provided with Directory Server. For further information on these and other scripts, see Chapter 8 "Command-Line Scripts."

Command-Line Utilities Quick Reference

Table 7-1 Commonly Used Command-Line Utilities

Command-line utility

Description

ldapsearch

Allows you to search the directory. Returns search results in LDIF format. For details on this tool, see Appendix B, "Finding Directory Entries" in the iPlanet Directory Server Administrator's Guide.

ldapmodify

Allows you to add, delete, modify, or rename entries. All operations are specified using LDIF update statements. For details on this tool, see "Adding and Modifying Entries Using ldapmodify".

ldapdelete

Allows you to delete entries in the directory. For information on using this utility, see "Deleting Entries Using ldapdelete".

ldif

Automatically formats LDIF files for you, and creates base 64 encoded attribute values. For details on this tool, see "Base 64 Encoding".

Caution
iPlanet Directory Server ldap utilities are not to be confused with the Solaris ldap utilities. If you have Directory Server installed on a Solaris machine, the ldap man pages you can access are for the Solaris ldap utilities and NOT for iPlanet Directory Server ldap utilities.

Using Special Characters

When using the ldapsearch command-line utility, you may need to specify values containing characters that have special meaning to the command-line interpreter, such as space, asterisk (*), and backslash (\). When this situation occurs, enclose the value in quotation marks (""). For example:
-D "cn=Barbara Jensen, ou=Product Development, dc=siroe,dc=com"
Depending on which command-line interpreter you use, use either single or double quotation marks for this purpose. Refer to your operating system documentation for more information.
Also, if you are using DNs that contain commas (,) in values, you must escape the commas with a backslash. For example:
-D "cn=Patricia Fuentes, ou=people, dc=Siroe,dc=Bolivia\, S.A."

ldapsearch

A configurable utility that allows you to locate and retrieve directory entries via LDAP. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on a specified search filter. Search scopes can include a single entry, an entry's immediate subentries, or an entire tree or subtree. Search results are returned in LDIF format.
The ldapsearch command has the following format:

ldapsearch -b baseDN [options] filter [list_of_attributes]

where

options is a series of optional command line options. These must be specified before the search filter, if any.

filter is an LDAP search filter as described in iPlanet Directory Server Administrator's Guide. Do not specify a search filter if you are supplying search filters in a file using the -f option.

list_of_attributes is an optional list of space-separated attributes that reduce the scope of the attributes returned in the search results. This list of attributes must appear after the search filter. For a usage example, see the iPlanet Directory Server Administrator's Guide. If you do not specify a list of attributes, the search returns values for all attributes permitted by the access control set in the directory, with the exception of operational attributes.
If you want operational attributes returned as a result of a search operation, you must explicitly specify them in the search command. To retrieve regular attributes in addition to explicitly specified operational attributes, specify "*" in addition to the operational attributes.

ldapsearch options
The following three sections list the options which can be specified with ldapsearch. The first section lists those options most commonly used, the second section lists SSL options, and the third section lists less common options.

Commonly Used ldapsearch options
The following lists the most commonly used ldapsearch command-line options. If you specify a value that contains a space, the value should be surrounded by double quotation marks, for example, -b "ou=groups, dc=siroe,dc=com".

-b

Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN.
The value specified in this option should be provided in double quotation marks. For example:
-b "cn=Barbara Jensen, ou=Product Development, dc=siroe,dc=com".
The root DSE entry is a special entry that contains a list of all the suffixes supported by the local directory. To search this entry, you must supply a search base of "", a search scope of base, and a filter of "objectclass=*". For example:
-b "" -s base "objectclass=*"

-D

Specifies the distinguished name with which to authenticate to the server. This option is optional if anonymous access is supported by your server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries. For example:
-D "uid=bjensen, dc=siroe,dc=com".

-h

Specifies the hostname or IP address of the machine on which the Directory Server is installed. If you do not specify a host, ldapsearch uses the localhost. For example, -h mozilla.

-j

Specifies the file from which the bind password is read. Used for simple authentication. If this option is specified, the -w option must not be specified.

-l

Specifies the maximum number of seconds to wait for a search request to complete. Regardless of the value specified here, ldapsearch will never wait longer than is allowed by the server's nsslapd-timelimit attribute. For example, -l 300. The default value for the nsslapd-timelimit attribute is 3,600 seconds. See "nsslapd-timelimit (Time Limit)" for more information.

-p

Specifies the TCP port number that the Directory Server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636.

-s

Specifies the scope of the search. The scope can be one of the following:
base - Search only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable.
one - Search only the immediate children of the entry specified in the -b option. Only the children are searched, the actual entry specified in the -b option is not searched.
sub - Search the entry specified in the -b option and all of its descendants. That is, perform a subtree search starting at the point identified in the -b option. This is the default.

-w

Specifies the password associated with the distinguished name that is specified in the -D option. If you do not specify this option, anonymous access is used. If you specify -w -, the utility prompts for the password. If either w option is specified, the -j option must not be specified. For example, -w diner892.

-x

Specifies that the search results are sorted on the server rather than on the client. This is useful if you want to sort according to a matching rule, as with an international search. In general, it is faster to sort on the server than on the client.

-z

Specifies the maximum number of entries to return in response to a search request. For example, -z 1000. Normally, regardless of the value specified here, ldapsearch never returns more entries than the number allowed by the server's nsslapd-sizelimit attribute. However, you can override this limitation by binding as the root DN when using this command-line argument. This is because, when you bind as the root DN, this option defaults to zero (0). The default value for the nsslapd-sizelimit attribute is 2,000 entries. See "nsslapd-sizelimit (Size Limit)" for more information.

SSL options
You use the following command-line options to specify that ldapsearch use LDAPS when communicating with your SSL-enabled Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for your Directory Server. For information on certificate-based authentication and creating a certificate database for use with LDAP clients, see Chapter 11, "Managing SSL" in the iPlanet Directory Server Administrator's Guide.
In addition to the standard ldapsearch options, to run an ldapsearch command using SSL, you must specify the following:

-p to specify Directory Server's encrypted port

-Z to specify SSL

-P to specify your certificate database's file and pathname

-N to specify your certificate name

-K to specify your private key file and pathname

-W to specify your private key database password

-K

Specifies the file and path name of the private key database of the client. This information is required for certificate-based client authentication.

-m

Specifies the path to the security module database. For example, installDir/secmodule.db. You only need to specify this option if the security module database is in a different directory from the certificate database itself.

-N

Specifies the certificate name to use for certificate-based client authentication. For example, -N "Server-Cert". If this option is specified, then the -Z, -P, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.

-P

Specifies the path and filename of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled version of Netscape Communicator is configured, the path specified on this option can be that of the certificate database for Communicator. For example, -P c:\security\cert.db. The client security files can also be stored on the Directory Server in the installDir/alias directory. In this case, the -P option calls out a path and filename similar to the following:
-P c:\iplanet\servers\alias\client-cert.db.

-W

Specifies the password for the private key database identified in the -P option. For example, -W serverpassword

-Z

Specifies that SSL is to be used for the search request.

Additional ldapsearch Options
To further customize a search, use the following optional options:

-A

Specifies that the search retrieve the attributes only, not the attribute values. This option is useful if you just want to determine if an attribute is present for an entry and you are not interested in the value.

-a

Specifies how alias dereferencing is completed. Value can be "never," "always," "search," or "find." Default value is "never."

-B

Print binary values. Specifies that binary values stored in the directory should be printed in the search output. If you use -B and -o together, then the binary data will not use base 64 encoding.

-F

Specify a different separator. This option can only be used with -o. This option allows you to specify a separator other than a colon ":" to separate an attribute name from the corresponding value. For example, -F +

-f

Specifies the file containing the search filter(s) to be used in the search. For example, -f search_filters. Omit this option if you want to supply a search filter directly to the command line. For more information about search filters, see Appendix B, "Finding Directory Entries" in the iPlanet Directory Server Administrator's Guide.

-G

Virtual list search. Allows you to specify the number of entries before or after the search target, and the index or value of the first entry returned. For example, if you are sorting by surname, -G 20:30:johnson returns the first entry with a surname equal to or less than johnson, in addition to 20 entries that come before it and 30 entries that come after it. If there are fewer matching entries in the directory than the "before" or "after" number requested by the search, all available entries before/after the search target that match the search criteria are returned.

-i

Character set. Specifies the character set to use for command line input. The default is the character set specified in the LANG environment variable. You might want to use this option to perform the conversion from the specified character set to UTF8, thus overriding the environment variable setting.
Using this argument, you can input the bind DN, base DN, and the search filter pattern in the specified character set. ldapsearch converts the input from these arguments before it processes the search request. For example, -i no indicates that the bind DN, base DN, and search filter are provided in Norwegian.
This argument only affects the command-line input, that is, if you specify a file containing a search filter (with the -f option), ldapsearch will not convert the data in the file.

-k

Conversion routines directory. If you want to specify a sort language that is not supported by default in this release of the Directory Server, for example, one obtained from a later release of the LDAP SDK, you need to supply the directory in which you store the conversion routines. You can view the list of supported languages in Table B.1 in the iPlanet Directory Server Administrator's Guide.
When performing the search, the server looks in the current working directory. However, if the conversion routines are not in the current working directory, you need to specify this option when using ldapsearch. The conversion routines directory is located by default in installDir/lib/nls.

-M

Manage smart referrals. The server does not return the smart referral contained on the entry, but returns the actual entry containing the referral instead. Use this option if you are attempting to search for entries that contain smart referrals. For more information about smart referrals, see Chapter 2, "Configuring Directory Databases" in the iPlanet Directory Server Administrator's Guide.

-n

Specifies that the search is not actually performed, but that ldapsearch shows what it would do with the specified input.

-O

Specifies the maximum number of referral hops ldapsearch should automatically follow. For example, -O 2.

-o

Specifies that the output for individual values be formatted without line breaks and that equal signs "=" be used to separate attribute names from values. This argument produces output in a non-LDIF format.

-R

Specifies that referrals are not to be followed automatically. By default, referrals are followed automatically.

-S

Specifies the attribute to use as the sort criteria. For example, -S sn. You can use multiple -S arguments if you want to further define the sort order. In the following example, the search results will be sorted first by surname and then by given name:
-S sn -S givenname
The default is not to sort the returned entries.

-T

Specifies that no line breaks should be used within individual values in the search results.

-t

Specifies that the results be written to a set of temporary files. When you use this option, each attribute value is placed in a separate file within the system temporary directory. No base64 encoding is performed on the values, regardless of the content.

-u

Specifies that the user-friendly form of the distinguished name be used in the output.

-v

Specifies that the utility is to run in verbose mode.

-V

Specifies the LDAP version number to be used on the search. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 search against a Directory Server that only supports LDAP v2. Only use LDAP v2 when connecting to LDAP v2 servers, such as Netscape Directory Server 1.x.

-y

Specifies the proxy DN to use for the search. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 6, "Managing Access Control" in the iPlanet Directory Server Administrator's Guide.

ldapmodify

Allows you to make changes to directory entries via LDAP.

Syntax
ldapmodify -D bindDN [-w password] [-acmnrvFR] [-d debugLevel]
[-h host] [-p port] [-M auth_mechanism] [-Z] [-V version]
[-l number_of_ldap_connections] [-f file | < entryfile ]

ldapmodify options
The following three sections list the options that can be specified with ldapmodify. The first section lists those options most commonly used, the second section lists SSL options, and the third section lists less common options.

Commonly Used ldapmodify options
To modify an entry or entries in an existing directory, use the ldapmodify command-line utility with the following options:

-a

Allows you to add LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory. This option also allows you to directly add a file created by ldapsearch.

-B

Specifies the suffix under which the new entries will be added.

-D

Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries. For example, -D "uid=bjensen, dc=siroe,dc=com". You cannot use this option with the -N option.

-f

Optional option that specifies the file containing the LDIF update statements used to define the directory modifications. For example, -f modify_statements. If you do not supply this option, the update statements are read from stdin. For information on supplying LDIF update statements from the command line, see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide.

-h

Specifies the name of the host on which the server is running. For example, -h cyclops.

-j

Specifies the file from which the bind password is read. Used for simple authentication. If this option is specified, the -w option must not be specified.

-p

Specifies the port number that the server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636.

-q

Causes each add to be performed silently rather than being echoed to the screen individually.

-w

Specifies the password associated with the distinguished name that is specified in the -D option. If you do not specify this option, anonymous access is used. If you specify -w -, the utility prompts for the password. If either w option is specified, the -j option must not be specified. For example, -w diner892.

-R

Specifies that referrals are not to be followed automatically. By default, the server follows referrals.

-v

Specifies that the utility is to run in verbose mode.

-V

Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.

-y

Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide.

SSL options
You can use the following command-line options to specify that ldapmodify is to use LDAP over SSL (LDAPS) when communicating with your Directory Server. LDAPS encrypts data during transit. You also use these options if you want to use certificate-based authentication. These options are valid only when SSL has been turned on and configured for your Directory Server. For more information on certificate-based authentication and on creating a certificate database for use with LDAP clients, see Chapter 11, "Managing SSL" in the iPlanet Directory Server Administrator's Guide.
Make sure that you specify your Directory Server's encrypted port when you use these options:

-K

Specifies the name of the certificate key used for certificate-based client authentication. For example, -K Server-Key.

-N

Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.

-P

Specifies the path and filename of the security files for the client. This option is used only with the -Z option. When used on a machine where a SSL-enabled web browser is configured, the path specified on this option can be pointed to the security database for the web browser. For example, -P c:\security\cert.db. You can also store the client security files on the Directory Server in the installDir/alias directory.

-W

Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.

-Z

Specifies that SSL is to be used for the directory request.

Additional ldapmodify options
The following options offer additional functionality:

-b

Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as images. For example, if you wanted to add a jpegPhoto attribute, then specify the -b option on the ldapmodify call. In the LDIF you provide to ldapmodify, include a statement using the following notation:
jpegPhoto: /tmp/photo.jpeg
ldapmodify reads the contents of the photo.jpeg file into the jpegPhoto attribute that you are placing on the entry.
On Windows NT, the format of this option is exactly the same (including the forward slashes, except that you can specify a drive letter). For example:
jpegPhoto: c:\tmp\photo.jpeg.
Note that this behavior is not supported by Directory Console. In the Console, values that begin with a slash are added literally to the directory.
For further information on importing binary data into the directory, see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide.

-c

Specifies that the utility run in continuous operation mode. Errors are reported, but the utility continues with modifications. The default is to quit after reporting an error.

-H

Lists all available ldapmodify options.

-M

Manage smart referrals. The server does not return the smart referral contained on the entry, but applies the modification request directly to the entry instead. Use this option if you are attempting to add, change, or delete a directory entry that contains a smart referral. For more information about smart referrals, see Chapter 2, "Configuring Directory Databases" in the iPlanet Directory Server Administrator's Guide.

-n

Specifies that the entries are not actually modified, but that ldapmodify shows what it would do with the specified input.

-O

Specifies the maximum number of referral hops to follow. For example, -O 2.

-R

Specifies that referrals are not to be followed automatically.

-v

Specifies that the utility is to run in verbose mode.

-V

Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You can not perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.

-y

Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 6, "Managing Access Control" in the iPlanet Directory Server Administrator's Guide.

ldapdelete

Allows you to perform delete operations on directory entries via LDAP.

Syntax
ldapdelete [options]

ldapdelete options
The following three sections list the options that can be specified with ldapsdelete. The first section lists those options most commonly used, the second section lists SSL options, and the third section lists less common options.

Commonly Used ldapdelete options
To delete an entry or entries from an existing database, use the ldapdelete command-line utility with the following options:

-D

Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example, -D "uid=bjensen, dc=siroe,dc=com". For more information on access control, see Chapter 6, "Managing Access Control" in the iPlanet Directory Server Administrator's Guide. If you use the -D option, you cannot use the -N option.

-h

Specifies the name of the host on which the server is running. For example, -h cyclops. The default is localhost.

-j

Specifies the file from which the bind password is read. Used for simple authentication. If this option is specified, the -w option must not be specified.

-p

Specifies the port number that the server uses. Default is 389. If -Z is used, the default is 636.

-w

Specifies the password associated with the distinguished name that is specified in the -D option. If you do not specify this option, anonymous access is used. If you specify -w -, the utility prompts for the password. If either w option is specified, the -j option must not be specified. For example, -w diner892.

dn

Specifies the dn of the entry to delete.

SSL options
You use the following options to specify that ldapdelete use LDAPS when communicating with your Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for your Directory Server. For more information on certificate-based authentication and how to create a certificate database for use with LDAP clients, see Chapter 11, "Managing SSL" in the iPlanet Directory Server Administrator's Guide.
Make sure that you specify your Directory Server's encrypted port when you use these options:

-K

Specifies the name of the certificate key used for certificate-based client authentication. For example, -K Server-Key.

-N

Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w

-P

Specifies the path and filename of the security files for the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can point to the security database for the web browser. For example, -P c:\security\cert.db. The client security files can also be stored on the Directory Server in the installDir/alias directory.

-W

Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.

-Z

Specifies that SSL is to be used for the delete request.

Additional ldapdelete options
The following options offer additional functionality:

-c

Specifies that the utility must run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error.

-f

Specifies the file containing the distinguished names of entries to be deleted. For example, -f modify_statements. Omit this option if you want to supply the distinguished name of the entry to be deleted directly to the command line.

-H

Lists all available ldapdelete options.

-M

Manage smart referrals. The server does not return the smart referral contained on the entry, but deletes the actual entry containing the smart referral instead. For more information about smart referrals, see Chapter 2, "Configuring Directory Databases" in the iPlanet Directory Server Administrator's Guide.

-n

Specifies that the entries are not actually deleted, but that ldapdelete shows what it would do with the specified input.

-O

Specifies the maximum number of referral hops to follow. For example, -O 2. There is no maximum number of referral hops.

-R

Specifies that referrals are not to be followed automatically. By default, the server follows referrals.

-v

Specifies that the utility is to run in verbose mode.

-V

Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.

-y

Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 6, "Managing Access Control" in the iPlanet Directory Server Administrator's Guide.

ldif

Automatically formats LDIF files for you, and creates base 64 encoded attribute values. With Base 64 Encoding you can represent Binary data, such as a JPEG image, in LDIF by using base 64 encoding. You identify base 64 encoded data by using the :: symbol. For example:
jpegPhoto:: <encoded data>
In addition to binary data, other values that must be base 64 encoded include:

any value that begins with a semicolon (;) or a space

any value that contains non-ASCII data, including newlines
The ldif command-line utility will take any input and format it with the correct line continuation and appropriate attribute information. The ldif utility also senses whether the input requires base 64 encoding.

Syntax
The ldif command has the following format:

Solaris 9 platform
/usr/sbin/directoryserver ldif [-b] [attrtypes]

Other platforms
installDir/bin/slapd/server ldif [-b] [attrtypes]

Options

-b

Specifies that the ldif utility should interpret the entire input as a single binary value. If -b is not present, each line is considered to be a separate input value.
As an alternative to the -b option, you can you can use the :< URL specifier notation, which is in fact simpler to use. For example:
jpegphoto:< file:///tmp/myphoto.jpg
Although the official notation requires three ///, the use of one / is tolerated.

Command-line utility	Description
ldapsearch	Allows you to search the directory. Returns search results in LDIF format. For details on this tool, see Appendix B, "Finding Directory Entries" in the iPlanet Directory Server Administrator's Guide.
ldapmodify	Allows you to add, delete, modify, or rename entries. All operations are specified using LDIF update statements. For details on this tool, see "Adding and Modifying Entries Using ldapmodify".
ldapdelete	Allows you to delete entries in the directory. For information on using this utility, see "Deleting Entries Using ldapdelete".
ldif	Automatically formats LDIF files for you, and creates base 64 encoded attribute values. For details on this tool, see "Base 64 Encoding".

-b	Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks. For example: -b "cn=Barbara Jensen, ou=Product Development, dc=siroe,dc=com". The root DSE entry is a special entry that contains a list of all the suffixes supported by the local directory. To search this entry, you must supply a search base of "", a search scope of base, and a filter of "objectclass=". For example: -b "" -s base "objectclass="
-D	Specifies the distinguished name with which to authenticate to the server. This option is optional if anonymous access is supported by your server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries. For example: -D "uid=bjensen, dc=siroe,dc=com".
-h	Specifies the hostname or IP address of the machine on which the Directory Server is installed. If you do not specify a host, ldapsearch uses the localhost. For example, -h mozilla.
-j	Specifies the file from which the bind password is read. Used for simple authentication. If this option is specified, the -w option must not be specified.
-l	Specifies the maximum number of seconds to wait for a search request to complete. Regardless of the value specified here, ldapsearch will never wait longer than is allowed by the server's nsslapd-timelimit attribute. For example, -l 300. The default value for the nsslapd-timelimit attribute is 3,600 seconds. See "nsslapd-timelimit (Time Limit)" for more information.
-p	Specifies the TCP port number that the Directory Server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636.
-s	Specifies the scope of the search. The scope can be one of the following: base - Search only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable. one - Search only the immediate children of the entry specified in the -b option. Only the children are searched, the actual entry specified in the -b option is not searched. sub - Search the entry specified in the -b option and all of its descendants. That is, perform a subtree search starting at the point identified in the -b option. This is the default.
-w	Specifies the password associated with the distinguished name that is specified in the -D option. If you do not specify this option, anonymous access is used. If you specify -w -, the utility prompts for the password. If either w option is specified, the -j option must not be specified. For example, -w diner892.
-x	Specifies that the search results are sorted on the server rather than on the client. This is useful if you want to sort according to a matching rule, as with an international search. In general, it is faster to sort on the server than on the client.
-z	Specifies the maximum number of entries to return in response to a search request. For example, -z 1000. Normally, regardless of the value specified here, ldapsearch never returns more entries than the number allowed by the server's nsslapd-sizelimit attribute. However, you can override this limitation by binding as the root DN when using this command-line argument. This is because, when you bind as the root DN, this option defaults to zero (0). The default value for the nsslapd-sizelimit attribute is 2,000 entries. See "nsslapd-sizelimit (Size Limit)" for more information.

-K	Specifies the file and path name of the private key database of the client. This information is required for certificate-based client authentication.
-m	Specifies the path to the security module database. For example, installDir/secmodule.db. You only need to specify this option if the security module database is in a different directory from the certificate database itself.
-N	Specifies the certificate name to use for certificate-based client authentication. For example, -N "Server-Cert". If this option is specified, then the -Z, -P, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.
-P	Specifies the path and filename of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled version of Netscape Communicator is configured, the path specified on this option can be that of the certificate database for Communicator. For example, -P c:\security\cert.db. The client security files can also be stored on the Directory Server in the installDir/alias directory. In this case, the -P option calls out a path and filename similar to the following: -P c:\iplanet\servers\alias\client-cert.db.
-W	Specifies the password for the private key database identified in the -P option. For example, -W serverpassword
-Z	Specifies that SSL is to be used for the search request.

-A	Specifies that the search retrieve the attributes only, not the attribute values. This option is useful if you just want to determine if an attribute is present for an entry and you are not interested in the value.
-a	Specifies how alias dereferencing is completed. Value can be "never," "always," "search," or "find." Default value is "never."
-B	Print binary values. Specifies that binary values stored in the directory should be printed in the search output. If you use -B and -o together, then the binary data will not use base 64 encoding.
-F	Specify a different separator. This option can only be used with -o. This option allows you to specify a separator other than a colon ":" to separate an attribute name from the corresponding value. For example, -F +
-f	Specifies the file containing the search filter(s) to be used in the search. For example, -f search_filters. Omit this option if you want to supply a search filter directly to the command line. For more information about search filters, see Appendix B, "Finding Directory Entries" in the iPlanet Directory Server Administrator's Guide.
-G	Virtual list search. Allows you to specify the number of entries before or after the search target, and the index or value of the first entry returned. For example, if you are sorting by surname, -G 20:30:johnson returns the first entry with a surname equal to or less than johnson, in addition to 20 entries that come before it and 30 entries that come after it. If there are fewer matching entries in the directory than the "before" or "after" number requested by the search, all available entries before/after the search target that match the search criteria are returned.
-i	Character set. Specifies the character set to use for command line input. The default is the character set specified in the LANG environment variable. You might want to use this option to perform the conversion from the specified character set to UTF8, thus overriding the environment variable setting. Using this argument, you can input the bind DN, base DN, and the search filter pattern in the specified character set. ldapsearch converts the input from these arguments before it processes the search request. For example, -i no indicates that the bind DN, base DN, and search filter are provided in Norwegian. This argument only affects the command-line input, that is, if you specify a file containing a search filter (with the -f option), ldapsearch will not convert the data in the file.
-k	Conversion routines directory. If you want to specify a sort language that is not supported by default in this release of the Directory Server, for example, one obtained from a later release of the LDAP SDK, you need to supply the directory in which you store the conversion routines. You can view the list of supported languages in Table B.1 in the iPlanet Directory Server Administrator's Guide. When performing the search, the server looks in the current working directory. However, if the conversion routines are not in the current working directory, you need to specify this option when using ldapsearch. The conversion routines directory is located by default in installDir/lib/nls.
-M	Manage smart referrals. The server does not return the smart referral contained on the entry, but returns the actual entry containing the referral instead. Use this option if you are attempting to search for entries that contain smart referrals. For more information about smart referrals, see Chapter 2, "Configuring Directory Databases" in the iPlanet Directory Server Administrator's Guide.
-n	Specifies that the search is not actually performed, but that ldapsearch shows what it would do with the specified input.
-O	Specifies the maximum number of referral hops ldapsearch should automatically follow. For example, -O 2.
-o	Specifies that the output for individual values be formatted without line breaks and that equal signs "=" be used to separate attribute names from values. This argument produces output in a non-LDIF format.
-R	Specifies that referrals are not to be followed automatically. By default, referrals are followed automatically.
-S	Specifies the attribute to use as the sort criteria. For example, -S sn. You can use multiple -S arguments if you want to further define the sort order. In the following example, the search results will be sorted first by surname and then by given name: -S sn -S givenname The default is not to sort the returned entries.
-T	Specifies that no line breaks should be used within individual values in the search results.
-t	Specifies that the results be written to a set of temporary files. When you use this option, each attribute value is placed in a separate file within the system temporary directory. No base64 encoding is performed on the values, regardless of the content.
-u	Specifies that the user-friendly form of the distinguished name be used in the output.
-v	Specifies that the utility is to run in verbose mode.
-V	Specifies the LDAP version number to be used on the search. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 search against a Directory Server that only supports LDAP v2. Only use LDAP v2 when connecting to LDAP v2 servers, such as Netscape Directory Server 1.x.
-y	Specifies the proxy DN to use for the search. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 6, "Managing Access Control" in the iPlanet Directory Server Administrator's Guide.

-a	Allows you to add LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory. This option also allows you to directly add a file created by ldapsearch.
-B	Specifies the suffix under which the new entries will be added.
-D	Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries. For example, -D "uid=bjensen, dc=siroe,dc=com". You cannot use this option with the -N option.
-f	Optional option that specifies the file containing the LDIF update statements used to define the directory modifications. For example, -f modify_statements. If you do not supply this option, the update statements are read from stdin. For information on supplying LDIF update statements from the command line, see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide.
-h	Specifies the name of the host on which the server is running. For example, -h cyclops.
-j	Specifies the file from which the bind password is read. Used for simple authentication. If this option is specified, the -w option must not be specified.
-p	Specifies the port number that the server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636.
-q	Causes each add to be performed silently rather than being echoed to the screen individually.
-w	Specifies the password associated with the distinguished name that is specified in the -D option. If you do not specify this option, anonymous access is used. If you specify -w -, the utility prompts for the password. If either w option is specified, the -j option must not be specified. For example, -w diner892.
-R	Specifies that referrals are not to be followed automatically. By default, the server follows referrals.
-v	Specifies that the utility is to run in verbose mode.
-V	Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.
-y	Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide.

-K	Specifies the name of the certificate key used for certificate-based client authentication. For example, -K Server-Key.
-N	Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.
-P	Specifies the path and filename of the security files for the client. This option is used only with the -Z option. When used on a machine where a SSL-enabled web browser is configured, the path specified on this option can be pointed to the security database for the web browser. For example, -P c:\security\cert.db. You can also store the client security files on the Directory Server in the installDir/alias directory.
-W	Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.
-Z	Specifies that SSL is to be used for the directory request.

-b	Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as images. For example, if you wanted to add a jpegPhoto attribute, then specify the -b option on the ldapmodify call. In the LDIF you provide to ldapmodify, include a statement using the following notation: jpegPhoto: /tmp/photo.jpeg ldapmodify reads the contents of the photo.jpeg file into the jpegPhoto attribute that you are placing on the entry. On Windows NT, the format of this option is exactly the same (including the forward slashes, except that you can specify a drive letter). For example: jpegPhoto: c:\tmp\photo.jpeg. Note that this behavior is not supported by Directory Console. In the Console, values that begin with a slash are added literally to the directory. For further information on importing binary data into the directory, see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide.
-c	Specifies that the utility run in continuous operation mode. Errors are reported, but the utility continues with modifications. The default is to quit after reporting an error.
-H	Lists all available ldapmodify options.
-M	Manage smart referrals. The server does not return the smart referral contained on the entry, but applies the modification request directly to the entry instead. Use this option if you are attempting to add, change, or delete a directory entry that contains a smart referral. For more information about smart referrals, see Chapter 2, "Configuring Directory Databases" in the iPlanet Directory Server Administrator's Guide.
-n	Specifies that the entries are not actually modified, but that ldapmodify shows what it would do with the specified input.
-O	Specifies the maximum number of referral hops to follow. For example, -O 2.
-R	Specifies that referrals are not to be followed automatically.
-v	Specifies that the utility is to run in verbose mode.
-V	Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You can not perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.
-y	Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 6, "Managing Access Control" in the iPlanet Directory Server Administrator's Guide.

-D	Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example, -D "uid=bjensen, dc=siroe,dc=com". For more information on access control, see Chapter 6, "Managing Access Control" in the iPlanet Directory Server Administrator's Guide. If you use the -D option, you cannot use the -N option.
-h	Specifies the name of the host on which the server is running. For example, -h cyclops. The default is localhost.
-j	Specifies the file from which the bind password is read. Used for simple authentication. If this option is specified, the -w option must not be specified.
-p	Specifies the port number that the server uses. Default is 389. If -Z is used, the default is 636.
-w	Specifies the password associated with the distinguished name that is specified in the -D option. If you do not specify this option, anonymous access is used. If you specify -w -, the utility prompts for the password. If either w option is specified, the -j option must not be specified. For example, -w diner892.
dn	Specifies the dn of the entry to delete.

-K	Specifies the name of the certificate key used for certificate-based client authentication. For example, -K Server-Key.
-N	Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w
-P	Specifies the path and filename of the security files for the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can point to the security database for the web browser. For example, -P c:\security\cert.db. The client security files can also be stored on the Directory Server in the installDir/alias directory.
-W	Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.
-Z	Specifies that SSL is to be used for the delete request.

-c	Specifies that the utility must run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error.
-f	Specifies the file containing the distinguished names of entries to be deleted. For example, -f modify_statements. Omit this option if you want to supply the distinguished name of the entry to be deleted directly to the command line.
-H	Lists all available ldapdelete options.
-M	Manage smart referrals. The server does not return the smart referral contained on the entry, but deletes the actual entry containing the smart referral instead. For more information about smart referrals, see Chapter 2, "Configuring Directory Databases" in the iPlanet Directory Server Administrator's Guide.
-n	Specifies that the entries are not actually deleted, but that ldapdelete shows what it would do with the specified input.
-O	Specifies the maximum number of referral hops to follow. For example, -O 2. There is no maximum number of referral hops.
-R	Specifies that referrals are not to be followed automatically. By default, the server follows referrals.
-v	Specifies that the utility is to run in verbose mode.
-V	Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.
-y	Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 6, "Managing Access Control" in the iPlanet Directory Server Administrator's Guide.

-b	Specifies that the ldif utility should interpret the entire input as a single binary value. If -b is not present, each line is considered to be a separate input value. As an alternative to the -b option, you can you can use the :< URL specifier notation, which is in fact simpler to use. For example: jpegphoto:< file:///tmp/myphoto.jpg Although the official notation requires three ///, the use of one / is tolerated.

Previous Contents Index DocHome Next
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated October 29, 2001

Solaris 9 platform	/usr/iplanet/ds5/shared/bin
Other platforms	installDir/shared/bin

Solaris 9 platform	/usr/iplanet/ds5/bin/slapd/server
Other platforms	installDir/bin/slapd/server

Solaris 9 platform	/usr/sbin/directoryserver ldif [-b] [attrtypes]
Other platforms	installDir/bin/slapd/server ldif [-b] [attrtypes]