| Previous Contents Index Next |
| iPlanet Directory Server Resource Kit 5.1 Tools Reference |
Chapter 32 ilash Command Reference
This chapter contains the detailed reference for each command of the ilash tool. Each reference gives the command-line syntax, the list of options and a description. In many cases, an example shows a typical usage of the command.Some commands are synonyms of others: they are aliases to other commands that are fully referenced. Synonyms have identical command-line options all of the same functionality. For a quick overview of all ilash commands, see "Summary of Commands".
This chapter contains the following sections:
Common Options
Common Options
This section describes the options that are common to many commands. These options are not repeated in the syntax or description of each command reference, unless their meaning or usage is different in a particular command.
Online Help
All of the commands support the -help option that will list all possible options for that command, including the common options. For example:
Full option names are given in the help message and used in descriptions and examples of this book. However, the ilash interpreter will recognize the shortest unique prefix of an option name. This abbreviation is sufficient to select that option on that tool. Prefixes for the same option may be different for each command due to ambiguities with other option names.
- [Siroe,com]% dshowname -help
dshowname - show the name of an entry,
[<object>] [-ufn] [-ldap] [-help]
LDAP-Specific Options
The ilash commands that perform directory access operations all have a set options for specifying LDAP functionality. The LDAP-specific options include limits and controls that may apply to an LDAP request. The following commands support the LDAP-specific options:
dmodify dmod
dmodifyrdn dmodrdn
dmoveto dmove dcd
drelocate
dschema
dsearch
dshowentry dshowLDAP-specific options either have a default value or are not mandatory, meaning that they are not needed in most cases. When they are needed, it is best to specify them in the service configuration parameter so that they always apply to all directory access commands (see "Configuration Parameters").
Any of these options may still be given on the command line, to override either the default behavior or the configuration file settings.
Display Options
The commands that display entries have common option for formatting their output. The display options control how entries are read from the directory and displayed in the output of the command. The following commands support display options:
Again, you may wish to set these options as defaults for the commands in a configuration file.
- dsearch dshowentry dshow
The default behavior listed for each command option in this reference chapter may be modified by configuration files (see "Command Defaults"). Options usually exist in pairs to allow either the command default or the configured default to be overridden. For example, the dshow command might be configured to not show attribute names. It is still possible to display the attribute names, but you must specify dshow -key.
Specifying Target Objects
Nearly every command requires you to specify the distinguished name of the entry that is the target of the command. Some commands will accept more than one entry as the target.There are several methods available for specifying a target object:
A fully qualified DN may specify a target anywhere in the directory.
When an explicit target is not specified, the current directory position is the default target for all ilash commands.
The ".." object refers to the parent of the current directory location, and "." refers to the current directory location.
A relative DN specifies a target in subtree rooted at the current directory position. A relative DN contains a trailing comma (,), for example "uid=bjensen,ou=People," is valid when the current location is "dc=Siroe,dc=com".
An abbreviation defined in the user's .lashconfig file can be used as a target: the command will operate on the entry to which it refers.
- Relative DNs may not be combined with the parent ".." notation.
A valid sequence number will designate its corresponding entry in the current sequence as the target. Specify the sequence name and a dot separator (.) in front of the sequence to refer to an entry in another sequence. Ranges of sequence numbers may be used with commands that accept multiple targets such as dshow. These commands will also accept a mix of ranges and named sequence identifiers, for example:
Command Reference Section
Synonym for the dhelp command.
Compose an entry in LDIF and perform an LDAP add operation.
SYNTAX
dadd
[object ] [-objectclass objectclass ... ]
[-draft draftLocation ] [-newdraft]
[LDAP-specificOptions ]dadd
[object ] [-template templateFile ]
[-[no]edit]] [LDAP-specificOptions ]
OPTIONS
Specify the DN of the entry to be added. The DN will be used in the new draft of an LDIF entry to which you add attributes and values before the command can add it to the directory. If you specify a relative DN, it will be expanded to its full value. The default value is the DN of the current location.
Specify the one or more object classes to which the new entry will belong. The tool will generate a new draft that, if the directory schema is loaded, will contain all parent object classes and all required and possible attributes. The default object class is person, which also implies top.
Specify a file location that contains your template for creating new entries. This template file may contain any text you wish for creating a single entry, except for its DN. You should always specify the object option with the -template option. The -objectclass option is ignored when using a template file.
The template file will be copied to the draft location, and the DN determined by the object option (or its default value) will be appended as the first line of the file. Then, you will have the opportunity to edit its contents before it is used to add a new entry. The template file is never modified.
Specify the location of the draft file. This is where the tool will generate an LDIF text file containing the entry to add. The default location is the .lashdraft file in the user's home directory.
If a file exists at that location, the tool will ask you whether or not to use it as the draft. If you choose to use the existing draft file, the object and objectclass options will be ignored. If you choose not to use an existing draft file, if you specify a template file, or if you specify the -newdraft option, any file at the draft location will be overwritten.
Force the tool to generate a new draft file using the values of the object and objectclass options. Any file at the draft location will be overwritten without the choice to edit it instead. You must edit this new draft file to specify all necessary attribute values.
Specify whether or not you want to edit the draft file interactively before it is used to add an entry. The default is the -edit option.
Use the -noedit, -template, and object options to add entries without any interaction. The template file and object must specify a complete and valid LDIF entry. This option is not compatible with -newdraft.
See further options in "LDAP-Specific Options".
DESCRIPTION
The dadd command creates an entry in LDIF, allows you to edit it, and then adds it to the directory. The credentials used to bind to the current directory must have permission to add the given entry.There are two scenarios for creating an LDIF entry interactively:
Specify a DN or relative DN along with object class names to generate a draft of the entry. If the directory schema has been imported with the dbind -schema option or the dschema -import command, the tool will automatically generate a draft with all object classes, their parent classes, and all possible attributes. The tool will open a text editor and you must complete the draft to create a valid entry in LDIF. When you close the editor, the tool will submit this entry in an LDAP add operation and rename the draft file with the suffix .old.
If an add operation fails, the draft will not be renamed, and you may run dadd again with the same command line. It will detect the draft and ask if you want to edit it. If yes, it will open the text editor, allowing you to modify and resubmit the entry. If not, it will create a new draft file using the DN and object class names or the template on the command line and overwrite the failed draft file.Specify a DN and a template file that contains your draft for new LDIF entries. The tool will copy this file to the draft location and then open a text editor for you to complete the entry. When you close the editor, the tool will submit this entry as an LDAP add operation and rename the draft file with the suffix .old.
The text editor is defined by the EDITOR variable in your environment. If this variable is not defined, you will be prompted for the name of a text editor application.
You may also use the dadd command to add an entry without interaction. Use the -noedit and -template options, specify the DN as the target object , and specify a complete valid LDIF entry, without the DN, in the template file.
EXAMPLES
The following command will create a draft entry and open it in an editor for you to complete:
The new draft will contain the parent object classes and all possible attributes for you to fill in (output edited for length):
- [People,Siroe,com]% dadd "uid=bslater," -newdraft \
-objectclass organizationalPerson
The next example uses the following template file, which expressly has no DN:
- dn: uid=bslater, ou=People, dc=Siroe, dc=com
objectClass: organizationalperson
objectClass: person
objectClass: top
#destinationIndicator:
#facsimileTelephoneNumber:
#internationaliSDNNumber:
#l:
#ou:
...
#sn:
#cn:
#description:
#seeAlso:
#telephoneNumber:
#userPassword:
Because the template contains all required information, we may add the entry without editing the intermediate draft file:
- objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ted Morris
sn: Morris
givenname: Ted
uid: tmorris
mail: tmorris@Siroe.com
telephonenumber: +1 555 058 4282
- [People,Siroe,com]% dadd "uid=tmorris," -template morris.ldif \
-noedit
SEE ALSO
dbind -schema, dschema -import
Perform an LDAP bind operation.
SYNTAX
dbind
[-call URL-alias ] [-noconnect] [-[no]move]
[-v2|-v3] [-[no]schema] [-[no]rebind]
[[-user] bindDN ] [-password password ]
[-noauthentication] [-simple] [-hd]
[-tls] [-tlsauth] [-[no]verify]
OPTIONS
Specify the URL or alias name of the directory server target for the connection. Alias names are defined in the ilash configuration files (see "Configuration Files"). If the defaultserver option is not specified in the configuration files, the default server is ldap://localhost/ on port 389.
With the -rebind option, the dbind command will connect to the last server to which it was bound. It will also use the same connection parameters, unless they are overridden by options on this command line. The -norebind option is the default: the dbind command will connect to the default server. These options have no effect during the first connection of the ilash tool.
Prevents any binding so that the dbind command effectively does nothing. This option is used only when launching the ilash tool (see "Starting the Shell").
Specify the bind DN for authentication. The -user keyword is optional. The bindDN itself is optional even for strong authentication if the username parameter is defined in configuration files.
Specify the password for the given username DN. The password is optional because it may be specified in the configuration files for the given username . If this option is not specified and there is no password configured, the command will prompt the user for a password. This avoids ever having to store the password in a file.
Perform anonymous binding, if allowed by the server. This option is the default if no username is not given.
Perform simple, non-encrypted and non-certificate based authentication with a username and a visible password. This is the default if a username is given.
Perform CRAM-MD5 SASL authentication to encrypt the password over the network.
Perform HTTP digest-MD5 authentication to encrypt the password over the network.
Specify that the authentication process use the credentials presented by the user's certificate. The -tlsauth option will also set the -tls option for using encryption during the connection.
Perform an LDAP v2 bind. Use this options for servers that do not support LDAP v3. The default is -v3: perform an LDAP v3 bind.
Specify that the connection should initiate a Start TLS operation with the server immediately after binding. This means that all communication to and from the server will be encrypted.
The -verify option will also set the -tls option. It will cause the ilash client to attempt to verify the certificate presented by the server for the TLS encryption. If the certificate cannot be verified, the connection will not be established. The default is -noverify: do not attempt to verify the server certificate.
Specify whether or not the ilash interpreter should import the directory's schema upon connecting to the server (see dschema -import). Some commands such as dadd offer functionality that relies on the imported schema. The default is -schema.
The -move option specifies that the initial location in the directory should be the server's default naming context. The -nomove option specifies that the initial location should be the root DSE. The value of the local_dit option in the configuration files takes precedence over both, if it is defined. Otherwise, the default is -move.
DESCRIPTION
The dbind command connects the ilash tool to a directory server so that you can access its contents. On startup, the tool will bind to the server using this command and you may specify dbind options on the ilash command line.You may also invoke the dbind command at any time to change servers or modify the bind parameters, such as the bind DN. Any existing connections will be automatically unbound first.
Many of the options such as the server URL and bind DN may be set as parameters in the configuration files to simplify the command line. The configuration files may also enforce an authentication mechanism that requires you to provide user and password credentials when using this command. The possible authentication mechanisms are:
No authentication: no username or password is required.
When using TLS authentication and encryption, you must define the SSL options such as ssl_key and ssl_cert in the configuration files.Simple: your password will be visible on the network; unfortunately, this is the only authentication supported by older LDAP v2 servers.
CRAM-MD5: provides encryption of the password so that it is not exposed.
HTTP digest-MD5: alternate encryption of the password so that it is not exposed.
TLS authentication: provides a secure connection through certificates and encryption.
EXAMPLES
The following example illustrates an anonymous bind to a server specified by its URL-format name:
The second example shows how to initiate a secure connection with a server defined as SiroeSecure in the configuration files:
- [not bound]% dbind -call ldap://ldap.Siroe.com:398/
- [not bound]% dbind -call SiroeSecure "cn=directory manager" \
-tls -verify
- Enter password for "cn=directory manager":
SEE ALSO
drebind
Synonym for the ddelete command.
Export entries from the directory as LDIF text to a file or the standard output.
SYNTAX
dbulkdump
[object ... ] [-file filename ] [-[no]header]
[-[no]base] [-[no]below]
[LDAP-specificOptions ]
OPTIONS
Specify the root entry of the directory subtree to be exported. You may specify multiple objects: each of their subtrees will be output in the order specified.
Specify the name of a file to contain the LDIF output. When this option is omitted, the command will use the standard output.
Specify whether or not LDIF header information appears in the output. The header is a single line with a version identifier. The default is -header.
Specify whether or not the root entries of the target subtrees are included in the output. With the -nobase option, the target objects on the command line will not appear in the output, only their subtrees will. The default is -base.
Specify whether or not subtree entries are included in the output. With the -nobelow option, only the target entries on the command line will appear in the output. The default is -below.
See further options in "LDAP-Specific Options".
DESCRIPTION
The dbulkdump command writes entries in LDIF format to a file or to the standard output. Along with the dbulkload, this command provides the ability to back up your directory data or to move entries and entire subtrees to a different directory.Export to the CSV (comma-separated value) format is not supported.
By default the tool will export all entries in the subtree rooted at the target object. The order of entries in the LDIF output will preserve the structure of the subtree hierarchy. Specifying multiple target objects or using the -nobase option may not preserve the structure, in which case the output cannot be bulk-loaded into another directory.
The output of the dbulkdump command is subject to the limit on the number of entries that may be retrieved at one time from the directory. This limit may be set on the client side by the -sizelimit option in "LDAP-Specific Options". On the server side, the number is limited by the nsslapd-sizelimit attribute whose default is 2,000 entries. See "nsslapd-sizelimit (Size Limit)" in the iPlanet Directory Server Command, Configuration and File Reference. If either limit is reached, not all entries will be exported, and an error will be logged in the output.
SEE ALSO
dbulkload
Import entries into the directory from either an LDIF text file or a CSV (comma-separated values) format file.
SYNTAX
dbulkload
[object ] [-[no]overwrite]
[-dereferencealias] [LDAP-specificOptions ]
-ldif filenamedbulkload
[object ] [-[no]overwrite]
-csvdata filename -template filename
[-rdn attributeName ...] [-[no]usefirst]
[LDAP-specificOptions ]
OPTIONS
Define the path and filename of a file containing the LDIF entry records to import. This option in incompatible with all of the CSV-specific attributes.
Specify whether or not existing entries will be overwritten if the imported data contains the DN of an existing entry. The -nooverwrite option will report an error but not stop the import operation when attempting to add an entry that already exists. The default is -overwrite.
The -nooverwrite functionality involves fewer directory operations per entry. Therefore, if efficiency is a concern, specify this option when you know the imported DNs are unique. If you wish to replace entire subtrees, running ddelete then dbulkload with the -nooverwrite option will be faster.
Specify that the server should dereference any aliases in the imported entries. The default is -dontdereferencealias, unlike most other commands that have LDAP-specific options.
The dbulkload command uses the LDAP-specific options for all of the search, delete, and add operations it performs internally. See "LDAP-Specific Options".
Specify a single directory location under which the data is to be loaded. The DN of this location will be used to create the DN of new entries specified by the CSV data. The default value is the current location in the directory.
Define the path and filename of a CSV file that contains attribute values for entries to be added. You must also specify a template file, and in most cases, you will need to specify -rdn attributes.
Define the path and filename of a template file to translate CSV data into a valid entry. A template contains LDIF-like text and placeholders for attributes in the CSV data file.
Specify any number of attributes that will form the relative DN of the entries to be added from a CSV file. The values for these attributes will be used in the order given and appended to the front of the target object to create the DN of each entry. If no attribute names are specified using this option, cn is selected by default.
Specify whether or not to allow attributes given by the -rdn option to have multiple values in the new entry. Setting the -usefirst option allows RDN attributes to be multivalued and selects the first value defined in the CSV data or the template to figure in the RDN. The default is -nousefirst, which will report an error for an entry when one of its RDN attributes has more than one value.
DESCRIPTION
The dbulkload command loads multiple entries from a data file into the directory. The command has two distinct uses, one for each of the LDIF and CSV (comma-separated value) file types it can import:
LDIF files should contain complete entry records, including the DN that determines the absolute location of new entries in the directory. The dbulkdump command and many other tools in the iPlanet Directory Server Resource Kit output LDIF files that can be imported into the directory.
Any errors in the format of an entry or when adding it to the directory will only prevent the entry in question from being loaded. The tool will output an error message but continue loading other entries. Finally, the credentials used to bind to the current directory must have permission to add all given entries.
The CSV format requires a template that determines how the values in the CSV data file are assigned to attributes. CSV is not a standard LDAP format, but many products such as spreadsheets can export columns or fields as comma-separated values.
- The dbulkload command does not support LDIF change records. It supports only LDIF attribute specification records that define all necessary attributes of an entry.
- LDIF files may contain a hierarchy of entries that form an entire subtree. Entries are imported in the order they appear, so parent entries must be given before their children. Also, the DNs of the new entries must fit into the existing directory hierarchy.
- The target object given on the command line will be the parent of all new entries, meaning they may be loaded anywhere in the directory. However, all entries created from CSV data must have the same RDN structure, meaning that they must all be imported at the same level in the directory hierarchy.
EXAMPLE
The following example demonstrates bulk loading using CSV files. The CSV data file is a text file where each line is an entry with fields separated by commas:Adam Alder, Alder, 555-0441, aa@Siroe.com, aa, {FILE}/h/adam.jpg
Bob Brown, Brown, , bb@Siroe.com, bb, {FILE}/h/bob.jpg
Carl Cade, Cade, 555-0443, , cc, {FILE}/h/carl.jpg
Dave Dibbs, Dibbs, 555-0445, dd@Siroe.com, , {FILE}/h/dave.jpg
Eric Elmar, Eric, 555-0447, ee@Siroe.com, ee, {FILE}/h/eric.jpg
A value containing whitespace, a comma, or a quote character should be surrounded by quotes. A quote is specified by two quotes in a row. For example:
The template file contains an LDIF entry with placeholders for field values and no DN. The DN is generated from the target object and the -rdn option specified on the command line. The placeholders are replaced with their corresponding field number. The following is a sample template for the CSV data above:
- employee,"Fred ""Ford""","3rd floor, room 12",0449
Placeholders must appear as attribute values at the end of a template line and must refer to a valid field number. However, field numbers may be repeated and not all fields need to be used in the template.
- objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: $2
cn: $1
telephoneNumber: $3
postalAddress: Siroe.com $ P.O. Box 555 $ Santa Clara, CA 94303
mail: $4
uid: $5
jpegPhoto: $6
The following examples use the CSV sample data and template files above:
The "Scripting Example" also uses the dbulkload command to automate a bulk loading operation.
- [Siroe,com]% dbulkload "ou=People," -csvdata path /data.csv \
-template path /template -rdn cn uid
- Added cn=Adam Alder + uid=aa, ou=People, dc=Siroe, dc=com
Added cn=Bob Brown + uid=bb, ou=People, dc=Siroe, dc=com
Added cn=Carl Cade + uid=cc, ou=People, dc=Siroe, dc=com
path /data.csv:4 error processing record: entry doesn't have the
rdn attribute uid
Added cn=Eric Elmar + uid=ee, ou=People, dc=Siroe, dc=com
SEE ALSO
dbulkdump
Synonym for the dmoveto command.
Perform an LDAP compare operation on an attribute value.
SYNTAX
dcompare
[object ] -attribute name =value
[-[no]print] [LDAP-specificOptions ]
OPTIONS
Specify the DN of the entry in which to compare the given attribute value. The default is the entry at the current location.
Specify the format of the output:
-print (the default) will return the value TRUE or FALSE.
-noprint will return the value 1 or 0, respectively.Specify the name of the attribute to verify and the value to which it should be compared. Multivalued attributes will compare positively if any one of their values equals the given value .
See further options in "LDAP-Specific Options".
DESCRIPTION
The dcompare command checks to see whether or not the target entry holds a particular attribute value. It returns TRUE if the entry contains an attribute with the given name and value, FALSE otherwise. Use the -noprint option to return a numeric value of 1 or 0, respectively, which is easier to test programmatically in a script.The LDAP-specific options are used as parameters to the internal directory access operation needed to read the attribute value.
Perform an LDAP delete operation with the option to delete subtrees.
SYNTAX
ddelete
[object ... ] [-base] [-below] [-subtree]
[-[no]prompt] [LDAP-specificOptions ]
OPTIONS
Specify the target objects to be deleted. Unless you specify either the -below or -subtree option, the target must be a leaf entry.
Specify that only the target objects should be deleted. This is the default behavior.
Specify that all entries in the subtree below each target object should be deleted. The target entries are not deleted.
Specify that the entire subtree rooted at each target object, including the targets themselves, should be deleted.
Specify whether or not the command should ask the user for confirmation before performing the delete operation The default is -prompt.
See further options in "LDAP-Specific Options".
DESCRIPTION
The ddelete command removes entries from the directory, with the option to delete entire subtrees. When deleting a single entry, it must not have any children. When deleting a subtree, you specify a non-leaf entry and you have the choice of deleting only those entries below it. In all cases, the credentials used to bind to the current directory must have permission to delete entries.The command will use the subtree delete control (OID 1.2.840.113556.1.4.805) when the server supports it. When the control is not available, the command will delete subtrees by recursively descending the directory tree to remove entries.
Synonym for the dbulkdump command.
Invoke an extension, given by its OID, on the server.
SYNTAX
dextension
[-oid OID ] [-data data ] [-[no]force]
[-stop] [-reset]
[LDAP-specificOptions ]
OPTIONS
Specify the OID (object identifier) of the extension in dotted decimal format, for example: 1.2.840.113556.1.4.805 .
Give additional data as a string that will be sent with the extension request. Some extensions require additional parameters that can be entered here.
This option is a shortcut for invoking a shutdown extension (OID 1.3.6.1.4.1.1466.20001) recognized by some servers.
This option is a shortcut for invoking a reset extension (OID 1.3.6.1.4.1.1466.20002) recognized by some servers.
The -force option specifies that the extension should be invoked without checking whether the server supports it. The default is -noforce.
See further options in "LDAP-Specific Options".
DESCRIPTION
The dextension command invokes extensions on the directory server. Extensions are server-dependent operations that may perform non-LDAP operations or modify the functionality of the server. The tool will check whether or not the server supports the extension before sending it.The directory server may send a reply to the extension request, in which case the dextension command will display the OID and data contained in the response.
Display the list of all ilash commands and their brief description. This list does not include synonyms for commands.
Synonym for the dstatus command.
List the RDNs of all first-level children of a given entry.
SYNTAX
dlist
[object ] [-[no]move] [-[no]push]
[-sequence name ] [LDAP-specificOptions ]
OPTIONS
Specify a single target object. The default is the current location.
Specify whether or not the command should also change the current location to that of the target object . The -move option is not compatible with -push. The default is -nomove.
Specify whether or not the command should also push the current location onto the location stack and change to the location of the target object . The -push option is overridden by -move and -nomove when they occur after it on the command line. The default is -nopush.
Save the DNs of entries from the output under the given sequence name and do not modify the current sequence. Sequence names may contain only alphabetical characters. If the sequence does not exist, it will be created. If the sequence exists, new DNs will be appended to the end of it. When this option is omitted, the DNs are appended to the current sequence.
See further options in "LDAP-Specific Options".
DESCRIPTION
The dlist command searches the directory and displays the list of all entries that are immediate children of the target object. The output of the command is a list of RDNs that are relative to the target object, not to the current location.In the output, the number to the left of each RDNs is its number in the sequence. If the corresponding DN already exists in the current or the named sequence, the numbers may not begin at 1 or even be numbered sequentially.
The number of RDNs returned can be limited by using the -sizelimit option described in "LDAP-Specific Options".
This command may be considered the equivalent of the ls or dir command, although it doesn't support filtering on the DN. To search for specific DNs, you must use the dsearch command. To display the contents of an entry, use the dshowentry command.
SEE ALSO
dsearch, dsequence, dshowentry, dmoveto
Synonym for the dbulkload command.
Synonym for the dlist command.
Synonym for the dmodify command.
Perform an LDAP modify operation to add, modify, or remove attributes.
SYNTAX
dmodify
[object ... ] [-draft draft [-[no]edit]] [-newdraft]
[LDAP-specificOptions ]dmodify
[object ... ] [-add attribute =value ] ...
[-remove attribute =value ] ... [-remove attribute ] ...
[LDAP-specificOptions ]
OPTIONS
Specify the target objects to modify. The default is the current location. When using a draft file, you will be able to edit the target entries as LDIF in a text editor. When adding or removing only attributes, all target entries will be modified in same way.
Specify the location of the draft file. This is where the tool will generate an LDIF text file containing the entries to modify. The default location is the .lashdraft file in the user's home directory.
Specify whether or not you want to edit the draft file interactively before it is used to modify entries. The default is -edit.
If a file exists at the draft location, the tool will ask you whether or not to use it as the draft. Use this option to suppress the query and force the tool to generate a new draft file from the target entries. Any file at the draft location will be overwritten. This option is overridden by the -noedit option.
Specify the name and initial value of an attribute to add. If the attribute is already present in the target, it becomes a multivalued attribute. This option may be repeated to add multiple attributes or multiple values to the same attribute.
Specify the name of an attribute to remove. If you also specify a value, the attribute is assumed to be multivalued and only that value will be removed. When you specify the attribute name only, all values will be removed. This option may be repeated to remove multiple attributes or multiple values.
See further options in "LDAP-Specific Options".
DESCRIPTION
The dmodify command has two usage scenarios:
Interactive: edit the target entries in an LDIF text file to add, modify, or remove attributes or to add and remove entire entries.
To modify entries interactively, the command generates the LDIF text for all target entries in a draft file and opens it in a text editor. You may then edit this file to modify attribute values, remove attributes or add new ones. You may also add or remove entire entries. The tool will then compare this file with the existing entries and perform all necessary LDAP operations to update the directory.Batch: specify on the command line the attribute values to add or remove in order to modify attributes on all target entries in the same way.
When you close the editor, the tool will display the number of added, modified, and deleted entries and ask for confirmation before committing all changes. If you change your mind, the directory will not be modified. Once you have edited the LDIF entries in the draft file you may:
If you did not commit the changes and you now wish to do so, run the same command again with the -noedit flag. This will commit all changes in the current draft file with no further interaction.
The text editor is defined by the EDITOR variable in your environment. If this variable is not defined, you will be prompted for the name of a text editor application.Whether or not you committed any changes, run the same command again and use the existing draft file. You will be able to make further modifications before committing.
Specify the -newdraft option to ignore any existing draft and read the target entries again for editing.
In the batch scenario, you specify modifications on the command line and the command performs them on all target entries. By using sequence numbers to specify targets, you may add, modify, or delete an attribute across the entire directory. You may specify any number of attribute modifications on the command line, allowing you to perform global updates.
In both scenarios, the credentials used to bind to the current directory must have permission to modify all given entries. Finally, the server may also reject modifications that do not follow the schema of the directory.
Perform an LDAP modify-RDN (relative distinguished name) operation.
SYNTAX
dmodifyrdn
[object ] -name name=value
[-[no]delete]
[LDAP-specificOptions ]
OPTIONS
Specify a single target object. The default is the current location.
Define the new RDN of the target entry. The named attribute and its value will also be added to the entry.
Specify whether or not the attribute and value corresponding to the old RDN component should be removed from the entry. The default is -delete.
See further options in "LDAP-Specific Options".
DESCRIPTION
The dmodifyrdn command modifies the RDN of an entry. The effect of this command is to rename the target entry by replacing the first component in its distinguished name. Use the -nodelete option if you wish to keep the old RDN as an attribute in the entry.Most directory servers allow this operation on leaf entries only. Modifying the RDN of a non-leaf entry is equivalent to renaming the entire subtree below that entry. Use the drelocate command to modify entire subtrees.
After modifying an RDN, any sequence number referring to the target entry will still refer to the old RDN. If you use this old sequence number, the old RDN will no longer be recognized by the directory.
SEE ALSO
drelocate
Synonym for the dmodifyrdn command.
Synonym for the dmoveto command.
Change the current directory location of the ilash interpreter.
SYNTAX
dmoveto
object
[-[no]pwd] [-[no]pop] [-[no]push] [-[no]check]
[LDAP-specificOptions ]
OPTIONS
Specify a single target object to become the new location. If you omit the target object, the default value is the current location. Changing to the current location has no effect unless you use the -push option to place it on the stack. Specifying a target has no effect when using the -pop option.
Specify whether or not to display the DN of the new location. When using either -push or -pop, the -pwd option will also display the new contents of the location stack beneath the current location. The default is -nopwd, which will suppress all output.
Regardless of any command options, the current location is always displayed in abbreviated form in the ilash command prompt.
The -pop option changes the current location to that of the DN at the top of the location stack and removes that DN from the stack.
The -pop option will override all other options except when -nopop occurs after it on the command line.The -push option will place the current location on the location stack before changing to the new location. This option is not compatible with -pop. The default behavior is -nopush: the location stack is not modified, and only the current location changes.
Specify whether or not to check the validity of the target location before making it the current location. The default is -check. This option has no effect when using the -pop option; locations popped from the stack are not checked.
See further options in "LDAP-Specific Options".
DESCRIPTION
The dmoveto command changes the current directory location to the given target DN, much like the cd command of a standard shell. You may also push the old location onto the location stack.The -pop option will return to the location specified by the DN taken from the top of the location stack. Specifying an empty string ("") as the target object or using the -pop option when the location stack is empty will change to `The World.' This location is the root DSE, a virtual entry representing the directory server itself (see "`The World'").
When you specify a target DN, the tool will check the validity of the new location with the server. The LDAP-specific options are used during this directory access only. It will not change the current location if the target DN is not valid. If you use the -nocheck option and specify an invalid target location, all further commands that rely on the current location will return errors.
The current position can also be changed with the -move option of the dlist and dshowentry commands.
SEE ALSO
dlist, dshowentry
Synonym for the dshowname command.
Alias for the dunbind -quit command.
Alias for the dbind -nomove -rebind command.
Move entries from one subtree to another ("reparent") or move entire subtrees.
SYNTAX
drelocate
[object ... ] -parent object
[-[no]copy]drelocate
[object ] -target object
[-[no]copy]
OPTIONS
DESCRIPTION
The drelocate command performs either the LDAP rename operation with the "newparent" option or adds and deletes entries to perform the equivalent operation. Many servers have limitations on relocating entries such as allowing only leaf entries to be moved and allowing them to be moved only within their original naming context.Some servers may not even support the rename operation, in which case you must use the -copy option to perform the operation by copying entries. Most servers will not allow you to move subtrees with the rename operation, so use -copy as well. Even with this option, the drelocate command has its own limitations, and not all subtree configurations can be moved.
In all cases, the tool preserves all original entries if an operation cannot be completed correctly, either by the server or by the -copy option.
Synonym for the ddelete command.
List the schema entries associated with an object or import schema definitions.
SYNTAX
dschema
[object ... ] [-sequence name ] [LDAP-specificOptions ]dschema
[object ... ] [-[no]import] [-[no]overwrite]
[LDAP-specificOptions ]
OPTIONS
Specify all objects for which to list the associated schema entries. When using the -import option, specify the subschema entries to import. The default is the current location.
Specify whether or not the target objects are schema entries with definitions to import. When -import is used, all object class and attribute definitions in the target entries will be loaded into the ilash interpreter. The default is -noimport.
Specify whether or not existing definitions should be overwritten when importing new definitions with the same OID. The default is -nooverwrite. These options are meaningful only when -import is specified.
Save the DNs of schema entries in the output under the given sequence name and do not modify the current sequence. Sequence names may contain alphabetical characters only. If the sequence does not exist, it will be created. If the sequence exists, new DNs will be appended to the end of it. When this option is omitted, the DNs are added to the current sequence. This option is ignored when -import is specified.
See further options in "LDAP-Specific Options".
DESCRIPTION
The dschema command handles the special attribute values used to reference and define the schema in the directory. There are two forms to this command:
The default behavior is to display the DN of schema entries that are referenced by the target entries. To view these schema definitions, use the dshowentry command on the DNs of schema entries in the output.
The LDAP-specific options are used in both cases when the command accesses the directory to read attribute values from the given entries.
When you specify the -import option, the dschema command will import any schema definitions found in the target objects. The target must be an entry of the objectclass subschema, whose ldapSchemas, objectClasses, attributeTypes, ldapSyntaxes, and matchingRules attributes define the schema.
- Schema entries are referenced by the values of the subschemaSubentry attribute in the target entries. This attribute is available only in LDAPv3 directories, and dschema will report an error on LDAPv2 directories.
- Importing the schema entries into the ilash interpreter allows some commands to offer functionality that relies on the directory schema. For example, the dadd -objectclass command uses the schema to generate a template file containing all parent classes and attributes of the given object class.
SEE ALSO
dbind -schema
Perform an LDAP search operation using a filter.
SYNTAX
dsearch
[object ]
[-baseobject | -onelevel | -subtree]
[-filter filter ] [-[no]relative]
[-matchedvaluesonly]
[-[no]searchaliases] [-sequence name ]
[displayOptions ] [LDAP-specificOptions ]
OPTIONS
Specify the DN of the base entry for the search. The default is the current location.
Specify the scope of the search: either the base entry itself, only the immediate children of the base entry, or the entire subtree rooted at the base entry. The three scope options are mutually exclusive. The default is -subtree.
Specify an RFC 2254-compliant LDAP search filter, usually in double quotes ("") for the interpreter (see "LDAP Search Filters" in Appendix B of the iPlanet Directory Server Administrator's Guide).
Specify whether or not the DNs in the output are shown in their relative or full format. Relative DNs are relative to the base entry of the search, not to the current location. The default is -relative.
Specify whether or not aliases in the search scope are dereferenced before applying the filter. The default is -nosearchaliases.
These options are different from the -[dont]dereference options listed in "LDAP-Specific Options". The latter apply only to aliases encountered when determining the base entry given by the target object, as opposed to the entries being searched in the scope.
Specify that only attributes being matched by the search filter should be returned in matching entries. This functionality depends on a control that the directory server must support. By default, this option is not active.
Save the DNs of entries from the output under the given sequence name and do not modify the current sequence. Sequence names may contain alphabetical characters only. If the sequence does not exist, it will be created. If the sequence exists, new DNs will be appended to the end of it. When this option is omitted, the DNs are appended to the current sequence.
See other options in "Display Options".
See further options in "LDAP-Specific Options".
DESCRIPTION
The dsearch command searches the directory for entries whose attributes match the filter in the given scope under the base DN. By default, only the DN or the relative DN of matching entries are displayed. Use -show along with the other options listed in "Display Options" to view selected attributes.
EXAMPLE
The following search returns the full name and telephone number of all entries with a last name (surname sn) that starts with J. It stores the reference to the corresponding DNs in the sequence also named J.
- [The World]% dsearch "dc=Siroe,dc=com" -filter "sn=J*" \
-show -type cn telephonenumber \
-sequence J
- J.1 uid=bjablons, ou=People,
cn: Barbara Jablonski
telephoneNumber: +1 408 555 8815
- J.2 uid=ejohnson, ou=People,
cn: Emanuel Johnson
telephoneNumber: +1 408 555 3287
- J.3 uid=kjensen, ou=People,
cn: Kurt Jensen
telephoneNumber: +1 408 555 6127
- J.4 uid=bjensen, ou=People,
cn: Barbara Jensen
cn: Babs Jensen
telephoneNumber: +1 408 555 1862
Synonym for the dsequence command.
Manage the existing sequences and run commands using their entries.
dsequence
[[-sequence] name ]
[-reset] [-status] [-all]dsequence
[[-sequence] name ]
[-iterate TclCode ]
OPTIONS
DESCRIPTION
The dsequence command manages sequences and their contents, allowing you to swap the current sequence for another. The current sequence is the one to which dlist, dschema and dsearch results will be appended by default. You may refer to entries in the current sequence simply by giving their number on a command line. Entries are not duplicated in any one sequence, so an entry will always have the same number.When the ilash interpreter is launched, the name of the current sequence is default. The dlist, dschema and dsearch commands may create new sequences with their -sequence name option. Sequence names may contain only alphabetical characters. The command:
will make the named sequence the current one. If the name sequence does not exit, it will be created empty and still become the current sequence. The command by itself will display the name of the current sequence:
- dsequence [-sequence] name
The contents of the previously current sequence are still available under its name. You may refer to any sequence contents at any time with the following notation:
- [Siroe,com]% dsequence
default
[Siroe,com]% dsequence mysearch
[Siroe,com]% dsequence
mysearch
Use the -status option to view the number of entries in each sequence. Sequences without any entries are not listed by this option. Use the -reset option to delete a sequence:
- sequenceName .entryNumber
Use the -iterate option to run the given Tcl code in the context of each entry. This command will change the current location to each of the entries in the sequence and interpret the code. The Tcl code may be a simple command or it may be a complete script that uses Tcl commands, ilash commands, or both.
- [Siroe,com]% dsequence -status -all
47 entries in sequence <mysearch>
34 entries in sequence <default>
4 entries in sequence <J>
- [Siroe,com]% dsequence -reset default
[Siroe,com]% dsequence -status -all
47 entries in sequence <mysearch>
4 entries in sequence <J>
Synonym for the dshowentry command.
List the attributes of the entry at the given location.
SYNTAX
dshowentry
[object ... ] [-[no]name]
[-[no]move] [-[no]push]
[displayOptions ] [LDAP-specificOptions ]
OPTIONS
Specify one or more objects to display. The default is the entry at the current location.
Specify whether or not to display the DN (distinguished name) of the entry before its contents. The default is -name.
Specify whether or not the command should also change the current location to that of the target object . The -nomove option overrides -move and -push when it occurs after them on the command line. The default behavior is -nomove.
Specify whether or not the command should also push the current location onto the location stack and change to the location of the target object . When showing multiple entries, they will be pushed onto the stack in the order given. The -push option is overridden by -move and -nomove when they occur after it on the command line. The default is -nopush.
See other options in "Display Options".
See further options in "LDAP-Specific Options".
DESCRIPTION
The dshowentry command will show the attributes contained in the given entry and optionally change the current location. Use this command along with dlist, dshowname, and dmoveto, or their synonyms dls, dpwd, and dcd respectively, to navigate through the directory and view its contents.The displayOptions will control the output by allowing you to select the set of attributes to display. The LDAP-specific options will control how internal operations access the directory, such as dereferencing aliases or not when accessing the target entry.
Synonym for the dshowname command.
Display the full DN of the current location or of the specified target object.
SYNTAX
dshowname [object ] [-ufn] [-ldap]
OPTIONS
DESCRIPTION
The dshowname command will display the full distinguished name of the target entry. Use this command on a sequence number to see the DN of the corresponding entry in the sequence. The "user-friendly" display of the -ufn option is equivalent to the format used in the ilash command prompt.
- [People,Siroe,com]% dshowname
ou=People, dc=Siroe,dc=com
- [People,Siroe,com]% dshowname J.4 -ufn
bjensen, People, Siroe,com
SYNONYMS
dshown, dpwd
Give information about the connection to the current directory server.
SYNTAX
dstatus
[-user] [-[no]stats] [-[no]session]
[-[no]controls] [-[no]extensions] [-[no]config]
[-[no]syntax]
OPTIONS
DESCRIPTION
The dstatus command displays information about the connection and the configuration of the currently bound directory server. When used without any options, it shows the status of the ilash interpreter, such as the current location and the current sequence. You may specify any number of options to list all of the configuration information at one time.
- [Siroe,com]% dstatus
Connected to : ldap://ldap.Siroe.com:389/
Current position : dc=Siroe,dc=com
User name : cn=directory manager
Current sequence : mysearch
Authentication level : simple
SYNONYMS
dinfo
Close the connection to the current directory and optionally exit the ilash tool.
OPTIONS
Specify whether or not to exit the ilash tool after unbinding. The default is -noquit.
DESCRIPTION
The dunbind command closes the current connection. If you do not use the -quit option, the ilash tool will be in the unbound state. You will need to call the dbind command to bind to another server or to rebind to the same server as a different user.
SEE ALSO
dquit, quit, dbind, drebind
Synonym for the dhelp command.
Synonym for the dunbind -quit command.
Previous Contents Index Next
Copyright 2002 Sun Microsystems, Inc.. All rights reserved.Last Updated April 15, 2002