| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
1. Server Administration Commands
2. Data Administration Commands
The ldapcompare command compares LDAP entries.
ldapcompare options
The ldapcompare command is used to issue LDAP compare requests to the directory server. Compare requests can be used to determine whether a given entry or set of entries have a particular attribute-value combination. The only information returned from a successful compare operation is an indication as to whether the comparison evaluated to true or false. No other information about the entry is provided.
The syntax of the ldapcompare tool on the command-line can take any of these forms:
ldapcompare [ options ] attribute:value [ "targetDN" ... | -f DNfile] ldapcompare [ options ] attribute::base64value [ "targetDN" ... | -f DNfile ] ldapcompare [ options ] attribute:fileURL [ "targetDN" ... | -f DNfile ]
where
options are the command-line options, described in the following section.
attribute is the name of the attribute type, followed by one of the three ways to specify its comparative value. The attribute type name and value string should be enclosed in single quotes (”) for the shell.
targetDN is the distinguished name (DN) or list of DNs in which to search for the given attribute and compare its value.
DNfile is a file with a list of DNs, one per line, to search for the given attribute and compare its value.
The ldapcompare command accepts an option in either its short form (for example, -D bindDN) or its long form equivalent (for example, --bindDN bindDN).
Perform a search using the LDAP assertion control (as defined in RFC 4528) to indicate that the operation should only be processed if the assertion contained in the provided filter is true.
Continue processing even if an error occurs. This applies when multiple entry DNs have been given either as trailing options or in a file specified with the --filename option. If an error occurs while processing a compare request, then the client will continue with the next entry DN if the --continueOnError option has been provided, or it will exit with an error if it was not provided.
Specify the path to a file that contains one or more filters to use when processing the search operation. If there are to be multiple entry DNs, then the file should be structured with one DN per line. All comparisons will be performed using the same connection to the directory server in the order that they appear in the file. If this option is not provided, at least one entry DN must follow the attribute-value assertion. If this option is used, the only trailing option required is the attribute-value assertion. The --filename option takes precedence over any DNs provided as additional command-line options. Additional DNs are simply ignored.
Perform a search with the specified control in search requests sent to the directory server. This option makes it possible to include arbitrary request controls that the client cannot directly support. The value for this option must be in the form:
oid[:criticality[:value|::b64value|:<fileurl]]
The elements of this value include:
oid Use the OID for the control. For certain types of controls, a text name may be used instead of the numeric OID (for search operations, this includes managedsait for the manage DSA IT control). This element is required. Human-readable names can be used in place of the OID to reference controls that do not require values using the -J or control option. These OID names are the following:
accountusable or accountusability Use in place of the Account Usability Request Control OID: 1.3.6.1.4.1.42.2.27.9.5.8 (no value)
authzid or authorizationidentity Use in place of the Authorization Identity Request Control OID: 2.16.840.1.113730.3.4.16 (no value)
effectiverights Use in place of the Get Effective Rights Control OID: 1.3.6.1.4.1.42.2.27.9.5.2 (value = authorization ID)
managedsait Use in place of the Manage DSA IT Control OID: 2.16.840.1.113730.3.4.2 (no value)
noop or no-op Use in place of the LDAP No-op Control OID: 1.3.6.1.4.1.4203.1.10.2 (no value)
pwpolicy or password policy Use in place of the Password Policy Request OID: 1.3.6.1.4.1.42.2.27.8.5.1 (no value)
subtreedelete or treedelete Use in place of the Subtree Delete Request Control OID: 1.2.840.113556.1.4.805 (no value)
criticality If true, the control should be marked critical (meaning that the directory server should not process the operation unless it can meet the requirements of this control). If false, the control should not be marked critical. If this subcommand is not provided, then the control is not marked critical.
value Specifies the value for the control. This form should only be used if the value can be expressed as a string. It must not be used in conjunction with either the ::b64value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.
b64value Specifies the value for the control in base64-encoded form. This subcommand must not be used in conjunction with either the :value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.
fileurl Specifies a URL that references a file from which the value of the control should be taken. It must not be used in conjunction with either the :value or ::b64value forms. If none of these subcommands is present, then the control will not have a value.
For example, the value 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=dmiller,ou=people,dc=example,dc=com will include a critical control with an OID of 1.3.6.1.4.1.42.2.27.9.5.2, marked as critical (true), and with a string value for the authorization ID dn:uid=dmiller,ou=people,dc=example,dc=com. Or, you can use the OID names: effectiverights:true:dn:uid=dmiller,ou=people,dc=example,dc=com.
Run in no-op mode. That is, report what should happen but do not actually perform any searches or communicate with the server in any way.
Use the bind DN to authenticate to the directory server. This option is used when performing simple authentication and is not required if SASL authentication is to be used. The default value for this option is cn=Directory Manager.
Contact the directory server on the specified host name or IP address. If it is not provided, then a default address of localhost will be used.
Use the bind password in the specified file when authenticating to the directory server. The option is used for simple authentication, as well as for password-based SASL mechanisms such as CRAM-MD5, DIGEST-MD5, and PLAIN. It is not required if no authentication is to be performed. This option must not be used in conjunction with --bindPassword.
SASL is not supported for Oracle Unified Directory proxy.
Use the client keystore certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option should only be necessary if the client needs to present a certificate to the directory server, for example, when using SASL EXTERNAL authentication.
SASL is not supported for Oracle Unified Directory proxy.
Use the specified certificate for certificate-based client authentication.
Use the specified option when performing SASL authentication. Multiple SASL options can be provided by using this option multiple times, once for each option.
SASL is not supported for Oracle Unified Directory proxy.
Contact the directory server at the specified port. If this option is not provided, then a default port of 389 will be used.
Use the client trust store certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option is not needed if --trustAll is used, although a trust store should be used when working in a production environment.
Use the StartTLS Extended Operation when communicating with the directory server. This option must not be used in conjunction with --useSSL.
Use the SASL EXTERNAL mechanism for authentication, which attempts to identify the client by using an SSL certificate that it presents to the directory server. If this option is used, then the --keyStorePath option must also be provided to specify the path to the client keystore and either the --useSSL or the --useStartTLS option must be used to establish a secure communication channel with the server.
SASL is not supported for Oracle Unified Directory proxy.
Use the password needed to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (which most trust stores do not require). This option must not be used in conjunction with --trustStorePasswordFile.
Use the password in the specified file to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePassword.
Use the password in the specified file to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (most trust stores do not require this). This option must not be used in conjunction with --trustStorePassword.
Set the LDAP protocol version that the client should use when communicating with the directory server. The value must be either 2 (for LDAPv2 communication) or 3 (for LDAPv3). If this option is not provided, then the client will use LDAPv3.
Use the bind password when authenticating to the directory server. This option can be used for simple authentication as well as password-based SASL mechanisms. This option must not be used in conjunction with --bindPasswordFile. To prompt for the password, type -w -.
SASL is not supported for Oracle Unified Directory proxy.
Use the password needed to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePasswordFile.
Trust any certificate that the directory server might present during SSL or StartTLS negotiation. This option can be used for convenience and testing purposes, but for security reasons a trust store should be used to determine whether the client should accept the server certificate.
Use Secure Sockets Layer when communicating with the directory server. If SSL is to be used, then the --port option should be used to specify the server's secure port.
Indicate that a properties file will not be used to get the default command-line options.
Specify the path to the properties file that contains the default command-line options.
Run in verbose mode, displaying process and diagnostic information on standard output.
Display command-line usage information for the command and exit without making any attempt to run the command.
Display the version information for the directory server.
The following examples show how to use the directory server commands.
For more information, see System Requirements and Certification in Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.
Example 3-1 Comparing an Entity for Group Membership
The following command specifies the host name (-h) that is connected to port 1389 (-p) and verifies if an employee (uid=scarter) is a member of a group (cn=Accounting Managers).
$ ldapcompare -h hostname -p 1389 \ "uniquemember:uid=scarter,ou=People,dc=example,dc=com" \ "cn=Accounting Managers,ou=groups,dc=example,dc=com" Comparing type uniquemember with value uid=scarter,ou=People,dc=example,dc=com in entry cn=Accounting Managers,ou=groups,dc=example,dc=com Compare operation returned true for entry cn=Accounting Managers,ou=groups,dc=example,dc=com
Example 3-2 Comparing an Attribute Value to an Entry
The following command specifies the hostname (-h) that is connected to port 1389 (-p) and verifies if an attribute (ou=Accounting) is present in an entity's (cn=Sam Carter) record.
$ ldapcompare -h hostname -p 1389 "ou:Accounting" \ "uid=scarter,ou=People,dc=example,dc=com" Comparing type ou with value Accounting in entry uid=scarter,ou=People,dc=example,dc=com Compare operation returned true for entry uid=scarter,ou=People,dc=example,dc=com
Example 3-3 Using ldapcompare with Server Authentication
The following command uses server authentication, specifies the host name (-h), SSL port (-p), base DN (-b), the bind DN (-D), the bind password (-w), trust store file path (-P), and checks if the attribute is present in the entry. For Windows platforms, use the path where your trust store file resides (for example, -P \temp\certs\cert.db).
$ ldapcompare -h hostname -p 1636 -D "cn=Directory Manager" \ -w password -P /home/kwinters/certs/cert.db \ 'givenname:Sam' "uid=scarter,ou=People,dc=example,dc=com" Comparing type givenname with value Sam in entry uid=scarter,ou=People,dc=example,dc=com Compare operation returned true for entry uid=scarter,ou=People,dc=example,dc=com
Example 3-4 Using ldapcompare with Client Authentication
The following command uses client authentication with the compare. The command uses SSL (-Z) with the SSL port (-p), specifies the trust store file path (-P), the certificate nickname (-N), the keystore file path (-K), the keystore password (-W) and checks if the entity's given name givenname=Sam is present in the entry. For Windows platforms, use the path where your trust store file resides (for example, -P \temp\certs\cert.db) and where the path where your keystore file resides (-K \temp\security\key.db).
$ ldapcompare -h hostname -p 1636 -Z \ -P /home/kwinters/security/cert.db -N "kwcert" \ -K /home/kwinters/security/key.db -W KeyPassword \ 'givenname:Sam' "uid=scarter,ou=People,dc=example,dc=com" Comparing type givenname with value Sam in entry uid=scarter,ou=People,dc=example,dc=com Compare operation returned true for entry uid=scarter,ou=People,dc=example,dc=com
An exit code of 6 indicates that the comparison is successful. An exit code of 5 indicates that the comparison is unsuccessful. Any other exit code indicates that an error occurred during processing.
The directory server supports the use of a properties file that passes in any default option values used with the ldapcompare command. The properties file is convenient when working in different configuration environments, especially in scripted or embedded applications. For more information, see Using a Properties File With Server Commands.
The following options can be stored in a properties file:
assertionFilter
bindDN
bindPassword
bindPasswordFile
certNickname
continueOnError
control
dry-run
filename
hostname
keyStorePassword
keyStorePasswordFile
keyStorePath
ldapVersion
port
saslOption
trustAll
trustStorePassword
trustStorePasswordFile
trustStorePath
useSASLExternal
useSSL
useStartTLS
verbose
Entries in the properties file have the following format:
toolname.propertyname=propertyvalue
For example:
ldapcompare.ldapport=12345
UNIX and Linux: instance-dir/OUD/bin/ldapcompare
Windows: instance-dir\OUD\bat\ldapcompare.bat
|