
ldapexop(1)                                                        ldapexop(1)

NAME
       ldapexop - issue LDAP extended operations

SYNOPSIS
       ldapexop   [-d level]   [-D binddn]   [-e [!]ext[=extparam]]  [-f file]
       [-h host]   [-H URI]   [-I]    [-n]    [-N]    [-O security-properties]
       [-o opt[=optparam]]  [-p port]  [-Q]  [-R realm] [-U authcid] [-v] [-V]
       [-w passwd] [-W] [-x] [-X authzid] [-y file] [-Y mech] [-Z[Z]]  {oid  |
       oid:data | oid::b64data | whoami | cancel cancel-id | refresh DN [ttl]}

DESCRIPTION
       ldapexop issues the LDAP extended operation specified by oid or one  of
       the special keywords whoami, cancel, or refresh.

       Additional  data for the extended operation can be passed to the server
       using data or base-64 encoded as b64data in the case of oid,  or  using
       the  additional  parameters in the case of the specially named extended
       operations above.

       Please note that ldapexop behaves differently  for  the  same  extended
       operation  when  it  was  given  as  an OID or as a specially named
       operation.
       Calling ldapexop with the OID of the whoami (RFC 4532) extended  opera-
       tion

         ldapexop [<options>]

       results in

         # extended operation response
         data:: <base64 encoded response data>

       while calling it with the keyword whoami

         ldapexop [<options>] whoami

       results in

         dn:<client's identity>
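       The two whoami output forms described above, handled by an added  shell
       example that is not part of this man page: it builds a hardened ldapexop
       command line (-ZZ so StartTLS must succeed, -y so the  password  never
       appears in argv) and normalises either output form into one identity
       line. It assumes a POSIX sh with GNU base64; 1.3.6.1.4.1.4203.1.11.3
       is the "Who Am I?" OID assigned by RFC 4532, and the sample output is
       constructed.

```shell
#!/bin/sh
# Added example, not part of the ldapexop man page.
# 1.3.6.1.4.1.4203.1.11.3 is the "Who Am I?" OID assigned by RFC 4532.
WHOAMI_OID=1.3.6.1.4.1.4203.1.11.3

# Print the ldapexop command line for a whoami request.
# $1 = URI, $2 = bind DN, $3 = password file, $4 = "oid" or "keyword".
# -ZZ makes StartTLS mandatory; -y reads the password from a file so it
# never shows up in the process list or shell history, unlike -w.
whoami_cmdline() {
  if [ "$4" = oid ]; then op=$WHOAMI_OID; else op=whoami; fi
  printf 'ldapexop -ZZ -H %s -x -D %s -y %s %s\n' "$1" "$2" "$3" "$op"
}

# Read ldapexop output on stdin and print the identity as a single line,
# whichever form ldapexop produced:
#   OID form:     "data:: <base64>"  -> decoded authzId ("dn:..." or "u:...")
#   keyword form: "dn:<identity>"    -> passed through unchanged
# Comment lines ("# ...") and blank lines are skipped; anything else is
# reported on stderr and makes the function return 1.
normalize_whoami() {
  while IFS= read -r line; do
    case $line in
      '#'*|'') ;;
      'data:: '*) printf '%s' "${line#data:: }" | base64 -d; printf '\n' ;;
      'dn:'*|'u:'*) printf '%s\n' "$line" ;;
      *) printf 'unexpected line: %s\n' "$line" >&2; return 1 ;;
    esac
  done
}

# Constructed sample of the OID-form output: the data is the base64 of
# "dn:uid=alice,dc=example,dc=com".
SAMPLE_OID_OUTPUT='# extended operation response
data:: ZG46dWlkPWFsaWNlLGRjPWV4YW1wbGUsZGM9Y29t'

# Self-check: both forms should yield the same "dn:" line.
demo() {
  printf '%s\n' "$SAMPLE_OID_OUTPUT" | normalize_whoami
  printf 'dn:uid=alice,dc=example,dc=com\n' | normalize_whoami
}
```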

OPTIONS
       -d level
              Set the LDAP debugging level to level.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.

       -e [!]ext[=extparam]
              Specify general extensions.  '!' indicates criticality.
                [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
                 [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
                 [!]chaining[=<resolveBehavior>]
                    one of "chainingPreferred", "chainingRequired",
                    "referralsPreferred", "referralsRequired"
                [!]manageDSAit         (RFC 3296)
                [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
                [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
                abandon, cancel, ignore (SIGINT sends abandon/cancel,
                or ignores response; if critical, doesn't wait for SIGINT.
                not really controls)

       -f file
              Read operations from file.

       -h host
              Specify the host on which the ldap server  is  running.   Depre-
              cated in favor of -H.

       -H URI Specify  URI(s) referring to the ldap server(s); only the proto-
              col/host/port fields are allowed; a list of  URI,  separated  by
              whitespace or commas is expected.

       -I     Enable  SASL  Interactive  mode.   Always prompt.  Default is to
              prompt only as needed.

       -n     Show what would be done but don't actually do  it.   Useful  for
              debugging in conjunction with -v.

       -N     Do not use reverse DNS to canonicalize SASL host name.

       -O security-properties
              Specify SASL security properties.

       -o opt[=optparam]
              Specify general options:
                nettimeout=<timeout> (in seconds, or "none" or "max")

       -p port
              Specify the TCP port where the ldap server is listening.  Depre-
              cated in favor of -H.

       -Q     Enable SASL Quiet mode.  Never prompt.

       -R realm
              Specify the realm of authentication ID for SASL bind.  The  form
              of the realm depends on the actual SASL mechanism used.

       -U authcid
              Specify  the authentication ID for SASL bind. The form of the ID
              depends on the actual SASL mechanism used.

       -v     Run in verbose mode, with many diagnostics written  to  standard
              output.

       -V     Print version info and usage message.  If -VV is given, only the
              version information is printed.

       -w passwd
              Use passwd as the password for simple authentication.

       -W     Prompt for simple authentication.  This is used instead of spec-
              ifying the password on the command line.

       -x     Use simple authentication instead of SASL.

       -X authzid
              Specify  the  requested authorization ID for SASL bind.  authzid
              must be one of the following formats: dn:<distinguished name> or
              u:<username>

       -y file
              Use complete contents of file as the password for simple authen-
              tication.

       -Y mech
              Specify the SASL mechanism to be used for authentication.  With-
              out  this option, the program will choose the best mechanism the
              server knows.

       -Z[Z]  Issue StartTLS (Transport Layer  Security)  extended  operation.
              Giving  it twice (-ZZ) will require the operation to be success-
              ful.

DIAGNOSTICS
       Exit status is zero if no errors occur.  Errors result  in  a  non-zero
       exit status and a diagnostic message being written to standard error.

NOTES
       This  manual  page  was  written by Peter Marschall based on ldapexop's
       usage message and a few tests with ldapexop.  Do not expect  it  to  be
       complete or absolutely correct.

ACKNOWLEDGEMENTS
       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
       <>.  OpenLDAP Software is derived from  Univer-
       sity of Michigan LDAP 3.3 Release.


Mac OS X 10.7 - Generated Thu Aug 11 10:58:17 CDT 2011