NAME
ldapcompare — LDAP compare tool
SYNOPSIS
ldapcompare [-n] [-v] [-z] [-M[M]] [ -d debuglevel ] [ -D binddn ] [-W] [ -w passwd ] [ -y passwdfile ] [ -H ldapuri ] [ -h ldaphost ] [ -p ldapport ] [ -P 2 | 3 ] [ -O security-properties ] [-I] [-Q] [ -U authcid ] [ -R realm ] [-x] [ -X authzid ] [ -Y mech ] [-Z[Z]] DN < attr:value | attr::b64value >
DESCRIPTION
ldapcompare is a shell-accessible interface to the ldap_compare(3) library call.
ldapcompare opens a connection to an LDAP server, binds, and performs a compare using the specified parameters. The DN should be a distinguished name in the directory. Attr should be a known attribute. If followed by one colon, the assertion value should be provided as a string. If followed by two colons, the base64 encoding of the value is provided. The result code of the compare is provided as the exit code and, unless run with -z, the program prints TRUE, FALSE, or UNDEFINED on standard output.
OPTIONS
-n
    Show what would be done, but don't actually perform the compare. Useful for debugging in conjunction with -v.
-v
    Run in verbose mode, with many diagnostics written to standard output.
-z
    Run in quiet mode, no output is written. You must check the return status. Useful in shell scripts.
-M[M]
    Enable manage DSA IT control. -MM makes control critical.
-d debuglevel
    Set the LDAP debugging level to debuglevel. ldapcompare must be compiled with LDAP_DEBUG defined for this option to have any effect.
-x
    Use simple authentication instead of SASL.
-D binddn
    Use the Distinguished Name binddn to bind to the LDAP directory.
-W
    Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd
    Use passwd as the password for simple authentication.
-y passwdfile
    Use complete contents of passwdfile as the password for simple authentication.
-H ldapuri
    Specify URI(s) referring to the LDAP server(s); only the protocol/host/port fields are allowed; a list of URIs, separated by whitespace or commas, is expected.
-h ldaphost
    Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.
-p ldapport
    Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3
    Specify the LDAP protocol version to use.
-O security-properties
    Specify SASL security properties.
-I
    Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-Q
    Enable SASL Quiet mode. Never prompt.
-U authcid
    Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-R realm
    Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-X authzid
    Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn: <distinguished name> or u: <username>
-Y mech
    Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-Z[Z]
    Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
EXAMPLES
are all equivalent.
LIMITATIONS
Requiring the value be passed on the command line is
limiting and introduces some security concerns. The command
should support a mechanism to specify the location (file name
or URL) to read the value from.
AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
ACKNOWLEDGEMENTS
OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OpenLDAP is derived from University of Michigan LDAP 3.3 Release.