ldapexop

The LDAP extended operation tool

Synopsis

ldapexop [-C charset] [-d debuglevel][-D binddn][-e] [-G realm] 
[-h ldaphost][-help][-K keyfile] [-m mechanism] [-N certificatename]
[-p ldapport] [-P keyfilepw] [-?] [-U] [-v] [-w passwd | ?] [-Y] [-Z]
-op {cascrepl | controlqueue | controlrepl | getAttributes | 
getusertype | quiesce | readconfig | uniqueattr}      

Description

The ldapexop utility is a command-line interface that provides the capability to bind to a directory server and issue a single extended operation along with any data that makes up the extended operation value.

The ldapexop utility supports the standard host, port, SSL, and authentication options used by all of the LDAP client utilities. In addition, a set of options is defined to specify the operation to be performed, and the arguments for each extended operation

To display syntax help for ldapexop, type:

ldapexop -?

or

ldapexop -help

Options

The options for the ldapexop command are divided into two categories:

  1. General options that specify how to connect to the directory server. These options must be specified before operation specific options.
  2. Extended operation option that identifies the extended operation to be performed.

General Options

These options specify the methods of connecting to the server and must be specified before the -op option.

-C charset
Specifies that the DNs supplied as input to the ldapexop utility are represented in a local character set, as specified by charset. Use the -C charset option if the input string codepage is different from the job codepage value. Refer to the ldap_set_iconv_local_charset() API to see supported charset values.
-d debuglevel
Set the LDAP debugging level to debuglevel.
-D binddn
Use binddn to bind to the LDAP directory. binddn is a string-represented DN. When used with -m DIGEST-MD5, it is used to specify the authorization ID. It can either be a DN, or an authzId string starting with "u:" or "dn:".
-e
Displays the LDAP library version information and then exits.
-G
Specify the realm. This parameter is optional. When used with -m DIGEST-MD5, the value is passed to the server during the bind.
-h ldaphost
Specify an alternate host on which the LDAP server is running.
-help
Displays the command syntax and usage information.
-K keyfile
Specify the name of the SSL key database file. If the key database file is not in the current directory, specify the fully-qualified key database filename.

If the utility cannot locate a key database, the system key database is used. The key database file typically contains one or more certificates of certification authorities (CAs) that are trusted by the client. These types of X.509 certificates are also known as trusted roots.

This parameter effectively enables the -Z switch. For Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.

-m mechanism
Use mechanism to specify the SASL mechanism to be used to bind to the server. The ldap_sasl_bind_s() API is used. The -m parameter is ignored if -V 2 is set. If -m is not specified, simple authentication is used. Valid mechanisms are:
-N certificatename
Specify the label associated with the client certificate in the key database file. If the LDAP server is configured to perform server authentication only, a client certificate is not required. If the LDAP server is configured to perform client and server authentication, a client certificate might be required. certificatename is not required if a default certificate/private key pair has been designated as the default. Similarly, certificatename is not required if there is a single certificate/private key pair in the designated key database file. This parameter is ignored if neither -Z nor -K is specified. For Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.
-p ldapport
Specify an alternate TCP port where the LDAP server is listening. The default LDAP port is 389. If -p is not specified and -Z is specified, the default LDAP SSL port 636 is used.
-P keyfilepw
Specify the key database password. This password is required to access the encrypted information in the key database file, which can include one or more private keys. If a password stash file is associated with the key database file, the password is obtained from the password stash file, and the -P parameter is not required. This parameter is ignored if neither -Z nor -K is specified.
-?
Displays the command syntax and usage information.
-U
Specify the username. Required with -m DIGEST-MD5 and ignored with any other mechanism.
-v
Use verbose mode, with many diagnostics written to standard output.
-w passwd | ?
Use passwd as the password for authentication. Use the ? to generate a password prompt.
-Y
Use a secure LDAP connection (TLS).
-Z
Use a secure SSL connection to communicate with the LDAP server. For Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.

Extended operations option

The -op extended-op option identifies the extended operation to be performed. The extended operation can be one of the following values:

Diagnostics

Exit status is 0 if no errors occur. Errors result in a non-zero exit status and a diagnostic message being written to standard error.