ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahyldapexop.htm


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - ldapexop</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahyldapexop"></a>
<h3 id="rzahyldapexop">ldapexop</h3>
<p>The LDAP extended operation tool</p>
<p><span class="bold">Synopsis</span></p>
<pre class="xmp">ldapexop [-C charset] [-d debuglevel] [-D binddn] [-e] [-G realm]
[-h ldaphost] [-help] [-K keyfile] [-m mechanism] [-N certificatename]
[-p ldapport] [-P keyfilepw] [-?] [-U username] [-v] [-w passwd | ?] [-Y] [-Z]
-op {cascrepl | controlqueue | controlrepl | getattributes |
getusertype | quiesce | readconfig | unbind | uniqueattr}</pre>
<p><span class="bold">Description</span></p>
<p>The <span class="bold">ldapexop</span> utility is a command-line interface
that provides the capability to bind to a directory server and issue a single
extended operation along with any data that makes up the extended operation
value.</p>
<p>The <span class="bold">ldapexop</span> utility supports the standard host,
port, SSL, and authentication options used by all of the LDAP client utilities.
In addition, a set of options is defined to specify the operation to be performed
and the arguments for each extended operation.</p>
<p>To display syntax help for <span class="bold">ldapexop</span>,
type: </p>
<pre class="xmp">ldapexop -?</pre><p class="indatacontent">or </p>
<pre class="xmp">ldapexop -help</pre>
<p><span class="bold">Options</span></p>
<p>The options for the ldapexop command are divided into two categories:</p>
<ol type="1">
<li>General options that specify how to connect to the directory server. These
options must be specified before operation specific options.</li>
<li>Extended operation option that identifies the extended operation to be
performed.</li></ol>
<p><span class="bold">General Options</span></p>
<p>These options specify the methods of connecting to the server and must
be specified before the <span class="bold">-op</span> option.</p>
<dl>
<dt class="bold">-C <span class="italic">charset</span> </dt>
<dd>Specifies that the DNs supplied as input to the <span class="bold">ldapexop</span> utility are represented in a local character set, as specified
by charset. Use the <span class="bold">-C <span class="italic">charset</span></span> option if the input string codepage is different from the
job codepage value. Refer to the <a href="../apis/ldap_set_iconv_local_charset.htm">ldap_set_iconv_local_charset()</a> API to see supported charset values.
</dd>
<dt class="bold">-d <span class="italic">debuglevel</span> </dt>
<dd>Set the LDAP debugging level to debuglevel.
</dd>
<dt class="bold">-D <span class="italic">binddn</span></dt>
<dd>Use <span class="bold-italic">binddn</span> to bind to the LDAP
directory. <span class="bold-italic">binddn</span> is a string-represented DN.
When used with -m DIGEST-MD5, it is used to specify the authorization ID.
It can either be a DN, or an authzId string starting with "u:" or "dn:".
</dd>
<dt class="bold">-e</dt>
<dd>Displays the LDAP library version information and then exits.
</dd>
<dt class="bold">-G <span class="italic">realm</span></dt>
<dd>Specify the realm. This parameter is optional. When used with -m DIGEST-MD5,
the value is passed to the server during the bind.
</dd>
<dt class="bold">-h <span class="italic">ldaphost</span></dt>
<dd>Specify an alternate host on which the LDAP server is running.
</dd>
<dt class="bold">-help</dt>
<dd>Displays the command syntax and usage information.
</dd>
<dt class="bold">-K <span class="italic">keyfile</span></dt>
<dd>Specify the name of the SSL key database file. If the key database file
is not in the current directory, specify the fully-qualified key database
filename.
<p>If the utility cannot locate a key database, the system key database
is used. The key database file typically contains one or more certificates
of certification authorities (CAs) that are trusted by the client. These types
of X.509 certificates are also known as trusted roots.</p>
<p>This parameter
effectively enables the <span class="bold">-Z</span> switch. For
Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate
associated with the Directory Services Client application ID will be used.</p>
</dd>
<dt class="bold">-m <span class="italic">mechanism</span></dt>
<dd>Use <span class="bold-italic">mechanism</span> to specify the
SASL mechanism to be used to bind to the server. The <a href="../apis/ldap_sasl_bind_s.htm">ldap_sasl_bind_s()</a> API is used. The <span class="bold">-m</span> parameter is ignored if <span class="bold">-V 2</span> is
set. If <span class="bold">-m</span> is not specified, simple
authentication is used. Valid mechanisms are:
<ul>
<li>CRAM-MD5 - protects the password sent to the server.</li>
<li>EXTERNAL - uses the SSL certificate. Requires -Z.</li>
<li>GSSAPI - uses the user's Kerberos credentials.</li>
<li><img src="delta.gif" alt="Start of change" />DIGEST-MD5 - requires that the client send a username value
to the server. Requires -U. The -D parameter (usually the bind DN) is used
to specify the authorization ID. It can be a DN, or an authzId string starting
with u: or dn:.<img src="deltaend.gif" alt="End of change" /></li>
<li><img src="delta.gif" alt="Start of change" />OS400_PRFTKN - authenticates to the local LDAP server as the
current i5/OS user using the DN of the user in the system projected backend.
The -D (bind DN) and -w (password) parameters should not be specified.<img src="deltaend.gif" alt="End of change" /></li></ul>
</dd>
<dt class="bold">-N <span class="italic">certificatename</span></dt>
<dd>Specify the label associated with the client certificate in the key
database file. If the LDAP server is configured to perform server authentication
only, a client certificate is not required. If the LDAP server is configured
to perform client and server authentication, a client certificate might be
required. <span class="bold-italic">certificatename</span> is not required
if a certificate/private key pair has been designated as the default.
Similarly, <span class="bold-italic">certificatename</span> is not
required if there is a single certificate/private key pair in the designated
key database file. This parameter is ignored if neither <span class="bold">-Z</span> nor <span class="bold">-K</span> is specified. For Directory
Server on i5/OS if you use -Z and do not use -K or -N, the certificate associated
with the Directory Services Client application ID will be used.
</dd>
<dt class="bold">-p <span class="italic">ldapport </span></dt>
<dd>Specify an alternate TCP port where the LDAP server is listening.
The default LDAP port is 389. If <span class="bold">-p</span> is
not specified and <span class="bold">-Z</span> is specified, the
default LDAP SSL port 636 is used.
</dd>
<dt class="bold">-P <span class="italic">keyfilepw</span></dt>
<dd>Specify the key database password. This password is required to access
the encrypted information in the key database file, which can include one
or more private keys. If a password stash file is associated with the key
database file, the password is obtained from the password stash file,
and the <span class="bold">-P</span> parameter is not required.
This parameter is ignored if neither <span class="bold">-Z</span> nor <span class="bold">-K</span> is specified.
</dd>
<dt class="bold">-?</dt>
<dd>Displays the command syntax and usage information.
</dd>
<dt class="bold">-U</dt>
<dd>Specify the username. Required with -m DIGEST-MD5 and ignored with any
other mechanism.
</dd>
<dt class="bold">-v</dt>
<dd>Use verbose mode, with many diagnostics written to standard
output.
</dd>
<dt class="bold">-w <span class="italic">passwd</span> | ?</dt>
<dd>Use <span class="bold-italic">passwd</span> as the password
for authentication. Use the ? to generate a password prompt.
</dd>
<dt class="bold">-Y</dt>
<dd>Use a secure LDAP connection (TLS).
</dd>
<dt class="bold">-Z</dt>
<dd>Use a secure SSL connection to communicate with the LDAP server. For
Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate
associated with the Directory Services Client application ID will be used.
</dd>
</dl>
<p><span class="bold">Extended operations option</span></p>
<p>The <span class="bold">-op</span> extended-op option identifies the extended
operation to be performed. The extended operation can be one of the following
values:</p>
<ul>
<li><span class="bold">cascrepl</span>: cascading control replication
extended operation. The requested action is applied to the specified server
and also passed along to all replicas of the given subtree. If any of these
are forwarding replicas, they pass the extended operation along to their replicas.
The operation cascades over the entire replication topology.
<dl>
<dt class="bold">-action quiesce | unquiesce | replnow |
wait</dt>
<dd>This is a required attribute that specifies the action to
be performed.
<dl>
<dt class="bold">quiesce</dt>
<dd>No further updates are allowed, except by replication.
</dd>
<dt class="bold">unquiesce</dt>
<dd>Resume normal operation, client updates are accepted.
</dd>
<dt class="bold">replnow</dt>
<dd>Replicate all queued changes to all replica servers as soon
as possible, regardless of schedule.
</dd>
<dt class="bold">wait</dt>
<dd>Wait for all updates to be replicated to all replicas.
</dd>
</dl>
</dd>
<dt class="bold">-rc <span class="italic">contextDn</span></dt>
<dd>This is a required attribute that specifies the root of the
subtree.
</dd>
<dt class="bold">-timeout <span class="italic">secs</span></dt>
<dd>This is an optional attribute that, if present, specifies the
timeout period in seconds. If it is not present, or is 0, the operation waits indefinitely.
</dd>
</dl><span class="bold">Example:</span>
<pre class="xmp">ldapexop -op cascrepl -action quiesce -rc "o=acme,c=us" -timeout 60</pre></li>
<li><span class="bold">controlqueue</span>: control queue replication
extended operation. This operation deletes pending changes from the queue of
replication changes that have accumulated and were not applied because of
replication failures. It is useful after the replica data has been fixed
manually: you then use this operation to skip the queued changes that would
otherwise fail again.
<dl>
<dt class="bold">-skip all | change-id</dt>
<dd>This is a required attribute.
<ul>
<li><span class="bold">-skip all</span> indicates to skip
all pending changes for this agreement.</li>
<li><span class="bold">change-id</span> identifies the single
change to be skipped. If the server is not currently replicating this change,
the request fails.</li></ul>
</dd>
<dt class="bold">-ra <span class="italic">agreementDn</span></dt>
<dd>This is a required attribute that specifies the DN of the
replication agreement.
</dd>
</dl><span class="bold">Examples</span>:
<pre class="xmp">ldapexop -op controlqueue -skip all -ra "cn=server3,
ibm-replicaSubentry=master1-id,ibm-replicaGroup=default,
o=acme,c=us"
ldapexop -op controlqueue -skip 2185 -ra "cn=server3,
ibm-replicaSubentry=master1-id,ibm-replicaGroup=default,
o=acme,c=us"
</pre></li>
<li><span class="bold">controlrepl</span>: control replication extended
operation
<dl>
<dt class="bold">-action suspend | resume | replnow</dt>
<dd>This is a required attribute that specifies the action to
be performed.
</dd>
<dt class="bold">-rc <span class="italic">contextDn</span> | -ra <span class="italic">agreementDn</span></dt>
<dd>The <span class="bold">-rc</span> <span class="italic">contextDn</span> is the DN of the replication context. The action is performed
for all agreements for this context. The <span class="bold">-ra</span> <span class="italic">agreementDn</span> is the DN of the replication agreement.
The action is performed for the specified replication agreement.
</dd>
</dl><span class="bold">Example</span>:
<pre class="xmp">ldapexop -op controlrepl -action suspend -ra "cn=server3,
ibm-replicaSubentry=master1-id,ibm-replicaGroup=default,
o=acme,c=us"</pre></li>
<li><span class="bold">getattributes -attrType <span class="italic">&lt;type></span> -matches bool <span class="italic">&lt;value></span></span>
<dl>
<dt class="bold">-attrType {operational | language_tag | attribute_cache | unique
| configuration}</dt>
<dd>This is a required attribute that specifies the type of attribute being
requested.
</dd>
<dt class="bold">-matches bool {true | false}</dt>
<dd>Specifies whether the list of attributes returned matches (true) or does not
match (false) the attribute type specified by the -attrType option.
</dd>
</dl>
<p><span class="bold">Example</span></p>
<pre class="xmp">ldapexop -op getattributes -attrType unique -matches bool true</pre>
<p>Returns a list of all attributes that have been designated as unique
attributes.</p>
<pre class="xmp">ldapexop -op getattributes -attrType unique -matches bool false</pre>
<p>Returns a list of all attributes that have not been designated
as unique attributes.</p></li>
<li><span class="bold">getusertype:</span> request user type extended operation
<p>This extended operation returns the user type based on the bound DN.</p>
<p><span class="bold">Example:</span></p>
<pre class="xmp">ldapexop -D <span class="italic">&lt;AdminDN></span> -w <span class="italic">&lt;Adminpw></span> -op getusertype</pre>
<p>returns:</p>
<pre class="xmp">User : root_administrator
Role(s) : server_config_administrator directory_administrator</pre></li>
<li><span class="bold">quiesce</span>: quiesce or unquiesce subtree replication
extended operation
<dl>
<dt class="bold">-rc <span class="italic">contextDn</span></dt>
<dd>This is a required attribute that specifies the DN of the
replication context (subtree) to be quiesced or unquiesced.
</dd>
<dt class="bold">-end</dt>
<dd>This is an optional attribute that, if present, specifies that the
subtree is to be unquiesced. If it is not specified, the default is to quiesce the subtree.
</dd>
</dl><span class="bold">Examples</span>:
<pre class="xmp">ldapexop -op quiesce -rc "o=acme,c=us"
ldapexop -op quiesce -end -rc "o=ibm,c=us"</pre></li>
<li><span class="bold">readconfig</span>: reread configuration file extended operation
<dl>
<dt class="bold">-scope entire | single &lt;<span class="italic">entry DN</span>> &lt;<span class="italic">attribute</span>></dt>
<dd>This is a required attribute.
<ul>
<li><span class="bold">entire</span> indicates to reread the
entire configuration file.</li>
<li><span class="bold">single</span> means to read the single
entry and attribute specified.</li></ul>
</dd>
</dl><span class="bold">Examples</span>:
<pre class="xmp">ldapexop -op readconfig -scope entire
ldapexop -op readconfig -scope single "cn=configuration" ibm-slapdAdminPW
</pre>
<a name="wq382"></a>
<div class="notetitle" id="wq382">Note:</div>
<div class="notebody">The entries listed below are marked as follows:
<ul>
<li><sup>1</sup> take effect immediately after a readconfig</li>
<li><sup>2</sup> take effect on new operations</li>
<li><sup>3</sup> take effect as soon as the password is
changed (no readconfig required)</li>
<li><sup>4</sup> are supported by the command line utility
on i5/OS, but are not supported by the Directory Server on i5/OS</li></ul>
<pre class="xmp">cn=Configuration
ibm-slapdadmindn<sup>2</sup>
ibm-slapdadminpw<sup>2, 3</sup>
ibm-slapderrorlog<sup>1, 4</sup>
ibm-slapdpwencryption<sup>1</sup>
ibm-slapdsizelimit<sup>1</sup>
ibm-slapdsysloglevel<sup>1, 4</sup>
ibm-slapdtimelimit<sup>1</sup>
cn=Front End, cn=Configuration
ibm-slapdaclcache<sup>1</sup>
ibm-slapdaclcachesize<sup>1</sup>
ibm-slapdentrycachesize<sup>1</sup>
ibm-slapdfiltercachebypasslimit<sup>1</sup>
ibm-slapdfiltercachesize<sup>1</sup>
ibm-slapdidletimeout<sup>1</sup>
cn=Event Notification, cn=Configuration
ibm-slapdmaxeventsperconnection<sup>2</sup>
ibm-slapdmaxeventstotal<sup>2</sup>
cn=Transaction, cn=Configuration
ibm-slapdmaxnumoftransactions<sup>2</sup>
ibm-slapdmaxoppertransaction<sup>2</sup>
ibm-slapdmaxtimelimitoftransactions<sup>2</sup>
cn=ConfigDB, cn=Config Backends, cn=IBM SecureWay, cn=Schemas, cn=Configuration
ibm-slapdreadonly<sup>2</sup>
cn=Directory, cn=RDBM Backends, cn=IBM SecureWay, cn=Schemas, cn=Configuration
ibm-slapdbulkloaderrors<sup>1, 4</sup>
ibm-slapdclierrors<sup>1, 4</sup>
ibm-slapdpagedresallownonadmin<sup>2</sup>
ibm-slapdpagedreslmt<sup>2</sup>
ibm-slapdpagesizelmt<sup>2</sup>
ibm-slapdreadonly<sup>2</sup>
ibm-slapdsortkeylimit<sup>2</sup>
ibm-slapdsortsrchallownonadmin<sup>2</sup>
ibm-slapdsuffix<sup>2</sup></pre></div></li>
<li><span class="bold">unbind</span> {<span class="bold">-dn</span> <span class="italic">&lt;specificDN></span> | <span class="bold">-ip</span> <span class="italic">&lt;sourceIP></span> | <span class="bold">-dn</span> <span class="italic">&lt;specificDN></span> <span class="bold">-ip</span> <span class="italic">&lt;sourceIP></span> | <span class="bold">-all</span>}:
<p>Disconnect connections by DN, by IP address, by DN/IP pair, or disconnect all
connections. All connections without any operations and all connections with
operations on the work queue are ended immediately. If a worker is currently
working on a connection, it is ended as soon as the worker completes that one
operation.</p>
<dl>
<dt class="bold">-dn <span class="italic">&lt;specificDN></span></dt>
<dd>Issues a request to end a connection by DN only. This request results
in the purging of all the connections bound on the specified DN.
</dd>
<dt class="bold">-ip <span class="italic">&lt;sourceIP></span></dt>
<dd>Issues a request to end a connection by IP only. This request
results in the purging of all the connections from the specified IP source.
</dd>
<dt class="bold">-dn <span class="italic">&lt;specificDN></span> -ip <span class="italic">&lt;sourceIP></span></dt>
<dd>Issues a request to end a connection determined by a DN/IP
pair. This request results in the purging of all the connections bound on
the specified DN and from the specified IP source.
</dd>
<dt class="bold">-all</dt>
<dd>Issues a request to end all the connections. This request
results in the purging of all the connections except the connection from which
this request originated. This attribute cannot be used with the -dn or -ip
attributes.
</dd>
</dl>
<p><span class="bold">Examples:</span></p>
<pre class="xmp">ldapexop -op unbind -dn cn=john
ldapexop -op unbind -ip 9.182.173.43
ldapexop -op unbind -dn cn=john -ip 9.182.173.43
ldapexop -op unbind -all</pre></li>
<li><span class="bold">uniqueattr -a <span class="italic">&lt;attributeType></span>:</span> identify all nonunique values for a particular
attribute.
<dl>
<dt class="bold">-a <span class="italic">&lt;attribute></span></dt>
<dd>Specify the attribute for which all conflicting values are listed.
</dd>
</dl>
<a name="wq383"></a>
<div class="notetitle" id="wq383">Note:</div>
<div class="notebody">Duplicate values for binary, operational, and configuration
attributes, and for the objectclass attribute, are not displayed; the unique
attributes extended operation does not support these attributes.</div>
<p><span class="bold">Example:</span></p>
<pre class="xmp">ldapexop -op uniqueattr -a "uid"</pre>
<p>The following line is added to the configuration file under the "cn=Directory,cn=RDBM
Backends,cn=IBM Directory,cn=schema,cn=Configuration" entry for this extended
operation:</p>
<pre class="xmp">ibm-slapdPlugin:extendedop /bin/libback-rdbm.dll initUniqueAttr</pre></li></ul>
<p><span class="bold">Diagnostics</span></p>
<p>Exit status is 0 if no errors occur. Errors result in a non-zero exit status
and a diagnostic message being written to standard error.</p>
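<p>As an added example (not part of the IBM documentation), the following POSIX shell script chains the <span class="bold">cascrepl</span> actions described above into a replication maintenance window and relies on the exit status described under Diagnostics. The convention of passing the general options as one string, and the script name in the usage comment, are assumptions of this example.</p>

```shell
#!/bin/sh
# Replication maintenance window built on the cascrepl extended operation.
# Constructed example for this page, not IBM code. Assumption: the general
# options (-h, -p, -Z, -K, -N, -D, -m ...) arrive as one space-separated
# string and are placed before -op, as the utility requires. Keep -w out of
# that string: use "-w ?" interactively, or a SASL mechanism such as GSSAPI,
# so the password never appears in a command line or job log.
set -u

# Issue one cascading replication action for the context DN $3.
# $1 = general options, $2 = quiesce|unquiesce|replnow|wait, $4 = timeout
# in seconds (0 = wait indefinitely). Returns ldapexop's exit status
# (0 = success; non-zero = error, message written to standard error).
cascrepl() {
    # $1 is deliberately unquoted: it holds several options that must split.
    ldapexop $1 -op cascrepl -action "$2" -rc "$3" -timeout "${4:-0}"
}

# Quiesce the subtree, push all queued changes, wait until every replica
# has them, then reopen the subtree. If quiesce itself fails, stop there.
# If a later step fails, the subtree is still unquiesced so that clients
# are not locked out, and the first failing status is returned.
replication_window() {
    opts=$1; ctx=$2; timeout=${3:-600}
    cascrepl "$opts" quiesce "$ctx" "$timeout" || return $?
    rc=0
    cascrepl "$opts" replnow "$ctx" "$timeout" || rc=$?
    if [ "$rc" -eq 0 ]; then
        cascrepl "$opts" wait "$ctx" "$timeout" || rc=$?
    fi
    urc=0
    cascrepl "$opts" unquiesce "$ctx" "$timeout" || urc=$?
    # Report the earliest failure; an unquiesce failure only if nothing else failed.
    [ "$rc" -ne 0 ] || rc=$urc
    return "$rc"
}

# Usage (hypothetical script name):
#   sh replwindow.sh "-h ldaphost -p 636 -Z -K keyfile -N certlabel" "o=acme,c=us" 60
if [ "$#" -ge 2 ]; then
    replication_window "$@"
fi
```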
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>