B.3 LDAP Tools

OpenLDAP's set of LDAP client tools can be used to communicate with any LDAPv3 server (see Table B-6).

Table B-6. Command-line options common to ldapsearch, ldapcompare, ldapadd, ldapdelete, ldapmodify, and ldapmodrdn



-d integer

Specifies what debugging information to log. See the loglevel slapd.conf parameter for a listing of log levels.

-D binddn

Specifies the DN to use for binding to the LDAP server.

-e [!]ctrl[=ctrlparam]

Defines an LDAP control to be used on the current operation. See also the -M option for the ManageDsaIT control.

-f filename

Specifies the file containing the LDIF entries to be used in the operations.


Defines the LDAP URI to be used in the connection request.


Enables the SASL "interactive" mode. By default, the client prompts for information only when necessary.


Enables Kerberos 4 authentication.


Enables only the first step of the Kerberos 4 bind for authentication.

-M

Enables the ManageDsaIT control. This option is necessary when modifying an entry that is a referral or an alias. -MM requires that the ManageDsaIT control be supported by the server.


Does not perform the operation; just displays what would be done.

-O security_properties

Defines the SASL security properties for authentication. See previous information on the sasl-secprops parameter in slapd.conf.

-P [2|3]

Defines which protocol version to use in the connection (Version 2 or 3). The default is LDAP v3.


Suppresses SASL-related messages, such as which authentication mechanism is used, the username, and the realm.

-R sasl_realm

Defines the realm to be used by the SASL authentication mechanism.

-U username

Defines the username to be used by the SASL authentication mechanism.


Enables verbose mode.

-w password

Specifies the password to be used for authentication.


Instructs the client to prompt for the password.


Enables simple authentication. The default is to use SASL authentication.

-X id

Defines the SASL authorization identity. The identity has the form dn:dn or u:user. The default is to use the same identity that the user authenticated as.

-y passwdfile

Instructs the ldap tool to read the password for a simple bind from the given filename.

-Y sasl_mechanism

Tells the client which SASL mechanism should be used. The bind request will fail if the server does not support the chosen mechanism.

-Z

Issues a StartTLS request. Use of -ZZ makes successful negotiation of StartTLS mandatory for the connection to proceed.

B.3.1 ldapadd(1), ldapmodify(1)

These tools send updates to directory servers (see Table B-7).

Table B-7. ldapadd/ldapmodify options




Adds entries. This option is the default for ldapadd.


Replaces (or modifies) entries and values. This is the default for ldapmodify.


Forces all change records to be used from the input.

B.3.2 ldapcompare(1)

This tool asks a directory server to compare a given value against an attribute of an entry:

ldapcompare [options] DN <attr:value|attr::b64value>

There are no additional command-line flags for this tool.

B.3.3 ldapdelete(1)

This tool deletes entries from an LDAP directory (see Table B-8).

Table B-8. ldapdelete [option] DN




Deletes the subtree whose root is designated by DN. The delete is not performed atomically.

B.3.4 ldapmodrdn(1)

This tool changes the RDN of an entry in an LDAP directory (see Table B-9).

Table B-9. ldapmodrdn [options] [dn rdn]




Instructs ldapmodrdn to continue if errors occur. By default, it terminates if there is an error.


Removes the old RDN value. The default behavior is to add another value of the RDN and leave the old value intact. The default behavior makes it easier to modify a directory without leaving orphaned entries.

-s new_superior_node

Defines the new superior, or parent, entry under which the renamed entry should be located.

B.3.5 ldappasswd(1)

This tool changes the password stored in a directory entry (see Table B-10).

Table B-10. ldappasswd [options] [user]



-a secret

The old password value


Prompt for the old password

-s new_secret

The new password value


Prompt for the new password

B.3.6 ldapsearch(1)

This tool issues LDAP search queries to directory servers (see Table B-11).

Table B-11. ldapsearch [options] [filter [attributes...]]



-a [never|always|search|find]

Specifies how to handle aliases when they are located during a search. Possible values include never (default), always, search, or find.


For any entries found, returns the attribute names, but not their values.

-b basedn

Defines the base DN for the directory search.

-F prefix

Defines the URL prefix for filenames. The default is to use the value stored in $LDAP_FILE_URI_PREFIX.

-l limit

Defines a time limit (in seconds) for the server in the search.

-L

Prints the resulting output in LDIF v1 format. -LL causes the result to be printed in LDIF format without comments. -LLL prints the resulting output in LDIF format without comments and without version information.

-s [sub|base|one]

Defines the scope of the search to be base, one, or sub (the default).

-S attribute

Causes the ldapsearch client to sort the results by the value of attribute.

-t

Writes binary values to files in the temporary directory defined by the -T option. -tt specifies that all values, not just binary ones, should be written to files in that directory.

-T directory

Defines the directory used to store the resulting output files. The default is the directory specified by $LDAP_TMPDIR.


Includes user-friendly entry names in the output.

-z limit

Specifies the maximum number of entries to return.
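Putting the common options of Table B-6 and the ldapsearch options of Table B-11 together, as an added example that is not from the book or the OpenLDAP project: a POSIX shell wrapper that makes StartTLS mandatory with -ZZ, reads the bind password from a protected file with -y instead of exposing it with -w, bounds the result set with -z, and asks for plain LDIF with -LLL. The server URI, bind DN, base DN and password-file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the book): an ldapsearch wrapper that combines the
# options above the way a hardened query should: -x (simple bind) with -ZZ so
# StartTLS is mandatory, -y to read the bind password from a file instead of
# -w (a -w password is visible to every local user in ps output and lands in
# shell history), -LLL for clean LDIF and -z to bound the number of entries.
# The URI, bind DN and base DN are placeholders, not real hosts or entries.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"      # placeholder server
BIND_DN="${BIND_DN:-cn=reader,dc=example,dc=com}"     # placeholder read-only DN
BASE_DN="${BASE_DN:-dc=example,dc=com}"               # placeholder search base
PASS_FILE="${PASS_FILE:-$HOME/.ldap-reader.pw}"       # password file for -y

# -y only improves on -w if the file is private: refuse anything group- or
# world-readable. Works with GNU stat (-c) and BSD stat (-f).
check_passwd_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such password file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $f: mode $mode is readable by others" >&2; return 1 ;;
    esac
}

# Print the argument list ldap_query hands to ldapsearch, one token per line,
# so the invocation can be reviewed (or tested) without contacting a server.
search_args() {
    printf '%s\n' -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" \
        -b "$BASE_DN" -s sub -z 100 -LLL "$@"
}

# Run the query: the first argument is the filter, the rest are attributes.
ldap_query() {
    check_passwd_file "$PASS_FILE" || return 1
    ldapsearch -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" \
        -b "$BASE_DN" -s sub -z 100 -LLL "$@"
}

# Only contact a server when invoked with a filter, e.g.:
#   sh ldapq.sh '(uid=jdoe)' mail
if [ "$#" -gt 0 ]; then
    ldap_query "$@"
fi
```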