ldapcompare

Description

This is an LDAP utility that performs compare queries and prints a message whether the result returned a match or not.

This utility opens a connection to an LDAP directory server, binds, and performs the comparison specified on the command line or from a specified file.

Notes:

Syntax

ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute> <Value> | <Attribute> <Base64 Value>}

Parameters

Parameter

Description

-d <Debug Level>

Runs the command in debug mode with the specified TDERROR debug level.

Valid values are from 0 (disabled) to 5 (maximal level, recommended).

<Options>

See the tables below:

  • Compare options

  • Common options

<DN>

Specifies the Distinguished Name.

<Attribute>

Specifies the assertion attribute.

<Value>

Specifies the assertion value.

<Base64 Value>

Specifies the Base64 encoding of the assertion value.

Compare options

Option

Description

-E [!]<Extension>[=<Extension Parameter>]

Specifies the compare extensions.

Note - The exclamation sign "!" indicates criticality.

For example: !dontUseCopy = Do not use Copy

-M

Enables the Manage DSA IT control.

Use the "-MM" option to make it critical.

-P <LDAP Protocol Version>

Specifies the LDAP protocol version. Default version is 3.

-z

Enables the quiet mode.

The command does not print anything. You can use the command return values.

Common options

Option

Description

-D <Bind DN>

Specifies the LDAP Server administrator Distinguished Name.

-e [!]<Extension>[=<Extension Parameter>]

Specifies the general extensions:

Note - The exclamation sign "!" indicates criticality.

  • [!]assert=<Filter>

    RFC 4528; an RFC 4515 filter string

  • [!]authzid=<Authorization ID>

    RFC 4370; either "dn:<DN>", or "u:<Username>"

  • [!]chaining[=<Resolve Behavior>[/<Continuation Behavior>]]

    One of these:

    • "chainingPreferred"

    • "chainingRequired"

    • "referralsPreferred"

    • "referralsRequired"

  • [!]manageDSAit

    RFC 3296

  • [!]noop

  • ppolicy

  • [!]postread[=<Attributes>]

    RFC 4527; a comma-separated list of attributes

  • [!]preread[=<Attributes>]

    RFC 4527; a comma-separated list of attributes

  • [!]relax

  • abandon

    SIGINT sends the abandon signal; if critical, does not wait for SIGINT. Not really controls.

  • cancel

    SIGINT sends the cancel signal; if critical, does not wait for SIGINT. Not really controls.

  • ignore

    SIGINT ignores the response; if critical, does not wait for SIGINT. Not really controls.

-h <LDAP Server>

Specifies the LDAP Server computer by its IP address or resolvable hostname.

-H <LDAP URI>

Specifies the LDAP Server Uniform Resource Identifier(s).

-I

Specifies to use the SASL Interactive mode.

-n

Dry run - shows what would be done, but does not actually do it.

-N

Specifies not to use the reverse DNS to canonicalize SASL host name.

-o <Option>[=<Option Parameter>]

Specifies the general options:

nettimeout={<Timeout in Sec> | none | max}

-O <Properties>

Specifies the SASL security properties.

-p <LDAP Server Port>

Specifies the LDAP Server port. Default is 389.

-Q

Specifies to use the SASL Quiet mode.

-R <Realm>

Specifies the SASL realm.

-U <Authentication Identity>

Specifies the SASL authentication identity.

-v

Runs in verbose mode (prints the diagnostics to stdout).

-V

Prints version information (use the "-VV" option only).

-w <LDAP Admin Password>

Specifies the LDAP Server administrator password (for simple authentication).

-W

Specifies to prompt the user for the LDAP Server administrator password.

-x

Specifies to use simple authentication.

-X <Authorization Identity>

Specifies the SASL authorization identity (either "dn:<DN>", or "u:<Username>" option).

-y <File>

Specifies to read the LDAP Server administrator password from the <File>.

-Y <SASL Mechanism>

Specifies the SASL mechanism.

-Z

Specifies to start the TLS request.

Use the "-ZZ" option to require successful response.