
Chapter 14. LDAP Tools

  1. OpenLDAP Tools - command line utilities
  2. LDAPBrowser/Editor - our LDAP Browser of choice
  3. ApacheDS Tools - tools and utilities

Note: Many folks have adopted the flexible and powerful Apache Directory Studio as a general purpose LDAP browser and client. It is an excellent choice. We tend to stick with LDAPBrowser/Editor because we think the name is very catchy (!!) and old dog....new tricks...

OpenLDAP Tools

OpenLDAP provides a number of tools. We document them here for the sake of completeness but you can always get this information from the appropriate man pages if you are lucky enough to be using 'nix systems.

A vital rule of thumb: in general, if the command starts with ldap, slapd MUST be running. If it starts with slap (specifically slapcat, slapindex, slapadd) slapd MUST NOT be running: you can corrupt the LDAP database if it is. Mix them at your peril - though the latest versions of OpenLDAP note that slapcat may be run against a bdb or hdb backend while slapd is running. Mmmm.

There is one obvious exception to the rule above, which is slappasswd - a benign little utility used to create password hashes and which never touches the database (slaptest, which only parses the configuration, is equally harmless). It is regrettable that this crummy exception exists - so important is the need to stop slapd when running any of the other commands. While it is pretty pointless to stop slapd just to run slappasswd, it is better to have a Pavlovian response to the prefix slap and always stop slapd than to get a corrupt database when you run, say, slapcat. That's how important this stuff is. Some among us will say "I'll never get it wrong 'cos I'm smart". When we are panicking to get service back with 57 people breathing down our necks - ain't none of us too smart.
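
The guard below is an added example, not code from the original page or from the OpenLDAP project: it refuses to run any slap* tool while slapd appears in the process table, and uses that guard for a slapcat backup of cn=config and one data database. The backup directory, the suffix and the init commands in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page or from OpenLDAP: refuse to run
# any slap* tool while slapd is in the process table, then use that guard for a
# slapcat backup. Backup directory, suffix and the init commands are assumptions.

# Read a process-name listing (one command per line) on stdin; succeed if slapd
# is in it. Taking the listing on stdin keeps the check testable without a
# server: run_slap_tool below feeds it the live process table.
slapd_listed() {
    grep -qE '(^|/)slapd$'
}

# Run the given slap* command line only if slapd is not running.
run_slap_tool() {
    if ps -eo comm= | slapd_listed; then
        printf 'refusing to run %s: slapd is running - stop it first\n' "$1" >&2
        return 1
    fi
    "$@"
}

# Dump cn=config (database 0) and the data database selected by suffix (-b) to
# timestamped LDIF files. slapd MUST be stopped first; the guard enforces it.
backup_dit() {
    dir=$1; suffix=$2
    stamp=$(date +%Y%m%dT%H%M%S)
    run_slap_tool slapcat -n 0 -l "$dir/config-$stamp.ldif" || return 1
    run_slap_tool slapcat -b "$suffix" -l "$dir/data-$stamp.ldif" || return 1
    printf '%s\n' "$dir/config-$stamp.ldif" "$dir/data-$stamp.ldif"
}

# Typical sequence (assumed SysV-style service name; adjust for systemd):
#   service slapd stop
#   backup_dit /var/backups/ldap dc=example,dc=com
#   service slapd start
```

The same wrapper serves for slapadd and slapindex; slappasswd and slaptest need no guard.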

OpenLDAP Tools Contents

  1. ldapadd - add LDIF entries to an LDAP directory
  2. ldapauth - add LDIF entries to an LDAP directory
  3. ldapdelete - delete LDAP entries
  4. ldapmodify - modify existing LDAP entries
  5. ldapmodrdn - modify an LDAP entry's DN
  6. ldappasswd - modify an entry's password
  7. ldapsearch - search LDAP entries
  8. ldapwhoami - perform an LDAP Who Am I operation on a server
  9. slapacl - verify access to attributes by inspecting the configuration of a DIT
  10. slapadd - add LDAP entries to a database - STOP SLAPD FIRST
  11. slapauth - verify SASL data against a DIT
  12. slapcat - export an LDIF from an LDAP database - STOP SLAPD FIRST
  13. slapd - stand-alone LDAP daemon
  14. slapdn - verify a DN against a DIT configuration
  15. slapindex - re-index an LDAP database - STOP SLAPD FIRST
  16. slappasswd - generate password
  17. slaptest - verify a slapd.conf file or a cn=config directory (slapd.d)

ldapadd & ldapmodify

ldapadd and ldapmodify (Updated to 2.4) take the same arguments and are treated as essentially synonymous, that is, ldapmodify with the -a argument IS ldapadd. Both utilities require an operational LDAP server and will take input (in LDIF format) from either standard input (the console) or an LDIF using the -f argument. Both commands allow an extensive argument set. In practice it is the commands in the LDIF file that actually perform the work.

Note: Prior to 2.3(?) if the changetype were omitted in an LDIF it defaulted to add when using ldapadd and if run using ldapmodify it assumed modify. From 2.3 no assumptions are made and the LDIF must contain all the required directives.

ldapmodify/ldapadd [-a] [-c] [-d debug_level] [-f file] [-D binddn] [-H ldapuri] [-h ldaphost] [-I] [-k] [-K] [-M[M]] [-n] [-O security-properties] [-p ldapport] [-P 2|3] [-Q] [-S file] [-R realm] [-U authcid] [-v] [-W] [-w password] [-x] [-X authzid] [-y passwdfile] [-Y mech] [-Z[Z]]

Arg Description
-a Add new entries. The default for ldapmodify is to modify existing entries. If invoked as ldapadd, this flag is always set.
-c Continuous operation mode. Errors are reported, but ldapmodify will continue with modifications. The default is to exit after reporting an error.
-d debug Set the LDAP debugging level to debug. ldapmodify/add must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-f file Read the entry modification information from file instead of from standard input.
-F Force application of all changes regardless of the contents of input lines that begin with replica: (by default, replica: lines are compared against the LDAP server host and port in use to decide if a replog record should actually be applied).
-h ldaphost Specify the host on which the ldap server is running (defaults to localhost). Deprecated in favor of -H.
-H ldapuri Replaces -h and -p. Defines one or more (separated by whitespace or comma) URI(s) referring to the ldap server(s) in the form scheme://host.name:port, where scheme is ldap (cleartext unless StartTLS is used, port 389 by default), ldaps (TLS from the start, port 636 by default) or ldapi (a local Unix domain socket). If not defined, defaults to ldap://localhost:389. Alternatively a DN may be defined and is used to find the corresponding host(s) using DNS SRV records as defined in RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396. Examples:
# standard URI format (defaults to port 389)
-H ldap://ldap.example.com

# look for a DNS SRV RR of the form
# _ldap._tcp.example.com SRV ....
-H "dc=example,dc=com"
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-k Use Kerberos IV authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. You must compile with Kerberos support for this option to have any effect.
-K Same as -k, but only does step 1 of the Kerberos IV bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal registered with your Kerberos Domain Controller(s).
-M[M] Enable manage DSA IT control. -MM makes control critical. Needed to delete referrals.
-n Show what would be done, but don't actually modify entries. Useful for debugging in conjunction with -v.
-O props Specify SASL security properties.
-Q Enable SASL Quiet mode. Never prompt.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-S file Add or change records which were skipped due to an error are written to file and the error message returned by the server is added as a comment. When used with -c it creates an LDIF that can be corrected (edited) and used as input to ldapadd/ldapmodify.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-v Verbose mode - diagnostic messages are written to standard output.
-w password Use clear text password for simple authentication. Use -W or -y in preference to secure the password.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line (-w) and is significantly more secure.
-x Use simple authentication instead of SASL. Defaults to SASL authentication if not specified.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-y passfile Use the complete contents of passwdfile as the password for simple authentication. The contents are used verbatim, so a trailing newline in the file (which echo adds) becomes part of the password; create the file with printf and make it readable only by its owner.
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.

Examples:

Use the specified LDIF file to modify the defined LDAP server, authenticating using the rootdn and its password. Use simple authentication.

The line below is split for HTML formatting reasons only and should be on a single line:

ldapadd -H ldap://ldaphost.example.com -x -D "cn=jimbob,dc=example,dc=com" 
 -f /tmp/addgroups.ldif -w dirtysecret

Notes:

  1. Since OpenLDAP 2.x the default security mechanism is SASL - if this is not used the -x argument must be given.
  2. If the LDAP server is on the same host the -H argument can be omitted.
  3. If the -W argument is used (not the -w) then the utility will prompt for the password.
  4. A password given with -w, as in the example, is visible to every local user in the process listing (ps) for as long as the command runs and is recorded in the shell history. Prefer -W, or -y with a password file readable only by its owner.
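
The script below is an added example, not code from the original page or from the OpenLDAP project: it creates a password file that is safe to use with -y, writes an LDIF whose records all carry a changetype (as required since 2.3), checks the file before use, and shows the dry-run and the continue-on-error forms of ldapmodify. The server URI, bind DN and the entries are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page or from OpenLDAP: a password
# file for -y, an LDIF whose records all carry a changetype, and a dry run
# with ldapmodify. Server URI, bind DN and the entries are assumptions.

# Write the bind password for -y. The tools use the COMPLETE contents of the
# file as the password, so the newline that echo would append becomes part of
# it and the bind fails: write with printf and no "\n", owner-readable only.
write_passfile() {
    rm -f "$1"
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Succeed if the file does not end in a newline (wc -l counts newline bytes).
passfile_ok() {
    [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Write a two-record LDIF. Since 2.3 nothing is inferred from the command name,
# so every record states its changetype explicitly.
write_ldif() {
cat > "$1" <<'EOF'
dn: cn=someone,ou=people,dc=example,dc=com
changetype: modify
replace: mail
mail: someone@example.com
-

dn: cn=newgroup,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: newgroup
member: cn=someone,ou=people,dc=example,dc=com
EOF
}

# Print "<records> <changetypes>"; the two must be equal before the file is fed
# to ldapmodify, otherwise the server rejects the record without a changetype.
ldif_counts() {
    printf '%s %s' "$(grep -c '^dn: ' "$1")" "$(grep -c '^changetype: ' "$1")"
}

# mode "dry": -n -v reports what would be done without modifying anything.
# mode "apply": -ZZ insists on StartTLS so the password never crosses the wire
# in clear; -c continues past a rejected record and -S collects the rejects,
# with the server's error as a comment, into a file to edit and feed back.
modify_with() {
    mode=$1; uri=$2; binddn=$3; passfile=$4; ldif=$5; rejects=$6
    if [ "$mode" = dry ]; then
        ldapmodify -n -v -f "$ldif"
    else
        ldapmodify -H "$uri" -x -D "$binddn" -y "$passfile" -ZZ -v -c \
            -S "$rejects" -f "$ldif"
    fi
}

tmp=$(mktemp -d)
write_passfile "$tmp/pw" 'dirtysecret'
write_ldif "$tmp/changes.ldif"
if passfile_ok "$tmp/pw"; then echo "password file ok"; fi
echo "records/changetypes: $(ldif_counts "$tmp/changes.ldif")"
# Talk to a server only when one is named in the environment (assumed variable).
if [ -n "${LDAP_URI:-}" ]; then
    modify_with apply "$LDAP_URI" 'cn=jimbob,dc=example,dc=com' "$tmp/pw" \
        "$tmp/changes.ldif" "$tmp/rejected.ldif"
fi
```

After an "apply" run with rejects, edit the -S file (the server's reason is in the comment above each record) and pass it back with -f; records that succeeded are not in it, so nothing is applied twice.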


ldapdelete

ldapdelete opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more DN arguments are provided, entries with those Distinguished Names are deleted. Each DN should be provided using the LDAPv3 string representation as defined in RFC 2253 (since superseded by RFC 4514). If no dn arguments are provided, a list of DNs is read from standard input (or from file if the -f flag is used).

Note: The file referenced in this command is not in LDIF format. It is a text file containing one or more DNs (one per line) that will be processed by the command as shown:

cn=someone,ou=people,dc=example,dc=com
cn=someone else,ou=people,dc=example,dc=com

The alternate method to delete entries is to use an LDIF file with ldapmodify with a file such as:

dn: cn=someone,ou=people,dc=example,dc=com
changetype: delete

dn: cn=someone else,ou=people,dc=example,dc=com
changetype: delete

ldapdelete [-c] [-d debuglevel] [-D binddn] [-f file] [-h ldaphost] [-H ldapuri] [-I] [-k] [-K] [-M[M]] [-n] [-O security-properties] [-P 2|3] [-p ldapport] [-Q] [-R realm] [-U authcid] [-v] [-W] [-w passwd] [-x] [-X authzid] [-y passwdfile] [-Y mech] [-Z[Z]] [dn]...

Arg Description
-c Continuous operation mode. Errors are reported, but ldapdelete will continue with the remaining deletions. The default is to exit after reporting an error.
-d debug Set the LDAP debugging level to debuglevel. ldapdelete must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-f file Read the DNs to delete from file instead of from standard input. This file is NOT in LDIF format; it is simply a text file with the required DNs to be deleted - one per line.
-h ldaphost Specify the host on which the ldap server is running (defaults to localhost). Deprecated in favor of -H.
-H ldapuri Replaces -h and -p. Defines one or more (separated by whitespace or comma) URI(s) referring to the ldap server(s) in the form scheme://host.name:port, where scheme is ldap (cleartext unless StartTLS is used, port 389 by default), ldaps (TLS from the start, port 636 by default) or ldapi (a local Unix domain socket). If not defined, defaults to ldap://localhost:389. Alternatively a DN may be defined and is used to find the corresponding host(s) using DNS SRV records as defined in RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396. Examples:
# standard URI format (defaults to port 389)
-H ldap://ldap.example.com

# look for a DNS SRV RR of the form
# _ldap._tcp.example.com SRV ....
-H "dc=example,dc=com"
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-k Use Kerberos IV authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. You must compile with Kerberos support for this option to have any effect.
-K Same as -k, but only does step 1 of the Kerberos IV bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal registered with your Kerberos Domain Controller(s).
-M[M] Enable manage DSA IT control. -MM makes control critical.
-n Show what would be done, but don't actually modify entries. Useful for debugging in conjunction with -v.
-O props Specify SASL security properties.
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3 Specify the LDAP protocol version to use. Default is 3 (LDAPv3)
-Q Enable SASL Quiet mode. Never prompt.
-r (OpenLDAP 2.4) Recursive delete: if a DN names a non-leaf entry, delete it and everything below it. Without -r, deleting an entry that still has children fails with an error reporting that the operation is not allowed on a non-leaf entry.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-v Use verbose mode, with many diagnostics written to standard output.
-w password Use clear text password for simple authentication. Use -W or -y in preference to secure the password.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line (-w) and is significantly more secure.
-x Use simple authentication instead of SASL. Defaults to SASL authentication if not specified.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-y passfile Use the complete contents of passwdfile as the password for simple authentication. The contents are used verbatim, so a trailing newline in the file (which echo adds) becomes part of the password; create the file with printf and make it readable only by its owner.
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
dn... One or more DNs to delete, each given as a separate command-line argument (quoted if it contains spaces). If none are given they are read from standard input or, with -f, from a file, one per line.


ldapmodrdn

ldapmodrdn opens a connection to an LDAP server, binds, and modifies the RDN of entries. The entry information is read from standard input, from file through the use of the -f option, or from the command-line pair dn and rdn.

ldapmodrdn [-r] [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file] [dn rdn]

Arg Description
-r Remove old RDN values from the entry. Default is to keep old values.
-n Show what would be done, but don't actually modify entries. Useful for debugging in conjunction with -v.
-v Use verbose mode, with many diagnostics written to standard output.
-k Use Kerberos IV authentication instead of simple authentication. It is assumed that you already have a valid ticket granting ticket. You must compile with Kerberos support for this option to have any effect.
-K Same as -k, but only does step 1 of the Kerberos IV bind. This is useful when connecting to a slapd and there is no x500dsa.hostname principal registered with your Kerberos Domain Controller(s).
-c Continuous operation mode. Errors are reported, but ldapmodrdn will continue with the remaining modifications. The default is to exit after reporting an error.
-M[M] Enable manage DSA IT control. -MM makes control critical.
-d debug Set the LDAP debugging level to debuglevel. ldapmodrdn must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-h ldaphost Specify the host on which the ldap server is running (defaults to localhost). Deprecated in favor of -H.
-H ldapuri Replaces -h and -p. Defines one or more (separated by whitespace or comma) URI(s) referring to the ldap server(s) in the form scheme://host.name:port, where scheme is ldap (cleartext unless StartTLS is used, port 389 by default), ldaps (TLS from the start, port 636 by default) or ldapi (a local Unix domain socket). If not defined, defaults to ldap://localhost:389. Alternatively a DN may be defined and is used to find the corresponding host(s) using DNS SRV records as defined in RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396. Examples:
# standard URI format (defaults to port 389)
-H ldap://ldap.example.com

# look for a DNS SRV RR of the form
# _ldap._tcp.example.com SRV ....
-H "dc=example,dc=com"
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3 Specify the LDAP protocol version to use. Default is 3 (LDAPv3)
-w password Use clear text password for simple authentication. Use -W or -y in preference to secure the password.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line (-w) and is significantly more secure.
-x Use simple authentication instead of SASL. Defaults to SASL authentication if not specified.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-y passfile Use the complete contents of passwdfile as the password for simple authentication. The contents are used verbatim, so a trailing newline in the file (which echo adds) becomes part of the password; create the file with printf and make it readable only by its owner.
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-O props Specify SASL security properties.
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-Q Enable SASL Quiet mode. Never prompt.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
-f file Read the entry modification information from file instead of standard input.
dn rdn modifies the dn using the supplied rdn.


ldappasswd

ldappasswd uses the LDAP Password Modify Extended Operation defined in RFC 3062 to modify the password of a user who may reside within the LDAP DIT (where the user is specified with a DN) or be maintained externally by SASL. The RFC says the server should require the client to be authenticated; the ldappasswd client does not police this itself, so the protection is the server's: slapd refuses the operation on an anonymous connection and otherwise applies its ACLs (the bound identity needs write access to the target's userPassword), so an unauthenticated or under-privileged bind fails at the server, not in the tool.

ldappasswd [-A] [-a oldpasswd] [-t oldpasswdfile] [-D binddn] 
  [-d debuglevel] [-H ldapuri] [-h ldaphost]  [-n]  [-p ldapport]
  [-S]  [-s newpasswd]   [-T newpasswdfile]   [-v]  [-W]  [-w passwd]
  [-y passwdfile]  [-O props]  [-I]  [-Q]  [-U authcid]
  [-x]  [-X authzid] [-R realm] [-Y mech] [-Z[Z]] [user]
Arg Description
-A Prompt for old (current) password. Incompatible with -a or -t option.
-a oldpassword The current password is defined by oldpassword value. Incompatible with -A or -t option.
-d debug Set the LDAP debugging level to debug. ldappasswd must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-h ldaphost Specify the host on which the ldap server is running (defaults to localhost). Deprecated in favor of -H.
-H ldapuri Replaces -h and -p. Defines one or more (separated by whitespace or comma) URI(s) referring to the ldap server(s) in the form scheme://host.name:port, where scheme is ldap (cleartext unless StartTLS is used, port 389 by default), ldaps (TLS from the start, port 636 by default) or ldapi (a local Unix domain socket). If not defined, defaults to ldap://localhost:389. Alternatively a DN may be defined and is used to find the corresponding host(s) using DNS SRV records as defined in RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396. Examples:
# standard URI format (defaults to port 389)
-H ldap://ldap.example.com

# look for a DNS SRV RR of the form
# _ldap._tcp.example.com SRV ....
-H "dc=example,dc=com"
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-n Perform all connection and protocol operation but do NOT set password. Useful for debugging in conjunction with -v and/or -d.
-O props Specify SASL security properties.
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3 Specify the LDAP protocol version to use. Default is 3 (LDAPv3)
-Q Enable SASL Quiet mode. Never prompt.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-s newpasswd Use the newpasswd value. Incompatible with -S and -T option.
-S Prompt for new password (will occur twice). Incompatible with -s and -T option.
-t oldpasswdfile Read the old (current) password from the defined file. Incompatible with -a and -A option.
-T path Read the new password from the defined file. Incompatible with -s and -S option.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-v Use verbose mode, with diagnostics to standard output.
-w password Use clear text password for simple authentication. Use -W or -y in preference to secure the password.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line (-w) and is significantly more secure.
-x Use simple authentication instead of SASL. Defaults to SASL authentication if not specified.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-y passfile Use the complete contents of passwdfile as the password for simple authentication. The contents are used verbatim, so a trailing newline in the file (which echo adds) becomes part of the password; create the file with printf and make it readable only by its owner.
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If -Z used and TLS fails the operation will continue, if -ZZ is used TLS startup must be successful.
user The user is defined by its DN enclosed in double quotes, for example: "cn=slimy toad,ou=people,dc=example,dc=com".

Examples:

Modifies the userPassword attribute of cn=slimy toad,ou=people,dc=example,dc=com, binding as the rootdn; prompts for the old password (-A), the new password (-S, entered twice) and the rootdn's bind password (-W).

ldappasswd [-H ldap://localhost] -D cn=admin,dc=example,dc=com -W -A 
 -S "cn=slimy toad,ou=people,dc=example,dc=com"


ldapsearch

ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters as defined in RFC 4515. If not provided, the default filter, (objectClass=*), is used.

If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is present, all user attributes are returned. If + is present, all operational attributes are returned. If no attrs are listed, all user attributes are returned (* is assumed).

ldapsearch results are displayed in LDIF format (detailed format controlled by -L -LL and -LLL).

ldapsearch  [-a never|always|search|find] [-A] [-b searchbase] [-c] [-d debuglevel]
   [-D binddn] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-f file] [-F prefix]
   [-h ldaphost] [-H ldapuri] [-I] [-l time] [-L[L[L]]] [-M[M]] [-n] 
   [-O security-properties] [-p ldapport] [-P 2|3] [-Q] [-R realm]
   [-s base|one|sub|children] [-S attribute] [-t[t]] [-T path] [-u] [-U authcid]
   [-v] [-w passwd] [-W] [-x] [-X authzid] [-y passwdfile] [-Y mech] [-z sizelimit] 
   [-Z[Z]] filter [attrs...]
Arg Description
-a never|always|search|find Specify how alias dereferencing is done. May be never, always, search, or find to specify that aliases are never dereferenced, always dereferenced, dereferenced when searching, or dereferenced only when locating the base object for the search. The default is to never dereference aliases.
-A Retrieve attributes only (no values). This is useful when you just want to see if an attribute is present in an entry and are not interested in the specific values.
-b base Use base (DN) as the starting point for the search instead of the default.
-c (LDAP 2.4+) continue after error. Default will terminate after error encountered. Only relevant if used in conjunction with -f (read searches from file).
-d debug Set the LDAP debugging level to debug. ldapsearch must be compiled with LDAP_DEBUG defined for this option to have any effect.
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory.
-e [!]ext[=extparam] See -E below
-E [!]ext[=extparam] Specify general extensions with -e and search extensions with -E. '!' indicates criticality.
General extensions:

[!]assert=<filter>   (an RFC 4515 Filter)
[!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
[!]manageDSAit
[!]noop
ppolicy
[!]postread[=<attrs>] (a comma-separated attribute list)
[!]preread[=<attrs>]  (a comma-separated attribute list)
abandon, cancel          (SIGINT sends abandon/cancel)

Search extensions:
[!]domainScope                    (domain scope)
[!]mv=<filter>                 (matched values filter)
[!]pr=<size>[/prompt|noprompt]	(paged results/prompt)
[!]subentries[=true|false]        (subentries)
[!]sync=ro[/<cookie>]          (LDAP Sync refreshOnly)
rp[/<cookie>][/<slimit>]    (LDAP Sync refreshAndPersist)
-f file Read a series of lines from file, performing one LDAP search for each line. In this case, the filter given on the command line is treated as a pattern where the first and only occurrence of %s is replaced with a line from file. Any other occurrence of the % character in the pattern will be regarded as an error. Where it is desired that the search filter include a % character, the character should be encoded as \25 (see RFC 4515). If file is a single - character, then the lines are read from standard input. ldapsearch will exit when the first non-successful search result is returned, unless -c is used (2.4+ only).
-F prefix URL prefix for temporary files. Default is file:/path/ where path is /var/tmp/ or specified with -T.
-h ldaphost Specify the host on which the ldap server is running (defaults to localhost). Deprecated in favor of -H.
-H ldapuri Replaces -h and -p. Defines one or more (separated by whitespace or comma) URI(s) referring to the ldap server(s) in the form scheme://host.name:port, where scheme is ldap (cleartext unless StartTLS is used, port 389 by default), ldaps (TLS from the start, port 636 by default) or ldapi (a local Unix domain socket). If not defined, defaults to ldap://localhost:389. Alternatively a DN may be defined and is used to find the corresponding host(s) using DNS SRV records as defined in RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396. Examples:
# standard URI format (defaults to port 389)
-H ldap://ldap.example.com

# look for a DNS SRV RR of the form
# _ldap._tcp.example.com SRV ....
-H "dc=example,dc=com"
-I Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-l time Wait at most time seconds for a search to complete. A time of 0 (zero) removes the ldap.conf limit. This value cannot exceed any timelimit (in slapd.conf) unless authenticated as (-D) the rootdn.
-L[L[L]] Search results are displayed in LDIF format. A single -L restricts the output to LDIFv1. A second L (-LL) disables comments. A third L (-LLL) disables printing of the LDIF version. The default (no -L) is to use an extended version of LDIF.
-M[M] Enable manage DSA IT control. -MM makes control critical.
-n Show what would be done, but don't actually modify entries. Useful for debugging in conjunction with -v.
-O props Specify SASL security properties.
-p ldapport Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P 2|3 Specify the LDAP protocol version to use. Default is 3 (LDAPv3)
-Q Enable SASL Quiet mode. Never prompt.
-R realm Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-s scope Specify the scope of the search to be base, one, sub or children to specify the base object, one-level, or subtree search. The default is sub. Note: children scope requires LDAPv3 subordinate feature extension.
-S attribute Sort the entries returned based on attribute. The default is not to sort entries returned. If attribute is a zero-length string (""), the entries are sorted by the components of their Distinguished Name. See ldap_sort(3) for more details. Note that ldapsearch normally prints out entries as it receives them. The use of the -S option defeats this behavior, causing all entries to be retrieved, then sorted, then printed.
-t Write retrieved values to a set of temporary files. This is useful for dealing with non-ASCII values such as jpegPhoto or audio. A second t (-tt) saves all values to temporary files. Default files are in /var/tmp.
-T path Defines the path to a directory to be used to store files created using the -t argument (use to override /var/tmp default).
-u Include the User Friendly Name form of the Distinguished Name (DN) in the output.
-U authcid Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-v Use verbose mode, with many diagnostics written to standard output.
-w password Use clear text password for simple authentication. Use -W or -y in preference to secure the password.
-W Prompt for simple authentication. This is used instead of specifying the password on the command line (-w) and is significantly more secure.
-x Use simple authentication instead of SASL. Defaults to SASL authentication if not specified.
-X authzid Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-y passfile Use the complete contents of passwdfile as the password for simple authentication. The contents are used verbatim, so a trailing newline in the file (which echo adds) becomes part of the password; create the file with printf and make it readable only by its owner.
-Y mech Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-z size Retrieve at most size entries for a search. A size of 0 (zero) removes the ldap.conf limit. This value cannot exceed any sizelimit (in slapd.conf) unless authenticated as (-D) the rootdn.
-Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
filter The search filter to be used. This is enclosed in double quotes and bounded by parentheses.
attrs space separated list of attributes to be returned.

Examples:

The following searches the whole subtree below ou=people (sub is the -s default) for entries whose mail attribute contains smith, displays the sn, cn and mail attributes and outputs in LDIFv1 format without comments. The -LL is included to ensure that the displayed LDIF can be written to a file and then read by, say, ldapadd. -x selects a simple bind, here anonymous since no -D is given; without -x the tool attempts a SASL bind, which fails unless a SASL mechanism is available.

ldapsearch -H ldap://ldap.example.com -x -LL -b ou=people,dc=example,dc=com 
 "(mail=*smith*)" sn cn mail

# using standard redirection the above results could be written to a file
# > /tmp/search1.ldif
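
The script below is an added example, not code from the original page or from the OpenLDAP project: it escapes untrusted input according to RFC 4515 before it is interpolated into a filter (the same escaping the -f/%s note above requires for a literal %), and wraps ldapsearch with the options a cautious operator would use (-ZZ, -LLL, paged results, a size cap). The server URI and search base are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page or from OpenLDAP: escape
# untrusted input before it goes into a filter (RFC 4515) and build the
# ldapsearch call that uses it. Server URI and search base are assumptions.

# Escape the characters with special meaning inside an assertion value:
# backslash first (so the escapes produced next are not escaped again), then
# '*', '(' and ')'. NUL would need \00 but cannot occur in a shell string.
# Without this, input containing ) ( * or \ changes the structure of the
# filter instead of being matched literally: LDAP filter injection.
ldap_filter_escape() {
    printf '%s\n' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g' |
        tr -d '\n'
}

# Substring filter on mail built from untrusted input.
mail_filter() {
    printf '(mail=*%s*)' "$(ldap_filter_escape "$1")"
}

# For -f: one escaped value per line. The filter given on the command line then
# holds a single %s that ldapsearch replaces with each line in turn (a literal
# % in that pattern must be written \25).
escape_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        ldap_filter_escape "$line"
        echo
    done < "$1"
}

# -x with no -D is an anonymous simple bind; -ZZ makes the connection fail
# rather than continue in clear if StartTLS does not succeed; -LLL gives plain
# LDIF; -E pr= pages large result sets without prompting; -z caps the pull.
search_mail() {
    uri=$1; base=$2; input=$3
    ldapsearch -H "$uri" -x -ZZ -LLL -b "$base" -E pr=500/noprompt -z 1000 \
        "$(mail_filter "$input")" sn cn mail
}

# Show the effect on a hostile value (prints the filter, contacts no server).
mail_filter '*smith)(uid=*'; echo
# Search only when a server is named in the environment (assumed variable).
if [ -n "${LDAP_URI:-}" ]; then
    search_mail "$LDAP_URI" 'ou=people,dc=example,dc=com' 'smith'
fi
```

The hostile value above becomes (mail=*\2asmith\29\28uid=\2a*), which matches only a mail value literally containing that text; unescaped it would have been parsed as filter syntax. A file produced by escape_list is used as ldapsearch ... -f names.txt "(cn=%s)".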


ldapwhoami

One Day Real Soon Now™


slapacl

Updated to 2.4. slapacl allows the user to test access from a given bind DN (-b) to specific attributes given the current access directives in the slapd.conf file (or cn=config). The utility only requires read-only access to the configuration and the DIT(s) and therefore may be used while slapd is running.

slapacl -b DN [-d level] [-D authcDN | -U authcID] [-f slapd.conf] [-F confdir] [-o name[=value]] [-u] [-v] [-X authzID | -o authzDN=DN] [attr[/access][:value]] [...]

Arg Description
-b DN The DN of a user which is assumed to bind to the DIT. The entry is fetched from the DIT and thus must exist. The DN is tested against the relevant ACLs (global and DIT specific) to determine if the defined attributes can be accessed with their required permissions. See also -u.
-d level enable debugging messages as defined by the specified level.
-D authcDN specify a DN to be used as identity through the test session when selecting appropriate <by> clauses in access control lists.
-f slapd.conf Defines the location of slapd.conf. The default locations/names are [fc] /etc/openldap/slapd.conf or [bsd] /usr/local/etc/openldap/slapd.conf.
-F confdir Defines the configuration directory for use with cn=config. If both -f and -F are specified, the config file (defined by -f) will be read and converted to cn=config directory format and written to the directory specified by the -F argument. If neither the -f nor -F option is specified, OpenLDAP will first attempt to read the default configuration directory ([fc] /etc/openldap/slapd.d, [bsd] /usr/local/etc/openldap/slapd.d) and if this does not exist will revert to use the default config file (slapd.conf). If a valid config directory exists then the config file is ignored. If dryrun mode (-u dryrun) is supported and specified (by most utilities but not by slapd), no conversion will occur.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)

Possible options/values specific to slapacl are:

 authzDN
 domain
 peername
 sasl_ssf
 sockname
 sockurl
 ssf
 tls_ssf
 transport_ssf
-u do not fetch the entry from the database. In this case, if the entry does not exist, a fake entry with the DN given with the -b option is used, with no attributes. As a consequence, those rules that depend on the contents of the target object will not behave as with the real object. The DN given with the -b option is still used to select what rules apply thus, it must be in the naming context of a configured database. See also -b.
-v enable verbose mode.
-X authzID specify an ID to be mapped to a DN by means of authz-regexp or authz-rewrite rules; mutually exclusive with -D.
attr[/access][:value] [...] Each attribute sequence is enclosed in a quoted string as shown in this example:
# tests whether it is possible to read the
# organizationName (o) with the value 'Example, Inc.'
"o/read:Example, Inc."


slapadd

Updated to 2.4+. Slapadd is used to add entries specified in LDIF format to an LDAP database. SLAPD MUST NOT BE RUNNING WHEN THIS COMMAND IS ISSUED OR SERIOUS DATABASE CORRUPTION MAY RESULT. It applies the LDIF to the database determined by the database number or suffix. The LDIF input is read from standard input or the specified file (-l argument).

STOP SLAPD BEFORE RUNNING. slapadd is designed to accept an LDIF in database order: it does not verify that superior entries exist before adding an entry, does not perform user and system schema checks, and does not maintain operational attributes (such as createTimestamp and modifiersName).

slapadd [-b suffix] [-c] [-d level] [-f slapd.conf] 
        [-F confdir] [-g] [-j lineno] [-l ldif-file]
        [-n dbnum]  [-o  name[=value]]
        [-q] [-s] [-S SID] [-u dryrun] [-v] [-w]
Arg Description
-b suffix Use the specified suffix to determine which database to add entries to. The -b cannot be used in conjunction with the -n option.
-c enable continue (ignore errors) mode.
-d level enable debugging messages as defined by the specified level.
-f slapd.conf Defines the location of slapd.conf. The default locations/names are [fc] /etc/openldap/slapd.conf or [bsd] /usr/local/etc/openldap/slapd.conf.
-F confdir Defines the configuration directory for use with cn=config. If both -f and -F are specified, the config file (defined by -f) will be read and converted to cn=config directory format and written to the directory specified by the -F argument. If neither the -f nor -F option is specified, OpenLDAP will first attempt to read the default configuration directory ([fc] /etc/openldap/slapd.d, [bsd] /usr/local/etc/openldap/slapd.d) and if this does not exist will revert to use the default config file (slapd.conf). If a valid config directory exists then the config file is ignored. If dryrun mode (-u dryrun) is supported and specified (by most utilities but not by slapd), no conversion will occur.
-g disable subordinate gluing. Only the specified database will be processed, and not its glued subordinates (if any).
-j lineno Jump to the specified lineno (line number) in the LDIF file before processing any entries. This allows a load that was aborted due to errors in the input LDIF to be resumed after the errors are corrected.
-l ldif-file Read LDIF from the specified file instead of standard input.
-n dbnum Add entries to the dbnum-th database listed in the configuration file. The -n cannot be used in conjunction with the -b option.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)
-q enable quick (fewer integrity checks) mode. Does fewer consistency checks on the input data, and no consistency checks when writing the database. Improves the load time but if any errors or interruptions occur the resulting database will be unusable.
-s disable schema checking. This option is intended to be used when loading databases containing special objects, such as fractional objects on a partial replica. Loading normal objects which do not conform to schema may result in an unusable DIT and is not recommended.
-S SID Server ID to use in generated entryCSN. Also used for contextCSN if `-w' is set as well. Defaults to 0.
-u Verify/validate configuration (slapd.conf or slapd.d - see -f and -F arguments) only. By default the utility will check the presence and integrity of the defined database(s) section(s). This flag inhibits such checks. To check only a single database use the -n flag. Use of this flag also inhibits conversion of a slapd.conf file to cn=config when both -f and -F flags are used. Effectively the utility verifies only when this flag is used.
-v enable verbose mode.
-w 2.3+. Write syncrepl context information. After all entries are added, the contextCSN will be updated with the greatest CSN in the database. This implies that the LDIF file contains the CSN attributes (that is, it was created from a post version 2.2 DIT). Using this option allows the consumer to generate a SyncCookie and minimise the time taken to initially synchronize a syncrepl style replication. See also syncrepl synchronization.


slapauth

One Day Real Soon Now™


slapcat

Updated to 2.4. STOP SLAPD BEFORE RUNNING - though the latest versions (2.3+) of OpenLDAP suggest that if either an HDB or BDB backend is being used then it is safe to leave slapd running when using slapcat. slapcat is used to generate an LDIF based upon the contents of an LDAP database. It opens the database determined by the database number or suffix and writes the corresponding LDIF to standard output or the specified file (-l argument). OpenLDAP should not be running when this command is issued.

The LDIF generated by this utility can be used by slapadd. As the entries are in database order, not superior first order, they cannot be loaded with ldapadd without being reordered.
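The reordering described above, as an added Python example (not part of this page or of OpenLDAP): it parses a slapcat-style dump, sorts the entries superior-first by RDN count, and flags entries whose superior is missing from the dump. The sample LDIF is constructed.

```python
import base64
import re

# Constructed sample dump in "database order": the children appear before
# their superior dc=example,dc=com, which is exactly what ldapadd rejects.
SAMPLE_LDIF = r"""dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example, Inc.

dn: ou=Sales\, EMEA,dc=example,dc=com
objectClass: organizationalUnit
ou: Sales, EMEA
"""

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    return [c.strip() for c in re.split(r"(?<!\\),", dn)]

def normalize(dn):
    """Canonical form for comparisons: trimmed components, case-folded."""
    return ",".join(split_rdns(dn)).lower()

def parent_dn(dn):
    """DN of the superior entry ('' when the DN has a single RDN)."""
    return ",".join(split_rdns(dn)[1:])

def parse_ldif(text):
    """Return [(dn, lines)] from LDIF text. Folded continuation lines (a
    leading space) are joined, comments dropped, 'dn::' base64 DNs decoded."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line)
        dn_line = next((l for l in lines if l.lower().startswith("dn:")), None)
        if dn_line is None:
            continue
        value = dn_line[3:]
        if value.startswith(":"):                       # dn:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entries.append((value.strip(), lines))
    return entries

def reorder_for_ldapadd(text):
    """Return (ordered, orphans). Entries are sorted superior-first by RDN
    count (a parent always has one RDN fewer than its child, so depth order
    is a valid load order; the sort is stable, so siblings keep dump order).
    orphans lists entries below the suffix whose superior is not in the dump;
    ldapadd would fail on those with noSuchObject."""
    entries = parse_ldif(text)
    if not entries:
        return [], []
    ordered = sorted(entries, key=lambda e: len(split_rdns(e[0])))
    present = {normalize(dn) for dn, _ in ordered}
    suffix_depth = len(split_rdns(ordered[0][0]))
    orphans = [dn for dn, _ in ordered
               if len(split_rdns(dn)) > suffix_depth
               and normalize(parent_dn(dn)) not in present]
    return ordered, orphans

def to_ldif(entries):
    """Serialise entries back to LDIF with one blank line between entries."""
    return "\n\n".join("\n".join(lines) for _, lines in entries) + "\n"

if __name__ == "__main__":
    ordered, orphans = reorder_for_ldapadd(SAMPLE_LDIF)
    print(to_ldif(ordered))
    for dn in orphans:
        print("# no superior in dump for:", dn)
```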

slapcat	[-a filter]  [-b suffix] [-c] [-d level] 
        [-f slapd.conf] [-F confdir] [-g] [-l ldif-file]
        [-n dbnum] [-o name[=value]] [-s subtree-dn] [-v]
Arg Description
-a filter Only dump entries matching the asserted filter. For example:
slapcat -a \
  "(!(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com))"
will dump all but the "ou=People,dc=example,dc=com" subtree of the "dc=example,dc=com" database.
-b suffix Use the specified suffix (as defined in the slapd.conf suffix directive) to determine which database to generate output for. The -b cannot be used in conjunction with the -n option.
-c enable continue (ignore errors) mode.
-d level enable debugging messages as defined by the specified level.
-f slapd.conf Defines the location of slapd.conf. The default locations/names are [fc] /etc/openldap/slapd.conf or [bsd] /usr/local/etc/openldap/slapd.conf.
-F confdir Defines the configuration directory for use with cn=config. If both -f and -F are specified, the config file (defined by -f) will be read and converted to cn=config directory format and written to the directory specified by the -F argument. If neither the -f nor -F option is specified, OpenLDAP will first attempt to read the default configuration directory ([fc] /etc/openldap/slapd.d, [bsd] /usr/local/etc/openldap/slapd.d) and if this does not exist will revert to use the default config file (slapd.conf). If a valid config directory exists then the config file is ignored. If dryrun mode (-u dryrun) is supported and specified (by most utilities but not by slapd), no conversion will occur.
-g disable subordinate gluing. Only the specified database will be processed, and not its glued subordinates (if any).
-l ldif-file Write LDIF to the specified file instead of standard output.
-n dbnum Generate output for the dbnum-th database listed in the configuration file. The -n cannot be used in conjunction with the -b option.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)
-q enable quick (fewer integrity checks) mode. Does fewer consistency checks on the input data, and no consistency checks when writing the database. Improves the load time but if any errors or interruptions occur the resulting database will be unusable.
-s subtree-dn Only dump entries in the subtree specified by this DN. Implies `-b subtree-dn' if no -b or -n option is given.
-v enable verbose mode.


slapd

Updated to 2.4+. slapd is the standalone OpenLDAP daemon. It is normally initiated via a script ([fc] /etc/rc.d/init.d/slapd or [fbsd] /usr/local/rc.d/slapd with stop|start|restart). slapd is normally installed in [fc] /usr/lib/slapd or [fbsd] /usr/local/libexec/slapd. The following are arguments that control the operation of the daemon.

slapd [-[4|6]] [-c cookie] [-d debug-level] [-f slapd-config-file]
      [-F slapd-config-directory] [-g group] [-h URLs] 
      [-l syslog-local-user] [-n service-name] [-s syslog-level]
      [-r directory] [-T {acl|add|auth|cat|dn|index|passwd|test}]
      [-u user]  
Arg Description
-4|6 Specifies that only IPv4 (4) or IPv6 (6) interfaces will be listened on. The default is to listen on all network interfaces for the standard ldap (389) and ldaps (636) ports on all supported protocols.
-c cookie The -c option allows replication to be forced from a user defined point, by forcing a defined SyncCookie value to be sent on opening the synchronization connection, as opposed to the default behavior which is to read the last stored SyncCookie value from the underlying database on load. The cookie is a comma separated list of name=value pairs. Currently supported cookie name values are rid and csn. rid identifies the syncrepl directive in slapd.conf by matching the rid parameter. csn is a commit sequence number which normally is the last value received from the provider.
-d debug-level Turn on debugging as defined by debug-level. debug-level is a number and takes the same values as defined for the loglevel directive of slapd.conf. Thus -d -1 will turn on the maximum diagnostics. When slapd is invoked from a command line it normally forks from the console/tty that initiated the command. When the -d argument is used - even with a value of 0 - slapd will not fork or disassociate from the invoking terminal, thus error messages are always output directly to the terminal/console/tty, making this feature invaluable especially for debugging load problems. To allow forking from the terminal/console/tty but to change the loglevel use the -s argument. The -d argument overrides any configured olcLogLevel/loglevel values including post load updating of olcLogLevel using OLC (cn=config).
-f slapd.conf Defines the location of slapd.conf. The default locations/names are [fc] /etc/openldap/slapd.conf or [bsd] /usr/local/etc/openldap/slapd.conf.
-F confdir Defines the configuration directory for use with cn=config. If both -f and -F are specified, the config file (defined by -f) will be read and converted to cn=config directory format and written to the directory specified by the -F argument. If neither the -f nor -F option is specified, OpenLDAP will first attempt to read the default configuration directory ([fc] /etc/openldap/slapd.d, [bsd] /usr/local/etc/openldap/slapd.d) and if this does not exist will revert to use the default config file (slapd.conf). If a valid config directory exists then the config file is ignored. If dryrun mode (-u dryrun) is supported and specified (by most utilities but not by slapd), no conversion will occur.
-g group Specifies the group name or ID under which OpenLDAP will run. By default on most systems this will be group ldap. OpenLDAP loads as root in order to allocate its privileged ports (389 and 636), verifies that the slapd.conf has the correct privilege levels (changing them as necessary) and then drops down to use the defined group and optional user (-u user) accounts. If the -r argument is specified then the group file ([fc &] /etc/group) must lie within the defined directory structure.
-h URLs Defines the IP addresses and ports that will be used when OpenLDAP initializes its socket binds and listen requests. By default this is only port 389 on all supported network interfaces (IPv4 and/or IPv6) and equates to -h ldap:///. The -4 and -6 arguments can be used to force listens only on the IPv4 or IPv6 interfaces if dual-stack configurations are present. The -h argument replaces the default allocations for ldap URLs and may be used to force listens on ldaps port(s). The -h argument takes one or more space separated URLs. If more than one URL is present they must be enclosed in double quotes ("). The generic URL format is scheme://[host[:port]]/, where host may be an IP address (IPv4 or IPv6) or a host name. An IPv6 address must be enclosed in square brackets ([]). The form 0.0.0.0 will bind to IPv4 addresses only on all interfaces and the equivalent IPv6 version is [::]. If no port number is specified then ldap scheme URLs will bind to port 389 and ldaps scheme URLs will bind to port 636. Multiple instances of the same protocol may be defined if support for multiple port numbers is required. Examples:
# bind only on IPv4 - default port 389 - all interfaces
slapd -h ldap://0.0.0.0/
# functionally equivalent to
slapd -4
# bind only on IPv6 - default port 389 - all interfaces
slapd -h ldap://[::]/
# functionally equivalent to
slapd -6

# bind for IPv4 and IPv6 on port 2000 only
slapd -h ldap://:2000/
# bind for IPv4 and IPv6 on port 389 and 2000
slapd -h "ldap:/// ldap://:2000/"
# bind for IPv4 and IPv6 on port 389 and IPv4 only on port 2000
slapd -h "ldap:/// ldap://0.0.0.0:2000/"

# bind on IPv4 and IPv6 - default port 636 only - all interfaces
slapd -h ldaps:///

# bind on IPv4 and IPv6 - default ports 389 and 636 - all interfaces
slapd -h "ldap:/// ldaps:///"
# bind on IPv4 and IPv6 - default port 389 
# and ldaps (IPv6 only) port 2001 - all interfaces
slapd -h "ldap:/// ldaps://[::]:2001/"
-l syslog-local-user By default OpenLDAP logs using the syslogd daemon with a local user value of local4. This argument allows a different local user to be used, which must be either user, daemon or lie in the range local0 - local7. Examples:
slapd -l local5

# to stream syslog for local5
# edit /etc/syslog.conf
local5.* /var/log/ldap.log

# then restart syslogd
[fc] /etc/init.d/syslog restart
[bsd]killall -HUP syslogd
-n service-name Specifies the openldap daemon service name for logging and other purposes. Defaults to argv[0], that is, slapd. If, for instance, it is required or simpler to have all logging under ldap then use -n ldap.
-r directory Runs slapd in chroot mode using the defined directory as the chroot base. This is done after opening listeners and verifying permissions on configuration files or directories but before reading the configuration file/directory or initializing any backend. It should be used in conjunction with the -u and -g options. All files and directories used by OpenLDAP in this mode will have directory prepended to the defined path before trying to access requested files such as database, logging and all other operational files. It should be noted that the chroot request is issued before OpenLDAP drops down to the defined user and group, thus the chroot directory must include copies of the security files containing passwords/shadow passwords and groups (see -u and -g argument descriptions).
-s syslog-level Defines the debug level used via syslogd. It replaces value of the loglevel directive in slapd.conf (or adds if not present). Unlike the -d argument -s allows the slapd daemon to fork from the terminal after load.
-T {a|c|d|i|p|t|acl|auth} Run in Tool mode. The additional argument selects whether to run as (in the order given in the argument list) slapadd, slapcat, slapdn, slapindex, slappasswd, slaptest, slapacl or slapauth. This option must be the first option specified and any further options will be interpreted by the corresponding slap tool program. This option is provided only for situations where symbolic links are not provided or not usable.
-u user Specifies the user name or ID under which OpenLDAP will run. By default on most systems this will be user ldap. OpenLDAP loads as root in order to allocate its privileged ports (389 and 636), verifies that the slapd.conf has the correct privilege levels (changing them as necessary) and then drops down to use the defined user and optional group (-g group) accounts. If the -r argument is specified then the password/shadow files/databases ([fc] /etc/passwd, /etc/shadow [bsd] /etc/passwd, /etc/master.passwd, /etc/pwd.db and /etc/spwd.db) must lie within the defined directory structure.


slapdn

One Day Real Soon Now™


slapindex

Updated to 2.4+. STOP SLAPD BEFORE RUNNING. Slapindex is used to regenerate LDAP indices based upon the current contents of a database. It opens the given database determined by the database number or suffix and updates the indices for all values of all attributes of all entries using the slapd.conf.

slapindex  [-b  suffix] [-c] [-d level] [-f slapd.conf] 
           [-F confdir] [-g] [-n dbnum] [-o name[=value]]
           [-q] [-t] [-v] [attr] [...]
Arg Description
-b suffix Use the specified suffix to determine which database to generate output for. The -b cannot be used in conjunction with the -n option.
-c enable continue (ignore errors) mode.
-d level enable debugging messages as defined by the specified level.
-f slapd.conf Defines the location of slapd.conf. The default locations/names are [fc] /etc/openldap/slapd.conf or [bsd] /usr/local/etc/openldap/slapd.conf.
-F confdir Defines the configuration directory for use with cn=config. If both -f and -F are specified, the config file (defined by -f) will be read and converted to cn=config directory format and written to the directory specified by the -F argument. If neither the -f nor -F option is specified, OpenLDAP will first attempt to read the default configuration directory ([fc] /etc/openldap/slapd.d, [bsd] /usr/local/etc/openldap/slapd.d) and if this does not exist will revert to use the default config file (slapd.conf). If a valid config directory exists then the config file is ignored. If dryrun mode (-u dryrun) is supported and specified (by most utilities but not by slapd), no conversion will occur.
-g disable subordinate gluing. Only the specified database will be processed, and not its glued subordinates (if any).
-n dbnum Generate output for the dbnum-th database listed in the configuration file. The -n cannot be used in conjunction with the -b option.
-o name[=value] Specify a slapd option with an optional value. Examples are:
syslog=subsystems  (`-s' in slapd)
syslog-user=user   (`-l' in slapd)
-q enable quick (fewer integrity checks) mode. Does fewer consistency checks on the input data, and no consistency checks when writing the database. Improves the load time but if any errors or interruptions occur the resulting database will be unusable.
-t enable truncate mode. Truncates (empties) an index database before indexing any entries. May only be used with Quick mode (-q).
-v enable verbose mode.
attr The index is normally built from the slapd.conf file but one or more attributes may be specified on the command line.


slappasswd

Slappasswd is used to generate password strings - using a variety of algorithms - that can be used in files such as slapd.conf or LDIFs (for population of userPassword or authPassword attributes). This utility may be used to create the rootpw value. See examples below for how to add the password to the file.

slappasswd  [-v] [-u] [-s secret|-T file] [-h hash] [-c salt-format]
Arg Description
-c salt-format Defines the format of the salt used when generating {CRYPT} (DES) passwords. This string is in quoted sprintf format and may include one (and only one) %s conversion. This conversion will be substituted with a string of random characters from the set [A-Za-z0-9./]. For example, "%.2s" provides a two character salt and "$1$%.8s" tells some versions of crypt(3) to use an MD5 algorithm and provides 8 random characters of salt. The default is "%s", which provides 31 characters of salt. For more information check the crypt man page for your platform.
-h hash

If -h is not specified it defaults to {SSHA}, suitable for use with userPassword (and authPassword). If -h is specified, it may take one of the following RFC 2307 scheme values: {CRYPT}, {MD5}, {SMD5}, {SSHA}, {SHA} and {CLEARTEXT}. Note: The enclosing braces (curly brackets {}) may need to be escaped depending on the shell being used.

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.

{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.

{CRYPT} uses the crypt(3) library to generate DES strings.

{CLEARTEXT} indicates that clear text will be used (no encoding of the user password will occur - pretty useful stuff).

-s secret The secret to hash or encode using the defined hash algorithm (-h). Options -s and -T are mutually incompatible. If neither -s nor -T is supplied the utility will prompt (twice) for the secret to be hashed; this is significantly safer than specifying the secret using the -s option and safer than using the -T option.
-T /path/to/file Use the entire contents of the file defined by /path/to/file as the secret to hash or encode using the defined hash algorithm (-h). Options -s and -T are mutually incompatible. If neither -s nor -T is supplied the utility will prompt (twice) for the secret to be hashed; this is significantly safer than specifying the secret using the -s option and safer than using the -T option.
-u Generate RFC 2307 userPassword attribute values (the default) used in many ObjectClasses such as inetOrgPerson, organization, organizationalUnit. Future versions may generate alternative syntaxes by default and this option is provided for forward compatibility.
-v enable verbose mode.

slappasswd Examples

Generate an SSHA password suitable for use as rootpw (in slapd.conf) or for use in a LDIF file for userPassword or authPassword attributes.

# no options required
slappasswd

# prompts twice for password string and then outputs 
{SSHA}kjhfhfehflejhfvlldkl

# save to a file using normal re-direction
slappasswd > /tmp/slappassword

# generate {SSHA} encoding of password secret
slappasswd -s secret

# generate {MD5} encoding of password secret
slappasswd -s secret -h {MD5}

To place the output in LDIF or slapd.conf, save it to a file and copy and paste into the relevant file if GUI editing tools are being used. If vi is being used, navigate to the location in the file where the password is to be inserted, then use :r !slappasswd [opts] - this runs the command and inserts its standard output into the file being edited, below the current line. Alternatively save the output of slappasswd to a file, navigate to the insert location in vi and execute :r /path/to/file - this inserts the file contents below the current line.
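The RFC 2307 values described above, as an added Python example (not slappasswd's own code): make_hash produces {SSHA}, {SMD5}, {SHA}, {MD5}, {CRYPT} and {CLEARTEXT} strings, verify checks a secret against a stored value, and scheme_of is a quick way to spot unsalted or cleartext values in an LDIF. The 4-byte salt is an assumption of this example; verify accepts whatever salt follows the digest, so values produced with another salt length verify as well.

```python
import base64
import hashlib
import hmac
import os
import re

try:
    import crypt                    # crypt(3) wrapper; removed in Python 3.13
except ImportError:
    crypt = None

SALTED = {"SSHA": "sha1", "SMD5": "md5"}    # base64(digest(secret + salt) + salt)
UNSALTED = {"SHA": "sha1", "MD5": "md5"}    # base64(digest(secret))
SALT_SIZE = 4   # bytes appended by this example (an assumption, not read from slappasswd)

def make_hash(secret, scheme="SSHA", salt=None):
    """Return an RFC 2307 value such as '{SSHA}' + base64(sha1(secret+salt) + salt).
    scheme is given without braces; the default matches slappasswd's default.
    A fixed salt may be passed for reproducible output (e.g. in tests)."""
    scheme = scheme.upper()
    data = secret.encode("utf-8")
    if scheme == "CLEARTEXT":
        return "{CLEARTEXT}" + secret
    if scheme in UNSALTED:
        digest = hashlib.new(UNSALTED[scheme], data).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    if scheme in SALTED:
        salt = os.urandom(SALT_SIZE) if salt is None else salt
        digest = hashlib.new(SALTED[scheme], data + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python")
        return "{CRYPT}" + crypt.crypt(secret, crypt.mksalt())
    raise ValueError("unsupported scheme " + scheme)

def scheme_of(stored):
    """Scheme name in upper case; an unprefixed value is treated as cleartext."""
    m = re.match(r"^\{([A-Za-z0-9]+)\}", stored)
    return m.group(1).upper() if m else "CLEARTEXT"

def verify(secret, stored):
    """True if secret matches the stored value. For salted schemes the salt is
    whatever follows the fixed-size digest. All comparisons go through
    hmac.compare_digest so the check does not leak timing information."""
    m = re.match(r"^\{([A-Za-z0-9]+)\}(.*)$", stored, re.S)
    data = secret.encode("utf-8")
    if m is None:                           # no scheme prefix: compare as cleartext
        return hmac.compare_digest(stored.encode("utf-8"), data)
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(rest.encode("utf-8"), data)
    if scheme == "CRYPT":
        return crypt is not None and hmac.compare_digest(crypt.crypt(secret, rest), rest)
    try:
        raw = base64.b64decode(rest, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return False
    if scheme in UNSALTED:
        return hmac.compare_digest(hashlib.new(UNSALTED[scheme], data).digest(), raw)
    if scheme in SALTED:
        n = hashlib.new(SALTED[scheme]).digest_size
        digest, salt = raw[:n], raw[n:]
        return hmac.compare_digest(hashlib.new(SALTED[scheme], data + salt).digest(), digest)
    return False                            # unknown scheme never matches

if __name__ == "__main__":
    for s in ("SSHA", "SMD5", "SHA", "MD5", "CLEARTEXT"):
        print(make_hash("secret", s))
```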


slaptest

Slaptest can be used to verify the slapd.conf configuration file, convert the slapd.conf file to OLC (cn=config) and convert .schema files into .ldif files for use with OLC (cn=config) configurations. It opens the defined configuration file, checks directive syntax including backend-specific and overlay directives and displays the results. The utility by default opens the database but the -u flag can be used to inhibit this check. The utility is the preferred method of converting from slapd.conf to OLC cn=config style configurations (see examples) though any utility, for instance slapadd, which supports both the -f and -F flags can be used for this purpose.

slaptest  [-d  level] [-f slapd.conf] [-F confdir] 
          [-n dbnum] [-o name[=value]] [-Q] [-u] [-v]
Arg Description
-d level Enable debugging messages as defined by the specified level.
-f slapd.conf Defines the location of slapd.conf. The default locations/names are [fc] /etc/openldap/slapd.conf or [bsd] /usr/local/etc/openldap/slapd.conf.
-F confdir Defines the configuration directory for use with cn=config. If both -f and -F are specified, the config file (defined by -f) will be read and converted to cn=config directory format and written to the directory specified by the -F argument. If neither the -f nor -F option is specified, OpenLDAP will first attempt to read the default configuration directory ([fc] /etc/openldap/slapd.d, [bsd] /usr/local/etc/openldap/slapd.d) and if this does not exist will revert to use the default config file (slapd.conf). If a valid config directory exists then the config file is ignored. If dryrun mode (-u dryrun) is supported and specified (by most utilities but not by slapd), no conversion will occur.
-n dbnum Perform normal syntax checking on the whole slapd.conf file (including database and overlay directives) but only test database presence and integrity for dbnum. Databases are numbered sequentially from 0 as they are defined in the slapd.conf file, so to test the database defined in the second database section use -n 1.
-o name[=value] Specify a slapd option/flag with an optional value. Examples are:
syslog=subsystems  (equivalent to using `-s' in slapd)
syslog-user=user   (equivalent to using `-l' in slapd)
-Q Quiet mode. Only the final exit code indicating success (0) or failure is displayed.
-u Verify/validate configuration (slapd.conf or slapd.d - see -f and -F arguments) only. By default the utility will check the presence and integrity of the defined database(s) section(s). This flag inhibits such checks. To check only a single database use the -n flag. Use of this flag also inhibits conversion of a slapd.conf file to cn=config when both -f and -F flags are used. Effectively the utility verifies only when this flag is used.
-v Verbose mode. Output all failures.

Examples

Simple verification of slapd.conf (or slapd.d if present) in the normal location - inhibits all database(s) presence and integrity checks.

slaptest -u

Full verification of slapd.conf (or slapd.d if present) and database(s) with verbose messages:

slaptest -v

Full verification of configuration file (slapd.conf.test) and any database(s) with verbose messages:

slaptest -f slapd.conf.test -v

Full verification of slapd.conf or cn=config and check only the presence and integrity of database 0 (which will be cn=config database definition if present) with verbose messages:

slaptest -n 0 -v

Convert slapd.conf to cn=config in the normal slapd.d location:

[fc]slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -u
[bsd]slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d -u

Convert a .schema file into a .ldif file capable of being loaded using OLC (cn=config):

This is a messy, but straightforward process, which is described in gruesome detail.




Copyright © 1994 - 2025 ZyTrax, Inc.
All rights reserved. Legal and Privacy
Page modified: January 20 2022.