Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
LDAPEXOP(1)		    General Commands Manual		   LDAPEXOP(1)

       ldapexop	- issue	LDAP extended operations

       ldapexop	 [-V[V]]  [-d debuglevel] [-n] [-v] [-f	file] [-x] [-D binddn]
       [-W] [-w	passwd]	[-y passwdfile]	[-H URI]  [-h ldaphost]	 [-p ldapport]
       [-e [!]ext[=extparam]]	[-o opt[=optparam]]   [-O security-properties]
       [-I] [-Q] [-N] [-U authcid] [-R realm] [-X authzid]  [-Y	mech]  [-Z[Z]]
       {oid  |	oid:data  |  oid::b64data  |  whoami  |	cancel cancel-id | re-
       fresh DN	[ttl]}

       ldapexop	issues the LDAP	extended operation specified by	oid or one  of
       the special keywords whoami, cancel, or refresh.

       Additional  data	for the	extended operation can be passed to the	server
       using data or base-64 encoded as	b64data	in the case of oid,  or	 using
       the  additional	parameters in the case of the specially	named extended
       operations above.

       Please note that	ldapexop behaves differently for the same extended op-
       eration when it was given as an OID or as a specialliy named operation:

       Calling	ldapexop with the OID of the whoami (RFC 4532) extended	opera-

	 ldapexop [<options>]


	 # extended operation response
	 data::	<base64	encoded	response data>

       while calling it	with the keyword whoami

	 ldapexop [<options>] whoami

       results in

	 dn:<client's identity>

       -V[V]  Print version info.  If-VV is given, only	the  version  informa-
	      tion is printed.

       -d debuglevel
	      Set the LDAP debugging level to debuglevel.

       -n     Show  what  would	 be done but don't actually do it.  Useful for
	      debugging	in conjunction with -v.

       -v     Run in verbose mode, with	many diagnostics written  to  standard

       -f file
	      Read operations from file.

       -x     Use simple authentication	instead	of SASL.

       -D binddn
	      Use the Distinguished Name binddn	to bind	to the LDAP directory.

       -W     Prompt for simple	authentication.	 This is used instead of spec-
	      ifying the password on the command line.

       -w passwd
	      Use passwd as the	password for simple authentication.

       -y passwdfile
	      Use complete contents of passwdfile as the password  for	simple

       -H URI Specify  URI(s) referring	to the ldap server(s); only the	proto-
	      col/host/port fields are allowed;	a list of  URI,	 separated  by
	      whitespace or commas is expected.

       -h ldaphost
	      Specify  the  host  on which the ldap server is running.	Depre-
	      cated in favor of	-H.

       -p ldapport
	      Specify the TCP port where the ldap server is listening.	Depre-
	      cated in favor of	-H.

       -e [!]ext[=extparam]
	      Specify general extensions.  '!' indicates criticality.
		[!]assert=<filter>    (an RFC 4515 Filter)
		!authzid=<authzid>    ("dn:<dn>" or "u:<user>")
		[!]bauthzid	      (RFC 3829	authzid	control)
		[!]postread[=<attrs>] (a comma-separated attribute list)
		[!]preread[=<attrs>]  (a comma-separated attribute list)
		abandon,cancel,ignore (SIGINT sends abandon/cancel,
		or ignores response; if	critical, doesn't wait for SIGINT.
		not really controls)

       -o opt[=optparam]

	      Specify general options.

	      General options:
		nettimeout=<timeout>  (in seconds, or "none" or	"max")
		ldif-wrap=<width>     (in columns, or "no" for no wrapping)

       -O security-properties
	      Specify SASL security properties.

       -I     Enable  SASL  Interactive	 mode.	 Always	prompt.	 Default is to
	      prompt only as needed.

       -Q     Enable SASL Quiet	mode.  Never prompt.

       -N     Do not use reverse DNS to	canonicalize SASL host name.

       -U authcid
	      Specify the authentication ID for	SASL bind. The form of the  ID
	      depends on the actual SASL mechanism used.

       -R realm
	      Specify  the  realm of authentication ID for SASL	bind. The form
	      of the realm depends on the actual SASL mechanism	used.

       -X authzid
	      Specify the requested authorization ID for SASL  bind.   authzid
	      must be one of the following formats: dn:_distinguished name_ or

       -Y mech
	      Specify the SASL mechanism to be used for	authentication.	 With-
	      out  this	option,	the program will choose	the best mechanism the
	      server knows.

       -Z[Z]  Issue StartTLS (Transport	Layer  Security)  extended  operation.
	      Giving  it twice (-ZZ) will require the operation	to be success-

       Exit status is zero if no errors	occur.	Errors result  in  a  non-zero
       exit status and a diagnostic message being written to standard error.


       This manual page	was written by Peter Marschall based on	ldapexop's us-
       age message and a few tests with	ldapexop.  Do not expect it to be com-
       plete or	absolutely correct.

       OpenLDAP	 Software  is developed	and maintained by The OpenLDAP Project
       <>.  OpenLDAP Software is derived from the Uni-
       versity of Michigan LDAP	3.3 Release.



Want to link to this manual page? Use this URL:

home | help