diff options
Diffstat (limited to 'doc/man/man1')
-rw-r--r-- | doc/man/man1/Makefile.in | 16 | ||||
-rw-r--r-- | doc/man/man1/ldapcompare.1 | 241 | ||||
-rw-r--r-- | doc/man/man1/ldapdelete.1 | 252 | ||||
-rw-r--r-- | doc/man/man1/ldapexop.1 | 242 | ||||
-rw-r--r-- | doc/man/man1/ldapmodify.1 | 390 | ||||
-rw-r--r-- | doc/man/man1/ldapmodify.1.links | 1 | ||||
-rw-r--r-- | doc/man/man1/ldapmodrdn.1 | 268 | ||||
-rw-r--r-- | doc/man/man1/ldappasswd.1 | 231 | ||||
-rw-r--r-- | doc/man/man1/ldapsearch.1 | 495 | ||||
-rw-r--r-- | doc/man/man1/ldapurl.1 | 168 | ||||
-rw-r--r-- | doc/man/man1/ldapvc.1 | 213 | ||||
-rw-r--r-- | doc/man/man1/ldapwhoami.1 | 194 |
12 files changed, 2711 insertions, 0 deletions
diff --git a/doc/man/man1/Makefile.in b/doc/man/man1/Makefile.in new file mode 100644 index 0000000..c051765 --- /dev/null +++ b/doc/man/man1/Makefile.in @@ -0,0 +1,16 @@ +# man1 Makefile.in for OpenLDAP +# $OpenLDAP$ +## This work is part of OpenLDAP Software <http://www.openldap.org/>. +## +## Copyright 1998-2022 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## <http://www.OpenLDAP.org/license.html>. + +MANSECT=1 diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1 new file mode 100644 index 0000000..b15b0c4 --- /dev/null +++ b/doc/man/man1/ldapcompare.1 @@ -0,0 +1,241 @@ +.TH LDAPCOMPARE 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapcompare \- LDAP compare tool +.SH SYNOPSIS +.B ldapcompare +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-z ] +[\c +.BR \-M [ M ]] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-P \ { 2 \||\| 3 }] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +.IR DN +{\c +.BI attr: value +| +.BI attr:: b64value\fR} +.SH DESCRIPTION +.I ldapcompare +is a shell-accessible interface to the +.BR ldap_compare_ext (3) +library call. +.LP +.B ldapcompare +opens a connection to an LDAP server, binds, and performs a compare +using specified parameters. The \fIDN\fP should be a distinguished +name in the directory. \fIAttr\fP should be a known attribute. If +followed by one colon, the assertion \fIvalue\fP should be provided +as a string. If followed by two colons, the base64 encoding of the +value is provided. The result code of the compare is provided as +the exit code and, unless ran with \fB\-z\fP, the program prints +TRUE, FALSE, or UNDEFINED on standard output. +.LP +.SH OPTIONS +.TP +.BR \-V [ V ] +Print version info. +If \fB\-VV\fP is given, only the version information is printed. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldapcompare +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-n +Show what would be done, but don't actually perform the compare. Useful for +debugging in conjunction with \fB\-v\fP. +.TP +.B \-v +Run in verbose mode, with many diagnostics written to standard output. +.TP +.B \-z +Run in quiet mode, no output is written. You must check the return +status. Useful in shell scripts. +.TP +.BR \-M [ M ] +Enable manage DSA IT control. +.B \-MM +makes control critical. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +For SASL binds, the server is expected to ignore this value. +.TP +.B \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password for simple authentication. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +Note that \fIcomplete\fP means that any leading or trailing whitespaces, +including newlines, will be considered part of the password and, +unlike other software, they will not be stripped. +As a consequence, passwords stored in files by commands like +.BR echo (1) +will not behave as expected, since +.BR echo (1) +by default appends a trailing newline to the echoed string. +The recommended portable way to store a cleartext password in a file +for use with this option is to use +.BR slappasswd (8) +with \fI{CLEARTEXT}\fP as hash and the option \fB\-n\fP. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s); only the protocol/host/port +fields are allowed; a list of URI, separated by whitespace or commas +is expected. +.TP +.BR \-P \ { 2 \||\| 3 } +Specify the LDAP protocol version to use. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP and compare extensions with \fB\-E\fP. +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi + +Compare extensions: +.nf + !dontUseCopy +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username> +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. If you use +\fB\-ZZ\fP, the command will require the operation to be successful. +.SH EXAMPLES +.nf + ldapcompare "uid=babs,dc=example,dc=com" sn:Jensen + ldapcompare "uid=babs,dc=example,dc=com" sn::SmVuc2Vu +.fi +are all equivalent. +.SH LIMITATIONS +Requiring the value be passed on the command line is limiting +and introduces some security concerns. The command should support +a mechanism to specify the location (file name or URL) to read +the value from. +.SH "SEE ALSO" +.BR ldap.conf (5), +.BR ldif (5), +.BR ldap (3), +.BR ldap_compare_ext (3) +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1 new file mode 100644 index 0000000..e12cc56 --- /dev/null +++ b/doc/man/man1/ldapdelete.1 @@ -0,0 +1,252 @@ +.TH LDAPDELETE 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapdelete \- LDAP delete entry tool +.SH SYNOPSIS +.B ldapdelete +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-c ] +[\c +.BI \-f \ file\fR] +[\c +.BR \-r ] +[\c +.BI \-z \ sizelimit\fR] +[\c +.BR \-M [ M ]] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-P \ { 2 \||\| 3 }] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +[\c +.IR DN \ [ ... ]] +.SH DESCRIPTION +.I ldapdelete +is a shell-accessible interface to the +.BR ldap_delete_ext (3) +library call. +.LP +.B ldapdelete +opens a connection to an LDAP server, binds, and deletes one or more +entries. If one or more \fIDN\fP arguments are provided, entries with +those Distinguished Names are deleted. Each \fIDN\fP should be provided +using the LDAPv3 string representation as defined in RFC 4514. +If no \fIDN\fP arguments +are provided, a list of DNs is read from standard input (or from +\fIfile\fP if the \fB\-f\fP flag is used). +.SH OPTIONS +.TP +.BR \-V [ V ] +Print version info. +If \fB\-VV\fP is given, only the version information is printed. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldapdelete +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-n +Show what would be done, but don't actually delete entries. Useful for +debugging in conjunction with \fB\-v\fP. +.TP +.B \-v +Use verbose mode, with many diagnostics written to standard output. +.TP +.B \-c +Continuous operation mode. Errors are reported, but +.B ldapdelete +will continue with deletions. The default is to exit after +reporting an error. +.TP +.BI \-f \ file +Read a series of DNs from \fIfile\fP, one per line, performing an +LDAP delete for each. +.TP +.B \-r +Do a recursive delete. If the DN specified isn't a leaf, its +children, and all their children are deleted down the tree. No +verification is done, so if you add this switch, ldapdelete will +happily delete large portions of your tree. Use with care. +.TP +.BI \-z \ sizelimit +Use \fIsizelimit\fP when searching for children DN to delete, +to circumvent any server-side size limit. Only useful in conjunction +with \fB\-r\fP. +.TP +.BR \-M [ M ] +Enable manage DSA IT control. +.B \-MM +makes control critical. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +For SASL binds, the server is expected to ignore this value. +.TP +.B \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password for simple authentication. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s); only the protocol/host/port +fields are allowed; a list of URI, separated by whitespace or commas +is expected. +.TP +.BR \-P \ { 2 \||\| 3 } +Specify the LDAP protocol version to use. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP and delete extensions with \fB\-E\fP. +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi + +Delete extensions: +.nf + (none) +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the identity depends on the +actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username> +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. If you use +\fB\-ZZ\fP, the command will require the operation to be successful. +.SH EXAMPLE +The following command: +.LP +.nf + ldapdelete "cn=Delete Me,dc=example,dc=com" +.fi +.LP +will attempt to delete the entry named "cn=Delete Me,dc=example,dc=com". +Of course it would probably be necessary to supply authentication +credentials. +.SH DIAGNOSTICS +Exit status is 0 if no errors occur. Errors result in a non-zero exit +status and a diagnostic message being written to standard error. +.SH "SEE ALSO" +.BR ldap.conf (5), +.BR ldapadd (1), +.BR ldapmodify (1), +.BR ldapmodrdn (1), +.BR ldapsearch (1), +.BR ldap (3), +.BR ldap_delete_ext (3) +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1 new file mode 100644 index 0000000..2040c3e --- /dev/null +++ b/doc/man/man1/ldapexop.1 @@ -0,0 +1,242 @@ +.\" $OpenLDAP$ +.\" This contribution is derived from OpenLDAP Software. +.\" All of the modifications to OpenLDAP Software represented in this +.\" contribution were developed by Peter Marschall <peter@adpm.de>. +.\" I have not assigned rights and/or interest in this work to any party. +.\" +.\" Copyright 2009 Peter Marschall +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted only as authorized by the OpenLDAP Public License. +.\" +.\" A copy of this license is available in file LICENSE in the +.\" top-level directory of the distribution or, alternatively, at +.\" http://www.OpenLDAP.org/license.html. + +.TH LDAPEXOP 1 + +.SH NAME +ldapexop \- issue LDAP extended operations + +.SH SYNOPSIS +ldapexop +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BI \-f \ file\fR] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ URI\fR] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +{\c +.I oid +| +.BI oid: data +| +.BI oid:: b64data +| +.B whoami +| +.BI cancel \ cancel-id +| +.BI refresh \ DN \ \fR[\fIttl\fR]} + +.SH DESCRIPTION +ldapexop issues the LDAP extended operation specified by \fBoid\fP +or one of the special keywords \fBwhoami\fP, \fBcancel\fP, or \fBrefresh\fP. + +Additional data for the extended operation can be passed to the server using +\fIdata\fP or base-64 encoded as \fIb64data\fP in the case of \fBoid\fP, +or using the additional parameters in the case of the specially named extended +operations above. + +Please note that ldapexop behaves differently for the same extended operation +when it was given as an OID or as a specially named operation: + +Calling ldapexop with the OID of the \fBwhoami\fP (RFC 4532) extended operation +.nf + + ldapexop [<options>] 1.3.6.1.4.1.4203.1.11.3 + +.fi +yields +.nf + + # extended operation response + data:: <base64 encoded response data> + +.fi +while calling it with the keyword \fBwhoami\fP +.nf + + ldapexop [<options>] whoami + +.fi +results in +.nf + + dn:<client's identity> + +.fi + + +.SH OPTIONS +.TP +.BI \-V [ V ] +Print version info. +If\fB\-VV\fP is given, only the version information is printed. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.TP +.BI \-n +Show what would be done but don't actually do it. +Useful for debugging in conjunction with \fB\-v\fP. +.TP +.BI \-v +Run in verbose mode, with many diagnostics written to standard output. +.TP +.BI \-f \ file +Read operations from \fIfile\fP. +.TP +.BI \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +.TP +.BI \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password for simple authentication. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +.TP +.BI \-H \ URI +Specify URI(s) referring to the ldap server(s); only the protocol/host/port +fields are allowed; a list of URI, separated by whitespace or commas +is expected. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +Specify general extensions. \'!\' indicates criticality. +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.BI \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.BI \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username> +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. +Without this option, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. +Giving it twice (\fB\-ZZ\fP) will require the operation to be successful. + +.SH DIAGNOSTICS +Exit status is zero if no errors occur. +Errors result in a non-zero exit status and +a diagnostic message being written to standard error. + +.SH "SEE ALSO" +.BR ldap_extended_operation_s (3) + +.SH AUTHOR +This manual page was written by Peter Marschall +based on \fBldapexop\fP's usage message and a few tests +with \fBldapexop\fP. +Do not expect it to be complete or absolutely correct. + +.SH ACKNOWLEDGEMENTS +.so ../Project + diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 new file mode 100644 index 0000000..1104e9f --- /dev/null +++ b/doc/man/man1/ldapmodify.1 @@ -0,0 +1,390 @@ +.TH LDAPMODIFY 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools +.SH SYNOPSIS +.B ldapmodify +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-a ] +[\c +.BR \-c ] +[\c +.BI \-f \ file\fR] +[\c +.BI \-S \ file\fR] +[\c +.BR \-M [ M ]] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-P \ { 2 \||\| 3 }] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +.LP +.B ldapadd +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-c ] +[\c +.BI \-f \ file\fR] +[\c +.BI \-S \ file\fR] +[\c +.BR \-M [ M ]] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-P \ { 2 \||\| 3 }] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +.SH DESCRIPTION +.B ldapmodify +is a shell-accessible interface to the +.BR ldap_add_ext (3), +.BR ldap_modify_ext (3), +.BR ldap_delete_ext (3) +and +.BR ldap_rename (3). +library calls. +.B ldapadd +is implemented as a hard link to the ldapmodify tool. When invoked as +.B ldapadd +the \fB\-a\fP (add new entry) flag is turned on automatically. +.LP +.B ldapmodify +opens a connection to an LDAP server, binds, and modifies or adds entries. +The entry information is read from standard input or from \fIfile\fP through +the use of the \fB\-f\fP option. +.SH OPTIONS +.TP +.BR \-V [ V ] +Print version info. +If \fB\-VV\fP is given, only the version information is printed. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldapmodify +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-n +Show what would be done, but don't actually modify entries. Useful for +debugging in conjunction with \fB\-v\fP. +.TP +.B \-v +Use verbose mode, with many diagnostics written to standard output. +.TP +.B \-a +Add new entries. The default for +.B ldapmodify +is to modify existing entries. If invoked as +.BR ldapadd , +this flag is always set. +.TP +.B \-c +Continuous operation mode. Errors are reported, but +.B ldapmodify +will continue with modifications. The default is to exit after +reporting an error. +.TP +.BI \-f \ file +Read the entry modification information from \fIfile\fP instead of from +standard input. +.TP +.BI \-S \ file +Add or change records which were skipped due to an error are written to \fIfile\fP +and the error message returned by the server is added as a comment. Most useful in +conjunction with \fB\-c\fP. +.TP +.BR \-M [ M ] +Enable manage DSA IT control. +.B \-MM +makes control critical. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +For SASL binds, the server is expected to ignore this value. +.TP +.B \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password for simple authentication. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s); only the protocol/host/port +fields are allowed; a list of URI, separated by whitespace or commas +is expected. +.TP +.BR \-P \ { 2 \||\| 3 } +Specify the LDAP protocol version to use. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP and modify extensions with \fB\-E\fP. +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi + +Modify extensions: +.nf + [!]txn[=abort|commit] +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR]] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username> +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. If you use +.B \-ZZ\c +, the command will require the operation to be successful. +.SH INPUT FORMAT +The contents of \fIfile\fP (or standard input if no \fB\-f\fP flag is given on +the command line) must conform to the format defined in +.BR ldif (5) +(LDIF as defined in RFC 2849). +.SH EXAMPLES +Assuming that the file +.B /tmp/entrymods +exists and has the contents: +.LP +.nf + dn: cn=Modify Me,dc=example,dc=com + changetype: modify + replace: mail + mail: modme@example.com + \- + add: title + title: Grand Poobah + \- + add: jpegPhoto + jpegPhoto:< file:///tmp/modme.jpeg + \- + delete: description + \- +.fi +.LP +the command: +.LP +.nf + ldapmodify \-f /tmp/entrymods +.fi +.LP +will replace the contents of the "Modify Me" entry's +.I mail +attribute with the value "modme@example.com", add a +.I title +of "Grand Poobah", and the contents of the file "/tmp/modme.jpeg" +as a +.IR jpegPhoto , +and completely remove the +.I description +attribute. +.LP +Assuming that the file +.B /tmp/newentry +exists and has the contents: +.LP +.nf + dn: cn=Barbara Jensen,dc=example,dc=com + objectClass: person + cn: Barbara Jensen + cn: Babs Jensen + sn: Jensen + title: the world's most famous mythical manager + mail: bjensen@example.com + uid: bjensen +.fi +.LP +the command: +.LP +.nf + ldapadd \-f /tmp/newentry +.fi +.LP +will add a new entry for Babs Jensen, using the values from the +file +.B /tmp/newentry. +.LP +Assuming that the file +.B /tmp/entrymods +exists and has the contents: +.LP +.nf + dn: cn=Barbara Jensen,dc=example,dc=com + changetype: delete +.fi +.LP +the command: +.LP +.nf + ldapmodify \-f /tmp/entrymods +.fi +.LP +will remove Babs Jensen's entry. +.SH DIAGNOSTICS +Exit status is zero if no errors occur. Errors result in a non-zero +exit status and a diagnostic message being written to standard error. +.SH "SEE ALSO" +.BR ldapadd (1), +.BR ldapdelete (1), +.BR ldapmodrdn (1), +.BR ldapsearch (1), +.BR ldap.conf (5), +.BR ldap (3), +.BR ldap_add_ext (3), +.BR ldap_delete_ext (3), +.BR ldap_modify_ext (3), +.BR ldap_modrdn_ext (3), +.BR ldif (5). +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man1/ldapmodify.1.links b/doc/man/man1/ldapmodify.1.links new file mode 100644 index 0000000..eb4fb76 --- /dev/null +++ b/doc/man/man1/ldapmodify.1.links @@ -0,0 +1 @@ +ldapadd.1 diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1 new file mode 100644 index 0000000..777c539 --- /dev/null +++ b/doc/man/man1/ldapmodrdn.1 @@ -0,0 +1,268 @@ +.TH LDAPMODRDN 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapmodrdn \- LDAP rename entry tool +.SH SYNOPSIS +.B ldapmodrdn +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-r ] +[\c +.BI \-s \ newsup\fR] +[\c +.BR \-c ] +[\c +.BI \-f \ file\fR] +[\c +.BR \-M [ M ]] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-P \ { 2 \||\| 3 }] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +[\c +.I dn rdn\fR] +.SH DESCRIPTION +.B ldapmodrdn +is a shell-accessible interface to the +.BR ldap_rename (3) +library call. +.LP +.B ldapmodrdn +opens a connection to an LDAP server, binds, and modifies the RDN of entries. +The entry information is read from standard input, from \fIfile\fP through +the use of the +.RI \- f +option, or from the command-line pair \fIdn\fP and +\fIrdn\fP. +.SH OPTIONS +.TP +.BR \-V [ V ] +Print version info. +If \fB\-VV\fP is given, only the version information is printed. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldapmodrdn +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-n +Show what would be done, but don't actually change entries. Useful for +debugging in conjunction with \fB\-v\fP. +.TP +.B \-v +Use verbose mode, with many diagnostics written to standard output. +.TP +.B \-r +Remove old RDN values from the entry. Default is to keep old values. +.TP +.BI \-s \ newsup +Specify a new superior entry. (I.e., move the target entry and make it a +child of the new superior.) This option is not supported in LDAPv2. +.TP +.B \-c +Continuous operation mode. Errors are reported, but ldapmodrdn +will continue with modifications. The default is to exit after +reporting an error. +.TP +.BI \-f \ file +Read the entry modification information from \fIfile\fP instead of from +standard input or the command-line. +.TP +.BR \-M [ M ] +Enable manage DSA IT control. +.B \-MM +makes control critical. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +For SASL binds, the server is expected to ignore this value. +.TP +.B \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password for simple authentication. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s); only the protocol/host/port +fields are allowed; a list of URI, separated by whitespace or commas +is expected. +.TP +.BR \-P \ { 2 \||\| 3 } +Specify the LDAP protocol version to use. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP and modrdn extensions with \fB\-E\fP. +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi + +Modrdn extensions: +.nf + (none) +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username> +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. If you use +\fB\-ZZ\fP, the command will require the operation to be successful. +.SH INPUT FORMAT +If the command-line arguments \fIdn\fP and \fIrdn\fP are given, \fIrdn\fP +will replace the RDN of the entry specified by the DN, \fIdn\fP. +.LP +Otherwise, the contents of \fIfile\fP (or standard input if +no \fB\-f\fP flag is given) should consist of one or more entries. +.LP +.nf + Distinguished Name (DN) + Relative Distinguished Name (RDN) +.fi +.LP +One or more blank lines may be used to separate each DN/RDN pair. +.SH EXAMPLE +Assuming that the file +.B /tmp/entrymods +exists and has the contents: +.LP +.nf + cn=Modify Me,dc=example,dc=com + cn=The New Me +.fi +.LP +the command: +.LP +.nf + ldapmodrdn \-r \-f /tmp/entrymods +.fi +.LP +will change the RDN of the "Modify Me" entry from "Modify Me" to +"The New Me" and the old cn, "Modify Me" will be removed. +.LP +.SH DIAGNOSTICS +Exit status is 0 if no errors occur. Errors result in a non-zero exit +status and a diagnostic message being written to standard error. +.SH "SEE ALSO" +.BR ldapadd (1), +.BR ldapdelete (1), +.BR ldapmodify (1), +.BR ldapsearch (1), +.BR ldap.conf (5), +.BR ldap (3), +.BR ldap_rename (3) +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1 new file mode 100644 index 0000000..d1aea0c --- /dev/null +++ b/doc/man/man1/ldappasswd.1 @@ -0,0 +1,231 @@ +.TH LDAPPASSWD 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldappasswd \- change the password of an LDAP entry +.SH SYNOPSIS +.B ldappasswd +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-A ] +[\c +.BI \-a \ oldPasswd\fR] +[\c +.BI \-t \ oldpasswdfile\fR] +[\c +.BR \-S ] +[\c +.BI \-s \ newPasswd\fR] +[\c +.BI \-T \ newpasswdfile\fR] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +[\c +.IR user ] +.SH DESCRIPTION +.B ldappasswd +is a tool to set the password of an LDAP user. +.B ldappasswd +uses the LDAPv3 Password Modify (RFC 3062) extended operation. +.LP +.B ldappasswd +sets the password of associated with the user [or an optionally +specified +.IR user ]. +If the new +password is not specified on the command line and the user +doesn't enable prompting, the server will be asked to generate +a password for the user. +.LP +.B ldappasswd +is neither designed nor intended to be a replacement for +.BR passwd (1) +and should not be installed as such. +.SH OPTIONS +.TP +.BR \-V [ V ] +Print version info. +If \fB\-VV\fP is given, only the version information is printed. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldappasswd +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-n +Do not set password. (Can be useful when used in conjunction with +\fB\-v\fP or \fB\-d\fP) +.TP +.B \-v +Increase the verbosity of output. Can be specified multiple times. +.TP +.BI \-A +Prompt for old password. +This is used instead of specifying the password on the command line. +.TP +.BI \-a \ oldPasswd +Set the old password to \fIoldPasswd\fP. +.TP +.BI \-t \ oldPasswdFile +Set the old password to the contents of \fIoldPasswdFile\fP. +.TP +.BI \-S +Prompt for new password. +This is used instead of specifying the password on the command line. +.TP +.BI \-s \ newPasswd +Set the new password to \fInewPasswd\fP. +.TP +.BI \-T \ newPasswdFile +Set the new password to the contents of \fInewPasswdFile\fP. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +For SASL binds, the server is expected to ignore this value. +.TP +.BI \-W +Prompt for bind password. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password to bind with. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s); only the protocol/host/port +fields are allowed; a list of URI, separated by whitespace or commas +is expected. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP and passwd modify extensions with \fB\-E\fP. +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi + +Passwd Modify extensions: +.nf + (none) +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR]] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username>\fP. +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. If you use +\fB\-ZZ\fP, the command will require the operation to be successful +.SH SEE ALSO +.BR ldap_sasl_bind (3), +.BR ldap_extended_operation (3), +.BR ldap_start_tls_s (3) +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 new file mode 100644 index 0000000..2aec7c5 --- /dev/null +++ b/doc/man/man1/ldapsearch.1 @@ -0,0 +1,495 @@ +.TH LDAPSEARCH 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapsearch \- LDAP search tool +.SH SYNOPSIS +.B ldapsearch +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-c ] +[\c +.BR \-u ] +[\c +.BR \-t [ t ]] +[\c +.BI \-T \ path\fR] +[\c +.BI \-F \ prefix\fR] +[\c +.BR \-A ] +[\c +.BR \-L [ L [ L ]]] +[\c +.BI \-S \ attribute\fR] +[\c +.BI \-b \ searchbase\fR] +[\c +.BR \-s \ { base \||\| one \||\| sub \||\| children }] +[\c +.BR \-a \ { never \||\| always \||\| search \||\| find }] +[\c +.BI \-l \ timelimit\fR] +[\c +.BI \-z \ sizelimit\fR] +[\c +.BI \-f \ file\fR] +[\c +.BR \-M [ M ]] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-P \ { 2 \||\| 3 }] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +.I filter +[\c +.IR attrs... ] +.SH DESCRIPTION +.I ldapsearch +is a shell-accessible interface to the +.BR ldap_search_ext (3) +library call. +.LP +.B ldapsearch +opens a connection to an LDAP server, binds, and performs a search +using specified parameters. The \fIfilter\fP should conform to +the string representation for search filters as defined in RFC 4515. +If not provided, the default filter, \fB(objectClass=*)\fP, is used. +.LP +If +.B ldapsearch +finds one or more entries, the attributes specified by +\fIattrs\fP are returned. If \fB*\fP is listed, all user attributes are +returned. If \fB+\fP is listed, all operational attributes are returned. +If no \fIattrs\fP are listed, all user attributes are returned. If only +1.1 is listed, no attributes will be returned. +.LP +The search results are displayed using an extended version of LDIF. +Option \fI\-L\fP controls the format of the output. +.SH OPTIONS +.TP +.BR \-V [ V ] +Print version info. +If \fB\-VV\fP is given, exit after providing version info. Otherwise proceed +with the specified search +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldapsearch +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-n +Show what would be done, but don't actually perform the search. Useful for +debugging in conjunction with \fB\-v\fP. +.TP +.B \-v +Run in verbose mode, with many diagnostics written to standard output. +.TP +.B \-c +Continuous operation mode. Errors are reported, but ldapsearch will continue +with searches. The default is to exit after reporting an error. Only useful +in conjunction with \fB\-f\fP. +.TP +.B \-u +Include the User Friendly Name form of the Distinguished Name (DN) +in the output. +.TP +.BR \-t [ t ] +A single \fB\-t\fP writes retrieved non-printable values to a set of temporary +files. This is useful for dealing with values containing non-character +data such as jpegPhoto or audio. A second \fB\-t\fP writes all retrieved values to +files. +.TP +.BI \-T \ path +Write temporary files to directory specified by \fIpath\fP (default: +\fB/var/tmp/\fP) +.TP +.BI \-F \ prefix +URL prefix for temporary files. Default is \fBfile://\fIpath\fP where +\fIpath\fP is \fB/var/tmp/\fP or specified with \fB\-T\fP. +.TP +.B \-A +Retrieve attributes only (no values). This is useful when you just want to +see if an attribute is present in an entry and are not interested in the +specific values. +.TP +.B \-L +Search results are display in LDAP Data Interchange Format detailed in +.BR ldif (5). +A single \fB\-L\fP restricts the output to LDIFv1. + A second \fB\-L\fP disables comments. +A third \fB\-L\fP disables printing of the LDIF version. +The default is to use an extended version of LDIF. +.TP +.BI \-S \ attribute +Sort the entries returned based on \fIattribute\fP. The default is not +to sort entries returned. If \fIattribute\fP is a zero-length string (""), +the entries are sorted by the components of their Distinguished Name. See +.BR ldap_sort (3) +for more details. Note that +.B ldapsearch +normally prints out entries as it receives them. The use of the \fB\-S\fP +option defeats this behavior, causing all entries to be retrieved, +then sorted, then printed. +.TP +.BI \-b \ searchbase +Use \fIsearchbase\fP as the starting point for the search instead of +the default. +.TP +.BR \-s \ { base \||\| one \||\| sub \||\| children } +Specify the scope of the search to be one of +.BR base , +.BR one , +.BR sub , +or +.B children +to specify a base object, one-level, subtree, or children search. +The default is +.BR sub . +Note: +.I children +scope requires LDAPv3 subordinate feature extension. +.TP +.BR \-a \ { never \||\| always \||\| search \||\| find } +Specify how aliases dereferencing is done. Should be one of +.BR never , +.BR always , +.BR search , +or +.B find +to specify that aliases are never dereferenced, always dereferenced, +dereferenced when searching, or dereferenced only when locating the +base object for the search. The default is to never dereference aliases. +.TP +.BI \-l \ timelimit +wait at most \fItimelimit\fP seconds for a search to complete. +A timelimit of +.I 0 +(zero) or +.I none +means no limit. +A timelimit of +.I max +means the maximum integer allowable by the protocol. +A server may impose a maximal timelimit which only +the root user may override. +.TP +.BI \-z \ sizelimit +retrieve at most \fIsizelimit\fP entries for a search. +A sizelimit of +.I 0 +(zero) or +.I none +means no limit. +A sizelimit of +.I max +means the maximum integer allowable by the protocol. +A server may impose a maximal sizelimit which only +the root user may override. +.TP +.BI \-f \ file +Read a series of lines from \fIfile\fP, performing one LDAP search for +each line. In this case, the \fIfilter\fP given on the command line +is treated as a pattern where the first and only occurrence of \fB%s\fP +is replaced with a line from \fIfile\fP. Any other occurrence of the +the \fB%\fP character in the pattern will be regarded as an error. +Where it is desired that the search filter include a \fB%\fP character, +the character should be encoded as \fB\\25\fP (see RFC 4515). +If \fIfile\fP is a single +\fB\-\fP character, then the lines are read from standard input. +.B ldapsearch +will exit when the first non-successful search result is returned, +unless \fB\-c\fP is used. +.TP +.BR \-M [ M ] +Enable manage DSA IT control. +.B \-MM +makes control critical. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +For SASL binds, the server is expected to ignore this value. +.TP +.B \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password for simple authentication. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s); +a list of URI, separated by whitespace or commas is expected; +only the protocol/host/port fields are allowed. +As an exception, if no host/port is specified, but a DN is, +the DN is used to look up the corresponding host(s) using the +DNS SRV records, according to RFC 2782. The DN must be a non-empty +sequence of AVAs whose attribute type is "dc" (domain component), +and must be escaped according to RFC 2396. +.TP +.BR \-P \ { 2 \||\| 3 } +Specify the LDAP protocol version to use. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP and search extensions with \fB\-E\fP. +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi + +Search extensions: +.nf + !dontUseCopy + [!]domainScope (domain scope) + [!]mv=<filter> (matched values filter) + [!]pr=<size>[/prompt|noprompt] (paged results/prompt) + [!]sss=[\-]<attr[:OID]>[/[\-]<attr[:OID]>...] (server side sorting) + [!]subentries[=true|false] (subentries) + [!]sync=ro[/<cookie>] (LDAP Sync refreshOnly) + rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist) + [!]vlv=<before>/<after>(/<offset>/<count>|:<value>) (virtual list view) + [!]deref=derefAttr:attr[,attr[...]][;derefAttr:attr[,attr[...]]] + [!]<oid>[=:<value>|::<b64value>] +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username> +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. If you use +\fB\-ZZ\fP, the command will require the operation to be successful. +.SH OUTPUT FORMAT +If one or more entries are found, each entry is written to standard +output in LDAP Data Interchange Format or +.BR ldif (5): +.LP +.nf + version: 1 + + # bjensen, example, net + dn: uid=bjensen,dc=example,dc=net + objectClass: person + objectClass: dcObject + uid: bjensen + cn: Barbara Jensen + sn: Jensen + ... +.fi +.LP +If the \fB\-t\fP option is used, the URI of a temporary file +is used in place of the actual value. If the \fB\-A\fP option +is given, only the "attributename" part is written. +.SH EXAMPLE +The following command: +.LP +.nf + ldapsearch \-LLL "(sn=smith)" cn sn telephoneNumber +.fi +.LP +will perform a subtree search (using the default search base and +other parameters defined in +.BR ldap.conf (5)) +for entries with a surname (sn) of smith. The common name (cn), surname +(sn) and telephoneNumber values will be retrieved and printed to +standard output. +The output might look something like this if two entries are found: +.LP +.nf + dn: uid=jts,dc=example,dc=com + cn: John Smith + cn: John T. Smith + sn: Smith + sn;lang\-en: Smith + sn;lang\-de: Schmidt + telephoneNumber: 1 555 123\-4567 + + dn: uid=sss,dc=example,dc=com + cn: Steve Smith + cn: Steve S. Smith + sn: Smith + sn;lang\-en: Smith + sn;lang\-de: Schmidt + telephoneNumber: 1 555 765\-4321 +.fi +.LP +The command: +.LP +.nf + ldapsearch \-LLL \-u \-t "(uid=xyz)" jpegPhoto audio +.fi +.LP +will perform a subtree search using the default search base for entries +with user id of "xyz". The user friendly form of the entry's DN will be +output after the line that contains the DN itself, and the jpegPhoto +and audio values will be retrieved and written to temporary files. The +output might look like this if one entry with one value for each of the +requested attributes is found: +.LP +.nf + dn: uid=xyz,dc=example,dc=com + ufn: xyz, example, com + audio:< file:///tmp/ldapsearch\-audio\-a19924 + jpegPhoto:< file:///tmp/ldapsearch\-jpegPhoto\-a19924 +.fi +.LP +This command: +.LP +.nf + ldapsearch \-LLL \-s one \-b "c=US" "(o=University*)" o description +.fi +.LP +will perform a one-level search at the c=US level for all entries +whose organization name (o) begins with \fBUniversity\fP. +The organization name and description attribute values will be retrieved +and printed to standard output, resulting in output similar to this: +.LP +.nf + dn: o=University of Alaska Fairbanks,c=US + o: University of Alaska Fairbanks + description: Naturally Inspiring + description: leaf node only + + dn: o=University of Colorado at Boulder,c=US + o: University of Colorado at Boulder + description: No personnel information + description: Institution of education and research + + dn: o=University of Colorado at Denver,c=US + o: University of Colorado at Denver + o: UCD + o: CU/Denver + o: CU\-Denver + description: Institute for Higher Learning and Research + + dn: o=University of Florida,c=US + o: University of Florida + o: UFl + description: Warper of young minds + + ... +.fi +.SH DIAGNOSTICS +Exit status is zero if no errors occur. +Errors result in a non-zero exit status and +a diagnostic message being written to standard error. +.SH "SEE ALSO" +.BR ldapadd (1), +.BR ldapdelete (1), +.BR ldapmodify (1), +.BR ldapmodrdn (1), +.BR ldap.conf (5), +.BR ldif (5), +.BR ldap (3), +.BR ldap_search_ext (3), +.BR ldap_sort (3) +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man1/ldapurl.1 b/doc/man/man1/ldapurl.1 new file mode 100644 index 0000000..7e38270 --- /dev/null +++ b/doc/man/man1/ldapurl.1 @@ -0,0 +1,168 @@ +.TH LDAPURL 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 2008-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapurl \- LDAP URL formatting tool +.SH SYNOPSIS +.B ldapurl +[\c +.BR \-a \ attrs\fR] +[\c +.BI \-b \ searchbase\fR] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-f \ filter\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BI \-h \ ldaphost\fR] +[\c +.BI \-p \ ldapport\fR] +[\c +.BR \-s \ { base \||\| one \||\| sub \||\| children }] +[\c +.BI \-S \ scheme\fR] +.SH DESCRIPTION +.I ldapurl +is a command that allows one to either compose or decompose LDAP URIs. +.LP +When invoked with the \fB\-H\fP option, +.B ldapurl +extracts the components of the \fIldapuri\fP option argument, +unescaping hex-escaped chars as required. +It basically acts as a frontend to the +.BR ldap_url_parse (3) +call. +Otherwise, it builds an LDAP URI based on the components +passed with the appropriate options, performing the inverse operation. +Option \fB\-H\fP is incompatible with options +.BR \-a , +.BR \-b , +.BR \-E , +.BR \-f , +.BR \-H , +.BR \-h , +.BR \-p , +.BR \-S , +and +.BR \-s . +.SH OPTIONS +.TP +.TP +.BI \-a \ attrs +Set a comma-separated list of attribute selectors. +.TP +.BI \-b \ searchbase +Set the \fIsearchbase\fP. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi + +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +Set URL extensions; incompatible with +.BR \-H . +.TP +.BI \-f \ filter +Set the URL filter. No particular check on conformity with RFC 4515 +LDAP filters is performed, but the value is hex-escaped as required. +.TP +.BI \-H \ ldapuri +Specify URI to be exploded. +.TP +.BI \-h \ ldaphost +Set the host. +.TP +.BI \-p \ ldapport +Set the TCP port. +.TP +.BI \-S \ scheme +Set the URL scheme. Defaults for other fields, like \fIldapport\fP, +may depend on the value of \fIscheme\fP. +.TP +.BR \-s \ { base \||\| one \||\| sub \||\| children } +Specify the scope of the search to be one of +.BR base , +.BR one , +.BR sub , +or +.B children +to specify a base object, one-level, subtree, or children search. +The default is +.BR sub . +Note: +.B children +scope requires LDAPv3 subordinate feature extension. + +.SH OUTPUT FORMAT +If the \fB\-H\fP option is used, the \fIldapuri\fP supplied +is exploded in its components, which are printed to standard output +in an LDIF-like form. +.LP +Otherwise, the URI built using the values passed with the other options +is printed to standard output. +.SH EXAMPLE +The following command: +.LP +.nf + ldapurl \-h ldap.example.com \-b dc=example,dc=com \-s sub \-f "(cn=Some One)" +.fi +.LP +returns +.LP +.nf + ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One) +.fi +.LP +The command: +.LP +.nf + ldapurl \-H ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One) +.fi +.LP +returns +.LP +.nf + scheme: ldap + host: ldap.example.com + port: 389 + dn: dc=example,dc=com + scope: sub + filter: (cn=Some One) +.fi +.LP +.SH DIAGNOSTICS +Exit status is zero if no errors occur. +Errors result in a non-zero exit status and +a diagnostic message being written to standard error. +.SH "SEE ALSO" +.BR ldap (3), +.BR ldap_url_parse (3), +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man1/ldapvc.1 b/doc/man/man1/ldapvc.1 new file mode 100644 index 0000000..4733080 --- /dev/null +++ b/doc/man/man1/ldapvc.1 @@ -0,0 +1,213 @@ +.TH LDAPVC 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapvc \- LDAP verify credentials tool +.SH SYNOPSIS +.B ldapvc +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-a ] +[\c +.BR \-b ] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +\c +.I Distinguished Name \ +\c +.I [Credentials] +.SH DESCRIPTION +.I ldapvc +implements the LDAP "Verify Credentials" extended operation. +.LP +.B Verify Credentials +operation behaves like LDAP Bind but has no impact upon the underlying LDAP session. +.SH OPTIONS +.TP +.BR \-V [ V ] +Print version info. +If \fB\-VV\fP is given, only the version information is printed. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldapvc +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-a +Print the authzID resulting from a successful verification of credentials. +.TP +.B \-b +Print the results from the ppolicy control after verification of credentials. +.TP +.B \-n +Show what would be done, but don't actually perform the operation. +Useful for +debugging in conjunction with \fB\-v\fP. +.TP +.B \-v +Run in verbose mode, with many diagnostics written to standard output. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +For SASL binds, the server is expected to ignore this value. +.TP +.B \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password for simple authentication. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s); only the protocol/host/port +fields are allowed; a list of URI, separated by whitespace or commas +is expected. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP and Verify Credentials extensions with \fB\-E\fP. +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi +.sp +Verify Credentials extensions: +.sp +The following options set SASL params on the Verify Credentials request: +.nf + authcid=<authcid> (SASL Authentication Identity "dn:<dn>" or "u:<user>") + authzid=<authzid> (SASL Authorization Identity "dn:<dn>" or "u:<user>") + mech=<mech> (SASL mechanism default e.g. Simple) + realm=<realm> (SASL Realm, defaults to none) + sasl=a[utomatic]|i[nteractive]|q[uiet] (SASL mode defaults to automatic if any other -E option provided, otherwise none) + secprops=<secprops> (SASL Security Properties) +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.B -o +option that can be passed here, check +.BR ldap.conf (5) +for details. +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username> +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. If you use +\fB\-ZZ\fP, the command will require the operation to be successful. +.SH EXAMPLE +.nf + ldapvc \-x "uid=Alice,ou=People,dc=example,dc=com" +.fi +.SH "SEE ALSO" +.BR ldap.conf (5), +.BR ldap (3), +.BR ldap_extended_operation (3) +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1 new file mode 100644 index 0000000..49b1187 --- /dev/null +++ b/doc/man/man1/ldapwhoami.1 @@ -0,0 +1,194 @@ +.TH LDAPWHOAMI 1 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapwhoami \- LDAP who am i? tool +.SH SYNOPSIS +.B ldapwhoami +[\c +.BR \-V [ V ]] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-x ] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ passwd\fR] +[\c +.BI \-y \ passwdfile\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]] +[\c +.BI \-o \ opt \fR[= optparam \fR]] +[\c +.BI \-O \ security-properties\fR] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BR \-N ] +[\c +.BI \-U \ authcid\fR] +[\c +.BI \-R \ realm\fR] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z [ Z ]] +.SH DESCRIPTION +.I ldapwhoami +implements the LDAP "Who Am I?" extended operation. +.LP +.B ldapwhoami +opens a connection to an LDAP server, binds, and performs a whoami +operation. +.SH OPTIONS +.TP +.BR \-V [ V ] +Print version info. +If \fB\-VV\fP is given, only the version information is printed. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldapwhoami +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-n +Show what would be done, but don't actually perform the whoami operation. +Useful for +debugging in conjunction with \fB\-v\fP. +.TP +.B \-v +Run in verbose mode, with many diagnostics written to standard output. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +For SASL binds, the server is expected to ignore this value. +.TP +.B \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ passwd +Use \fIpasswd\fP as the password for simple authentication. +.TP +.BI \-y \ passwdfile +Use complete contents of \fIpasswdfile\fP as the password for +simple authentication. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s); only the protocol/host/port +fields are allowed; a list of URI, separated by whitespace or commas +is expected. +.TP +.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ] +.TP +.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ] + +Specify general extensions with \fB\-e\fP and whoami extensions with \fB\-E\fP. +\'\fB!\fP\' indicates criticality. + +General extensions: +.nf + [!]assert=<filter> (an RFC 4515 Filter) + !authzid=<authzid> ("dn:<dn>" or "u:<user>") + [!]bauthzid (RFC 3829 authzid control) + [!]chaining[=<resolve>[/<cont>]] + [!]manageDSAit + [!]noop + ppolicy + [!]postread[=<attrs>] (a comma-separated attribute list) + [!]preread[=<attrs>] (a comma-separated attribute list) + [!]relax + sessiontracking[=<username>] + abandon,cancel,ignore (SIGINT sends abandon/cancel, + or ignores response; if critical, doesn't wait for SIGINT. + not really controls) +.fi + +WhoAmI extensions: +.nf + (none) +.fi +.TP +.BI \-o \ opt \fR[= optparam \fR] + +Specify any +.BR ldap.conf (5) +option or one of the following: +.nf + nettimeout=<timeout> (in seconds, or "none" or "max") + ldif_wrap=<width> (in columns, or "no" for no wrapping) +.fi + +.B -o +option that can be passed here, check +.BR ldap.conf (5) +for details. +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.B \-N +Do not use reverse DNS to canonicalize SASL host name. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-R \ realm +Specify the realm of authentication ID for SASL bind. The form of the realm +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.BI dn: "<distinguished name>" +or +.BI u: <username> +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.BR \-Z [ Z ] +Issue StartTLS (Transport Layer Security) extended operation. If you use +\fB\-ZZ\fP, the command will require the operation to be successful. +.SH EXAMPLE +.nf + ldapwhoami \-x \-D "cn=Manager,dc=example,dc=com" \-W +.fi +.SH "SEE ALSO" +.BR ldap.conf (5), +.BR ldap (3), +.BR ldap_extended_operation (3) +.SH AUTHOR +The OpenLDAP Project <http://www.openldap.org/> +.SH ACKNOWLEDGEMENTS +.so ../Project |