summaryrefslogtreecommitdiffstats
path: root/doc/man/man1
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/man1')
-rw-r--r--doc/man/man1/Makefile.in16
-rw-r--r--doc/man/man1/ldapcompare.1241
-rw-r--r--doc/man/man1/ldapdelete.1252
-rw-r--r--doc/man/man1/ldapexop.1242
-rw-r--r--doc/man/man1/ldapmodify.1390
-rw-r--r--doc/man/man1/ldapmodify.1.links1
-rw-r--r--doc/man/man1/ldapmodrdn.1268
-rw-r--r--doc/man/man1/ldappasswd.1231
-rw-r--r--doc/man/man1/ldapsearch.1495
-rw-r--r--doc/man/man1/ldapurl.1168
-rw-r--r--doc/man/man1/ldapvc.1213
-rw-r--r--doc/man/man1/ldapwhoami.1194
12 files changed, 2711 insertions, 0 deletions
diff --git a/doc/man/man1/Makefile.in b/doc/man/man1/Makefile.in
new file mode 100644
index 0000000..c051765
--- /dev/null
+++ b/doc/man/man1/Makefile.in
@@ -0,0 +1,16 @@
+# man1 Makefile.in for OpenLDAP
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+MANSECT=1
diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
new file mode 100644
index 0000000..b15b0c4
--- /dev/null
+++ b/doc/man/man1/ldapcompare.1
@@ -0,0 +1,241 @@
+.TH LDAPCOMPARE 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldapcompare \- LDAP compare tool
+.SH SYNOPSIS
+.B ldapcompare
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-z ]
+[\c
+.BR \-M [ M ]]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-P \ { 2 \||\| 3 }]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+.IR DN
+{\c
+.BI attr: value
+|
+.BI attr:: b64value\fR}
+.SH DESCRIPTION
+.I ldapcompare
+is a shell-accessible interface to the
+.BR ldap_compare_ext (3)
+library call.
+.LP
+.B ldapcompare
+opens a connection to an LDAP server, binds, and performs a compare
+using specified parameters. The \fIDN\fP should be a distinguished
+name in the directory. \fIAttr\fP should be a known attribute. If
+followed by one colon, the assertion \fIvalue\fP should be provided
+as a string. If followed by two colons, the base64 encoding of the
+value is provided. The result code of the compare is provided as
+the exit code and, unless ran with \fB\-z\fP, the program prints
+TRUE, FALSE, or UNDEFINED on standard output.
+.LP
+.SH OPTIONS
+.TP
+.BR \-V [ V ]
+Print version info.
+If \fB\-VV\fP is given, only the version information is printed.
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.B ldapcompare
+must be compiled with LDAP_DEBUG defined for this option to have any effect.
+.TP
+.B \-n
+Show what would be done, but don't actually perform the compare. Useful for
+debugging in conjunction with \fB\-v\fP.
+.TP
+.B \-v
+Run in verbose mode, with many diagnostics written to standard output.
+.TP
+.B \-z
+Run in quiet mode, no output is written. You must check the return
+status. Useful in shell scripts.
+.TP
+.BR \-M [ M ]
+Enable manage DSA IT control.
+.B \-MM
+makes control critical.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
+.TP
+.B \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+Note that \fIcomplete\fP means that any leading or trailing whitespaces,
+including newlines, will be considered part of the password and,
+unlike other software, they will not be stripped.
+As a consequence, passwords stored in files by commands like
+.BR echo (1)
+will not behave as expected, since
+.BR echo (1)
+by default appends a trailing newline to the echoed string.
+The recommended portable way to store a cleartext password in a file
+for use with this option is to use
+.BR slappasswd (8)
+with \fI{CLEARTEXT}\fP as hash and the option \fB\-n\fP.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BR \-P \ { 2 \||\| 3 }
+Specify the LDAP protocol version to use.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and compare extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+Compare extensions:
+.nf
+ !dontUseCopy
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+\fB\-ZZ\fP, the command will require the operation to be successful.
+.SH EXAMPLES
+.nf
+ ldapcompare "uid=babs,dc=example,dc=com" sn:Jensen
+ ldapcompare "uid=babs,dc=example,dc=com" sn::SmVuc2Vu
+.fi
+are all equivalent.
+.SH LIMITATIONS
+Requiring the value be passed on the command line is limiting
+and introduces some security concerns. The command should support
+a mechanism to specify the location (file name or URL) to read
+the value from.
+.SH "SEE ALSO"
+.BR ldap.conf (5),
+.BR ldif (5),
+.BR ldap (3),
+.BR ldap_compare_ext (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
new file mode 100644
index 0000000..e12cc56
--- /dev/null
+++ b/doc/man/man1/ldapdelete.1
@@ -0,0 +1,252 @@
+.TH LDAPDELETE 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldapdelete \- LDAP delete entry tool
+.SH SYNOPSIS
+.B ldapdelete
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-c ]
+[\c
+.BI \-f \ file\fR]
+[\c
+.BR \-r ]
+[\c
+.BI \-z \ sizelimit\fR]
+[\c
+.BR \-M [ M ]]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-P \ { 2 \||\| 3 }]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+[\c
+.IR DN \ [ ... ]]
+.SH DESCRIPTION
+.I ldapdelete
+is a shell-accessible interface to the
+.BR ldap_delete_ext (3)
+library call.
+.LP
+.B ldapdelete
+opens a connection to an LDAP server, binds, and deletes one or more
+entries. If one or more \fIDN\fP arguments are provided, entries with
+those Distinguished Names are deleted. Each \fIDN\fP should be provided
+using the LDAPv3 string representation as defined in RFC 4514.
+If no \fIDN\fP arguments
+are provided, a list of DNs is read from standard input (or from
+\fIfile\fP if the \fB\-f\fP flag is used).
+.SH OPTIONS
+.TP
+.BR \-V [ V ]
+Print version info.
+If \fB\-VV\fP is given, only the version information is printed.
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.B ldapdelete
+must be compiled with LDAP_DEBUG defined for this option to have any effect.
+.TP
+.B \-n
+Show what would be done, but don't actually delete entries. Useful for
+debugging in conjunction with \fB\-v\fP.
+.TP
+.B \-v
+Use verbose mode, with many diagnostics written to standard output.
+.TP
+.B \-c
+Continuous operation mode. Errors are reported, but
+.B ldapdelete
+will continue with deletions. The default is to exit after
+reporting an error.
+.TP
+.BI \-f \ file
+Read a series of DNs from \fIfile\fP, one per line, performing an
+LDAP delete for each.
+.TP
+.B \-r
+Do a recursive delete. If the DN specified isn't a leaf, its
+children, and all their children are deleted down the tree. No
+verification is done, so if you add this switch, ldapdelete will
+happily delete large portions of your tree. Use with care.
+.TP
+.BI \-z \ sizelimit
+Use \fIsizelimit\fP when searching for children DN to delete,
+to circumvent any server-side size limit. Only useful in conjunction
+with \fB\-r\fP.
+.TP
+.BR \-M [ M ]
+Enable manage DSA IT control.
+.B \-MM
+makes control critical.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
+.TP
+.B \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BR \-P \ { 2 \||\| 3 }
+Specify the LDAP protocol version to use.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and delete extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+Delete extensions:
+.nf
+ (none)
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the identity depends on the
+actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+\fB\-ZZ\fP, the command will require the operation to be successful.
+.SH EXAMPLE
+The following command:
+.LP
+.nf
+ ldapdelete "cn=Delete Me,dc=example,dc=com"
+.fi
+.LP
+will attempt to delete the entry named "cn=Delete Me,dc=example,dc=com".
+Of course it would probably be necessary to supply authentication
+credentials.
+.SH DIAGNOSTICS
+Exit status is 0 if no errors occur. Errors result in a non-zero exit
+status and a diagnostic message being written to standard error.
+.SH "SEE ALSO"
+.BR ldap.conf (5),
+.BR ldapadd (1),
+.BR ldapmodify (1),
+.BR ldapmodrdn (1),
+.BR ldapsearch (1),
+.BR ldap (3),
+.BR ldap_delete_ext (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
new file mode 100644
index 0000000..2040c3e
--- /dev/null
+++ b/doc/man/man1/ldapexop.1
@@ -0,0 +1,242 @@
+.\" $OpenLDAP$
+.\" This contribution is derived from OpenLDAP Software.
+.\" All of the modifications to OpenLDAP Software represented in this
+.\" contribution were developed by Peter Marschall <peter@adpm.de>.
+.\" I have not assigned rights and/or interest in this work to any party.
+.\"
+.\" Copyright 2009 Peter Marschall
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted only as authorized by the OpenLDAP Public License.
+.\"
+.\" A copy of this license is available in file LICENSE in the
+.\" top-level directory of the distribution or, alternatively, at
+.\" http://www.OpenLDAP.org/license.html.
+
+.TH LDAPEXOP 1
+
+.SH NAME
+ldapexop \- issue LDAP extended operations
+
+.SH SYNOPSIS
+ldapexop
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BI \-f \ file\fR]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ URI\fR]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+{\c
+.I oid
+|
+.BI oid: data
+|
+.BI oid:: b64data
+|
+.B whoami
+|
+.BI cancel \ cancel-id
+|
+.BI refresh \ DN \ \fR[\fIttl\fR]}
+
+.SH DESCRIPTION
+ldapexop issues the LDAP extended operation specified by \fBoid\fP
+or one of the special keywords \fBwhoami\fP, \fBcancel\fP, or \fBrefresh\fP.
+
+Additional data for the extended operation can be passed to the server using
+\fIdata\fP or base-64 encoded as \fIb64data\fP in the case of \fBoid\fP,
+or using the additional parameters in the case of the specially named extended
+operations above.
+
+Please note that ldapexop behaves differently for the same extended operation
+when it was given as an OID or as a specially named operation:
+
+Calling ldapexop with the OID of the \fBwhoami\fP (RFC 4532) extended operation
+.nf
+
+ ldapexop [<options>] 1.3.6.1.4.1.4203.1.11.3
+
+.fi
+yields
+.nf
+
+ # extended operation response
+ data:: <base64 encoded response data>
+
+.fi
+while calling it with the keyword \fBwhoami\fP
+.nf
+
+ ldapexop [<options>] whoami
+
+.fi
+results in
+.nf
+
+ dn:<client's identity>
+
+.fi
+
+
+.SH OPTIONS
+.TP
+.BI \-V [ V ]
+Print version info.
+If\fB\-VV\fP is given, only the version information is printed.
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.TP
+.BI \-n
+Show what would be done but don't actually do it.
+Useful for debugging in conjunction with \fB\-v\fP.
+.TP
+.BI \-v
+Run in verbose mode, with many diagnostics written to standard output.
+.TP
+.BI \-f \ file
+Read operations from \fIfile\fP.
+.TP
+.BI \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+.TP
+.BI \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ URI
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+Specify general extensions. \'!\' indicates criticality.
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.BI \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.BI \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication.
+Without this option, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation.
+Giving it twice (\fB\-ZZ\fP) will require the operation to be successful.
+
+.SH DIAGNOSTICS
+Exit status is zero if no errors occur.
+Errors result in a non-zero exit status and
+a diagnostic message being written to standard error.
+
+.SH "SEE ALSO"
+.BR ldap_extended_operation_s (3)
+
+.SH AUTHOR
+This manual page was written by Peter Marschall
+based on \fBldapexop\fP's usage message and a few tests
+with \fBldapexop\fP.
+Do not expect it to be complete or absolutely correct.
+
+.SH ACKNOWLEDGEMENTS
+.so ../Project
+
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
new file mode 100644
index 0000000..1104e9f
--- /dev/null
+++ b/doc/man/man1/ldapmodify.1
@@ -0,0 +1,390 @@
+.TH LDAPMODIFY 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
+.SH SYNOPSIS
+.B ldapmodify
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-a ]
+[\c
+.BR \-c ]
+[\c
+.BI \-f \ file\fR]
+[\c
+.BI \-S \ file\fR]
+[\c
+.BR \-M [ M ]]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-P \ { 2 \||\| 3 }]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+.LP
+.B ldapadd
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-c ]
+[\c
+.BI \-f \ file\fR]
+[\c
+.BI \-S \ file\fR]
+[\c
+.BR \-M [ M ]]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-P \ { 2 \||\| 3 }]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+.SH DESCRIPTION
+.B ldapmodify
+is a shell-accessible interface to the
+.BR ldap_add_ext (3),
+.BR ldap_modify_ext (3),
+.BR ldap_delete_ext (3)
+and
+.BR ldap_rename (3).
+library calls.
+.B ldapadd
+is implemented as a hard link to the ldapmodify tool. When invoked as
+.B ldapadd
+the \fB\-a\fP (add new entry) flag is turned on automatically.
+.LP
+.B ldapmodify
+opens a connection to an LDAP server, binds, and modifies or adds entries.
+The entry information is read from standard input or from \fIfile\fP through
+the use of the \fB\-f\fP option.
+.SH OPTIONS
+.TP
+.BR \-V [ V ]
+Print version info.
+If \fB\-VV\fP is given, only the version information is printed.
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.B ldapmodify
+must be compiled with LDAP_DEBUG defined for this option to have any effect.
+.TP
+.B \-n
+Show what would be done, but don't actually modify entries. Useful for
+debugging in conjunction with \fB\-v\fP.
+.TP
+.B \-v
+Use verbose mode, with many diagnostics written to standard output.
+.TP
+.B \-a
+Add new entries. The default for
+.B ldapmodify
+is to modify existing entries. If invoked as
+.BR ldapadd ,
+this flag is always set.
+.TP
+.B \-c
+Continuous operation mode. Errors are reported, but
+.B ldapmodify
+will continue with modifications. The default is to exit after
+reporting an error.
+.TP
+.BI \-f \ file
+Read the entry modification information from \fIfile\fP instead of from
+standard input.
+.TP
+.BI \-S \ file
+Add or change records which were skipped due to an error are written to \fIfile\fP
+and the error message returned by the server is added as a comment. Most useful in
+conjunction with \fB\-c\fP.
+.TP
+.BR \-M [ M ]
+Enable manage DSA IT control.
+.B \-MM
+makes control critical.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
+.TP
+.B \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BR \-P \ { 2 \||\| 3 }
+Specify the LDAP protocol version to use.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and modify extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+Modify extensions:
+.nf
+ [!]txn[=abort|commit]
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+.B \-ZZ\c
+, the command will require the operation to be successful.
+.SH INPUT FORMAT
+The contents of \fIfile\fP (or standard input if no \fB\-f\fP flag is given on
+the command line) must conform to the format defined in
+.BR ldif (5)
+(LDIF as defined in RFC 2849).
+.SH EXAMPLES
+Assuming that the file
+.B /tmp/entrymods
+exists and has the contents:
+.LP
+.nf
+ dn: cn=Modify Me,dc=example,dc=com
+ changetype: modify
+ replace: mail
+ mail: modme@example.com
+ \-
+ add: title
+ title: Grand Poobah
+ \-
+ add: jpegPhoto
+ jpegPhoto:< file:///tmp/modme.jpeg
+ \-
+ delete: description
+ \-
+.fi
+.LP
+the command:
+.LP
+.nf
+ ldapmodify \-f /tmp/entrymods
+.fi
+.LP
+will replace the contents of the "Modify Me" entry's
+.I mail
+attribute with the value "modme@example.com", add a
+.I title
+of "Grand Poobah", and the contents of the file "/tmp/modme.jpeg"
+as a
+.IR jpegPhoto ,
+and completely remove the
+.I description
+attribute.
+.LP
+Assuming that the file
+.B /tmp/newentry
+exists and has the contents:
+.LP
+.nf
+ dn: cn=Barbara Jensen,dc=example,dc=com
+ objectClass: person
+ cn: Barbara Jensen
+ cn: Babs Jensen
+ sn: Jensen
+ title: the world's most famous mythical manager
+ mail: bjensen@example.com
+ uid: bjensen
+.fi
+.LP
+the command:
+.LP
+.nf
+ ldapadd \-f /tmp/newentry
+.fi
+.LP
+will add a new entry for Babs Jensen, using the values from the
+file
+.B /tmp/newentry.
+.LP
+Assuming that the file
+.B /tmp/entrymods
+exists and has the contents:
+.LP
+.nf
+ dn: cn=Barbara Jensen,dc=example,dc=com
+ changetype: delete
+.fi
+.LP
+the command:
+.LP
+.nf
+ ldapmodify \-f /tmp/entrymods
+.fi
+.LP
+will remove Babs Jensen's entry.
+.SH DIAGNOSTICS
+Exit status is zero if no errors occur. Errors result in a non-zero
+exit status and a diagnostic message being written to standard error.
+.SH "SEE ALSO"
+.BR ldapadd (1),
+.BR ldapdelete (1),
+.BR ldapmodrdn (1),
+.BR ldapsearch (1),
+.BR ldap.conf (5),
+.BR ldap (3),
+.BR ldap_add_ext (3),
+.BR ldap_delete_ext (3),
+.BR ldap_modify_ext (3),
+.BR ldap_modrdn_ext (3),
+.BR ldif (5).
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man1/ldapmodify.1.links b/doc/man/man1/ldapmodify.1.links
new file mode 100644
index 0000000..eb4fb76
--- /dev/null
+++ b/doc/man/man1/ldapmodify.1.links
@@ -0,0 +1 @@
+ldapadd.1
diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
new file mode 100644
index 0000000..777c539
--- /dev/null
+++ b/doc/man/man1/ldapmodrdn.1
@@ -0,0 +1,268 @@
+.TH LDAPMODRDN 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldapmodrdn \- LDAP rename entry tool
+.SH SYNOPSIS
+.B ldapmodrdn
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-r ]
+[\c
+.BI \-s \ newsup\fR]
+[\c
+.BR \-c ]
+[\c
+.BI \-f \ file\fR]
+[\c
+.BR \-M [ M ]]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-P \ { 2 \||\| 3 }]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+[\c
+.I dn rdn\fR]
+.SH DESCRIPTION
+.B ldapmodrdn
+is a shell-accessible interface to the
+.BR ldap_rename (3)
+library call.
+.LP
+.B ldapmodrdn
+opens a connection to an LDAP server, binds, and modifies the RDN of entries.
+The entry information is read from standard input, from \fIfile\fP through
+the use of the
+.RI \- f
+option, or from the command-line pair \fIdn\fP and
+\fIrdn\fP.
+.SH OPTIONS
+.TP
+.BR \-V [ V ]
+Print version info.
+If \fB\-VV\fP is given, only the version information is printed.
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.B ldapmodrdn
+must be compiled with LDAP_DEBUG defined for this option to have any effect.
+.TP
+.B \-n
+Show what would be done, but don't actually change entries. Useful for
+debugging in conjunction with \fB\-v\fP.
+.TP
+.B \-v
+Use verbose mode, with many diagnostics written to standard output.
+.TP
+.B \-r
+Remove old RDN values from the entry. Default is to keep old values.
+.TP
+.BI \-s \ newsup
+Specify a new superior entry. (I.e., move the target entry and make it a
+child of the new superior.) This option is not supported in LDAPv2.
+.TP
+.B \-c
+Continuous operation mode. Errors are reported, but ldapmodrdn
+will continue with modifications. The default is to exit after
+reporting an error.
+.TP
+.BI \-f \ file
+Read the entry modification information from \fIfile\fP instead of from
+standard input or the command-line.
+.TP
+.BR \-M [ M ]
+Enable manage DSA IT control.
+.B \-MM
+makes control critical.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
+.TP
+.B \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BR \-P \ { 2 \||\| 3 }
+Specify the LDAP protocol version to use.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and modrdn extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+Modrdn extensions:
+.nf
+ (none)
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+\fB\-ZZ\fP, the command will require the operation to be successful.
+.SH INPUT FORMAT
+If the command-line arguments \fIdn\fP and \fIrdn\fP are given, \fIrdn\fP
+will replace the RDN of the entry specified by the DN, \fIdn\fP.
+.LP
+Otherwise, the contents of \fIfile\fP (or standard input if
+no \fB\-f\fP flag is given) should consist of one or more entries.
+.LP
+.nf
+ Distinguished Name (DN)
+ Relative Distinguished Name (RDN)
+.fi
+.LP
+One or more blank lines may be used to separate each DN/RDN pair.
+.SH EXAMPLE
+Assuming that the file
+.B /tmp/entrymods
+exists and has the contents:
+.LP
+.nf
+ cn=Modify Me,dc=example,dc=com
+ cn=The New Me
+.fi
+.LP
+the command:
+.LP
+.nf
+ ldapmodrdn \-r \-f /tmp/entrymods
+.fi
+.LP
+will change the RDN of the "Modify Me" entry from "Modify Me" to
+"The New Me" and the old cn, "Modify Me" will be removed.
+.LP
+.SH DIAGNOSTICS
+Exit status is 0 if no errors occur. Errors result in a non-zero exit
+status and a diagnostic message being written to standard error.
+.SH "SEE ALSO"
+.BR ldapadd (1),
+.BR ldapdelete (1),
+.BR ldapmodify (1),
+.BR ldapsearch (1),
+.BR ldap.conf (5),
+.BR ldap (3),
+.BR ldap_rename (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
new file mode 100644
index 0000000..d1aea0c
--- /dev/null
+++ b/doc/man/man1/ldappasswd.1
@@ -0,0 +1,231 @@
+.TH LDAPPASSWD 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldappasswd \- change the password of an LDAP entry
+.SH SYNOPSIS
+.B ldappasswd
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-A ]
+[\c
+.BI \-a \ oldPasswd\fR]
+[\c
+.BI \-t \ oldpasswdfile\fR]
+[\c
+.BR \-S ]
+[\c
+.BI \-s \ newPasswd\fR]
+[\c
+.BI \-T \ newpasswdfile\fR]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+[\c
+.IR user ]
+.SH DESCRIPTION
+.B ldappasswd
+is a tool to set the password of an LDAP user.
+.B ldappasswd
+uses the LDAPv3 Password Modify (RFC 3062) extended operation.
+.LP
+.B ldappasswd
+sets the password of associated with the user [or an optionally
+specified
+.IR user ].
+If the new
+password is not specified on the command line and the user
+doesn't enable prompting, the server will be asked to generate
+a password for the user.
+.LP
+.B ldappasswd
+is neither designed nor intended to be a replacement for
+.BR passwd (1)
+and should not be installed as such.
+.SH OPTIONS
+.TP
+.BR \-V [ V ]
+Print version info.
+If \fB\-VV\fP is given, only the version information is printed.
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.B ldappasswd
+must be compiled with LDAP_DEBUG defined for this option to have any effect.
+.TP
+.B \-n
+Do not set password. (Can be useful when used in conjunction with
+\fB\-v\fP or \fB\-d\fP)
+.TP
+.B \-v
+Increase the verbosity of output. Can be specified multiple times.
+.TP
+.BI \-A
+Prompt for old password.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-a \ oldPasswd
+Set the old password to \fIoldPasswd\fP.
+.TP
+.BI \-t \ oldPasswdFile
+Set the old password to the contents of \fIoldPasswdFile\fP.
+.TP
+.BI \-S
+Prompt for new password.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-s \ newPasswd
+Set the new password to \fInewPasswd\fP.
+.TP
+.BI \-T \ newPasswdFile
+Set the new password to the contents of \fInewPasswdFile\fP.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
+.TP
+.BI \-W
+Prompt for bind password.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password to bind with.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and passwd modify extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+Passwd Modify extensions:
+.nf
+ (none)
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>\fP.
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+\fB\-ZZ\fP, the command will require the operation to be successful
+.SH SEE ALSO
+.BR ldap_sasl_bind (3),
+.BR ldap_extended_operation (3),
+.BR ldap_start_tls_s (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
new file mode 100644
index 0000000..2aec7c5
--- /dev/null
+++ b/doc/man/man1/ldapsearch.1
@@ -0,0 +1,495 @@
+.TH LDAPSEARCH 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldapsearch \- LDAP search tool
+.SH SYNOPSIS
+.B ldapsearch
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-c ]
+[\c
+.BR \-u ]
+[\c
+.BR \-t [ t ]]
+[\c
+.BI \-T \ path\fR]
+[\c
+.BI \-F \ prefix\fR]
+[\c
+.BR \-A ]
+[\c
+.BR \-L [ L [ L ]]]
+[\c
+.BI \-S \ attribute\fR]
+[\c
+.BI \-b \ searchbase\fR]
+[\c
+.BR \-s \ { base \||\| one \||\| sub \||\| children }]
+[\c
+.BR \-a \ { never \||\| always \||\| search \||\| find }]
+[\c
+.BI \-l \ timelimit\fR]
+[\c
+.BI \-z \ sizelimit\fR]
+[\c
+.BI \-f \ file\fR]
+[\c
+.BR \-M [ M ]]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-P \ { 2 \||\| 3 }]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+.I filter
+[\c
+.IR attrs... ]
+.SH DESCRIPTION
+.I ldapsearch
+is a shell-accessible interface to the
+.BR ldap_search_ext (3)
+library call.
+.LP
+.B ldapsearch
+opens a connection to an LDAP server, binds, and performs a search
+using specified parameters. The \fIfilter\fP should conform to
+the string representation for search filters as defined in RFC 4515.
+If not provided, the default filter, \fB(objectClass=*)\fP, is used.
+.LP
+If
+.B ldapsearch
+finds one or more entries, the attributes specified by
+\fIattrs\fP are returned. If \fB*\fP is listed, all user attributes are
+returned. If \fB+\fP is listed, all operational attributes are returned.
+If no \fIattrs\fP are listed, all user attributes are returned. If only
+1.1 is listed, no attributes will be returned.
+.LP
+The search results are displayed using an extended version of LDIF.
+Option \fI\-L\fP controls the format of the output.
+.SH OPTIONS
+.TP
+.BR \-V [ V ]
+Print version info.
+If \fB\-VV\fP is given, exit after providing version info. Otherwise proceed
+with the specified search
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.B ldapsearch
+must be compiled with LDAP_DEBUG defined for this option to have any effect.
+.TP
+.B \-n
+Show what would be done, but don't actually perform the search. Useful for
+debugging in conjunction with \fB\-v\fP.
+.TP
+.B \-v
+Run in verbose mode, with many diagnostics written to standard output.
+.TP
+.B \-c
+Continuous operation mode. Errors are reported, but ldapsearch will continue
+with searches. The default is to exit after reporting an error. Only useful
+in conjunction with \fB\-f\fP.
+.TP
+.B \-u
+Include the User Friendly Name form of the Distinguished Name (DN)
+in the output.
+.TP
+.BR \-t [ t ]
+A single \fB\-t\fP writes retrieved non-printable values to a set of temporary
+files. This is useful for dealing with values containing non-character
+data such as jpegPhoto or audio. A second \fB\-t\fP writes all retrieved values to
+files.
+.TP
+.BI \-T \ path
+Write temporary files to directory specified by \fIpath\fP (default:
+\fB/var/tmp/\fP)
+.TP
+.BI \-F \ prefix
+URL prefix for temporary files. Default is \fBfile://\fIpath\fP where
+\fIpath\fP is \fB/var/tmp/\fP or specified with \fB\-T\fP.
+.TP
+.B \-A
+Retrieve attributes only (no values). This is useful when you just want to
+see if an attribute is present in an entry and are not interested in the
+specific values.
+.TP
+.B \-L
+Search results are display in LDAP Data Interchange Format detailed in
+.BR ldif (5).
+A single \fB\-L\fP restricts the output to LDIFv1.
+ A second \fB\-L\fP disables comments.
+A third \fB\-L\fP disables printing of the LDIF version.
+The default is to use an extended version of LDIF.
+.TP
+.BI \-S \ attribute
+Sort the entries returned based on \fIattribute\fP. The default is not
+to sort entries returned. If \fIattribute\fP is a zero-length string (""),
+the entries are sorted by the components of their Distinguished Name. See
+.BR ldap_sort (3)
+for more details. Note that
+.B ldapsearch
+normally prints out entries as it receives them. The use of the \fB\-S\fP
+option defeats this behavior, causing all entries to be retrieved,
+then sorted, then printed.
+.TP
+.BI \-b \ searchbase
+Use \fIsearchbase\fP as the starting point for the search instead of
+the default.
+.TP
+.BR \-s \ { base \||\| one \||\| sub \||\| children }
+Specify the scope of the search to be one of
+.BR base ,
+.BR one ,
+.BR sub ,
+or
+.B children
+to specify a base object, one-level, subtree, or children search.
+The default is
+.BR sub .
+Note:
+.I children
+scope requires LDAPv3 subordinate feature extension.
+.TP
+.BR \-a \ { never \||\| always \||\| search \||\| find }
+Specify how aliases dereferencing is done. Should be one of
+.BR never ,
+.BR always ,
+.BR search ,
+or
+.B find
+to specify that aliases are never dereferenced, always dereferenced,
+dereferenced when searching, or dereferenced only when locating the
+base object for the search. The default is to never dereference aliases.
+.TP
+.BI \-l \ timelimit
+wait at most \fItimelimit\fP seconds for a search to complete.
+A timelimit of
+.I 0
+(zero) or
+.I none
+means no limit.
+A timelimit of
+.I max
+means the maximum integer allowable by the protocol.
+A server may impose a maximal timelimit which only
+the root user may override.
+.TP
+.BI \-z \ sizelimit
+retrieve at most \fIsizelimit\fP entries for a search.
+A sizelimit of
+.I 0
+(zero) or
+.I none
+means no limit.
+A sizelimit of
+.I max
+means the maximum integer allowable by the protocol.
+A server may impose a maximal sizelimit which only
+the root user may override.
+.TP
+.BI \-f \ file
+Read a series of lines from \fIfile\fP, performing one LDAP search for
+each line. In this case, the \fIfilter\fP given on the command line
+is treated as a pattern where the first and only occurrence of \fB%s\fP
+is replaced with a line from \fIfile\fP. Any other occurrence of the
+the \fB%\fP character in the pattern will be regarded as an error.
+Where it is desired that the search filter include a \fB%\fP character,
+the character should be encoded as \fB\\25\fP (see RFC 4515).
+If \fIfile\fP is a single
+\fB\-\fP character, then the lines are read from standard input.
+.B ldapsearch
+will exit when the first non-successful search result is returned,
+unless \fB\-c\fP is used.
+.TP
+.BR \-M [ M ]
+Enable manage DSA IT control.
+.B \-MM
+makes control critical.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
+.TP
+.B \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s);
+a list of URI, separated by whitespace or commas is expected;
+only the protocol/host/port fields are allowed.
+As an exception, if no host/port is specified, but a DN is,
+the DN is used to look up the corresponding host(s) using the
+DNS SRV records, according to RFC 2782. The DN must be a non-empty
+sequence of AVAs whose attribute type is "dc" (domain component),
+and must be escaped according to RFC 2396.
+.TP
+.BR \-P \ { 2 \||\| 3 }
+Specify the LDAP protocol version to use.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and search extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+Search extensions:
+.nf
+ !dontUseCopy
+ [!]domainScope (domain scope)
+ [!]mv=<filter> (matched values filter)
+ [!]pr=<size>[/prompt|noprompt] (paged results/prompt)
+ [!]sss=[\-]<attr[:OID]>[/[\-]<attr[:OID]>...] (server side sorting)
+ [!]subentries[=true|false] (subentries)
+ [!]sync=ro[/<cookie>] (LDAP Sync refreshOnly)
+ rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
+ [!]vlv=<before>/<after>(/<offset>/<count>|:<value>) (virtual list view)
+ [!]deref=derefAttr:attr[,attr[...]][;derefAttr:attr[,attr[...]]]
+ [!]<oid>[=:<value>|::<b64value>]
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+\fB\-ZZ\fP, the command will require the operation to be successful.
+.SH OUTPUT FORMAT
+If one or more entries are found, each entry is written to standard
+output in LDAP Data Interchange Format or
+.BR ldif (5):
+.LP
+.nf
+ version: 1
+
+ # bjensen, example, net
+ dn: uid=bjensen,dc=example,dc=net
+ objectClass: person
+ objectClass: dcObject
+ uid: bjensen
+ cn: Barbara Jensen
+ sn: Jensen
+ ...
+.fi
+.LP
+If the \fB\-t\fP option is used, the URI of a temporary file
+is used in place of the actual value. If the \fB\-A\fP option
+is given, only the "attributename" part is written.
+.SH EXAMPLE
+The following command:
+.LP
+.nf
+ ldapsearch \-LLL "(sn=smith)" cn sn telephoneNumber
+.fi
+.LP
+will perform a subtree search (using the default search base and
+other parameters defined in
+.BR ldap.conf (5))
+for entries with a surname (sn) of smith. The common name (cn), surname
+(sn) and telephoneNumber values will be retrieved and printed to
+standard output.
+The output might look something like this if two entries are found:
+.LP
+.nf
+ dn: uid=jts,dc=example,dc=com
+ cn: John Smith
+ cn: John T. Smith
+ sn: Smith
+ sn;lang\-en: Smith
+ sn;lang\-de: Schmidt
+ telephoneNumber: 1 555 123\-4567
+
+ dn: uid=sss,dc=example,dc=com
+ cn: Steve Smith
+ cn: Steve S. Smith
+ sn: Smith
+ sn;lang\-en: Smith
+ sn;lang\-de: Schmidt
+ telephoneNumber: 1 555 765\-4321
+.fi
+.LP
+The command:
+.LP
+.nf
+ ldapsearch \-LLL \-u \-t "(uid=xyz)" jpegPhoto audio
+.fi
+.LP
+will perform a subtree search using the default search base for entries
+with user id of "xyz". The user friendly form of the entry's DN will be
+output after the line that contains the DN itself, and the jpegPhoto
+and audio values will be retrieved and written to temporary files. The
+output might look like this if one entry with one value for each of the
+requested attributes is found:
+.LP
+.nf
+ dn: uid=xyz,dc=example,dc=com
+ ufn: xyz, example, com
+ audio:< file:///tmp/ldapsearch\-audio\-a19924
+ jpegPhoto:< file:///tmp/ldapsearch\-jpegPhoto\-a19924
+.fi
+.LP
+This command:
+.LP
+.nf
+ ldapsearch \-LLL \-s one \-b "c=US" "(o=University*)" o description
+.fi
+.LP
+will perform a one-level search at the c=US level for all entries
+whose organization name (o) begins with \fBUniversity\fP.
+The organization name and description attribute values will be retrieved
+and printed to standard output, resulting in output similar to this:
+.LP
+.nf
+ dn: o=University of Alaska Fairbanks,c=US
+ o: University of Alaska Fairbanks
+ description: Naturally Inspiring
+ description: leaf node only
+
+ dn: o=University of Colorado at Boulder,c=US
+ o: University of Colorado at Boulder
+ description: No personnel information
+ description: Institution of education and research
+
+ dn: o=University of Colorado at Denver,c=US
+ o: University of Colorado at Denver
+ o: UCD
+ o: CU/Denver
+ o: CU\-Denver
+ description: Institute for Higher Learning and Research
+
+ dn: o=University of Florida,c=US
+ o: University of Florida
+ o: UFl
+ description: Warper of young minds
+
+ ...
+.fi
+.SH DIAGNOSTICS
+Exit status is zero if no errors occur.
+Errors result in a non-zero exit status and
+a diagnostic message being written to standard error.
+.SH "SEE ALSO"
+.BR ldapadd (1),
+.BR ldapdelete (1),
+.BR ldapmodify (1),
+.BR ldapmodrdn (1),
+.BR ldap.conf (5),
+.BR ldif (5),
+.BR ldap (3),
+.BR ldap_search_ext (3),
+.BR ldap_sort (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man1/ldapurl.1 b/doc/man/man1/ldapurl.1
new file mode 100644
index 0000000..7e38270
--- /dev/null
+++ b/doc/man/man1/ldapurl.1
@@ -0,0 +1,168 @@
+.TH LDAPURL 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 2008-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldapurl \- LDAP URL formatting tool
+.SH SYNOPSIS
+.B ldapurl
+[\c
+.BR \-a \ attrs\fR]
+[\c
+.BI \-b \ searchbase\fR]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-f \ filter\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
+.BR \-s \ { base \||\| one \||\| sub \||\| children }]
+[\c
+.BI \-S \ scheme\fR]
+.SH DESCRIPTION
+.I ldapurl
+is a command that allows one to either compose or decompose LDAP URIs.
+.LP
+When invoked with the \fB\-H\fP option,
+.B ldapurl
+extracts the components of the \fIldapuri\fP option argument,
+unescaping hex-escaped chars as required.
+It basically acts as a frontend to the
+.BR ldap_url_parse (3)
+call.
+Otherwise, it builds an LDAP URI based on the components
+passed with the appropriate options, performing the inverse operation.
+Option \fB\-H\fP is incompatible with options
+.BR \-a ,
+.BR \-b ,
+.BR \-E ,
+.BR \-f ,
+.BR \-H ,
+.BR \-h ,
+.BR \-p ,
+.BR \-S ,
+and
+.BR \-s .
+.SH OPTIONS
+.TP
+.TP
+.BI \-a \ attrs
+Set a comma-separated list of attribute selectors.
+.TP
+.BI \-b \ searchbase
+Set the \fIsearchbase\fP.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+Set URL extensions; incompatible with
+.BR \-H .
+.TP
+.BI \-f \ filter
+Set the URL filter. No particular check on conformity with RFC 4515
+LDAP filters is performed, but the value is hex-escaped as required.
+.TP
+.BI \-H \ ldapuri
+Specify URI to be exploded.
+.TP
+.BI \-h \ ldaphost
+Set the host.
+.TP
+.BI \-p \ ldapport
+Set the TCP port.
+.TP
+.BI \-S \ scheme
+Set the URL scheme. Defaults for other fields, like \fIldapport\fP,
+may depend on the value of \fIscheme\fP.
+.TP
+.BR \-s \ { base \||\| one \||\| sub \||\| children }
+Specify the scope of the search to be one of
+.BR base ,
+.BR one ,
+.BR sub ,
+or
+.B children
+to specify a base object, one-level, subtree, or children search.
+The default is
+.BR sub .
+Note:
+.B children
+scope requires LDAPv3 subordinate feature extension.
+
+.SH OUTPUT FORMAT
+If the \fB\-H\fP option is used, the \fIldapuri\fP supplied
+is exploded in its components, which are printed to standard output
+in an LDIF-like form.
+.LP
+Otherwise, the URI built using the values passed with the other options
+is printed to standard output.
+.SH EXAMPLE
+The following command:
+.LP
+.nf
+ ldapurl \-h ldap.example.com \-b dc=example,dc=com \-s sub \-f "(cn=Some One)"
+.fi
+.LP
+returns
+.LP
+.nf
+ ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One)
+.fi
+.LP
+The command:
+.LP
+.nf
+ ldapurl \-H ldap://ldap.example.com:389/dc=example,dc=com??sub?(cn=Some%20One)
+.fi
+.LP
+returns
+.LP
+.nf
+ scheme: ldap
+ host: ldap.example.com
+ port: 389
+ dn: dc=example,dc=com
+ scope: sub
+ filter: (cn=Some One)
+.fi
+.LP
+.SH DIAGNOSTICS
+Exit status is zero if no errors occur.
+Errors result in a non-zero exit status and
+a diagnostic message being written to standard error.
+.SH "SEE ALSO"
+.BR ldap (3),
+.BR ldap_url_parse (3),
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man1/ldapvc.1 b/doc/man/man1/ldapvc.1
new file mode 100644
index 0000000..4733080
--- /dev/null
+++ b/doc/man/man1/ldapvc.1
@@ -0,0 +1,213 @@
+.TH LDAPVC 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldapvc \- LDAP verify credentials tool
+.SH SYNOPSIS
+.B ldapvc
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-a ]
+[\c
+.BR \-b ]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+\c
+.I Distinguished Name \
+\c
+.I [Credentials]
+.SH DESCRIPTION
+.I ldapvc
+implements the LDAP "Verify Credentials" extended operation.
+.LP
+.B Verify Credentials
+operation behaves like LDAP Bind but has no impact upon the underlying LDAP session.
+.SH OPTIONS
+.TP
+.BR \-V [ V ]
+Print version info.
+If \fB\-VV\fP is given, only the version information is printed.
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.B ldapvc
+must be compiled with LDAP_DEBUG defined for this option to have any effect.
+.TP
+.B \-a
+Print the authzID resulting from a successful verification of credentials.
+.TP
+.B \-b
+Print the results from the ppolicy control after verification of credentials.
+.TP
+.B \-n
+Show what would be done, but don't actually perform the operation.
+Useful for
+debugging in conjunction with \fB\-v\fP.
+.TP
+.B \-v
+Run in verbose mode, with many diagnostics written to standard output.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
+.TP
+.B \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and Verify Credentials extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+.sp
+Verify Credentials extensions:
+.sp
+The following options set SASL params on the Verify Credentials request:
+.nf
+ authcid=<authcid> (SASL Authentication Identity "dn:<dn>" or "u:<user>")
+ authzid=<authzid> (SASL Authorization Identity "dn:<dn>" or "u:<user>")
+ mech=<mech> (SASL mechanism default e.g. Simple)
+ realm=<realm> (SASL Realm, defaults to none)
+ sasl=a[utomatic]|i[nteractive]|q[uiet] (SASL mode defaults to automatic if any other -E option provided, otherwise none)
+ secprops=<secprops> (SASL Security Properties)
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.B -o
+option that can be passed here, check
+.BR ldap.conf (5)
+for details.
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+\fB\-ZZ\fP, the command will require the operation to be successful.
+.SH EXAMPLE
+.nf
+ ldapvc \-x "uid=Alice,ou=People,dc=example,dc=com"
+.fi
+.SH "SEE ALSO"
+.BR ldap.conf (5),
+.BR ldap (3),
+.BR ldap_extended_operation (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project
diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
new file mode 100644
index 0000000..49b1187
--- /dev/null
+++ b/doc/man/man1/ldapwhoami.1
@@ -0,0 +1,194 @@
+.TH LDAPWHOAMI 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.SH NAME
+ldapwhoami \- LDAP who am i? tool
+.SH SYNOPSIS
+.B ldapwhoami
+[\c
+.BR \-V [ V ]]
+[\c
+.BI \-d \ debuglevel\fR]
+[\c
+.BR \-n ]
+[\c
+.BR \-v ]
+[\c
+.BR \-x ]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BR \-W ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BI \-o \ opt \fR[= optparam \fR]]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BR \-N ]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z [ Z ]]
+.SH DESCRIPTION
+.I ldapwhoami
+implements the LDAP "Who Am I?" extended operation.
+.LP
+.B ldapwhoami
+opens a connection to an LDAP server, binds, and performs a whoami
+operation.
+.SH OPTIONS
+.TP
+.BR \-V [ V ]
+Print version info.
+If \fB\-VV\fP is given, only the version information is printed.
+.TP
+.BI \-d \ debuglevel
+Set the LDAP debugging level to \fIdebuglevel\fP.
+.B ldapwhoami
+must be compiled with LDAP_DEBUG defined for this option to have any effect.
+.TP
+.B \-n
+Show what would be done, but don't actually perform the whoami operation.
+Useful for
+debugging in conjunction with \fB\-v\fP.
+.TP
+.B \-v
+Run in verbose mode, with many diagnostics written to standard output.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
+.TP
+.B \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and whoami extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+WhoAmI extensions:
+.nf
+ (none)
+.fi
+.TP
+.BI \-o \ opt \fR[= optparam \fR]
+
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
+.fi
+
+.B -o
+option that can be passed here, check
+.BR ldap.conf (5)
+for details.
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.B \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+\fB\-ZZ\fP, the command will require the operation to be successful.
+.SH EXAMPLE
+.nf
+ ldapwhoami \-x \-D "cn=Manager,dc=example,dc=com" \-W
+.fi
+.SH "SEE ALSO"
+.BR ldap.conf (5),
+.BR ldap (3),
+.BR ldap_extended_operation (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+.so ../Project