1LDAPCOMPARE(1)              General Commands Manual             LDAPCOMPARE(1)
2
3
4

NAME

6       ldapcompare - LDAP compare tool
7

SYNOPSIS

9       ldapcompare   [-V[V]]  [-d debuglevel]  [-n]  [-v]  [-z]  [-M[M]]  [-x]
10       [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
11       [-p ldapport]  [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
12       [-o opt[=optparam]] [-O security-properties] [-I] [-Q]  [-N]  [-U auth‐
13       cid]   [-R realm]  [-X authzid]  [-Y mech]  [-Z[Z]]  DN  {attr:value  |
14       attr::b64value}
15

DESCRIPTION

17       ldapcompare is a shell-accessible interface to the  ldap_compare_ext(3)
18       library call.
19
20       ldapcompare opens a connection to an LDAP server, binds, and performs a
21       compare using specified parameters.   The DN should be a  distinguished
22       name  in the directory.  Attr should be a known attribute.  If followed
23       by one colon, the assertion value should be provided as a  string.   If
24       followed  by  two colons, the base64 encoding of the value is provided.
25       The result code of the compare is provided as the exit code and, unless
26       ran  with  -z, the program prints TRUE, FALSE, or UNDEFINED on standard
27       output.
28

OPTIONS

30       -V[V]  Print version info.  If -VV is given, only the version  informa‐
31              tion is printed.
32
33       -d debuglevel
34              Set the LDAP debugging level to debuglevel.  ldapcompare must be
35              compiled with LDAP_DEBUG defined for this  option  to  have  any
36              effect.
37
38       -n     Show what would be done, but don't actually perform the compare.
39              Useful for debugging in conjunction with -v.
40
41       -v     Run in verbose mode, with many diagnostics written  to  standard
42              output.
43
44       -z     Run  in  quiet  mode,  no output is written.  You must check the
45              return status.  Useful in shell scripts.
46
47       -M[M]  Enable manage DSA IT control.  -MM makes control critical.
48
49       -x     Use simple authentication instead of SASL.
50
51       -D binddn
52              Use the Distinguished Name binddn to bind to the LDAP directory.
53              For SASL binds, the server is expected to ignore this value.
54
55       -W     Prompt for simple authentication.  This is used instead of spec‐
56              ifying the password on the command line.
57
58       -w passwd
59              Use passwd as the password for simple authentication.
60
61       -y passwdfile
62              Use complete contents of passwdfile as the password  for  simple
63              authentication.   Note  that  complete means that any leading or
64              trailing whitespaces, including  newlines,  will  be  considered
65              part  of  the password and, unlike other software, they will not
66              be stripped.  As a consequence, passwords  stored  in  files  by
67              commands like echo(1) will not behave as expected, since echo(1)
68              by default appends a trailing newline to the echoed string.  The
69              recommended portable way to store a cleartext password in a file
70              for use with this option is to use slappasswd(8)  with  {CLEART‐
71              EXT} as hash and the option -n.
72
73       -H ldapuri
74              Specify  URI(s) referring to the ldap server(s); only the proto‐
75              col/host/port fields are allowed; a list of  URI,  separated  by
76              whitespace or commas is expected.
77
78       -h ldaphost
79              Specify  an  alternate host on which the ldap server is running.
80              Deprecated in favor of -H.
81
82       -p ldapport
83              Specify an alternate TCP port where the ldap server  is  listen‐
84              ing.  Deprecated in favor of -H.
85
86       -P {2|3}
87              Specify the LDAP protocol version to use.
88
89       -e [!]ext[=extparam]
90
91       -E [!]ext[=extparam]
92
93              Specify  general  extensions with -e and compare extensions with
94              -E.  ´!´ indicates criticality.
95
96              General extensions:
97                [!]assert=<filter>    (an RFC 4515 Filter)
98                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
99                [!]bauthzid           (RFC 3829 authzid control)
100                [!]chaining[=<resolve>[/<cont>]]
101                [!]manageDSAit
102                [!]noop
103                ppolicy
104                [!]postread[=<attrs>] (a comma-separated attribute list)
105                [!]preread[=<attrs>]  (a comma-separated attribute list)
106                [!]relax
107                sessiontracking
108                abandon,cancel,ignore (SIGINT sends abandon/cancel,
109                or ignores response; if critical, doesn't wait for SIGINT.
110                not really controls)
111
112              Compare extensions:
113                !dontUseCopy
114
115       -o opt[=optparam]
116
117              Specify general options.
118
119              General options:
120                nettimeout=<timeout>  (in seconds, or "none" or "max")
121                ldif-wrap=<width>     (in columns, or "no" for no wrapping)
122
123       -O security-properties
124              Specify SASL security properties.
125
126       -I     Enable SASL Interactive mode.  Always  prompt.   Default  is  to
127              prompt only as needed.
128
129       -Q     Enable SASL Quiet mode.  Never prompt.
130
131       -N     Do not use reverse DNS to canonicalize SASL host name.
132
133       -U authcid
134              Specify  the authentication ID for SASL bind. The form of the ID
135              depends on the actual SASL mechanism used.
136
137       -R realm
138              Specify the realm of authentication ID for SASL bind.  The  form
139              of the realm depends on the actual SASL mechanism used.
140
141       -X authzid
142              Specify  the  requested authorization ID for SASL bind.  authzid
143              must be one of the following formats: dn:<distinguished name> or
144              u:<username>
145
146       -Y mech
147              Specify  the  SASL  mechanism  to be used for authentication. If
148              it's not specified, the program will choose the  best  mechanism
149              the server knows.
150
151       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
152              you use -ZZ, the command will require the operation to  be  suc‐
153              cessful.
154

EXAMPLES

156           ldapcompare "uid=babs,dc=example,dc=com"  sn:Jensen
157           ldapcompare "uid=babs,dc=example,dc=com"  sn::SmVuc2Vu
158       are all equivalent.
159

LIMITATIONS

161       Requiring  the  value  be  passed  on  the command line is limiting and
162       introduces some security concerns.  The command should support a mecha‐
163       nism to specify the location (file name or URL) to read the value from.
164

SEE ALSO

166       ldap.conf(5), ldif(5), ldap(3), ldap_compare_ext(3)
167

AUTHOR

169       The OpenLDAP Project <http://www.openldap.org/>
170

ACKNOWLEDGEMENTS

172       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
173       <http://www.openldap.org/>.  OpenLDAP Software is derived from  Univer‐
174       sity of Michigan LDAP 3.3 Release.
175
176
177
178OpenLDAP 2.4.44                   2016/02/05                    LDAPCOMPARE(1)
Impressum