1
2LDAPEXOP(1)                 General Commands Manual                LDAPEXOP(1)
3
4
5

NAME

7       ldapexop - issue LDAP extended operations
8
9

SYNOPSIS

11       ldapexop  [-V[V]]  [-d debuglevel] [-n] [-v] [-f file] [-x] [-D binddn]
12       [-W] [-w passwd] [-y passwdfile] [-H URI]  [-h ldaphost]  [-p ldapport]
13       [-e [!]ext[=extparam]]   [-o opt[=optparam]]   [-O security-properties]
14       [-I] [-Q] [-N] [-U authcid] [-R realm] [-X authzid]  [-Y mech]  [-Z[Z]]
15       {oid   |   oid:data  |  oid::b64data  |  whoami  |  cancel cancel-id  |
16       refresh DN [ttl]}
17
18

DESCRIPTION

20       ldapexop issues the LDAP extended operation specified by oid or one  of
21       the special keywords whoami, cancel, or refresh.
22
23       Additional  data for the extended operation can be passed to the server
24       using data or base-64 encoded as b64data in the case of oid,  or  using
25       the  additional  parameters in the case of the specially named extended
26       operations above.
27
28       Please note that ldapexop behaves differently  for  the  same  extended
29       operation  when  it was given as an OID or as a specialliy named opera‐
30       tion:
31
32       Calling ldapexop with the OID of the whoami (RFC 4532) extended  opera‐
33       tion
34
35         ldapexop [<options>] 1.3.6.1.4.1.4203.1.11.3
36
37       yields
38
39         # extended operation response
40         data:: <base64 encoded response data>
41
42       while calling it with the keyword whoami
43
44         ldapexop [<options>] whoami
45
46       results in
47
48         dn:<client's identity>
49
50
51
52

OPTIONS

54       -V[V]  Print  version  info.  If-VV is given, only the version informa‐
55              tion is printed.
56
57       -d debuglevel
58              Set the LDAP debugging level to debuglevel.
59
60       -n     Show what would be done but don't actually do  it.   Useful  for
61              debugging in conjunction with -v.
62
63       -v     Run  in  verbose mode, with many diagnostics written to standard
64              output.
65
66       -f file
67              Read operations from file.
68
69       -x     Use simple authentication instead of SASL.
70
71       -D binddn
72              Use the Distinguished Name binddn to bind to the LDAP directory.
73
74       -W     Prompt for simple authentication.  This is used instead of spec‐
75              ifying the password on the command line.
76
77       -w passwd
78              Use passwd as the password for simple authentication.
79
80       -y passwdfile
81              Use  complete  contents of passwdfile as the password for simple
82              authentication.
83
84       -H URI Specify URI(s) referring to the ldap server(s); only the  proto‐
85              col/host/port  fields  are  allowed; a list of URI, separated by
86              whitespace or commas is expected.
87
88       -h ldaphost
89              Specify the host on which the ldap server  is  running.   Depre‐
90              cated in favor of -H.
91
92       -p ldapport
93              Specify the TCP port where the ldap server is listening.  Depre‐
94              cated in favor of -H.
95
96       -e [!]ext[=extparam]
97              Specify general extensions.  ´!´ indicates criticality.
98                [!]assert=<filter>    (an RFC 4515 Filter)
99                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
100                [!]bauthzid           (RFC 3829 authzid control)
101                [!]chaining[=<resolve>[/<cont>]]
102                [!]manageDSAit
103                [!]noop
104                ppolicy
105                [!]postread[=<attrs>] (a comma-separated attribute list)
106                [!]preread[=<attrs>]  (a comma-separated attribute list)
107                [!]relax
108                sessiontracking
109                abandon,cancel,ignore (SIGINT sends abandon/cancel,
110                or ignores response; if critical, doesn't wait for SIGINT.
111                not really controls)
112
113       -o opt[=optparam]
114
115              Specify general options.
116
117              General options:
118                nettimeout=<timeout>  (in seconds, or "none" or "max")
119                ldif-wrap=<width>     (in columns, or "no" for no wrapping)
120
121       -O security-properties
122              Specify SASL security properties.
123
124       -I     Enable SASL Interactive mode.  Always  prompt.   Default  is  to
125              prompt only as needed.
126
127       -Q     Enable SASL Quiet mode.  Never prompt.
128
129       -N     Do not use reverse DNS to canonicalize SASL host name.
130
131       -U authcid
132              Specify  the authentication ID for SASL bind. The form of the ID
133              depends on the actual SASL mechanism used.
134
135       -R realm
136              Specify the realm of authentication ID for SASL bind.  The  form
137              of the realm depends on the actual SASL mechanism used.
138
139       -X authzid
140              Specify  the  requested authorization ID for SASL bind.  authzid
141              must be one of the following formats: dn:<distinguished name> or
142              u:<username>
143
144       -Y mech
145              Specify the SASL mechanism to be used for authentication.  With‐
146              out this option, the program will choose the best mechanism  the
147              server knows.
148
149       -Z[Z]  Issue  StartTLS  (Transport  Layer Security) extended operation.
150              Giving it twice (-ZZ) will require the operation to be  success‐
151              ful.
152
153

DIAGNOSTICS

155       Exit  status  is  zero if no errors occur.  Errors result in a non-zero
156       exit status and a diagnostic message being written to standard error.
157
158

SEE ALSO

160       ldap_extended_operation_s(3)
161
162

AUTHOR

164       This manual page was written by Peter  Marschall  based  on  ldapexop's
165       usage  message  and  a few tests with ldapexop.  Do not expect it to be
166       complete or absolutely correct.
167
168

ACKNOWLEDGEMENTS

170       OpenLDAP Software is developed and maintained by The  OpenLDAP  Project
171       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
172       versity of Michigan LDAP 3.3 Release.
173
174
175
176
177                                                                   LDAPEXOP(1)
Impressum