1LDAPCOMPARE(1)              General Commands Manual             LDAPCOMPARE(1)
2
3
4

NAME

6       ldapcompare - LDAP compare tool
7

SYNOPSIS

9       ldapcompare   [-V[V]]  [-d debuglevel]  [-n]  [-v]  [-z]  [-M[M]]  [-x]
10       [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
11       [-p ldapport]  [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
12       [-o opt[=optparam]] [-O security-properties] [-I] [-Q]  [-N]  [-U auth‐
13       cid]   [-R realm]  [-X authzid]  [-Y mech]  [-Z[Z]]  DN  {attr:value  |
14       attr::b64value}
15

DESCRIPTION

17       ldapcompare is a shell-accessible interface to the  ldap_compare_ext(3)
18       library call.
19
20       ldapcompare opens a connection to an LDAP server, binds, and performs a
21       compare using specified parameters.   The DN should be a  distinguished
22       name  in the directory.  Attr should be a known attribute.  If followed
23       by one colon, the assertion value should be provided as a  string.   If
24       followed  by  two colons, the base64 encoding of the value is provided.
25       The result code of the compare is provided as the exit code and, unless
26       ran  with  -z, the program prints TRUE, FALSE, or UNDEFINED on standard
27       output.
28

OPTIONS

30       -V[V]  Print version info.  If -VV is given, only the version  informa‐
31              tion is printed.
32
33       -d debuglevel
34              Set the LDAP debugging level to debuglevel.  ldapcompare must be
35              compiled with LDAP_DEBUG defined for this option to have any ef‐
36              fect.
37
38       -n     Show what would be done, but don't actually perform the compare.
39              Useful for debugging in conjunction with -v.
40
41       -v     Run in verbose mode, with many diagnostics written  to  standard
42              output.
43
44       -z     Run in quiet mode, no output is written.  You must check the re‐
45              turn status.  Useful in shell scripts.
46
47       -M[M]  Enable manage DSA IT control.  -MM makes control critical.
48
49       -x     Use simple authentication instead of SASL.
50
51       -D binddn
52              Use the Distinguished Name binddn to bind to the LDAP directory.
53              For SASL binds, the server is expected to ignore this value.
54
55       -W     Prompt for simple authentication.  This is used instead of spec‐
56              ifying the password on the command line.
57
58       -w passwd
59              Use passwd as the password for simple authentication.
60
61       -y passwdfile
62              Use complete contents of passwdfile as the password  for  simple
63              authentication.   Note  that  complete means that any leading or
64              trailing whitespaces, including  newlines,  will  be  considered
65              part  of  the password and, unlike other software, they will not
66              be stripped.  As a consequence, passwords  stored  in  files  by
67              commands like echo(1) will not behave as expected, since echo(1)
68              by default appends a trailing newline to the echoed string.  The
69              recommended portable way to store a cleartext password in a file
70              for use with this option is to use slappasswd(8)  with  {CLEART‐
71              EXT} as hash and the option -n.
72
73       -H ldapuri
74              Specify  URI(s) referring to the ldap server(s); only the proto‐
75              col/host/port fields are allowed; a list of  URI,  separated  by
76              whitespace or commas is expected.
77
78       -h ldaphost
79              Specify  an  alternate host on which the ldap server is running.
80              Deprecated in favor of -H.
81
82       -p ldapport
83              Specify an alternate TCP port where the ldap server  is  listen‐
84              ing.  Deprecated in favor of -H.
85
86       -P {2|3}
87              Specify the LDAP protocol version to use.
88
89       -e [!]ext[=extparam]
90
91       -E [!]ext[=extparam]
92
93              Specify  general  extensions with -e and compare extensions with
94              -E.  ´!´ indicates criticality.
95
96              General extensions:
97                [!]assert=<filter>    (an RFC 4515 Filter)
98                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
99                [!]bauthzid           (RFC 3829 authzid control)
100                [!]chaining[=<resolve>[/<cont>]]
101                [!]manageDSAit
102                [!]noop
103                ppolicy
104                [!]postread[=<attrs>] (a comma-separated attribute list)
105                [!]preread[=<attrs>]  (a comma-separated attribute list)
106                [!]relax
107                sessiontracking
108                abandon,cancel,ignore (SIGINT sends abandon/cancel,
109                or ignores response; if critical, doesn't wait for SIGINT.
110                not really controls)
111
112              Compare extensions:
113                !dontUseCopy
114
115       -o opt[=optparam]
116
117              Specify any ldap.conf(5) option or one of the following:
118                nettimeout=<timeout>  (in seconds, or "none" or "max")
119                ldif_wrap=<width>     (in columns, or "no" for no wrapping)
120
121
122       -O security-properties
123              Specify SASL security properties.
124
125       -I     Enable SASL Interactive mode.  Always  prompt.   Default  is  to
126              prompt only as needed.
127
128       -Q     Enable SASL Quiet mode.  Never prompt.
129
130       -N     Do not use reverse DNS to canonicalize SASL host name.
131
132       -U authcid
133              Specify  the authentication ID for SASL bind. The form of the ID
134              depends on the actual SASL mechanism used.
135
136       -R realm
137              Specify the realm of authentication ID for SASL bind.  The  form
138              of the realm depends on the actual SASL mechanism used.
139
140       -X authzid
141              Specify  the  requested authorization ID for SASL bind.  authzid
142              must be one of the following formats: dn:<distinguished name> or
143              u:<username>
144
145       -Y mech
146              Specify  the  SASL  mechanism  to be used for authentication. If
147              it's not specified, the program will choose the  best  mechanism
148              the server knows.
149
150       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
151              you use -ZZ, the command will require the operation to  be  suc‐
152              cessful.
153

EXAMPLES

155           ldapcompare "uid=babs,dc=example,dc=com"  sn:Jensen
156           ldapcompare "uid=babs,dc=example,dc=com"  sn::SmVuc2Vu
157       are all equivalent.
158

LIMITATIONS

160       Requiring  the  value be passed on the command line is limiting and in‐
161       troduces some security concerns.  The command should support  a  mecha‐
162       nism to specify the location (file name or URL) to read the value from.
163

SEE ALSO

165       ldap.conf(5), ldif(5), ldap(3), ldap_compare_ext(3)
166

AUTHOR

168       The OpenLDAP Project <http://www.openldap.org/>
169

ACKNOWLEDGEMENTS

171       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
172       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
173       versity of Michigan LDAP 3.3 Release.
174
175
176
177OpenLDAP 2.4.57                   2021/01/18                    LDAPCOMPARE(1)
Impressum