LDAPCOMPARE(1)              General Commands Manual             LDAPCOMPARE(1)

NAME

       ldapcompare - LDAP compare tool

SYNOPSIS

       ldapcompare [-V[V]] [-d debuglevel] [-n] [-v] [-z] [-M[M]] [-x]
       [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-P {2|3}]
       [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-o opt[=optparam]]
       [-O security-properties] [-I] [-Q] [-N] [-U authcid] [-R realm]
       [-X authzid] [-Y mech] [-Z[Z]] DN {attr:value | attr::b64value}

DESCRIPTION

       ldapcompare is a shell-accessible interface to the ldap_compare_ext(3)
       library call.

       ldapcompare opens a connection to an LDAP server, binds, and performs a
       compare using specified parameters. The DN should be a distinguished
       name in the directory. Attr should be a known attribute. If followed
       by one colon, the assertion value should be provided as a string. If
       followed by two colons, the base64 encoding of the value is provided.
       The result code of the compare is provided as the exit code and, unless
       run with -z, the program prints TRUE, FALSE, or UNDEFINED on standard
       output.

OPTIONS

       -V[V]  Print version info. If -VV is given, only the version
              information is printed.

       -d debuglevel
              Set the LDAP debugging level to debuglevel. ldapcompare must be
              compiled with LDAP_DEBUG defined for this option to have any
              effect.

       -n     Show what would be done, but don't actually perform the compare.
              Useful for debugging in conjunction with -v.

       -v     Run in verbose mode, with many diagnostics written to standard
              output.

       -z     Run in quiet mode, no output is written. You must check the
              return status. Useful in shell scripts.

       -M[M]  Enable manage DSA IT control. -MM makes control critical.

       -x     Use simple authentication instead of SASL.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.
              For SASL binds, the server is expected to ignore this value.

       -W     Prompt for simple authentication. This is used instead of
              specifying the password on the command line.

       -w passwd
              Use passwd as the password for simple authentication.

       -y passwdfile
              Use complete contents of passwdfile as the password for simple
              authentication. Note that complete means that any leading or
              trailing whitespace, including newlines, will be considered
              part of the password and, unlike other software, it will not
              be stripped. As a consequence, passwords stored in files by
              commands like echo(1) will not behave as expected, since echo(1)
              by default appends a trailing newline to the echoed string. The
              recommended portable way to store a cleartext password in a file
              for use with this option is to use slappasswd(8) with
              {CLEARTEXT} as hash and the option -n.

       -H ldapuri
              Specify URI(s) referring to the ldap server(s); only the
              protocol/host/port fields are allowed; a list of URIs, separated
              by whitespace or commas, is expected.

       -P {2|3}
              Specify the LDAP protocol version to use.

       -e [!]ext[=extparam]

       -E [!]ext[=extparam]

              Specify general extensions with -e and compare extensions with
              -E. '!' indicates criticality.

              General extensions:
                [!]assert=<filter>    (an RFC 4515 Filter)
                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
                [!]bauthzid           (RFC 3829 authzid control)
                [!]chaining[=<resolve>[/<cont>]]
                [!]manageDSAit
                [!]noop
                ppolicy
                [!]postread[=<attrs>] (a comma-separated attribute list)
                [!]preread[=<attrs>]  (a comma-separated attribute list)
                [!]relax
                sessiontracking[=<username>]
                abandon,cancel,ignore (SIGINT sends abandon/cancel,
                or ignores response; if critical, doesn't wait for SIGINT.
                not really controls)

              Compare extensions:
                !dontUseCopy

       -o opt[=optparam]

              Specify any ldap.conf(5) option or one of the following:
                nettimeout=<timeout>  (in seconds, or "none" or "max")
                ldif_wrap=<width>     (in columns, or "no" for no wrapping)

       -O security-properties
              Specify SASL security properties.

       -I     Enable SASL Interactive mode. Always prompt. Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode. Never prompt.

       -N     Do not use reverse DNS to canonicalize SASL host name.

       -U authcid
              Specify the authentication ID for SASL bind. The form of the ID
              depends on the actual SASL mechanism used.

       -R realm
              Specify the realm of authentication ID for SASL bind. The form
              of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL bind. authzid
              must be one of the following formats: dn:<distinguished name> or
              u:<username>

       -Y mech
              Specify the SASL mechanism to be used for authentication. If
              it's not specified, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
              you use -ZZ, the command will require the operation to be
              successful.
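
       Added example for the -y option above (not part of the OpenLDAP manual
       or distribution): writing a password file with no trailing newline, and
       checking an existing file for the edge whitespace that -y would treat as
       part of the password. It uses printf rather than the slappasswd(8) route
       the manual recommends; the function names are hypothetical.

```shell
# Added example; function names are hypothetical.

# Write SECRET to FILE exactly as given: no trailing newline, owner-only mode.
# printf is a builtin in bash and dash, so the secret is not passed in the
# argument list of a separate process.
write_passwdfile() {
    file=$1 secret=$2
    ( umask 077 && printf '%s' "$secret" > "$file" && chmod 600 "$file" )
}

# Hex value of the first and of the last byte of FILE.
first_byte() { od -An -tx1 -N1 "$1" | tr -d ' \n'; }
last_byte()  { tail -c 1 "$1" | od -An -tx1 | tr -d ' \n'; }

# Return 0 if FILE is non-empty and neither begins nor ends with a whitespace
# byte; return 1 otherwise. With -y such a byte is part of the password, so a
# file written by echo(1) (trailing 0a) is flagged. A password that really
# begins or ends with whitespace is flagged too and needs a manual check.
passwdfile_is_clean() {
    [ -s "$1" ] || return 1
    for b in "$(first_byte "$1")" "$(last_byte "$1")"; do
        case "$b" in
            09|0a|0b|0c|0d|20) return 1 ;;
        esac
    done
    return 0
}
```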

EXAMPLES

           ldapcompare "uid=babs,dc=example,dc=com" sn:Jensen
           ldapcompare "uid=babs,dc=example,dc=com" sn::SmVuc2Vu
       are all equivalent.
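
       Added example (not part of the OpenLDAP manual or distribution): a
       script wrapper that uses -z with the exit status described in
       DESCRIPTION and picks the attr:value or attr::b64value form. It assumes
       the exit status carries the RFC 4511 result codes compareFalse (5) and
       compareTrue (6) and that a base64(1) utility is installed; the function
       names are hypothetical.

```shell
# Added example; function names are hypothetical.
# Assumed exit statuses (RFC 4511): compareFalse = 5, compareTrue = 6.

# Map an ldapcompare exit status to a label.
compare_status() {
    case "$1" in
        6) echo TRUE ;;
        5) echo FALSE ;;
        *) echo "ERROR($1)" ;;
    esac
}

# Build the assertion argument. attr:value is used only for printable ASCII
# that does not start with ':'; a leading ':' would make the argument read as
# the attr::b64value form. Everything else is sent as attr::b64value.
# base64 is an encoding only: the value is still visible in the argument
# list of the ldapcompare process (see LIMITATIONS).
compare_assertion() (
    LC_ALL=C
    attr=$1 value=$2
    case "$value" in
        :* | *[![:print:]]*)
            printf '%s::%s\n' "$attr" \
                "$(printf '%s' "$value" | base64 | tr -d '\n')" ;;
        *)
            printf '%s:%s\n' "$attr" "$value" ;;
    esac
)

# Quiet compare: returns 0 for TRUE, 1 for FALSE, 2 for any other result.
# Arguments after the value (e.g. -H, -D, -y) are passed to ldapcompare.
ldap_attr_equals() {
    dn=$1 attr=$2 value=$3
    shift 3
    rc=0
    # TRUE and FALSE are both non-zero exits, so capture the status
    # explicitly instead of letting `set -e` abort the script.
    ldapcompare -z "$@" "$dn" "$(compare_assertion "$attr" "$value")" || rc=$?
    case "$rc" in
        6) return 0 ;;
        5) return 1 ;;
        *) echo "ldapcompare: $(compare_status "$rc")" >&2; return 2 ;;
    esac
}
```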

LIMITATIONS

       Requiring the value be passed on the command line is limiting and
       introduces some security concerns. The command should support a
       mechanism to specify the location (file name or URL) to read the value
       from.

SEE ALSO

       ldap.conf(5), ldif(5), ldap(3), ldap_compare_ext(3)

AUTHOR

       The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS

       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>. OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.

OpenLDAP 2.6.3                    2022/07/14                    LDAPCOMPARE(1)