LDAPEXOP(1)                 General Commands Manual                LDAPEXOP(1)

NAME

       ldapexop - issue LDAP extended operations

SYNOPSIS

       ldapexop [-V[V]] [-d debuglevel] [-n] [-v] [-f file] [-x] [-D binddn]
       [-W] [-w passwd] [-y passwdfile] [-H URI] [-e [!]ext[=extparam]]
       [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N]
       [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]]
       {oid | oid:data | oid::b64data | whoami | cancel cancel-id |
       refresh DN [ttl]}

DESCRIPTION

       ldapexop issues the LDAP extended operation specified by oid or one of
       the special keywords whoami, cancel, or refresh.

       Additional data for the extended operation can be passed to the server
       using data or base-64 encoded as b64data in the case of oid, or using
       the additional parameters in the case of the specially named extended
       operations above.

       Please note that ldapexop behaves differently for the same extended
       operation when it was given as an OID or as a specially named operation:

       Calling ldapexop with the OID of the whoami (RFC 4532) extended
       operation

         ldapexop [<options>] 1.3.6.1.4.1.4203.1.11.3

       yields

         # extended operation response
         data:: <base64 encoded response data>

       while calling it with the keyword whoami

         ldapexop [<options>] whoami

       results in

         dn:<client's identity>
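
       The two output forms described above can be reduced to the same
       identity string. The following is an added example, not part of the
       original manual page or of OpenLDAP: the function names and the sample
       DN are constructed, and it assumes that the whoami response data is the
       authorization identity string (RFC 4532) and that base64 -d is available.

```shell
#!/bin/sh
# Added example: reduce ldapexop output from either invocation form to the
# same identity string. Typical capture (placeholder host and variables):
#   ldapexop -ZZ -x -D "$BINDDN" -y "$PWFILE" -H ldap://ldap.example.com \
#       1.3.6.1.4.1.4203.1.11.3 | decode_exop_data

decode_exop_data() {
    # Unfold LDIF continuation lines (a line starting with one space
    # continues the previous line), then decode the "data" attribute.
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (buf != "") print buf; buf = $0 }
        END  { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case $line in
            # OID form: "data:: " marks a base64-encoded value
            "data:: "*) printf '%s' "${line#data:: }" | base64 -d; echo ;;
            # plain (not encoded) value
            "data: "*)  printf '%s\n' "${line#data: }" ;;
            # keyword form: identity is already printed in clear
            "dn:"*)     printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample of the OID-form output, folded after 20 characters to
# mimic LDIF line wrapping (see the ldif_wrap option).
sample_oid_output() {
    b64=$(printf '%s' 'dn:cn=admin,dc=example,dc=com' | base64 | tr -d '\n')
    printf '# extended operation response\n'
    printf 'data:: %s\n %s\n' \
        "$(printf '%s' "$b64" | cut -c1-20)" \
        "$(printf '%s' "$b64" | cut -c21-)"
}

sample_oid_output | decode_exop_data
```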

OPTIONS

       -V[V]  Print version info.  If -VV is given, only the version
              information is printed.

       -d debuglevel
              Set the LDAP debugging level to debuglevel.

       -n     Show what would be done but don't actually do it.  Useful for
              debugging in conjunction with -v.

       -v     Run in verbose mode, with many diagnostics written to standard
              output.

       -f file
              Read operations from file.

       -x     Use simple authentication instead of SASL.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.

       -W     Prompt for simple authentication.  This is used instead of
              specifying the password on the command line.

       -w passwd
              Use passwd as the password for simple authentication.

       -y passwdfile
              Use complete contents of passwdfile as the password for simple
              authentication.

       -H URI Specify URI(s) referring to the ldap server(s); only the
              protocol/host/port fields are allowed; a list of URI, separated
              by whitespace or commas is expected.

       -e [!]ext[=extparam]
              Specify general extensions.  '!' indicates criticality.
                [!]assert=<filter>    (an RFC 4515 Filter)
                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
                [!]bauthzid           (RFC 3829 authzid control)
                [!]chaining[=<resolve>[/<cont>]]
                [!]manageDSAit
                [!]noop
                ppolicy
                [!]postread[=<attrs>] (a comma-separated attribute list)
                [!]preread[=<attrs>]  (a comma-separated attribute list)
                [!]relax
                sessiontracking[=<username>]
                abandon,cancel,ignore (SIGINT sends abandon/cancel,
                or ignores response; if critical, doesn't wait for SIGINT.
                not really controls)

       -o opt[=optparam]
              Specify any ldap.conf(5) option or one of the following:
                nettimeout=<timeout>  (in seconds, or "none" or "max")
                ldif_wrap=<width>     (in columns, or "no" for no wrapping)

       -O security-properties
              Specify SASL security properties.

       -I     Enable SASL Interactive mode.  Always prompt.  Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode.  Never prompt.

       -N     Do not use reverse DNS to canonicalize SASL host name.

       -U authcid
              Specify the authentication ID for SASL bind.  The form of the ID
              depends on the actual SASL mechanism used.

       -R realm
              Specify the realm of authentication ID for SASL bind.  The form
              of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL bind.  authzid
              must be one of the following formats: dn:<distinguished name> or
              u:<username>

       -Y mech
              Specify the SASL mechanism to be used for authentication.
              Without this option, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation.
              Giving it twice (-ZZ) will require the operation to be
              successful.

DIAGNOSTICS

       Exit status is zero if no errors occur.  Errors result in a non-zero
       exit status and a diagnostic message being written to standard error.

SEE ALSO

       ldap_extended_operation_s(3)

AUTHOR

       This manual page was written by Peter Marschall based on ldapexop's
       usage message and a few tests with ldapexop.  Do not expect it to be
       complete or absolutely correct.

ACKNOWLEDGEMENTS

       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.