ldapcompare — perform LDAP compare operations
Synopsis
ldapcompare {options} attribute:value DN
Description
This utility can be used to perform LDAP compare operations in the Directory Server.
Options
The ldapcompare command takes the following options:
Command options:
--assertionFilter {filter}
Use the LDAP assertion control with the provided filter.
-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}
Use a request control with the provided information.
For some controloid values, you can replace object identifiers with user-friendly strings. The values are not case-sensitive:
Assertion
,LdapAssertion
Assertion Request Control, Object Identifier: 1.3.6.1.1.12
AccountUsable
,AccountUsability
Account Usability Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
AuthzId
,AuthorizationIdentity
Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16
Csn
,ChangeNumber
,ChangeSequenceNumber
Change Sequence Number Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.9
This is an internal DS server control.
EffectiveRights
,GetEffectiveRights
Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
ManageDsaIt
Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2
Noop
,No-Op
No-Op Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2
PwdPolicy
,PasswordPolicy
Password Policy Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
PasswordQualityAdvice
Password Quality Advice Request Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.5
PermissiveModify
Permissive Modify Request Control, Object Identifier: 1.2.840.113556.1.4.1413
PSearch
,PersistentSearch
Persistent Search Request Control, Object Identifier: 2.16.840.1.113730.3.4.3
PostRead
Post Read Request Control, Object Identifier: 1.3.6.1.1.13.2
PreRead
Pre Read Request Control, Object Identifier: 1.3.6.1.1.13.1
ProxiedAuthV1
Proxied Authorization Request Control V1, Object Identifier: 2.16.840.1.113730.3.4.12
ProxiedAuth
,ProxiedAuthV2
Proxied Authorization Request Control V2, Object Identifier: 2.16.840.1.113730.3.4.18
RealAttrsOnly
,RealAttributesOnly
Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17
RelaxRules
Relax Rules Request Control, Object Identifier: 1.3.6.1.4.1.4203.666.5.12
TreeDelete
,SubTreeDelete
Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805
Sort
,ServerSideSort
Server Side Sort Request Control, Object Identifier: 1.2.840.113556.1.4.473
PagedResults
,SimplePagedResults
Simple Paged Results Control, Object Identifier: 1.2.840.113556.1.4.319
SubEntries
Sub-Entries Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.1
TxnId
,TransactionId
Transaction ID Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1
This is an internal ForgeRock control.
VirtualAttrsOnly
,VirtualAttributesOnly
Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19
Vlv
,VirtualListView
Virtual List View Request Control, Object Identifier: 2.16.840.1.113730.3.4.9
-m | --useCompareResultCode
Use the LDAP compare result as an exit code for the LDAP compare operations.
Default: false
-n | --dry-run
Show what would be done but do not perform any operation and do not contact the server.
Default: false
-S | --scriptFriendly
Use script-friendly mode.
Default: false
-Y | --proxyAs {authzID}
Use the proxied authorization control with the given authorization ID.
LDAP connection options:
--connectTimeout {timeout}
Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default: 30000
-D | --bindDn {bindDN}
DN to use to bind to the server.
Default:
-E | --reportAuthzId
Use the authorization identity control.
Default: false
-h | --hostname {host}
Fully-qualified server host name or IP address.
Default: localhost.localdomain
-N | --certNickname {nickname}
Nickname of the certificate that should be sent to the server for SSL client authentication.
-o | --saslOption {name=value}
SASL bind options.
-p | --port {port}
Directory server port number.
-q | --useStartTls
Use StartTLS to secure communication with the server.
Default: false
-T | --trustStorePassword {trustStorePassword}
Truststore cleartext password.
--useJavaKeyStore {keyStorePath}
JKS keystore containing the certificate which should be used for SSL client authentication.
--useJavaTrustStore {trustStorePath}
Use a JKS truststore file for validating server certificate.
--useJceKeyStore {keyStorePath}
JCEKS keystore containing the certificate which should be used for SSL client authentication.
--useJceTrustStore {trustStorePath}
Use a JCEKS truststore file for validating server certificate.
--useJvmTrustStore
Use the a JVM truststore for validating server certificate.
Default: false
--usePasswordPolicyControl
Use the password policy request control.
Default: false
--usePkcs11KeyStore
PKCS#11 keystore containing the certificate which should be used for SSL client authentication.
Default: false
--usePkcs12KeyStore {keyStorePath}
PKCS#12 keystore containing the certificate which should be used for SSL client authentication.
--usePkcs12TrustStore {trustStorePath}
Use a PKCS#12 truststore file for validating server certificate.
-w | --bindPassword {bindPassword}
Password to use to bind to the server. Omit this option while providing the bind DN to ensure that the command prompts for the password, rather than entering the password as a command argument.
-W | --keyStorePassword {keyStorePassword}
Keystore cleartext password.
-X | --trustAll
Trust all server SSL certificates.
Default: false
-Z | --useSsl
Use SSL for secure communication with the server.
Default: false
Utility input/output options:
--no-prompt
Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
Default: false
--noPropertiesFile
No properties file will be used to get default command line argument values.
Default: false
--propertiesFilePath {propertiesFilePath}
Path to the file containing default property values used for command line arguments.
-v | --verbose
Use verbose mode.
Default: false
General options:
-V | --version
Display Directory Server version information.
Default: false
-H | --help
Display this usage information.
Default: false
Exit Codes
- 0
The command completed successfully.
- 5
The LDAP compare operation did not match.
- 6
The
-m
option was used, and the LDAP compare operation did match.- ldap-error
An LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
- 89
An error occurred while parsing the command-line arguments.
Files
You can use ~/.opendj/tools.properties
to set the defaults for bind DN, host name, and port number as in the following example:
hostname=directory.example.com port=1389 bindDN=uid=kvaughan,ou=People,dc=example,dc=com ldapcompare.port=1389 ldapdelete.port=1389 ldapmodify.port=1389 ldappasswordmodify.port=1389 ldapsearch.port=1389
Examples
The following examples demonstrate comparing Babs Jensen's UID.
The following example uses a matching UID value:
$ldapcompare --port 1389 uid:bjensen uid=bjensen,ou=people,dc=example,dc=com
Comparing type uid with value bjensen in entry uid=bjensen,ou=people,dc=example,dc=com Compare operation returned true for entry uid=bjensen,ou=people,dc=example,dc=com
The following example uses a UID value that does not match:
$ldapcompare --port 1389 uid:beavis uid=bjensen,ou=people,dc=example,dc=com
Comparing type uid with value beavis in entry uid=bjensen,ou=people,dc=example,dc=com Compare operation returned false for entry uid=bjensen,ou=people,dc=example,dc=com