ldapcompare



LDAPCOMPARE(1)                                                  LDAPCOMPARE(1)




NAME

       ldapcompare - LDAP compare tool


SYNOPSIS

       ldapcompare   [-n]   [-v]   [-z]   [-k]  [-K]  [-M[M]]  [-d debuglevel]
       [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
       [-p ldapport]  [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid]
       [-R realm]  [-x]  [-X authzid]  [-Y mech]  [-Z[Z]]  DN <   attr:value |
       attr::b64value >


DESCRIPTION

       ldapcompare  is  a  shell-accessible  interface  to the ldap_compare(3)
       library call.

       ldapcompare opens a connection to an LDAP server, binds, and performs a
       compare  using specified parameters.   The DN should be a distinguished
       name in the directory.  Attr should be a known attribute.  If  followed
       by  one  colon, the assertion value should be provided as a string.  If
       followed by two colons, the base64 encoding of the value  is  provided.
       The result code of the compare is provided as the exit code and, unless
       ran with -z, the program prints TRUE, FALSE, or UNDEFINED  on  standard
       output.



OPTIONS

       -n     Show what would be done, but don’t actually perform the compare.
              Useful for debugging in conjunction with -v.

       -v     Run in verbose mode, with many diagnostics written  to  standard
              output.

       -z     Run  in  quiet  mode,  no output is written.  You must check the
              return status.  Useful in shell scripts.

       -k     Use Kerberos IV authentication instead of simple authentication.
              It  is  assumed  that  you  already have a valid ticket granting
              ticket.  ldapcompare must be compiled with Kerberos support  for
              this option to have any effect.

       -K     Same  as -k, but only does step 1 of the Kerberos IV bind.  This
              is  useful  when  connecting  to  a  slapd  and  there   is   no
              x500dsa.hostname  principal registered with your Kerberos Domain
              Controller(s).

       -M[M]  Enable manage DSA IT control.  -MM makes control critical.

       -d debuglevel
              Set the LDAP debugging level to debuglevel.  ldapcompare must be
              compiled  with  LDAP_DEBUG  defined  for this option to have any
              effect.

       -x     Use simple authentication instead of SASL.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.

       -W     Prompt for simple authentication.  This is used instead of spec-
              ifying the password on the command line.

       -w passwd
              Use passwd as the password for simple authentication.

       -y passwdfile
              Use complete contents of passwdfile as the password  for  simple
              authentication.

       -H ldapuri
              Specify URI(s) referring to the ldap server(s).

       -h ldaphost
              Specify  an  alternate host on which the ldap server is running.
              Deprecated in favor of -H.

       -p ldapport
              Specify an alternate TCP port where the ldap server  is  listen-
              ing.  Deprecated in favor of -H.

       -P 2|3 Specify the LDAP protocol version to use.

       -O security-properties
              Specify SASL security properties.

       -I     Enable  SASL  Interactive  mode.   Always prompt.  Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode.  Never prompt.

       -U authcid
              Specify the authentication ID for SASL bind. The form of the  ID
              depends on the actual SASL mechanism used.

       -R realm
              Specify  the  realm of authentication ID for SASL bind. The form
              of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL  bind.   authzid
              must be one of the following formats: dn:<distinguished name> or
              u:<username>

       -Y mech
              Specify the SASL mechanism to be  used  for  authentication.  If
              it’s  not  specified, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
              you  use  -ZZ, the command will require the operation to be suc-
              cessful.


EXAMPLES

           ldapcompare "uid=babs,dc=example,dc=com"  sn:Jensen
           ldapcompare "uid=babs,dc=example,dc=com"  sn::SmVuc2Vu
       are all equivalent.


LIMITATIONS

       Requiring the value be passed on  the  command  line  is  limiting  and
       introduces some security concerns.  The command should support a mecha-
       nism to specify the location (file name or URL) to read the value from.


SEE ALSO

       ldap.conf(5), ldif(5), ldap(3), ldap_compare(3)


AUTHOR

       The OpenLDAP Project <http://www.openldap.org/>


ACKNOWLEDGEMENTS

       OpenLDAP   is   developed   and  maintained  by  The  OpenLDAP  Project
       (http://www.openldap.org/).  OpenLDAP is  derived  from  University  of
       Michigan LDAP 3.3 Release.



OpenLDAP 2.2.29                   2005/10/04                    LDAPCOMPARE(1)

Man(1) output converted with man2html