Directory Server client utilities
The Directory Server client utilities use the ldap_sasl_bind or ldap_sasl_bind_s API to initiate a bind. The behavior and usage of the client utilities vary based on the values that you provide.
- If you specify the admin DN, the password must be correctly specified or the bind is not successful.
- If a null DN or a zero-length DN is specified, you receive unauthenticated access unless you are using an external bind (SASL) such as Kerberos.
- If a DN is specified, and is non-null, a password must also be specified, or an error is returned.
- If a DN and password are specified but do not fall under any suffix in the directory, a referral is returned.
- If a DN and password are specified and are correct, the user is bound with that identity.
- If a DN and password are specified but the DN does not exist, unauthenticated access is given.
- If a DN and password are specified and the DN exists but the object does not have a user password, an error message is returned.
- idsldapchangepwd
- idsldapdelete
- idsldapexop
- idsldapmodify, idsldapadd
- idsldapmodrdn
- idsldapsearch
You can download the example code from the virtual appliance console, Managing custom files.
folder. See
LDAP C-client utilities (ibmdirctl, ldapadd, ldapchangepwd, ldapcompare, ldapdelete, ldapexop, ldapmodify, ldapmodrdn, ldapsearch, and ldaptrace) internally use the connect() system call to connect to the specified socket on the target system. When an LDAP client attempts to connect to a system that is down, the connect() system call returns only when the TCP/IP timeout is met. In such a case, the LDAP client operation appears to be hung.
You can configure an LDAP client to return earlier than the system-wide TCP/IP timeout value. To return earlier, run an LDAP client command with the -1 option along with the timeout value in seconds and microseconds.