ldapdelete

The LDAP delete-entry command line utility.

Synopsis

ldapdelete [-c] [-C charset] [-d debuglevel][-D binddn] [-f file]
[-G realm] [-h ldaphost] [-i file] [-k] [-K keyfile] [-m mechanism]
[-M] [-n] [-N certificatename] [-O maxops] [-p ldapport]
[-P keyfilepw] [-R] [-s][-U username} [-v] [-V version]
[-w passwd | ?] [-y proxydn][-Y] [-Z] [dn]...…

Description

ldapdelete is a command-line interface to the ldap_delete application programming interface (API).

ldapdelete opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more Distinguished Name (DN) arguments are provided, entries with those DNs are deleted. Each DN is a string-represented DN. If no DN arguments are provided, a list of DNs is read from standard input, or from a file if the -i flag is used.

To display syntax help for ldapdelete, type:

ldapdelete -?

Options

-c

Continuous operation mode. Errors are reported, but ldapdelete continues with deletions. Otherwise the default action is to exit after reporting an error.

-C charset

Specifies that the DNs supplied as input to the ldapdelete utility are represented in a local character set, as specified by charset. Use the -C charset option if the input string codepage is different from the job codepage value. Refer to the ldap_set_iconv_local_charset() API to see supported charset values.

-d debuglevel

Set the LDAP debugging level to debuglevel.

-D binddn

Use binddn to bind to the LDAP directory. binddn is a string-represented DN. When used with -m DIGEST-MD5, it is used to specify the authorization ID. It can either be a DN, or an authzId string starting with "u:" or "dn:".

-f file

Read a series of lines from file, performing one LDAP delete for each line in the file. Each line in the file should contain a single distinguished name (DN).

-G realm

Specify the realm. This parameter is optional. When used with -m DIGEST-MD5, the value is passed to the server during the bind.

-h ldaphost

Specify an alternate host on which the LDAP server is running.

-i file

Read a series of lines from file, performing one LDAP delete for each line in the file. Each line in the file should contain a single distinguished name.

-k

Specifies to use the server administration control.

-K keyfile

Specify the name of the SSL key database file. If the key database file is not in the current directory, specify the fully-qualified key database filename.

If the utility cannot locate a key database, it will use a hard-coded set of default trusted certificate authority roots. The key database file typically contains one or more certificates of certification authorities (CAs) that are trusted by the client. These types of X.509 certificates are also known as trusted roots.

This parameter effectively enables the -Z switch. For Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.

-m mechanism

Use mechanism to specify the SASL mechanism to be used to bind to the server. The ldap_sasl_bind_s() API is used. The -m parameter is ignored if -V 2 is set. If -m is not specified, simple authentication is used. Valid mechanisms are:

CRAM-MD5 - protects the password sent to the server.
EXTERNAL - uses the SSL certificate. Requires -Z.
GSSAPI - uses the user's Kerberos credentials.
DIGEST-MD5 - requires that the client send a username value to the server. Requires -U. The -D parameter (usually the bind DN) is used to specify the authorization ID. It can be a DN, or an authzId string starting with u: or dn:.
OS400_PRFTKN - authenticates to the local LDAP server as the current IBM® i user using the DN of the user in the system projected backend. The -D (bind DN) and -w (password) parameters should not be specified.

-M

Manage referral objects as regular entries.

-n

Show what would be done, but don't actually change entries. Useful for debugging in conjunction with -v.

-N certificatename

Specify the label associated with the client certificate in the key database file. If the LDAP server is configured to perform server authentication only, a client certificate is not required. If the LDAP server is configured to perform client and server authentication, a client certificate might be required. certificatename is not required if a default certificate/private key pair has been designated as the default. Similarly, certificatename is not required if there is a single certificate/private key pair in the designated key database file. This parameter is ignored if neither -Z nor -K is specified. For Directory Server on IBM i if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.

-O maxhops

Specify maxhops to set the maximum number of hops that the client library takes when chasing referrals. The default hopcount is 10.

-p ldapport

Specify an alternate TCP port where the LDAP server is listening. The default LDAP port is 389. If -p is not specified and -Z is specified, the default LDAP SSL port 636 is used.

-P keyfilepw

Specify the key database password. This password is required to access the encrypted information in the key database file, which can include one or more private keys. If a password stash file is associated with the key database file, the password is obtained from the password stash file, and the -P parameter is not required. This parameter is ignored if neither -Z nor -K is specified.

-R

Specifies that referrals are not to be automatically followed.

-s

Use this option to delete the subtree rooted at the specified entry.

–U username

Specify the username. Required with -m DIGEST-MD5 and ignored with any other mechanism.

-v

Use verbose mode, with many diagnostics written to standard output.

-V version

Specifies the LDAP version to be used by ldapdelete when it binds to the LDAP server. By default, an LDAP V3 connection is established. To explicitly select LDAP V3, specify -V 3. Specify -V 2 to run as an LDAP V2 application.

-w passwd | ?

Use passwd as the password for authentication. Use the ? to generate a password prompt.

-y proxydn

Set proxied ID for proxied authorization operation.

–Y

Use a secure LDAP connection (TLS).

-Z

Use a secure SSL connection to communicate with the LDAP server. For Directory Server on IBM i if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.

dn

Specifies one or more DN arguments. Each DN should be a string-represented DN.

Examples

The following command,

ldapdelete -D cn=administrator -w secret "cn=Delete Me, o=University of Life, c=US"

attempts to delete the entry named with commonName "Delete Me" directly below the University of Life organizational entry.

Notes

If no DN arguments are provided, the ldapdelete command waits to read a list of DNs from standard input.

Diagnostics

Exit status is 0 if no errors occur. Errors result in a non-zero exit status and a diagnostic message being written to standard error.