ldapcompare LDAP compare tool	Command
	SYNOPSIS DESCRIPTION Options EXAMPLES DIAGNOSTICS PORTABILITY AUTHOR ACKNOWLEDGEMENTS AVAILABILITY SEE ALSO

---

SYNOPSIS

ldapcompare [-V V] [-d debuglevel] [-n ] [-v ] [-z sizelimit] [-M M] [-x ] [-D bindn] [-W ] [-w passwd] [-y psswdfile] [-H ldapurl] [-h ldaphost] [-p ldapport] [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-o opt[=outparam]] [-O security-properties] [-I ] [-Q ] [-N ] [-U authcid] [-R realm] [-X authzip] [-Y mech] [-Z Z] DN {attr:value | attr::b64value}

---

DESCRIPTION

ldapcompare implements the LDAP "Who Am I?" extended operation.

ldapcompare opens a connection to an LDAP server, binds, and performs a whoami operation.

Options

ldapcompare

-V[V] 

Print version info. If -VV is given, only the version information is printed.

-d debuglevel 

Set the LDAP debugging level to debuglevel. ldapsearch must be compiled with LDAP_DEBUG defined for this option to have any effect. The PTC MKS Toolkit port does not define LDAP_DEBUG.

-n 

Show what would be done, but don't actually perform the search. Useful for debugging in conjunction with -v.

-v 

Run in verbose mode, with many diagnostics written to standard output.

-z sizelimit 

retrieve at most sizelimit entries for a search. A sizelimit of 0 (zero) or none means no limit. A sizelimit of max means the maximum integer allowable by the protocol. A server may impose a maximal sizelimit which only the root user may override.

-M[M] 

Enable manage DSA IT control. -MM makes control critical.

-x 

Use simple authentication instead of SASL.

-D binddn 

Use the Distinguished Name binddn to bind to the LDAP directory. For SASL binds, the server is expected to ignore this value.

-W 

Prompt for simple authentication. This is used instead of specifying the password on the command line.

-w passwd 

Use passwd as the password for simple authentication.

-y passwdfile 

Use complete contents of passwdfile as the password for simple authentication.

-H ldapuri 

Specify URI(s) referring to the ldap server(s); a list of URI, separated by whitespace or commas is expected; only the protocol/host/port fields are allowed. As an exception, if no host/port is specified, but a DN is, the DN is used to look up the corresponding host(s) using the DNS SRV records, according to RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396.

-h ldaphost 

Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.

-p ldapport 

Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.

-P{2|3} 

Specify the LDAP protocol version to use.

-e[!]ext[=extparam] 

-E[!]ext[=extparam] 

Specify general extensions with -e and search extensions with -E. '!' indicates criticality. General extensions:

[!]assert=<filter>   (an RFC 4515 Filter)
[!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
[!]manageDSAit
[!]noop
ppolicy
[!]postread[=<attrs>]        (a comma-separated attribute list)
[!]preread[=<attrs>] (a comma-separated attribute list)
[!]relax
sessiontracking
abandon,cancel,ignore (SIGINT sends abandon/cancel; or ignores repsonse; ; If critical doesn't wait for SIGINT. not really controls)

Search extensions:

[!]domainScope                       (domain scope)
[!]mv=<filter>                       (matched values filter)
[!]pr=<size>[/prompt|noprompt]       (paged results/prompt)
[!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]  (server side sorting)
[!]subentries[=true|false]           (subentries)
[!]sync=ro[/<cookie>]                (LDAP Sync refreshOnly)
        rp[/<cookie>][/<slimit>]     (LDAP Sync refreshAndPersist)
[!]vlv=<before>/<after>(/<offset>/<count>|:<value>)  (virtual list view)

-o opt[=optparam] 

Specify general options. General options:

nettimeout=<timeout>  (in seconds, or "none" or "max")

-O security-properties 

Specify SASL security properties.

-I 

Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.

-N 

Do not use reverse DNS to canonicalize SASL host name.

-U authcid 

Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.

-R realm 

Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.

-X authzid 

Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>.

-Y mech 

Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.

-Z[Z] 

Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.

---

EXAMPLES

ldapcompare -x -D "cn=Manager,dc=example,dc=com" -W

---

DIAGNOSTICS

Possible exit status values are: Exit status is zero if no errors occur. Errors result in a non-zero exit status and a diagnostic message being written to standard error.

---

PORTABILITY

Linux. All UNIX systems. Windows 8.1. Windows Server 2012 R2. Windows 10. Windows Server 2016. Windows Server 2019. Windows 11. Windows Server 2022.

---

AUTHOR

The OpenLDAP Project <http://www.openldap.org/>

---

ACKNOWLEDGEMENTS

OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.

---

AVAILABILITY

PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition

---

SEE ALSO

Functions:

ldap(), ldap_compare_ext()

File Formats:

ldap.conf

---

PTC MKS Toolkit 10.4 Documentation Build 39.