From abf91ca1ff338b897329508ba156ca67e9f2c464 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Tue, 29 Jan 2002 07:33:11 +0000 Subject: [PATCH] Initial ldapcompare(1) implementation. Adapted from patch submitted by Jeff Costlow (ITS#1560). Portions: Copyright 2002, F5 Networks, Inc, All rights reserved. This software is not subject to any license of F5 Networks. This is free software; you can redistribute and use it under the same terms as OpenLDAP itself. --- clients/tools/Makefile.in | 14 +- clients/tools/ldapcompare.c | 715 ++++++++++++++++++++++++++++++++++++ doc/devel/todo | 9 +- doc/man/man1/ldapcompare.1 | 191 ++++++++++ 4 files changed, 922 insertions(+), 7 deletions(-) create mode 100644 clients/tools/ldapcompare.c create mode 100644 doc/man/man1/ldapcompare.1 diff --git a/clients/tools/Makefile.in b/clients/tools/Makefile.in index 7e414b84f2..c120fd4c68 100644 --- a/clients/tools/Makefile.in +++ b/clients/tools/Makefile.in @@ -14,10 +14,11 @@ XLIBS = -llutil -lldif -lldap -llber XXLIBS = $(SECURITY_LIBS) $(LDIF_LIBS) $(LUTIL_LIBS) XSRCS = ldsversion.c ldmversion.c lddversion.c ldrversion.c \ - ldpversion.c ldwversion.c + ldpversion.c ldwversion.c ldcversion.c PROGRAMS = ldapsearch ldapmodify ldapdelete ldapmodrdn ldapadd \ - ldappasswd ldapwhoami + ldappasswd ldapwhoami ldapcompare + ldapsearch: ldsversion.o $(LTLINK) -o $@ ldapsearch.o ldsversion.o $(LIBS) @@ -37,10 +38,14 @@ ldappasswd: ldpversion.o ldapwhoami: ldwversion.o $(LTLINK) -o $@ ldapwhoami.o ldwversion.o $(LIBS) +ldapcompare: ldcversion.o + $(LTLINK) -o $@ ldapcompare.o ldcversion.o $(LIBS) + ldapadd: ldapmodify @-$(RM) $@$(EXEEXT) $(LN_H) ldapmodify$(EXEEXT) ldapadd$(EXEEXT) + ldsversion.c: ldapsearch.o $(LDAP_LIBDEPEND) @-$(RM) $@ $(MKVERSION) ldapsearch > $@ @@ -65,6 +70,11 @@ ldwversion.c: ldapwhoami.o $(LDAP_LIBDEPEND) @-$(RM) $@ $(MKVERSION) ldapwhoami > $@ +ldcversion.c: ldapcompare.o $(LDAP_LIBDEPEND) + @-$(RM) $@ + $(MKVERSION) ldapcompare > $@ + + install-local: FORCE -$(MKDIR) $(DESTDIR)$(bindir) @( \ diff --git a/clients/tools/ldapcompare.c b/clients/tools/ldapcompare.c new file mode 100644 index 0000000000..0216eb0784 --- /dev/null +++ b/clients/tools/ldapcompare.c @@ -0,0 +1,715 @@ +/* + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. + * COPYING RESTRICTIONS APPLY, see COPYRIGHT file + */ + +#include "portable.h" + +#include + +#include + +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_FCNTL_H +#include +#endif +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_IO_H +#include +#endif + +#include + +#include "ldif.h" +#include "lutil.h" +#include "lutil_ldap.h" +#include "ldap_defaults.h" + +static void +usage( const char *s ) +{ + fprintf( stderr, +"usage: %s [options] DN \n" +"where:\n" +" DN\tDistinguished Name\n" +" attr\tassertion attribute\n" +" value\tassertion value\n" +" b64value\tbase64 encoding of assertion value\n" + +"Common options:\n" +" -d level set LDAP debugging level to `level'\n" +" -D binddn bind DN\n" +" -h host LDAP server\n" +" -H URI LDAP Uniform Resource Indentifier(s)\n" +" -I use SASL Interactive mode\n" +" -k use Kerberos authentication\n" +" -K like -k, but do only step 1 of the Kerberos bind\n" +" -M enable Manage DSA IT control (-MM to make critical)\n" +" -n show what would be done but don't actually compare\n" +" -O props SASL security properties\n" +" -p port port on LDAP server\n" +" -P version procotol version (default: 3)\n" +" -z Quiet mode, don't print anything, use return values\n" +" -Q use SASL Quiet mode\n" +" -R realm SASL realm\n" +" -U authcid SASL authentication identity\n" +" -v run in verbose mode (diagnostics to standard output)\n" +" -w passwd bind passwd (for simple authentication)\n" +" -W prompt for bind passwd\n" +" -x Simple authentication\n" +" -X authzid SASL authorization identity (\"dn:\" or \"u:\")\n" +" -Y mech SASL mechanism\n" +" -Z Start TLS request (-ZZ to require successful response)\n" +, s ); + + exit( EXIT_FAILURE ); +} + +static int docompare LDAP_P(( + LDAP *ld, + char *dn, + char *attr, + struct berval *bvalue, + int quiet, + LDAPControl **sctrls, + LDAPControl **cctrls)); + +static char *prog = NULL; +static char *binddn = NULL; +static struct berval passwd = { 0, NULL }; +static char *ldaphost = NULL; +static char *ldapuri = NULL; +static int ldapport = 0; +#ifdef HAVE_CYRUS_SASL +static unsigned sasl_flags = LDAP_SASL_AUTOMATIC; +static char *sasl_realm = NULL; +static char *sasl_authc_id = NULL; +static char *sasl_authz_id = NULL; +static char *sasl_mech = NULL; +static char *sasl_secprops = NULL; +#endif +static int use_tls = 0; +static int verbose, not; + +int +main( int argc, char **argv ) +{ + char *compdn = NULL, *attrs = NULL; + char *sep; + int rc, i, manageDSAit, quiet; + int referrals, debug; + int authmethod, version, want_bindpw; + LDAP *ld = NULL; + struct berval bvalue = { 0, NULL }; + + debug = verbose = not = referrals = + manageDSAit = want_bindpw = quiet = 0; + + version = -1; + + authmethod = -1; + + prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : prog + 1; + + while (( i = getopt( argc, argv, + "Cd:D:h:H:IkKMnO:p:P:qQR:U:vw:WxX:Y:zZ")) != EOF ) + { + switch( i ) { + + /* Common Options */ + case 'C': + referrals++; + break; + case 'd': + debug |= atoi( optarg ); + break; + case 'D': /* bind DN */ + if( binddn != NULL ) { + fprintf( stderr, "%s: -D previously specified\n", prog ); + return EXIT_FAILURE; + } + binddn = strdup( optarg ); + break; + case 'h': /* ldap host */ + if( ldapuri != NULL ) { + fprintf( stderr, "%s: -h incompatible with -H\n", prog ); + return EXIT_FAILURE; + } + if( ldaphost != NULL ) { + fprintf( stderr, "%s: -h previously specified\n", prog ); + return EXIT_FAILURE; + } + ldaphost = strdup( optarg ); + break; + case 'H': /* ldap URI */ + if( ldaphost != NULL ) { + fprintf( stderr, "%s: -H incompatible with -h\n", prog ); + return EXIT_FAILURE; + } + if( ldapport ) { + fprintf( stderr, "%s: -H incompatible with -p\n", prog ); + return EXIT_FAILURE; + } + if( ldapuri != NULL ) { + fprintf( stderr, "%s: -H previously specified\n", prog ); + return EXIT_FAILURE; + } + ldapuri = strdup( optarg ); + break; + case 'I': +#ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -I incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_flags = LDAP_SASL_INTERACTIVE; + break; +#else + fprintf( stderr, "%s: was not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + case 'k': /* kerberos bind */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + + if( authmethod != -1 ) { + fprintf( stderr, "%s: -k incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + + authmethod = LDAP_AUTH_KRBV4; +#else + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return EXIT_FAILURE; +#endif + break; + case 'K': /* kerberos bind, part one only */ +#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND + if( version > LDAP_VERSION2 ) { + fprintf( stderr, "%s: -k incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + + authmethod = LDAP_AUTH_KRBV41; +#else + fprintf( stderr, "%s: not compiled with Kerberos support\n", prog ); + return( EXIT_FAILURE ); +#endif + break; + case 'M': + /* enable Manage DSA IT */ + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -M incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + manageDSAit++; + version = LDAP_VERSION3; + break; + case 'n': /* print compares, don't actually do them */ + ++not; + break; + case 'O': +#ifdef HAVE_CYRUS_SASL + if( sasl_secprops != NULL ) { + fprintf( stderr, "%s: -O previously specified\n", prog ); + return EXIT_FAILURE; + } + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -O incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_secprops = strdup( optarg ); +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + break; + case 'p': + if( ldapport ) { + fprintf( stderr, "%s: -p previously specified\n", prog ); + return EXIT_FAILURE; + } + ldapport = atoi( optarg ); + break; + case 'P': + switch( atoi(optarg) ) { + case 2: + if( version == LDAP_VERSION3 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + version = LDAP_VERSION2; + break; + case 3: + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -P 2 incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + version = LDAP_VERSION3; + break; + default: + fprintf( stderr, "%s: protocol version should be 2 or 3\n", + prog ); + usage( prog ); + return( EXIT_FAILURE ); + } break; + case 'Q': +#ifdef HAVE_CYRUS_SASL + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -Q incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_flags = LDAP_SASL_QUIET; + break; +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + case 'R': +#ifdef HAVE_CYRUS_SASL + if( sasl_realm != NULL ) { + fprintf( stderr, "%s: -R previously specified\n", prog ); + return EXIT_FAILURE; + } + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -R incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_realm = strdup( optarg ); +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + break; + case 'U': +#ifdef HAVE_CYRUS_SASL + if( sasl_authc_id != NULL ) { + fprintf( stderr, "%s: -U previously specified\n", prog ); + return EXIT_FAILURE; + } + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -U incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible previous " + "authentication choice\n", + prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_authc_id = strdup( optarg ); +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + break; + case 'v': /* verbose mode */ + verbose++; + break; + case 'w': /* password */ + passwd.bv_val = strdup( optarg ); + { + char* p; + + for( p = optarg; *p != '\0'; p++ ) { + *p = '\0'; + } + } + passwd.bv_len = strlen( passwd.bv_val ); + break; + case 'W': + want_bindpw++; + break; + case 'Y': +#ifdef HAVE_CYRUS_SASL + if( sasl_mech != NULL ) { + fprintf( stderr, "%s: -Y previously specified\n", prog ); + return EXIT_FAILURE; + } + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -Y incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: incompatible with authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_mech = strdup( optarg ); +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + break; + case 'x': + if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) { + fprintf( stderr, "%s: incompatible with previous " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SIMPLE; + break; + case 'X': +#ifdef HAVE_CYRUS_SASL + if( sasl_authz_id != NULL ) { + fprintf( stderr, "%s: -X previously specified\n", prog ); + return EXIT_FAILURE; + } + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -X incompatible with LDAPv%d\n", + prog, version ); + return EXIT_FAILURE; + } + if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) { + fprintf( stderr, "%s: -X incompatible with " + "authentication choice\n", prog ); + return EXIT_FAILURE; + } + authmethod = LDAP_AUTH_SASL; + version = LDAP_VERSION3; + sasl_authz_id = strdup( optarg ); +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog ); + return( EXIT_FAILURE ); +#endif + break; + case 'z': + quiet++; + break; + case 'Z': +#ifdef HAVE_TLS + if( version == LDAP_VERSION2 ) { + fprintf( stderr, "%s: -Z incompatible with version %d\n", + prog, version ); + return EXIT_FAILURE; + } + version = LDAP_VERSION3; + use_tls++; +#else + fprintf( stderr, "%s: not compiled with TLS support\n", + prog ); + return( EXIT_FAILURE ); +#endif + break; + default: + fprintf( stderr, "%s: unrecognized option -%c\n", + prog, optopt ); + usage( argv[0] ); + } + } + + if (version == -1) { + version = LDAP_VERSION3; + } + if (authmethod == -1 && version > LDAP_VERSION2) { +#ifdef HAVE_CYRUS_SASL + authmethod = LDAP_AUTH_SASL; +#else + authmethod = LDAP_AUTH_SIMPLE; +#endif + } + + if ( argc - optind != 2 ) { + usage( argv[ 0 ] ); + } + + compdn = argv[optind++]; + attrs = argv[optind++]; + + /* user passed in only 2 args, the last one better be in + * the form attr:value or attr::b64value + */ + sep = strchr(attrs, ':'); + if (!sep) { + usage( argv[ 0 ] ); + } + + *sep++='\0'; + if ( *sep != ':' ) { + bvalue.bv_val = strdup( sep ); + bvalue.bv_len = strlen( bvalue.bv_val ); + + } else { + /* it's base64 encoded. */ + bvalue.bv_val = malloc( strlen( &sep[1] )); + bvalue.bv_len = lutil_b64_pton( &sep[1], + bvalue.bv_val, strlen( &sep[1] )); + + if (bvalue.bv_len == -1) { + fprintf(stderr, "base64 decode error\n"); + exit(-1); + } + } + + if ( debug ) { + if( ber_set_option( NULL, LBER_OPT_DEBUG_LEVEL, &debug ) + != LBER_OPT_SUCCESS ) + { + fprintf( stderr, + "Could not set LBER_OPT_DEBUG_LEVEL %d\n", debug ); + } + if( ldap_set_option( NULL, LDAP_OPT_DEBUG_LEVEL, &debug ) + != LDAP_OPT_SUCCESS ) + { + fprintf( stderr, + "Could not set LDAP_OPT_DEBUG_LEVEL %d\n", debug ); + } + ldif_debug = debug; + } + +#ifdef SIGPIPE + (void) SIGNAL( SIGPIPE, SIG_IGN ); +#endif + + if( ( ldaphost != NULL || ldapport ) && ( ldapuri == NULL ) ) { + if ( verbose ) { + fprintf( stderr, "ldap_init( %s, %d )\n", + ldaphost != NULL ? ldaphost : "", + ldapport ); + } + + ld = ldap_init( ldaphost, ldapport ); + if( ld == NULL ) { + perror("ldapsearch: ldap_init"); + return EXIT_FAILURE; + } + + } else { + if ( verbose ) { + fprintf( stderr, "ldap_initialize( %s )\n", + ldapuri != NULL ? ldapuri : "" ); + } + + rc = ldap_initialize( &ld, ldapuri ); + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "Could not create LDAP session handle (%d): %s\n", + rc, ldap_err2string(rc) ); + return EXIT_FAILURE; + } + } + + + /* referrals */ + if (ldap_set_option( ld, LDAP_OPT_REFERRALS, + referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS ) + { + fprintf( stderr, "Could not set LDAP_OPT_REFERRALS %s\n", + referrals ? "on" : "off" ); + return EXIT_FAILURE; + } + + if (version == -1 ) { + version = LDAP_VERSION3; + } + + if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) + != LDAP_OPT_SUCCESS ) + { + fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", + version ); + return EXIT_FAILURE; + } + + if ( use_tls && ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS )) { + ldap_perror( ld, "ldap_start_tls" ); + if ( use_tls > 1 ) { + return EXIT_FAILURE; + } + } + + if (want_bindpw) { + passwd.bv_val = getpassphrase("Enter LDAP Password: "); + passwd.bv_len = passwd.bv_val ? strlen( passwd.bv_val ) : 0; + } + + if ( authmethod == LDAP_AUTH_SASL ) { +#ifdef HAVE_CYRUS_SASL + void *defaults; + + if( sasl_secprops != NULL ) { + rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, + (void *) sasl_secprops ); + + if( rc != LDAP_OPT_SUCCESS ) { + fprintf( stderr, + "Could not set LDAP_OPT_X_SASL_SECPROPS: %s\n", + sasl_secprops ); + return EXIT_FAILURE; + } + } + + defaults = lutil_sasl_defaults( ld, + sasl_mech, + sasl_realm, + sasl_authc_id, + passwd.bv_val, + sasl_authz_id ); + + rc = ldap_sasl_interactive_bind_s( ld, binddn, + sasl_mech, NULL, NULL, + sasl_flags, lutil_sasl_interact, defaults ); + + if( rc != LDAP_SUCCESS ) { + ldap_perror( ld, "ldap_sasl_interactive_bind_s" ); + return EXIT_FAILURE; + } +#else + fprintf( stderr, "%s: not compiled with SASL support\n", + prog, argv[0] ); + return EXIT_FAILURE; +#endif + } else { + if ( ldap_bind_s( ld, binddn, passwd.bv_val, authmethod ) + != LDAP_SUCCESS ) { + ldap_perror( ld, "ldap_bind" ); + return EXIT_FAILURE; + } + } + + if ( manageDSAit ) { + int err; + LDAPControl c; + LDAPControl *ctrls[2]; + ctrls[0] = &c; + ctrls[1] = NULL; + + c.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT; + c.ldctl_value.bv_val = NULL; + c.ldctl_value.bv_len = 0; + c.ldctl_iscritical = manageDSAit > 1; + + err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls ); + + if( err != LDAP_OPT_SUCCESS ) { + fprintf( stderr, "Could not set ManageDSAit %scontrol\n", + c.ldctl_iscritical ? "critical " : "" ); + if( c.ldctl_iscritical ) { + return EXIT_FAILURE; + } + } + } + + if ( verbose ) { + fprintf( stderr, "DN:%s, attr:%s, value:%s\n", + compdn, attrs, sep ); + } + + rc = docompare( ld, compdn, attrs, &bvalue, quiet, NULL, NULL ); + + free( bvalue.bv_val ); + + ldap_unbind( ld ); + + return rc; +} + + +static int docompare( + LDAP *ld, + char *dn, + char *attr, + struct berval *bvalue, + int quiet, + LDAPControl **sctrls, + LDAPControl **cctrls ) +{ + int rc; + + if ( not ) { + return LDAP_SUCCESS; + } + + rc = ldap_compare_ext_s( ld, dn, attr, bvalue, + sctrls, cctrls ); + + if ( rc == -1 ) { + ldap_perror( ld, "ldap_result" ); + return( rc ); + } + + /* if we were told to be quiet, use the return value. */ + if ( !quiet ) { + if ( rc == LDAP_COMPARE_TRUE ) { + rc = 0; + printf("TRUE\n"); + } else if ( rc == LDAP_COMPARE_FALSE ) { + rc = 0; + printf("FALSE\n"); + } else { + ldap_perror( ld, "ldap_compare" ); + } + } + + return( rc ); +} + diff --git a/doc/devel/todo b/doc/devel/todo index ef038a205b..051a41fc18 100644 --- a/doc/devel/todo +++ b/doc/devel/todo @@ -42,7 +42,8 @@ Implement dNSReferral Implement authPassword (RFC 3112) Implement localization Implement LDAP Transactions -Implement Proxy Group extension +Implement Proxy Authorization Group extension +Implement Proxy Authorization Control extension Small projects @@ -50,12 +51,10 @@ Small projects Implement -E/-e extensions options Implement -V version options Implement simple paged results control -Implement whoami? (get-authzid) operation Add tests to test suite (ACI, moddn, manageDSAit, etc.) +Add support for Cyrus SASL v2 Add support for Cyrus pwcheckd/saslauthd -Add support for Cyrus SASL v2-beta -Create ldapbind (from ldappasswd?) to support bind operations -Create ldapcompare (from ldapsearch) to support compare operations +Create ldapbind (from ldapcompare?) to support bind operations Update any manual page diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1 new file mode 100644 index 0000000000..c8f0da2af2 --- /dev/null +++ b/doc/man/man1/ldapcompare.1 @@ -0,0 +1,191 @@ +.TH LDAPCOMPARE 1 "28 January 2002" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.SH NAME +ldapcompare \- LDAP compare tool +.SH SYNOPSIS +.B ldapcompare +[\c +.BR \-n ] +[\c +.BR \-v ] +[\c +.BR \-z ] +[\c +.BR \-k ] +[\c +.BR \-K ] +[\c +.BR \-M[M] ] +[\c +.BI \-d \ debuglevel\fR] +[\c +.BI \-D \ binddn\fR] +[\c +.BR \-W ] +[\c +.BI \-w \ bindpasswd\fR] +[\c +.BI \-H \ ldapuri\fR] +[\c +.BI \-h \ ldaphost\fR] +[\c +.BI \-p \ ldapport\fR] +[\c +.BI \-P \ 2\fR\||\|\fI3\fR] +[\c +.BR \-O \ security-properties ] +[\c +.BR \-I ] +[\c +.BR \-Q ] +[\c +.BI \-U \ authcid\fR] +[\c +.BR \-x ] +[\c +.BI \-X \ authzid\fR] +[\c +.BI \-Y \ mech\fR] +[\c +.BR \-Z[Z] ] +.IR DN \ < +.BR attr:value \ | +.BR attr::b64value \ > +.SH DESCRIPTION +.I ldapcompare +is a shell-accessible interface to the +.BR ldap_compare (3) +library call. +.LP +.B ldapcompare +opens a connection to an LDAP server, binds, and performs a compare +using specified parameters. The \fIDN\fP should be a distinguished +name in the directory. \fIAttr\fP should be a known attribute. If +followed by one colon, the assertion \fIvalue\fP should be provided +as a string. If followed by two colons, the base64 encoding of the +value is provided. +.LP +.SH OPTIONS +.TP +.B \-n +Show what would be done, but don't actually perform the compare. Useful for +debugging in conjunction with -v. +.TP +.B \-v +Run in verbose mode, with many diagnostics written to standard output. +.TP +.B \-z +Run in quiet mode, no output is written. You must check the return +status. Useful in shell scripts. +.TP +.B \-k +Use Kerberos IV authentication instead of simple authentication. It is +assumed that you already have a valid ticket granting ticket. +.B ldapcompare +must be compiled with Kerberos support for this option to have any effect. +.TP +.B \-K +Same as \-k, but only does step 1 of the Kerberos IV bind. This is useful +when connecting to a slapd and there is no x500dsa.hostname principal +registered with your Kerberos Domain Controller(s). +.TP +.B \-M[M] +Enable manage DSA IT control. +.B \-MM +makes control critical. +.TP +.BI \-d \ debuglevel +Set the LDAP debugging level to \fIdebuglevel\fP. +.B ldapcompare +must be compiled with LDAP_DEBUG defined for this option to have any effect. +.TP +.B \-x +Use simple authentication instead of SASL. +.TP +.BI \-D \ binddn +Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory. +.TP +.B \-W +Prompt for simple authentication. +This is used instead of specifying the password on the command line. +.TP +.BI \-w \ bindpasswd +Use \fIbindpasswd\fP as the password for simple authentication. +.TP +.BI \-H \ ldapuri +Specify URI(s) referring to the ldap server(s). +.TP +.BI \-h \ ldaphost +Specify an alternate host on which the ldap server is running. +Deprecated in favor of -H. +.TP +.BI \-p \ ldapport +Specify an alternate TCP port where the ldap server is listening. +Deprecated in favor of -H. +.TP +.BI \-P \ 2\fR\||\|\fI3 +Specify the LDAP protocol version to use. +.TP +.BI \-O \ security-properties +Specify SASL security properties. +.TP +.B \-I +Enable SASL Interactive mode. Always prompt. Default is to prompt +only as needed. +.TP +.B \-Q +Enable SASL Quiet mode. Never prompt. +.TP +.BI \-U \ authcid +Specify the authentication ID for SASL bind. The form of the ID +depends on the actual SASL mechanism used. +.TP +.BI \-X \ authzid +Specify the requested authorization ID for SASL bind. +.I authzid +must be one of the following formats: +.B dn:\c +.I +or +.B u:\c +.I +.TP +.BI \-Y \ mech +Specify the SASL mechanism to be used for authentication. If it's not +specified, the program will choose the best mechanism the server knows. +.TP +.B \-Z[Z] +Issue StartTLS (Transport Layer Security) extended operation. If you use +.B \-ZZ\c +, the command will require the operation to be successful. +.SH EXAMPLE +.nf + ldapcompare "uid=babs,dc=example,dc=com" sn Jensen + ldapcompare "uid=babs,dc=example,dc=com" sn:Jensen + ldapcompare "uid=babs,dc=example,dc=com" sn::SmVuc2Vu +.fi +are all equivalent. +.SH DIAGNOSTICS +When -z is used, exit status is either 5 if the compare is false, or 6 +when the compare is true. Errors result in other non-zero values. +.br +When -z is not used, exit status is zero if no errors occur. +Errors result in a non-zero exit status and +a diagnostic message being written to standard error. +.SH BUGS +Should have a way to specify a url for options or for large binary +file compares. +.SH "SEE ALSO" +.BR ldap.conf (5), +.BR ldif (5), +.BR ldap (3), +.BR ldap_compare (3) +.SH AUTHOR +The OpenLDAP Project +.SH ACKNOWLEDGEMENTS +.B OpenLDAP +is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release.