4
Command Line Tools Syntax

This chapter provides syntax, usage notes, and examples for using LDAP Data Interchange Format (LDIF) and LDAP command line tools. It contains these topics:

• LDAP Data Interchange Format (LDIF) Syntax

• Command Line Tools Syntax

• Catalog Management Tool Syntax

LDAP Data Interchange Format (LDIF) Syntax

The standardized file format for directory entries is as follows:

dn: distinguished_name
attribute_type: attribute_value
.

.

.
objectClass: object_class_value
.

.

.

Property	Value	Description
dn:	RDN,RDN,RDN, ...	Separate RDNs with commas.
attribute:	attribute_value	This line repeats for every attribute in the entry, and for every attribute value in multi-valued attributes.
objectClass:	object_class_ value	This line repeats for every object class.

The following example shows a file entry for an employee. The first line contains the DN. The lines that follow the DN begin with the mnemonic for an attribute, followed by the value to be associated with that attribute. Note that each entry ends with lines defining the object classes for the entry.

dn: cn=Suzie Smith,ou=Server Technology,o=Acme, c=US

cn: Suzie Smith

cn: SuzieS

sn: Smith

email: ssmith@us.Acme.com

telephoneNumber: 69332

photo:/ORACLE_HOME/empdir/photog/ssmith.jpg

objectClass: organizational person

objectClass: person 
objectClass: top

The next example shows a file entry for an organization.

dn: o=Acme,c=US

o: Acme

ou: Financial Applications

objectClass: organization 
objectClass: top

LDIF Formatting Notes

A list of formatting rules follows. This list is not exhaustive.

• All mandatory attributes belonging to an entry being added must be included with non-null values in the LDIF file.

  Tip: To see the mandatory and optional attribute types for an object class, use Oracle Directory Manager. See Oracle Internet Directory Administrator's Guide.

• Non-printing characters and tabs are represented in attribute values by base-64 encoding.

• The entries in your file must be separated from each other by a blank line.

• A file must contain at least one entry.

• Lines can be continued to the next line by beginning the continuation line with a space or a tab.

• Add a blank line between separate entries.

• Reference binary files, such as photographs, with the absolute address of the file, preceded by a forward slash ("/").

• The DN contains the full, unique directory address for the object.

• The lines listed after the DN contain both the attributes and their values. DNs and attributes used in the input file must match the existing structure of the DIT. Do not use attributes in the input file that you have not implemented in your DIT.

• Sequence the entries in an LDIF file so that the DIT is created from the top down. If an entry relies on an earlier entry for its DN, make sure that the earlier entry is added before its child entry.

• When you define schema within an LDIF file, insert a white space between the opening parenthesis and the beginning of the text, and between the end of the text and the ending parenthesis.

  See Also: The various resources listed in Oracle Internet Directory Administrator's Guide. for a complete list of LDIF formatting rules and for information about using NLS with LDIF files.

Command Line Tools Syntax

This section tells you how to use the following tools:

• ldapadd Syntax

• ldapaddmt Syntax

• ldapbind Syntax

• ldapcompare Syntax

• ldapdelete Syntax

• ldapmoddn Syntax

• ldapmodify Syntax

• ldapmodifymt Syntax

• ldapsearch Syntax

ldapadd Syntax

The ldapadd command line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify Syntax".

See Also: Oracle Internet Directory Administrator's Guide. for an explanation of using ldapadd to configure a server with an input file

ldapadd uses this syntax:

ldapadd [arguments] -f filename

where filename is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The following example adds the entry specified in the LDIF file my_ldif_file.ldi:

ldapadd -p 389 -h myhost -f my_ldif_file.ldi

Optional Arguments	Descriptions
-b	Specifies that you have included binary file names in the file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced.
-c	Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.)
-D binddn	When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.
-E "character_set"	Specifies native character set encoding. See the chapter on NLS in Oracle Internet Directory Administrator's Guide.
-f filename	Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "LDAP Data Interchange Format (LDIF) Syntax".
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-K	Same as -k, but performs only the first step of the Kerberos bind
-k	Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket.
-n	Shows what would occur without actually performing the operation
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections

ldapaddmt Syntax

ldapaddmt is like ldapadd: it enables you to add entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.

While it is processing LDIF entries, ldapaddmt logs errors in the add.log file in the current directory.

ldapaddmt uses this syntax:

ldapaddmt -T number_of_threads -h host -p port -f filename

where filename is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The following example uses five concurrent threads to process the entries in the file myentries.ldif.

ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif

Note: Increasing the number of concurrent threads improves the rate at which LDIF entries are created, but consumes more system resources.

Optional Arguments	Descriptions
-b	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced.
-c	Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.)
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn. Use this with the -w password option.
-E "character_set"	Specifies native character set encoding. See the chapter on NLS in Oracle Internet Directory Administrator's Guide.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-K	Same as -k, but performs only the first step of the kerberos bind
-k	Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket.
-n	Shows what would occur without actually performing the operation.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-T	Sets the number of threads for concurrently processing entries
-U SSLAuth	Specifies SSL Authentication Mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections

ldapbind Syntax

The ldapbind command line tool enables you to see whether you can authenticate a client to a server.

ldapbind uses this syntax:

ldapbind [arguments]

Optional Arguments	Descriptions
-D binddn	When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.
-E ".character_set"	Specifies native character set encoding. See the chapter on NLS in Oracle Internet Directory Administrator's Guide.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-n	Shows what would occur without actually performing the operation
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies the wallet password required for one-way or two-way SSL connections
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

ldapcompare Syntax

The ldapcompare command line tool enables you to match attribute values you specify in the command line with the attribute values in the directory entry.

ldapcompare uses this syntax:

ldapcompare [arguments] 

The following example tells you whether Person Nine's title is associate.

ldapcompare -p 389 -h myhost -b "cn=Person Nine, ou=EuroSInet Suite, o=IMC, 
c=US" -a title -v associate

Mandatory Arguments	Descriptions
-a attribute name	Specifies the attribute on which to perform the compare
-b basedn	Specifies the distinguished name of the entry on which to perform the compare
-v attribute value	Specifies the attribute value to compare

Optional Arguments	Descriptions
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn. Use this with the -w password option.
-d debug-level	Sets the debugging level. See the chapter on managing a directory server in Oracle Internet Directory Administrator's Guide.
-E "character_set"	Specifies native character set encoding. See chapter on NLS in Oracle Internet Directory Administrator's Guide.
-f filename	Specifies the input filename
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections

ldapdelete Syntax

The ldapdelete command line tool enables you to remove entire entries from the directory that you specify in the command line.

ldapdelete uses this syntax:

ldapdelete [arguments] "entry_DN"

The following example uses port 389 on a host named myhost.

ldapdelete -p 389 -h myhost ou=EuroSInet Suite, o=IMC, c=US"

Optional Arguments	Descriptions
-D binddn	When authenticating to the directory, uses a full DN for the binddn parameter; typically used with the -w password option.
-d debug-level	Sets the debugging level. See the chapter on managing a directory server in Oracle Internet Directory Administrator's Guide.
-E "character_set"	Specifies native character set encoding. See the chapter on NLS in Oracle Internet Directory Administrator's Guide.
-f filename	Specifies the input filename
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-k	Authenticates using authentication instead of simple authentication. To enable this option, you must compile with Kerberos defined. You must already have a valid ticket granting ticket.
-n	Shows what would be done, but doesn't actually delete
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w password	Provides the password required to connect.
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections

ldapmoddn Syntax

The ldapmoddn command line tool enables you to modify the DN or RDN of an entry.

ldapmoddn uses this syntax:

ldapmoddn [arguments]

The following example uses ldapmoddn to modify the RDN component of a DN from "cn=dcpl" to "cn=thanh mai". It uses port 389, and a host named myhost.

ldapmoddn -p 389 -h myhost -b "cn=dcpl,dc=Americas,dc=imc,dc=com" -R "cn=thanh 
mai"

Mandatory Argument	Description
-b basedn	Specifies DN of the entry to be moved

Optional Arguments	Descriptions
-D binddn	When authenticating to the directory, do so as the entry is specified in binddn. Use this with the -w password option.
-E "character_set"	Specifies native character set encoding. See the chapter on NLS in Oracle Internet Directory Administrator's Guide.
-f filename	Specifies the input filename
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-N newparent	Specifies new parent of the RDN
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-r	Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry.
-R newrdn	Specifies new RDN
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-w password	Provides the password required to connect.
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections

ldapmodify Syntax

The ldapmodify tool enables you to act on attributes.

ldapmodify uses this syntax:

ldapmodify [arguments] -f filename

where filename is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".

The list of arguments in the following table is not exhaustive.

Optional Arguments	Description
-a	Denotes that entries are to be added, and that the input file is in LDIF format.
-b	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.
-c	Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.)
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn. Use this with the -w password option.
-E "character_set"	Specifies native character set encoding. See the chapter on NLS in Oracle Internet Directory Administrator's Guide.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-n	Shows what would occur without actually performing the operation.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w password	Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

To run modify, delete, and modifyrdn operations using the -f flag, use LDIF for the input file format (see "LDAP Data Interchange Format (LDIF) Syntax") with the specifications noted below:

Always separate entries with a blank line.

Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.

Line 1: Every change record has, as its first line, the literal dn: followed by the DN value for the entry, for example:

dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US

Line 2: Every change record has, as its second line, the literal "changetype:" followed by the type of change (add, delete, modify, modrdn), for example:

changetype:modify

or

changetype:modrdn

Format the remainder of each record according to the following requirements for each type of change:

• changetype:add

  Uses LDIF format (see "LDAP Data Interchange Format (LDIF) Syntax").

• changetype:modify

  The lines that follow this changetype consist of changes to attributes belonging to the entry that you identified in Line 1 above. You can specify three different types of attribute modifications--add, delete, and replace--which are explained next:

  • Add attribute values. This option to changetype modify adds more values to an existing multi-valued attribute. If the attribute does not exist, it adds the new attribute with the specified values:

    add: attribute name
    attribute name: value1
    attribute name: value2...
    

    For example:

    dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
    changetype:modify
    add: work-phone
    work-phone:510/506-7000
    work-phone:510/506-7001
    

  • Delete values. If you supply only the "delete" line, all the values for the specified attribute are deleted. Otherwise, if you specify an attribute line, you can delete specific values from the attribute:

    delete: attribute name
    [attribute name: value1]
    

    For example:

    dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
    changetype:delete
    delete: home-fax
    

  • Replace values. Use this option to replace all the values belonging to an attribute with the new, specified set:

    replace:attribute name
    [attribute name:value1 ...]
    

    If you do not provide any attributes with "replace," the directory adds an empty set. It then interprets the empty set as a delete request, and complies by deleting the attribute from the entry. This is useful if you want to delete attributes that may or may not exist.

    For example:

    dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US 
    changetype:modify
    replace: work-phone
    work-phone:510/506-7002
    
    
    

    • changetype:delete

      This change type deletes entries. It requires no further input, since you identified the entry in Line 1 and specified a changetype of delete in Line 2.

      For example:

      dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US 
      changetype:delete
      
      
      

    • changetype:modrdn

      The line following the change type provides the new relative distinguished name using this format:

      newrdn: RDN
      
      
      

      For example:

      dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
      changetype:modrdn
      newrdn: cn=Barbara Fritchy-Blomberg
      

ldapmodifymt Syntax

The ldapmodifymt command line tool enables you to modify several entries concurrently.

ldapmodifymt uses this syntax:

ldapmodifymt -T number_of_threads [arguments] -f filename

where filename is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".

See Also: "ldapmodify Syntax" for additional formatting specifications used by ldapmodifymt

For example:

ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif

Optional Arguments	Descriptions
-a	Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.)
-b	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.
-c	Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.)
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn. Use this with the -w password option.
-E "character_set"	Specifies native character set encoding. See the chapter on NLS in Oracle Internet Directory Administrator's Guide.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-n	Shows what would occur without actually performing the operation.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-T	Sets the number of threads for concurrently processing entries
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w password	Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections

ldapsearch Syntax

The ldapsearch command line tool enables you to search for and retrieve specific entries in the directory.

ldapsearch uses this syntax:

ldapsearch [arguments] filter [attributes]

The filter format must be compliant with RFC-2254. For further information about this standard, search for the standard at: http://www.ietf.org/rfc/rfc2254.txt

Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.

Mandatory Arguments	Descriptions
-b basedn	Specifies base dn for search
-s scope	Specifies search scope: base, one, or sub.

Optional Arguments	Descriptions
-A	Retrieves attribute names only (no values)
-a deref	Specifies alias dereferencing: never, always, search, or find
-B	Allows printing of non-ASCII values
-D binddn	When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.
-d debug level	Sets debugging level to the level specified (see the chapter on managing a directory server in Oracle Internet Directory Administrator's Guide.)
-E "character_set"	Specifies native character set encoding. See the chapter on NLS in Oracle Internet Directory Administrator's Guide.
-f file	Performs sequence of searches listed in file
-F sep	Prints `sep' instead of `=' between attribute names and values
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-L	Prints entries in LDIF format (-B is implied)
-l timelimit	Specifies maximum time (in seconds) to wait for ldapsearch command to complete
-n	Shows what would be done without actually searching
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-S attr	Sorts the results by attribute attr
-t	Writes to files in /tmp
-u	Includes user friendly entry names in the output
-U SSLAuth	Specifies the SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w passwd	Specifies bind passwd for simple authentication
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections
-z sizelimit	Specifies maximum number of entries to retrieve

Examples of ldapsearch Filters

Study the following examples to see how to build your own search commands.

Example 1: Base Object Search

The following example performs a base-level search on the directory from the root.

ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"

• -b specifies base dn for search, root in this case.

• -s specifies whether the search is a base search (base), one level search (one) or subtree search (sub).

• "objectclass=*" specifies the filter for search.

Example 2: One-Level Search

The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".

ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v 
"objectclass=*"

Example 3: Sub-Tree Search

The following example performs a sub-tree search and returns all entries having a DN starting with "cn=Person".

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"

Example 4: Search Using Size Limit

The following example actually retrieves only two entries, even if there are more than two matches.

ldapsearch -h myhost -p 389 -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" 
-s one "objectclass=*"

Example 5: Search with Required Attributes and Attribute Options

The following example returns only the DN attribute values of the matching entries:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn

The following example retrieves only the distinguished name (dn) along with the surname (sn) and description (description) attribute values:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description

The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.

ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"

Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example fails:

ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni

Example 6: Searching for All User Attributes and Specified Operational Attributes

The following example retrieves all user attributes and the createtimestamp and orclguid operational attributes:

ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s sub 
"cn=Person*" * createtimestamp orclguid

The following example retrieves entries modified by Anne Smith:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne
Smith))"

The following example retrieves entries modified between 01 April 2000 and 06 April 2000:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifytimestamp>=20000401000000)

(modifytimestamp<= 20000406235959))"

Note: Because modifiersname and modifytimestamp are not indexed attributes, use catalog.sh to index these two attributes. Then, restart the Oracle directory server before issuing the two previous ldapsearch commands.

Other Examples:

Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".

The following example searches for all entries with any value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"

The following example searches for all entries that have orcle at the beginning of the value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"objectclass=orcle*"

The following example searches for entries where the objectclass attribute begins with orcle and cn begins with foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"(&(objectclass=orcle*)(cn=foo*))"

The following example searches for entries in which the common name (cn) is not foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"

The following example searches for entries in which cn begins with foo or sn begins with bar.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"(|(cn=foo*)(sn=bar*))"

The following example searches for entries in which employeenumber is less than or equal to 10000.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"employeenumber<=10000"

Catalog Management Tool Syntax

Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the entry cn=catalogs lists available attributes that can be used in a search. Only those attributes that have an equality matching rule can be indexed.

If you want to use additional attributes in search filters, you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool.

Before running the Catalog Management tool, unset the LANG variable. After you finish running Catalog Management tool, set the LANG variable back to its original value.

To unset LANG:

• Using Korn shell:

  UNSET LANG
  
  
  

• Using C shell:

  UNSETENV LANG
  

The Catalog Management tool uses this syntax:

catalog.sh -connect net_service_name {add|delete} {-attr attr_name|-file 
filename}

Mandatory Argument	Description
- connect net_service_name	Specifies the net service name to connect to the directory database See Also: Net8 Administrator's Guide

Optional Arguments	Descriptions
- add -attr attr_name	Indexes the specified attribute
- delete -attr attr_name	Drops the index from the specified attribute
- add -file filename	Indexes attributes (one per line) in the specified file
-delete -file filename	Drops the indexes from the attributes in the specified file

When you enter the catalog.sh command, the following message appears:

This tool can only be executed if you know the OiD user password.
Enter OiD password:

If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:

Cannot execute this tool

After you finish running the Catalog Management tool, set the LANG variable back to its original value.

To set LANG:

• Using Korn shell:

  SET LANG=appropriate_language; EXPORT LANG
  
  

• Using C shell:

  SETENV LANG appropriate_language
  
  
  

To effect the changes after running the Catalog Management tool, stop, then restart, the Oracle directory server.

See Also: The chapter on preliminary tasks in Oracle Internet Directory Administrator's Guide. for instructions on starting and restarting directory servers