Table 6-16 ldapdelete SSL options (continued)

Option    Description

-K
    Specifies the path, including the file name, of the private key database of the client. Either the absolute or the relative (to the server root) path can be used. The -K option must be used when the key database has a different name than key3.db or when the key database is not in the same directory as the certificate database, the cert8.db file (the path of which is specified with the -P option).

-N
    Specifies the certificate name to use for certificate-based client authentication. For example:

    -N Server-Cert

    If this option is specified, the -Z and -W options are required. The -D and -w options must not be specified together with -N: if they are, certificate-based authentication does not occur, and the bind operation uses the credentials given on -D and -w instead.

-P
    Specifies the absolute path, including the file name, of the certificate database of the client. This option is used only with the -Z option.

    When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can point to the certificate database of the web browser. For example:

    -P /security/cert.db

    The client security files can also be stored on the Directory Server in the /etc/opt/dirsrv/slapd-instance_name directory. In this case, the -P option specifies a path and file name similar to the following:

    -P /etc/opt/dirsrv/slapd-instance_name/client-cert.db

-Q
    Specifies the token and certificate name, separated by a colon (:), for a PKCS11 token.

-W
    Specifies the password for the certificate database identified on the -P option. For example:

    -W serverpassword

-Z
    Specifies that SSL is to be used for the delete request.

-ZZ
    Requests Start TLS, which upgrades a cleartext connection to a secure one. If the server does not support Start TLS, the command is not aborted; it continues in cleartext, so -ZZ alone does not guarantee that the bind credentials and the delete request are sent encrypted.

-ZZZ
    Enforces the Start TLS request: the server must respond that the request succeeded. If the server does not support Start TLS, for example because Start TLS is not enabled or the certificate information is incorrect, the command is aborted immediately.

6.6.4 ldapdelete SASL options

SASL mechanisms can be used to authenticate a user; the -o option passes the SASL information the mechanism requires.

To learn which SASL mechanisms a server supports, search the root DSE (its supportedSASLMechanisms attribute lists them). See the -b option in Table 6-3, "Commonly-used ldapsearch options".

Table 6-17 SASL options

Option    Description

-o
    Specifies SASL options. The format is -o saslOption=value, where saslOption can have one of these values:

    mech, the SASL authentication mechanism
    authid, the user who is binding to the server (Kerberos principal)
    authzid, a proxy authorization (ignored by the server since proxy authorization is not supported)
    secProp, the security properties
    realm, the Kerberos realm
    flags

    The expected values depend on the supported mechanism. The -o option can be used multiple times to pass all the required SASL information for the mechanism. For example:

    -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"

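As an added example, not part of the Directory Server documentation or the ldapdelete tool itself, the following POSIX shell wrapper assembles ldapdelete command lines for the two secure bind modes covered by Tables 6-16 and 6-17 (certificate-based client authentication over SSL, and enforced Start TLS followed by a SASL bind) and refuses the option combinations the tables describe as silently wrong: -N without -Z and -W, -N together with -D/-w, -P without -Z, and opportunistic -ZZ in place of -ZZZ. It prints each command instead of running it, so it works without a server. The host (passed with the standard -h option), database paths, certificate nickname, realm and DNs are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the Directory Server documentation: assembles
# ldapdelete command lines for the secure bind modes in Tables 6-16 and 6-17
# and refuses the option combinations those tables describe as silently wrong.
# Commands are printed, not executed. Host names, database paths, certificate
# nicknames, realms and DNs below are assumptions.

# check_tls_opts OPTION... : status 0 if the options are consistent with
# Table 6-16, 1 otherwise (reason on stderr).
check_tls_opts() {
    has_N=0; has_Z=0; has_ZZ=0; has_W=0; has_D=0; has_w=0; has_P=0
    for a in "$@"; do
        case $a in
            -N)  has_N=1 ;;
            -Z)  has_Z=1 ;;
            -ZZ) has_ZZ=1 ;;   # opportunistic Start TLS: continues in cleartext on failure
            -W)  has_W=1 ;;
            -D)  has_D=1 ;;
            -w)  has_w=1 ;;
            -P)  has_P=1 ;;
        esac
    done
    if [ "$has_N" -eq 1 ]; then
        # -N needs -Z and -W ...
        if [ "$has_Z" -ne 1 ] || [ "$has_W" -ne 1 ]; then
            echo "refusing: -N requires -Z and -W" >&2; return 1
        fi
        # ... and must not be combined with -D/-w, or the server binds with
        # those credentials and the client certificate is never used.
        if [ "$has_D" -eq 1 ] || [ "$has_w" -eq 1 ]; then
            echo "refusing: -D/-w with -N silently replaces certificate auth" >&2; return 1
        fi
    fi
    if [ "$has_P" -eq 1 ] && [ "$has_Z" -ne 1 ]; then
        echo "refusing: -P is used only with -Z" >&2; return 1
    fi
    if [ "$has_ZZ" -eq 1 ]; then
        echo "refusing: -ZZ falls back to cleartext; use -ZZZ to fail closed" >&2; return 1
    fi
    return 0
}

# print_cmd OPTION... : print the ldapdelete command line on one line.
print_cmd() {
    printf 'ldapdelete'
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# cert_auth_cmd HOST CERTDB KEYDB NICKNAME DBPASS DN... : certificate-based
# client authentication over SSL (-Z -P -K -N -W, deliberately no -D/-w).
cert_auth_cmd() {
    host=$1; certdb=$2; keydb=$3; nick=$4; dbpass=$5; shift 5
    set -- -h "$host" -Z -P "$certdb" -K "$keydb" -N "$nick" -W "$dbpass" "$@"
    check_tls_opts "$@" || return 1
    print_cmd "$@"
}

# starttls_sasl_cmd HOST MECH AUTHID REALM DN... : enforced Start TLS (-ZZZ)
# followed by a SASL bind, one -o per piece of SASL information (Table 6-17).
starttls_sasl_cmd() {
    host=$1; mech=$2; authid=$3; realm=$4; shift 4
    set -- -h "$host" -ZZZ -o "mech=$mech" -o "authid=$authid" -o "realm=$realm" "$@"
    check_tls_opts "$@" || return 1
    print_cmd "$@"
}

# Usage with assumed values (the commands are printed, not executed):
cert_auth_cmd ldap.example.com /etc/opt/dirsrv/slapd-example/client-cert.db \
    /etc/opt/dirsrv/slapd-example/client-key.db Client-Cert serverpassword \
    uid=old_user,ou=People,dc=example,dc=com
starttls_sasl_cmd ldap.example.com GSSAPI admin EXAMPLE.COM \
    uid=old_user,ou=People,dc=example,dc=com
```

The -W password ends up in the process argument list, where other users on the host can read it with ps; on a shared machine, prefer a key database that is protected by file permissions and a password supplied interactively or from a file with restrictive permissions rather than on the command line.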

206 Command-line utilities