dirxcp

Synopsis

dirxcp [script_name [arg1] [arg2 …]] | -c command | -V]

Purpose

Manages objects in the directory information tree (DIT). The dirxcp program supports the following objects:

abbr

Displays valid abbreviations for object classes, attributes, and structured attributes

args

Manages service controls associated with a DAP directory operation

ldapargs

Manages service controls associated with an LDAP directory operation

obj

Manages directory objects

There are also some utilities which are described in the util (dirxcp) page.

Arguments

script_name

Filename of a user-defined script containing dirxcp commands.

arg1 … argn

Specify arguments to the user-defined script specified in script_name.

Options

-c command

Executes the dirxcp or Tcl commands or commands specified by command.

-V

Displays the DirX Directory product version, in the format:

product_version build_id date time

For example:

DirX Directory V9.0 9.4.428 2023:03:23 20:10 64-Bit

The dirxcp initialize operation also writes the build version to the dirxcp trace file.

Description

The dirxcp program is a command-line directory user agent (DUA) that directory users and system administrators can use to communicate with DSAs and LDAP servers. Use it to perform the following tasks:

Establish and terminate binds to DSAs and LDAP servers.
Send requests to DSAs or LDAP servers to perform operations such as create, modify, delete, and search on objects in the directory information tree (DIT). Note that an outstanding search, show, list or compare operation can be abandoned on a DSA by interrupting dirxcp. (Press the Del or Ctrl and C key, depending on your keyboard configuration.)
Populate the DIT with objects (entries and subentries)
Perform SQL-like queries on objects in the DIT.
Modify service controls to change the behavior of operations.
Display the abbreviations that it uses for attributes and OIDs (for DAP binds) and verify them against the schema of a DSA.

Tcl Command Language

The DirX Directory control program is built on a portable command language called the tool command language (Tcl). Tcl permits the use of variables, if statements, list-processing functions, loop functions, and many other features commonly found in command languages. The program extends these features to provide a set of commands for manipulating DirX Directory objects. The program also includes task scripts to help directory users and system administrators perform some routine DirX Directory object management functions.

Escaping in Distinguished Names and Attribute Values

See section Tcl Command Language in the dirxadm section for details.

See also sections Reserved Characters in chapters DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds in DirX Directory Syntaxes and Attributes.

Escaping in File Names

See section Tcl Command Language in the dirxadm section for details.

The Directory Client Configuration File

The DirX Directory control program uses the directory client configuration file (dirxcl.cfg) to determine the DSAs and LDAP servers available. (See section titled Directory Client Configuration File for details.)

Bind Types and Bind IDs

dirxcp supports multiple binds by using bind IDs and - for compatibility reasons - the concept of a default bind. A bind ID is a string associated with either an LDAP bind (a connection to an LDAP server through LDAPv2 or LDAPv3 protocol) or a DAP bind (a connection to a DSA through DAP protocol). Specify the string value of a bind ID in an obj bind operation. (See obj bind operation for details.) Use the bind ID in other operations to refer to a particular bind.

An obj bind command that does not specify a bind ID establishes a default bind. A command that does not specify a bind ID refers to the default bind. Only one default bind can exist at a time and this can be either an LDAP bind or a DAP bind.

The Abbreviation Files

The DirX Directory control program uses the DirX Directory abbreviation files (dirxabbr and dirxabbr-ext*) to convert attribute abbreviations and object identifier strings to ASN1 object identifiers for DAP directory operations. The program also uses these files to determine the attribute syntax, the full name of the attribute, and other information.

Accessing Operations and Entries

The dirxcp program is the primary tool for performing directory service administration. All operations are subject to access control and schema rules: you can perform an operation only if you have access rights to the object for the action and only if the operation is consistent with the schema definition.

The dirxcp control program does not permit access to some DSA-specific entries (DSEs) and operational attributes. System administrators with a thorough knowledge of directory information database (DIB) maintenance can use the dirxadm program to manage the DSEs and operational attributes or a DSA, but they should use dirxadm for this purpose only if they cannot perform the management task with dirxcp.

Invoking dirxcp

You can invoke dirxcp commands in interactive and command mode

Interactive Mode

Activate interactive mode by entering the dirxcp command without any arguments. At the dirxcp prompt, enter a dirxcp or Tcl command; dirxcp runs the command, displays the result, and is ready to accept another command.

% dirxcp
dirxcp> obj create /C=de -attribute OCL=c \{DSC=Germany}
dirxcp>

Instead of entering a dirxcp or Tcl command enter the keyword source followed by the filename of a script that contains dirxcp commands, other valid Tcl commands, or both, for example

dirxcp> source myown.tcl

dirxcp* then runs the script, displays the result, and is ready to accept another command.

Command Mode

Activate command-line mode from the system prompt by using one of the following methods: :

Enter the dirxcp command with the filename of a script that contains dirxcp commands, other valid Tcl commands, or both, as follows:
```
% dirxcp myown.tcl
```
Enter the dirxcp command with the -c option followed by a list that contains one or more dirxcp commands or Tcl commands, for example:
```
% dirxcp -c “bind; obj show {/O=my-company/OU=Sales/CN=moy john}
-attribute tn -pretty; obj modify -removeattr tn”
```
Enter multiple commands by separating them with a semicolon (;) and enclosing the commands in quotation marks (“ ”). Remember to escape shell metacharacters (for example, by enclosing them in quotation marks). Multiple commands must be on a single line.

When you use the -c option, operation results return to the interpreter, not to the shell. if you enter multiple operations, the output of only the last operation is returned to the shell. You can solve this problem by using the following workaround:
```
% dirxcp -c “bind; puts [obj show /C=de -allattr]; puts [args show]”
```

Terminating dirxcp

Terminate an interactive dirxcp session by using the exit or quit commands. Use the following syntax:

exit n
quit n

Use the n argument to specify the exit value returned to the shell. The following example terminates a session and returns an exit value of 56 to the shell:

dirxcp> *exit 56*

Exit Codes

By default, dirxcp returns zero (0) on success and a non-zero value if a command fails. The exit codes for failure are:

1	An invalid command line was specified, for example, an invalid option (for example, you specified dirxcp -z)
2	The specified file does not exist (for example, you specified dirxcp zz.tcl, and zz.tcl does not exist)
3	The evaluation of the file failed (for example, you supplied an incorrect command in the file)
4	The evaluation of the command failed (for example, you specified an incorrect command on the dirxcp -c command line)
5	Tcl initialization failed

Startup Scripts

When you invoke dirxcp, the following script files are run in the order shown:

[info library]/init.tcl

Contains the standard Tcl initialization scripts with definitions for the unknown command and the auto_load facility. The Tcl command info library returns the location of the file init.tcl.

$dirxcp_library/init.dirxcp

Contains the initialization scripts that implement the dirxcp commands and tasks. The implementation sets the Tcl variable dirxcp_library to install_path*/client/conf*.

$HOME/.dirxcprc

Contains user customizations.

$TCL_PATH/user_script.tcl

Contains user-defined scripts within one or more user-specified directories defined with the TCL_PATH environment variable.

Command Syntax

A dirxcp command has the following syntax:

[object] operation [argument] [-option [opt_arg]] …

where:

object

Specifies the name of a dirxcp administration object. The dirxcp program supports the following objects:

abbr

Displays valid abbreviations for object classes, attributes, and structured attributes

args

Manages service controls associated with a DAP directory operation

ldapargs

Manages service controls associated with an LDAP directory operation

obj

Manages directory objects

Specifying an administration object is optional; if you do not specify an object on the command line, the specified operation is performed on the obj administration object.

For complete descriptions of these administration objects, refer to the individual object reference pages, for example, the obj reference page.

operation

Specifies the name of an action such as create, show, or delete, that is to be performed on an administration object. Refer to the individual object reference pages for complete descriptions of the operations supported by each dirxcp object. Common operations for all dirxcp objects are help and operations.

argument

Specifies the name of one or more specific objects to operate on. Most, but not all, dirxcp objects take an argument. Refer to the individual object reference pages for descriptions of the arguments supported by various objects.

-option

Specifies a qualifier that controls the precise behavior of a dirxcp command. Most, but not all, dirxcp commands take options. Some options take an argument, opt_arg, which can be a name or a value.

Line Continuation

dirxcp commands in scripts can use the backslash character (\) as the line continuation character. In interactive mode, there is no continuation character. Instead, you must continue typing. The line automatically wraps if your characters extend beyond the line end. If you press the Enter/Return key, the information you have typed is sent to the system for processing. You should press the Enter/Return key only when you have typed all information required for the command to process.

Command Processing

The dirxcp command supports the Tcl built-in commands as well as its own commands. A command unknown to dirxcp is passed to the unknown command, which evaluates it as follows:

If unknown finds the command is in a dirxcp script file, dirxcp runs it.
If unknown finds that the command is an executable Linux program, dirxcp runs it. Consequently, you can invoke any Linux command from the dirxcp prompt, for example, ls -l.
If unknown finds that you invoked the command at the top level of the dirxcp shell and that the command requests C-shell like history substitution (such as !!, !*number or *^*old\^new), *dirxcp emulates the C shell’s history substitution.
If unknown finds that you invoked the command at the top level of the dirxcp shell and the command is a unique abbreviation for another command, dirxcp runs that command.

Abbreviations

The dirxcp command uses of two mechanisms to allow all object names, operation names, and options to be abbreviated to the shortest unique string in interactive commands.

The first mechanism relies on the unknown command, whose behavior is described in the Command Processing section of this reference page.

The second mechanism is built into the individual dirxcp commands themselves. This mechanism allows the operation name to be abbreviated to the shortest unique string supported by the object, and the option names to be abbreviated to the shortest unique string representing an option supported by an object and operation. For example, consider the following dirxcp commands:

dirxcp> show -pretty
dirxcp> abbr operations

In the abbreviated form, the same operation can be entered as follows:

dirxcp> show -p
dirxcp> abbr o

Although abbreviating commands is a good way to save keystrokes in typing interactive commands, abbreviations are not recommended for use in scripts. New procedures in scripts can cause abbreviations to become ambiguous. Furthermore, abbreviations are not always portable. When scripts move to other machines, some definitions may be left behind so scripts will not work correctly. Always spell out complete names in scripts.

Tcl Variables

All dirxcp commands set several variables on invocation. The variables contain the name of the directory in which startup scripts are stored, the return value of the last command, and so on. To avoid unnecessary typing, you can substitute the value of these variables into the next command.

Tcl variables behave just like other variables in dirxcp. Thus, you can trigger variable substitution by prepending a dollar sign ($) before the name of the variable. Alternatively, you can trigger substitution by using set. The Tcl variables can only be set using the dirxcp program.

The dirxcp program defines the following variables:

_cwo

Holds the name of the current working object in the DIT. The following command sets the current working object:
```
dirxcp> set _cwo /O=my-company
```
The _cwo variable then contains the following value:
```
dirxcp> puts $_cwo
/O=my-company
```
Note that the variable is set to the specified value only if the object exists in the directory information tree (DIT); if the object does not exist, the command returns an error. The default current working object is the root of the DIT.

The _cwo variable is supported only for a default DAP bind. For LDAP binds and DAP binds with a specific bind ID, there is no such variable. (See section Bind Types and Bind IDs of this chapter for details.)

dirxcp_library

Holds the name of the directory in which the dirxcp startup scripts are stored. The user cannot set this variable.

_errormsg

Specifies whether the LDAP server should return additional information both in case of errors and success:
- TRUE - Provide additional information from LDAP server.
- FALSE - Don’t provide additional information from the LDAP server.
  
  On startup, dirxcp behaves as if _errormsg has been set to FALSE.
  
  The additional information either starts with “LDAP-Result” or “LDAP-ERROR”.
  
  Samples:
  dirxcp> *set _errormsg TRUE* dirxcp> bind –prot ldapv3 {{LDAP-Result: Bind succeeded}} dirxcp> modify cn=ddmin,o=my-company -replaceattr xxx=1234 Error: Undefined attribute type passed in operation. (LDAP-ERROR: Cannot handle modification for attribute type 'xxx')

_errormsgonly

Specifies whether the LDAP server should return additional information in case of errors.
- TRUE - Provide additional information from the LDAP server.
- FALSE - Don’t provide additional information from the LDAP server
  
  On startup, dirxcp behaves as if _errormsgonly has been set to FALSE.
  
  The additional information starts with LDAP-ERROR.
  
  In case of errors the output is the same as described for TCL variable _errormsg.

_localcode

Specifies the character set with one of the following keywords:
- Latin1 - Default Windows character set (only used in data files). This is the default value.
- UTF8 - LDAP / Tcl character set (only used in data files).
- PC850 - PC DOS character set only (only used in DOS windows).
  
  This variable is supported only on Windows systems.
  
  You can specify attribute values in different code sets independent of the value of this variable by using Tcl operations. For example, the value
  sn=k[encoding convertfrom utf-8 "\xc3\xcb"]bel
  specifies the value of the surname (sn) attribute in UTF-8 code.

_t61

Holds a flag that indicates whether user-specified strings are represented in T61 format. By default, dirxcp assumes that strings are specified in local format (ISO8859-1), and that conversion to T61 format must be performed. If this variable is set to true, dirxcp does not convert user-specified strings.

Line Recall and Editing

The dirxcp command uses the same line recall and editing features as the dirxadm command. Refer to Line Editing and Recall in the dirxadm section for more information.

Performing Operating System Commands

On Linux, operating system commands of the shell cannot be called directly from within dirxadm. They can be called in the following way:

dirxcp> *exec _operating_system_command_*

For example, to issue a Linux "join" command, you must type

dirxcp> *exec join _file1_ _file2_*

On Windows, operating system commands of the command interpreter cannot be called directly from within dirxadm. They are called in the following way:

dirxcp> *cmd /c _operating_system_command_*

For example, to issue issue a Windows "time" command, you must type

dirxcp> *cmd /c time /t*

Predefined procedures for listing a directory are provided that allow you to type the following commands directly:

dir options
ls
ls -l

Example

The following command sequence illustrates the use of dirxcp and Tcl commands to create an access control subentry. In this example, dirxcp has already been invoked.

puts "create /C=DE/CN=AC-subentry"
catch { create /C=DE/CN=AC-Subentry -attr attribute_list } status

if {$status == ""}
   then {puts "operation ok"}
   else {puts "$status"}

Return Values

All dirxcp operations return either a NULL to indicate the successful completion of an operation or a list of information requested by the user (such as the results of a search operation). If an error occurs, dirxcp returns an error message. The program uses the Tcl native error handling facility to log additional error information returned from commands. This information is stored in two global variables:

The errorInfo variable, which contains the stack trace of the error messages.

The errorCode variable, which is a Tcl list that contains two elements, DIRXCP (which identifies the program) and the numeric value of the error code. The following table lists the dirxcp error codes and error messages that can be returned. The error codes marked with an asterisk () can also be returned by *dirxadm.

Error Code	Error Message
4401 *	error while reading abbreviation file or syntax error with respect to abbreviations, e.g., abbreviation unknown.
4402 *	errors while converting string to internal structures and vice versa e.g., invalid attribute value.
4403 *	Conflicting option …
4404 *	Unknown option …
4405	Missing RDN.
4406	Missing new superior.
4407	Missing object name.
4408	Missing attribute information.
4409	Missing information for the new attribute values.
4410	Missing Directory Service Agent name.
4411	Missing Presentation Service Access Point address.
4412	Missing user name.
4413	Missing password.
4414	Missing filter value.
4415	Missing scope of search.
4416	Missing time limit.
4417	Missing size limit.
4418	Missing target system.
4419	Missing arguments.
4420	Invalid time limit …
4421	Invalid size limit …
4422	Unknown argument …
4423	Unable to initialize workspace.
4424	Perform bind operation first.
4425	Missing value.
4426	Format error - …
4427 *	Mismatched quotes - …
4428	Invalid parameter passed as an argument.
4429 *	Too many arguments.
4430	Entry not found.
4431 *	Subordinates not found.
4432	Insufficient memory to perform operation.
4435	Ambiguous option …
4436	Too many values.
4437	Missing authentication type.
4438	Unknown error.
4447	Invalid argument argument_value.
4501	Wrong bind session type. (Session type is DAP session whereas LDAP session is required (or vice versa).)
4502	Missing bind id.
4503	Invalid bind id …
4504	Latin.1/UTF8 conversion failed.
4505	Bind session identifier already in use.
4506	Missing server name.
4507	Missing server address.
4509	Missing protocol.
4510	Invalid protocol …
4511	Cannot set “_cwo”: _cwo is supported for a default DAP bind only.
4513	A structured attribute can’t be used in the sort keys of a paged results. (only relevant for DAP protocol).
4514	Wrong syntax for sortkey(s).
4515	Paging is not possible in this state.
4517	Invalid value (either for page size or paging type PAGING (for LDAP)).
4518	Missing path name for certificate-DB.
4519	SSL/SASL connections not supported (on SVR4).
4520	ASN.1 BER encoding failed.
4521	ASN.1 BER initialization failed.
4522	ASN.1 BER decoding failed.
4523	LDAP result control not found.
4524	Base64-decoding/encoding failed.
4525	Missing mechanism.
4526	Missing key3.db - file name.
4527	Missing 'key3password' value.
4528	Missing 'certsubject' value.
4529	Missing parameter '-sasl'.
4538	Failed to process file.
4601 *	Unknown option.
4602 *	Unknown argument.
4603 *	Invalid argument …
4605 *	Unknown operation …
4606 *	Missing operation.
4607 *	Too many arguments.
4608 *	Ambiguous operation.
4609 *	Error: Cannot unset …
4610 *	Insufficient memory.
4611	Missing bind id.
4615	Conflicting option …
4801	Operation affects multiple DSAs.
4802	An alias is encountered where an alias is not permitted.
4803	An alias is dereferenced that names an object that does not exist.
4804	ASN.1 decoding failed.
4805	ASN.1 encoding failed.
4806	Initialization of ASN.1 utility failed.
4807	Attribute or attribute value already exists.
4808	Bad argument.
4809	Bad class.
4810	Bad context.
4811	Bad name.
4812	Bad session.
4813	Bad workspace.
4814	Directory system is busy.
4815	Operation can’t be abandoned.
4816	Operation requires chaining operation mode.
4817	Problem with communication stack.
4818	DUA configuration file missing.
4819	DUA configuration file corrupted.
4820	Connection is busy.
4821	Constraint violation.
4822	DIT is inconsistent.
4823	Object already exists.
4824	Credentials expired.
4825	Fatal error.
4826	The function does not apply to the object to which it is addressed.
4827	The function was aborted by an external force.
4828	Communication problem (ICOM-attach failed).
4829	Communication problem (ICOM-detach failed).
4830	Communication problem (ICOM-receive failed).
4831	Communication problem (ICOM-send failed).
4832	Inappropriate authentication.
4833	Inappropriate matching.
4834	Initialization failed.
4835	Insufficient access rights.
4836	Operation interrupted.
4837	Invalid attribute syntax.
4838	Invalid attribute value.
4839	Invalid credentials.
4840	Invalid memory reference.
4841	Invalid signature.
4842	Invalid workspace.
4843	Loop detected while performing operation.
4844	Insufficient memory to perform operation.
4845	Fatal error.
4846	The attribute type is not included in the AVA.
4847	An attempt was made to start a synchronous operation with outstanding asynchronous operations.
4848	Naming violation.
4849	Network problems.
4850	Security error with no other information being available.
4851	Attribute or attribute value doesn’t exist.
4852	The object doesn’t exist.
4853	Operation to be abandoned doesn’t exist.
4854	Workspace doesn’t exist.
4855	Operation not allowed on non-leaf entries.
4856	Operation not allowed on RDN.
4857	Unsupported feature.
4858	Object class modification prohibited.
4859	Object class violation.
4860	Referral or partial outcome qualifier is outside the required scope.
4861	An invalid pointer supplied as a function argument.
4862	Protection required (signed operation required).
4863	Generation of signature failed.
4864	Validation of signature failed.
4865	System error.
4866	Temporary difficulty encountered.
4867	Time limit exceeded.
4868	Abandon failed: too late.
4869	Too many outstanding operations.
4870	Too many sessions. No more sessions can be started.
4871	The DSA does not have the administrative authority over the particular naming context.
4872	Directory system unavailable.
4873	Critical service extension cannot be provided.
4874	Undefined attribute type passed in operation.
4875	Unexpected PDU passed/received in operation.
4876	Directory system is unwilling to perform the operation.
4877	Warning.
4878	Local abort received.
4879	Abandon received.
4880	Can’t invoke operation.
4881	Communication problem (Can’t create subscriber).
4882	Bind to DSA failed.
4883	Can’t convert DSA name of DUA configuration file.
4884	Can’t convert requestor name.
4885	Can’t convert target name of DUA configuration file.
4886	Can’t convert DSA address of DUA configuration file.
4887	Communication problem (Can’t enable binding).
4888	Communication problem (Can’t delete binding).
4889	(Unknown) error returned from DSA.
4890	Incoming authentication failed.
4891	Outgoing authentication failed.
4892	Remote abort received.
4893	(Unknown) service error.
4894	(Unknown) attribute error.
4895	(Unknown) name error.
4896	Referral returned.
4897	(Unknown) security error.
4898	Abandon failed.
4899	(Unknown) update error.
4900	Administrative limit exceeded.
4901	Invalid query reference.
4902	Unknown error from DSA received.
4903	Reject received.
4904	Missing default DSA / LDAP server.
4905	Illegal LDAP filter.
4906	LDAP protocol error.
4907	Unknown DUA error.
4908	New superior object doesn’t exist.
4909	LDAP operation error.
4910	Offset range error.
4911	Missing sort control.
4912	Evaluation copy expired.

The program also provides a catch command to help scripts catch errors and invoke error handlers.

Viewing Output

In interactive mode, Tcl lists are written to stdout. However, in command-line mode, the Tcl lists are not displayed. To display them, use the Tcl command puts. For example, the commands:

% dirxcp -c “bind; puts [show /O=my-company/OU=Sales/CN=naik]”
% dirxcp -c “bind; catch \{show /O=my-company/OU=Sales/CN=naik}
result; puts $result”

print the results of a obj show operation to stdout.

Many dirxcp operations take a -pretty option, which causes the results of the operation to be formatted into tables. Each page of -pretty output is 23 lines in length. Use the following dirxcp scrolling commands to view multiple pages of output:

View the nth page

*-*n

Skip n pages backward

*+*n

Skip n pages forward

View the last page

Exit viewing

SPACE

Advance to the next page

Advance one line

Note that if you specify the -pretty option, the return value is NULL, not a Tcl list.

abbr (dirxadm, dirxcp)

See the dirxadm section for information on the abbr object.

Attribute and attribute component abbreviations are used only for DAP binds. For LDAP binds the LDAP names defined in the system schema must be used. See sections Attribute Table and Object Classes Table of chapter DirX Directory Default DSA Schema for the LDAP names of attributes and object classes of the default schema.

args (dirxcp)

Synopsis

args help [operation | -verbose]

args operations

args modify
[-bindid bid]
{-default |
[-attributesizelimit {limit | INFINITE}]
[-automaticcontinuation {TRUE | FALSE}]
[-chainingprohibited {TRUE | FALSE}]
[-copyshalldo {TRUE | FALSE}]
[-dontdereferencealias {TRUE | FALSE}]
[-dontusecopy {TRUE | FALSE}]
[-localscope {TRUE | FALSE}]
[-preferchain {TRUE | FALSE}]
[-priority {LOW | MEDIUM | HIGH}]
[-protectionrequest {TRUE | FALSE}]
[-scopeofreferral {COUNTRY | DMD | UNLIMITED}]
[-signedrequest {TRUE | FALSE}]
[-subentries {TRUE | FALSE}]
[-sizelimit {limit | INFINITE}]
[-timelimit {limit | INFINITE}]}

args show [-bindid bid] [-pretty]

Purpose

A dirxcp object that manages the service controls for DAP binds. The operations of the args object should only be issued for established DAP binds.

Arguments

operation

The name of the args operation for which to display help information.

Operations

args help

Returns help information about the args object and its operations. The syntax is as follows:

args help [operation | -verbose]

Options

-verbose

Displays information about the args object.

Used without an argument or option, the args help command returns brief information about each args operation. Use the operation argument to return a description of the options associated with the operation you specify. Alternatively, you can use the -verbose option to return a description of the args object itself.

Example

args help

The output of the sample command is as follows:

modify

Modifies the service controls.

show

Shows the service controls.

help

Displays help text for the ‘args’ object and its operations.

operations

Lists the operations that can be performed on the ‘args’ object.

args modify

Changes the service controls associated with directory operations using a DAP bind. The syntax is as follows:

args modify
[-bindid bid]
{-default |
[-attributesizelimit {limit | INFINITE}]
[-automaticcontinuation {TRUE | FALSE}]
[-chainingprohibited {TRUE | FALSE}]
[-copyshalldo {TRUE | FALSE}]
[-dontdereferencealias {TRUE | FALSE}]
[-dontusecopy {TRUE | FALSE}]
[-localscope {TRUE | FALSE}]
[-preferchain {TRUE | FALSE}]
[-priority {LOW | MEDIUM | HIGH}]
[-protectionrequest {TRUE | FALSE}]
[-scopeofreferral {COUNTRY | DMD | UNLIMITED}]
[-signedrequest {TRUE | FALSE}]
[-subentries {TRUE | FALSE}]
[-sizelimit {limit | INFINITE}]
[-timelimit {limit | INFINITE}]}

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-attributesizelimit {limit | INFINITE}

Sets the maximum size (in octets) of an attribute to be returned. Specify a non-negative integer or the keyword INFINITE. The default value is INFINITE.

-automaticcontinuation {TRUE | FALSE}

Controls whether or not continuation referrals are processed automatically. A value of FALSE means that referrals are returned to dirxcp. A value of TRUE causes dirxcp to process referrals automatically. The default value is TRUE.

-chainingprohibited {TRUE | FALSE}

Controls whether or not a contacted DSA is allowed to chain an operation (automatically contact other DSAs) if it cannot completely satisfy a request. The default value is FALSE.

-copyshalldo {TRUE | FALSE}

Controls whether or not an operation can be completed using a partial copy of the entry. The default value is FALSE. A value of TRUE is meaningful only if the option
-dontusecopy is set to FALSE.

-default

Sets the service controls to the following values:

Attribute Size Limit

INFINITE

Automatic Continuation

TRUE

Chaining Prohibited

FALSE

Copy Shall Do

FALSE

Don’t Dereference Alias

FALSE

Don’t Use Copy

TRUE

Local Scope

FALSE

Prefer Chaining

TRUE

Priority Of Request

MEDIUM

Protection Request

FALSE

Scope Of Referral

UNLIMITED

Signed Request

FALSE

Size Limit

INFINITE

Subentries

FALSE

Time Limit

INFINITE

Do not use this option with any other options.

-dontdereferencealias {TRUE | FALSE}

Controls whether or not aliases found in the path of a query are dereferenced to the entries to which they refer. A value of TRUE prohibits alias entries to be referenced, rather than the aliased entries. The default value is FALSE.

-dontusecopy {TRUE | FALSE}

Controls whether or not an object’s shadow entry shall be used to satisfy a request. The default value is TRUE.

-localscope {TRUE | FALSE}

Controls whether an operation is limited to the objects in the DSA to which dirxcp is currently bound, or whether other DSAs can be contacted. The default value is FALSE.

-preferchain {TRUE | FALSE}

Indicates whether or not the preferred behavior for a DSA to contact other DSAs for chaining operations. A value of TRUE requests the DSA to contact other DSAs automatically. Whether or not the contacted DSA actually chains an operation depends, for example, on whether it is configured to chain. A value of TRUE is meaningful only if the -chainingprohibited option is set to FALSE. The default value is TRUE.

-priority {LOW | MEDIUM | HIGH}

Sets the priority of a request. The default value is MEDIUM.

-protectionrequest {TRUE | FALSE}

Sets the preferred level of protection for results. If set to TRUE, it is a request for signed results. The default value is FALSE.

-scopeofreferral {COUNTRY | DMD | UNLIMITED}

Specifies the scope for return of DSA referrals. If set to COUNTRY or DMD, only referrals to DSAs within the COUNTRY or DMD scope are returned. The default value is UNLIMITED.

-signedrequest {TRUE | FALSE}

Controls whether or not the digital signature of the requester must be appended to the operation arguments. The default value is FALSE.

-subentries {TRUE | FALSE}

Controls whether or not a list or search operation returns subentries. If set to TRUE, the operation returns only subentries and normal entries become inaccessible. The default value is FALSE.

-sizelimit {limit | INFINITE}

Sets the maximum number of objects returned for list and search operations. Specify a non-negative integer or the keyword INFINITE. The default value is INFINITE.

-timelimit {limit | INFINITE}

Sets the maximum elapsed time in seconds for completion of an operation. If a list or search operation does not complete by the specified limit, the operation returns an arbitrary selection of results accumulated before exceeding the time limit. Specify a non-negative integer or the keyword INFINITE. The default value is INFINITE.

The modify operation changes one or more service control settings to be used in all subsequent directory operations using the specified DAP bind. Specify one or more of the options that correspond to the service controls you want to set. Alternatively, you can specify the -default option to set the control services to their default values.

Service control settings for a specific bind ID are lost when an unbind operation is issued for this bind ID. A subsequent bind operation resets the service controls to the default values for the specified bind ID. The service controls are not reset to the default values if the default bind is used. (See obj bind operation for details.)

Examples

The following sample command performs the following tasks:
- Limits the size of the results returned to five objects
- Specifies an infinite limit on the amount of time in which an operation can complete
- Allows copies to be present in a result
  args modify -sizelimit 5 \ -timelimit INFINITE \ -copyshalldo TRUE
The following sample command sets the service controls to the default settings:
```
args modify -default
```

The following sample command shows the default values.

args show -pretty

The output of the sample command as follows:

Attribute Size Limit    - INFINITE
Automatic Continuation  - TRUE
Chaining Prohibited     - FALSE
Copy Shall Do           - FALSE
Don't Dereference Alias - FALSE
Don't Use Copy          - TRUE
Local Scope             - FALSE
Prefer Chaining         - TRUE
Priority Of Request     - MEDIUM
Protection Request      - FALSE
Scope Of Referral       - UNLIMITED
Signed Request          - FALSE
Size Limit              - INFINITE
Subentries              - FALSE
Time Limit              - INFINITE

args operations

Returns a list of operations that can be performed on the args object. The syntax is as follows:

args operations

The list of available operations is in alphabetical order except for help and operations, which are listed last.

Example

args operations

The output of the sample command as follows:

modify show help operations

args show

Shows the service control settings currently in use for DAP binds. The syntax is as follows:

args show [-bindid bid] [-pretty]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-pretty

Displays the results of the operation in tabular format.

By default, the results of the show operation are returned as a Tcl list. Use the -pretty option to display the results in a tabular, more readable format.

Example

args show

The output of the sample command is as follows:

{attributesizelimit INFINITE} {automaticcontinuation TRUE} {chainingprohibited FALSE} {copyshalldo FALSE} {dontdereferencealias FALSE} {dontusecopy TRUE} {localscope FALSE} {preferchain TRUE} {priority MEDIUM} {protectionrequest FALSE} {scopeofreferral UNLIMITED} {signedrequest FALSE} {sizelimit INFINITE} {subentries FALSE} {timelimit INFINITE}

ldapargs (dirxcp)

Synopsis

ldapargs help [operation | -verbose]

ldapargs operations

ldapargs modify
[-bindid bid]
{-default |
[-dereferencealias {ALWAYS | NEVER | SEARCHING | FINDING}]
[-followreferral {TRUE | FALSE}]
[-sizelimit {limit | INFINITE}]
[-timelimit {limit | INFINITE}]}

ldapargs show [-bindid bid] [-pretty]

Purpose

A dirxcp object that manages the service controls for LDAP binds. The operations of the ldapargs object can only be issued for established LDAP binds.

Arguments

operation

The name of the ldapargs operation for which to display help information.

Operations

ldapargs help

Returns help information about the ldapargs object and its operations. The syntax is as follows:

ldapargs help [operation | -verbose]

Options

-verbose

Displays information about the ldapargs object.

Used without an argument or option, the ldapargs help command returns brief information about each ldapargs operation. Use the operation argument to return a description of the options associated with the operation you specify. Alternatively, you can use the -verbose option to return a description of the ldapargs object itself.

Example

ldapargs help

The output of the sample command as follows:

modify

Modifies the service controls.

show

Shows the service controls.

help

Displays help text for the ‘ldapargs’ object and its operations.

operations

Lists the operations that can be performed on the ‘ldapargs’ object.

ldapargs modify

Changes the service controls for LDAP binds. The syntax is as follows:

ldapargs modify
[-bindid bid]
{-default |
[-dereferencealias {ALWAYS | NEVER | SEARCHING | FINDING}]
[-followreferral {TRUE | FALSE}]
[-sizelimit {limit | INFINITE}]
[-timelimit {limit | INFINITE}]}

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-default

Sets the service controls and options to the following values:

Dereference Alias

ALWAYS

Follow Referral

TRUE

Size Limit

INFINITE

Time Limit

INFINITE

Do not use this option with any other options except with the option -bindid.

-dereferencealias {ALWAYS | NEVER | SEARCHING | FINDING}

Controls handling of aliases in directory operations. An alias is an entry that refers to another entry (the target). During directory operations aliases may be replaced by the target (dereferenced). To control when this occurs, specify one of the following keywords:
- ALWAYS
- NEVER
- SEARCHING—Aliases are dereferenced during a search but not when locating the base object of the search.
- FINDING— Aliases are dereferenced when locating the base object of the search but not during the search.
The default value is ALWAYS.

-followreferral {TRUE | FALSE}

Controls whether or not referrals returned by a search operation are followed automatically. If referrals are followed no credentials are submitted. The search of the referral is always performed as anonymous user. The default value is TRUE.

-sizelimit {limit | INFINITE}

Sets the maximum number of objects returned for list and search operations. Specify a non-negative integer or the keyword INFINITE. The default value is INFINITE.

-timelimit {limit | INFINITE}

Sets the maximum elapsed time in seconds for completion of an operation. If a list or search operation does not complete by the specified limit, the operation returns an arbitrary selection of results accumulated before exceeding the time limit. Specify a non-negative integer or the keyword INFINITE. The default value is INFINITE.

The modify operation changes one or more service control settings to be used in all subsequent directory operations of the specified LDAP bind. Specify one or more of the options that correspond to the service controls you want to set. Alternatively, you can specify the -default option to set the control services to their default values.

Examples

The following sample command performs the following tasks for the LDAP bind corresponding to the binding id hawkL3:
- Limits the size of the results returned to 500 objects
- Limits the amount of time to 30 seconds in which an operation can complete
```
ldapargs modify -bindid hawkL3 -sizelimit 500 -timelimit 30
```
The following sample command sets the service controls for the LDAP bind corresponding to the bind ID hawkL3 to the default values:
```
ldapargs modify -bindid haekL3 -default
```

ldapargs operations

Returns a list of operations that can be performed on the ldapargs object. The syntax is as follows:

ldapargs operations

The list of available operations is in alphabetical order except for help and operations, which are listed last.

Example

ldapargs operations

The output of the sample command is as follows:

modify show help operations

ldapargs show

Shows the service control settings currently in use for LDAP binds. The syntax is as follows:

ldapargs show [-bindid bid] [-pretty]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-pretty

Displays the results of the operation in tabular format.

By default, the results of the show operation are returned as a Tcl list. Use the -pretty option to display the results in a tabular, more readable format.

Example

bind -prot LDAPv3 +
ldapargs show -pretty

The output of the sample command is as follows:

Dereference Alias - ALWAYS
Follow Referral   - TRUE
Size Limit        - INFINITE
Time Limit        - INFINITE

obj (dirxcp)

Synopsis

[obj] bind
[-bindid bid]
[-dsa distinguished_name | -psap psap_address]
[-authentication auth_method]
[-password password[,totp] | -pwdfile password_file]
[-user username]
[-protocol protocol]
[-server ldap_server_name | -address ldap_server_address]
[-ssl]
[-sasl] [-certsubject nickname]
[-key3password key3_password]
[-mechanism mechanism]
[-status [-bindid bid1 [bid2 …]]]
[-control control_ids[,criticality[,value]]]

[obj] compare [distinguished_name]
-attribute attribute
[-bindid bid]
[-control control_ids[,criticality[,value]]]

[obj] create distinguished_name
-attribute attribute_list
[-bindid bid]
[-control control_ids[,criticality[,value]]]

[obj] delete distinguished_name
[-bindid bid]
[-control control_ids[,criticality[,value]]]

[obj] help [operation | -verbose]

[obj] list [distinguished_name]
[-bindid bid]
[-pretty]
[-control control_ids[,criticality[,value]]]

[obj] moddn [distinguished_name]
[-bindid bid]
[-dontdeleteoldrdn]
{-newsuperior new_superior [-rdn name_part] | -rdn name_part}
[-control control_ids[,criticality[,value]]]

[obj] modify [distinguished_name]
[-bindid bid]
{-addattr attribute_list |
-changeattr old_attribute new_attribute |
-removeattr attribute_list |
-replaceattr attribute_list}
[-control control_ids[,criticality[,value]]]

[obj] nextpage
[-bindid bid]
[-pretty]
[-terminate]
[-vpagesize page_size]
[-control control_ids[,criticality[,value]]]

[obj] operations

[obj] search [distinguished_name]
[-bindid bid]
[-allattr |
-alloperationalattr |
-alluserattr |
-attribute abbreviation …]
{-baseobject |
-onelevel |
-subtree}
[-filter filter]
[-matchedvaluesonly]
[-noaliases]
[-pretty]
[-types]
[-vpagesize page_size]
attr_type]
[-vtype {SUBENTRY | SIMPLE}]
[-control control_ids[,criticality[,value]]]

[obj] show [distinguished_name]
[-bindid bid]
[-allattr |
-alloperationalattr |
-alluserattr |
-attribute abbreviation …]
[-pretty]
[-types]
[-control control_ids[,criticality[,value]]]

[obj] starttls
[-bindid bid]

[obj] unbind
[-bindid bid]

[obj] verify_abbr
[-dsa distinguished_name]

Purpose

A dirxcp object that manages objects in the directory information tree (DIT) via the directory access protocol (DAP) or the LDAP protocol. (See obj bind operation for details.)

Arguments

distinguished_name

The name of an object to act on. Supply an object name as follows:
1. For DAP binds:
  - Complete distinguished name, in the form
    
    /distinguished_name
    
    For example:
    {/O=my-company/OU=board/CN=mueller peter}
  - Relative distinguished name, in the form
    
    distinguished_name
    
    This name refers to a distinguished name that is relative to the current working object identified in the _cwo Tcl variable. For example:
    
    {CN=mueller peter}
    
    is relative to the current working object
    
    dirxcp> set _cwo {/O=my-company/OU=board} /O=my-company/OU=board
    
    dirxcp> *show \{CN=mueller peter} -attr SN -p* + 1) /O=my-company/OU=board/CN=mueller peter + Surname: Mueller
2. For LDAP binds, there is no current working object. Supply the complete distinguished name in the form:
  
  distinguished_name
  
  For example:
  {cn=mueller peter,ou=board,o=my-company}
  
  See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for complete information on distinguished name format.
  
  If no distinguished_name argument is specified, the operation acts on the current working object.

operation

The name of the obj operation for which to display help information.

-control Option

The -control option is only available for operations performed over LDAPv3 protocol. The controls extend the LDAP server operation and are intended to optimize operations, for example search operations with a large search result. The syntax is as follows:

-control control_ids[,criticality[,value]]

where

control_ids

Specifies one object identifier (OID) or abbreviation or a list of OIDs or abbreviations separated by a semicolon (;) and enclosed in curly braces ({}), for example {1.3.12.2.1107.1.3.2.12.12;RELAXEDUPD}. See DirX Directory Attributes → X.500 User Application Attributes → Attributes of the LDAP Root Subentry → Supported Control in the DirX Directory Syntaxes and Attributes for a list of supported controls.

criticality

Specifies whether the LDAP operation must fail (value 1), or whether the LDAP server can ignore the control and perform the operation (value 0) if the control does not apply. If the LDAP operation fails, the LDAP server returns the error code Unsupported Critical Extension. The default is 1.

value

Specifies a control-specific value. Specify either a string, for example (title=dr.), or a filename enclosed in angle brackets (<*filename>*). The file contains a binary value. Backslashes in the filename must be escaped with an additional backslash, for example <C:\\tmp\\LDAPServerControls\\control1.value>. The default is no value.

Multiple -control options can be specified for an operation.

Examples

-control {1.3.12.2.1107.1.3.2.12.12;RELAXEDUPD) -control CONDOP,1,(title=dr.)

-control CONDOP,1,<C:\\tmp\\LDAPServerControls\\control1.value>

Operations

obj bind

Establishes a binding between dirxcp and a DSA or an LDAP server. The syntax depends upon the protocol type (-protocol option) and the security level to be used.

For DAP binds (default), the following syntax must be used:

[obj] bind
[-bindid bid]
[-dsa distinguished_name | -psap psap_address]
[-authentication auth_method]
[-password password[,totp] | -pwdfile password_file]
[-user username]
[-protocol DAP]

For LDAPv2 binds (-protocol LDAPv2), the following syntax must be used:

[obj] bind
[-bindid bid]
[-authentication auth_method]
[-password password[,totp] | -pwdfile password_file]
[-user username]
-protocol LDAPv2
[-server ldap_server_name | -address ldap_server_address]
[-ssl]

For LDAPv3 binds (-protocol LDAPv3), the following syntax must be used:

Anonymous bind over plain LDAPv3 protocol:

[obj] bind
[-bindid bid]
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
[-control control_ids[,criticality[,value]]]
Simple authenticated bind over plain LDAPv3 protocol:

[obj] bind
[-bindid bid]
-authentication simple
{-password password[,totp] | -pwdfile password_file}
-user username
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
[-control control_ids[,criticality[,value]]]
Anonymous bind over SSL-protected LDAPv3 protocol (encrypted data transfer):

[obj] bind
[-bindid bid]
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
-ssl
[-control control_ids[,criticality[,value]]]
Simple authenticated bind over SSL-protected LDAPv3 protocol (encrypted data transfer):

[obj] bind
[-bindid bid]
-authentication simple
{-password password[,totp] | -pwdfile password_file}
-user username
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
-ssl
[-control control_ids[,criticality[,value]]]
SASL-authenticated bind over SSL-protected LDAPv3 protocol (encrypted data transfer and certificate-based client authentication):

[obj] bind
[-bindid bid]
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
-sasl
-certsubject nickname
-key3password key3_password
-mechanism EXTERNAL
[-control control_ids[,*criticality[,*value]]]

To display the status of currently established binds, the following syntax must be used:

[obj] bind -status [-bindid bid1 [bid2 …]]

Options

-address ldap_server_address

The real address of an LDAP server. Specify ldap_server_address in the following formats:
- host1[:_port1_][,host2[:_port2_][,…]]
where hostn is either an IP address or a DNS (domain name server) name and portn is a port number (<32767). 389 is used as the default port number unless the -ssl option or the -sasl option and the -mechanism EXTERNAL options are specified; in this case, the default port number is 636.

If more than one real address is specified, an attempt is made to establish a connection using real addresses from left to right.

You can specify this option as an alternative to the -server option.

-authentication auth_method

The authentication method to be applied. Supply one of the following keywords:
- simple—Simple unprotected authentication
- simple_pr1—Simple-protected authentication (password is encrypted)
For LDAP binds, only simple unprotected authentication is supported.

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-certsubject nickname

The nickname that the Mozilla ldapssl library uses to select the correct certificate and key from the cert8.db file and the key3.db file. Use the Mozilla certutil tool to view the contents of a cert8.db file to obtain the nicknames of the client certificates.

This option is mandatory when the -sasl option is specified and the value of the
-mechanism option is EXTERNAL.

-dsa distinguished_name

The name of the target DSA. Specify the complete distinguished name of the DSA to which you want to bind. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of distinguished name syntax.

dirxcp uses distinguished_name to search the client configuration file dirxcl.cfg for an entry specifying the DSA´s real address.

You can specify this option as an alternative to the -psap option.

-key3password key3_password

The password that protects the key3.db file. Use the Mozilla certutil tool to change the value of this password. The password protects the private keys stored in the key3.db file.

This option is mandatory when the option -sasl is specified and the value of the
-mechanism option is EXTERNAL.

-mechanism mechanism

The SASL mechanism to use for client authentication and for the security layer. Supply the EXTERNAL keyword (case-sensitive) to use SSL/TLS certificate-based client authentication as the client authentication mechanism and SSL/TLS as the security layer. If a client uses this authentication mechanism and SSL/TLS as the security layer, the directory service authenticates the subject name of the certificate that is specified by the
-certsubject option.

This option is mandatory when the –sasl option is specified.

-password password[,totp]

The password associated with the user on whose behalf the bind request is being made.

When time-based one-time password two-factor authentication (TOTP 2FA) is configured for the user, the user password must be appended with a comma (“,”) and the six digit TOTP presented to the user by a TOTP authenticator app. For example, if the user password is dirx and the TOTP is 123456, the password option is specified as follows

        -password dirx,123456

Note that reusing a TOTP for a bind operation is not allowed.

-pwdfile password_file

The path to a file containing the password for bind (see the -password option). The password must be the only content of this file. When creating the file, the password must be specified in plain ASCII format. After the first successful reading by the application, the password is symmetrically encrypted and the file is rewritten to provide protected local storage.

-protocol protocol

The protocol to be used for the bind. Supply one of the following keywords (case-insensitive):
- DAP—DAP bind (default)
- LDAPv2—LDAPv2 bind
- LDAPv3—LDAPv3 bind
Specifying this option overrides the protocol specification field in the client configuration file dirxcl.cfg.

-psap psap_address

The PSAP address of the DSA, for example TS=DSA1,NA=´TCP/IP!internet=121.0.0.1+port=21100´.

You can specify this option as an alternative to the -dsa option.

-sasl

The bind is to be performed using SASL protocol. This option is only supported for LDAP v3 protocol (-protocol option is LDAPv3).

-server ldap_server_name

The symbolic name of an LDAP server. dirxcp uses ldap_server_name to search the client configuration file dirxcl.cfg for an entry specifying the LDAP server´s real address and protocol type.

You can specify this option as an alternative to the -address option.

-ssl

The bind is to be performed using SSL/TLS protocol. This option is only supported for LDAP protocol (when the -protocol option is LDAPv3 or LDAPv2).

-status [-bindid bid1 [bid2 …]]

Reports status of specified bind IDs bidn or all bind IDs currently in use (including the default bind). This option is mutually exclusive to all other options.

-user username

The name of the user on whose behalf the bind request is being made. Specify the complete distinguished name of the user. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of distinguished name syntax.

-control control_ids[,criticality[,value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

Multiple binds are supported using bind IDs and the concept of a default bind. A bind ID is a string specified in the option -bindid associated with either an LDAP or a DAP bind. Bind IDs may be used in other dirxcp commands to refer to a specific bind.

A bind operation (or any other operation) without specifying a bind ID opens (or refers to) a default bind. There is only one default bind at a time and this can be either an LDAP or a DAP bind.

When used without options, the bind operation creates an anonymous default bind to the default DSA, which is the first DSA listed in the client configuration file dirxcl.cfg.

Use the -dsa or -psap options to bind to a specific DSA.

Use the -server or -address options to bind to a specific LDAP server.

The option -dsa can be used synonymously for -server and -address synonymously for -psap.

If no DSA or LDAP server is specified in the options (i.e., none of the options -dsa, -psap,
-server, and -address is specified) the obj bind operation searches the client configuration file dirxcl.cfg for the first line that matches the protocol type specified in the option -protocol (or DAP if -protocol is not specified). The address from this line is used to establish a bind.

If LDAPv2 or LDAPv3 is specified in the -protocol option and no LDAP server address line is specified in the client configuration file dirxcl.cfg a bind to the local LDAP server is established.

Use the -authentication option to establish a specific authentication method. If you specify simple or simple-protected authentication, you must supply the -user option and one of the following options: -password or -pwdfile. The password you supply for simple authentication is sent as clear text, even if the password_file is used. The password you supply for simple-protected authentication is sent encrypted.

Use the -ssl option to establish Secure Socket Layer (SSL)/Transport Layer Security (TLS) for the bind operation when the -protocol option specifies LDAPv2 or LDAPv3. When you specify this option, the obj bind operation authenticates the LDAP server using the certificate information in the file specified in the DIRX_TRUSTED_CA environment variable or in the install_path*/client/conf/cert8.db* certificate database, if the environment variable is not set. See the SSL/TLS Certificate Database section in the DirX Directory Files chapter for more information about SSL/TLS certificate authentication.

Use the -sasl option to establish Simple Authentication and Security Layer (SASL) client authentication and Secure Socket Layer (SSL)/Transport Layer Security (TLS) for the bind operation when the -protocol option specifies LDAPv3. See the recommendations made in the document entitled Authentication Methods for LDAP (RFC 2829) and Lightweight Directory Access Protocol (v3): Extensions for Transport Layer Security (RFC 2830) for details.

The -sasl option includes the -ssl option.

When an obj bind operation is called with a specific bind ID, the operation sets the service controls for the bind to the default values; see the reference page for the ldapargs modify operation for a list of default values for LDAP binds and the reference page for the args modify operation for a list of default values for DAP binds. When an obj bind operation is called without a bind ID (a default bind), the operation sets the service controls to the default values when the protocol to be used changes. For example, the operation sets the service controls to their default values when the last default bind used LDAPv2 protocol and the default bind to be performed uses LDAPv3 protocol.

Example

bind -user /o=my-company/CN=admin \
     -passw dirx \
     -auth simple_pr1
bind -user /o=my-company/CN=admin \
     -pwdfile {c:\dirx\tmp\adp.txt} \
     -auth simple_pr1
bind -user /o=my-company/CN=admin \
     -passw dirx \
     -auth simple_pr1 \
     -psap TS=DSA1,NA=´TCP/IP!internet=165.26.143.71+port=17004´
bind -user cn=admin,o=my-company -password dirx -auth simple \
     -protocol LDAPv3 -address hawk.virt.de.com -bindid hawkL3
bind -user cn=admin,o=my-company -password dirx,123456 -auth simple \
     -protocol LDAPv3 -address hawk.virt.de.com -bindid hawkL3
bind -sasl -mech EXTERNAL -certsubject Admin-Nickname \
     -key3password zorro99 -prot LDAPv3
bind -status

The command output is as follows:

 1) Connection:
    Bind-ID:             : hawkL3
    Protocol:            : LDAPv3
    Address:             : hawk.virt.de.com
    User-Name:           : cn=admin,o=my-company
    Authentication Type: : simple
    Status:              : bound
 2) Connection:
    Bind-ID:             : (default)
    Protocol:            : DAP
    Status:              : unbound

obj compare

Compares an attribute name and value with the attribute names and values of an object in the DIT. The syntax is as follows:

[obj] compare [distinguished_name]
-attribute attribute
[-bindid bid]
[-control control_ids[,criticality[,value]]]

Options

-attribute attribute

A required option that specifies the attribute and attribute value to compare. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of attribute type and value syntax.

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-control control_ids[,criticality[,value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

Use the obj compare operation to determine whether an attribute contains a specific value. By default, the compare operation compares the specified attribute and value with the attributes and values of the current working object.

Specify a distinguished name to perform the operation on a specific object. If the specified attribute contains the specified value, the operation returns the text M=TRUE (meaning Matched=TRUE); if the value is not present, it returns M=FALSE.

If the specified attribute was found in a shadow entry, the operation returns the text FE=false (meaning From-Entry=FALSE). This is not supported for LDAP binds.

If the match was achieved in a subtype, the operation returns text in the form MS=*attribute (meaning Matched-Subtype=attribute), where attribute is the attribute abbreviation (or object identifier, if no abbreviation is present in an abbreviation file) that corresponds to the subtype; for example, *MS=CN, or MS=2.5.6.91. This is not supported for LDAP binds.

You can abandon an outstanding compare operation by interrupting dirxcp. (Press the Del or Ctrl and C key, dependent on your keyboard configuration, and dirxcp will send out an Abandon operation to the directory server.) This is not supported for LDAP binds.

Example

obj compare /O=my-company/OU=asw/CN=zapf \
            -attr TN=55029

obj create

Creates a new object in the DIT. The syntax is as follows:

[obj] create distinguished_name
-attribute attribute_list
[-bindid bid]
[-control control_ids[,*criticality[,*value]]]

Options

-attribute attribute_list

A required option that specifies one or more attributes to be applied to the object. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a complete description of directory service attribute, attribute types, and attribute list formats.

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-control control_ids[,criticality[,value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

The create operation creates a new object in the directory information tree. The distinguished_name argument is the name of the object to be created and can be specified as a complete distinguished name or a distinguished name relative to the current working object (cwo Tcl variable). Note that the current working object is supported only for a default DAP bind. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in _DirX Directory Syntaxes and Attributes for a complete description of distinguished name formats.

Use the -attribute option to specify the attributes to be applied to the newly created object. You must specify the ObjectClass (OCL) attribute as an attribute_list element; specifying additional attributes is optional. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a complete list of the supported attribute types and attribute list formats. By default, the dirxcp program creates the operational attributes creation-time, creators-name, structural-object-class, and governing-structure-rule.

Examples

The following sample command creates the organization “my-company”.

create {/O=my-company} \
       -attribute OCL=org {DSC=my-company usa}

The following sample command creates the organizational-unit “engineering” underneath the “my-company” organization with the telephone-number attribute TN=+1 964 123.
```
create {/O=my-company/OU=engineering} \ +
       -attribute OCL=ou {DSC=engineering department} {TN=+1 964 123}
```
The following sample command creates the organizational-person “hughes” whose telephone number is “423423” within the engineering organization and whose surname is “hughes” and whose given name is “peter”.
```
create {/O=my-company/OU=engineering/CN=hughes} \
       -attribute {OCL=orp;per;iper} {DSC=software-engineer}\
                  {TN=+1 964 123 423423} SN=hughes GN=peter
```

obj delete

Deletes objects from the DIT. The syntax is as follows:

[obj] delete distinguished_name
[-bindid bid]
[-control control_ids[,criticality[,value]]]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-control control_ids[,*criticality[,*value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

The delete operation deletes objects from the directory information tree.

You cannot delete objects that still have subordinate objects.

Example

The following example sets the current working object to: /O=my-company/OU=engineering (Note that the _cwo variable is supported only for a default DAP bind.)
```
set _cwo /O=my-company/OU=engineering
```

The following example deletes the object /O=my-company/OU=engineering/CN=miller
```
delete CN=miller
```

obj help

Returns help information about the obj object and its operations. The syntax is as follows:

[obj] help [operation | -verbose]

Options

-verbose

Displays information about the obj object.

Used without an argument or option, the help command returns brief information about each obj operation. Use the operation argument to return a description of the options associated with the operation you specify. Alternatively, you can use the -verbose option to return a description of the obj object itself.

Example

help

The output of the sample command is as follows:

bind

Binds to the specified directory server.

compare

Checks if the object has the specified attribute value.

create

Creates the specified object in the directory.

delete

Removes the specified object from the directory.

list

Lists the children of the specified object.

modify

Modifies the attribute values of an object in the directory.

moddn

Modifies the DN of an object in the directory.

search

Searches for objects in the directory.

show

Reads attributes of an object in the directory.

unbind

Unbinds from the directory server.

help

Displays help text for the ‘obj’ object and its operations.

operations

Lists the operations that can be performed on the ‘obj’ object.

verify_abbr

Verifies the abbreviation files against the schema.

obj list

Lists the distinguished names of the children of an object. The syntax is as follows:

[obj] list [distinguished_name]
[-bindid bid]
[-pretty]
[-control control_ids[,criticality[,value]]]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-pretty

Displays the results of the operation in a tabular format.

-control control_ids[,criticality[,value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

Used without arguments or options, the list operation returns a Tcl list that contains the complete distinguished names of the immediate subordinates of the current working object. Use the distinguished_name argument to specify an object. Use the -pretty option to return the results of the operation in a tabular, more readable format.

You can abandon an outstanding list operation by interrupting dirxcp. (Press the Del or Ctrl and C key, dependent on your keyboard configuration, and dirxcp will send out an Abandon operation to the directory server.) This is not supported for LDAP binds.

Example

The following sample command sets the current working object to /O=my-company/OU=ap11
```
set _cwo /O=my-company/OU=ap11
```

The following sample command lists the distinguished names of the current working object:

list -pretty

The output of the sample command is as follows:

1) /O=my-company/OU=ap11/CN=mueller
2) /O=my-company/OU=ap11/CN=hughes
3) /O=my-company/OU=ap11/CN=zahn
4) /O=my-company/OU=ap11/CN=schmid

obj moddn

Changes the last RDN of an object or a subtree or moves an object or subtree to a new superior. The syntax is as follows:

[obj] moddn [distinguished_name]
[-bindid bid]
[-dontdeleteoldrdn]
{-newsuperior new_superior [-rdn name_part] | -rdn name_part}
[-control control_ids[,criticality[,value]]]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-dontdeleteoldrdn

Saves the attribute values of the old RDN that are not present in the new RDN.

-rdn name_part

An option that specifies the new RDN. If the operation moves an object or subtree to a new superior without changing its RDN, this option can be omitted or the old RDN is supplied for this option. When the last RDN of the object is to be changed grantRename permission is required. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of relative distinguished name syntax, and ACI-Item attribute syntax for a description of the permissions.

-newsuperior new_superior

Specifies the distinguished name of the new superior of the entry. The new superior must already exist. The new superior must not be the entry to be moved, or the root of the subtree to be moved, or one of its subordinates. grantExport permission is required for the object being considered with its original name, and grantImport permission is required for the object being considered with its new name. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of distinguished names syntax, and ACI-Item attribute syntax for a description of the permissions.

-control control_ids[,*criticality[,*value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

The moddn operation changes the last relative distinguished name of an object or subtree or moves an object or subtree to a new superior. The distinguished_name argument specifies the object or subtree to modify; if no distinguished_name argument is specified, the operation acts on the current working object. Refer to the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a complete description of distinguished name format. By default, the operation removes the attributes and attribute values that do not exist in the new RDN.

When a distinguished name is modified by the moddn operation all references inside a single DSA to the complete name are updated automatically.

Example

In the following sample command, the object is renamed but the old name (zahn) is kept in the new object. The resulting CN attribute has two values: zahn and soeder, where soeder is the naming value of CN.

obj moddn /O=ibis/OU=staff/CN=zahn -rdn CN=soeder \
          -dontdeleteoldrdn

The result of a obj show /O=ibis/OU=staff/CN=soeder –attr CN command after performing the command above is:

/O=ibis/OU=staff/CN=soeder {CN=soeder;zahn}

obj modify

Changes the attribute values of an object. The syntax is as follows:

[obj] modify [distinguished_name]
[-bindid bid]
{-addattr attribute_list |
-changeattr old_attribute new_attribute |
-removeattr attribute_list |
-replaceattr attribute_list} …
[-control control_ids[,criticality[,value]]]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-addattr attribute_list

Adds the attributes and attribute values specified in the attribute_list argument to an object. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of attribute type and value syntax.

-changeattr old_attribute new_attribute

Changes the specified existing attribute and attribute values to the specified new attribute and attribute values. old_attribute and new_attribute must be separated by a space character. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of attribute type and value syntax.

-removeattr attribute_list

Removes the attributes and attribute values specified in the attribute_list argument from an object. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of attribute type and value syntax.

-replaceattr attribute_list

Replaces the attributes and attribute values specified in the attribute_list argument from an object. If the attribute does not exist the attribute is created. If no attribute value is specified the attribute is deleted. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of attribute type and value syntax.

-control control_ids[,criticality[,value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

The modify operation changes attributes and attribute values of objects. The distinguished_name argument specifies the object to modify; if no distinguished_name argument is specified, the operation acts on the current working object. Refer to the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a complete description of distinguished name format.

Use the -addattr option to add new attributes and their attribute values to an object or add new attribute values to an existing attribute.

Use the -changeattr option to modify values of an existing attribute; you must specify the option name and the desired values for each attribute you want to change. For example, to modify attr1 and attr2 for an object, enter the -changeattr option twice as follows: -changeattr attr1_old attr1_new -changeattr attr2_old attr2_new

Use the -removeattr option to remove existing attribute values or remove existing attributes.

Use the -replaceattr option to replace all existing attribute values by the new attribute values, to add new attributes, or to delete the specified attribute.

You may combine the options -addattr, -changeattr, -removeattr, and -replaceattr in any order as often as you like.

Examples

In the following sample commands, the modify operation performs the following tasks on the object represented by the distinguished name
/O=ins CO/OU=sales/CN=miller:
- Adds the telephone-number attribute type and value:
  modify {/O=ins CO/OU=sales/CN=miller} \ -addattr {tn=+1 964 123 5678}
- Changes the TN attribute value
  modify {/O=ins CO/OU=sales/CN=miller} \ -changeattr {TN=+1 964 123 5678} {TN=+1 964 123 9999}
- Deletes the instance of the TN attribute assigned the value +1 964 123 9999C
  modify {/O=ins CO/OU=sales/CN=miller} \ -removeattr {TN=+1 964 123 9999}
In the following sample commands, the modify command performs the following tasks on the object represented by the distinguished name
- Adds two telephone numbers to the object represented by the distinguished name /O=acme/OU=sales/CN=gunther:
  modify /O=acme/OU=sales/CN=gunther \ + -addattr {TN=+1 919 555 4545;+1 431 223 4457}
- Changes the initial values of both telephone numbers:
  modify /O=acme/OU=sales/CN=gunther \ -changeattr {TN=+1 919 555 4545} {TN=+1 508 693 9130} \ -changeattr {TN=+1 431 223 4457} {TN=+1 508 477 7300}

obj nextpage

Returns the next page of a search result if simple paging is used. The syntax is as follows:

[obj] nextpage
[-bindid bid]
[-pretty]
[-terminate]
[-vpagesize page_size]
[-control control_ids[,criticality[,value]]]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-pretty

Displays the results of the operation in a tabular format.

-terminate

Notifies the server that the search result can be discarded because no more pages will be requested by the client any more.

-vpagesize page_size

Specifies the maximum number of objects that should be returned in a page. The value specified must be lower or equal than the effective size limit for search operations. (See the section titled Managing Huge Search Results in chapter Managing Miscellaneous Scenarios in the DirX Directory Administration Guide for details.) This option is required when reading a search result page.

-control control_ids[,criticality[,value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

obj nextpage is used to return the next page of a search result once the initial search with simple paging has already been performed.

By default, the obj nextpage operation returns results as Tcl lists. Use the -pretty option to return formatted results.

Use the option -vpagesize to specify the maximum number of objects that should be returned in a page.

Use the option -terminate if you are no longer receiving search pages from the server. That option cannot be combined with any other option. The result of this command is that the server discards the search result.

If the number of result entries is greater than the page size (specified in -vpagesize), then the search returns an indication for an incomplete operation, the partial-outcome-qualifier, as the last element of the search result. This is a query reference (cookie) that internally is used for subsequent calls of obj nextpage. When processing the real entries of the search result an application (for example a TCL script) must take care of that last element and should ignore it. Here is an example for this indication:
```
dirxcp> nextpage -p -vpagesize 3
```
The sample output is as follows:
```
{empty}1) o=PQR

{empty}2) cn=admin,o=PQR

{empty}3) ou=Sales,o=PQR

Incomplete operation:

    Partial-Outcome-Qualifier

        Query-Reference         : \x0b\x00\x00\x00
```
(See the Partial-Outcome-Qualifier attribute syntax in DirX Directory Syntaxes and Attributes for details.)
Only one search with simple paging can be performed for a bind connection because the cookie is internally stored for each connection. If another search (with simple paging or without paging) is required simultaneously an additional bind connection for that additional search is required.
If the last page has been received when using simple paging and you keep on calling the obj nextpage operation then an appropriate error code is returned that no more pages are available. For LDAP binds, this error code is 4515, “Paging is not possible in this state”. For DAP binds, this error code is 4901, “Invalid query reference”.

Example

Terminate paging:
```
nextpage -terminate
```
Simple paging with page size 3:
```
nextpage -pretty -vpagesize 3
```

obj operations

Returns a list of operations that can be performed on the obj object. The syntax is as follows:

[obj] operations

The list of available operations is in alphabetical order except for help and operations, which are listed last.

Example

obj operations

The output of the sample command is as follows:

bind compare create delete list modify moddn search show unbind help operations verify_abbr

obj search

Searches for objects. The syntax is as follows:

[obj] search [distinguished_name]
[-bindid bid]
[-allattr | -alloperationalattr | -alluserattr | -attribute abbreviation […]]
{-baseobject | -onelevel | -subtree}
[-filter filter]
[-matchedvaluesonly]
[-noaliases]
[-pretty]
[-types]
[-vpagesize page_size]
attr_type]
[-vtype {SUBENTRY | SIMPLE}]
[-control control_ids[,criticality[,value]]]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-allattr

Shows information about all of the attributes of an object, including user and operational attributes. For LDAP binds this option returns the same attributes as the option –alluserattr.

-alloperationalattr

Returns the object’s operational attributes. This option is not supported for LDAP binds.

-alluserattr

Returns the object’s user attributes. For LDAP binds this option returns the same attributes as the option –allattr.

-attribute abbreviation

Returns the attributes that correspond to the specified attribute abbreviations or OIDs. Use the abbr show operation to determine attribute abbreviations.

For LDAP binds, the LDAP name or the OID of the attribute must be specified.

For LDAP binds, specify the following abbreviation to return a specific set of attributes:
- * - All user attributes.
- + - All operational attributes.

-baseobject

Limits the search scope to the base object; that is, the object represented by the specified distinguished name, or the current working object.

-filter filter

Specifies the filter condition for the search. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for a description of search filters.

-matchedvaluesonly

Specifies that attribute values not matched by the filter are not to be returned.

-noaliases

Specifies that aliases are not to be dereferenced. This option is prohibited for LDAP binds.

-onelevel[none] * Limits the search scope to the children of the base object.

-pretty

Displays the results of the operation in a tabular format.

-subtree[none] * Limits the search scope to the subtree below the base object.

-types

Specifies that the results are to contain attribute types, but not attribute values.

-vpagesize page_size

Specifies the maximum number of objects that should be returned in a page. The value specified must be lower than the effective size limit for search operations. (See the section titled Managing Huge Search Results in chapter Managing Miscellaneous Scenarios in the DirX Directory Administration Guide for details.) This option is required for simple paging.

-vsortkey attr_type

Specifies an attribute type that the server uses to sort the paged result. attr_type is the LDAP name (for LDAP binds) or the abbreviation (for DAP binds) or the object identifier (OID) of the attribute. The attr_type can be prefixed by an exclamation mark (!) to specify reverse sort order. For attr_type only indexed attribute types can be specified.

-vtype \{SUBENTRY | SIMPLE}

Specifies the result type. Specify one of the following keywords:
- SUBENTRY—Specifies that the search operation returns subentries. This option is only supported for LDAP binds.
- SIMPLE—Specifies that the search operation uses simple paging mechanism.
This option is only supported for LDAP binds.

-control control_ids[,*criticality[,*value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

The search operation searches for objects starting from the specified distinguished name or the current working object. You must specify one of the search scope options
-baseobject, -onelevel, or -subtree.

By default, the operation does not search for attribute information. Use the -attribute, *
-alloperationalattr*, or -alluserattr options to return selected attribute information, or use the
-allattr option to return information about all attributes.

By default, the search operation returns results as Tcl lists. Use the -pretty option to return formatted results.

The directory server may return incomplete results if a size limit or time limit has been encountered or if referrals to other servers are returned. In the event of an incomplete result the search operation returns the partial-outcome-qualifier as the last element of the search result. (See also the Partial-Outcome-Qualifier attribute syntax in DirX Directory Syntaxes and Attributes.)

In order to avoid huge search results you can use the Simple Paging mechanism by specifying the option –vtype SIMPLE. However, if the DSA must perform chaining simple paging does not work at all. Then the search operation returns no result and no refarral but the error message Directory system is unwilling to perform the operation.

Use the option -vpagesize to specify the maximum number of objects that should be returned in a page.

Use the option -vsortkey to specify the sort criteria.

If number of result entries is greater than the page size (specified in -vpagesize), then the search returns an indication for an incomplete operation, the partial-outcome-qualifier, as the last element of the search result. This is a query reference (cookie) that internally is used for subsequent calls of obj nextpage. When processing the real entries of the search result an application (for example a TCL script) must take care of that last element and should ignore it. Here is an example for this indication:
```
dirxcp> search o=pqr -subtree -pretty -vtype SIMPLE -vpagesize 3
```
The sample output is as follows:
```
{empty}1) o=PQR
{empty}2) cn=admin,o=PQR
{empty}3) ou=Sales,o=PQR
Incomplete operation:
    Partial-Outcome-Qualifier
        Query-Reference         : \x0b\x00\x00\x00
```
(See the Partial-Outcome-Qualifier attribute syntax in DirX Directory Syntaxes and Attributes for details.)
Only one search with simple paging can be performed for a bind connection because the cookie is internally stored for each connection. If another search (with simple paging or without paging) is required simultaneously an additional bind connection for that additional search is required.

If the search operation is unable to access information because of access restrictions, it returns IE=TRUE (meaning Incomplete-Entry=TRUE) in the Tcl list or displays the following line in the formatted output produced by the -pretty option:

Incomplete-Entry :TRUE

This is not supported for LDAP binds.

You can abandon an outstanding search operation by interrupting dirxcp. (Press the Del or Ctrl and C key, dependent on your keyboard configuration, and dirxcp will send out an Abandon operation to the directory server.) This is not supported for LDAP binds.

Examples

The following sample search operation returns the DNs and all user attributes of the subtree below the base object /O=my-company.

search {/O=my-company} \
       -subtree \
       -alluserattr \
       -pretty

The output of the sample command is as follows:

 1) /O=my-company/OU=engineering/CN=miller
    Object-Class             : TOP
                             : PER
                             : ORP
    Common-Name              : Miller
    Surname                  : Tom
    Description              : Software-Engineer
 2) /O=my-company/OU=Engineering/CN=Hughes
    Object-Class             : TOP
                             : PER
                             : ORP
    Common-Name              : Hughes
    Surname                  : Peter
    Description              : Software-Engineer
    Telephone-Number         : +1 964 123 423423
 3) /O=my-company/OU=Sales
    Object-Class             : TOP
                             : OU
    Organizational-Unit-Name : Sales
    Description              : Sales Department
    Telephone-Number         : +1 964 123 23422
 4) /O=my-company/OU=Engineering
    Object-Class             : TOP
                             : OU
    Organizational-Unit-Name : Engineering
    Description              : Engineering Department
    Telephone-Number         : +1 964 123 4567
 5) /O=my-company
    Object-Class             : TOP
                             : ORG
    Organization-Name        : my-company
    Description              : my-company US

The following sample search operation returns the DNs and all attributes of the objects that are children of /O=my-company.

search {/O=my-company} -onelevel -allattr
       -pretty

The output of the sample command is as follows:

 1) /O=my-company/OU=Sales
    Object-Class              : TOP
                              : OU
    Organizational-Unit-Name  : Sales
    Description               : Sales Department
    Telephone-Number          : +1 964 123 23422
    Creation-Time             : 19961120171345Z
    Creators-Name             : /O=my-company/CN=admin
    Governing-Structure-Rule  : 3
    Structural-Object-Classes : OU
 2) /O=my-company/OU=Engineering
    Object-Class              : TOP
                              : OU
    Organizational-Unit-Name  : Engineering
    Description               : Engineering Department
    Telephone-Number          : +1 964 123 4567
    Creation-Time             : 19961120171344Z
    Creators-Name             : /O=my-company/CN=admin
    Governing-Structure-Rule  : 3
    Structural-Object-Classes : OU

The following sample search operation returns the DNs and all operational attributes of the (base) object /O=my-company.

search {/O=my-company} -baseobject
       -alloperationalattr -pretty

The output of the sample command is as follows:

 1) /O=my-company
    Creation-Time             : 19961120165002Z
    Creators-Name             : /O=my-company/CN=admin
    Governing-Structure-Rule  : 2
    Structural-Object-Classes : ORG

The following sample search operation searches the subtree starting from /O=my-company
for objects that contain the information specified in the search filter and returns their DNs.
```
search /O=my-company -subtree -pretty -filter {TN=+1 964*}
```
The output of the sample command is as follows:
```
 1) /O=my-company/OU=Engineering/CN=Hughes
 2) /O=my-company/OU=Sales
```
The following sample search operation searches the subtree starting from /O=my-company
for objects with simple paging with page size 3:
```
search /O=my-company -subtree -pretty –vtype SIMPLE –vpagesize 3
```

obj show

Shows an object’s contents. The syntax is as follows:

[obj] show [distinguished_name]
[-bindid bid]
[-allattr | -alloperationalattr | -alluserattr | -attribute abbreviation …] *
[-pretty*]
[-types]
[-control control_ids[,criticality[,value]]]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

-allattr

Shows information about all of the attributes of an object, including user and operational attributes.

-alloperationalattr

Returns the object’s operational attributes. This option is not supported for LDAP binds.

-alluserattr

Returns the object’s user attributes. For LDAP binds this option returns the same attributes as the option –allattr.

-attribute abbreviation

Returns the attributes that correspond to the specified attribute abbreviations or OIDs. Use the abbr show operation to determine attribute abbreviations. See the chapter titled Attribute Values in a File in DirX Directory Syntaxes and Attributes how to write the attribute value in a file.

For LDAP binds, the LDAP name or the OID of the attribute must be specified. It is not possible to write the attribute value in a file for LDAP binds.

-pretty

Displays the results of the operation in a tabular format.

-types

Specifies that the results are to contain attribute types, but not attribute values.

-control control_ids[,criticality[,value]]

Specifies the LDAPv3 controls to be applied to the operation. See the section -control Option for more information about LDAPv3 controls and -control option syntax.

Used without arguments or options, the show operation returns the distinguished name the current working object. Use the distinguished_name argument to specify an object to show.

By default, the operation does not return attribute information. Use the -attribute, -alloperationalattr, or -alluserattr options to return selected attribute information, or use the -allattr option to return information about all attributes. If you have selected to return attribute information, the show operation returns attribute types and values by default. Use the -types option to limit the results returned to attribute types only.

By default, the results of the show operation are displayed as a Tcl list. Use the -pretty option to return the results in a tabular, more readable format.

If the show operation is unable to access information because of access restrictions, it returns IE=TRUE (meaning Incomplete-Entry=TRUE) in the Tcl list or displays the following line in the formatted output produced by the -pretty option:

Incomplete-Entry :TRUE

Note that this function is not supported for LDAP binds.

You can abandon an outstanding show operation by interrupting dirxcp. (Press the Del or Ctrl and C key, depending on your keyboard configuration, and dirxcp will send out an Abandon operation to the directory server.) This function is not supported for LDAP binds.

Examples

The following sample command shows all attributes associated with the object represented by the distinguished name /O=my-company/OU=Engineering/CN=Miller.
Note also that this example shows the Incomplete-Entry flag that indicates access to some of the requested information was restricted.

show {/O=my-company/OU=Engineering/CN=Miller} \
     -allattr \
     -pretty

The output of the sample command is as follows:

 1) /O=my-company/OU=Engineering/CN=Miller
    Incomplete-Entry          : TRUE
    Object-Class              : TOP
                              : PER
                              : ORP
    Common-Name               : Miller
    Surname                   : Tom
    Description               : Software-Engineer
    Creation-Time             : 19961120171347Z
    Creators-Name             : /O=my-company/CN=admin
    Governing-Structure-Rule  : 4
    Structural-Object-Classes : ORP[.italicemphasis]####

The following sample command displays a Tcl list that contains all attributes associated with the object represented by the distinguished name
/O=my-company/OU=Engineering/CN=Miller.
```
show {/O=my-company/OU=Engineering/CN=Miller}
     -allattr
```
The output of the sample command is as follows:
```
{/O=my-company/OU=Engineering/CN=Miller} {OCL=TOP;PER;ORP} CN=Miller SN=Tom DSC=Software-Engineer CRT=19961120171347Z CRN={/O=my-company/CN=admin} GSR=4 SOC=ORP
```
The following sample command displays the telephone-number attribute associated with the object represented by the distinguished name
/O=my-company/OU=Engineering/CN=Miller.
```
show {/O=my-company/OU=Engineering/CN=Miller}
        -attribute TN -pretty
```
The output of the sample command is as follows:
```
 1) /O=my-company/OU=Engineering/CN=Miller
    Telephone-Number : +1 964 123 5678
```

obj starttls

Switches on the SSL/TLS security layer between dirxcp and an LDAP server. The syntax is as follows:

[obj] starttls
[-bindid bid]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

This operation is only supported for a connection that was created by a bind operation over plain LDAPv3 protocol and requires the same kind of access to LDAP server SSL key material that is required by a bind over SSL-protected LDAPv3 protocol. The operation enables SSL/TLS security for the current LDAP connection. If a new plain LDAPv3 bind operation is issued, dirxcp creates the new connection without SSL/TLS protection.

The LDAP extended operations must be enabled in the LDAP server; the LDAP Start TLS Enabled (LSTEN, ldapStartTLS) must have the value 1.

obj unbind

Terminates a binding between dirxcp and a DSA. The syntax is as follows:

[obj] unbind
[-bindid bid]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See section Bind Types and Bind IDs of this chapter for details.)

obj verify_abbr

Verifies the abbreviations used in DirX Directory abbreviation files against a DSA schema. See the section Abbreviation Files in the chapter DirX Directory Files for detailed information about these files. The syntax is as follows:

[obj] verify_abbr
[-dsa distinguished_name]

Options

-dsa distinguished_name

The name of the target DSA that contains the schema to be used for verification. Specify the complete distinguished name of the DSA to which you want to bind and get schema information. See the DirX Directory String Representation for DAP Binds chapter in the DirX Directory Syntaxes and Attributes for a description of distinguished name syntax.
The DSA name specified must be one of the target DSA names defined in the directory client configuration file install_path*/client/dirxcl.cfg*.
If this option is not provided, the operation uses the target DSA name of the most recently established DAP bind.

The verify_abbr operation takes the abbreviation files from the client and the schema from the DSA, compares the two for inconsistencies, and outputs all errors discovered in the abbreviation files. Use this error output to fix issues with the abbreviation files.

Example

verify_abbr

The output of the sample command on error-free abbreviation files is as follows:

The abbreviations files are in sync with the schema.
    Schema was read from server /CN=DirX-DSA-host1
    with address TS=DSA1,NA='TCP/IP_IDM!internet=127.0.0.1+port=21200'.

util (dirxcp)

Synopsis

delete_subtree base_object

faddattr filename

fcreate filename

Purpose

Utilities for dirxcp.

Arguments

base_object

The distinguished name of an entry in the DIT. See the DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds chapters in DirX Directory Syntaxes and Attributes for complete information on distinguished name format.

filename

The name of the data file.

Operations

delete_subtree

Deletes the subtree under the specified base object. The base object itself is also deleted. The syntax is as follows:

delete_subtree base_object

If the subtree to be deleted contains shadow entries, you must set the service controls appropriately before invoking delete_subtree (see args (dirxcp) for details).

This utility can only be performed for a default bind id. (See obj bind (dirxcp) for details.)

Example

delete_subtree /O=my-company/OU=sales

faddattr

Adds attributes and attribute values to existing entries in the DIT in batch mode. The syntax is as follows:

faddattr filename

where filename is a data file that contains the names and attributes of the entries in the following format:

Blank lines and lines starting with the # character are ignored.
All information for an entry must be contained in a single line. Each line is divided into fields separated by the SPACE character. If the SPACE character is part of an attribute, the field should be enclosed in curly braces (\{ }).
The first field in a line contains the distinguished name of the entry and subsequent fields contain attribute information. If recurring values are specified for an attribute, the values must be separated by a semicolon (;) and the field must be enclosed in curly braces (\{ }).

Here are some examples of the file format:

# Add description {/O=my-company/OU=sales/CN=Smith John} {DSC=Sales Manager}

# Add telephone number /O=my-company/OU=sales/CN=Mayer {TN=+49(89)235-42356}

Example

faddattr datafile

fcreate

Creates entries in the DIT in a batch mode. The syntax is as follows:

fcreate filename

where filename is a data file that contains the names and attributes of the entries in the following format:

Blank lines and lines starting with the # character are ignored.
All information for an entry must be contained in a single line. Each line is divided into fields separated by the SPACE character. If the SPACE character is part of an attribute, the field should be enclosed in curly braces (\{ }).
The first field in a line contains the distinguished name of the entry and subsequent fields contain attribute information. If recurring values are specified for an attribute, the values must be separated by a semicolon (;) and the field must be enclosed in curly braces (\{ }).

Here are some examples of the file format:

# Organizational Unit /O=my-company/OU=Services OCL=OU

# Organizational Persons {/O=my-company/OU=services/CN=Smith James} {OCL=ORP;PER;ORP;MUS} SN=Smith \ TN=+49(89)123-456 {FTN={PN=+49(89)123-789}} \ {PA={PA1=Services Dpt,PA2=Einstein-Ring 4,PA3=D-81789 Munich,PA4=Germany}} \ {MOA={C=DE,ADMD=DBP,PRMD=My-Company,OU1=MCH1,OU2=S41,SN=Smith,GN=James}}

/O=my-company/OU=services/CN=Mayer {OCL=ORP;PER;ORP;MUS} SN=Mayer \ TN=+49(89)123-567 {FTN={PN=+49(89)123-789}} \ {PA={PA1=Services Dpt,PA2=Einstein-Ring 4,PA3=D-81789 Munich,PA4=Germany}} \ {MOA={C=DE,ADMD=DBP,PRMD=My-Company,OU1=MCH1,OU2=S41,SN=Mayer,GN=Erna}}

/O=my-company/OU=services/CN=Richter {OCL=ORP;PER;ORP;MUS} SN=Richter \ TN=+49(89)234-678 {FTN={PN=+49(89)234-6789}} \ {PA={PA1=Services Dpt,PA2=Albert-Ring 41,PA3=D-81789 Munich,PA4=Germany}} \ {MOA={C=DE,ADMD=DBP,PRMD=My-Company,OU1=MCH1,OU2=S12,SN=Richter,GN=Franz}}

Example

fcreate datafile

dirxcp

Synopsis

Purpose

Arguments

Options

Description

Tcl Command Language

Escaping in Distinguished Names and Attribute Values

Escaping in File Names

The Directory Client Configuration File

Bind Types and Bind IDs

The Abbreviation Files

Accessing Operations and Entries

Invoking dirxcp

Interactive Mode

Command Mode

Terminating dirxcp

Exit Codes

Startup Scripts

Command Syntax

Line Continuation

Command Processing

Abbreviations

Tcl Variables

Line Recall and Editing

Performing Operating System Commands

Example

Return Values

Viewing Output

See Also

abbr (dirxadm, dirxcp)

args (dirxcp)

Synopsis

Purpose

Arguments

Operations

args help

Options

Example

args modify

Options

Examples

args operations

Example

args show

Options

Example

ldapargs (dirxcp)

Synopsis

Purpose

Arguments

Operations

ldapargs help

Options

Example

ldapargs modify

Options

Examples

ldapargs operations

Example

ldapargs show

Options

Example

obj (dirxcp)

Synopsis

Purpose

Arguments

-control Option

Examples

Operations

obj bind

Options

Example

obj compare

Options

Example

obj create

Options

Examples

obj delete