obj (metacp)

Synopsis

[obj] bind
[-bindid bid]
[-authentication auth_method]
[-password password]
[-user username]
[-protocol protocol]
[-server ldap_server_name | -address ldap_server_address]
[-ssl]
[-sasl]
[-cert7path cert8_pathname]
[-key3path key3_pathname]
[-certsubject nickname]
[-key3password key3_password]
[-mechanism mechanism]
[-status [-bindid bid1 [bid2 …]]]

[obj] compare distinguished_name
-attribute attribute
[-bindid bid]

[obj] create distinguished_name
-attribute attribute_list
[-bindid bid]

[obj] delete distinguished_name
[-bindid bid]

[obj] help [operation | -verbose]

[obj] list distinguished_name
[-bindid bid]
[-pretty]

[obj] moddn distinguished_name
[-bindid bid]
-rdn name_part
[-dontdeleteoldrdn]
[-newsuperior new_superior]

[obj] modify distinguished_name
[-bindid bid]
{-addattr attribute_list |
-changeattr old_attribute new_attribute |
-removeattr attribute_list |
-replaceattr attribute_list}

[obj] nextpage
[-bindid bid]
[-conn connection_handle]
[-exactaction]
[-pretty]
[-result result_handle]
[-terminate]
[-vafter after_count]
[-vbefore before_count]
[-vcontentcount content_count]
[-voffset offset]
[-vpagesize page_size]
[-vvalue attribute_value]

[obj] operations

[obj] search distinguished_name
[-bindid bid]
[-conn connection_handle]
[-exactaction]
[-result result_handle]
[-allattr |
-alluserattr |
-attribute abbreviation …]
{-baseobject |
-onelevel |
-subtree}
[-filter filter]
[-matchedvaluesonly]
[-pretty]
[-types]
[-vafter after_count]
[-vbefore before_count]
[-vcontentcount content_count]
[-voffset offset]
[-vpagesize page_size]
[-vsortkey sort_keys]
[-vtype {SUBENTRY | SIMPLE | VLV}]
[-vvalue attribute_value]

[obj] show distinguished_name
[-bindid bid]
[-allattr |
-alluserattr |
-attribute abbreviation …]
[-pretty]
[-types]

[obj] unbind
[-bindid bid]

Purpose

A metacp object that manages entries in the directory information tree (DIT) of a Identity store via the Lightweight Directory Access Protocol (LDAP) protocol.

Arguments

distinguished_name

The name of an entry to act on. Supply the complete distinguished name as follows:

distinguished_name

For example:

{cn=mueller peter,ou=board,o=pqr ag,c=de}

See the String Representation for LDAP Binds chapter for complete information on distinguished name format.

operation

The name of the obj operation for which to display help information.

Operations

obj bind

Establishes a binding between metacp and an Identity store. The syntax depends upon the protocol type (-protocol option) and the security level to be used.

For LDAPv2 binds (-protocol LDAPv2) the following syntax must be used:

[obj] bind
[-bindid bid]
[-authentication auth_method]
[-password password]
[-user username]
-protocol LDAPv2
[-server ldap_server_name | -address ldap_server_address]
[-ssl]

For LDAPv3 binds (-protocol LDAPv3) the following syntax must be used:

Anonymous bind over plain LDAPv3 protocol:

[obj] bind
[-bindid bid]
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
Simple authenticated bind over plain LDAPv3 protocol:

[obj] bind
[-bindid bid]
-authentication simple
-password password
-user username
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
Anonymous bind over SSL-protected LDAPv3 protocol (encrypted data transfer):

[obj] bind
[-bindid bid]
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
[-ssl]
Simple authenticated bind over SSL-protected LDAPv3 protocol (encrypted data transfer):

[obj] bind
[-bindid bid]
-authentication simple
-password password]
-user username
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
[-ssl]
SASL-authenticated bind over SSL-protected LDAPv3 protocol (encrypted data transfer and certificate-based client authentication):

[obj] bind
[-bindid bid]
-protocol LDAPv3
[-server ldap_server_name | -address ldap_server_address]
-sasl
[-cert7path cert8_pathname]
[-key3path key3_pathname]
-certsubject nickname
-key3password key3_password
-mechanism EXTERNAL

To display the status of currently established binds the following syntax must be used:

[obj] bind -status [-bindid bid1 [bid2 …]]

Options

-address ldap_server_address

The real address of a Identity store. Specify ldap_server_address in one of the following formats:

host[:_port_]
host1[:port1],host2[:port2][,…]

where host or hostn is either an IP address or a DNS (domain name server) name and port or portn is a port number (<32767). 389 is used as the default port number unless the -ssl option or the -sasl option and the -mechanism EXTERNAL options are specified; in this case, the default port number is 636.

If more than one real address is specified, an attempt is made to establish a connection using real addresses from left to right.

-authentication auth_method

The authentication method to be applied. Supply the simple keyword to use simple unprotected authentication.

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.)

-cert7path cert8_pathname

The full pathname of the cert8.db file that contains the certificate database used by the Mozilla ldapssl library. A certificate database typically contains Root certificates, server and user certificates. (See SSL/TLS Certificate Database in the DirX Identity Program Files chapter for details.)

The default value is install_path/client/conf/cert8.db.

-certsubject nickname

The nickname that the Mozilla ldapssl library uses to select the correct certificate and key from the cert8.db file and the key3.db file. Use the Mozilla certutil tool to view the contents of a cert8.db file to obtain the nicknames of the client certificates.

This option is mandatory when the -sasl option is specified and the value of the -mechanism option is EXTERNAL.

-key3password key3_password

The password that protects the key3.db file. Use the Mozilla certutil tool to change the value of this password. The password protects the private keys stored in the key3.db file.

This option is mandatory when the -sasl option is specified and the value of the -mechanism option is EXTERNAL.

-key3path key3_pathname

The full pathname of the key3.db file that contains the keys. (See SSL/TLS Key Database in the DirX Identity Program Files chapter for details.)

The default value is install_path/client/conf/key3.db.

-mechanism mechanism

The SASL mechanism to use for client authentication and for the security layer. Supply the EXTERNAL keyword (case-sensitive) to use SSL/TLS certificate-based client authentication as the client authentication mechanism and SSL/TLS as the security layer. If a client uses this authentication mechanism, the Identity store authenticates the subject name of the certificate that is specified by the -certsubject option.

This option is mandatory when the -sasl option is specified.

-password password

The password associated with the user on whose behalf the bind request is being made.

-protocol protocol

The LDAP protocol to be used for the bind. Supply one of the following keywords (case-insensitive):

LDAPv2 - LDAPv2 bind
LDAPv3 - LDAPv3 bind

Specifying this option overrides the protocol specification field in the directory client configuration file dirxcl.cfg.

-sasl

The bind is to be performed using SASL protocol. This option is only supported for LDAP v3 protocol (-protocol option is LDAPv3).

-ssl

The bind is to be performed using SSL/TLS protocol.

-server ldap_server_name

The symbolic name of a Identity store. metacp uses ldap_server_name to search the client configuration file dirxcl.cfg for an entry that specifies the Identity store´s real address and protocol type.

-status [-bindid bid1 [bid2 …]]

Reports status of specified bind IDs bidn or all bind IDs currently in use (including the default bind).This option is mutually exclusive to all other options.

-user username

The name of the user on whose behalf the bind request is being made. Specify the complete distinguished name of the user. See the String Representation for LDAP Binds chapter for a description of distinguished name syntax.

Multiple binds are supported using bind IDs and the concept of a default bind. A bind ID is a string specified in the option -bindid associated with an LDAP bind. A bind ID can be used in other metacp commands to refer to a specific LDAP bind.

A bind operation (or any other obj operation) that does not specify a bind ID opens (or refers to) a default bind. There is only one default bind at a time.

Use the -server or -address options to bind to a specific Identity store. If a Identity store is not specified with the -server or -address options, the obj bind operation searches the directory client configuration file dirxcl.cfg for the first line that matches the protocol type specified in the -protocol option. The address from this line is used to establish a bind. If the directory client configuration file dirxcl.cfg does not contain a Identity store address line, the operation performs a bind to the local Identity store.

Use the -authentication option to establish a specific authentication method. If you specify simple authentication, you must supply the -user option and the -password option. The password you supply for simple authentication is sent as clear text.

Use the -ssl option to establish Secure Socket Layer (SSL)/Transport Layer Security (TLS) for the bind operation when the -protocol option specifies LDAPv2 or LDAPv3. When you specify this option, the obj bind operation authenticates the Identity store using the certificate information in the file specified in the DIRX_TRUSTED_CA environment variable or in the install_path*/client/conf/cert8.db* certificate database, if the environment variable is not set. See SSL/TLS Certificate Database in the DirX Identity Program Files chapter for more information about SSL/TLS certificate authentication.

Use the -sasl option to establish Simple Authentication and Security Layer (SASL) client authentication and SSL/TLS for the bind operation when the -protocol option specifies LDAPv3. See the recommendations made in the document Authentication Methods for LDAP (RFC 2829) and Lightweight Directory Access Protocol (v3): Extensions for Transport Layer Security (RFC 2830) for details. The -sasl option includes the -ssl option.

When an obj bind operation is called with a specific bind ID, the operation sets the service controls for the bind to the default values; see the ldapargs modify operation for a list of default values. When an obj bind operation is called without a bind ID (a default bind), the operation sets the service controls to the default values when the LDAP protocol to be used changes. For example, the operation sets the service controls to their default values when the last default bind used LDAPv2 protocol and the default bind to be performed uses LDAPv3 protocol.

Example

bind -user cn=admin,o=my-company -password dirx \
     -auth simple -protocol LDAPv3 \
     -address hawk.virt.de.com -bindid hawkL3
bind -sasl -mech EXTERNAL -certsubject Admin-Nickname \
     -key3password zorro99 -prot LDAPv3
bind -status

The command output is as follows:

1) Connection:
Bind-ID: : hawkL3
Protocol: : LDAPv3
Address: : hawk.virt.de.com
User-Name: : cn=admin,o=pqr
Authentication Type: : simple
Status: : bound
2) Connection:
Bind-ID: : (default)
Protocol: : LDAP
Status: : unbound

obj compare

Compares an attribute name and value with the attribute names and values of an entry in the DIT. The syntax is as follows:

[obj] compare distinguished_name
-attribute attribute
[-bindid bid]

Options

-attribute attribute A required option that specifies the attribute and attribute value to compare. See the String Representation for LDAP Binds chapter for a description of attribute type and value syntax.

-bindid bid: The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.)

Use the obj compare operation to determine whether an attribute in the entry specified by distinguished_name contains a specific value. If the specified attribute contains the specified value, the operation returns the text M=TRUE (meaning Matched=TRUE); if the value is not present, it returns M=FALSE.

Example

obj compare cn=zapf,ou=asw,o=sni,c=de \
      -attr TN=55029

obj create

Creates a new entry in the DIT. The syntax is as follows:

[obj] create distinguished_name
-attribute attribute_list
[-bindid bid]

Options

-attribute attribute_list: A required option that specifies one or more attributes to be applied to the entry. See the String Representation for LDAP Binds chapter for a complete description of directory service attribute, attribute types, and attribute list formats.
-bindid bid: The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.)

The create operation creates a new entry in the directory information tree. The distinguished_name argument is the name of the entry to be created and must be specified as a complete distinguished name. See the String Representation for LDAP Binds chapter for a description of distinguished name syntax.

Use the -attribute option to specify the attributes to be applied to the newly created entry. You must specify the ObjectClass (objectClass) attribute as an attribute_list element; specifying additional attributes is optional. See the String Representation for LDAP Binds chapter for a complete list of the supported attribute types and attribute list formats. By default, the metacp program creates the operational attributes creation-time, creators-name, structural-object-class, and governing-structure-rule.

Examples

The following sample command creates the organization "myCompany".

create {o=myCompany,c=us} \
     -attribute objectClass=organization {description=sni usa}

The following sample command creates the organizational-unit "engineering" underneath the "myCompany" organization with the telephone-number attribute telephoneNumber=+1 964 123.
```
create {ou=engeneering,o=myCompany,c=us} \
     -attribute objectClass=organizationalUnit \
     {description=engineering department} \
     {telephoneNumber=+1 964 123}
```

The following sample command creates the organizational-person "hughes" whose telephone number is "423423" within the engineering organization and whose surname is "hughes" and whose given name is "peter".

create {cn=hughes,ou=engineering,o=myCompany,c=de} \
     -attribute {objectClass=organizationalPerson;person} \
     {description=software-engineer} \
     {telephoneNumber=+1 964 123 423423} \
     sn=hughes givenName=peter

obj delete

Deletes entries from the DIT. The syntax is as follows:

[obj] delete distinguished_name
[-bindid bid]

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.) The delete operation deletes entries from the directory information tree.

You cannot delete entries that still have subordinate entries.

Example

The following example deletes the entry cn=Miller,ou=engineering,o=sni,c=us

delete cn=miller,ou=engineering,o=sni,c=us

obj help

Returns help information about the obj object and its operations. The syntax is as follows:

[obj] help [operation | -verbose]

Options

-verbose: Displays information about the obj object.

Used without an argument or option, the help command returns brief information about each obj operation. Use the operation argument to return a description of the options associated with the operation you specify. Alternatively, you can use the -verbose option to return a description of the obj object itself.

Example

help

The output of the sample command is as follows:

bind

Binds to the specified directory server.

compare

Checks if the object has the specified attribute value.

create

Creates the specified object in the directory.

delete

Removes the specified object from the directory.

list

Lists the children of the specified object.

modify

Modifies the attribute values of an object in the directory.

moddn

Modifies the DN of an object in the directory.

search

Searches for objects in the directory.

show

Reads attributes of an object in the directory.

unbind

Unbinds from the directory server.

help

Displays help text for the 'obj' object and its operations.

operations

Lists the operations that can be performed on the 'obj' object.

obj list

Lists the distinguished names of the children of an entry. The syntax is as follows:

[obj] list distinguished_name
[-bindid bid]
[-pretty]

Options

-bindid bid: The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.)
-pretty: Displays the results of the operation in a tabular format.

The obj list operation returns a Tcl list that contains the complete distinguished names of the immediate subordinates of the entry specified in distinguished_name. Use the -pretty option to return the results of the operation in a tabular, more readable format.

Example

The following sample command lists the distinguished names of the object ou=ap11,o=sni,c=de:

list ou=ap11,o=sni,c=de -pretty

The output of the sample command as follows:

1) cn=mueller,ou=ap11,o=sni,c=de
2) cn=hughes,ou=ap11,o=sni,c=de
3) cn=zahn,ou=ap11,o=sni,c=de
4) cn=schmid,ou=ap11,o=sni,c=de

obj moddn

Changes the last RDN of an entry or a subtree or moves an entry or subtree to a new superior. The syntax is as follows:

[obj] moddn distinguished_name
[-bindid bid]
-rdn name_part
[-dontdeleteoldrdn]
[-newsuperior new_superior]

Options

-bindid bid: The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the "Bind Types and Bind IDs" section in this chapter for details.)
-dontdeleteoldrdn: Saves the attribute values of the old RDN that are not present in the new RDN.
-rdn name_part: A required option that specifies the new RDN. If the operation moves an object or subtree to a new superior without changing its RDN, the old RDN is supplied for this option. When the last RDN of the object is to be changed grantRename permission is required. See the String Representation for LDAP Binds chapter for a description of relative distinguished name syntax.
-newsuperior new_superior: Specifies the distinguished name of the new superior of the entry. The new superior must already exist. The new superior must not be the entry to be moved, or the root of the subtree to be moved, or one of its subordinates, or such that the moved object violates any DIT structure rules. If objects subordinate to the moved object violate the active subschema subsequent adjustments must be done to make these objects consistent with the subschema. grantExport permission is required for the object being considered with its original name, and grantImport permission is required for the object being considered with its new name. See the String Representation for LDAP Binds chapter for a description of distinguished name syntax.

The moddn operation changes the last relative distinguished name of an object or subtree or moves an object or subtree to a new superior. The distinguished_name argument specifies the entry or subtree to modify. See the String Representation for LDAP Binds chapter for a description of distinguished name syntax. By default, the operation removes the attributes and attribute values that do not exist in the new RDN.

When the obj moddn operation modifies a distinguished name, it automatically updates all references to the complete name that exist within a single Identity store.

Example

In the following sample command, the entry is renamed but the old name (zahn) is kept in the new entry. The resulting cn attribute has two values: zahn and soeder, where soeder is the naming value of cn.

obj moddn cn=zahn,ou=staff,o=ibis,c=us -rdn cn=soeder \
     -dontdeleteoldrdn

obj modify

Changes the attribute values of an entry. The syntax is as follows:

Options

-bindid bid: The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.)
-addattr attribute_list: Adds the attributes and attribute values specified in the attribute_list argument to an object. See the String Representation for LDAP Binds chapter for a description of attribute type and value syntax.
-changeattr old_attribute new_attribute: Changes the specified existing attribute and attribute values to the specified new attribute and attribute values. See the String Representation for LDAP Binds chapter for a description of attribute type and value syntax.
-removeattr attribute_list: Removes the attributes and attribute values specified in the attribute_list argument from an object. See the String Representation for LDAP Binds chapter for a description of attribute type and value syntax
-replaceattr attribute_list: Replaces the attributes and attribute values specified in the attribute_list argument from an object. See String Representation for LDAP Binds for a description of attribute type and value syntax

The modify operation changes attributes and attribute values of entries. The distinguished_name argument specifies the entry to modify. See the String Representation for LDAP Binds chapter for a description of distinguished name syntax.

Use the -addattr option to add new attributes and their attribute values to an entry or add new attribute values to an existing attribute.

Use the -changeattr option to modify values of an existing attribute. You must specify the option name and the desired values for each attribute you want to change. For example, to modify attr1 and attr2 for an entry, enter the -changeattr option twice as follows: -changeattr attr1_old attr1_new -changeattr attr2_old attr2_new

Use the -removeattr option to remove existing attribute values or remove existing attributes.

Use the -replaceattr option to replace all existing attribute values by the new attribute values.

You may combine the options addattr, changeattr, removeattr and replaceattr in any order as often as you like.

Examples

In the following sample commands, the modify operation performs the following tasks on the entry represented by the distinguished name
cn=miller,ou=sales,o=ins CO,c=us:

Adds the telephone-number attribute type and value:

modify {cn=miller,ou=sales,o=ins CO,c=us} \
     -addattr {telephoneNumber=+1 964 123 5678}

Changes the telephoneNumber attribute value:

modify {cn=miller,ou=sales,o=ins CO,c=us} \
     -changeattr {telephoneNumber=+1 964 123 5678} \
     {telephoneNumber=+1 964 123 9999}

Deletes the instance of the telephoneNumber attribute assigned the value +1 964 123 9999:

modify {cn=miller,ou=sales,o=ins CO,c=us} \
     -removeattr {telephoneNumber=+1 964 123 9999}

In the following sample commands, the modify command performs the following tasks on the entry represented by the distinguished name

Adds two telephone numbers to the object represented by the distinguished name cn=gunther,ou=sales,o=acme,c=us:
```
modify cn=gunther,ou=sales,o=acme,c=us \
     -addattr {telephoneNumber=+1 919 555 4545;+1 431 223 4457}
```

Changes the initial values of both telephone numbers:

modify cn=gunther,ou=sales,o=acme,c=us \
     -changeattr {telephoneNumber=+1 919 555 4545} \
     {telephoneNumber=+1 508 693 9130} \
     -changeattr {telephoneNumber=+1 431 223 4457} \
     {telephoneNumber=+1 508 477 7300}

obj nextpage

Returns the next page of a search result if Simple Paging or Virual List View (VLV) is used. The syntax is as follows:

Options

-bindid bid: The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.)
-conn connection_handle: A handle to the connected directory to search. Specify the name of a connection handle created by a meta openconn operation. This is a required option when using this operation to search a connected directory. The connection handle must specify a connected directory of type LDAP (a connected directory opened with the meta openconn -type option LDAP) and it must not specify a format of LDIF-CHANGE (a connected directory opened with the meta openconn -format option LDIF-CHANGE).
-exactaction: Usually distinguished names are defined as CaseIgnore strings that implies that leading and trailing spaces are ignored and several spaces are reduced to one space when comparing distinguished names. There are no problems when modifying such an object and a reduced number of spaces is passed in the DN; the objects are still considered to be the same and the modify operation is performed successfully.

There are directory systems that want to have the exact number of spaces when calling the modify operation. Therefore multiple spaces must not be dropped.

Using the option -exactaction guarantees that multiple spaces in DNs of the search result are not dropped. The DNs are provided the same way as they are retrieved from the directory server.
-pretty: Displays the results of the operation in a tabular format.
-result result_handle: A name to assign to the result handle returned by the operation.
-terminate: Notifies the directory server that that search result can be discarded because no more pages will be requested by the client any more.
-vafter after_count: Specifies the maximum number of objects in the page that should be returned after the target object.
-vbefore before_count: Specifies the maximum number of objects in the page that should be returned before the target object.
-vcontentcount content_count: Together with -voffset -vcontentcount is used to specify the target object in a virtual list view in terms of an offset relative to the beginning of the list and the expected number of entries of the list.
-voffset offset: Specifies the target object in a virtual list view in terms of an offset relative to the beginning of the list.
-vpagesize page_size: Specifies the maximum number of objects that should be returned in a page. This option is required for Simple Paging.
-vvalue attribute_value: Specifies the way the target object in the virtual list view is calculated. The target object is defined to be first object in the list where the attribute identified by the first attribute type of the sort keys is greater than or equal to attribute_value.

In order to avoid huge search results you can either use the Simple Paging or the Virtual List View (VLV) mechanism. VLV allows a client to specify that the server returns a contiguous subset of the search result for a given LDAP search with associated sort keys. The subset is defined in terms of offsets into the ordered list or in terms of a greater than or equal comparison value.

obj nextpage is used to return the next page of a search result once the initial search with paging has already been performed.

By default, the obj nextpage operation returns results as Tcl lists. Use the -pretty option to return formatted results.

When searching a connected directory the operation creates a result handle associated with the results list and assigns the name specified in the -result option to the handle. If the -result option is not specified the results list is output to the display as a Tcl list (unless the -pretty option has been specified). The -result option cannot be combined with the -pretty option.

If the -result option is specified the -conn option is required.

Supplying the -conn option causes the obj nextpage operation to return in the search results list the set of attributes to be synchronized (SSA) specified in the connection handle.

Use the option -vpagesize to specify the maximum number of objects that should be returned in a page.

The remaining options -vbefore, -vafter, -vvalue, -voffset, and -vcontentcount are only relevant for VLV.

The options -vbefore and -vafter are required if -vpagesize is absent. The option -vbefore specifies the maximum number of objects before a target object in the page and the option -vafter specifies the maximum number of objects after that object in the page.

If the options -vbefore and -vafter are used additionally one of the following options must be used:

-vvalue attribute_value
or
-voffset offset [-vcontentcount content_count]

Use -vvalue option if the target object is defined to be the first object in the list where the attribute type is greater or equal to attribute_value. The attribute type is taken from the first element of the sort keys. The -vvalue option can be used too if -vpagesize option is set (instead of -vbefore and -vafter).

Alternatively, the parameters -voffset and optionally -vcontentcount can be used for specifying a target object that should be contained in the page. If -vcontentcount is absent then its default value 0 is used. Because an LDAP server may not have an accurate estimate of the number of entries in the list and to take into account the cases where the list size changes during the time the user browses through the list, and because the client needs a way to indicate specific list targets beginning and end, offsets within the list are transmitted between the client and the LDAP server as ratios, offset to content count. The LDAP server sends its latest estimate of the number of entries in the list (content count) to the client. Using -vcontentcount metacp sends its assumed value of the content count to the server. The LDAP server examines the content count and offset that it receives and computes the corresponding offset within the list, based on its own idea of the content count.

Example:

offset = 60, content_count = 100

Suppose that the LDAP servers view of the complete search result conatians 300 objects, then the target object is at position 180.

There are the following special cases when using the -voffset and -vcontentcount option:

offset is one and content_count is non-one: The target object is the first entry in the list.
Equivalent values of offset and content_count: The target object is the last entry in the list.

Use the option -terminate if you are no longer receiving search pages from the server. That option cannot be combined with any other option. The result of this command is that the LDAP server discards the search result.

If the parameters -conn and -result are not used and the number of result entries is greater than the page size (specified in -vpagesize), then the search returns an indication for an incomplete operation as the last element of the search result. For Simple Paging, this is a query reference (cookie) that internally is used for subsequent calls of obj nextpage. For VLV, additionally Target-Position and Content-Count are provided. When processing the real entries of the search result an application (TCL script) must take care of that last element and should ignore it.

Simple Paging:
```
metacp> nextpage -p -vpagesize 3
```
The sample output is as follows:
```
1) o=PQR
2) cn=admin,o=PQR
3) ou=Sales,o=PQR
Incomplete operation:
    Partial-Outcome-Qualifier
        Query-Reference         : \x0b\x00\x00\x00
```
VLV:
```
metacp> nextpage -p -vpagesize 3 -voffset 1
```
The sample output is as follows:
```
1) cn=Abele,ou=Sales,o=PQR
2) cn=admin,o=PQR
3) cn=Tinker,ou=Sales,o=PQR
Incomplete operation:
    Partial-Outcome-Qualifier
        Query-Reference         : \x0c\x00\x00\x00
        Virtual-List-View-Spec.
              Target-Position       : 1
              Content-Count         : 18
```
If the parameters -conn and -result are used then the “incomplete operation” indication is not returned in the search result; it is already dropped.
Only one search with simple paging or VLV can be done for a bind connection because the cookie is internally stored for each connection. If another search (with simple paging, VLV, or without paging) is required simultaneously an additional bind connection for that additional search is required.
If the last page has been received when using simple paging and you keep on calling the obj nextpage operation then an appropriate error code is returned that no more pages are available. (METACP 4515)

Example

Terminate paging:
```
nextpage -terminate
```
Simple paging with page size 3:
```
nextpage -pretty -vpagesize 3
```
VLV with page size 3 starting with the first entry:
```
nextpage -pretty -vpagesize 3 -voffset 1
```
VLV with page size 3 and the common name of the first object displayed starts with a D:
```
nextpage -pretty -vvalue D -vpagesize 3
```
VLV, the common name of the target object starts with a D. Three objects before and five objects after this object should be displayed:
```
nextpage -pretty -vvalue D -vbefore 3 -vafter 5
```

obj operations

Returns a list of operations that can be performed on the obj object. The syntax is as follows:

[obj] operations

The list of available operations is in alphabetical order except for help and operations, which are listed last.

Example

obj operations

The output of the sample command is as follows:

bind compare create delete list modify moddn search show unbind help operations

obj search

Searches for entries. The syntax is as follows:

Options

-bindid bid

The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.)

-conn connection_handle

A handle to the connected directory to search. Specify the name of a connection handle created by a meta openconn operation. This is a required option when using this operation to search a connected directory. The connection handle must specify a connected directory of type LDAP (a connected directory opened with the meta openconn -type option LDAP) and it must not specify a format of LDIF-CHANGE (a connected directory opened with the meta openconn -format option LDIF-CHANGE).

Usually all attributes that are defined in the connection handle are passed in the search operation as list of requested attributes. As this list may be very huge (namely when the meta openconn operation uses the -processallattr option) it makes sense to use the -allattr option instead. Therefore the Tcl variable _md_req_attr_limit (defined in init.metacp with the default value 64) is used. If the attribute list of the connection handle is beyond that limit then for optimization purposes a search request with the -allattr option is generated internally. In that case metacp makes sure that later on in the synchronization cycle, only the relevant attributes are processed; attributes returned by search but which are not defined in the connection handle are ignored. But you should be aware that operational attributes are not returned with the -allattr option. Futhermore the directory server may return an attribute with an alternate LDAP attribute name (if configured). So therefore if you miss an attribute during synchronization keep in mind to change _md_req_attr_limit to -1 so that the list of requested attributes is passed to the server as is.

-exactaction

Usually distinguished names are defined as CaseIgnore strings that implies that leading and trailing spaces are ignored and several spaces are reduced to one space when comparing distinguished names. There are no problems when modifying such an object and a reduced number of spaces is passed in the DN; the objects are still considered to be the same and the modify operation is performed successfully.

There are directory systems that want to have the exact number of spaces when calling the modify operation. Therefore multiple spaces must not be dropped.

Using the option -exactaction guarantees that multiple spaces in DNs of the search result are not dropped. The DNs are provided the same way as they are retrieved from the directory server.

-result result_handle

A name to assign to the result handle returned by the operation.

-allattr

Shows information about all the attributes of an entry.

-alluserattr

Returns the object’s user attributes. For LDAP binds, this option returns the same attributes as the option -allattr.

-attribute abbreviation

Returns the attributes that correspond to the specified LDAP names or OIDs.

-baseobject

Limits the search scope to the base object; that is, the entry represented by the specified distinguished name.

-filter filter

Specifies the filter condition for the search. See the String Representation for LDAP Binds chapter for a description of search filters.

-matchedvaluesonly

Specifies that attribute values not matched by the filter are not to be returned.

-onelevel

Limits the search scope to the children of the base object.

-pretty

Displays the results of the operation in a tabular format.

-subtree

Limits the search scope to the subtree below the base object.

-types

Specifies that the results are to contain attribute types but not attribute values.

-vafter after_count

Specifies the maximum number of objects in the page that should be returned after the target object.

-vbefore before_count

Specifies the maximum number of objects in the page that should be returned before the target object.

-vcontentcount content_count

Together with -voffset -vcontentcount is used to specify the target object in a virtual list view in terms of an offset relative to the beginning of the list and the expected number of entries of the list.

-voffset offset

Specifies the target object in a virtual list view in terms of an offset relative to the beginning of the list.

-vpagesize page_size

Specifies the maximum number of objects that should be returned in a page. This option is required for Simple Paging.

-vsortkey sort_keys

Specifies a list of attribute types (sort keys) that should be used for paging or virtual list view. This option is required for VLV. Specify sort_keys in the following format:

For simple pageing
-vsortkey attr_type [attr_type …]
For VLV:
-vsortkey attr_type attr_type …]

where attr_type is the LDAP name of the attribute. For simple paging the first attr_type can be prefixed by an exclamation mark (!) to specify reverse sort order. For VLV all attr_types can be prefixed by an exclamation mark (!). For attr_type only indexed attribute types can be specified.

-vtype {SUBENTRY | SIMPLE | VLV}

Specifies the result type. Specify one of the following keywords:

SUBENTRY - Specifies that the search operation returns subentries. This option is only supported for LDAP binds based on DirX Directory.
SIMPLE - Specifies that the search operation uses simple paging mechanism. This option is only supported for LDAP binds not based on DirX Directory.
VLV - Specifies that the search operation uses virtual list view mechanism.

-vvalue attribute_value

Specifies how the target object in the virtual list view is calculated. The target object is defined to be first object in the list where the attribute identified by the first attribute type of the sort keys is greater than or equal to attribute_value.

The search operation searches for entries starting from the specified distinguished name. You must specify one of the search scope options *
-baseobject*, -onelevel, or -subtree.

By default, the operation does not search for attribute information. Use the *
-attribute* or -alluserattr options to return selected attribute information, or use the -allattr option to return information about all attributes.

By default, the search operation returns results as Tcl lists. Use the -pretty option to return formatted results.

If the -result option is specified the -conn option is required. If the -conn option is specified the obj search attribute selection options (-allattr, -alluserattr, -attribute) cannot be specified.

If the -result option is specified then the search operation usually expects a complete result returned by the directory server (unless paging or virtual list view mode is turned on). If the directory server returns an incomplete result the synchronization TCL script’s behavior is not predictable; for example due to missing entries in the search result, objects are deleted from the directory database. The directory server however may return incomplete results if a size limit or time limit has been encountered (see ldapargs command for details) or if referrals to other servers are returned. In the event of an incomplete result the search operation returns an error “Incomplete search result returned.” (errCode: METACP 6142). If you want to process such incomplete results you must specify the TCL variable _allowpartialresult to prevent the search operation from returning an error. Then the TCL variable _partialresulttype is returned and specifies the reason why the partial result has been received. (See the introduction to metacp for details about the TCL variables _allowpartialresult and _partialresulttype.)

Supplying the -conn option causes the obj search operation to return in the search results list the set of attributes to be synchronized (SSA) specified in the connection handle. To prevent obj search from returning SSA attributes you must create a connection handle that specifies only DDN in the -attribute option, and specify this handle in the -conn option. The obj search operation then returns only entry names. In this case, you must maintain two connection handles for the connected directory: one for the directory synchronization process, and one for returning entry names without attributes in obj search operations.

The following sections describe how to work with these two mechanisms:

Use the option -vpagesize to specify the maximum number of objects that should be returned in a page. (If -vpagesize is not used for VLV, alternatively -vbefore and -vafter must be used.)

Use the option -vsortkey to specify the sort criterias.

The remaining options -vbefore, -vafter, -vvalue, -voffset, and -vcontentcount are only relevant for VLV.

If the options -vbefore and -vafter are used additionally one of the following options must be used:

-vvalue attribute_value
or
-voffset offset [-vcontentcount content_count]

Alternatively, the parameters -voffset and optionally -vcontentcount can be used for specifying a target object that should be contained in the page. If -vcontentcount is absent then its default value 0 is used. Because an LDAP server may not have an accurate estimate of the number of entries in the list, and to take into account the cases where the list size changes during the time the user browses through the list, and because the client needs a way to indicate specific list targets beginning and end, offsets within the list are transmitted between the client and the LDAP server as ratios, offset to content count. The LDAP server sends its latest estimate of the number of entries in the list (content count) to the client. Using -vcontentcount metacp sends its assumed value of the content count to the server. The LDAP server examines the content count and offset that it receives and computes the corresponding offset within the list, based on its own idea of the content count.

Example:

offset = 60, content_count = 100

Suppose that the LDAP servers view of the complete search result conatians 300 objects, then the target object is at position 180.

There are the following special cases when using the -voffset and -vcontentcount option:

offset is one and content_count is non-one: The target object is the first entry in the list.
Equivalent values of offset and content_count: The target object is the last entry in the list.

If the parameters -conn and -result are not used and the number of result entries is greater than the pagesize (specified in -vpagesize), then the search returns an indication for an incomplete operation as the last element of the search result. For Simple Paging, this is a query reference (cookie) that internally is used for subsequent calls of obj nextpage. For VLV, additionally Target-Position and Content-Count are provided. When processing the real entries of the search result an application (TCL script) must take care of that last element and should ignore it.

Simple Paging:
```
metacp> search o=pqr -subtree -pretty -vtype SIMPLE -vpagesize 3
```
The sample output is as follows:
```
1) o=PQR
2) cn=admin,o=PQR
3) ou=Sales,o=PQR
Incomplete operation:
    Partial-Outcome-Qualifier
        Query-Reference         : \x0b\x00\x00\x00
```

VLV:

metacp> search o=pqr -subtree -pretty -vtype VLV -vpagesize 3 -vsortkey cn -voffset 1

The sample output is as follows:

1) cn=Abele,ou=Sales,o=PQR
2) cn=admin,o=PQR
3) cn=Tinker,ou=Sales,o=PQR
Incomplete operation:
    Partial-Outcome-Qualifier
        Query-Reference         : \x0c\x00\x00\x00
        Virtual-List-View-Spec.
              Target-Position       : 1
              Content-Count         : 18

If the parameters -conn and -result are used then the “incomplete operation” indication is not returned in the search result; it is already dropped.
Only one search with simple paging or VLV can be done for a bind connection, because the cookie is internally stored for each connection. If another search (with simple paging, VLV, or without paging) is required simultaneously an additional bind connection for that additional search is required.

Examples

Search without paging

obj search o=pqr -subtree -conn ch -result LDAP_rh

Search with simple paging with page size 3:

search o=pqr -subtree -pretty -vtype SIMPLE -vpagesize 3

Search with VLV with page size 3 starting with the first entry:

search o=pqr -subtree -pretty -vtype VLV -vpagesize 3 -vsortkey cn -voffset 1

Search with VLV with page size 3 starting with the first entry that common name starts with the letter D:
```
search o=pqr -subtree -pretty -vtype VLV -vsortkey cn -vvalue D -vpagesize 3
```
Search with VLV with starting with the first entry (target object) that common name starts with the letter D, displaying 3 entries before and 5 entries after the target object:
```
search o=pqr -subtree -pretty -vtype VLV -vsortkey cn -vvalue D -vbefore 3 –vafter 5
```

obj show

Shows an entry’s contents. The syntax is as follows:

[obj] show distinguished_name
[-bindid bid]
[-allattr |
-alluserattr |
-attribute abbreviation …]
[-pretty]
[-types]

Options

-bindid bid: The name (bid) of the bind to be used. If this option is omitted, the default bind is used. (See the Bind Types and Bind IDs section in this chapter for details.)
-allattr: Shows information about all the attributes of an entry.
-alluserattr: Returns the object’s user attributes. For LDAP binds, this option returns the same attributes as the option -allattr.
-attribute abbreviation: Returns the attributes that correspond to the specified LDAP names or OIDs.
-pretty: Displays the results of the operation in a tabular format.
-types: Specifies that the results are to contain attribute types, but not attribute values.

Use the distinguished_name argument to specify an object to show.

By default, the operation does not return attribute information. Use the -attribute
or -alluserattr options to return selected attribute information, or use the -allattr option to return information about all attributes. If you have selected to return attribute information, the obj show operation returns attribute types and values by default. Use the -types option to limit the results returned to attribute types only.

By default, the results of the obj show operation are displayed as a Tcl list. Use the -pretty option to return the results in a tabular, more readable format.

Examples

The following sample command shows all attributes associated with the object represented by the distinguished name cn=Miller,ou=engeneering,o=myCompany,c=de.

show {cn=Miller,ou=engeneering,o=myCompany,c=de} \
    -allattr \
      -pretty

The output of the sample command is as follows:

1) cn=Miller,ou=engeneering,o=myCompany,c=de
objectClass     : top
: person
: organizationalPerson
commonName : Miller
surname           : Tom
description       : Software-Engineer

The following sample command displays a Tcl list that contains all attributes associated with the object represented by the distinguished name cn=Miller,ou=engeneering,o=myCompany,c=de.

show {cn=Miller,ou=engeneering,o=myCompany,c=de}
     -allattr

The output of the sample command is as follows:

cn=Miller,ou=engeneering,o=myCompany,c=de {objectClass=top;person;organizationalPerson} cn=Miller sn=Tom description=Software-Engineer

The following sample command displays the telephone-number attribute associated with the object represented by the distinguished name cn=Miller,ou=engeneering,o=myCompany,c=de.

show {cn=Miller,ou=engeneering,o=myCompany,c=de}
     -attribute TN -pretty

The output of the sample command is as follows:

1) cn=Miller,ou=engeneering,o=myCompany,c=de
telephoneNumber : +1 964 123 5678

obj unbind

Terminates a binding between metacp and a Identity store. The syntax is as follows:

[obj] unbind
[-bindid bid]

Options

-bindid bid: The name (bid) of the bind to be used. If this option is omitted, the default bind is used. See the Bind Types and Bind IDs section in this chapter for details.