.lf 1 stdin
.TH LDAPWHOAMI 1 "2020/04/28" "OpenLDAP 2.4.50"
.\" $OpenLDAP$
.\" Copyright 1998-2020 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.SH NAME
ldapwhoami \- LDAP who am i? tool
.SH SYNOPSIS
.B ldapwhoami
[\c
.BR \-V [ V ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
.BR \-n ]
[\c
.BR \-v ]
[\c
.BR \-x ]
[\c
.BI \-D \ binddn\fR]
[\c
.BR \-W ]
[\c
.BI \-w \ passwd\fR]
[\c
.BI \-y \ passwdfile\fR]
[\c
.BI \-H \ ldapuri\fR]
[\c
.BI \-h \ ldaphost\fR]
[\c
.BI \-p \ ldapport\fR]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-o \ opt \fR[= optparam \fR]]
[\c
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
.BR \-Q ]
[\c
.BR \-N ]
[\c
.BI \-U \ authcid\fR]
[\c
.BI \-R \ realm\fR]
[\c
.BI \-X \ authzid\fR]
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z [ Z ]]
.SH DESCRIPTION
.I ldapwhoami
implements the LDAP "Who Am I?" extended operation.
.LP
.B ldapwhoami
opens a connection to an LDAP server, binds, and performs a whoami
operation.
.SH OPTIONS
.TP
.BR \-V [ V ]
Print version info.
If \fB\-VV\fP is given, only the version information is printed.
.TP
.BI \-d \ debuglevel
Set the LDAP debugging level to \fIdebuglevel\fP.
.B ldapwhoami
must be compiled with LDAP_DEBUG defined for this option to have any effect.
.TP
.B \-n
Show what would be done, but don't actually perform the whoami operation.
Useful for
debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Run in verbose mode, with many diagnostics written to standard output.
.TP
.B \-x
Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
.TP
.BI \-w \ passwd
Use \fIpasswd\fP as the password for simple authentication.
.TP
.BI \-y \ passwdfile
Use complete contents of \fIpasswdfile\fP as the password for
simple authentication.
.TP
.BI \-H \ ldapuri
Specify URI(s) referring to the LDAP server(s); only the protocol/host/port
fields are allowed; a list of URIs, separated by whitespace or commas,
is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the LDAP server is running.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the LDAP server is listening.
Deprecated in favor of \fB\-H\fP.
.TP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.TP
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]

Specify general extensions with \fB\-e\fP and whoami extensions with \fB\-E\fP.
\'\fB!\fP\' indicates criticality.

General extensions:
.nf
  [!]assert=<filter>    (an RFC 4515 Filter)
  !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
  [!]bauthzid           (RFC 3829 authzid control)
  [!]chaining[=<resolve>[/<cont>]]
  [!]manageDSAit
  [!]noop
  ppolicy
  [!]postread[=<attrs>] (a comma-separated attribute list)
  [!]preread[=<attrs>]  (a comma-separated attribute list)
  [!]relax
  sessiontracking
  abandon,cancel,ignore (SIGINT sends abandon/cancel,
  or ignores response; if critical, doesn't wait for SIGINT.
  not really controls)
.fi

WhoAmI extensions:
.nf
  (none)
.fi
.TP
.BI \-o \ opt \fR[= optparam \fR]

Specify general options.

General options:
.nf
  nettimeout=<timeout>  (in seconds, or "none" or "max")
  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
.fi
.TP
.BI \-O \ security-properties
Specify SASL security properties.
.TP
.B \-I
Enable SASL Interactive mode.  Always prompt.  Default is to prompt
only as needed.
.TP
.B \-Q
Enable SASL Quiet mode.  Never prompt.
.TP
.B \-N
Do not use reverse DNS to canonicalize SASL host name.
.TP
.BI \-U \ authcid
Specify the authentication ID for SASL bind. The form of the ID
depends on the actual SASL mechanism used.
.TP
.BI \-R \ realm
Specify the realm of authentication ID for SASL bind. The form of the realm
depends on the actual SASL mechanism used.
.TP
.BI \-X \ authzid
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.BI dn: "<distinguished name>"
or
.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
\fB\-ZZ\fP, the command will require the operation to be successful.
.SH EXAMPLE
.nf
    ldapwhoami \-x \-D "cn=Manager,dc=example,dc=com" \-W
.fi
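.LP
For scripted use, where \fB\-W\fP cannot prompt, the following is an added example (not part of the OpenLDAP manual or its code) of pre-flight checks around \fB\-y\fP and \fB\-ZZ\fP as described under OPTIONS. The function names, host name and file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a scripted ldapwhoami call.
# Function names, the URI and the file path are illustrative assumptions.

# Succeeds only if the file is non-empty, has no group/other permission
# bits, and does not end in a newline (-y uses the complete file contents
# as the password, so a trailing newline would become part of it).
check_passwdfile() {
    [ -s "$1" ] || { echo "$1: missing or empty" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1: group/other access ($perms)" >&2; return 1; }
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] || { echo "$1: trailing newline in password file" >&2; return 1; }
}

# Prints the StartTLS flag appropriate for the URI scheme.
tls_flag() {
    case "$1" in
        ldap://*)            echo "-ZZ" ;;  # require StartTLS to succeed
        ldaps://*|ldapi://*) echo "" ;;     # TLS from connect, or local socket
        *) echo "unsupported URI: $1" >&2; return 1 ;;
    esac
}

# Binds with simple authentication and runs the whoami operation.
# usage: ldap_whoami_checked URI BINDDN PASSWDFILE
ldap_whoami_checked() {
    check_passwdfile "$3" || return 1
    flag=$(tls_flag "$1") || return 1
    # $flag is intentionally unquoted so an empty value adds no argument.
    ldapwhoami -x $flag -H "$1" -D "$2" -y "$3"
}

# Example call (constructed values):
# ldap_whoami_checked ldap://ldap.example.com \
#     "cn=Manager,dc=example,dc=com" /path/to/passwdfile
```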
.SH "SEE ALSO"
.BR ldap.conf (5),
.BR ldap (3),
.BR ldap_extended_operation (3)
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
.lf 1 ./../Project
.\" Shared Project Acknowledgement Text
.B "OpenLDAP Software"
is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>.
.B "OpenLDAP Software"
is derived from the University of Michigan LDAP 3.3 Release.
.lf 202 stdin
