]> git.sur5r.net Git - openldap/blob - clients/tools/ldapdelete.c
bc9d057dda9af71130307bbf8f2eb6b4a79d3aeb
[openldap] / clients / tools / ldapdelete.c
1 /* ldapdelete.c - simple program to delete an entry using LDAP */
2 /* $OpenLDAP$ */
3 /*
4  * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
6  */
7
8 #include "portable.h"
9
10 #include <stdio.h>
11
12 #include <ac/stdlib.h>
13 #include <ac/ctype.h>
14
15 #include <ac/signal.h>
16 #include <ac/string.h>
17 #include <ac/unistd.h>
18
19 #include <ldap.h>
20 #include "lutil.h"
21 #include "lutil_ldap.h"
22 #include "ldap_defaults.h"
23
24 static char     *prog;
25 static char     *binddn = NULL;
26 static struct berval passwd = { 0, NULL };
27 static char *ldapuri = NULL;
28 static char     *ldaphost = NULL;
29 static int      ldapport = 0;
30 static int      prune = 0;
31 #ifdef HAVE_CYRUS_SASL
32 static unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
33 static char     *sasl_mech = NULL;
34 static char *sasl_realm = NULL;
35 static char     *sasl_authc_id = NULL;
36 static char     *sasl_authz_id = NULL;
37 static char     *sasl_secprops = NULL;
38 #endif
39 static int      use_tls = 0;
40 static int      not, verbose, contoper;
41 static LDAP     *ld = NULL;
42
43 static int dodelete LDAP_P((
44     LDAP *ld,
45     const char *dn));
46
47 static int deletechildren LDAP_P((
48         LDAP *ld,
49         const char *dn ));
50
51 static void
52 usage( const char *s )
53 {
54         fprintf( stderr,
55 "Delete entries from an LDAP server\n\n"
56 "usage: %s [options] [dn]...\n"
57 "       dn: list of DNs to delete. If not given, it will be readed from stdin\n"
58 "           or from the file specified with \"-f file\".\n"
59 "Delete Options:\n"
60 "  -r         delete recursively\n"
61
62 "Common options:\n"
63 "  -d level   set LDAP debugging level to `level'\n"
64 "  -D binddn  bind DN\n"
65 "  -e [!]<ctrl>[=<ctrlparam>] general controls (! indicates criticality)\n"
66 "             [!]manageDSAit   (alternate form, see -M)\n"
67 "             [!]noop\n"
68 "  -f file    read operations from `file'\n"
69 "  -h host    LDAP server\n"
70 "  -H URI     LDAP Uniform Resource Indentifier(s)\n"
71 "  -I         use SASL Interactive mode\n"
72 "  -k         use Kerberos authentication\n"
73 "  -K         like -k, but do only step 1 of the Kerberos bind\n"
74 "  -M         enable Manage DSA IT control (-MM to make critical)\n"
75 "  -n         show what would be done but don't actually do it\n"
76 "  -O props   SASL security properties\n"
77 "  -p port    port on LDAP server\n"
78 "  -P version procotol version (default: 3)\n"
79 "  -Q         use SASL Quiet mode\n"
80 "  -R realm   SASL realm\n"
81 "  -U authcid SASL authentication identity\n"
82 "  -v         run in verbose mode (diagnostics to standard output)\n"
83 "  -w passwd  bind passwd (for simple authentication)\n"
84 "  -W         prompt for bind passwd\n"
85 "  -x         Simple authentication\n"
86 "  -X authzid SASL authorization identity (\"dn:<dn>\" or \"u:<user>\")\n"
87 "  -y file    Read passwd from file\n"
88 "  -Y mech    SASL mechanism\n"
89 "  -Z         Start TLS request (-ZZ to require successful response)\n"
90 ,               s );
91
92         exit( EXIT_FAILURE );
93 }
94
95
96 int
97 main( int argc, char **argv )
98 {
99         char            buf[ 4096 ];
100         FILE            *fp;
101         int             i, rc, authmethod, referrals, want_bindpw, version, debug, manageDSAit, noop, crit;
102         char    *pw_file;
103         char    *control, *cvalue;
104
105     not = verbose = contoper = want_bindpw = debug
106                 = manageDSAit = noop = referrals = 0;
107     fp = NULL;
108     authmethod = -1;
109         version = -1;
110         pw_file = NULL;
111
112     prog = lutil_progname( "ldapdelete", argc, argv );
113
114     while (( i = getopt( argc, argv, "cf:r"
115                 "Cd:D:e:h:H:IkKMnO:p:P:QR:U:vw:WxX:y:Y:Z" )) != EOF )
116         {
117         switch( i ) {
118         /* Delete Specific Options */
119         case 'c':       /* continuous operation mode */
120             ++contoper;
121             break;
122         case 'E': /* delete controls */
123                 if( version == LDAP_VERSION2 ) {
124                         fprintf( stderr, "%s: -E incompatible with LDAPv%d\n",
125                                 prog, version );
126                         return EXIT_FAILURE;
127                 }
128
129                 /* should be extended to support comma separated list of
130                  *      [!]key[=value] parameters, e.g.  -E !foo,bar=567
131                  */
132
133                 crit = 0;
134                 cvalue = NULL;
135                 if( optarg[0] == '!' ) {
136                         crit = 1;
137                         optarg++;
138                 }
139
140                 control = strdup( optarg );
141                 if ( (cvalue = strchr( control, '=' )) != NULL ) {
142                         *cvalue++ = '\0';
143                 }
144                 fprintf( stderr, "Invalid delete control name: %s\n", control );
145                 usage(prog);
146                 return EXIT_FAILURE;
147         case 'f':       /* read DNs from a file */
148                 if( fp != NULL ) {
149                         fprintf( stderr, "%s: -f previously specified\n", prog );
150                         return EXIT_FAILURE;
151                 }
152             if (( fp = fopen( optarg, "r" )) == NULL ) {
153                 perror( optarg );
154                 exit( EXIT_FAILURE );
155             }
156             break;
157         case 'r':
158                 prune = 1;
159                 break;
160
161         /* Common Options */
162         case 'C':
163                 referrals++;
164                 break;
165         case 'd':
166             debug |= atoi( optarg );
167             break;
168         case 'D':       /* bind DN */
169                 if( binddn != NULL ) {
170                         fprintf( stderr, "%s: -D previously specified\n", prog );
171                         return EXIT_FAILURE;
172                 }
173             binddn = strdup( optarg );
174             break;
175         case 'e': /* general controls */
176                 if( version == LDAP_VERSION2 ) {
177                         fprintf( stderr, "%s: -e incompatible with LDAPv%d\n",
178                                 prog, version );
179                         return EXIT_FAILURE;
180                 }
181
182                 /* should be extended to support comma separated list of
183                  *      [!]key[=value] parameters, e.g.  -e !foo,bar=567
184                  */
185
186                 crit = 0;
187                 cvalue = NULL;
188                 if( optarg[0] == '!' ) {
189                         crit = 1;
190                         optarg++;
191                 }
192
193                 control = strdup( optarg );
194                 if ( (cvalue = strchr( control, '=' )) != NULL ) {
195                         *cvalue++ = '\0';
196                 }
197
198                 if ( strcasecmp( control, "manageDSAit" ) == 0 ) {
199                         if( manageDSAit ) {
200                                 fprintf( stderr, "manageDSAit control previously specified");
201                                 return EXIT_FAILURE;
202                         }
203                         if( cvalue != NULL ) {
204                                 fprintf( stderr, "manageDSAit: no control value expected" );
205                                 usage(prog);
206                                 return EXIT_FAILURE;
207                         }
208
209                         manageDSAit = 1 + crit;
210                         free( control );
211                         break;
212                         
213                 } else if ( strcasecmp( control, "noop" ) == 0 ) {
214                         if( noop ) {
215                                 fprintf( stderr, "noop control previously specified");
216                                 return EXIT_FAILURE;
217                         }
218                         if( cvalue != NULL ) {
219                                 fprintf( stderr, "noop: no control value expected" );
220                                 usage(prog);
221                                 return EXIT_FAILURE;
222                         }
223
224                         noop = 1 + crit;
225                         free( control );
226                         break;
227
228                 } else {
229                         fprintf( stderr, "Invalid general control name: %s\n", control );
230                         usage(prog);
231                         return EXIT_FAILURE;
232                 }
233         case 'h':       /* ldap host */
234                 if( ldapuri != NULL ) {
235                         fprintf( stderr, "%s: -h incompatible with -H\n", prog );
236                         return EXIT_FAILURE;
237                 }
238                 if( ldaphost != NULL ) {
239                         fprintf( stderr, "%s: -h previously specified\n", prog );
240                         return EXIT_FAILURE;
241                 }
242             ldaphost = strdup( optarg );
243             break;
244         case 'H':       /* ldap URI */
245                 if( ldaphost != NULL ) {
246                         fprintf( stderr, "%s: -H incompatible with -h\n", prog );
247                         return EXIT_FAILURE;
248                 }
249                 if( ldapport ) {
250                         fprintf( stderr, "%s: -H incompatible with -p\n", prog );
251                         return EXIT_FAILURE;
252                 }
253                 if( ldapuri != NULL ) {
254                         fprintf( stderr, "%s: -H previously specified\n", prog );
255                         return EXIT_FAILURE;
256                 }
257             ldapuri = strdup( optarg );
258             break;
259         case 'I':
260 #ifdef HAVE_CYRUS_SASL
261                 if( version == LDAP_VERSION2 ) {
262                         fprintf( stderr, "%s: -I incompatible with version %d\n",
263                                 prog, version );
264                         return EXIT_FAILURE;
265                 }
266                 if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
267                         fprintf( stderr, "%s: incompatible previous "
268                                 "authentication choice\n",
269                                 prog );
270                         return EXIT_FAILURE;
271                 }
272                 authmethod = LDAP_AUTH_SASL;
273                 version = LDAP_VERSION3;
274                 sasl_flags = LDAP_SASL_INTERACTIVE;
275                 break;
276 #else
277                 fprintf( stderr, "%s: was not compiled with SASL support\n",
278                         prog );
279                 return( EXIT_FAILURE );
280 #endif
281         case 'k':       /* kerberos bind */
282 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
283                 if( version > LDAP_VERSION2 ) {
284                         fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
285                                 prog, version );
286                         return EXIT_FAILURE;
287                 }
288
289                 if( authmethod != -1 ) {
290                         fprintf( stderr, "%s: -k incompatible with previous "
291                                 "authentication choice\n", prog );
292                         return EXIT_FAILURE;
293                 }
294                         
295                 authmethod = LDAP_AUTH_KRBV4;
296 #else
297                 fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
298                 return EXIT_FAILURE;
299 #endif
300             break;
301         case 'K':       /* kerberos bind, part one only */
302 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
303                 if( version > LDAP_VERSION2 ) {
304                         fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
305                                 prog, version );
306                         return EXIT_FAILURE;
307                 }
308                 if( authmethod != -1 ) {
309                         fprintf( stderr, "%s: incompatible with previous "
310                                 "authentication choice\n", prog );
311                         return EXIT_FAILURE;
312                 }
313
314                 authmethod = LDAP_AUTH_KRBV41;
315 #else
316                 fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
317                 return( EXIT_FAILURE );
318 #endif
319             break;
320         case 'M':
321                 /* enable Manage DSA IT */
322                 if( version == LDAP_VERSION2 ) {
323                         fprintf( stderr, "%s: -M incompatible with LDAPv%d\n",
324                                 prog, version );
325                         return EXIT_FAILURE;
326                 }
327                 manageDSAit++;
328                 version = LDAP_VERSION3;
329                 break;
330         case 'n':       /* print deletes, don't actually do them */
331             ++not;
332             break;
333         case 'O':
334 #ifdef HAVE_CYRUS_SASL
335                 if( sasl_secprops != NULL ) {
336                         fprintf( stderr, "%s: -O previously specified\n", prog );
337                         return EXIT_FAILURE;
338                 }
339                 if( version == LDAP_VERSION2 ) {
340                         fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
341                                 prog, version );
342                         return EXIT_FAILURE;
343                 }
344                 if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
345                         fprintf( stderr, "%s: incompatible previous "
346                                 "authentication choice\n", prog );
347                         return EXIT_FAILURE;
348                 }
349                 authmethod = LDAP_AUTH_SASL;
350                 version = LDAP_VERSION3;
351                 sasl_secprops = strdup( optarg );
352 #else
353                 fprintf( stderr, "%s: not compiled with SASL support\n",
354                         prog );
355                 return( EXIT_FAILURE );
356 #endif
357                 break;
358         case 'p':
359                 if( ldapport ) {
360                         fprintf( stderr, "%s: -p previously specified\n", prog );
361                         return EXIT_FAILURE;
362                 }
363             ldapport = atoi( optarg );
364             break;
365         case 'P':
366                 switch( atoi(optarg) ) {
367                 case 2:
368                         if( version == LDAP_VERSION3 ) {
369                                 fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
370                                         prog, version );
371                                 return EXIT_FAILURE;
372                         }
373                         version = LDAP_VERSION2;
374                         break;
375                 case 3:
376                         if( version == LDAP_VERSION2 ) {
377                                 fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
378                                         prog, version );
379                                 return EXIT_FAILURE;
380                         }
381                         version = LDAP_VERSION3;
382                         break;
383                 default:
384                         fprintf( stderr, "%s: protocol version should be 2 or 3\n",
385                                 prog );
386                         usage( prog );
387                         return( EXIT_FAILURE );
388                 } break;
389         case 'Q':
390 #ifdef HAVE_CYRUS_SASL
391                 if( version == LDAP_VERSION2 ) {
392                         fprintf( stderr, "%s: -Q incompatible with version %d\n",
393                                 prog, version );
394                         return EXIT_FAILURE;
395                 }
396                 if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
397                         fprintf( stderr, "%s: incompatible previous "
398                                 "authentication choice\n",
399                                 prog );
400                         return EXIT_FAILURE;
401                 }
402                 authmethod = LDAP_AUTH_SASL;
403                 version = LDAP_VERSION3;
404                 sasl_flags = LDAP_SASL_QUIET;
405                 break;
406 #else
407                 fprintf( stderr, "%s: not compiled with SASL support\n",
408                         prog );
409                 return( EXIT_FAILURE );
410 #endif
411         case 'R':
412 #ifdef HAVE_CYRUS_SASL
413                 if( sasl_realm != NULL ) {
414                         fprintf( stderr, "%s: -R previously specified\n", prog );
415                         return EXIT_FAILURE;
416                 }
417                 if( version == LDAP_VERSION2 ) {
418                         fprintf( stderr, "%s: -R incompatible with version %d\n",
419                                 prog, version );
420                         return EXIT_FAILURE;
421                 }
422                 if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
423                         fprintf( stderr, "%s: incompatible previous "
424                                 "authentication choice\n",
425                                 prog );
426                         return EXIT_FAILURE;
427                 }
428                 authmethod = LDAP_AUTH_SASL;
429                 version = LDAP_VERSION3;
430                 sasl_realm = strdup( optarg );
431 #else
432                 fprintf( stderr, "%s: not compiled with SASL support\n",
433                         prog );
434                 return( EXIT_FAILURE );
435 #endif
436                 break;
437         case 'U':
438 #ifdef HAVE_CYRUS_SASL
439                 if( sasl_authc_id != NULL ) {
440                         fprintf( stderr, "%s: -U previously specified\n", prog );
441                         return EXIT_FAILURE;
442                 }
443                 if( version == LDAP_VERSION2 ) {
444                         fprintf( stderr, "%s: -U incompatible with version %d\n",
445                                 prog, version );
446                         return EXIT_FAILURE;
447                 }
448                 if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
449                         fprintf( stderr, "%s: incompatible previous "
450                                 "authentication choice\n",
451                                 prog );
452                         return EXIT_FAILURE;
453                 }
454                 authmethod = LDAP_AUTH_SASL;
455                 version = LDAP_VERSION3;
456                 sasl_authc_id = strdup( optarg );
457 #else
458                 fprintf( stderr, "%s: not compiled with SASL support\n",
459                         prog );
460                 return( EXIT_FAILURE );
461 #endif
462                 break;
463         case 'v':       /* verbose mode */
464             verbose++;
465             break;
466         case 'w':       /* password */
467             passwd.bv_val = strdup( optarg );
468                 {
469                         char* p;
470
471                         for( p = optarg; *p != '\0'; p++ ) {
472                                 *p = '\0';
473                         }
474                 }
475                 passwd.bv_len = strlen( passwd.bv_val );
476             break;
477         case 'W':
478                 want_bindpw++;
479                 break;
480         case 'y':
481                 pw_file = optarg;
482                 break;
483         case 'Y':
484 #ifdef HAVE_CYRUS_SASL
485                 if( sasl_mech != NULL ) {
486                         fprintf( stderr, "%s: -Y previously specified\n", prog );
487                         return EXIT_FAILURE;
488                 }
489                 if( version == LDAP_VERSION2 ) {
490                         fprintf( stderr, "%s: -Y incompatible with version %d\n",
491                                 prog, version );
492                         return EXIT_FAILURE;
493                 }
494                 if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
495                         fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
496                         return EXIT_FAILURE;
497                 }
498                 authmethod = LDAP_AUTH_SASL;
499                 version = LDAP_VERSION3;
500                 sasl_mech = strdup( optarg );
501 #else
502                 fprintf( stderr, "%s: not compiled with SASL support\n",
503                         prog );
504                 return( EXIT_FAILURE );
505 #endif
506                 break;
507         case 'x':
508                 if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) {
509                         fprintf( stderr, "%s: incompatible with previous "
510                                 "authentication choice\n", prog );
511                         return EXIT_FAILURE;
512                 }
513                 authmethod = LDAP_AUTH_SIMPLE;
514                 break;
515         case 'X':
516 #ifdef HAVE_CYRUS_SASL
517                 if( sasl_authz_id != NULL ) {
518                         fprintf( stderr, "%s: -X previously specified\n", prog );
519                         return EXIT_FAILURE;
520                 }
521                 if( version == LDAP_VERSION2 ) {
522                         fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
523                                 prog, version );
524                         return EXIT_FAILURE;
525                 }
526                 if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
527                         fprintf( stderr, "%s: -X incompatible with "
528                                 "authentication choice\n", prog );
529                         return EXIT_FAILURE;
530                 }
531                 authmethod = LDAP_AUTH_SASL;
532                 version = LDAP_VERSION3;
533                 sasl_authz_id = strdup( optarg );
534 #else
535                 fprintf( stderr, "%s: not compiled with SASL support\n",
536                         prog );
537                 return( EXIT_FAILURE );
538 #endif
539                 break;
540         case 'Z':
541 #ifdef HAVE_TLS
542                 if( version == LDAP_VERSION2 ) {
543                         fprintf( stderr, "%s: -Z incompatible with version %d\n",
544                                 prog, version );
545                         return EXIT_FAILURE;
546                 }
547                 version = LDAP_VERSION3;
548                 use_tls++;
549 #else
550                 fprintf( stderr, "%s: not compiled with TLS support\n",
551                         prog );
552                 return( EXIT_FAILURE );
553 #endif
554                 break;
555         default:
556                 fprintf( stderr, "%s: unrecognized option -%c\n",
557                         prog, optopt );
558                 usage( prog );
559                 return( EXIT_FAILURE );
560         }
561     }
562
563         if (version == -1) {
564                 version = LDAP_VERSION3;
565         }
566         if (authmethod == -1 && version > LDAP_VERSION2) {
567 #ifdef HAVE_CYRUS_SASL
568                 authmethod = LDAP_AUTH_SASL;
569 #else
570                 authmethod = LDAP_AUTH_SIMPLE;
571 #endif
572         }
573
574     if ( fp == NULL ) {
575         if ( optind >= argc ) {
576             fp = stdin;
577         }
578     }
579
580         if ( debug ) {
581                 if( ber_set_option( NULL, LBER_OPT_DEBUG_LEVEL, &debug ) != LBER_OPT_SUCCESS ) {
582                         fprintf( stderr, "Could not set LBER_OPT_DEBUG_LEVEL %d\n", debug );
583                 }
584                 if( ldap_set_option( NULL, LDAP_OPT_DEBUG_LEVEL, &debug ) != LDAP_OPT_SUCCESS ) {
585                         fprintf( stderr, "Could not set LDAP_OPT_DEBUG_LEVEL %d\n", debug );
586                 }
587         }
588
589 #ifdef SIGPIPE
590         (void) SIGNAL( SIGPIPE, SIG_IGN );
591 #endif
592
593         if( ( ldaphost != NULL || ldapport ) && ( ldapuri == NULL ) ) {
594                 if ( verbose ) {
595                         fprintf( stderr, "ldap_init( %s, %d )\n",
596                                 ldaphost != NULL ? ldaphost : "<DEFAULT>",
597                                 ldapport );
598                 }
599
600                 ld = ldap_init( ldaphost, ldapport );
601                 if( ld == NULL ) {
602                         perror("ldapdelete: ldap_init");
603                         return EXIT_FAILURE;
604                 }
605
606         } else {
607                 if ( verbose ) {
608                         fprintf( stderr, "ldap_initialize( %s )\n",
609                                 ldapuri != NULL ? ldapuri : "<DEFAULT>" );
610                 }
611
612                 rc = ldap_initialize( &ld, ldapuri );
613                 if( rc != LDAP_SUCCESS ) {
614                         fprintf( stderr, "Could not create LDAP session handle (%d): %s\n",
615                                 rc, ldap_err2string(rc) );
616                         return EXIT_FAILURE;
617                 }
618         }
619
620         {
621                 /* this seems prudent for searches below */
622                 int deref = LDAP_DEREF_NEVER;
623                 ldap_set_option( ld, LDAP_OPT_DEREF, &deref );
624         }
625
626         /* chase referrals */
627         if( ldap_set_option( ld, LDAP_OPT_REFERRALS,
628                 referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )
629         {
630                 fprintf( stderr, "Could not set LDAP_OPT_REFERRALS %s\n",
631                         referrals ? "on" : "off" );
632                 return EXIT_FAILURE;
633         }
634
635         if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
636                 != LDAP_OPT_SUCCESS )
637         {
638                 fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
639                         version );
640                 return EXIT_FAILURE;
641         }
642
643         if ( use_tls && ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS )) {
644                 ldap_perror( ld, "ldap_start_tls" );
645                 if ( use_tls > 1 ) {
646                         return EXIT_FAILURE;
647                 }
648         }
649
650         if ( pw_file || want_bindpw ) {
651                 if ( pw_file ) {
652                         rc = lutil_get_filed_password( pw_file, &passwd );
653                         if( rc ) return EXIT_FAILURE;
654                 } else {
655                         passwd.bv_val = getpassphrase( "Enter LDAP Password: " );
656                         passwd.bv_len = passwd.bv_val ? strlen( passwd.bv_val ) : 0;
657                 }
658         }
659
660         if ( authmethod == LDAP_AUTH_SASL ) {
661 #ifdef HAVE_CYRUS_SASL
662                 void *defaults;
663
664                 if( sasl_secprops != NULL ) {
665                         rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
666                                 (void *) sasl_secprops );
667                         
668                         if( rc != LDAP_OPT_SUCCESS ) {
669                                 fprintf( stderr,
670                                         "Could not set LDAP_OPT_X_SASL_SECPROPS: %s\n",
671                                         sasl_secprops );
672                                 return( EXIT_FAILURE );
673                         }
674                 }
675                 
676                 defaults = lutil_sasl_defaults( ld,
677                         sasl_mech,
678                         sasl_realm,
679                         sasl_authc_id,
680                         passwd.bv_val,
681                         sasl_authz_id );
682
683                 rc = ldap_sasl_interactive_bind_s( ld, binddn,
684                         sasl_mech, NULL, NULL,
685                         sasl_flags, lutil_sasl_interact, defaults );
686
687                 if( rc != LDAP_SUCCESS ) {
688                         ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
689                         return( EXIT_FAILURE );
690                 }
691 #else
692                 fprintf( stderr, "%s: not compiled with SASL support\n",
693                         prog );
694                 return( EXIT_FAILURE );
695 #endif
696         }
697         else {
698                 if ( ldap_bind_s( ld, binddn, passwd.bv_val, authmethod )
699                                 != LDAP_SUCCESS ) {
700                         ldap_perror( ld, "ldap_bind" );
701                         return( EXIT_FAILURE );
702                 }
703         }
704
705         if ( manageDSAit || noop ) {
706                 int err, i = 0;
707                 LDAPControl c1, c2;
708                 LDAPControl *ctrls[3];
709
710                 if ( manageDSAit ) {
711                         ctrls[i++] = &c1;
712                         ctrls[i] = NULL;
713                         c1.ldctl_oid = LDAP_CONTROL_MANAGEDSAIT;
714                         c1.ldctl_value.bv_val = NULL;
715                         c1.ldctl_value.bv_len = 0;
716                         c1.ldctl_iscritical = manageDSAit > 1;
717                 }
718
719                 if ( noop ) {
720                         ctrls[i++] = &c2;
721                         ctrls[i] = NULL;
722
723                         c2.ldctl_oid = LDAP_CONTROL_NOOP;
724                         c2.ldctl_value.bv_val = NULL;
725                         c2.ldctl_value.bv_len = 0;
726                         c2.ldctl_iscritical = noop > 1;
727                 }
728         
729                 err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, ctrls );
730
731                 if( err != LDAP_OPT_SUCCESS ) {
732                         fprintf( stderr, "Could not set %scontrols\n",
733                                 (c1.ldctl_iscritical || c2.ldctl_iscritical)
734                                 ? "critical " : "" );
735                         if ( c1.ldctl_iscritical && c2.ldctl_iscritical ) {
736                                 return EXIT_FAILURE;
737                         }
738                 }
739         }
740
741         rc = 0;
742
743     if ( fp == NULL ) {
744                 for ( ; optind < argc; ++optind ) {
745                         rc = dodelete( ld, argv[ optind ] );
746
747                         /* Stop on error and no -c option */
748                         if( rc != 0 && contoper == 0) break;
749                 }
750         } else {
751                 while ((rc == 0 || contoper) && fgets(buf, sizeof(buf), fp) != NULL) {
752                         buf[ strlen( buf ) - 1 ] = '\0'; /* remove trailing newline */
753
754                         if ( *buf != '\0' ) {
755                                 rc = dodelete( ld, buf );
756                         }
757                 }
758         }
759
760     ldap_unbind( ld );
761
762         return( rc );
763 }
764
765
766 static int dodelete(
767     LDAP        *ld,
768     const char  *dn)
769 {
770         int id;
771         int     rc, code;
772         char *matcheddn = NULL, *text = NULL, **refs = NULL;
773         LDAPMessage *res;
774
775         if ( verbose ) {
776                 printf( "%sdeleting entry \"%s\"\n",
777                         (not ? "!" : ""), dn );
778         }
779
780         if ( not ) {
781                 return LDAP_SUCCESS;
782         }
783
784         /* If prune is on, remove a whole subtree.  Delete the children of the
785          * DN recursively, then the DN requested.
786          */
787         if ( prune ) deletechildren( ld, dn );
788
789         rc = ldap_delete_ext( ld, dn, NULL, NULL, &id );
790         if ( rc != LDAP_SUCCESS ) {
791                 fprintf( stderr, "%s: ldap_delete_ext: %s (%d)\n",
792                         prog, ldap_err2string( rc ), rc );
793                 return rc;
794         }
795
796         rc = ldap_result( ld, LDAP_RES_ANY, LDAP_MSG_ALL, NULL, &res );
797         if ( rc < 0 ) {
798                 ldap_perror( ld, "ldapdelete: ldap_result" );
799                 return rc;
800         }
801
802         rc = ldap_parse_result( ld, res, &code, &matcheddn, &text, &refs, NULL, 1 );
803
804         if( rc != LDAP_SUCCESS ) {
805                 fprintf( stderr, "%s: ldap_parse_result: %s (%d)\n",
806                         prog, ldap_err2string( rc ), rc );
807                 return rc;
808         }
809
810         if( verbose || code != LDAP_SUCCESS ||
811                 (matcheddn && *matcheddn) || (text && *text) || (refs && *refs) )
812         {
813                 printf( "Delete Result: %s (%d)\n", ldap_err2string( code ), code );
814
815                 if( text && *text ) {
816                         printf( "Additional info: %s\n", text );
817                 }
818
819                 if( matcheddn && *matcheddn ) {
820                         printf( "Matched DN: %s\n", matcheddn );
821                 }
822
823                 if( refs ) {
824                         int i;
825                         for( i=0; refs[i]; i++ ) {
826                                 printf("Referral: %s\n", refs[i] );
827                         }
828                 }
829         }
830
831         ber_memfree( text );
832         ber_memfree( matcheddn );
833         ber_memvfree( (void **) refs );
834
835         return code;
836 }
837
838 /*
839  * Delete all the children of an entry recursively until leaf nodes are reached.
840  *
841  */
842 static int deletechildren(
843         LDAP *ld,
844         const char *dn )
845 {
846         LDAPMessage *res, *e;
847         int entries;
848         int rc;
849         static char *attrs[] = { "1.1", NULL };
850
851         if ( verbose ) printf ( "deleting children of: %s\n", dn );
852         /*
853          * Do a one level search at dn for children.  For each, delete its children.
854          */
855
856         rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
857                 NULL, NULL, NULL, -1, &res );
858         if ( rc != LDAP_SUCCESS ) {
859                 ldap_perror( ld, "ldap_search" );
860                 return( rc );
861         }
862
863         entries = ldap_count_entries( ld, res );
864
865         if ( entries > 0 ) {
866                 int i;
867
868                 for (e = ldap_first_entry( ld, res ), i = 0; e != NULL;
869                         e = ldap_next_entry( ld, e ), i++ )
870                 {
871                         char *dn = ldap_get_dn( ld, e );
872
873                         if( dn == NULL ) {
874                                 ldap_perror( ld, "ldap_prune" );
875                                 ldap_get_option( ld, LDAP_OPT_ERROR_NUMBER, &rc );
876                                 ber_memfree( dn );
877                                 return rc;
878                         }
879
880                         rc = deletechildren( ld, dn );
881                         if ( rc == -1 ) {
882                                 ldap_perror( ld, "ldap_prune" );
883                                 ber_memfree( dn );
884                                 return rc;
885                         }
886
887                         if ( verbose ) {
888                                 printf( "\tremoving %s\n", dn );
889                         }
890
891                         rc = ldap_delete_s( ld, dn );
892                         if ( rc == -1 ) {
893                                 ldap_perror( ld, "ldap_delete" );
894                                 ber_memfree( dn );
895                                 return rc;
896
897                         }
898                         
899                         if ( verbose ) {
900                                 printf( "\t%s removed\n", dn );
901                         }
902
903                         ber_memfree( dn );
904                 }
905         }
906
907         ldap_msgfree( res );
908         return rc;
909 }