-.TH LDAPDELETE 1 "17 August 1999" "OpenLDAP LDVERSION"
+.TH LDAPDELETE 1 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" $OpenLDAP$
+.\" Copyright 1998-2011 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
ldapdelete \- LDAP delete entry tool
.SH SYNOPSIS
[\c
.BR \-v ]
[\c
-.BR \-k ]
-[\c
-.BR \-K ]
-[\c
.BR \-c ]
[\c
-.BR \-M[M] ]
+.BR \-M [ M ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
[\c
.BI \-w \ passwd\fR]
[\c
+.BI \-y \ passwdfile\fR]
+[\c
+.BI \-H \ ldapuri\fR]
+[\c
.BI \-h \ ldaphost\fR]
[\c
-.BI \-P \ 2\fR\||\|\fI3\fR]
+.BR \-P \ { 2 \||\| 3 }]
+[\c
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+[\c
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-p \ ldapport\fR]
[\c
-.IR dn ]...
+.BI \-O \ security-properties\fR]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BR \-r ]
+[\c
+.BR \-x ]
+[\c
+.BR \-I ]
+[\c
+.BR \-Q ]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BI \-z \ sizelimit\fR]
+[\c
+.BR \-Z [ Z ]]
+[\c
+.IR DN \ [ ... ]]
.SH DESCRIPTION
.I ldapdelete
is a shell-accessible interface to the
-.BR ldap_delete (3)
+.BR ldap_delete_ext (3)
library call.
.LP
.B ldapdelete
opens a connection to an LDAP server, binds, and deletes one or more
-entries. If one or more \fIdn\fP arguments are provided, entries with
-those Distinguished Names are deleted. Each \fIdn\fP should be a
-string-represented DN as defined in RFC 1779. If no \fIdn\fP arguments
+entries. If one or more \fIDN\fP arguments are provided, entries with
+those Distinguished Names are deleted. Each \fIDN\fP should be provided
+using the LDAPv3 string representation as defined in RFC 4514.
+If no \fIDN\fP arguments
are provided, a list of DNs is read from standard input (or from
-\fIfile\fP if the -f flag is used).
+\fIfile\fP if the \fB\-f\fP flag is used).
.SH OPTIONS
.TP
.B \-n
Show what would be done, but don't actually delete entries. Useful for
-debugging in conjunction with -v.
+debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Use verbose mode, with many diagnostics written to standard output.
.TP
-.B \-k
-Use Kerberos authentication instead of simple authentication. It is
-assumed that you already have a valid ticket granting ticket. This option
-only has effect if
-. B ldapdelete
-is compiled with KERBEROS defined.
-.TP
-.B \-K
-Same as \-k, but only does step 1 of the kerberos bind. This is useful
-when connecting to a slapd and there is no x500dsa.hostname principal
-registered with your kerberos servers.
-.TP
.B \-c
Continuous operation mode. Errors are reported, but
.B ldapdelete
will continue with deletions. The default is to exit after
reporting an error.
.TP
-.B \-M[M]
+.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
must be compiled with LDAP_DEBUG defined for this option to have any effect.
.TP
.BI \-f \ file
-Read a series of lines from \fIfile\fP, performing one LDAP search for
-each line. In this case, the \fIfilter\fP given on the command line
-is treated as a pattern where the first occurrence of \fB%s\fP is
-replaced with a line from \fIfile\fP.
+Read a series of DNs from \fIfile\fP, one per line, performing an
+LDAP delete for each.
+.TP
+.B \-x
+Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
-Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
-a string-represented DN as defined in RFC 1779.
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
.BI \-w \ passwd
Use \fIpasswd\fP as the password for simple authentication.
.TP
+.BI \-y \ passwdfile
+Use complete contents of \fIpasswdfile\fP as the password for
+simple authentication.
+.TP
+.BI \-H \ ldapuri
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
.BI \-h \ ldaphost
Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
.TP
-.BI \-P \ 2\fR\||\|\fI3
+.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
+.TP
+.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+.TP
+.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+
+Specify general extensions with \fB\-e\fP and delete extensions with \fB\-E\fP.
+\'\fB!\fP\' indicates criticality.
+
+General extensions:
+.nf
+ [!]assert=<filter> (an RFC 4515 Filter)
+ !authzid=<authzid> ("dn:<dn>" or "u:<user>")
+ [!]bauthzid (RFC 3829 authzid control)
+ [!]chaining[=<resolve>[/<cont>]]
+ [!]manageDSAit
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (a comma-separated attribute list)
+ [!]preread[=<attrs>] (a comma-separated attribute list)
+ [!]relax
+ sessiontracking[=<username>]
+ abandon,cancel,ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+
+Delete extensions:
+.nf
+ (none)
+.fi
+.TP
+.B \-r
+Do a recursive delete. If the DN specified isn't a leaf, its
+children, and all their children are deleted down the tree. No
+verification is done, so if you add this switch, ldapdelete will
+happily delete large portions of your tree. Use with care.
+.TP
+.BI \-z \ sizelimit
+Use \fIsizelimit\fP when searching for children DN to delete,
+to circumvent any server-side size limit. Only useful in conjunction
+with \fB\-r\fP.
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.B \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.B \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the identity depends on the
+actual SASL mechanism used.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.BI dn: "<distinguished name>"
+or
+.BI u: <username>
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication. If it's not
+specified, the program will choose the best mechanism the server knows.
+.TP
+.BR \-Z [ Z ]
+Issue StartTLS (Transport Layer Security) extended operation. If you use
+\fB\-ZZ\fP, the command will require the operation to be successful.
.SH EXAMPLE
The following command:
.LP
.nf
- ldapdelete "cn=Delete Me, dc=OpenLDAP, dc=org"
+ ldapdelete "cn=Delete Me,dc=example,dc=com"
.fi
.LP
-will attempt to delete the entry named with commonName "Delete Me"
-directly below the "dc=OpenLDAP, dc=org" entry. Of
-course it would probably be necessary to supply a \fIbinddn\fP and
-\fIpasswd\fP for deletion to be allowed (see the -D and -w options).
+will attempt to delete the entry named "cn=Delete Me,dc=example,dc=com".
+Of course it would probably be necessary to supply authentication
+credentials.
.SH DIAGNOSTICS
Exit status is 0 if no errors occur. Errors result in a non-zero exit
status and a diagnostic message being written to standard error.
.BR ldapmodrdn (1),
.BR ldapsearch (1),
.BR ldap (3),
-.BR ldap_delete (3)
-.LP
-Kille, S.,
-.IR "A String Representation of Distinguished Names",
-.SM RFC
-1779,
-ISODE Consortium, March 1995.
-.SH BUGS
-There is no interactive mode, but there probably should be.
+.BR ldap_delete_ext (3)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
-.B OpenLDAP
-is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
-is derived from University of Michigan LDAP 3.3 Release.
+.so ../Project