--- /dev/null
+.\" $OpenLDAP$
+.\" This contribution is derived from OpenLDAP Software.
+.\" All of the modifications to OpenLDAP Software represented in this
+.\" contribution were developed by Peter Marschall <peter@adpm.de>.
+.\" I have not assigned rights and/or interest in this work to any party.
+.\"
+.\" Copyright 2009 Peter Marschall
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted only as authorized by the OpenLDAP Public License.
+.\"
+.\" A copy of this license is available in file LICENSE in the
+.\" top-level directory of the distribution or, alternatively, at
+.\" http://www.OpenLDAP.org/license.html.
+
+.TH LDAPEXOP 1
+
+.SH NAME
+ldapexop \- issue LDAP extended operations
+
+.SH SYNOPSIS
+ldapexop
+[\c
+.BI \-d \ level\fR]
+[\c
+.BI \-D \ binddn\fR]
+[\c
+.BI \-e \ [!]ext[=extparam]\fR]
+[\c
+.BI \-f \ file\fR]
+[\c
+.BI \-h \ host\fR]
+[\c
+.BI \-H \ URI\fR]
+[\c
+.BR \-I ]
+[\c
+.BR \-n ]
+[\c
+.BR \-N ]
+[\c
+.BI \-O \ security-properties\fR]
+[\c
+.BI \-o \ [!]ext[=extparam]\fR]
+[\c
+.BI \-p \ port\fR]
+[\c
+.BR \-Q ]
+[\c
+.BI \-R \ realm\fR]
+[\c
+.BI \-U \ authcid\fR]
+[\c
+.BR \-v ]
+[\c
+.BR \-V ]
+[\c
+.BI \-w \ passwd\fR]
+[\c
+.BR \-W ]
+[\c
+.BR \-x ]
+[\c
+.BI \-X \ authzid\fR]
+[\c
+.BI \-y \ file\fR]
+[\c
+.BI \-Y \ mech\fR]
+[\c
+.BR \-Z[Z] ]
+\ {
+.I oid
+|
+.BI oid: data
+|
+.BI oid:: b64data
+|
+.B whoami
+|
+.BI cancel \ cancel-id
+|
+.BI refresh \ DN \ \fR[\fIttl\fR]
+}
+
+.SH DESCRIPTION
+ldapexop issues the LDAP extended operation specified by \fBoid\fP
+or one of the special keywords \fBwhoami\fP, \fBcancel\fP, or \fBrefresh\fP.
+
+Additional data for the extended operation can be passed to the server using
+\fIdata\fP or base-64 encoded as \fIb64data\fP in the case of \fBoid\fP,
+or using the additional parameters in the case of the specially named extended
+operations above.
+
+Please note that ldapexop behaves differently for the same extended operation
+when it was given as an OID or as a specialliy named operation:
+
+Calling ldapexop with the OID of the \fBwhoami\fP (RFC 4532) extended operation
+.nf
+
+ ldapexop [<options>] 1.3.6.1.4.1.4203.1.11.3
+
+.fi
+yields
+.nf
+
+ # extended operation response
+ data:: <base64 encoded response data>
+
+.fi
+while calling it with the keyword \fBwhoami\fP
+.nf
+
+ ldapexop [<options>] whoami
+
+.fi
+results in
+.nf
+
+ dn:<client's identity>
+
+.fi
+
+
+.SH OPTIONS
+.TP
+.BI \-d \ level
+Set the LDAP debugging level to \fIlevel\fP.
+.TP
+.BI \-D \ binddn
+Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
+.TP
+.BI \-e \ [!]ext[=extparam]
+Specify general extensions. \'!\' indicates criticality.
+.nf
+ [!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
+ [!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
+ [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
+ one of "chainingPreferred", "chainingRequired",
+ "referralsPreferred", "referralsRequired"
+ [!]manageDSAit (RFC 3296)
+ [!]noop
+ ppolicy
+ [!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
+ [!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
+ [!]relax
+ abandon, cancel, ignore (SIGINT sends abandon/cancel,
+ or ignores response; if critical, doesn't wait for SIGINT.
+ not really controls)
+.fi
+.TP
+.BI \-f \ file
+Read operations from \fIfile\fP.
+.TP
+.BI \-h \ host
+Specify the host on which the ldap server is running.
+Deprecated in favor of \fB-H\fP.
+.TP
+.BI \-H \ URI
+Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+fields are allowed; a list of URI, separated by whitespace or commas
+is expected.
+.TP
+.BI \-I
+Enable SASL Interactive mode. Always prompt. Default is to prompt
+only as needed.
+.TP
+.BI \-n
+Show what would be done but don't actually do it.
+Useful for debugging in conjunction with \fB-v\fP.
+.TP
+.BI \-N
+Do not use reverse DNS to canonicalize SASL host name.
+.TP
+.BI \-O \ security-properties
+Specify SASL security properties.
+.TP
+.BI \-o \ opt[=optparam]
+Specify general options:
+.nf
+ nettimeout=<timeout> (in seconds, or "none" or "max")
+.fi
+.TP
+.BI \-p \ port
+Specify the TCP port where the ldap server is listening.
+Deprecated in favor of \fB-H\fP.
+.TP
+.BI \-Q
+Enable SASL Quiet mode. Never prompt.
+.TP
+.BI \-R \ realm
+Specify the realm of authentication ID for SASL bind. The form of the realm
+depends on the actual SASL mechanism used.
+.TP
+.BI \-U \ authcid
+Specify the authentication ID for SASL bind. The form of the ID
+depends on the actual SASL mechanism used.
+.TP
+.BI \-v
+Run in verbose mode, with many diagnostics written to standard output.
+.TP
+.BI \-V
+Print version info and usage message.
+If\fB-VV\fP is given, only the version information is printed.
+.TP
+.BI \-w \ passwd
+Use \fIpasswd\fP as the password for simple authentication.
+.TP
+.BI \-W
+Prompt for simple authentication.
+This is used instead of specifying the password on the command line.
+.TP
+.BI \-x
+Use simple authentication instead of SASL.
+.TP
+.BI \-X \ authzid
+Specify the requested authorization ID for SASL bind.
+.I authzid
+must be one of the following formats:
+.B dn:\c
+.I <distinguished name>
+or
+.B u:\c
+.I <username>
+.TP
+.BI \-y \ file
+Use complete contents of \fIfile\fP as the password for
+simple authentication.
+.TP
+.BI \-Y \ mech
+Specify the SASL mechanism to be used for authentication.
+Without this option, the program will choose the best mechanism the server knows.
+.TP
+.B \-Z[Z]
+Issue StartTLS (Transport Layer Security) extended operation.
+Giving it twice (\fB-ZZ\fP) will require the operation to be successful.
+
+.SH DIAGNOSTICS
+Exit status is zero if no errors occur.
+Errors result in a non-zero exit status and
+a diagnostic message being written to standard error.
+
+.SH "SEE ALSO"
+.BR ldap_extended_operation_s (3)
+
+.SH AUTHOR
+This manual page was written by Peter Marschall
+based on \fBldapexop\fP's usage message and a few tests
+with \fBldapexop\fP.
+Do not expect it to be complete or absolutely correct.
+
+.SH ACKNOWLEDGEMENTS
+The OpenLDAP Project <http://www.openldap.org/>
+