ldapvi is an interactive LDAP client for Unix terminals. Using it, you can update LDAP entries with a text editor.
Think of it as vipw(1) for LDAP.
ldapvi was written by David Lichteblau and is available at http://www.lichteblau.com/ldapvi/.
ldapvi uses autoconf and should be rather easy to install.
It used to work on Linux, Solaris, FreeBSD, IRIX, and Cygwin for me and seems to work on MacOS X and NetBSD for others. Current versions are only really tested on Linux though, so please send a bug report if a port is broken.
$ ./configure && make # make install
Prerequisites.
Note that binaries compiled for libldap 2.1 will crash when ran with libldap 2.2.
The choice of GnuTLS over OpenSSL affects only the use of hashing routines for the userPassword convenience encodings md5, smd5, sha, and ssha. GnuTLS support is offered because, according to Debian, OpenSSL is not GPL compatible.
The quickest way to try ldapvi is using this:
$ ldapvi -d --host HOSTNAME
Explanation. This will bind anonymously to hostname, read all entries the server has and open them in the editor.
--host is the one option you really need to give. It can be one of:
-d is short for --discover and lets ldapvi search all of the server's naming contexts. Without -d, you would have had to specify the base DN yourself using --base, and you know how inconvenient those LDAP DNs are to type.
Using a configuration file. As easy as that was, you might want to put the hostname and other search options like the precise base DN to use into a configuration file.
To do that, you might like
$ ldapvi --config --discover --host HOSTNAME
This will ask the server for its naming contexts and print sample contents for ~/.ldaprc (or /etc/ldap.conf).
(Note that ldapvi also has its own configuration file format which supports multiple configuration profiles and all of its options.)
# ldap.conf(5) # edit this as needed and paste into ~/.ldaprc # server name # (for parameterless operation, make sure to include at least this line) HOST localhost # default search base ### multiple namingcontexts found (uncomment one of these lines): #BASE dc=lichteblau,dc=com #BASE dc=acme,dc=com # user to bind as #BINDDN <dn> # search parameters (uncomment as needed) #DEREF never #SIZELIMIT 0 #TIMELIMIT 0
Adjust to taste.
After quitting from the editor, one of three things can happen:
No changes.
Error: Space at beginning of line. What now? [eQ?]
add: 2, rename: 1, modify: 0, delete: 1 Action? [yYqQvVebB*rsf+?]
If all is well, you are now in the main loop. Your options are:
Edit - diff - fail. To continue, type y.
ldapvi will contact the LDAP server apply all changes. First, entries are processed in order of the changed file, then all entries missing from the file are deleted.
If any LDAP operation fails while processing the file, ldapvi will stop, report the error, and wait for your choice. To correct such an error, go back to the editor. Your will find all previously processed entries removed from the file, with the failing change at the top. After changing the file, you will be back at the prompt.
Action? [yYqQvVebB*rsf+?] y
ldap_modify: Strong(er) authentication required (8)
additional info: modifications require authentication
Error at: cn=blub4,dc=lichteblau,dc=com
add: 0, rename: 0, modify: 1, delete: 0
Action? [yYqQvVebB*rsf+?]
Apply all changes as if invoked with --continue ignoring all errors without further warning. (Make sure to save changes to an external file before using this option if they were important. Invalid changes will be lost otherwise.)
Reviewing changes. Before applying the changes, you can inspect them in either LDIF syntax or ldapvi's special changerecord syntax.
LDIF syntax is useful if you want to copy and paste changes into a file for later processing with other LDAP tools. ldapvi syntax is usually easier to read (less Base 64) and can also be entered directly into the editor.
This will update the file to include schema comments and re-enter the editor afterwards. This works like the --may command line option, but is based on the current contents of the file rather than the original entries, useful when changing the class of an entry.
Note that this command will rewrite the entire file and wipe out all comments present before invoking it.
Logging in. One way to bind to the LDAP server is to specify user name and credentials at startup using command line options or configuration files. The other is to simply start without authentication and login later.
When relying on binding after editing, keep in mind that some information will not be returned by the LDAP server unless user authorization permits it in the first place. For example, a userPassword can usually only be displayed and edited if you are bound as that user or root upon startup.
This option will ask for your user name and password (in the case of simple authentication) or various SASL parameters (as requested by the SASL library).
For simple authentication, the user name can be either an DN or a search filter. In the latter case, it must be written with parentheses around it.
Action? [yYqQvVebB*rsf+?] b
--- Login
Type M-h for help on key bindings.
Filter or DN: (cn=admin)
Password: ********
OK, bound as cn=admin,dc=lichteblau,dc=com.
Same example with SASL:
Action? [yYqQvVebB*rsf+?] b
SASL/DIGEST-MD5 authentication started
--- SASL login
Type M-h for help on key bindings.
authorization name:
authentication name: admin
password: ********
SASL username: admin
SASL SSF: 128
SASL installing layers
Bound as authzid=, authcid=admin.
Note that all non-password values are saved into ~/.ldapvi_history, so after entering them once, "cursor up" or incremental search (C-r) will save you from having to type them again.
Use this key to switch between simple authentication and SASL at run time:
Action? [yYqQvVebB*rsf+?] B SASL authentication enabled. SASL mechanism: DIGEST-MD5 (use '*' to change) Type 'b' to log in.
When the SASL dialog is shown, it is too late to switch the SASL mechanism. Type * to set it at run time.
Action? [yYqQvVebB*rsf+?] * SASL mechanism: DIGEST-MD5 Type 'b' to log in.
"Oops". You can skip one change to proceed with the rest.
Removes the topmost entry from the data file.
This is useful if you have deleted entries from the file accidentally (or intentionally) and still want to commit other change records in the same file.
This option does not affect explicit deletion records.
Bailing out. There is a gentle way to quit and a hard one.
q will save your changes to a new file, print the file name, and quit only then. This way your changes do not get lost and you can feed them into ldapmodify at a later time.
Action? [yYqQvVebB*rsf+?] q Your changes have been saved to ,ldapvi-xenon-20094.ldif.
Normal ldapvi invocations look similar to ldapsearch(1), taking an optional search filter and zero or more attribute descriptions as unnamed arguments.
ldapvi [OPTION]... [FILTER] [AD]...
In addition, ldapvi can also simulate behaviour of other LDAP command line tools, e.g. as an interactive substitute for ldapmodify or even for a simple non-interactive usage. See below under command line tool compatibility.
Index of options.
The host option specifies the LDAP server to connect to. It is required for startup (unless specified in a configuration file).
Note that you can also bind to the server interactively after performing the search using the b command.
| --bind simple|sasl | Disable or enable SASL | |
|
Initially, ldapvi defaults to simple authentication. If any SASL parameter is given, the mode is set to sasl. Conversely, -D sets it to simple. This parameter sets it explicitly. |
||
SASL authentication. If any of the SASL arguments is specified, ldapvi uses SASL by default.
If you are unsure which SASL parameters to try for your server, start with -Y DIGEST-MD5 -U username.
| -I | --sasl-interactive | Use SASL Interactive mode |
|
Always ask for SASL parameters interactively.
This option is an alias for --bind-dialog always and --bind sasl. |
||
| -Q | --sasl-quiet | Use SASL Quiet mode |
|
Never ask for SASL parameters interactively at all.
This option is an alias for --bind-dialog never and --bind sasl. |
||
| -O | --sasl-secprops properties | SASL security properties |
| OpenLDAP's slapd.conf(5) manual page has some information on these (search for sasl-secprops). | ||
| -R | --sasl-realm realm | SASL realm |
| The SASL realm [Cyrus SASL documentation]. | ||
| -U | --sasl-authcid username | SASL authentication identity |
|
The authentication
ID [Cyrus SASL documentation].
(Basically, your username.) |
||
| -X | --sasl-authzid u:username|dn:dn | SASL authorization identity |
|
The authorization
ID [Cyrus SASL documentation].
(See SASL Proxy Authorization [openldap.org] in the OpenLDAP Administrator's Guide.) |
||
| -Y | --sasl-mech mechanism | SASL mechanism |
|
The SASL mechanism to use. Possible values depend on the server, but DIGEST-MD5 support is mandated by RFC 2829 for all servers using passwords. |
||
Where and how to look for entries.
| -b | --base dn | Search base |
|
The entry at which to start the search.
Conflicts with --discover. |
||
| -s | --scope base|one|sub | Search scope |
|
||
| -S | --sort keys | Search control |
| Use the search control to instruct the server to sort results on keys. ldapvi will fail if the server does not support the control. Unfortunately, few servers do. | ||
| -d | --discover | Auto-detect naming contexts |
|
With this option, ldapvi will first read the root DSE, then repeat
the search for each naming context found and present the
concatenation of all search results.
Conflicts with --base. With --config, show a BASE configuration line for each context. |
||
| -o | --class objectClass | Class to add |
|
Read the server's schema for the specified objectclass to find out
which attributes an entry of this class must have and can have.
Then open the editor with an entry template containing one line
for each such attribute the user needs to fill out. Optional
attributes are included as comments.
The option can be repeated to include additional, auxiliary classes. A distinguished name for the entry template can be specified using --base. |
||
| -m | --may | Show schema comments. |
| Show schema comments for existing entries. Specificially, show optional attributes as comments, if not present. | ||
| --add | Treat attrval records as new entries to add. | |
|
This option applies only to the --in/--ldapmodify mode: Add new entries (default would be to replace existing attributes). |
||
| -A | --empty | Start with empty file |
|
Do not search, start with an empty file instead.
This is the little brother of the --class parameter, which is more interesting for the original use case of this option, adding new entries. However, it is still useful because allows the interactive entry of delete, modify, or rename changerecords. |
||
| -a | --deref never|searching|finding|always | Alias dereferencing mode |
| Default is never. | ||
| --config | Print parameters in ldap.conf syntax | |
| Print a configuration file in standard ldap.conf syntax which reflects current command line arguments. The file is written to standard output. Use this option to create an initial configuration file after experimenting with search parameters. Useful in conjunction with --discover. | ||
| -M | --managedsait | manageDsaIT control |
| Use this option to edit referral entries. | ||
| --read DN | Read this entry | |
A rather trivial option. It means the same as:
-b DN -s base '(objectclass=*)' + * |
||
| -v | --verbose | Note every update |
| Print the distinguished name of every entry as it is being processed. | ||
| -H | --help | Print usage information |
| Print help on command line arguments. | ||
| --unpaged-help | Disable pager for --help | |
| Disable the use of a pager for --help. | ||
| --deleteoldrdn | Delete the old RDN | |
|
When changing the relative distinguished name to a new attribute
value, delete the old attribute value instead of keeping it.
This option applies only to the --rename mode. |
||
| --ldif | Use LDIF syntax internally | |
| Use standard LDIF syntax in the editor. The default is to use ldapvi syntax. | ||
| --ldapvi | Use ldapvi syntax externally | |
| Use ldapvi syntax when reading and writing files. The default is to use LDIF syntax. | ||
ldapvi invocation modes inspired by LDAP command line tools:
| ldapvi --out [OPTION]... [FILTER] [AD]... | Print LDIF, similar to ldapsearch | |||
| ldapvi --in [OPTION]... [FILENAME] | Load LDIF change records, similar to ldapmodify | |||
| ldapvi --delete [OPTION]... DN... | Edit delete records, similar to ldapdelete | |||
| ldapvi --rename [OPTION]... DN1 DN2 | Edit rename records, similar to ldapmodrdn |
All of these are more verbose and interactive than the standard command line tools. There are additional aliases for closer compatibility:
| --ldapsearch | Short for --quiet --out | |||
| --ldapmodify | Short for --noninteractive --in | |||
| --ldapdelete | Short for --noninteractive --delete | |||
| --ldapmoddn | Short for --noninteractive --rename |
Please keep in mind that all these invocation modes are only meant to imitate LDAP command line tools as far as possible while still working within the design of ldapvi. An option-by-option emulation of the OpenLDAP command line tools is not a goal, and minor differences in look and feel are to be expected.
Format conversion.
| ldapvi --in | cat | Convert LDIF on stdin to ldapvi format on stdout | |||
| ldapvi --in --ldif --ldapvi | cat | Convert ldapvi format on stdin to LDIF on stdout |
The are two ways to configure ldapvi. It has its own configuration files ~/.ldapvirc (or /etc/ldapvi.conf) which support multiple configuration profiles and all of its custom options. Alternatively, it can fall back to libldap's standard configuration files, /etc/ldap.conf and ~/.ldaprc.
Files and profiles. On startup, ldapvi will first look for ~/.ldapvirc, or /etc/ldapvi.conf if the former does not exist.
Environment variables. The choice of text editor is made using environment variables. $VISUAL and $EDITOR are looked up in this order. If neither is set, ldapvi falls back to vi.
Profile syntax. The configuration file has ldapvi syntax, except with header lines of the form profile name.
Every configuration file option corresponds to a command line parameter.
For the named command line parameters, the long name is used in the configuration. For details, refer to the documentation of each parameter: ➙ host ➙ bind ➙ bind-dialog ➙ user ➙ password ➙ sasl-interactive ➙ sasl-quiet ➙ sasl-secprops ➙ sasl-realm ➙ sasl-authcid ➙ sasl-authzid ➙ sasl-mech ➙ base ➙ scope ➙ sort ➙ discover ➙ class ➙ may ➙ add ➙ empty ➙ deref ➙ continue ➙ encoding ➙ managedsait ➙ starttls ➙ tls ➙ read ➙ verbose ➙ unpaged-help ➙ deleteoldrdn ➙ ldif ➙ ldapvi ➙ out ➙ in ➙ delete ➙ rename ➙ ldapsearch ➙ ldapmodify ➙ ldapdelete ➙ ldapmoddn
The two unnamed kinds of command line arguments are the search filter and the list of attribute descriptions to be returned. The former is named ➙ filter in the configuration file. The latter are given as ➙ ad, one line each.
For boolean flags, given without a value at the command line, use yes as their value in the configuration file. (no is also allowed and has no effect.)
Example. With the following configuration file, ldapvi ignores libldap configuration, because a default profile is given.
profile default ldaprc: yes may: yes profile otherhost host: ldap://otherhost discover: yes profile adduser host: ldap://localhost base: uid=FILLMEIN,ou=passwd,dc=lichteblau,dc=com class: person class: posixAccount profile root host: ldap://localhost base: scope: base filter: (objectclass=*) ad: +
ldapvi syntax is somewhat LDIF-like, but not the same as standard LDIF. This chapter includes examples explaining the difference between the two formats. (A precise, technical definition of ldapvi syntax is given in the next section.)
➙ In interactive editing, the default is ldapvi syntax, explained below, unless overridden using --ldif.
➙ For external input and output (see --in, --out), the default is standard LDIF syntax, unless overridden using --ldapvi.
Comments are lines starting with a sharpsign:
# like this
They are allowed both between entries and in the middle of entries (but not in the middle of an attribute value).
Empty lines are used to separate entries:
0 dc=lichteblau,dc=com # don't touch the number! objectClass: top objectClass: dcObject objectClass: organization o: lichteblau dc: lichteblau # more than one empty line would be OK here, too add cn=admin,dc=lichteblau,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator
So far this looks pretty much like LDIF, except for the record key that appears instead of the dn: LDIF uses to start an entry.
First though, more on low-level syntax issues.
All non-empty, non-comment "lines" have the same base syntax: A left-hand and a right-hand side, separated by an optional encoding marker and a space. (Depending on the encoding used, a such a logical line may include newline characters.)
The syntax of the right-hand side depends on the encoding marker. For simple ASCII text without special characters, there are multiple valid encodings that can be used.
This includes the first line of a record with the distinguished name, its base syntax is the same as for the attribute lines. For traditional reasons, ldapvi prints this line without a colon, but that is not a requirement:
# rather than writing this: add cn=admin,dc=lichteblau,dc=com # we could have included a colon: add: cn=admin,dc=lichteblau,dc=com # or actually, this: add:; cn=admin,dc=lichteblau,dc=com
Or, vice versa, we could have omitted the colon from those attribute values. ldapvi prints it only so that entries looks for familiar to eyes used to LDIF.
Value encodings are:
LDIF-compatible encoding. Lines with just a colon and a space are parsed according to normal LDIF rules. Values must be ASCII-only and must not contain zero bytes, LF, or CR. In addition, they must not start with a space, a colon, or a less-than sign.
This encoding allows LDIF-style line folding: If a line ends, and the first character of the next line, if any, is a space, the nextline and the space are elided and parsing continues on the next line.
Note: The language for attribute value lines described above is the common subset of LDIF's attrval-spec and the actual syntax accepted by ldapvi for this value encoding. ldapvi will only ever print out values in this encoding if they follow these rules and hence are valid LDIF, but is more liberal in parsing them. It accepts space, colon, or less-than sign as the first character. It can allow them without ambiguity because, in contrast to LDIF, it does not ignore an arbitrary number of space characters after the colon.
Examples of valid LDIF values:
# normally, one would write: objectClass: posixAccount # but with line folding, the same value can be broken into two lines: objectClass: posix Account # in contrast to ldapvi backslashed format, this encoding does not # interpret backslashes specially at all: cn: this is a value containing a backslash\ but no newline
Examples of attribute values not representable in LDIF-compatible encoding:
# must not start with '<': # [accepted by ldapvi but not LDIF]document: <?xml version="1.0" encoding="UTF-8"><foo/># cannot start with a space: # [LDIF would ignore the space]foo: ...# must not start with a colon: # [accepted by ldapvi but not LDIF]foo: ::::::::# must not contain non-ASCII bytes:surname: Müller# cannot represent newlines:mail: From david@lichteblau.com Mon Apr 1 00:11:22 2006 Return-path: <david@lichteblau.com> Envelope-to: lists@mail.askja.de
Base 64 encoding. Base 64 can be used just as in LDIF.
# This is what the XML from above looks like in strict LDIF: document:: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPjxmb28vPg==
ldapvi backslashed encoding. This is the format ldapvi falls back to if a value cannot be represented in LDIF-compatible encoding without resorting to Base 64. Any character is valid in this encoding, except for two characters with a special meaning:
Examples of valid backslashed attributes:
# any funny characters are OK document:; <?xml version="1.0" encoding="UTF-8"> foo:; ... foo:; :::::::: surname:; Müller # backslash escapes newline mail:; From david@lichteblau.com Mon Apr 1 00:11:22 2006\ Return-path: <david@lichteblau.com>\ Envelope-to: lists@mail.askja.de # No LDIF line folding, however, so this value contains a space: cn:; David\ Lichteblau
Counter-example:
# Parsable first line, followed by garbage on the second:cn:; David Lichteblau
Finally, in most situations :; can be omitted, leaving just a space between the left-hand and right-hand side of the line. The only exception is a line with an empty left-hand side, which occurs in modify records.
foo:; bar # is the same as: foo bar
Binary encoding. Decimal numbers are valid as encoding markers and specify the number of bytes to read after the separating space. No special characters exist in this syntax. This encoding is not meant for interactive use, but for the sake of completeness, here is an example:
# This entry has two attributes, givenname and cn: add cn=admin,ou=passwd,dc=blubba givenname:5 Davidcn: admin
File inclusion. The less-than sign tells LDAP to read the contents of another file and use them as the attribute value. This is another LDIF compatibility feature.
# oops add cn=haxor,ou=passwd,dc=blubba comment:< file:///etc/passwd
userPassword encodings. The encodings crypt, cryptmd5, md5, smd5, sha, and ssha are designed for the userPassword attribute. ldapvi takes the right-hand side as the password, hashes it, and prepends {ENCODING} as appropriate.
userPassword:crypt foo
# ...could result in:
userPassword: {CRYPT}KgJTUDs14z57Q
# ...or:
userPassword: {CRYPT}UoILyHlM1bPYU
# cryptmd5 gives $1$ notation
userPassword:cryptmd5 foo
userPassword: {CRYPT}$1$iKeAY9mQ$vmo/m/6EoDqRuVtjSqLPr0
# while the other encodings prepend the marker of the same name:
userPassword:md5 foo
userPassword: {MD5}AQ3GmMeoPXozyRU4wsEDXA==
rename records. Like every other record, rename states the (original) distinguished name of the name in the header line. Next is one additional line stating the new distinguished name.
The complication is that LDAP's moddn operation needs to be told what to do with the old relative DN if there is a new one. The old one can be kept as an additional attribute value or deleted in favour of the new one.
In ldapvi, this choice is made using the left-hand side of the second line. It is either "add" or "replace".
# example for "deleteoldrdn" behaviour: rename: cn=blub4,dc=lichteblau,dc=com replace: cn=blub3,dc=neu,dc=com # alternatively, the old RDN can be kept: rename: cn=blub3,dc=lichteblau,dc=com add: cn=blub4,dc=neu,dc=com
In LDIF, the same changes would be written as:
# this is LDIF, not ldapvi syntax! dn: cn=blub4,dc=lichteblau,dc=com changetype: modrdn newrdn: cn=blub3 deleteoldrdn: 1 newsuperior: dc=neu,dc=com dn: cn=blub3,dc=lichteblau,dc=com changetype: modrdn newrdn: cn=blub4 deleteoldrdn: 0 newsuperior: dc=neu,dc=com
modify records. These records state changes to attributes, processed in order. Attributes can be changed by replacing their existing values with a new set of values, adding those values to the existing ones, or removing only selected old values.
Example:
# Let's add classes, delete a comment and remove cn entirely: modify: dc=bar,dc=lichteblau,dc=com add: objectClass : posixAccount : specialAccount delete: comment : dummy user replace: cn
In LDIF, this would be:
# this is LDIF, not ldapvi syntax! dn: dc=bar,dc=lichteblau,dc=com changetype: modify add: objectClass objectClass: posixAccount objectClass: specialAccount - delete: comment comment: dummy user - replace: cn -
delete records. These are rather simple, they consist just of the header line.
delete: dc=acme,dc=com
In LDIF, this would be:
# this is LDIF, not ldapvi syntax! dn: dc=acme,dc=com changetype: delete
When invoked using --ldif, ldapvi will use RFC 2849 syntax instead of its own special syntax.
However, there is a special marker in each entry:
Existing entries are presented for editing with an additional marker on the second line, just after the dn: line. This line states the (numeric) key that would appear in the header line if the entry had been printed in ldapvi syntax.
(New entries can have the same line, with add as their key, but records with neither ldapvi-key nor changetype are automatically assumed to be new entries to add.)
Also, control: is not supported.
Examples:
# Existing entry dn: dc=lichteblau,dc=com ldapvi-key: 0 objectClass: top objectClass: dcObject objectClass: organization o: lichteblau dc: lichteblau # New entry dn: cn=admin,dc=lichteblau,dc=com # next line is optional ldapvi-key: add objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator # Changerecord (standard LDIF syntax) dn: cn=blub4,dc=lichteblau,dc=com changetype: modify delete: seeAlso seeAlso: cn=dort -
As explained above, ldapvi has its own, vaguely LDIF-inspired syntax. For a precise definition, see ldapvi-file below.
LDIF is defined in RFC 2849.
RFC 2849 modifies the language generated by its BNF grammar with the "Notes on LDIF Syntax" (2) and (3) presented there. These notes do not apply to ldapvi syntax as stated: Line folding and comments can be used, but are allowed specificially by our modified BNF, not hacked into the rules later. Line folding is allowed only in LDIF-compatible attribute values and comments. ldapvi files cannot be read line-by-line without knowing the encoding of those lines, since newlines are permitted in certain attribute value representations.
The following rules are used as defined in RFC 2849 and not reproduced here: AttributeDescription, SAFE-STRING, BASE64-STRING, SPACE.
Changes to the RFC 2849 BNF grammar.
ldapvi-file = vspace ldapvi-record
*(vspace SEP vspace ldapvi-record) vspace
ldapvi-record = ldapvi-attrval-record
/ ldapvi-rename-record
/ ldapvi-modify-record
ldapvi-attrval-record = *(comment) dn-spec 1*(*(comment) attrval-spec)
ldapvi-rename-record = *(comment)
"rename" distinguishedName SEP
("add" / "replace") value-spec SEP
ldapvi-modify-record = *(comment)
"modify" distinguishedName SEP
1*(*(comment) mod-spec)
mod-spec = ("delete" / "add" / "replace") ad-value SEP
*(value-enc SEP)
vspace = *(comment / sep)
comment = "#" *(ldif-char) *(SEP " " *(ldif-char)) SEP
dn-spec = key distinguishedName SEP
key = number / "add"
distinguishedName = value-spec ;encoding an RFC 2253 DN
attrval-spec = AttributeDescription value-spec SEP
value-spec = value-simple / value-enc
value-simple = SPACE escaped-string ;escape CR/LF with '\\\\'
value-enc = (":;" SPACE escaped-string / ;ditto
":" SPACE 0*1(SAFE-STRING ;LDIF compatible
*(SEP " " *SAFE-CHAR)) /
"::" SPACE BASE64-STRING / ;ditto
":" number SPACE 0*1(octet) / ;exactly `number' octets
":<" SPACE url / ;only file:// supported
":crypt" SPACE password / ;for userPassword
":cryptmd5" SPACE password /
":md5" SPACE password /
":smd5" SPACE password /
":sha" SPACE password /
":ssha" SPACE password /
;; other encoding markers reserved
)
octet = %x00-ff
number = 1*(%x30-39) ;any decimal number
ldif-char = unescaped-char / %5c ;any except for CR/LF.
unescaped-char = %x00-%x09 / %x0a-%x0c / %x0d-%5b / %x5d-%ff
escaped-string = *(unescaped-char / %x5c %x0a / %x5c %x0d / %x5c %x5c)
password = 0*ldif-char
SEP = LF ;this is a unix program!
ad-value = value-spec ;parsing as an AttributeDescription
Please report bugs to the ldapvi mailing list for archival purposes.
Address: ldapvi@lists.askja.de