Delete one or more entries from an LDAP directory server. You can provide the DNs of the entries to delete using named arguments, as trailing arguments, from a file, or from standard input. Alternatively, you can identify entries to delete using a search base DN and filter.
ldapdelete --hostname ds.example.com --port 636 --useSSL \
--bindDN uid=admin,dc=example,dc=com \
uid=test.user,ou=People,dc=example,dc=com
ldapdelete --hostname ds.example.com --port 636 --useSSL \
--trustStorePath trust-store.jks --bindDN uid=admin,dc=example,dc=com \
--bindPasswordFile admin-password.txt --dnFile dns-to-delete.txt
ldapdelete --hostname ds.example.com --port 389 --useStartTLS \
--trustStorePath trust-store.jks --bindDN uid=admin,dc=example,dc=com \
--bindPasswordFile admin-password.txt \
--deleteEntriesMatchingFilter "(description=delete)"
ldapdelete --hostname ds.example.com --port 389 \
--bindDN uid=admin,dc=example,dc=com
-H
--help
| Description | Display general usage information |
--help-ldap
| Description | Display help for using LDAP options |
--help-sasl
| Description | Display help for using SASL options |
--help-debug
| Description | Display help for using debug options |
| Advanced | Yes |
-h {host}
--hostname {host}
| Description | The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used. |
| Default Value | localhost |
| Required | Yes |
| Multi-Valued | Yes |
-p {port}
--port {port}
| Description | The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used. |
| Default Value | 389 |
| Required | Yes |
| Multi-Valued | No |
-D {dn}
--bindDN {dn}
| Description | The DN to use to bind to the directory server when performing simple authentication. |
| Required | No |
| Multi-Valued | No |
-w {password}
--bindPassword {password}
| Description | The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
| Required | No |
| Multi-Valued | No |
-j {path}
--bindPasswordFile {path}
| Description | The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
| Required | No |
| Multi-Valued | No |
--promptForBindPassword
| Description | Indicates that the tool should interactively prompt the user for the bind password. |
-Z
--useSSL
| Description | Use SSL when communicating with the directory server. |
-q
--useStartTLS
| Description | Use StartTLS when communicating with the directory server. |
-X
--trustAll
| Description | Trust any certificate presented by the directory server. |
-K {path}
--keyStorePath {path}
| Description | The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server. |
| Required | No |
| Multi-Valued | No |
-W {password}
--keyStorePassword {password}
| Description | The password to use to access the key store contents. |
| Required | No |
| Multi-Valued | No |
-u {path}
--keyStorePasswordFile {path}
| Description | The path to the file containing the password to use to access the key store contents. |
| Required | No |
| Multi-Valued | No |
--promptForKeyStorePassword
| Description | Indicates that the tool should interactively prompt the user for the password to use to access the key store contents. |
--keyStoreFormat {format}
| Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file. |
| Required | No |
| Multi-Valued | No |
-P {path}
--trustStorePath {path}
| Description | The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server. |
| Required | No |
| Multi-Valued | No |
-T {password}
--trustStorePassword {password}
| Description | The password to use to access the trust store contents. |
| Required | No |
| Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
| Description | The path to the file containing the password to use to access the trust store contents. |
| Required | No |
| Multi-Valued | No |
--promptForTrustStorePassword
| Description | Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents. |
--trustStoreFormat {format}
| Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file. |
| Required | No |
| Multi-Valued | No |
-N {nickname}
--certNickname {nickname}
| Description | The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication. |
| Required | No |
| Multi-Valued | No |
--enableSSLDebugging
| Description | Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'. |
-o {name=value}
--saslOption {name=value}
| Description | A name-value pair providing information to use when performing SASL authentication. |
| Required | No |
| Multi-Valued | Yes |
--useSASLExternal
| Description | Use the SASL EXTERNAL mechanism to authenticate. |
--helpSASL
| Description | Provide information about the supported SASL mechanisms, including the properties available for use with each. |
-b {dn}
--entryDN {dn}
| Description | The DN of an entry to delete. This argument may be provided multiple times to specify the DNs of multiple entries to delete, and entries will be deleted in the order in which the arguments were given. This argument must not be used in conjunction with any other argument used to indicate which entries should be deleted. |
| Required | No |
| Multi-Valued | Yes |
-f {path}
--dnFile {path}
| Description | The path to a file containing the DNs of the entries to delete. Each DN must be on its own line in the file, with blank lines and lines starting with the '#' character being ignored. Each DN line may optionally start with 'dn:' (or 'dn::' to indicate that the DN is base64-encoded), and long DNs may be wrapped across multiple lines by starting subsequent lines with at least one space. This argument may be provided multiple times to specify multiple DN files, and the files will be processed in the order they were provided. This argument must not be used in conjunction with any other argument used to indicate which entries should be deleted. |
| Required | No |
| Multi-Valued | Yes |
--deleteEntriesMatchingFilter {filter}
| Description | An LDAP search filter that can be used to identify the entries to delete. The base DN for the searches should be specified using the --searchBaseDN argument, with the null DN being used by default if that argument is not given. This argument may be provided multiple times to specify multiple filters, and searches will be performed in the order in which the filters are provided. This argument must not be used in conjunction with any other argument used to indicate which entries should be deleted. |
| Required | No |
| Multi-Valued | No |
--deleteEntriesMatchingFiltersFromFile {path}
| Description | The path to a file containing LDAP search filters (one filter per line, with blank lines and lines starting with the '#' character being ignored) that can be used to identify the entries to delete. The base DN for the searches should be specified using the --searchBaseDN argument, with the null DN being used by default if that argument is not given. This argument may be provided multiple times to specify the paths to multiple filter files, and the files will be processed in the order they are provided on the command line. This argument must not be used in conjunction with any other argument used to indicate which entries should be deleted. |
| Required | No |
| Multi-Valued | Yes |
--searchBaseDN {dn}
| Description | The base DN to use when searching for entries to delete. This argument may only be used in conjunction with the --deleteEntriesMatchingFilter or --deleteEntriesMatchingFiltersFromFile arguments. It may be provided multiple times to specify multiple search base DNs. If this argument is not given, the null DN will be used as the base DN for the searches. |
| Default Value | |
| Required | No |
| Multi-Valued | Yes |
--searchPageSize {value}
| Description | The page size to use in conjunction with the simple paged results control when retrieving entries. This argument may be used in conjunction with either the --deleteEntriesMatchingFilter or the --deleteEntriesMatchingFilterFromFile argument to indicate that the search should use the simple paged results control to retrieve the entries in pages rather than all at once. It may also be used in conjunction with the --clientSideSubtreeDelete argument to indicate the page size for the simple paged results control that it uses. |
| Upper Bound | 2147483647 |
| Required | No |
| Multi-Valued | No |
--encryptionPassphraseFile {path}
| Description | The path to a file containing the passphrase used to encrypt an input file. If this is not provided and an input file is encrypted (and the encryption key cannot be automatically obtained, for example, from a Ping Identity Directory Server's encryption settings database), then the user will be interactively prompted for the passphrase. |
| Required | No |
| Multi-Valued | No |
-i {charset}
--characterSet {charset}
| Description | The character set/data encoding to use when reading data from files or standard input. If this is not specified, the UTF-8 character set will be used by default. |
| Default Value | UTF-8 |
| Required | No |
| Multi-Valued | No |
-R {path}
--rejectFile {path}
| Description | The path to a file that will be updated with the DNs of any entries that could not be deleted, along with information about the failed delete attempt. If this is not provided, then failure information will only be written to standard error. |
| Required | No |
| Multi-Valued | No |
-v
--verbose
| Description | Generate verbose output. |
--neverRetry
| Description | Indicates that the tool should not attempt to retry operations that fail in a way that the connection to the directory server may be invalid. By default, it will automatically try to establish a new connection and retry the failed operation. |
-n
--dryRun
| Description | Indicates that the tool should display what it would do, and may perform searches if appropriate, but will not actually attempt to delete any entries. Note that if the server supports the no-operation request control, you may wish to use the --noOperation argument instead, which will actually send the delete requests with a control indicating that the server should perform as much validation of the request that it can, but should not actually delete the target entry. |
-c
--continueOnError
| Description | Indicates that the tool should continue processing even after encountering an error. This is only applicable if it is run with arguments that would cause it to attempt to delete multiple entries. |
--followReferrals
| Description | Indicates that the tool should attempt to follow any referrals that it encounters. By default, any referrals that are returned will be treated as failures. |
--useAdministrativeSession
| Description | Indicates that the tool should attempt to use the Ping Identity-proprietary start administrative session extended operation to create an administrative session that will cause all requests to be processed in a dedicated pool of worker threads. This may be useful when trying to diagnose or resolve an issue when all regular worker threads are busy processing other requests |
-r {deletesPerSecond}
--ratePerSecond {deletesPerSecond}
| Description | The maximum number of delete operations that should be attempted per second. If this is not provided, then no rate limit will be imposed on delete requests. |
| Upper Bound | 2147483647 |
| Required | No |
| Multi-Valued | No |
--version
| Description | Display PingAuthorize Server version information |
--clientSideSubtreeDelete
| Description | Indicates that all delete requests should be processed as client-side subtree deletes by searching for all entries below the target entry and then deleting them. |
-x
--serverSideSubtreeDelete
| Description | Indicates that all delete requests should be processed as server-side subtree deletes by using the subtree delete request control. |
-s
--softDelete
| Description | Indicates that delete requests should include the Ping Identity-proprietary soft delete request control to indicate that the server should hide the entries rather than deleting them immediately. Soft-deleted may or may not be completely removed after a period of time, based on the server configuration. |
--hardDelete
| Description | Indicates that delete requests should include the Ping Identity-proprietary hard delete request control to indicate that the target entries should be completely removed, even if they would have otherwise been processed as soft deletes. |
-Y {authzID}
--proxyAs {authzID}
| Description | Indicates that search and delete requests should include the proxied authorization v2 request control, to request that they be processed under the authority of the specified user. |
| Required | No |
| Multi-Valued | No |
--proxyV1As {dn}
| Description | Indicates that search and delete requests should include the proxied authorization v1 request control, to request that they be processed under the authority of the specified user. |
| Required | No |
| Multi-Valued | No |
--useManageDsaIT
| Description | Indicates that search and delete requests should include the Manage DSA IT request control to indicate that the server should treat referral entries as regular entries. |
--assertionFilter {filter}
| Description | Indicates that delete requests should include the assertion request control to indicate that the server should reject any attempt to delete an entry that does not match the provided filter. |
| Required | No |
| Multi-Valued | No |
--preReadAttribute {attr}
| Description | Indicates that delete requests should include the pre-read request control to indicate that delete responses should include a post-read response control with the values of the specified at the time the entry was deleted. This may be provided multiple times to request multiple pre-read attributes. |
| Required | No |
| Multi-Valued | Yes |
--noOperation
| Description | Indicates that delete requests should include the no-operation request control to indicate that the server should perform as much processing as possible for the delete operation without actually removing the entry. |
--getBackendSetID
| Description | Indicates that delete requests sent through a Directory Proxy Server should include the Ping Identity-proprietary get backend set ID request control to indicate that the response should include a control with the ID of the entry-balancing backend set in which the delete was processed. |
--routeToBackendSet {entry-balancing-processor-id:backend-set-id}
| Description | Indicates that search and delete requests should include the Ping Identity-proprietary route to backend set request control to indicate that the Directory Proxy Server should forward those requests to servers in the specified entry-balancing backend set. This control may be provided multiple times to specify multiple backend sets for the same or different entry-balancing request processors. |
| Required | No |
| Multi-Valued | Yes |
--getServerID
| Description | Indicates that delete requests should include the Ping Identity-proprietary get server ID request control to indicate that the response should include a control with the server ID of the Directory Server instance in which the delete was processed. |
--routeToServer {id}
| Description | Indicates that search and delete requests should include the Ping Identity-proprietary route to server request control to indicate that the Directory Proxy Server should forward those requests to the specified backend server. |
| Required | No |
| Multi-Valued | No |
--useAssuredReplication
| Description | Indicates that delete requests should include the Ping Identity-proprietary assured replication request control to delay the response from the server until the change has been replicated to other servers. The --assuredReplicationLocalLevel, --assuredReplicationRemoteLevel, and --assuredReplicationTimeout arguments may also be used to customize the content of the request control. |
--assuredReplicationLocalLevel {none|received-any-server|processed-all-servers}
| Description | The replication assurance level that should be used for servers in the same location as the server that originally processed the change. The value must be one of 'none', 'received-any-server', or 'processed-all-servers'. If this is not provided, the server will determine an appropriate local assurance level. |
| Required | No |
| Multi-Valued | No |
--assuredReplicationRemoteLevel {none|received-any-remote-location|received-all-remote-locations|processed-all-remote-servers}
| Description | The replication assurance level that should be used for servers in a different location from the server that originally processed the change. The value must be one of 'none', 'received-any-remote-location', 'received-all-remote-locations', or 'processed-all-remote-servers'. If this is not provided, the server will determine an appropriate remote assurance level. |
| Required | No |
| Multi-Valued | No |
--assuredReplicationTimeout {duration}
| Description | The maximum length of time that the server should delay the response to the delete operation while waiting for the desired replication assurance to be achieved. If this is not provided, the server will determine an appropriate timeout to use. |
| Required | No |
| Multi-Valued | No |
--replicationRepair
| Description | Indicates that delete requests should include the Ping Identity-proprietary replication repair request control to indicate that the delete operation should not be replicated. |
--suppressReferentialIntegrityUpdates
| Description | Indicates that delete requests should include the Ping Identity-proprietary suppress referential integrity updates request control so that the server will not perform any referential integrity processing for the delete operation. |
--operationPurpose {value}
| Description | Indicates that requests should include the Ping Identity-proprietary operation purpose request control to indicate the intended purpose for the operations. |
| Required | No |
| Multi-Valued | No |
-E
--authorizationIdentity
| Description | Indicates that bind requests should include the authorization identity request control to retrieve the authorization identity for the authenticated connection. |
--getAuthorizationEntryAttribute {attr}
| Description | Indicates that bind requests should include the Ping Identity-proprietary get authorization entry request control to retrieve the specified attribute from the authenticated user's entry. This argument may be provided multiple times to request that multiple attributes be returned. |
| Required | No |
| Multi-Valued | Yes |
--getUserResourceLimits
| Description | Indicates that bind requests should include the Ping Identity-proprietary get user resource limits request control to retrieve information about the resource limits that the server will impose for the authenticated connection. |
-J {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
--deleteControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
| Description | Provides a control to include in all delete requests. |
| Required | No |
| Multi-Valued | No |
--bindControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
| Description | Provides a control to include in all bind requests. |
| Required | No |
| Multi-Valued | No |
--interactive
| Description | Launch the tool in interactive mode. |
--outputFile {path}
| Description | Write all standard output and standard error messages to the specified file instead of to the console. |
| Required | No |
| Multi-Valued | No |
--appendToOutputFile
| Description | Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten. |
--teeOutput
| Description | Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided. |
--propertiesFilePath {path}
| Description | The path to a properties file used to specify default values for arguments not supplied on the command line. |
| Required | No |
| Multi-Valued | No |
--generatePropertiesFile {path}
| Description | Write an empty properties file that may be used to specify default values for arguments. |
| Required | No |
| Multi-Valued | No |
--noPropertiesFile
| Description | Do not obtain any argument values from a properties file. |
--suppressPropertiesFileComment
| Description | Suppress output listing the arguments obtained from a properties file. |