export-reversible-passwords

Description

Requests that the server export entries from a specified backend in LDIF form, including clear-text representations of any passwords encoded with a reversible storage scheme. This tool may only be used over a secure connection and when authenticated as a user with the permit-export-reversible-passwords privilege. The output will be encrypted using a key generated from either a user-supplied passphrase or an encryption settings definition.

Examples

Invokes the export-reversible-passwords tool with the minimum required set of options. Only entries containing reversibly encoded passwords will be included in the export, and the export will only include entry DNs and the clear-text passwords. The output will be encrypted with a key generated from the server's preferred encryption settings definition:
export-reversible-passwords --port 636 --useSSL \
     --trustStorePath /ds/config/truststore \
     --bindDN uid=pwexport,dc=example,dc=com --backendID userRoot \
     --ldifFile /ds/ldif/exported-passwords.ldif


Invokes the export-reversible-passwords tool with a more complete set of options. The export will include all user entries matching the filter '(objectClass=person)', including entries with non-reversibly encoded passwords and entries without passwords, and will include all user and operational attributes in the exported entries (but will not include virtual attributes). The output will be encrypted with a key generated from a passphrase read from a file:
export-reversible-passwords --port 636 --useSSL \
     --trustStorePath /ds/config/truststore \
     --bindDN uid=pwexport,dc=example,dc=com \
     --bindPasswordFile pwexport-user-password.txt --backendID userRoot \
     --filter "(objectClass=person)" --exportNonReversiblePasswords \
     --exportEntriesWithoutPasswords --includeAdditionalAttribute '*' \
     --includeAdditionalAttribute "+" \
     --ldifFile /ds/ldif/exported-passwords.ldif \
     --encryptionPassphraseFile encryption-passphrase.txt

For examples and help with LDAP options, see LDAP Option Help. For help with SASL authentication, see SASL Option Help.
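
The following preflight script is an added example, not part of the product documentation or the tool itself. It checks an intended argument list against the constraints this page states (secure connection, --ldifFile target rules) before the tool is run. The function names, the SERVER_ROOT variable, the refusal of --trustAll and of secrets passed in argv, and the owner-only permission policy for secret files are assumptions of this sketch, and it assumes it runs on the server host:

```sh
#!/bin/sh
# Added example: preflight checks before running export-reversible-passwords.
# Assumptions: run on the server host; SERVER_ROOT is the server root directory;
# "owner-only permissions" for secret files is this sketch's policy, not the tool's.
SERVER_ROOT="${SERVER_ROOT:-/ds}"

# Reject arguments that weaken the connection or put a secret in argv.
check_args() {
  local secure=no a
  for a in "$@"; do
    case "$a" in
      -X|--trustAll) echo "refusing $a: certificate not validated" >&2; return 1 ;;
      -w|--bindPassword|-W|--keyStorePassword|-T|--trustStorePassword)
        echo "refusing $a: use the ...File or prompt form" >&2; return 1 ;;
      -Z|--useSSL|-q|--useStartTLS) secure=yes ;;
    esac
  done
  [ "$secure" = yes ] || { echo "need --useSSL or --useStartTLS" >&2; return 1; }
}

# Passphrase/password files: regular file, not a symlink, no group/other bits.
check_secret_file() {
  { [ -f "$1" ] && [ ! -L "$1" ]; } || { echo "not a regular file: $1" >&2; return 1; }
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] ||
    { echo "group/other can access: $1" >&2; return 1; }
}

# --ldifFile: must not exist, parent must exist, resolved path below server root.
check_ldif_target() {
  local dir root
  [ ! -e "$1" ] || { echo "already exists: $1" >&2; return 1; }
  root=$(cd "$SERVER_ROOT" 2>/dev/null && pwd -P) || { echo "bad SERVER_ROOT" >&2; return 1; }
  dir=$(cd "$(dirname -- "$1")" 2>/dev/null && pwd -P) ||
    { echo "parent directory missing: $1" >&2; return 1; }
  case "$dir/" in
    "$root"/*) return 0 ;;
    *) echo "not below $SERVER_ROOT: $1" >&2; return 1 ;;
  esac
}

# Walk the intended argument list and apply every check; returns 0 only if all pass.
preflight() {
  local prev="" a
  check_args "$@" || return 1
  for a in "$@"; do
    case "$prev" in
      -l|--ldifFile) check_ldif_target "$a" || return 1 ;;
      -j|--bindPasswordFile|--encryptionPassphraseFile) check_secret_file "$a" || return 1 ;;
    esac
    prev=$a
  done
}
```

Source the script and call preflight with the same arguments intended for export-reversible-passwords, running the tool only when it returns 0.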

Arguments

-V
--version

Description Display Data Sync Server version information

-H
--help

Description Display general usage information

--help-ldap

Description Display help for using LDAP options

--help-sasl

Description Display help for using SASL options

--help-debug

Description Display help for using debug options
Advanced Yes

-p {port}
--port {port}

Description The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used.
Default Value 389
Required Yes
Multi-Valued No

-D {dn}
--bindDN {dn}

Description The DN to use to bind to the directory server when performing simple authentication.
Required No
Multi-Valued No

-w {password}
--bindPassword {password}

Description The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
Required No
Multi-Valued No

-j {path}
--bindPasswordFile {path}

Description The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
Required No
Multi-Valued No

--promptForBindPassword

Description Indicates that the tool should interactively prompt the user for the bind password.

-Z
--useSSL

Description Use SSL when communicating with the directory server.

-q
--useStartTLS

Description Use StartTLS when communicating with the directory server.

-X
--trustAll

Description Trust any certificate presented by the directory server.

-K {path}
--keyStorePath {path}

Description The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server.
Required No
Multi-Valued No

-W {password}
--keyStorePassword {password}

Description The password to use to access the key store contents.
Required No
Multi-Valued No

-u {path}
--keyStorePasswordFile {path}

Description The path to the file containing the password to use to access the key store contents.
Required No
Multi-Valued No

--promptForKeyStorePassword

Description Indicates that the tool should interactively prompt the user for the password to use to access the key store contents.

--keyStoreFormat {format}

Description The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file.
Required No
Multi-Valued No

-P {path}
--trustStorePath {path}

Description The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server.
Required No
Multi-Valued No

-T {password}
--trustStorePassword {password}

Description The password to use to access the trust store contents.
Required No
Multi-Valued No

-U {path}
--trustStorePasswordFile {path}

Description The path to the file containing the password to use to access the trust store contents.
Required No
Multi-Valued No

--promptForTrustStorePassword

Description Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents.

--trustStoreFormat {format}

Description The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file.
Required No
Multi-Valued No

-N {nickname}
--certNickname {nickname}

Description The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication.
Required No
Multi-Valued No

-o {name=value}
--saslOption {name=value}

Description A name-value pair providing information to use when performing SASL authentication.
Required No
Multi-Valued Yes

--useSASLExternal

Description Use the SASL EXTERNAL mechanism to authenticate.

--helpSASL

Description Provide information about the supported SASL mechanisms, including the properties available for use with each.

-n {id}
--backendID {id}

Description The backend ID for the backend that contains the entries to export. This must be specified, and the backend must exist and be enabled in the server.
Required Yes
Multi-Valued No

-l {path}
--ldifFile {path}

Description Specifies the path to the LDIF file into which the exported entries should be written. This must be specified, and the path must reference a file that does not exist but is in a directory that does exist and is below the server root directory.
Required Yes
Multi-Valued No

--encryptionPassphraseFile {path}

Description The path to a file containing the passphrase to use to generate the output encryption key. If neither an encryption passphrase nor an encryption settings definition ID is specified, then the encryption key will be generated from the server's preferred encryption settings definition.
Required No
Multi-Valued No

--promptForEncryptionPassphrase

Description Interactively prompt for the passphrase to use to generate the output encryption key. If neither an encryption passphrase nor an encryption settings definition ID is specified, then the encryption key will be generated from the server's preferred encryption settings definition.

--encryptionSettingsDefinitionID {ID}

Description The ID of the encryption settings definition to use to generate the output encryption key. If neither an encryption passphrase nor an encryption settings definition ID is specified, then the encryption key will be generated from the server's preferred encryption settings definition.
Required No
Multi-Valued No

-f {filter}
--filter {filter}

Description A filter that may be used to restrict the set of entries to include in the export. If this is provided, then only entries matching the filter will be exported.
Required No
Multi-Valued No

--exportNonReversiblePasswords

Description Indicates that the export should include passwords that are encoded in a non-reversible form. If this is not provided, then the only passwords included in the export will be those for which the clear-text representation can be obtained.

--exportEntriesWithoutPasswords

Description Indicates that the export should include entries that do not have any passwords. If this is not provided, then the export will only include entries that have at least one password (and unless the --exportNonReversiblePasswords argument is given, it will only include entries with at least one reversibly-encoded password).

-A {attr}
--includeAdditionalAttribute {attr}

Description Specifies an additional attribute or set of attributes to include in the export. Password attributes will always be included, but this argument may be used to specify additional attributes to include. This uses the same syntax as requested attributes in a search request, so special tokens like '*' (indicating all user attributes), '+' (indicating all operational attributes), and '@person' (indicating all attributes associated with the 'person' object class) may be used. This argument may be provided multiple times to specify multiple attributes or sets of attributes.
Required No
Multi-Valued Yes

--includeVirtualAttributes

Description Indicates that the export should include the values of any virtual attributes contained in the entries being exported. If this is not provided, then the export will only include real attributes.

--interactive

Description Launch the tool in interactive mode.

--outputFile {path}

Description Write all standard output and standard error messages to the specified file instead of to the console.
Required No
Multi-Valued No

--appendToOutputFile

Description Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten.

--teeOutput

Description Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided.