Requests that the server export entries from a specified backend in LDIF form, including clear-text representations of any passwords encoded with a reversible storage scheme. This tool may only be used over a secure connection and when authenticated as a user with the permit-export-reversible-passwords privilege. The output will be encrypted using a key generated from either a user-supplied passphrase or an encryption settings definition.
Invokes the export-reversible-passwords tool with the minimum required set of options. Only entries containing reversibly encoded passwords will be included in the export, and the export will only include entry DNs and the clear-text passwords. The output will be encrypted with a key generated from the server's preferred encryption settings definition:
export-reversible-passwords --port 636 --useSSL \
     --trustStorePath /ds/config/truststore \
     --bindDN uid=pwexport,dc=example,dc=com --backendID userRoot \
     --ldifFile /ds/ldif/exported-passwords.ldif
Invokes the export-reversible-passwords tool with a more complete set of options. The export will include all user entries matching the filter '(objectClass=person)', including entries with non-reversibly encoded passwords and entries without passwords, and will include all user and operational attributes in the exported entries (but will not include virtual attributes). The output will be encrypted with a key generated from a passphrase read from a file:
export-reversible-passwords --port 636 --useSSL \
     --trustStorePath /ds/config/truststore \
     --bindDN uid=pwexport,dc=example,dc=com \
     --bindPasswordFile pwexport-user-password.txt --backendID userRoot \
     --filter "(objectClass=person)" --exportNonReversiblePasswords \
     --exportEntriesWithoutPasswords --includeAdditionalAttribute '*' \
     --includeAdditionalAttribute "+" \
     --ldifFile /ds/ldif/exported-passwords.ldif \
     --encryptionPassphraseFile encryption-passphrase.txt
For examples and help with LDAP options, see LDAP Option Help. For help with SASL authentication, see SASL Option Help.
-V
--version
Description | Display Directory Server version information |
-H
--help
Description | Display general usage information |
--help-ldap
Description | Display help for using LDAP options |
--help-sasl
Description | Display help for using SASL options |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-p {port}
--port {port}
Description | The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used. |
Default Value | 389 |
Required | Yes |
Multi-Valued | No |
-D {dn}
--bindDN {dn}
Description | The DN to use to bind to the directory server when performing simple authentication. |
Required | No |
Multi-Valued | No |
-w {password}
--bindPassword {password}
Description | The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
-j {path}
--bindPasswordFile {path}
Description | The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
--promptForBindPassword
Description | Indicates that the tool should interactively prompt the user for the bind password. |
-Z
--useSSL
Description | Use SSL when communicating with the directory server. |
-q
--useStartTLS
Description | Use StartTLS when communicating with the directory server. |
--defaultTrust
Description | Use the JVM's default trust store, the server's default trust store, the server's topology registry, and optionally an additional trust store specified using the --trustStorePath argument to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it. |
-X
--trustAll
Description | Trust any certificate presented by the directory server. |
-K {path}
--keyStorePath {path}
Description | The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server. |
Required | No |
Multi-Valued | No |
-W {password}
--keyStorePassword {password}
Description | The password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
-u {path}
--keyStorePasswordFile {path}
Description | The path to the file containing the password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
--promptForKeyStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the key store contents. |
--keyStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file. |
Required | No |
Multi-Valued | No |
-P {path}
--trustStorePath {path}
Description | The path to the file to use as the trust store when determining whether to trust a certificate presented by the directory server. |
Required | No |
Multi-Valued | No |
-T {password}
--trustStorePassword {password}
Description | The password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
Description | The path to the file containing the password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
--promptForTrustStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents. |
--trustStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file. |
Required | No |
Multi-Valued | No |
--verifyCertificateHostnames
Description | Indicates that the tool should verify that the hostname or IP address used to establish connections to the LDAP server matches an address for which the server's TLS certificate was issued. |
-N {nickname}
--certNickname {nickname}
Description | The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication. |
Required | No |
Multi-Valued | No |
-o {name=value}
--saslOption {name=value}
Description | A name-value pair providing information to use when performing SASL authentication. |
Required | No |
Multi-Valued | Yes |
--useSASLExternal
Description | Use the SASL EXTERNAL mechanism to authenticate. |
--helpSASL
Description | Provide information about the supported SASL mechanisms, including the properties available for use with each. |
-n {id}
--backendID {id}
Description | The backend ID for the backend that contains the entries to export. This must be specified, the backend must exist, and must be enabled in the server |
Required | Yes |
Multi-Valued | No |
-l {path}
--ldifFile {path}
Description | Specifies the path to the LDIF file into which the exported entries should be written. This must be specified, and the path must reference a file that does not exist but in a directory that does exist and is below the server root directory |
Required | Yes |
Multi-Valued | No |
--encryptionPassphraseFile {path}
Description | The path to a file containing the passphrase to use to generate the output encryption key. If neither an encryption passphrase nor an encryption settings definition ID is specified, then the encryption key will be generated from the server's preferred encryption settings definition |
Required | No |
Multi-Valued | No |
--promptForEncryptionPassphrase
Description | Interactively prompt for the passphrase to use to generate the output encryption key. If neither an encryption passphrase nor an encryption settings definition ID is specified, then the encryption key will be generated from the server's preferred encryption settings definition |
--encryptionSettingsDefinitionID {ID}
Description | The ID of the encryption settings definition to use to generate the output encryption key. If neither an encryption passphrase nor an encryption settings definition ID is specified, then the encryption key will be generated from the server's preferred encryption settings definition |
Required | No |
Multi-Valued | No |
--includeBaseDN {dn}
Description | The base DN of a subtree whose entries should specifically be included in the export. If any include base DNs are specified, then only entries that are below an include base DN and not below an exclude base DN will be included. If no include or exclude base DNs are specified, then all entries in the backend will be eligible for inclusion in the export |
Required | No |
Multi-Valued | Yes |
--excludeBaseDN {dn}
Description | The base DN of a subtree whose entries should specifically be excluded from the export. If any exclude base DNs are specified, then no entries below an exclude base DN will be included in the export, even if they are also below an include base DN. If no include or exclude base DNs are specified, then all entries in the backend will be eligible for inclusion in the export |
Required | No |
Multi-Valued | Yes |
-f {filter}
--filter {filter}
Description | A filter that may be used to restrict the set of entries to include in the export. If this is provided then only entries matching the filter will be exported |
Required | No |
Multi-Valued | No |
--exportNonReversiblePasswords
Description | Indicates that the export should include passwords that are encoded in a non-reversible form. If this is not provided, then the only passwords included in the export will be those for which the clear-text representation can be obtained |
--exportEntriesWithoutPasswords
Description | Indicates that the export should include entries that do not have any passwords. If this is not provided, then the export will only include entries that have at least one password (and unless the --exportNonReversiblePasswords argument is given, it will only include entries with at least one reversibly-encoded password) |
-A {attr}
--includeAdditionalAttribute {attr}
Description | Specifies an additional attribute or set of attributes to include in the export. Password attributes will always be included, but this argument may be used to specify additional attributes to include. This uses the same syntax as requested attributes in a search request, so special tokens like '*' (indicating all user attributes), '+' (indicating all operational attributes), and '@person' (indicating all attributes associated with the 'person' object class) may be used. This argument may be provided multiple times to specify multiple attributes or sets of attributes |
Required | No |
Multi-Valued | Yes |
--includeVirtualAttributes
Description | Indicates that the export should include the values of any virtual attributes contained in the entries being exported. If this is not provided, then the export will only include real attributes |
--interactive
Description | Launch the tool in interactive mode. |
--outputFile {path}
Description | Write all standard output and standard error messages to the specified file instead of to the console. |
Required | No |
Multi-Valued | No |
--appendToOutputFile
Description | Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten. |
--teeOutput
Description | Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided. |
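The following pre-flight checks are an added example, not part of the tool or its documentation. They test the --ldifFile path rules described above, the permissions on bind-password and passphrase files, and an argument list for --trustAll, command-line passwords, or a missing --useSSL/--useStartTLS. The function names and result strings are assumptions made for the sketch.

```sh
#!/bin/sh
# Added example: pre-flight checks for an export-reversible-passwords run.
# The function names and result strings are assumptions made for this sketch.

# check_ldif_target SERVER_ROOT LDIF_PATH
# Mirrors the --ldifFile rules: the file must not exist, its directory must
# exist, and the resolved path must be below the server root.
check_ldif_target() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "bad server root"; return 1; }
    dir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) ||
        { echo "parent directory missing"; return 1; }
    case "$dir/" in
        "$root"/*) ;;
        *) echo "not below server root"; return 1 ;;
    esac
    [ ! -e "$dir/$(basename "$2")" ] || { echo "target already exists"; return 1; }
    echo ok
}

# check_secret_file PATH
# Bind-password and passphrase files should grant nothing to group or other.
check_secret_file() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || { echo "group/other access: $perms"; return 1; }
    echo ok
}

# lint_args ARGS...
# Reports options from this page that weaken certificate validation or place
# a secret on the command line, and a missing --useSSL/--useStartTLS.
lint_args() {
    findings="" secure=no
    for a in "$@"; do
        case "$a" in
            -Z|--useSSL|-q|--useStartTLS) secure=yes ;;
            -X|--trustAll) findings="$findings trust-all" ;;
            -w|--bindPassword|-W|--keyStorePassword|-T|--trustStorePassword)
                findings="$findings secret-on-command-line" ;;
        esac
    done
    [ "$secure" = yes ] || findings="$findings no-tls"
    echo "${findings# }"
}
```

Each function prints ok (or an empty line for lint_args) when nothing is wrong, so a wrapper can refuse to start the export on any other output.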