Available Command-Line Tools

The following command-line tools are provided with the UnboundID LDAP SDK for Java.


Perform repeated authentications against an LDAP directory server, where each authentication consists of a search to find a user followed by a bind to verify the credentials for that user.


Encode raw data using the base64 algorithm or decode base64-encoded data back to its raw representation.


Collect and package system information useful in troubleshooting problems. The information is packaged as a zip archive that can be sent to a technical support representative.


Generate and deliver a one-time password to a user through some out-of-band mechanism. That password can then be used to authenticate via the UNBOUNDID-DELIVERED-OTP SASL mechanism.


Generate and deliver a single-use token to a user through some out-of-band mechanism. The user can provide that token to the password modify extended request in lieu of the user's current password in order to select a new password.


Obtain a listing of all of the DNs for all entries below a specified base DN in the Directory Server.


Generate LDAP schema that may be used to store objects from a properly-annotated class contained in the Java classpath. The schema elements will be written to the file in LDIF form.


Generate source code for a Java class that may be used to represent data stored in an LDAP directory server. The source code will be generated using information read from the directory server schema, and will contain an appropriate set of annotations required to use that class with the LDAP SDK persistence framework.


Generate a shared secret that may be used to generate time-based one-time password (TOTP) authentication codes for use in authenticating with the UNBOUNDID-TOTP SASL mechanism, or in conjunction with the validate TOTP password extended operation.


This tool may be used to identify entries containing one or more attributes which reference entries that do not exist. This may require the ability to perform unindexed searches and/or the ability to use the simple paged results control.


This tool may be used to identify unique attribute conflicts. That is, it may identify values of one or more attributes which are supposed to exist only in a single entry but are found in multiple entries.


A simple LDAP directory server which holds all of its information in memory and can be used for basic testing purposes. It can be created and managed programmatically using the com.unboundid.ldap.listener.InMemoryDirectoryServer class.


Parses a provided LDAP filter string and displays it in a multi-line form that makes it easier to understand its hierarchy and embedded components. If possible, it may also be able to simplify the provided filter in certain ways (for example, by removing unnecessary levels of hierarchy, like an AND embedded in an AND).


Intercept and decode LDAP communication.


Compare the contents of two LDAP servers.


Display and query LDAP result codes.


Perform compare operations in an LDAP directory server. Compare operations may be used to efficiently determine whether a specified entry has a given value.


Delete one or more entries from an LDAP directory server. You can provide the DNs of the entries to delete using named arguments, as trailing arguments, from a file, or from standard input. Alternatively, you can identify entries to delete using a search base DN and filter.


Apply a set of add, delete, modify, and/or modify DN operations to a directory server. Supply the changes to apply in LDIF format, either from standard input or from a file specified with the 'ldifFile' argument. Change records must be separated by at least one blank line.


Update the password for a user in an LDAP directory server using the password modify extended operation (as defined in RFC 3062), a standard LDAP modify operation, or an Active Directory-specific modification.


Process one or more searches in an LDAP directory server.


Compare the contents of two files containing LDIF entries. The output will be an LDIF file containing the add, delete, and modify change records needed to convert the data in the source LDIF file into the data in the target LDIF file.


Apply a set of changes (including add, delete, modify, and modify DN operations) to a set of entries contained in an LDIF file. The changes will be read from a second file (containing change records rather than entries), and the updated entries will be written to a third LDIF file. Unlike ldapmodify, the ldifmodify tool cannot read the changes to apply from standard input.


Search one or more LDIF files to identify entries matching a given set of criteria.


Retrieve or update information about the current state of a user account. Processing will be performed using the password policy state extended operation, and you must have the password-reset privilege to use this extended operation.


Manage certificates and private keys in a JKS, PKCS #12, PKCS #11, or BCFKS key store.


Perform repeated modifications against an LDAP directory server.


Move all entries in a specified subtree from one server to another.


Search the OID registry to retrieve information about items that match a given OID or name.


Use multiple concurrent threads to apply a set of add, delete, modify, and modify DN operations read from an LDIF file.


Registers a YubiKey OTP device with the Directory Server for a specified user so that the device may be used to authenticate that user in conjunction with the UNBOUNDID-YUBIKEY-OTP SASL mechanism. Alternately, it may be used to deregister one or more YubiKey OTP devices for a user so that they may no longer be used to authenticate that user.


Perform repeated searches against an LDAP directory server and modify each entry returned.


Perform repeated searches against an LDAP directory server.


Splits a single LDIF file into multiple sets by separating entries below a specified base DN into different mutually-exclusive collections of entries. A number of algorithms are available to determine how entries should be split, and entries outside the split base DN may be included in all sets or added to a dedicated LDIF file.


List or update the set of subtree accessibility restrictions defined in the Directory Server.


Examine one or more access log files from Ping Identity, UnboundID, or Nokia/Alcatel-Lucent 8661 server products to display a number of metrics about operations processed within the server.


Provides a mechanism to help test the performance of the LDAP SDK.


Provides information about the TLS cipher suites that are supported by the JVM and selects a recommended set of suites for secure communication.


Apply one or more changes to entries or change records read from an LDIF file, writing the updated records to a new file. This tool can apply a variety of transformations, including scrambling attribute values, redacting attribute values, excluding attributes or entries, replacing existing attributes, adding new attributes, renaming attributes, and moving entries from one subtree to another.


Validate an LDAP schema read from one or more LDIF files.


Validate the contents of an LDIF file against the server schema.