Available Command-Line Tools

The following command-line tools are provided with the UnboundID LDAP SDK for Java. Click on each tool name for usage information for that tool.


Perform repeated authentications against an LDAP directory server, where each authentication consists of a search to find a user followed by a bind to verify the credentials for that user.


Base64 encode raw data, or base64-decode encoded data. The data to encode or decode may be provided via an argument value, in a file, or read from standard input. The output may be written to a file or standard output.


Generate and deliver a one-time password to a user through some out-of-band mechanism. That password can then be used to authenticate via the UNBOUNDID-DELIVERED-OTP SASL mechanism.


Generate and deliver a single-use token to a user through some out-of-band mechanism. The user can provide that token to the password modify extended request in lieu of the user's current password in order to select a new password.


Obtain a listing of all of the DNs for all entries below a specified base DN in the Directory Server.


Generate LDAP schema that may be used to store objects from a properly-annotated class contained in the Java classpath. The schema elements will be written to the file in LDIF form.


Generate source code for a Java class that may be used to represent data stored in an LDAP directory server. The source code will be generated using information read from the directory server schema, and will contain an appropriate set of annotations required to use that class with the LDAP SDK persistence framework.


Generate a shared secret that may be used to generate time-based one-time password (TOTP) authentication codes for use in authenticating with the UNBOUNDID-TOTP SASL mechanism, or in conjunction with the validate TOTP password extended operation.


This tool may be used to identify entries containing one or more attributes which reference entries that do not exist. This may require the ability to perform unindexed searches and/or the ability to use the simple paged results control.


This tool may be used to identify unique attribute conflicts. That is, it may identify values of one or more attributes which are supposed to exist only in a single entry but are found in multiple entries.


A simple LDAP directory server which holds all of its information in memory and can be used for basic testing purposes. It can be created and managed programmatically using the com.unboundid.ldap.listener.InMemoryDirectoryServer class.


Parses a provided LDAP filter string and displays it in a multi-line form that makes it easier to understand its hierarchy and embedded components. Where possible, it may also simplify the provided filter in certain ways (for example, by removing unnecessary levels of hierarchy, like an AND embedded in an AND).


Intercept and decode LDAP communication.


Process compare operations in an LDAP directory server.


Deletes one or more entries from an LDAP directory server. The DNs of the entries to delete can be provided using named arguments, as trailing arguments, read from a file, or read from standard input. Alternately, entries to delete can be identified using a search base DN and filter.


Applies a set of add, delete, modify, and/or modify DN operations to a directory server. The changes to apply should be supplied in LDIF format, either via standard input or from a file specified with the 'ldifFile' argument. Change records must be separated by at least one blank line.


Issues one or more searches to an LDAP directory server.


Retrieve or update information about the current state of a user account. Processing will be performed using the password policy state extended operation, and you must have the password-reset privilege to use this extended operation.


Provides a number of subcommands that can be used to manage a set of certificates and private keys in a JKS or PKCS #12 keystore.


Perform repeated modifications against an LDAP directory server.


Move all entries in a specified subtree from one server to another.


Registers a YubiKey OTP device with the Directory Server for a specified user so that the device may be used to authenticate that user in conjunction with the UNBOUNDID-YUBIKEY-OTP SASL mechanism. Alternately, it may be used to deregister one or more YubiKey OTP devices for a user so that they may no longer be used to authenticate that user.


Perform repeated searches against an LDAP directory server and modify each entry returned.


Perform repeated searches against an LDAP directory server.


Splits a single LDIF file into multiple sets by separating entries below a specified base DN into different mutually-exclusive collections of entries. A number of algorithms are available to determine how entries should be split, and entries outside the split base DN may be included in all sets or added to a dedicated LDIF file.


List or update the set of subtree accessibility restrictions defined in the Directory Server.


Examine one or more access log files from Ping Identity, UnboundID, or Nokia/Alcatel-Lucent 8661 server products to display a number of metrics about operations processed within the server.


Apply one or more changes to entries or change records read from an LDIF file, writing the updated records to a new file. This tool can apply a variety of transformations, including scrambling attribute values, redacting attribute values, excluding attributes or entries, replacing existing attributes, adding new attributes, renaming attributes, and moving entries from one subtree to another.


Validate the contents of an LDIF file against the server schema.