The ldap-debugger Command-Line Tool

Intercept and decode LDAP communication.

Usage

ldap-debugger {arguments}

LDAP Connection and Authentication Arguments

-h {host} / --hostname {host} — The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used.
-p {port} / --port {port} — The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used.
The specified value must not be less than 1 or greater than 65,535.
-D {dn} / --bindDN {dn} — The DN to use to bind to the directory server when performing simple authentication.
A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
-w {password} / --bindPassword {password} — The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
-j {path} / --bindPasswordFile {path} — The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
The specified path must refer to a file that exists.
--promptForBindPassword — Indicates that the tool should interactively prompt the user for the bind password.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-Z / --useSSL — Use SSL when communicating with the directory server.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-q / --useStartTLS — Use StartTLS when communicating with the directory server.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
--defaultTrust — Use the JVM's default trust store, and optionally an additional trust store specified using the --trustStorePath argument, to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-X / --trustAll — Trust any certificate presented by the directory server.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-K {path} / --keyStorePath {path} — The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server.
-W {password} / --keyStorePassword {password} — The password to use to access the key store contents.
-u {path} / --keyStorePasswordFile {path} — The path to the file containing the password to use to access the key store contents.
The specified path must refer to a file that may or may not exist.
--promptForKeyStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the key store contents.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
--keyStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file.
-P {path} / --trustStorePath {path} — The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server.
-T {password} / --trustStorePassword {password} — The password to use to access the trust store contents.
-U {path} / --trustStorePasswordFile {path} — The path to the file containing the password to use to access the trust store contents.
The specified path must refer to a file that may or may not exist.
--promptForTrustStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
--trustStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file.
--verifyCertificateHostnames — Indicates that the tool should verify that the hostname or IP addressed used to establish connections ot the LDAP server matches an address for which the server's TLS certificate was issued.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-N {nickname} / --certNickname {nickname} — The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication.
--enableSSLDebugging — Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-o {name=value} / --saslOption {name=value} — A name-value pair providing information to use when performing SASL authentication.
--useSASLExternal — Use the SASL EXTERNAL mechanism to authenticate.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
--helpSASL — Provide information about the supported SASL mechanisms, including the properties available for use with each.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.

Additional Arguments

-a {address} / --listenAddress {address} — The address on which to listen for client connections. If this is not provided, then it will listen on all interfaces.
-L {port} / --listenPort {port} — The port on which to listen for client connections. If no value is provided, then a free port will be automatically selected.
The specified value must not be less than 0 or greater than 65,535.
-S / --listenUsingSSL — Use SSL when accepting client connections. This is independent of the '--useSSL' option, which applies only to communication between the LDAP debugger and the backend server. If this argument is provided, then either the --keyStorePath or the --generateSelfSignedCertificate argument must also be provided.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
--generateSelfSignedCertificate — Generate a self-signed certificate to present to clients when the --listenUsingSSL argument is provided. This argument cannot be used in conjunction with the --keyStorePath argument.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-f {path} / --outputFile {path} — The path to the output file to be written. If no value is provided, then the output will be written to standard output.
The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
-c {path} / --codeLogFile {path} — The path to the a code log file to be written. If a value is provided, then the tool will generate sample code that corresponds to the requests received from clients. If no value is provided, then no code log will be generated.
The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
--interactive — Launch the tool in interactive mode.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-H / --help — Display usage information for this program.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
-V / --version — Display version information for this program.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
--propertiesFilePath {path} — The path to a properties file used to specify default values for arguments not supplied on the command line.
The specified path must refer to a file that exists.
--generatePropertiesFile {path} — Write an empty properties file that may be used to specify default values for arguments.
The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
--noPropertiesFile — Do not obtain any argument values from a properties file.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
--suppressPropertiesFileComment — Suppress output listing the arguments obtained from a properties file.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.

Dependent Argument Sets

If the --keyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
If the --keyStorePasswordFile argument is provided, then the --keyStorePath argument must also be provided.
If the --promptForKeyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
If the --trustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
If the --trustStorePasswordFile argument is provided, then the --trustStorePath argument must also be provided.
If the --promptForTrustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
If the --keyStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
If the --trustStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
If the --defaultTrust argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
If the --trustAll argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
If the --bindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
If the --bindPasswordFile argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
If the --promptForBindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
If the --listenUsingSSL argument is provided, then at least one of the following arguments must also be provided: --keyStorePath, --generateSelfSignedCertificate

Exclusive Argument Sets

The following arguments cannot be used together: --useSSL, --useStartTLS
The following arguments cannot be used together: --keyStorePassword, --keyStorePasswordFile, --promptForKeyStorePassword
The following arguments cannot be used together: --trustStorePassword, --trustStorePasswordFile, --promptForTrustStorePassword
The following arguments cannot be used together: --defaultTrust, --trustAll
The following arguments cannot be used together: --trustAll, --trustStorePath
The following arguments cannot be used together: --bindDN, --saslOption, --useSASLExternal
The following arguments cannot be used together: --bindPassword, --bindPasswordFile, --promptForBindPassword
The following arguments cannot be used together: --generateSelfSignedCertificate, --keyStorePath
The following arguments cannot be used together: --generateSelfSignedCertificate, --keyStorePassword
The following arguments cannot be used together: --generateSelfSignedCertificate, --keyStorePasswordFile
The following arguments cannot be used together: --generateSelfSignedCertificate, --promptForKeyStorePassword
The following arguments cannot be used together: --propertiesFilePath, --noPropertiesFile

Examples

Listen for client connections on port 1389 on all interfaces and forward any traffic received to server.example.com:389. The decoded LDAP communication will be written to the /tmp/ldap-debugger.log log file.

    ldap-debugger --hostname server.example.com --port 389 --listenPort 1389 \
         --outputFile /tmp/ldap-debugger.log