The ldapdelete Command-Line Tool

Delete one or more entries from an LDAP directory server. You can provide the DNs of the entries to delete using named arguments, as trailing arguments, from a file, or from standard input. Alternatively, you can identify entries to delete using a search base DN and filter.

Usage

ldapdelete {arguments} [{dn1} [{dn2} [{dn3} ...] ] ]

LDAP Connection and Authentication Arguments

• -h {host} / --hostname {host} — The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used.
  
  
• -p {port} / --port {port} — The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used.
  The specified value must not be less than 1 or greater than 65,535.
  
  
• -D {dn} / --bindDN {dn} — The DN to use to bind to the directory server when performing simple authentication.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
  
  
• -w {password} / --bindPassword {password} — The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
  
  
• -j {path} / --bindPasswordFile {path} — The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
  The specified path must refer to a file that exists.
  
  
• --promptForBindPassword — Indicates that the tool should interactively prompt the user for the bind password.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -Z / --useSSL — Use SSL when communicating with the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -q / --useStartTLS — Use StartTLS when communicating with the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --defaultTrust — Use the JVM's default trust store, and optionally an additional trust store specified using the --trustStorePath argument, to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -X / --trustAll — Trust any certificate presented by the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -K {path} / --keyStorePath {path} — The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server.
  
  
• -W {password} / --keyStorePassword {password} — The password to use to access the key store contents.
  
  
• -u {path} / --keyStorePasswordFile {path} — The path to the file containing the password to use to access the key store contents.
  The specified path must refer to a file that may or may not exist.
  
  
• --promptForKeyStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the key store contents.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --keyStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file.
  
  
• -P {path} / --trustStorePath {path} — The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server.
  
  
• -T {password} / --trustStorePassword {password} — The password to use to access the trust store contents.
  
  
• -U {path} / --trustStorePasswordFile {path} — The path to the file containing the password to use to access the trust store contents.
  The specified path must refer to a file that may or may not exist.
  
  
• --promptForTrustStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --trustStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file.
  
  
• --verifyCertificateHostnames — Indicates that the tool should verify that the hostname or IP addressed used to establish connections ot the LDAP server matches an address for which the server's TLS certificate was issued.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -N {nickname} / --certNickname {nickname} — The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication.
  
  
• --enableSSLDebugging — Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -o {name=value} / --saslOption {name=value} — A name-value pair providing information to use when performing SASL authentication.
  
  
• --useSASLExternal — Use the SASL EXTERNAL mechanism to authenticate.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --helpSASL — Provide information about the supported SASL mechanisms, including the properties available for use with each.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  

Data Arguments

• -b {dn} / --entryDN {dn} — The DN of an entry to delete. This argument may be provided multiple times to specify the DNs of multiple entries to delete, and entries will be deleted in the order in which the arguments were given. This argument must not be used in conjunction with any other argument used to indicate which entries should be deleted.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
  
  
• -f {path} / --dnFile {path} — The path to a file containing the DNs of the entries to delete. Each DN must be on its own line in the file, with blank lines and lines starting with the '#' character being ignored. Each DN line may optionally start with 'dn:' (or 'dn::' to indicate that the DN is base64-encoded), and long DNs may be wrapped across multiple lines by starting subsequent lines with at least one space. This argument may be provided multiple times to specify multiple DN files, and the files will be processed in the order they were provided. This argument must not be used in conjunction with any other argument used to indicate which entries should be deleted.
  The specified path must refer to a file that exists.
  
  
• --deleteEntriesMatchingFilter {filter} — An LDAP search filter that can be used to identify the entries to delete. The base DN for the searches should be specified using the --searchBaseDN argument, with the null DN being used by default if that argument is not given. This argument may be provided multiple times to specify multiple filters, and searches will be performed in the order in which the filters are provided. This argument must not be used in conjunction with any other argument used to indicate which entries should be deleted.
  A provided value must be able to be parsed as an LDAP search filter as described in RFC 4515.
  
  
• --deleteEntriesMatchingFiltersFromFile {path} — The path to a file containing LDAP search filters (one filter per line, with blank lines and lines starting with the '#' character being ignored) that can be used to identify the entries to delete. The base DN for the searches should be specified using the --searchBaseDN argument, with the null DN being used by default if that argument is not given. This argument may be provided multiple times to specify the paths to multiple filter files, and the files will be processed in the order they are provided on the command line. This argument must not be used in conjunction with any other argument used to indicate which entries should be deleted.
  The specified path must refer to a file that exists.
  
  
• --searchBaseDN {dn} — The base DN to use when searching for entries to delete. This argument may only be used in conjunction with the --deleteEntriesMatchingFilter or --deleteEntriesMatchingFiltersFromFile arguments. It may be provided multiple times to specify multiple search base DNs. If this argument is not given, the null DN will be used as the base DN for the searches.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
  
  
• --searchPageSize {value} — The page size to use in conjunction with the simple paged results control when retrieving entries. This argument may be used in conjunction with either the --deleteEntriesMatchingFilter or the --deleteEntriesMatchingFilterFromFile argument to indicate that the search should use the simple paged results control to retrieve the entries in pages rather than all at once. It may also be used in conjunction with the --clientSideSubtreeDelete argument to indicate the page size for the simple paged results control that it uses.
  The specified value must not be less than 1 or greater than 2,147,483,647.
  
  
• --encryptionPassphraseFile {path} — The path to a file containing the passphrase used to encrypt an input file. If this is not provided and an input file is encrypted (and the encryption key cannot be automatically obtained, for example, from a Ping Identity Directory Server's encryption settings database), then the user will be interactively prompted for the passphrase.
  The specified path must refer to a file that exists.
  
  
• -i {charset} / --characterSet {charset} — The character set/data encoding to use when reading data from files or standard input. If this is not specified, the UTF-8 character set will be used by default.
  
  
• -R {path} / --rejectFile {path} — The path to a file that will be updated with the DNs of any entries that could not be deleted, along with information about the failed delete attempt. If this is not provided, then failure information will only be written to standard error.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• -v / --verbose — Generate verbose output.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --scriptFriendly — Generate script-friendly output.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  

Delete Operation Arguments

• --retryFailedOperations — Indicates that if an operation fails in a way that indicates that the connection to the directory server may be invalid, the tool should automatically retry the failed operation on a newly created connection.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --neverRetry — Indicates that the tool should not attempt to retry operations that fail in a way that the connection to the directory server may be invalid. By default, it will automatically try to establish a new connection and retry the failed operation.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -n / --dryRun — Indicates that the tool should display what it would do, and may perform searches if appropriate, but will not actually attempt to delete any entries. Note that if the server supports the no-operation request control, you may wish to use the --noOperation argument instead, which will actually send the delete requests with a control indicating that the server should perform as much validation of the request that it can, but should not actually delete the target entry.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -c / --continueOnError — Indicates that the tool should continue processing even after encountering an error. This is only applicable if it is run with arguments that would cause it to attempt to delete multiple entries.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --followReferrals — Indicates that the tool should attempt to follow any referrals that it encounters. By default, any referrals that are returned will be treated as failures.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --useAdministrativeSession — Indicates that the tool should attempt to use the Ping Identity-proprietary start administrative session extended operation to create an administrative session that will cause all requests to be processed in a dedicated pool of worker threads. This may be useful when trying to diagnose or resolve an issue when all regular worker threads are busy processing other requests
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -r {deletesPerSecond} / --ratePerSecond {deletesPerSecond} — The maximum number of delete operations that should be attempted per second. If this is not provided, then no rate limit will be imposed on delete requests.
  The specified value must not be less than 1 or greater than 2,147,483,647.
  
  
• -V {version} / --ldapVersion {version} — The LDAP protocol version that should be used.
  The specified value must not be less than 3 or greater than 3.
  
  

Control Arguments

• --clientSideSubtreeDelete — Indicates that all delete requests should be processed as client-side subtree deletes by searching for all entries below the target entry and then deleting them.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -x / --serverSideSubtreeDelete — Indicates that all delete requests should be processed as server-side subtree deletes by using the subtree delete request control.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -s / --softDelete — Indicates that delete requests should include the Ping Identity-proprietary soft delete request control to indicate that the server should hide the entries rather than deleting them immediately. Soft-deleted may or may not be completely removed after a period of time, based on the server configuration.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --hardDelete — Indicates that delete requests should include the Ping Identity-proprietary hard delete request control to indicate that the target entries should be completely removed, even if they would have otherwise been processed as soft deletes.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -Y {authzID} / --proxyAs {authzID} — Indicates that search and delete requests should include the proxied authorization v2 request control, to request that they be processed under the authority of the specified user.
  
  
• --proxyV1As {dn} — Indicates that search and delete requests should include the proxied authorization v1 request control, to request that they be processed under the authority of the specified user.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
  
  
• --useManageDsaIT — Indicates that search and delete requests should include the Manage DSA IT request control to indicate that the server should treat referral entries as regular entries.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --assertionFilter {filter} — Indicates that delete requests should include the assertion request control to indicate that the server should reject any attempt to delete an entry that does not match the provided filter.
  A provided value must be able to be parsed as an LDAP search filter as described in RFC 4515.
  
  
• --preReadAttribute {attr} — Indicates that delete requests should include the pre-read request control to indicate that delete responses should include a post-read response control with the values of the specified at the time the entry was deleted. This may be provided multiple times to request multiple pre-read attributes.
  
  
• --noOperation — Indicates that delete requests should include the no-operation request control to indicate that the server should perform as much processing as possible for the delete operation without actually removing the entry.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --getBackendSetID — Indicates that delete requests sent through a Directory Proxy Server should include the Ping Identity-proprietary get backend set ID request control to indicate that the response should include a control with the ID of the entry-balancing backend set in which the delete was processed.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --routeToBackendSet {entry-balancing-processor-id:backend-set-id} — Indicates that search and delete requests should include the Ping Identity-proprietary route to backend set request control to indicate that the Directory Proxy Server should forward those requests to servers in the specified entry-balancing backend set. This control may be provided multiple times to specify multiple backend sets for the same or different entry-balancing request processors.
  
  
• --getServerID — Indicates that delete requests should include the Ping Identity-proprietary get server ID request control to indicate that the response should include a control with the server ID of the Directory Server instance in which the delete was processed.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --routeToServer {id} — Indicates that search and delete requests should include the Ping Identity-proprietary route to server request control to indicate that the Directory Proxy Server should forward those requests to the specified backend server.
  
  
• --useAssuredReplication — Indicates that delete requests should include the Ping Identity-proprietary assured replication request control to delay the response from the server until the change has been replicated to other servers. The --assuredReplicationLocalLevel, --assuredReplicationRemoteLevel, and --assuredReplicationTimeout arguments may also be used to customize the content of the request control.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --assuredReplicationLocalLevel {none|received-any-server|processed-all-servers} — The replication assurance level that should be used for servers in the same location as the server that originally processed the change. The value must be one of 'none', 'received-any-server', or 'processed-all-servers'. If this is not provided, the server will determine an appropriate local assurance level.
  A provided value should be one of the following: 'received-any-server', 'processed-all-servers', 'none'.
  
  
• --assuredReplicationRemoteLevel {none|received-any-remote-location|received-all-remote-locations|processed-all-remote-servers} — The replication assurance level that should be used for servers in a different location from the server that originally processed the change. The value must be one of 'none', 'received-any-remote-location', 'received-all-remote-locations', or 'processed-all-remote-servers'. If this is not provided, the server will determine an appropriate remote assurance level.
  A provided value should be one of the following: 'processed-all-remote-servers', 'none', 'received-any-remote-location', 'received-all-remote-locations'.
  
  
• --assuredReplicationTimeout {duration} — The maximum length of time that the server should delay the response to the delete operation while waiting for the desired replication assurance to be achieved. If this is not provided, the server will determine an appropriate timeout to use.
  The provided value must contain an integer followed by a unit of 'ns' (for nanoseconds), 'us' (for microseconds), 'ms' (for milliseconds), 's' (for seconds), 'm' (for minutes), 'h' (for hours), 'd' (for days), or 'w' (for weeks). The specified duration must not be less than 0ns or greater than 9223372036854775807ns.
  
  
• --replicationRepair — Indicates that delete requests should include the Ping Identity-proprietary replication repair request control to indicate that the delete operation should not be replicated.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --suppressReferentialIntegrityUpdates — Indicates that delete requests should include the Ping Identity-proprietary suppress referential integrity updates request control so that the server will not perform any referential integrity processing for the delete operation.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --operationPurpose {value} — Indicates that requests should include the Ping Identity-proprietary operation purpose request control to indicate the intended purpose for the operations.
  
  
• -E / --authorizationIdentity — Indicates that bind requests should include the authorization identity request control to retrieve the authorization identity for the authenticated connection.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --getAuthorizationEntryAttribute {attr} — Indicates that bind requests should include the Ping Identity-proprietary get authorization entry request control to retrieve the specified attribute from the authenticated user's entry. This argument may be provided multiple times to request that multiple attributes be returned.
  
  
• --getUserResourceLimits — Indicates that bind requests should include the Ping Identity-proprietary get user resource limits request control to retrieve information about the resource limits that the server will impose for the authenticated connection.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -J {oid}[:{criticality}[:{stringValue}|::{base64Value}]] / --deleteControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]] — Provides a control to include in all delete requests.
  A provided value must be a string representation of a valid LDAP control in the form {oid}[:{criticality}[:{stringValue}|::{base64Value}]].
  
  
• --bindControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]] — Provides a control to include in all bind requests.
  A provided value must be a string representation of a valid LDAP control in the form {oid}[:{criticality}[:{stringValue}|::{base64Value}]].
  
  

Additional Arguments

• --interactive — Launch the tool in interactive mode.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --outputFile {path} — Write all standard output and standard error messages to the specified file instead of to the console.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• --appendToOutputFile — Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --teeOutput — Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -H / --help — Display usage information for this program.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --version — Display version information for this program.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --propertiesFilePath {path} — The path to a properties file used to specify default values for arguments not supplied on the command line.
  The specified path must refer to a file that exists.
  
  
• --generatePropertiesFile {path} — Write an empty properties file that may be used to specify default values for arguments.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• --noPropertiesFile — Do not obtain any argument values from a properties file.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --suppressPropertiesFileComment — Suppress output listing the arguments obtained from a properties file.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  

Dependent Argument Sets

• If the --keyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
• If the --keyStorePasswordFile argument is provided, then the --keyStorePath argument must also be provided.
• If the --promptForKeyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
• If the --trustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
• If the --trustStorePasswordFile argument is provided, then the --trustStorePath argument must also be provided.
• If the --promptForTrustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
• If the --keyStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --trustStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --defaultTrust argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --trustAll argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --bindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
• If the --bindPasswordFile argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
• If the --promptForBindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
• If the --searchBaseDN argument is provided, then at least one of the following arguments must also be provided: --deleteEntriesMatchingFilter, --deleteEntriesMatchingFiltersFromFile
• If the --searchPageSize argument is provided, then at least one of the following arguments must also be provided: --deleteEntriesMatchingFilter, --deleteEntriesMatchingFiltersFromFile, --clientSideSubtreeDelete
• If the --appendToOutputFile argument is provided, then the --outputFile argument must also be provided.
• If the --teeOutput argument is provided, then the --outputFile argument must also be provided.

Exclusive Argument Sets

• The following arguments cannot be used together: --useSSL, --useStartTLS
• The following arguments cannot be used together: --keyStorePassword, --keyStorePasswordFile, --promptForKeyStorePassword
• The following arguments cannot be used together: --trustStorePassword, --trustStorePasswordFile, --promptForTrustStorePassword
• The following arguments cannot be used together: --defaultTrust, --trustAll
• The following arguments cannot be used together: --trustAll, --trustStorePath
• The following arguments cannot be used together: --bindDN, --saslOption, --useSASLExternal
• The following arguments cannot be used together: --bindPassword, --bindPasswordFile, --promptForBindPassword
• The following arguments cannot be used together: --entryDN, --dnFile, --deleteEntriesMatchingFilter, --deleteEntriesMatchingFiltersFromFile
• The following arguments cannot be used together: --followReferrals, --useManageDsaIT
• The following arguments cannot be used together: --clientSideSubtreeDelete, --serverSideSubtreeDelete
• The following arguments cannot be used together: --clientSideSubtreeDelete, --followReferrals
• The following arguments cannot be used together: --clientSideSubtreeDelete, --preReadAttribute
• The following arguments cannot be used together: --clientSideSubtreeDelete, --getBackendSetID
• The following arguments cannot be used together: --clientSideSubtreeDelete, --getServerID
• The following arguments cannot be used together: --clientSideSubtreeDelete, --noOperation
• The following arguments cannot be used together: --clientSideSubtreeDelete, --dryRun
• The following arguments cannot be used together: --softDelete, --hardDelete
• The following arguments cannot be used together: --propertiesFilePath, --noPropertiesFile

Examples

• Deletes the entry with DN 'uid=test.user,ou=People,dc=example,dc=com'

    ldapdelete --hostname ds.example.com --port 636 --useSSL \
         --bindDN uid=admin,dc=example,dc=com \
         uid=test.user,ou=People,dc=example,dc=com

• Deletes the entries whose DNs are contained in the file 'dns-to-delete.txt'.

    ldapdelete --hostname ds.example.com --port 636 --useSSL \
         --trustStorePath trust-store.jks \
         --bindDN uid=admin,dc=example,dc=com \
         --bindPasswordFile admin-password.txt --dnFile dns-to-delete.txt

• Deletes all entries matching filter '(description=delete)' below base entry 'ou=People,dc=example,dc=com'.

    ldapdelete --hostname ds.example.com --port 389 --useStartTLS \
         --trustStorePath trust-store.jks \
         --bindDN uid=admin,dc=example,dc=com \
         --bindPasswordFile admin-password.txt \
         --deleteEntriesMatchingFilter "(description=delete)"

• Deletes the entries whose DNs are read from standard input (one DN per line).

    ldapdelete --hostname ds.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com