User Guide -- command-line tools

Intended Audience:
Developers and system administrators

  1. OpenLDAP command-line tools
    1. TLS cert validation
    2. ldapwhoami
    3. ldapsearch
  2. Æ-DIR command-line tools
    1. ae-dir-passwd
    2. ae-dir-addzone
  3. OpenSSL
    1. openssl s_client
    2. openssl verify
  4. Æ-DIR maintenance scripts

OpenLDAP command-line tools

Relevant OpenLDAP documentation:

TLS cert validation

Please make sure that you fully understand how the OpenLDAP command-line tools determine which trusted root CA cert to use for validating the server certificate (see section TLS_OPTIONS in ldap.conf(5)).

If in doubt, set it explicitly via the environment variables LDAPTLS_CACERT (path of the trusted root CA cert) and LDAPTLS_REQCERT (set to "demand" so that connections to servers with an unverifiable cert are refused); note that this does not work on macOS:



ldapwhoami

The OpenLDAP command-line tool ldapwhoami(1) binds and then sends a "Who am I?" extended operation (see RFC 4532) to the LDAP server. This is handy for testing the various authentication mechanisms and authz-ID mappings.

Check aeUser or aeService password via simple bind request with short bind-DN interactively asking for password:
ldapwhoami -x -H ldaps:// -D "uid=lisa,ou=ae-dir" -W
Check aeHost password via simple bind request with short bind-DN and the password given on the command line (note that -w exposes the password in the shell history and the process list; prefer -W or -y passwordfile where possible):
ldapwhoami -x -H ldaps:// -D ",ou=ae-dir" -w
Check aeService authentication via SASL/EXTERNAL bind request and client cert:
LDAPTLS_CERT=/path/to/client.crt LDAPTLS_KEY=/path/to/client.key ldapwhoami -Y EXTERNAL -H ldaps://
On a fully installed replica the following should output the DN of the replica's aeService entry:
LDAPRC=/opt/ae-dir/etc/ldap.conf ldapwhoami -Y EXTERNAL -H ldaps://
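The following POSIX shell snippet is an added example, not part of Æ-DIR or of the OpenLDAP tools: it pins the trusted root CA for the OpenLDAP client tools via the environment variables described in ldap.conf(5) and checks the "Who am I?" answer of a SASL/EXTERNAL bind against an expected DN suffix, so the replica self-test above can be scripted. The CA file path, the server URI, the DN suffix and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of Æ-DIR or OpenLDAP: pin the trusted root CA for
# the OpenLDAP client tools via environment variables (see TLS_OPTIONS in
# ldap.conf(5)) and sanity-check the "Who am I?" answer of a client-cert bind.
# File paths, the URI and the DN suffix used below are assumptions.

# ae_ldap_env CAFILE: export LDAPTLS_CACERT/LDAPTLS_REQCERT for the current
# shell. Fails unless CAFILE is readable and contains a PEM certificate; an
# unreadable or garbage CA file otherwise typically surfaces only as an opaque
# "Can't contact LDAP server" from the tools.
ae_ldap_env() {
  cafile=$1
  [ -r "$cafile" ] || { echo "CA file not readable: $cafile" >&2; return 1; }
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cafile" \
    || { echo "no PEM certificate found in $cafile" >&2; return 1; }
  LDAPTLS_CACERT=$cafile
  LDAPTLS_REQCERT=demand   # refuse servers whose cert does not validate
  export LDAPTLS_CACERT LDAPTLS_REQCERT
}

# ae_parse_authzid LINE: classify one line of ldapwhoami output. RFC 4532
# authz-IDs come back as "dn:<DN>" or "u:<username>"; ldapwhoami prints
# "anonymous" for an empty authz-ID. Prints "<kind> <value>", or returns 1
# for anything else (e.g. an error message) so callers fail closed.
ae_parse_authzid() {
  case $1 in
    dn:*)      echo "dn ${1#dn:}" ;;
    u:*)       echo "u ${1#u:}" ;;
    anonymous) echo "anonymous -" ;;
    *)         return 1 ;;
  esac
}

# ae_expect_dn LINE SUFFIX: succeed only if LINE is a DN authz-ID ending in
# ",SUFFIX" (a "u:" mapping or "anonymous" is not what a replica should get).
ae_expect_dn() {
  parsed=$(ae_parse_authzid "$1") || { echo "not an authz-ID: $1" >&2; return 1; }
  case $parsed in
    "dn "*",$2") return 0 ;;
    *) echo "unexpected authz-ID: $1" >&2; return 1 ;;
  esac
}

# ae_check_whoami URI SUFFIX: SASL/EXTERNAL bind (client cert taken from
# LDAPTLS_CERT/LDAPTLS_KEY or the ldap.conf settings) and check the answer.
# -Q suppresses the SASL chatter that would otherwise mix into the output.
ae_check_whoami() {
  out=$(ldapwhoami -Q -Y EXTERNAL -H "$1") || return 1
  ae_expect_dn "$out" "$2"
}

# Stand-alone usage (all three arguments are assumptions), e.g.:
#   sh ae-ldap-check.sh /etc/ssl/ae-dir-root-ca.pem ldaps://ae-dir-p1.example.com ou=ae-dir
if [ $# -eq 3 ] && command -v ldapwhoami >/dev/null 2>&1; then
  ae_ldap_env "$1" && ae_check_whoami "$2" "$3" && echo "OK: bound as expected aeService"
fi
```

The parse and DN check work on captured output alone, so they can be exercised without a server; only ae_check_whoami needs a reachable replica and a client cert that the server maps to an aeService DN.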


ldapsearch

The OpenLDAP command-line tool ldapsearch(1) sends a search request to the LDAP server and outputs the search results as LDIF (see RFC 2849).

Search for aeUser with username "lisa" by uid ("*" and "+" request all user and all operational attributes):
ldapsearch -H ldaps:// -b ou=ae-dir -s sub "(uid=lisa)" "*" "+"
Search on behalf of an aeService by passing its DN as SASL authorization identity with -X (proxy authorization; the server must allow the bound identity to assume that authz-ID):
ldapsearch -H ldaps:// -b ou=ae-dir -s sub -X 'dn:uid=system_test-1,cn=test-servers-1,cn=test,ou=ae-dir' "*" "+"

Æ-DIR command-line tools

Various command-line tools are installed on the provider systems into the directory /opt/ae-dir/bin/. They use a separate configuration file installed as /opt/ae-dir/etc/ldap.conf:

ae-dir-passwd
Sets the password of an aeUser, aeService or aeHost entry.
ae-dir-addzone
Adds a new aeZone with the two standard aeGroup entries for the zone admins and zone auditors.



ae-dir-passwd

This tool is used in particular when bootstrapping a new Æ-DIR installation, to set the password of the first Æ admin.

Example usage, setting the password of a user account:

root@ae-dir-deb-p1:~# /opt/ae-dir/bin/ae-dir-passwd bart
new password for uid=bart,cn=ae,ou=ae-dir:
repeat password:



ae-dir-addzone

Example usage:

root@ae-dir-deb-p1:~# /opt/ae-dir/bin/ae-dir-addzone test42 IAM-42 "the definite answer"
Added cn=test42,ou=ae-dir
Added cn=test42-init,cn=test42,ou=ae-dir
Tagged cn=test42,ou=ae-dir
Added cn=test42-zone-admins,cn=test42,ou=ae-dir
Added cn=test42-zone-auditors,cn=test42,ou=ae-dir

OpenSSL command-line tools

Relevant OpenSSL documentation:

openssl s_client

The OpenSSL command-line tool s_client(1) opens a TLS connection to the server, which is useful for testing whether the server certificate validates against the given root CA cert.

Open TLS connection to LDAPS port:
openssl s_client -connect -CAfile /path/to/rootca.crt
(The output should contain "Verify return code: 0 (ok)"; note that s_client still completes the handshake on verification errors unless -verify_return_error is given, so check the return code rather than whether the connection was established.)

openssl verify

The OpenSSL command-line tool verify(1) is useful for validating a certificate (chain) against a local CA certificate chain.
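As an added example (not part of Æ-DIR or OpenSSL), the following POSIX shell script builds a throwaway two-level test PKI (root CA, intermediate CA, server cert) with openssl and then exercises openssl verify against it, including the two cases that trip people up: a missing intermediate, and an intermediate used as trust anchor without -partial_chain. It also shows hostname checking with -verify_hostname, which a plain chain check does not do. The directory, the CA names, the hostname and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of Æ-DIR or OpenSSL: build a throwaway two-level
# test PKI (root CA -> intermediate CA -> server cert) and exercise
# "openssl verify" against it. Names, paths and the hostname are assumptions.

# make_test_pki DIR: create root.crt, int.crt and server.crt (plus keys)
# under DIR. -subj and -nodes keep every step non-interactive.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  # Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Test Root CA" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Intermediate CA: CSR signed by the root; it must carry CA:TRUE, otherwise
  # leaf certs it signs are rejected during path validation.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Test Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$dir/int.ext"
  openssl x509 -req -sha256 -days 2 -in "$dir/int.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null
  # Server cert signed by the intermediate, with a SAN for hostname checks.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ae-dir-p1.example.com" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:ae-dir-p1.example.com' > "$dir/server.ext"
  openssl x509 -req -sha256 -days 2 -in "$dir/server.csr" -CA "$dir/int.crt" \
    -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_chain CAFILE CERT [UNTRUSTED]: returns the exit status of
# "openssl verify". CAFILE holds the trust anchor(s); UNTRUSTED holds
# intermediates that may be used to build the chain but are not trusted.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# verify_host CAFILE UNTRUSTED CERT HOSTNAME: chain check plus matching of
# HOSTNAME against the certificate's subjectAltName.
verify_host() {
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}

# Stand-alone usage: sh verify-demo.sh /tmp/testpki
if [ -n "${1:-}" ]; then
  make_test_pki "$1"
  verify_chain "$1/root.crt" "$1/server.crt" "$1/int.crt" && echo "root + intermediate: ok"
  verify_chain "$1/root.crt" "$1/server.crt" \
    || echo "root only: fails (intermediate not supplied)"
  verify_chain "$1/int.crt" "$1/server.crt" \
    || echo "intermediate as anchor: fails (not self-signed; would need -partial_chain)"
  verify_host "$1/root.crt" "$1/int.crt" "$1/server.crt" other.example.com \
    || echo "wrong hostname: fails"
fi
```

The same distinction matters for the s_client check above: -CAfile must point at the self-signed root, and the server has to send its intermediate in the handshake, or the verify return code will not be 0 even though every certificate involved is valid.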

Æ-DIR maintenance scripts

Some scripts installed in /opt/ae-dir/sbin are useful for database maintenance:
Generates a new key pair and CSR for the next TLS server certificate.
Fixes ownership and permissions of all database directories and files; especially useful after doing manual maintenance as user root.
Exports and reloads all databases; useful when the databases' on-disk format changed, e.g. after an OpenLDAP update or certain re-configurations.
Removes all database files and restarts the service ae-slapd to trigger replicating all data from another replica.
Exports all databases to LDIF files. This script is automatically invoked as a CRON job.
Re-indexes all databases; useful when the databases' on-disk format or the index configuration changed, e.g. after an OpenLDAP update.
Compacts all databases with mdb_copy -c; especially useful when the MDB file got fragmented, e.g. by frequently changing bigger group entries.