Appendix A. Testing Scripts Available with Directory Server
Red Hat Directory Server provides a script which you can use to test Directory Server performance in different stress or load conditions. The test script simulates different environments which allow administrators to assess configuration or machine changes before putting them in production.
The ldclt script is located in the /usr/bin directory.
A.1. ldclt (Load Stress Tests)
The LDAP client script (ldclt) establishes multiple client connections to a server, under user-defined scenarios, to load-test the Directory Server. Client operations include directory adds, searches, modifies, modRDNs, and deletes, as well as setup operations like generating LDIF files. Operations can be randomized (binding and unbinding as random users, performing random tasks) to simulate more realistic usage environments for the directory.
The ldclt tool measures the completion time of continuously-repeated operations to measure Directory Server performance. Using multiple threads makes it possible to test performance under high loads. Each test performs the same type of LDAP operation, but with different settings (like different user credentials, different attribute types or sizes, and different target subtrees).
Along with defining the LDAP operation variables, administrators can control the thread performance in order to set a specific load on the server.
The ldclt tool is specifically intended to be used for automated tests, so its options are extensive, flexible, and easily scripted, even for complex test operations.
Remember that ldclt is a load test, and therefore uses a significant amount of system resources. The tool uses a minimum of 8 MB of memory. Depending on the numbers of threads, types of operations, and other configuration settings, it can use much more memory.
Depending on the type of operations and the directory data used for those operations, ldclt may set its own resource limits. For information on managing system resource limits, see the man pages for ulimit and getrlimit.
The ldclt utility is located in the /usr/bin directory.
A.1.1. Syntax
ldclt -q -Q -v -V -E max_errors -b base_DN -h host -p port -t timeout -D bind_DN -w password -o SASL_options -e execution_params -a max_pending -n number_of_threads -i inactivity_times -N number_of_samples -I error_code -T total_number_of_operations -r low_range -R high_range -f filter -s scope -S consumer -P supplier_port -W wait_time -Z certificate_file
A.1.2. ldclt Options
Option | Description |
---|---|
-a max_pending_ops | Runs the tool in asynchronous mode with a defined maximum number of pending operations. |
-b base_dn | Gives the base DN to use for running the LDAP operation tests. If not given, the default value is |
-D bind_dn | Gives the bind DN for the |
-E max_errors | Sets the maximum number of errors that are allowed to occur in test LDAP operations before the tool exits. The default is 1000. |
-e execution_params | Specifies the type of operation and other test environment parameters to use for the tests. The possible values for |
-f filter | Gives an LDAP search filter to use for search testing. |
-h | Specifies the host name or IP address of the Directory Server to run tests against. If a host is not specified, |
-I error_code | Tells |
-i inactivity_times | Sets a number of intervals that the tool can be inactive before exiting. By default, this setting is 3, which translates into 30 seconds (each operations interval being 10 seconds long). |
-N number_of_samples | Sets the number of iterations to run, meaning how many ten-second test periods to run. By default, this is infinite and the tool only exits when it is manually stopped. |
-n number_of_threads | Sets the number of threads to run simultaneously for operations. The default value is 10. |
-o SASL_option | Tells the tool to connect to the server using SASL and gives the SASL mechanism to use. The format is * mech, the SASL authentication mechanism * authid, the user who is binding to the server (Kerberos principal) * authzid, a proxy authorization (ignored by the server since proxy authorization is not supported) * secProp, the security properties * realm, the Kerberos realm * flags The expected values depend on the supported mechanism. The -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user" |
-P supplier_port | Gives the port to use to connect to a supplier server for replication testing. The default, if one is not given, is 16000. |
-p port | Gives the server port number of the Directory Server instance that is being tested. |
-Q | Runs the tool in "super" quiet mode. This ignores any errors that are encountered in operations run by |
-q | Runs the tool in quiet mode. |
-R number | Sets the high number for a range. |
-r number | Sets the low number of a range. |
-S consumer_name | Gives the host name of a consumer server to connect to run replication tests. |
-s scope | Gives the search scope. As with |
-T ops_per_thread | Sets a maximum number of operations allowed per thread. |
-t timeout | Sets a timeout period for LDAP operations. The default is 30 seconds. |
-V | Runs the tool in very verbose mode. |
-v | Runs the tool in verbose mode. |
-W wait_time | Sets a time, in seconds, for the |
-w password | Gives the password to use, with the |
-Z /path/to/cert.db | Enables TLS for the test connections and points to the file to use as the certificate database. |
The -e option sets execution parameters for the ldclt test operations. Multiple parameters can be configured, in a comma-separated list. For example:
-e add,bindeach,genldif=/var/lib/dirsrv/slapd-instance/ldif/generated.ldif,inetOrgPerson
Parameter | Description |
---|---|
abandon | Initiates abandon operations for asynchronous search requests. |
add | Adds entries to the directory ( |
append | Appends entries to the end of the LDIF file generated with the |
ascii | Generates ASCII 7-bit strings. |
attreplace=name:mask | Run modify operations that replace an attribute (name) in an existing entry. |
attrlist=name:name:name | Specifies a list of attributes to return in a search operation. |
attrsonly=# | Used with search operations, to set whether to read the attribute values. The possible values are 0 (read values) or 1 (do not read values). |
bindeach | Tells the |
bindonly | Tells the |
close | Tells the tool to close the connection rather than perform an unbind operation. |
cltcertname=name | Gives the name of the TLS client certificate to use for TLS connections. |
commoncounter | Makes all threads opened by the |
counteach | Tells the tool to count each operation, not only successful ones. |
delete | Initiates delete operations. |
deref | Adds the dereference control to search operations ( |
dontsleeponserverdown | Causes the tool to loop very fast if the server is down. |
emailPerson | This adds the |
esearch | Performs an exact search. |
genldif=filename | Generates an LDIF file to use with the operations. |
imagesdir=path | Gives a location for images to use with tests. |
incr | Enables incremental values. |
inetOrgPerson | This adds the |
keydbfile=file | Contains the path and file name of the key database to use with TLS connections. |
keydbpin=password | Contains the token password to access the key database. |
noglobalstats | Tells the tool not to print periodical global statistics. |
noloop | Does not loop the incremental numbers. |
object=filename | Builds entry objects from an input file. |
person | This adds the |
random | Tells the |
randomattrlist=name:name:name | Tells the |
randombase | Tells the |
randombaselow=value | Sets the low value for the random generator. |
randombasehigh=value | Sets the high value for the random generator. |
randombinddn | Tells the |
randombinddnfromfile=file | Tells the |
randombinddnlow=value | Sets the low value for the random generator. |
randombinddnhigh=value | Sets the high value for the random generator. |
rdn=attrname:value | Gives an RDN to use as the search filter. This is used instead of the |
referral=value | Sets the referral behavior for operations. There are three options: on (allow referrals), off (disallow referrals), or rebind (attempt to connect again). |
smoothshutdown | Tells the |
string | Tells the |
v2 | Tells the |
withnewparent | Performs a modRDN operation, renaming an entry with newparent set as an argument. |
randomauthid | Uses a random SASL authentication ID. |
randomauthidlow=value | Sets the low value for a random SASL authentication ID. |
randomauthidhigh=value | Sets the high value for the random SASL authentication ID. |
A.1.3. Results from ldclt
ldclt continuously runs whatever operation is specified, over the specified number of threads. By default, it prints the performance statistics to the screen every ten (10) seconds.
The results show the average number of operations per thread and per second and then the total number of operations that were run in that ten-second window.
ldclt[process_id] Average rate: number_of_ops/thr (number_of_ops/sec), total: total_number_of_ops
For example:
ldclt[22774]: Average rate: 10298.20/thr (15447.30/sec), total: 154473
ldclt prints cumulative averages and totals every 15 minutes and when the tool is exited.
ldclt[22774]: Global average rate: 821203.00/thr (16424.06/sec), total: 12318045
ldclt[22774]: Global number times "no activity" reports: never
ldclt[22774]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[22774]: Ending at Wed Feb 24 18:39:38 2010
ldclt[22774]: Exit status 0 - No problem during execution.
Some operations (like adds), and verbose output options like -v or -V, output additional data to the screen. The kind of information depends on the type of operation, but it generally shows the thread performing the operation and the plug-ins called by the operation. For example:
ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret12 -e add,person,incr,noloop,commoncounter -r90000 -R99999 -f "cn=testXXXXX" -V
...
ldclt[11176]: T002: After ldap_simple_bind_s (cn=Directory Manager, secret12)
ldclt[11176]: T002: incremental mode:filter="cn=test00009"
ldclt[11176]: T002: tttctx->bufFilter="cn=test00009"
ldclt[11176]: T002: attrs[0]=("objectclass" , "person")
ldclt[11176]: T002: attrs[1]=("cn" , "test00009")
ldclt[11176]: T002: attrs[2]=("sn" , "toto sn")
...
ldclt[11176]: Average rate: 195.00/thr ( 195.00/sec), total: 1950
ldclt[10627]: Global average rate: 238.80/thr (238.80/sec), total: 2388
ldclt[10627]: Global number times "no activity" reports: never
ldclt[10627]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[10627]: Ending at Tue Feb 23 11:46:04 2010
ldclt[10627]: Exit status 0 - No problem during execution.
Most errors are handled by ldclt without interrupting the test. Any fatal errors that are encountered are listed with the tool’s exit status and returned in the cumulative total.
Global no error occurs during this session.
Any LDAP operations errors that occur are handled within the thread. A connection error kills the thread without affecting the overall test. The ldclt utility does count the number of times each LDAP error is encountered; if the total number of errors that are logged hits more than 1000 (by default), then the script itself will error out.
The way that ldclt responds to LDAP errors can be configured. Using the -E option sets a different threshold for the script to error out after encountering LDAP errors. Using the -I option tells the script to ignore the specified LDAP error codes in all threads. Changing the error exit limit and ignoring certain error codes can allow you to tweak and improve test scripts or test configuration.
A.1.4. Exiting ldclt and ldclt Exit Codes
The ldclt command runs indefinitely. The script can stop itself in a handful of situations, like encountering a fatal runtime or initialization error, hitting the limit of LDAP errors, having all threads die, or hitting the operation or time limit.
The statistics for the run are not displayed until the command completes, either through the script exiting or by a user terminating the script. There are two ways to interrupt the ldclt script.
- Hitting control-backslash (^\) or kill -3 prints the current statistics without exiting the script.
- Hitting control-C (^C) or kill -2 exits the script and prints the global statistics.
When the ldclt script exits or is interrupted, it returns an exit code along with the statistics and error information.
Exit Code | Description |
---|---|
0 | Success (no errors). |
1 | An operation encountered a serious fatal error. |
2 | There was an error in the parameters passed with the tool. |
3 | The tool hit the maximum number of LDAP errors. |
4 | The tool could not bind to the Directory Server instance. |
5 | The tool could not load the TLS libraries to connect over TLS. |
6 | There was a multithreading (mutex) error. |
7 | There was an initialization problem. |
8 | The tool hit a resource limit, such as a memory allocation error. |
99 | The script encountered an unknown error. |
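As an added example (not part of the original documentation or the ldclt source), this Python code parses the rate and exit-status lines shown in Section A.1.3 and applies the exit code table above, so that an automated test can fail on a non-zero status or on a throughput floor. The names parse_ldclt_output and gate and the min_ops_per_sec threshold are assumptions; the sample text is constructed from the line formats on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Exit codes as listed in the exit code table of this section.
EXIT_CODES = {
    0: "Success (no errors).",
    1: "An operation encountered a serious fatal error.",
    2: "There was an error in the parameters passed with the tool.",
    3: "The tool hit the maximum number of LDAP errors.",
    4: "The tool could not bind to the Directory Server instance.",
    5: "The tool could not load the TLS libraries to connect over TLS.",
    6: "There was a multithreading (mutex) error.",
    7: "There was an initialization problem.",
    8: "The tool hit a resource limit, such as a memory allocation error.",
    99: "The script encountered an unknown error.",
}

# Matches both the ten-second "Average rate" and the "Global average rate" lines.
RATE_RE = re.compile(
    r"^ldclt\[\d+\]:\s+(?P<kind>Global average|Average) rate:\s*"
    r"(?P<per_thread>\d+(?:\.\d+)?)/thr\s+\(\s*(?P<per_sec>\d+(?:\.\d+)?)/sec\),"
    r"\s+total:\s*(?P<total>\d+)"
)
EXIT_RE = re.compile(r"^ldclt\[\d+\]:\s+Exit status (\d+)")

@dataclass
class Rate:
    per_thread: float
    per_sec: float
    total: int

@dataclass
class Report:
    samples: List[Rate] = field(default_factory=list)  # one per interval
    overall: Optional[Rate] = None                     # "Global average rate"
    exit_status: Optional[int] = None

def parse_ldclt_output(text: str) -> Report:
    """Collect interval samples, the global average and the exit status."""
    report = Report()
    for line in text.splitlines():
        line = line.strip()
        m = RATE_RE.match(line)
        if m:
            rate = Rate(float(m["per_thread"]), float(m["per_sec"]), int(m["total"]))
            if m["kind"] == "Average":
                report.samples.append(rate)
            else:
                report.overall = rate
            continue
        m = EXIT_RE.match(line)
        if m:
            report.exit_status = int(m.group(1))
    return report

def gate(report: Report, min_ops_per_sec: float) -> List[str]:
    """Return the reasons to fail a run; an empty list means it passed."""
    problems = []
    if report.exit_status is None:
        problems.append("no exit status line found (output truncated?)")
    elif report.exit_status != 0:
        desc = EXIT_CODES.get(report.exit_status, "undocumented exit code")
        problems.append(f"exit status {report.exit_status}: {desc}")
    if not report.samples:
        problems.append("no per-interval samples found")
    for i, s in enumerate(report.samples, 1):
        if s.per_sec < min_ops_per_sec:
            problems.append(
                f"sample {i}: {s.per_sec:.2f} ops/sec below floor {min_ops_per_sec:.2f}")
    return problems

# Constructed sample, assembled from the line formats shown in Section A.1.3.
SAMPLE = """\
ldclt[22774]: Average rate: 10298.20/thr (15447.30/sec), total: 154473
ldclt[22774]: Average rate:   195.00/thr (  195.00/sec), total:   1950
ldclt[22774]: Global average rate: 821203.00/thr (16424.06/sec), total: 12318045
ldclt[22774]: Exit status 0 - No problem during execution.
"""
```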
A.1.5. Usage Scenarios
These provide general examples of using ldclt to test Directory Server. Test scripts with more complex examples are available in the ldclt source files. You can download this file from the 389 Directory Server project: https://github.com/389ds/389-ds-base/tree/master/ldap/servers/slapd/tools/ldclt/examples
Every ldclt command requires a set of execution parameters (which varies depending on the type of test) and connection parameters (which are the same for every type of operation). For example:
# ldclt -e execution_parameters -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com"
When ldclt runs, it first prints all of the configured parameters for that test.
Process ID = 1464
Host to connect = localhost
Port number = 389
Bind DN = cn=Directory Manager
Passwd = secret
Referral = on
Base DN = ou=people,dc=example,dc=com
Filter = "cn=MrXXX"
Max times inactive = 3
Max allowed errors = 1000
Number of samples = -1
Number of threads = 10
Total op. req. = -1
Running mode = 0xa0000009
Running mode = quiet verbose random exact_search
LDAP oper. timeout = 30 sec
Sampling interval = 10 sec
Scope = subtree
Attrsonly = 0
Values range = [0 , 1000000]
Filter's head = "cn=Mr"
Filter's tail = ""
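The parameter banner above prints the bind password in clear text (Passwd = secret), and the -V output in Section A.1.3 repeats it in the ldap_simple_bind_s line, so saved test logs carry credentials. As an added example (not from the original documentation or from ldclt itself), this Python filter masks those fields, plus -w and keydbpin values in echoed command lines, before logs are archived; the function names and the sample text are constructed for illustration.

```python
import re

MASK = "[REDACTED]"

# Start-up banner line: "Passwd = secret". Only spaces/tabs are allowed around
# "=" so that an empty password cannot make the pattern swallow the next line.
BANNER_RE = re.compile(r"^([ \t]*Passwd[ \t]*=[ \t]*).*$", re.MULTILINE)

# Verbose bind trace: "After ldap_simple_bind_s (bind_dn, password)".
# Everything after the first ", " is masked, up to the last ")" on the line,
# so a password containing ", " or ")" is still fully covered.
BIND_RE = re.compile(r"(After ldap_simple_bind_s \(.*?, ).*(\))")

# Echoed command lines: -w secret, -w "secret", -w 'secret'
W_OPT_RE = re.compile(r"""(?<!\S)(-w[ \t]*)("[^"\n]*"|'[^'\n]*'|\S+)""")

# keydbpin=password inside an -e parameter list
PIN_RE = re.compile(r"(keydbpin=)[^,\s]+")


def redact(text: str) -> str:
    """Mask credentials in captured ldclt output and command echoes."""
    text = BANNER_RE.sub(r"\g<1>" + MASK, text)
    text = BIND_RE.sub(r"\g<1>" + MASK + r"\g<2>", text)
    text = W_OPT_RE.sub(r"\g<1>" + MASK, text)
    text = PIN_RE.sub(r"\g<1>" + MASK, text)
    return text


def leaks(text: str, secrets: list) -> list:
    """Return the known test secrets that still appear in text."""
    return [s for s in secrets if s and s in text]


# Constructed sample combining the command, banner and -V lines from this page.
SAMPLE = """\
# ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret12 -e add,person -V
Bind DN = cn=Directory Manager
Passwd = secret12
Referral = on
ldclt[11176]: T002: After ldap_simple_bind_s (cn=Directory Manager, secret12)
# ldclt -h host -p port -Z certPath -e cltcertname=certName,keydbfile=filename,keydbpin=password
"""

if __name__ == "__main__":
    cleaned = redact(SAMPLE)
    print(cleaned)
    print("remaining secrets:", leaks(cleaned, ["secret12", "password"]))
```

Running leaks() over the cleaned log with the test accounts' passwords is a cheap last check before the log leaves the test host.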
A.1.5.1. Generating LDIFs
The ldclt tool itself can be used to generate LDIF files that can be used for testing.
When generating an LDIF file, the ldclt tool does not attempt to connect to a server or run any operations.
Generating an LDIF file requires a basic template file that the tool uses to create entries (-e object), and then a specified output file (-e genldif).
The template file can give explicit values for entry attributes or can use variables. If you want a simple way to supply unique values for entry attributes, the /usr/share/dirsrv/data directory contains three data files to generate surnames, first names, and organizational units. These lists of values can be used to create test users and directory trees (dbgen-FamilyNames, dbgen-GivenNames, and dbgen-OrgUnits, respectively). These files can be used with the rndfromfile, incrfromfile, or incrfromfilenoloop options.
The basic format of the template file is:
# comment
attribute: string | variable=keyword(value)
The variable can be any letter from A to H. The possible keywords are listed in Table A.4, “ldclt Template LDIF File Keywords”.
Some variables and keywords can be passed with the -e object option and other available parameters (like rdn).
-e object=inet.txt,rdn='uid:[A=INCRNNOLOOP(0;99999;5)]'
Keyword | Description | Format |
---|---|---|
RNDN | Generates a random value within the specified range (low - high) and of the given length. | RNDN(low;high;length) |
RNDFROMFILE | Pulls a random value from any of the ones available in the specified file. | RNDFROMFILE(filename) |
INCRN | Creates sequential values within the specified range (low - high) and of the given length. | INCRN(low;high;length) |
INCRNNOLOOP | Creates sequential values within the specified range (low - high) and of the given length, without looping through the incremental range. | INCRNNOLOOP(low;high;length) |
INCRFROMFILE | Creates values by incrementing through the values in the specified file. | INCRFROMFILE(filename) |
INCRFROMFILENOLOOP | Creates values by incrementing through the values in the file, without looping back through the values. | INCRFROMFILENOLOOP(filename) |
RNDS | Generates random values of a given length. | RNDS(length) |
For example, this template file pulls names from sample files in the /usr/share/dirsrv/data directory and builds other attributes dynamically.
Example A.1. Example Template File
objectclass: inetOrgPerson
sn: [B=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-FamilyNames)]
cn: [C=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-GivenNames)] [B]
password: test[A]
description: user id [A]
mail: [C].[B]@example.com
telephonenumber: (555) [RNDN(0;999;3)]-[RNDN(0;9999;4)]
The ldclt command, then, uses that template to build an LDIF file with 100,000 entries:
# ldclt -b "ou=people,dc=csb" -e object=inet.txt,rdn='uid:[A=INCRNNOLOOP(0;99999;5)]' -e genldif=100Kinet.ldif,commoncounter
A.1.5.2. Adding Entries
The ldclt tool can add entries that match either of two templates:
- person
- inetorgperson
The -f filter sets the format of the naming attribute for the user entries. For example, -f "cn=MrXXXXX" creates a name like cn=Mr01234. Using the person or inetorgperson parameter with -f creates a basic entry.
objectclass: person
sn: ex sn
cn: Mr01234
More complex entries (which are good for search and modify testing) can be created using the rdn parameter and an object file. The full range of options for the entries is covered in Section A.1.5.1, “Generating LDIFs”. The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table A.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
-e rdn='uid:[A=INCRNNOLOOP(0;99999;5)]',object=inet.txt
The ldclt tool creates entries in a numeric sequence. That means that the method of adding those entries and of counting the sequence have to be defined as well. Some possible options for this include:
- -r and -R to set the numeric range for entries
- incr or random to set the method of assigning numbers (these are only used with -f)
- noloop, to stop the add operations when it hits the end of the range rather than looping back
Example A.2. Adding Entries
# ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret -e add,person,incr,noloop,commoncounter -r0 -R99999 -f "cn=MrXXXXX" -v -q
The add operation can also be used to build a directory tree for more complex testing. Whenever an entry is added to the directory that belongs to a non-existent branch, the ldclt tool automatically creates that branch entry.
The first time that an entry is added that is the child of a non-existent branch, the branch entry is added to the directory. However, the entry itself is not added. Subsequent entries will be added to the new branch.
For a branch entry to be added automatically, its naming attribute must be cn, o, or ou.
Example A.3. Creating the Directory Tree
# ldclt -b ou=DeptXXX,dc=example,dc=com -D "cn=Directory Manager" -w secret -e add,person,incr,noloop,commoncounter -r0 -R99999 -f "cn=MrXXXXX" -v -q
A.1.5.3. Search Operations
The most basic ldclt search test simply looks for all entries within the given base DN. This uses two execution parameters: esearch and random.
Example A.4. Basic Search Operation
# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -f uid=testXXXXX -e esearch,random -r0 -R99999 -I 32
A search that returns all entries can use a large amount of memory per thread, as much as 1 GB. ldclt is designed to perform searches that return one entry.
The search results can be expanded to return attributes contained in the entries. (Section A.1.5.1, “Generating LDIFs” has information on generating entries that contain multiple attributes.) To return a specific list of attributes for entries, use the attrlist execution parameter and a colon-separated list of attributes.
Example A.5. Searching for a List of Attributes
# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f uid=XXXXX -e esearch,random -r0 -R99999 -I 32 -e attrlist=cn:mail
Alternatively, the ldclt search operation can return attribute values for attributes randomly selected from the search list. The list is given in the randomattrlist execution parameter with a colon-separated list of attributes.
Example A.6. Searching for a List of Random Attributes
# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f uid=XXXXX -e esearch,random -r0 -R99999 -I 32 -e randomattrlist=cn:sn:ou:uid:mail:mobile:description
The filter used to match entries can target other entry attributes, not just naming attributes. It depends on the attributes in the generated LDIF.
Example A.7. Searches with Alternate Filters
# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f mail=XXXXXX@example.com -e esearch,random -r0 -R99999 -I 32 -e randomattrlist=cn:sn:ou:uid:mail:mobile:description
The search operation can also use the RDN-style filter to search for entries. The rdn and object execution parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table A.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
Example A.8. Searches with RDN Filters
# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -e rdn='mail:[RNDN(0;99999;5)]@example.com',object="inet.txt" -e attrlist=cn:telephonenumber
A.1.5.4. Modify Operations
The attreplace execution parameter replaces specific attributes in the entries.
The modify operation uses the RDN filter to search for the entries to update. The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table A.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
Example A.9. Modify Operation
# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -e rdn='uid:[RNDN(0;99999;5)]' -I 32 -e attreplace='description: random modify XXXXX'
A.1.5.5. modrdn Operations
The ldclt command supports two kinds of modrdn operations:
- Renaming entries
- Moving an entry to a new parent
The ldclt utility creates the new entry name or parent from a randomly-selected DN.
The basic rename operation requires three execution parameters:
- rename
- rdn='pattern'
- object=file
The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table A.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
Example A.10. Simple Rename Operation
# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -I 32 -I 68 -e rename,rdn='uid:[RNDN(0;999;5)]',object="inet.txt"
Using the withnewparent execution parameter renames the entry and moves it beneath a new parent entry. If the parent entry does not exist, then the ldclt tool creates it.
Example A.11. Renaming an Entry and Moving to a New Parent
# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret12 -b "ou=DeptXXX,dc=example,dc=com" -I 32 -I 68 -e rename,withnewparent,rdn='uid:Mr[RNDN(0;99999;5)]',object="inet.txt"
A.1.5.6. Delete Operations
The ldclt delete operation is exactly the reverse of the add operation. As with the add, delete operations can remove entries in several different ways:
- Randomly (-e delete,random)
- RDN-ranges (-e delete,rdn=[pattern])
- Sequentially (-e delete,incr)
Random deletes are configured to occur within the specified range of entries. This requires the following options:
- -e delete,random
- -r and -R for the range bounds
- -f for the filter to match the entries
Example A.12. Random Delete Operations
# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,random -r0 -R99999 -f "uid=XXXXXX" -I 32 -v -q
RDN-based deletes use the rdn execution parameter with a keyword (as listed in Table A.4, “ldclt Template LDIF File Keywords”) and draw their entry pool from the entries listed in a text file. This format requires three execution parameters:
- -e delete
- -e rdn='pattern'
- -e object='file'
Example A.13. RDN-Based Delete Operations
# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,rdn='uid:[INCRNNOLOOP(0;99999;5)]',object="inet.txt" -I 32 -v -q
The last delete operation format is much like the random delete format, only it moves sequentially through the given range, rather than randomly:
- -e delete,incr
- -r and -R for the range bounds
- -f for the filter to match the entries
Example A.14. Sequential Delete Operations
# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,incr -r0 -R99999 -f "uid=XXXXXX" -I 32 -v -q
A.1.5.7. Bind Operations
By default, each ldclt thread binds once to the server and then runs all of its operations in a single session. The -e bindeach parameter can be used with any other operation to instruct the ldclt tool to bind for each operation and then unbind before initiating the next operation.
-e add,bindeach ...
To test only bind and unbind operations, use the -e bindeach,bindonly execution parameters and no other operation information. For example:
# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -e bindeach,bindonly -e bind_info
The bind operation can specify a single user to use for testing by using the -D and -w user name-password pair in the connection parameters.
Use the -e close option with the bind parameters to test the effect that dropping connections has on the Directory Server, instead of unbinding cleanly.
Example A.15. Bind Only and Close Tests
# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -e bindeach,bindonly,close
There are also execution parameters which can be used to select a random bind identity from a given file (randombinddnfromfile) or using a DN selected randomly from within a range (-e randombinddn,randombinddnlow=X,randombinddnhigh=Y).
Example A.16. Random Binds from Identities in a File
# ldclt -h localhost -p 389 -e bindeach,bindonly -e randombinddnfromfile=/tmp/testbind.txt
Binding with a random identity is useful if identities have been added from a generated LDIF or using -e add, where the accounts were added in a range. The ldclt tool can autogenerate values using X as a variable and incrementing through the specified range.
Example A.17. Random Binds from Random Base DN
# ldclt -h localhost -p 389 -e bindeach,bindonly -D "uid=XXXXX,dc=example,dc=com" -w testXXXXX -e randombinddn,randombinddnlow=0,randombinddnhigh=99999
A.1.5.8. Running Operations on Random Base DNs
Any operation can be run against randomly-selected base DNs. The trio of randombase parameters set the range of organizational units to select from. A variable in the -b base entry sets the format of the base DN.
-b "ou=DeptXXX,dc=example,dc=com" -e randombase,randombaselow=0,randombasehigh=999 ...
A.1.5.9. TLS Authentication
Every operation can be run over TLS to test secure authentication and performance for secure connections. There are two parameters required for TLS authentication.
- The connection parameters, -Z, which gives the path to the security databases for the Directory Server
- The execution parameters, cltcertname, keydbfile, and keydbpin, which contain the information that the server will prompt for to access the TLS databases
For example, this runs bind tests over TLS:
# ldclt -h host -p port -e bindeach,bindonly -Z certPath -e cltcertname=certName,keydbfile=filename,keydbpin=password
A.1.5.10. Abandon Operations
The -e abandon parameter opens and then cancels operations on the server. This can be run by itself or with other types of operations (like -e add or -e esearch).
# ldclt -e abandon -h localhost -p 389 -D "cn=Directory Manager" -w secret -v -q -b "ou=people,dc=example,dc=com"