Directory Server provides the following command-line tools, which you can run in interactive, noninteractive, or script mode.
| For | Use this option | Example |
| --- | --- | --- |
| Information about arguments and subcommands; usage examples | --help | dsconfig --help |
| A list of subcommands | --help-subcommands | dsconfig --help-subcommands |
| More information about a subcommand | --help with the subcommand | dsconfig list-log-publishers --help |

Note: For detailed information and examples of the command-line tools, see the Ping Identity Directory Server Command-Line Tool Reference.
audit-data-security Perform an internal task that examines all or a subset of entries in the server, writing a series of reports on potential risks with the data. Reports are written to the output directory organized by backend name and audit items.
authrate Perform repeated authentications against Directory Server, where each authentication consists of a search to find a user followed by a bind to verify the credentials for that user.
backup Run full or incremental backups on one or more directory server backends. This tool also supports the use of a properties file to pass predefined command-line arguments. See Saving Options in a File for more information.
base64 Encode raw data using the base64 algorithm or decode base64-encoded data back to its raw representation.
collect-support-data Collect and package system information useful in troubleshooting problems. The information is packaged as a zip archive that can be sent to a technical support representative.
config-diff Generate a summary of the configuration changes in a local or remote server instance. The tool can be used to compare configuration settings when troubleshooting issues or when verifying configuration settings on new servers.
create-rc-script Create a Run Control (RC) script that you can use to start, stop, and restart the Directory Server on UNIX-based systems.
create-systemd-script Create a systemd script to start and stop the Directory Server on Linux-based systems.
dbtest Inspect the contents of Directory Server local DB backends that store their information in Berkeley DB Java Edition databases. Only backends of type local DB can be inspected by this tool.
deliver-one-time-password Submit a "deliver one-time password" extended request, OID, to the server, which results in the generation of a one-time password that is delivered out-of-band to the specified user. This tool can be used to test the UNBOUNDID-DELIVERED-OTP SASL mechanism.
deliver-password-reset-token Generate and deliver a single-use token to a user through some out-of-band mechanism. The user can provide that token to the password modify extended request in lieu of the user's current password in order to select a new password.
dsconfig View and edit the Directory Server configuration.
dsjavaproperties Configure the JVM arguments used to run the Directory Server and associated tools. Before launching the command, edit the properties file located in config/ to specify the desired JVM options and JAVA_HOME environment variable.
dsreplication Manage data replication between two or more Directory Server instances.
dump-dns Obtain a listing of all of the DNs for all entries below a specified base DN in the Directory Server.
encode-password Encode user passwords with a specified storage scheme or determine whether a given clear-text value matches a provided encoded password.
encrypt-file Encrypt or decrypt data using a key generated from a user-supplied passphrase, a key generated from an encryption settings definition, or a key shared among servers in the topology. The data to be processed can be read from a file or standard input, and the resulting data can be written to a file or standard output. You can use this command to encrypt and subsequently decrypt arbitrary data, or to decrypt encrypted backups, LDIF exports, and log files generated by the server.
encryption-settings Manage the server encryption settings database.
enter-lockdown-mode Request that the Directory Server enter lockdown mode, during which it only processes operations requested by users holding the lockdown-mode privilege.
export-ldif Export data from the Directory Server backend in LDIF form.
extract-data-recovery-log-changes Extract changes matching a given set of criteria from a Directory Server audit log so that they can be replayed (for example, as part of a disaster recovery process) or reverted (for example, to back out changes made in error).
generate-totp-shared-secret Generate a shared secret that you can use to generate time-based one-time password (TOTP) authentication codes for use in authenticating with the UNBOUNDID-TOTP SASL mechanism or with the validate TOTP password extended operation.
identify-references-to-missing-entries Identify entries containing one or more attributes that reference entries that do not exist. This might require the ability to perform unindexed searches and/or the ability to use the simple paged results control.
identify-unique-attribute-conflicts Identify unique attribute conflicts. The tool can identify values of one or more attributes that are supposed to exist only in a single entry but are found in multiple entries.
import-ldif Import LDIF data into the Directory Server backend.
indent-ldap-filter Parse a provided LDAP filter string and display it in a multiline form that makes it easier to understand its hierarchy and embedded components. If possible, it might also simplify the provided filter in certain ways (for example, by removing unnecessary levels of hierarchy, like an AND embedded in an AND).
ldap-debugger Intercept and decode LDAP communication.
ldap-diff Compare the contents of two LDAP servers.
ldap-result-code Display and query LDAP result codes.
ldapcompare Perform compare operations in the Directory Server. Compare operations can be used to efficiently determine whether a specified entry has a given value.
ldapdelete Delete one or more entries from an LDAP directory server. You can provide the DNs of the entries to delete using named arguments, as trailing arguments, from a file, or from standard input. Alternatively, you can identify entries to delete using a search base DN and filter.
ldapmodify Apply a set of add, delete, modify, and/or modify DN operations to a directory server. Supply the changes to apply in LDIF format, either from standard input or from a file specified with the ldifFile argument. Change records must be separated by at least one blank line.
ldappasswordmodify Update the password for a user in an LDAP directory server using the password modify extended operation (as defined in RFC 3062), a standard LDAP modify operation, or an Active Directory-specific modification.
ldapsearch Process one or more searches in the Directory Server.
ldif-diff Compare the contents of two files containing LDIF entries. The output is an LDIF file containing the add, delete, and modify change records needed to convert the data in the source LDIF file into the data in the target LDIF file.
ldifmodify Apply a set of changes (including add, delete, modify, and modify DN operations) to a set of entries contained in an LDIF file. The changes are read from a second file (containing change records rather than entries), and the updated entries are written to a third LDIF file. Unlike ldapmodify, ldifmodify cannot read the changes to apply from standard input.
ldifsearch Search one or more LDIF files to identify entries matching a given set of criteria.
leave-lockdown-mode Request that the Directory Server leave lockdown mode and resume normal operation.
list-backends List the backends and base DNs configured in Ping Identity Directory Server.
load-ldap-schema-file Load the schema definitions contained in a specified LDIF file into the schema for a running server. You can only use this command with a server instance running on the local system.
make-ldif Generate LDIF data based on a definition in a template file. For example template files, see the server's config/MakeLDIF directory. In particular, the examples-of-all-tags.template file shows how to use all of the tags for generating values.
manage-account Retrieve or update information about the current state of a user account. Processing is performed using the password policy state extended operation, and you must have the password-reset privilege to use this extended operation.
manage-certificates Manage certificates and private keys in a JKS or PKCS #12 key store.
manage-extension Install or update extension bundles. An extension bundle is a package of extensions that use the Server SDK to extend the functionality of the PingDirectory Server. Extension bundles are installed from a zip archive or file system directory. PingDirectory Server will be restarted if running to activate the extensions.
manage-profile Generate, compare, install, and replace server profiles.
manage-tasks Access information about pending, running, and completed tasks scheduled in the Directory Server.
manage-topology Manage the topology registry.
migrate-ldap-schema Migrate schema information from an existing LDAP server into a Ping Identity Directory Server instance.
migrate-sun-ds-config Update an instance of the Ping Identity Directory Server to match the configuration of an existing Sun Java System Directory Server 5.x, 6.x, or 7.x.
modrate Perform repeated modifications against an LDAP directory server.
move-subtree Move all entries in a specified subtree from one server to another.
parallel-update Perform add, delete, modify, and modify DN operations concurrently using multiple threads.
populate-composed-attribute-values Populate entries in one or more backends with attribute values generated by one or more composed attribute plugins.
profile-viewer View information in data files captured by the Directory Server profiler.
re-encode-entries Initiate a task that causes a local DB backend to re-encode all or a specified subset of the entries that it contains. The tool does not alter the entries themselves but provides a useful mechanism for applying significant changes to the way that entries are stored in the backend (for example, to apply encoding changes if a feature like data encryption or uncached attributes or entries is enabled).
rebuild-index Rebuild index data within a backend based on the Berkeley DB Java Edition. Note that this tool uses different approaches to rebuilding indexes depending on whether it is running in online mode (as a task) or with the server offline. Running in offline mode will often provide significantly better performance and require significantly less database cleaning, particularly for indexes containing keys that match a large number of entries and have high index entry limit and exploded index entry threshold values. Also note that rebuilding an index with the server online will prevent the server from using that index while the rebuild is in progress, so some searches might behave differently while a rebuild is active than when it is not.
register-yubikey-otp-device Register a YubiKey OTP device with the Directory Server for a specified user so that the device can be used to authenticate that user in conjunction with the UNBOUNDID-YUBIKEY-OTP SASL mechanism. Alternatively, it can be used to deregister one or more YubiKey OTP devices for a user so that they can no longer be used to authenticate that user.
reload-http-connection-handler-certificates Reload HTTPS Connection Handler certificates.
remove-backup Safely remove a backup and optionally all of its dependent backups from the specified Directory Server backend.
remove-defunct-server Remove a server from this server's topology.
replace-certificate Replace the listener certificate for this Ping Identity Directory Server instance.
restore Restore a backup of a Directory Server backend.
revert-update Revert this server package's most recent update.
review-license Review and/or indicate your acceptance of the license agreement defined in legal/LICENSE.txt.
rotate-log Trigger the rotation of one or more log files.
sanitize-log Sanitize the contents of a server log file to remove potentially sensitive information while still attempting to retain enough information to make it useful for diagnosing problems or understanding load patterns. The sanitization process operates on fields that consist of name-value pairs. The field name is always preserved, but field values might be tokenized or redacted if they might include sensitive information. Supported log file types include the file-based access, error, sync, and resync logs, as well as the operation timing access log and the detailed HTTP operation log. Sanitize the audit log using the scramble-ldif tool.
schedule-exec-task Schedule an exec task to run a specified command in the server. To run an exec task, a number of conditions must be satisfied: the server's global configuration must have been updated to include '' in the set of allowed-task values, the requester must have the exec-task privilege, and the command to execute must be listed in the exec-command-whitelist.txt file in the server's config directory. The absolute path (on the server system) of the command to execute must be specified as the first unnamed trailing argument to this program, and the arguments to provide to that command (if any) should be specified as the remaining trailing arguments. The server root is used as the command's working directory, so any arguments that represent relative paths are interpreted as relative to that directory.
search-and-mod-rate Perform repeated searches against an LDAP directory server and modify each entry returned.
search-logs Search across log files to extract lines matching the provided patterns, like the grep command-line tool. The benefits of using this tool over grep are its ability to handle multiline log messages, extract log messages within a given time range, and include rotated log files.
searchrate Perform repeated searches against an LDAP directory server.
server-state View information about the current state of the Directory Server process.
set-delegated-admin-aci Request that the Directory Server assign appropriate ACI for configured delegated administrators of the Delegated Admin API.
setup Perform the initial setup for a server instance.
start-server Start the Directory Server.
status Display basic server information.
stop-server Stop or restart the server.
subtree-accessibility List or update the set of subtree accessibility restrictions defined in the Directory Server.
sum-file-sizes Calculate the sum of the sizes for a set of files.
summarize-access-log Generate a summary of one or more access logs to display a number of metrics about operations processed within the server.
transform-ldif Apply one or more changes to entries or change records read from an LDIF file, writing the updated records to a new file. This tool can apply a variety of transformations, including scrambling attribute values, redacting attribute values, excluding attributes or entries, replacing existing attributes, adding new attributes, renaming attributes, and moving entries from one subtree to another.
uninstall Uninstall Ping Identity Directory Server.
update Update the Directory Server to a newer version by downloading and unzipping the new server install package on the same host as the server you wish to update. Then, use the update tool from the new server package to update the older version of the server. Before upgrading a server, you should ensure that it is capable of starting without severe or fatal errors. During the update process, the server is stopped if running, then the update is performed, and a check is made to determine if the newly updated server starts without major errors. If it cannot start cleanly, the update will be backed out and the server returned to its prior state. See the revert-update tool for information on reverting an update.
validate-acis Validate a set of access control definitions contained in an LDAP server (including Sun/Oracle DSEE instances) or an LDIF file to determine whether they are acceptable for use in the Directory Server. Note that the output generated by this tool will be in LDIF format, but each entry in the output will have exactly one ACI, so entries that have more than one ACI will appear multiple times in the output with different ACI values.
validate-file-signature Validate file signatures. For best results, file signatures should be validated by the same instance used to generate the file. However, it might be possible to validate signatures generated on other instances in a replicated topology.
validate-ldap-schema Validate an LDAP schema read from one or more LDIF files.
validate-ldif Validate the contents of an LDIF file against the server schema.
verify-index Verify that indexes in a backend using the Berkeley DB Java Edition are consistent with the entry data contained in the database.
watch-entry Launch a window to watch an LDAP entry for changes. If the entry changes, the background of modified attributes will temporarily be red. Attributes can be modified as well. This tool is primarily intended to demonstrate replication or synchronization functionality.