How to use ldapdelete in OpenLDAP
Deleting entries in OpenLDAP requires care — especially in production environments where replication, access control and referential integrity come into play. This guide explains the correct, safe ways to use the ldapdelete command.
What ldapdelete Does
ldapdelete is part of the standard OpenLDAP client utilities. It performs LDAP Delete operations against a directory server to remove one or more entries, each identified by its Distinguished Name (DN).
It connects to an LDAP server using a URI (e.g., ldap://, ldaps://, or ldapi:///) and deletes the entries specified either directly on the command line or from a file or STDIN.
Basic Syntax
ldapdelete [options] [DN...]

Common options:
| Option | Description |
|---|---|
| -x | Use simple authentication instead of SASL |
| -H ldap://host | Server URI (ldap://, ldaps:// or ldapi:///) |
| -D "cn=admin,dc=example,dc=com" | Bind DN |
| -W | Prompt for the bind password |
| -w secret | Give the password on the command line (not recommended: it lands in shell history and is visible in the process list) |
| -n | Show what would be done without actually deleting anything (dry run) |
| -r | Recursively delete the entry and everything below it (dangerous; review the subtree first) |
| -f filename | Read the list of DNs to delete from a file, one per line |
| -v | Verbose output |
| -ZZ | Issue StartTLS and fail if it cannot be negotiated (for ldap:// URIs) |
Example Command
ldapdelete -x -H ldap://localhost -D "cn=admin,dc=example,dc=com" -W "uid=jdoe,ou=People,dc=example,dc=com"

This prompts for the password of cn=admin, binds with simple authentication, and deletes the uid=jdoe entry. The DN is quoted because it contains characters the shell would otherwise treat specially. Add -ZZ whenever the server is not reached over ldaps:// or a local ldapi:/// socket, so the password does not cross the network in clear text, and run the same command with -n first if you want to confirm the bind and the target before anything is removed.
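The -r option removes a whole subtree with no chance to review what goes. A safer procedure for bulk removal is to dump the subtree with ldapsearch, turn it into a list ordered children-first, inspect the list, and hand it to ldapdelete -f (optionally with -n for a dry run). The helper below is an added example written for this page, not part of OpenLDAP; the subtree ou=Old, the admin DN and the sample LDIF it processes are constructed assumptions. The ordering matters because a plain (non -r) delete of an entry that still has children is refused by the server.

```shell
#!/bin/sh
# Review-then-delete helper for removing a subtree without ldapdelete -r.
#
# 1. Dump the subtree, DNs only, with long lines left unwrapped:
#      ldapsearch -LLL -o ldif-wrap=no -x -ZZ -H ldap://localhost \
#        -D "cn=admin,dc=example,dc=com" -W \
#        -b "ou=Old,dc=example,dc=com" '(objectClass=*)' 1.1 > subtree.ldif
# 2. Order it deepest-first, review delete-list.txt by eye, then run
#      ldapdelete -x -ZZ -H ldap://localhost -D "cn=admin,dc=example,dc=com" -W -n -f delete-list.txt
#    and repeat without -n once the dry run looks right.

# Read LDIF on stdin and print one DN per line, children before parents,
# so that no entry is deleted while it still has children.
order_dns_for_delete() {
  LC_ALL=C awk '
    /^dn: / {
      dn = substr($0, 5)
      tmp = dn
      gsub(/\\,/, "", tmp)          # an escaped comma is part of an RDN value
      depth = gsub(/,/, ",", tmp)   # the remaining commas separate RDNs
      print depth "\t" dn
    }
    /^dn:: / {
      # base64-encoded DN (non-ASCII characters): decode it and add it by hand
      print "skipped base64-encoded DN: " substr($0, 6) | "cat 1>&2"
    }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 | cut -f2-
}

# Constructed sample of what ldapsearch prints for a small subtree
# (made up for this example, not taken from a real directory).
sample_ldif() {
  cat <<'EOF'
dn: ou=Old,dc=example,dc=com

dn: cn=Smith\, John,ou=Old,dc=example,dc=com

dn: ou=Team,ou=Old,dc=example,dc=com

dn: uid=jdoe,ou=Team,ou=Old,dc=example,dc=com

EOF
}

# Demo on the constructed sample; with real data use:
#   order_dns_for_delete < subtree.ldif > delete-list.txt
sample_ldif | order_dns_for_delete
```

The depth count treats `\,` as part of an RDN value, so "cn=Smith\, John" is not split in two. DNs that ldapsearch emits base64-encoded (`dn::`) are reported on stderr rather than silently dropped, since a missed entry would later make the parent delete fail.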
Access Control & Privileges
To delete an entry, the bound identity needs write access to the entry pseudo-attribute of the target entry and write access to the children pseudo-attribute of its parent (the manage privilege includes write). The rootdn of the database bypasses ACLs entirely and can delete anything, which is a reason to run routine cleanup under a less privileged account whose access is limited to the subtree it is meant to clean.
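An ACL that grants exactly those two rights to a dedicated cleanup account, as an added example that is not part of the original page or of OpenLDAP's documentation: the database name {1}mdb, the subtree ou=Old and the account cn=cleanup are assumptions. The rule is inserted at index {0} so it is evaluated first, and "by * break" lets every other identity fall through to the existing rules.

```shell
#!/bin/sh
# Emit an olcAccess change that lets cn=cleanup delete (and only delete
# within) ou=Old: write on 'entry' of the entries in the subtree and write
# on 'children' of their parents. The parent of ou=Old itself lies outside
# the subtree, so the account cannot remove ou=Old, only what is under it.
# Names are assumptions for this example.
emit_delete_acl() {
  cat <<'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=Old,dc=example,dc=com" attrs=entry,children
  by dn.exact="cn=cleanup,ou=Services,dc=example,dc=com" write
  by * break
EOF
}

# Apply over the local socket, authenticating as the server's own identity:
#   emit_delete_acl | ldapmodify -Y EXTERNAL -H ldapi:///
emit_delete_acl
```

Note that write on entry and children also permits add and modrdn inside the subtree; there is no finer-grained "delete only" privilege in slapd ACLs, so scope the rule to the smallest subtree that works.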
Integration With Replication
If you’re running syncrepl, a delete performed on the provider is replicated to the consumers like any other change, so there is nothing extra to do.
Never delete directly on a consumer: the entry stays on the provider, the consumer diverges from the provider's state, and the inconsistency can persist until the next full refresh. The only time this is acceptable is when you are deliberately decommissioning that replica.
For more information on ldapdelete, here is a link to the man page: https://linux.die.net/man/1/ldapdelete