Appendix B. Testing Scripts Available with Directory Server

Red Hat Directory Server provides two scripts which can be used to test Directory Server performance in different stress or load conditions. The test scripts simulate different environments which allow administrators to assess configuration or machine changes before putting them in production.
Both ldclt and rsearch are located in the /usr/bin directory.

B.1. ldclt (Load Stress Tests)

The LDAP client script (ldclt) establishes multiple client connections to a server, under user-defined scenarios, to load-test the Directory Server. Client operations include directory adds, searches, modifies, modRDNs, and deletes, as well setup operations like generating LDIF files. Operations can be randomized — binding and unbinding as random users, performing random tasks — to simulate more realistic usage environments for the directory.
The ldclt tool measures the completion time of continuously-repeated operations to measure Directory Server performance. Using multiple threads makes it possible to test performance under high loads. Each test performs the same type of LDAP operation, but with different settings (like different user credentials, different attribute types or sizes, and different target subtrees).
Along with defining the LDAP operation variables, administrators can control the thread performance in order to set a specific load on the server.
The ldclt tool is specifically intended to be used for automated tests, so its options are extensive, flexible, and easily scripted, even for complex test operations.


Remember that ldclt is a load test, and therefore uses a significant amount of system resources. The tool uses a minimum of 8 MB of memory. Depending on the numbers of threads, types of operations, and other configuration settings, it can use much more memory.
Depending on the type of operations and the directory data used for those operations, ldclt may set its own resource limits. For information on managing system resource limits, see the man pages for ulimit and getrlimit.
The ldclt utility is located in the /usr/bin directory.

B.1.1. Syntax

ldlt [ -q | -Q | -v | -V ] [ -E max_errors ] [ -b base_DN ] [ -h host ] [ -p port ] [ -t timeout ] [ -D bind_DN ] [ -w password ] [ -o SASL_options ] [ -e execution_params ] [ -a max_pending ] [ -n number_of_threads ] [ -i inactivity_times ] [ -N number_of_samples ] [ -I error_code ] [ -T total_number_of_operations ] [ -r low_range ] [ -R high_range ] [ -f filter ] [ -s scope ] [ -S consumer ] [ -P supplier_port ] [ -W wait_time ] [ -Z certificate_file ]

B.1.2. ldclt Options

Table B.1. ldclt Options

Option Description
-a max_pending_ops Runs the tool in asynchronous mode with a defined maximum number of pending operations.
-b base_dn Gives the base DN to use for running the LDAP operation tests. If not given, the default value is dc=example,dc=com.
-D bind_dn Gives the bind DN for the ldclt utility to use to connect to the server.
-E max_errors Sets the maximum number of errors that are allowed to occur in test LDAP operations before the tool exits. The default is 1000.
-e execution_params Specifies the type of operation and other test environment parameters to use for the tests. The possible values for -e are listed in Table B.2, “Execution Parameters”. This option can accept multiple values, in a comma-separated list.
-f filter Gives an LDAP search filter to use for search testing.
-h Specifies the host name or IP address of the Directory Server to run tests against. If a host is not specified, ldclt uses the local host.
-I error_code Tells ldclt to ignore any errors encountered that match a certain response code. For example, -I 89 tells the server to ignore error code 89.
-i inactivity_times Sets a number of intervals that the tool can be inactive before exiting. By default, this setting is 3, which translates into 30 seconds (each operations interval being 10 seconds long).
-N number_of_samples Sets the number of iterations to run, meaning how many ten-second test periods to run. By default, this is infinite and the tool only exits when it is manually stopped.
-n number_of_threads Sets the number of threads to run simultaneously for operations. The default value is 10.
-o SASL_option Tells the tool to connect to the server using SASL and gives the SASL mechanism to use. The format is -o saslOption=value. saslOption can have one of six values:
  • mech, the SASL authentication mechanism
  • authid, the user who is binding to the server (Kerberos principal)
  • authzid, a proxy authorization (ignored by the server since proxy authorization is not supported)
  • secProp, the security properties
  • realm, the Kerberos realm
  • flags
The expected values depend on the supported mechanism. The -o can be used multiple times to pass all of the required SASL information for the mechanism. For example:
-o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"
-P master_port Gives the port to use to connect to a supplier server for replication testing. The default, if one is not given, is 16000.
-p port Gives the server port number of the Directory Server instance that is being tested.
-Q Runs the tool in "super" quiet mode. This ignores any errors that are encountered in operations run by ldclt.
-q Runs the tool in quiet mode.
-R number Sets the high number for a range.
-r number Sets the low number of a range.
-S consumer_name Gives the host name of a consumer server to connect to run replication tests.
-s scope Gives the search scope. As with ldapsearch, the values can be subtree, one, or base.
-T ops_per_thread Sets a maximum number of operations allowed per thread.
-t timeout Sets a timeout period for LDAP operations. The default is 30 seconds.
-V Runs the tool in very verbose mode.
-v Runs the tool in verbose mode.
-W wait_time Sets a time, in seconds, for the ldclt tool to wait after one operation finishes to start the next operation. The default is 0, which means there is no wait time.
-w password Gives the password to use, with the -D identity, to bind to the Directory Server for testing.
-Z /path/to/cert.db Enables TLS for the test connections and points to the file to use as the certificate database.
The -e option sets execution parameters for the ldclt test operations. Multiple parameters can be configured, in a comma-separated list. For example:
-e add,bindeach,genldif=/var/lib/dirsrv/slapd-instance/ldif/generated.ldif,inetOrgPerson

Table B.2. Execution Parameters

Parameter Description
abandon Initiates abandon operatons for asynchronous search requests.
add Adds entries to the directory (ldapadd).
append Appends entries to the end of the LDIF file generated with the genldif option.
ascii Generates ASCII 7-bit strings.
attreplace=name:mask Run modify operations that replace an attribute (name) in an existing entry.
attrlist=name:name:name Specifies a list of attributes to return in a search operation.
attrsonly=# Used with search operations, to set whether to read the attribute values. The possible values are 0 (read values) or 1 (do not read values).
bindeach Tells the ldclt tool to bind with each operation it attempts.
bindonly Tells the ldclt tool to only run bind/unbind operations. No other operation is performed.
close Tells the tool to close the connection rather than perform an unbind operation.
cltcertname=name Gives the name of the TLS client certificate to use for TLS connections.
commoncounter Makes all threads opened by the ldclt tool to share the same counter.
counteach Tells the tool to count each operation, not only successful ones.
delete Initiates delete operations.
deref Adds the dereference control to search operations (esearch). With adds, this tells ldclt to add the secretary attribute to new entries, to allow dereference searches.
dontsleeponserverdown Causes the tool to loop very fast if server down.
emailPerson This adds the emailPerson object class to generated entries. This is only valid with the add operation (-e add).
esearch Performs an exact search.
genldif=filename Generates an LDIF file to use with the operations.
imagesdir=path Gives a location for images to use with tests.
incr Enables incremental values.
inetOrgPerson This adds the inetOrgPerson object class to generated entries. This is only valid with the add operation (-e add).
keydbfile=file Contains the path and file name of the key database to use with TLS connections.
keydbpin=password Contains the token password to access the key database.
noglobalstats Tells the tool not to print periodical global statistics.
noloop Does not loop the incremental numbers.
object=filename Builds entry objects from an input file.
person This adds the person object class to generated entries. This is only valid with the add operation (-e add).
random Tells the ldclt utility to use all random elements, such as random filters and random base DNS.
randomattrlist=name:name:name Tells the ldclt utility to select random attributes from the given list.
randombase Tells the ldclt utility to select a random base DN from the directory.
randombaselow=value Sets the low value for the random generator.
randombasehigh=value Sets the high value for the random generator.
randombinddn Tells the ldclt utility to use a random bind DN.
randombinddnfromfile=file Tells the ldclt utility to use a random bind DN, selected from a file. Each entry in the file must have the appropriate DN–password pair.
randombinddnlow=value Sets the low value for the random generator.
randombinddnhigh=value Sets the high value for the random generator.
rdn=attrname:value Gives an RDN to use as the search filter. This is used instead of the -f filter.
referral=value Sets the referral behavior for operations. There are three options: on (allow referrals), off (disallow referrals), or rebind (attempt to connect again).
smoothshutdown Tells the ldclt utility not to shut down its main thread until the worker threads exit.
string Tells the ldclt utility to create random strings rather than random numbers.
v2 Tells the ldclt utility to use LDAPv2 for test operations.
withnewparent Performs a modRDN operation, renaming an entry with newparent set as an argument.
randomauthid Uses a random SASL authentication ID.
randomauthidlow=value Sets the low value for a random SASL authentication ID.
randomauthidhigh=value Sets the high value for the random SASL authentication ID.

B.1.3. Results from ldclt

ldclt continuously runs whatever operation is specified, over the specified number of threads. By default, it prints the performance statistics to the screen every ten (10) seconds.
The results show the average number of operations per thread and per second and then the total number of operations that were run in that ten-second window.
ldclt[process_id] Average rate: number_of_ops/thr (number_of_ops/sec), total: total_number_of_ops
For example:
ldclt[22774]: Average rate: 10298.20/thr  (15447.30/sec), total: 154473
ldclt prints cumulative averages and totals every 15 minutes and when the tool is exited.
ldclt[22774]: Global average rate: 821203.00/thr  (16424.06/sec), total: 12318045
ldclt[22774]: Global number times "no activity" reports: never
ldclt[22774]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[22774]: Ending at Wed Feb 24 18:39:38 2010
ldclt[22774]: Exit status 0 - No problem during execution.
Some operations (like adds) and using verbose output options like -v or -V output additional data to the screen. The kind of information depends on the type of operation, but it generally shows the thread performing the operation and the plug-ins called by the operation. For example:
ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret12 -e add,person,incr,noloop,commoncounter -r90000 -R99999 -f "cn=testXXXXX" -V

ldclt[11176]: T002: After ldap_simple_bind_s (cn=Directory Manager, secret12)
ldclt[11176]: T002: incremental mode:filter="cn=test00009"
ldclt[11176]: T002: tttctx->bufFilter="cn=test00009"
ldclt[11176]: T002: attrs[0]=("objectclass" , "person")
ldclt[11176]: T002: attrs[1]=("cn" , "test00009")
ldclt[11176]: T002: attrs[2]=("sn" , "toto sn")
ldclt[11176]: Average rate:   195.00/thr  (  195.00/sec), total:    1950
ldclt[10627]: Global average rate:  238.80/thr  (238.80/sec), total:   2388
ldclt[10627]: Global number times "no activity" reports: never
ldclt[10627]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[10627]: Ending at Tue Feb 23 11:46:04 2010
ldclt[10627]: Exit status 0 - No problem during execution.
Most errors are handled by ldclt without interrupting the test. Any fatal errors that are encountered are listed with the tool's exit status and returned in the cumulative total.
Global no error occurs during this session.
Any LDAP operations errors that occur are handled within the thread. A connection error kills the thread without affecting the overall test. The ldclt utility does count the number of times each LDAP error is encountered; if the total number of errors that are logged hits more than 1000 (by default), then the script itself will error out.
The way that ldclt responds to LDAP errors can be configured. Using the -E option sets a different threshold for the script to error out after encountering LDAP errors. Using the -I option tells the script to ignore the specified LDAP error codes in all threads. Changing the error exit limit and ignoring certain error codes can allow you to tweak and improve test scripts or test configuration.

B.1.4. Exiting ldclt and ldclt Exit Codes

The ldclt command runs indefinitely. The script can stop itself in a handful of situations, like encountering a fatal runtime or initialization error, hitting the limit of LDAP errors, having all threads die, or hitting the operation or time limit.
The statistics for the run are not displayed until the command completes, either through the script exiting or by a user terminating the script. There are two ways to interrupt the ldclt script.
  • Hitting control—backslash (^\) or kill -3 prints the current statistics without exiting the script.
  • Hitting control—C (^C) or kill -2 exits the script and prints the global statistics.
When the ldclt script exits or is interrupted, it returns an exit code along with the statistics and error information.

Table B.3. ldclt Exit Codes

Exit Code Description
0 Success (no errors).
1 An operation encountered a serious fatal error.
2 There was an error in the parameters passed with the tool.
3 The tool hit the maximum number of LDAP errors.
4 The tool could not bind to the Directory Server instance.
5 The tool could not load the TLS libraries to connect over TLS.
6 There was a multithreading (mutex) error.
7 There was an initialization problem.
8 The tool hit a resource limit, such as a memory allocation error.
99 The script encountered an unknown error.

B.1.5. Usage Scenarios

These provide general examples of using ldclt to test Directory Server. Test scripts with more complex examples are available in the ldclt source files. This can be downloaded from the 389 Directory Server Project,
Every ldclt command requires a set of execution parameters (which varies depending on the type of test) and connection parameters (which are the same for every type of operation). For example:
# ldclt -e execution_parameters -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com"
When ldclt runs, it first prints all of the configured parameters for that test.
Process ID         = 1464
Host to connect    = localhost
Port number        = 389
Bind DN            = cn=Directory Manager
Passwd             = secret
Referral           = on
Base DN            = ou=people,dc=example,dc=com
Filter             = "cn=MrXXX"
Max times inactive = 3
Max allowed errors = 1000
Number of samples  = -1
Number of threads  = 10
Total op. req.     = -1
Running mode       = 0xa0000009
Running mode       = quiet verbose random exact_search
LDAP oper. timeout = 30 sec
Sampling interval  = 10 sec
Scope              = subtree
Attrsonly          = 0
Values range       = [0 , 1000000]
Filter's head      = "cn=Mr"
Filter's tail      = ""

B.1.5.1. Generating LDIFs

The ldclt tool itself can be used to generate LDIF files that can be used for testing.


When generating an LDIF file, the ldclt tool does not attempt to connect to a server or run any operations.
Generating an LDIF file requires a basic template file that the tool uses to create entries (-e object), and then a specified output file (-e genldif).
The template file can give explicit values for entry attributes or can use variables. If you want a simple way to supply unique values for entry attributes, the /usr/share/dirsrv/data directory contains three data files to generate surnames, first names, and organizational units. These lists of values can be used to create test users and directory trees (dbgen-FamilyNames, dbgen-GivenNames, and dbgen-OrgUnits, respectively). These files can be used with the rndfromfile, incrfromfile, or incrfromfilenoloop options.
The basic format of the template file is:
# comment

attribute: string | variable=keyword(value)
The variable can be any letter from A to H. The possible keywords are listed in Table B.4, “ldclt Template LDIF File Keywords”
Some variables and keywords can be passed with the -e object option and other available parameters (like rdn).
-e object=inet.txt,rdn='uid:[A=INCRNNOLOOP(0;99999;5)]'

Table B.4. ldclt Template LDIF File Keywords

Keyword Description Format
RNDN Generates a random value within the specified range (low - high) and of the given length. RNDN(low;high;length)
RNDFROMFILE Pulls a random value from any of the ones available in the specified file. RNDFROMFILE(filename)
INCRN Creates sequential values within the specified range (low - high) and of the given length. INCRN(low;high;length)
INCRNOLOOP Creates sequential values within the specified range (low - high) and of the given length — without looping through the incremental range. INCRNOLOOP(low;high;length)
INCRFROMFILE Creates values by incrementing through the values in the specified file. INCRFROMFILE(filename)
INCRFROMFILENOLOOP Creates values by incrementing through the values in the file, without looping back through the values. INCRFROMFILENOLOOP(filename)
RNDS Generates random values of a given length. RNDS(length)
For example, this template file pulls names from sample files in the /usr/share/dirsrv/data and builds other attributes dynamically.

Example B.1. Example Template File

objectclass: inetOrgPerson
sn: [B=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-FamilyNames)]
cn: [C=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-GivenNames)] [B]
password: test[A]
description: user id [A]
mail: [C].[B]
telephonenumber: (555) [RNDN(0;999;3)]-[RNDN(0;9999;4)]
The ldclt command, then, uses that template to build an LDIF file with 100,000 entries:
# ldclt -b "ou=people,dc=csb" -e object=inet.txt,rdn='uid:[A=INCRNNOLOOP(0;99999;5)]' -e genldif=100Kinet.ldif,commoncounter

B.1.5.2. Adding Entries

The ldclt tool can add entries that match either of two templates:
  • person
  • inetorgperson
The -f filter sets the format of the naming attribute for the user entries. For example, -f "cn=MrXXXXX" creates a name like -f "cn=Mr01234". Using the person or inetorgperson parameter with -f creates a basic entry.
objectclass: person
sn: ex sn
cn: Mr01234
More complex entries (which are good for search and modify testing) can be created using the rdn parameter and an object file. The full range of options for the entries is covered in Section B.1.5.1, “Generating LDIFs”. The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
-e rdn='uid:[A=INCRNNOLOOP(0;99999;5)]',object=inet.txt
The ldclt tool creates entries in a numeric sequence. That means that the method of adding those entries and of counting the sequence have to be defined as well. Some possible options for this include:
  • -r and -R to set the numeric range for entries
  • incr or random to set the method of assigning numbers (these are only used with -f)
  • -r and -R to set the numeric range for entries
  • noloop, to stop the add operations when it hits the end of the range rather than looping back

Example B.2. Adding Entries

# ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret -e add,person,incr,noloop,commoncounter -r0 -R99999 -f "cn=MrXXXXX" -v -q
The add operation can also be used to build a directory tree for more complex testing. Whenever an entry is added to the directory that belongs to a non-existent branch, the ldclt tool automatically creates that branch entry.


The first time that an entry is added that is the child of non-existent branch, the branch entry is added to the directory. However, the entry itself is not added. Subsequent entries will be added to the new branch.
For a branch entry to be added automatically, its naming attribute must be cn, o, or ou.

Example B.3. Creating the Directory Tree

# ldclt -b ou=DeptXXX,dc=example,dc=com -D "cn=Directory Manager" -w secret -e add,person,incr,noloop,commoncounter -r0 -R99999 -f "cn=MrXXXXX" -v -q

B.1.5.4. Modify Operations

The attreplace execution parameter replaces specific attributes in the entries.
The modify operation uses the RDN filter to search for the entries to update. The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.

Example B.9. Modify Operation

# ldclt -h localhost  -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -e rdn='uid:[RNDN(0;99999;5)]' -I 32 -e attreplace='description: random modify XXXXX'

B.1.5.5. modrdn Operations

The ldclt command supports two kinds of modrdn operations:
  • Renaming entries
  • Moving an entry to a new parent
The ldclt utility creates the new entry name or parent from a randomly-selected DN.
The basic rename operation requires three execution parameters:
  • rename
  • rdn='pattern'
  • object=file
The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.

Example B.10. Simple Rename Operation

# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -I 32 -I 68 -e rename,rdn='uid:[RNDN(0;999;5)]',object="inet.txt"
Using the withnewparent execution parameter renames the entry and moves it beneath a new parent entry. If the parent entry does not exist, then the ldclt tool creates it.[3]

Example B.11. Renaming an Entry and Moving to a New Parent

# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret12 -b "ou=DeptXXX,dc=example,dc-com" -I 32 -I 68 -e rename,withnewparent,rdn='uid:Mr[RNDN(0;99999;5)]',object="inet.txt"

B.1.5.6. Delete Operations

The ldclt delete operation is exactly the reverse of the add operation. As with the add, delete operations can remove entries in several different ways:
  • Randomly (-e delete,random)
  • RDN-ranges (-e delete,rdn=[pattern])
  • Sequentially (-e delete,incr)
Random deletes are configured to occur within the specified range of entries. This requires the following options:
  • -e delete,random
  • -r and -R for the range bounds
  • -f for the filter to match the entries

Example B.12. Random Delete Operations

# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,random -r0 -R99999 -f "uid=XXXXXX" -I 32 -v -q
RDN-based deletes use the rdn execution parameter with a keyword (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file. This format requires three execution parameters:
  • -e delete
  • -e rdn='pattern'
  • -e object='file'

Example B.13. RDN-Based Delete Operations

# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,rdn='uid:[INCRNNOLOOP(0;99999;5)]',object="inet.txt" -I 32 -v -q
The last delete operation format is much like the random delete format, only it moves sequentially through the given range, rather than randomly:
  • -e delete,incr
  • -r and -R for the range bounds
  • -f for the filter to match the entries

Example B.14. Sequential Delete Operations

# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,incr -r0 -R99999 -f "uid=XXXXXX" -I 32 -v -q

B.1.5.7. Bind Operations

By default, each ldclt thread binds once to the server and then runs all of its operations in a single session. The -e bindeach can be used with any other operation to instruct the ldclt tool to bind for each operation and then unbind before initiating the next operation.
-e add,bindeach ...
To test only bind and unbind operations, use the -e bindeach,bindonly execution parameters and no other operation information. For example:
# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -e bindeach,bindonly -e bind_info
The bind operation can specify a single user to use for testing by using the -D and -w user name-password pair in the connection parameters.


Use the -e close option with the bind parameters to test the affect that dropping connections has on the Directory Server, instead of unbinding cleanly.

Example B.15. Bind Only and Close Tests

# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -e bindeach,bindonly,close
There are also execution parameters which can be used to select a random bind identity from a given file (randombinddnfromfile) or using a DN selected randomly from within a range (-e randombinddn,randombinddnlow=X,randombinddnhigh=Y).

Example B.16. Random Binds from Identities in a File

# ldclt -h localhost -p 389 -e bindeach,bindonly -e randombinddnfromfile=/tmp/testbind.txt 
Binding with a random identity is useful if identities have been added from a generated LDIF or using -e add, where the accounts were added in a range. The ldclt tool can autogenerate values using X as a variable and incrementing through the specified range.

Example B.17. Random Binds from Random Base DN

# ldclt -h localhost -p 389 -e bindeach,bindonly -D "uid=XXXXX,dc=example,dc=com" -w testXXXXX -e randombinddn,randombinddnlow=0,randombinddnhigh=99999

B.1.5.8. Running Operations on Random Base DNs

Any operation can be run against randomly-selected base DNs. The trio of randombase parameters set the range of organizational units to select from. A variable in the -b base entry sets the format of the base DN.
-b "ou=DeptXXX,dc=example,dc=com" -e randombase,randombaselow=0,randombasehigh=999 ...

B.1.5.9. TLS Authentication

Every operation can be run over TLS to test secure authentication and performance for secure connections. There are two parameters required for TLS authentication.
  • The connection parameters, -Z, which gives the path to the security databases for the Directory Server
  • The execution parameters, cltcertname, keydbfile, and keydbpin, which contains the information that the server will prompt to access the TLS databases
For example, this runs bind tests over TLS:
# ldclt -h host -p port -e bindeach,bindonly -Z certPath -e cltcertname=certName,keydbfile=filename,keydbpin=password

B.1.5.10. Abandon Operations

The -e abandon parameter opens and then cancels operations on the server. This can be run by itself or with other types of operations (like -e add or -e esearch).
# ldclt -e abandon -h localhost -p 389 -D "cn=Directory Manager" -w secret -v -q -b "ou=people,dc=example,dc=com"

[3] As with the add operation, the first time that the parent is referenced by the tool, the parent entry is created, but the entry which prompted the add operation is not created.