ipa-ldap-updater(1)          FreeIPA Manual Pages          ipa-ldap-updater(1)

NAME
       ipa-ldap-updater - Update the IPA LDAP configuration

SYNOPSIS
       ipa-ldap-updater [options] input_file(s)
       ipa-ldap-updater [options]

DESCRIPTION
       ipa-ldap-updater is used to apply updates to the IPA LDAP server when
       the IPA packages are being updated. It is not intended to be executed
       by end-users.

       When run with no file arguments, ipa-ldap-updater will process all
       files with the extension .update in /usr/share/ipa/updates.

       An update file describes an LDAP entry and a set of operations to be
       performed on that entry. It can be used to add new entries or modify
       existing entries.

       Blank lines and lines beginning with # are ignored.

       There are 7 keywords:

           * default: the starting value
           * add: add a value (or values) to an attribute
           * remove: remove a value (or values) from an attribute
           * only: set an attribute to this
           * deleteentry: remove the entry
           * replace: replace an existing value, format is old: new
           * addifnew: add a new attribute and value only if the attribute
             doesn't already exist. Only works with single-value attributes.
           * addifexist: add a new attribute and value only if the entry
             exists. This is used to update optional entries.

       The values field is comma-separated, so multiple values may be added
       at one time. Double or single quotes may be put around individual
       values that contain embedded commas.

       The difference between the default and add keywords is that default
       is ignored if the DN of the entry already exists. So for updating
       something like schema, which will be under cn=schema, you must always
       use add (because cn=schema is guaranteed to exist). It will not re-add
       the same information again and again.

       The updater also provides some things that can be templated, such as
       architecture (for plugin paths), realm and domain name.

       The available template variables are:

           * $REALM - the Kerberos realm (EXAMPLE.COM)
           * $FQDN - the fully-qualified domain name of the IPA server being
             updated (ipa.example.com)
           * $DOMAIN - the domain name (example.com)
           * $SUFFIX - the IPA LDAP suffix (dc=example,dc=com)
           * $ESCAPED_SUFFIX - the LDAP-escaped IPA LDAP suffix
           * $LIBARCH - set to 64 on x86_64 systems to be used for plugin
             paths
           * $TIME - an integer representation of current time

       A few rules:

           1. Only one rule per line
           2. Each line stands alone (e.g. an only followed by an only results
              in the last only being used)
           3. Adding a value that exists is ok. The request is ignored,
              duplicate values are not added
           4. Removing a value that doesn't exist is ok. It is simply ignored.
           5. If a DN doesn't exist it is created from the 'default' entry and
              all updates are applied
           6. If a DN does exist the default values are skipped
           7. Only the first rule on a line is respected

       Adds and updates are applied from shortest to longest length of DN.
       Deletes are done from longest to shortest.

OPTIONS
       -d, --debug
              Enable debug logging when more verbose output is needed

       -t, --test
              Run through the update without changing anything. If changes
              are available then the command returns 2. If no updates are
              available it returns 0.

       -y     File containing the Directory Manager password

       -l, --ldapi
              Connect to the LDAP server using the ldapi socket

       -p, --plugins
              Execute update plugins as well as any update files. There is no
              way to execute only the plugins.

       -u, --upgrade
              Upgrade an installed server in offline mode (implies --ldapi and
              --plugins)

       -W, --password
              Prompt for the Directory Manager password

EXIT STATUS
       0 if the command was successful

       1 if an error occurred

       2 if run in test mode (-t) and updates are available

FreeIPA                          Sep 12 2008               ipa-ldap-updater(1)