ipa-ldap-updater(1) ipa-ldap-updater(1)

ipa-ldap-updater - Update the IPA LDAP configuration

ipa-ldap-updater [options] input_file(s)
ipa-ldap-updater [options]

Run with no file arguments, ipa-ldap-updater will process all files
with the extension .update in /usr/share/ipa/updates.

An update file describes an LDAP entry and a set of operations to be
performed on that entry. It can be used to add new entries or modify
existing entries. It cannot remove entries, just specific values in a
given attribute.

Blank lines and lines beginning with # are ignored.

There are 4 keywords:

* default: the starting value
* add: add a value (or values) to an attribute
* remove: remove a value (or values) from an attribute
* only: set an attribute to this

The value field is comma-separated, so multiple values may be added at
one time. Double or single quotes may be put around individual values
that contain embedded commas.

The difference between the default and add keywords is that default is
ignored if the DN of the entry already exists. So for updating something
like schema, which will be under cn=schema, you must always use add
(because cn=schema is guaranteed to exist). It will not re-add the same
information again and again.

It also provides some things that can be templated, such as architecture
(for plugin paths), realm and domain name.

The available template variables are:

* $REALM - the Kerberos realm (EXAMPLE.COM)
* $FQDN - the fully-qualified domain name of the IPA server being updated (ipa.example.com)
* $DOMAIN - the domain name (example.com)
* $SUFFIX - the IPA LDAP suffix (dc=example,dc=com)
* $LIBARCH - set to 64 on x86_64 systems to be used for plugin paths
* $TIME - an integer representation of current time

A few rules:

1. Only one rule per line
2. Each line stands alone (e.g. an only followed by an only results in the last only being used)
3. Adding a value that exists is OK. The request is ignored; duplicate values are not added
4. Removing a value that doesn't exist is OK. It is simply ignored.
5. If a DN doesn't exist it is created from the 'default' entry and all updates are applied
6. If a DN does exist the default values are skipped
7. Only the first rule on a line is respected

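The keyword rules above, modelled in Python as an added example; this is not ipa-ldap-updater's own code. The page does not show an update file, so the `dn:` line, the `keyword:attribute: values` line syntax, the order of template expansion, the sample entry and the function names are all assumptions.

```python
import copy
import shlex
from string import Template

SAMPLE = """\
# constructed sample, not a file shipped with IPA
dn: cn=editors,cn=groups,$SUFFIX
default:objectClass: top, groupOfNames
default:cn: editors
add:member: 'uid=alice,cn=users,$SUFFIX', "uid=bob,cn=users,$SUFFIX"
add:member: 'uid=alice,cn=users,$SUFFIX'
remove:member: 'uid=carol,cn=users,$SUFFIX'
only:description: first
only:description: Editors for $REALM
"""
VARS = {"SUFFIX": "dc=example,dc=com", "REALM": "EXAMPLE.COM"}

def split_values(field):
    """Split the comma-separated field; quotes protect embedded commas."""
    lex = shlex.shlex(field, posix=True)
    lex.whitespace, lex.whitespace_split = ",", True
    lex.commenters, lex.escape = "", ""      # keep '#' and backslash literal
    return [tok.strip() for tok in lex]

def apply_update(text, directory, variables):
    """Return a copy of directory ({dn: {attr: [values]}}) after the update."""
    result, entry, existed = copy.deepcopy(directory), None, False
    for raw in map(str.strip, text.splitlines()):
        if not raw or raw.startswith("#"):   # blank lines and comments are ignored
            continue
        # Assumption: templates expand before splitting, so DN values are quoted.
        line = Template(raw).safe_substitute(variables)
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            existed = dn in result           # decided before any rule is applied
            entry = result.setdefault(dn, {})
            continue
        keyword, attr, field = (p.strip() for p in line.split(":", 2))
        if keyword == "default" and existed: # rule 6: defaults skipped
            continue
        values, current = split_values(field), entry.get(attr, [])
        if keyword in ("default", "add"):    # rule 3: duplicates are not added
            entry[attr] = current + [v for v in values if v not in current]
        elif keyword == "remove":            # rule 4: absent values are ignored
            entry[attr] = [v for v in current if v not in values]
        elif keyword == "only":              # rule 2: the last only wins
            entry[attr] = values
        else:
            raise ValueError(f"unknown keyword {keyword!r}")
    return result
```

Applying `SAMPLE` once to an empty directory and once to a directory that already holds the DN shows the default/add difference: in the second case no objectClass is written, while the member and description rules still apply.
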
-d, --debug
Enable debug logging when more verbose output is needed

-t, --test
Run through the update without changing anything. If changes are
available then the command returns 2. If no updates are available
it returns 0.

-y File containing the Directory Manager password

0 if the command was successful

1 if an error occurred

2 if run in test mode (-t) and updates are available

freeipa Sep 12 2008 ipa-ldap-updater(1)