1LDAPMODIFY(1) General Commands Manual LDAPMODIFY(1)
2
6 ldapmodify, ldapadd - LDAP modify entry and LDAP add entry tools
7
9 ldapmodify [-a] [-c] [-S file] [-n] [-v] [-M[M]] [-d debuglevel]
10 [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
11 [-p ldapport] [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
12 [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x]
13 [-X authzid] [-Y mech] [-Z[Z]] [-f file]
14 ldapadd [-c] [-S file] [-n] [-v] [-M[M]] [-d debuglevel] [-D binddn]
16 [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldap‐
17 port] [-P {2|3}] [-O security-properties] [-I] [-Q] [-U authcid]
18 [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
19
21 ldapmodify is a shell-accessible interface to the ldap_add_ext(3),
22 ldap_modify_ext(3), ldap_delete_ext(3) and ldap_rename(3). library
23 calls. ldapadd is implemented as a hard link to the ldapmodify tool.
24 When invoked as ldapadd the -a (add new entry) flag is turned on auto‐
25 matically.
26 ldapmodify opens a connection to an LDAP server, binds, and modifies or
28 adds entries. The entry information is read from standard input or
29 from file through the use of the -f option.
30
32 -a Add new entries. The default for ldapmodify is to modify exist‐
33 ing entries. If invoked as ldapadd, this flag is always set.
34 -c Continuous operation mode. Errors are reported, but ldapmodify
36 will continue with modifications. The default is to exit after
37 reporting an error.
38 -S file
40 Add or change records which where skipped due to an error are
41 written to file and the error message returned by the server is
42 added as a comment. Most useful in conjunction with -c.
43 -n Show what would be done, but don't actually modify entries.
45 Useful for debugging in conjunction with -v.
46 -v Use verbose mode, with many diagnostics written to standard out‐
48 put.
49 -M[M] Enable manage DSA IT control. -MM makes control critical.
51 -d debuglevel
53 Set the LDAP debugging level to debuglevel. ldapmodify must be
54 compiled with LDAP_DEBUG defined for this option to have any
55 effect.
56 -f file
58 Read the entry modification information from file instead of
59 from standard input.
60 -x Use simple authentication instead of SASL.
62 -D binddn
64 Use the Distinguished Name binddn to bind to the LDAP directory.
65 For SASL binds, the server is expected to ignore this value.
66 -W Prompt for simple authentication. This is used instead of spec‐
68 ifying the password on the command line.
69 -w passwd
71 Use passwd as the password for simple authentication.
72 -y passwdfile
74 Use complete contents of passwdfile as the password for simple
75 authentication.
76 -H ldapuri
78 Specify URI(s) referring to the ldap server(s); only the proto‐
79 col/host/port fields are allowed; a list of URI, separated by
80 whitespace or commas is expected.
81 -h ldaphost
83 Specify an alternate host on which the ldap server is running.
84 Deprecated in favor of -H.
85 -p ldapport
87 Specify an alternate TCP port where the ldap server is listen‐
88 ing. Deprecated in favor of -H.
89 -P {2|3}
91 Specify the LDAP protocol version to use.
92 -O security-properties
94 Specify SASL security properties.
95 -e [!]ext[=extparam]
97 -E [!]ext[=extparam]
99 Specify general extensions with -e and search extensions with
101 -E. ´!´ indicates criticality.
102 General extensions:
104 [!]assert=<filter> (an RFC 4515 Filter)
105 [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
106 [!]manageDSAit
107 [!]noop
108 ppolicy
109 [!]postread[=<attrs>] (a comma-separated attribute list)
110 [!]preread[=<attrs>] (a comma-separated attribute list)
111 abandon, cancel (SIGINT sends abandon/cancel; not really controls)
112 Search extensions:
114 [!]domainScope (domain scope)
115 [!]mv=<filter> (matched values filter)
116 [!]pr=<size>[/prompt|noprompt] (paged results/prompt)
117 [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...] (server side sorting)
118 [!]subentries[=true|false] (subentries)
119 [!]sync=ro[/<cookie>] (LDAP Sync refreshOnly)
120 rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
121 -I Enable SASL Interactive mode. Always prompt. Default is to
123 prompt only as needed.
124 -Q Enable SASL Quiet mode. Never prompt.
126 -U authcid
128 Specify the authentication ID for SASL bind. The form of the ID
129 depends on the actual SASL mechanism used.
130 -R realm
132 Specify the realm of authentication ID for SASL bind. The form
133 of the realm depends on the actual SASL mechanism used.
134 -X authzid
136 Specify the requested authorization ID for SASL bind. authzid
137 must be one of the following formats: dn:<distinguished name> or
138 u:<username>
139 -Y mech
141 Specify the SASL mechanism to be used for authentication. If
142 it's not specified, the program will choose the best mechanism
143 the server knows.
144 -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If
146 you use -ZZ, the command will require the operation to be suc‐
147 cessful.
148
150 The contents of file (or standard input if no -f flag is given on the
151 command line) must conform to the format defined in ldif(5) (LDIF as
152 defined in RFC 2849).
153
155 Assuming that the file /tmp/entrymods exists and has the contents:
156 dn: cn=Modify Me,dc=example,dc=com
158 changetype: modify
159 replace: mail
160 mail: modme@example.com
161 -
162 add: title
163 title: Grand Poobah
164 -
165 add: jpegPhoto
166 jpegPhoto:< file:///tmp/modme.jpeg
167 -
168 delete: description
169 -
170 the command:
172 ldapmodify -f /tmp/entrymods
174 will replace the contents of the "Modify Me" entry's mail attribute
176 with the value "modme@example.com", add a title of "Grand Poobah", and
177 the contents of the file "/tmp/modme.jpeg" as a jpegPhoto, and com‐
178 pletely remove the description attribute.
179 Assuming that the file /tmp/newentry exists and has the contents:
181 dn: cn=Barbara Jensen,dc=example,dc=com
183 objectClass: person
184 cn: Barbara Jensen
185 cn: Babs Jensen
186 sn: Jensen
187 title: the world's most famous mythical manager
188 mail: bjensen@example.com
189 uid: bjensen
190 the command:
192 ldapadd -f /tmp/newentry
194 will add a new entry for Babs Jensen, using the values from the file
196 /tmp/newentry.
197 Assuming that the file /tmp/entrymods exists and has the contents:
199 dn: cn=Barbara Jensen,dc=example,dc=com
201 changetype: delete
202 the command:
204 ldapmodify -f /tmp/entrymods
206 will remove Babs Jensen's entry.
208
210 Exit status is zero if no errors occur. Errors result in a non-zero
211 exit status and a diagnostic message being written to standard error.
212
214 ldapadd(1), ldapdelete(1), ldapmodrdn(1), ldapsearch(1), ldap.conf(5),
215 ldap(3), ldap_add_ext(3), ldap_delete_ext(3), ldap_modify_ext(3),
216 ldif(5)
217
219 The OpenLDAP Project <http://www.openldap.org/>
220
222 OpenLDAP Software is developed and maintained by The OpenLDAP Project
223 <http://www.openldap.org/>. OpenLDAP Software is derived from Univer‐
224 sity of Michigan LDAP 3.3 Release.
225OpenLDAP 2.4.23 2010/06/30 LDAPMODIFY(1)