ipa-ldap-updater(1)          FreeIPA Manual Pages          ipa-ldap-updater(1)

NAME

       ipa-ldap-updater - Update the IPA LDAP configuration

SYNOPSIS

       ipa-ldap-updater [options] input_file(s)

DESCRIPTION

       ipa-ldap-updater is a utility that can be used to update the IPA LDAP
       server.

       An update file describes an LDAP entry and a set of operations to be
       performed on that entry. It can be used to add new entries or modify
       existing entries.

       Blank lines and lines beginning with # are ignored.

       There are 7 keywords:

           * default: the starting value
           * add: add a value to an attribute
           * remove: remove a value from an attribute
           * only: set an attribute to this
           * onlyifexist: set an attribute to this only if the entry exists
           * deleteentry: remove the entry
           * replace: replace an existing value, format is old::new
           * addifnew: add a new attribute and value only if the attribute
             doesn't already exist. Only works with single-value attributes.
           * addifexist: add a new attribute and value only if the entry
             exists. This is used to update optional entries.

       The difference between the default and add keywords is that if the DN
       of the entry exists, default is ignored. So for updating something like
       schema, which will be under cn=schema, you must always use add (because
       cn=schema is guaranteed to exist). It will not re-add the same
       information again and again.

       Some values can be templated, such as architecture (for plugin paths),
       realm and domain name.

       The available template variables are:

           * $REALM - the kerberos realm (EXAMPLE.COM)
           * $FQDN - the fully-qualified domain name of the IPA server being
             updated (ipa.example.com)
           * $DOMAIN - the domain name (example.com)
           * $SUFFIX - the IPA LDAP suffix (dc=example,dc=com)
           * $ESCAPED_SUFFIX - the ldap-escaped IPA LDAP suffix
           * $LIBARCH - set to 64 on x86_64 systems to be used for plugin
             paths
           * $TIME - an integer representation of current time

       For base64 encoded values a double colon ('::') must be used between
       attribute and value.

       Base64 format examples:
           add:binaryattr::d2UgbG92ZSBiYXNlNjQ=
           replace:binaryattr::SVBBIGlzIGdyZWF0::SVBBIGlzIHJlYWxseSBncmVhdA==

       A few rules:

          1. Only one rule per line
          2. Each line stands alone (e.g. an only followed by an only results
             in the last only being used)
          3. Adding a value that exists is ok. The request is ignored,
             duplicate values are not added
          4. Removing a value that doesn't exist is ok. It is simply ignored.
          5. If a DN doesn't exist it is created from the 'default' entry and
             all updates are applied
          6. If a DN does exist the default values are skipped
          7. Only the first rule on a line is respected

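       The rule-line syntax described above (keywords, the '::' base64
       marker, the old::new form of replace and the $ template variables), as
       an added Python example for reviewing what an update file will write
       before it is applied. It is not part of this manual page or FreeIPA's
       own code: parse_rule and SAMPLE_VARS are hypothetical names, the
       variable values are constructed samples, and it assumes deleteentry
       carries no attribute or value.

```python
import base64
from string import Template

# The keywords listed in DESCRIPTION (the separate plugin: keyword is not handled).
KEYWORDS = {"default", "add", "remove", "only", "onlyifexist", "deleteentry",
            "replace", "addifnew", "addifexist"}

# Constructed sample values (assumption) for some of the template variables.
SAMPLE_VARS = {"REALM": "EXAMPLE.COM", "FQDN": "ipa.example.com",
               "DOMAIN": "example.com", "SUFFIX": "dc=example,dc=com"}


def parse_rule(line, variables=SAMPLE_VARS):
    """Parse one rule line; return None for blank lines and # comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    keyword, _, rest = line.partition(":")
    if keyword not in KEYWORDS:
        raise ValueError(f"unknown keyword: {keyword!r}")
    if keyword == "deleteentry":
        # Assumption: deleteentry carries no attribute:value part.
        return {"keyword": keyword, "attr": None, "values": [], "base64": False}
    attr, sep, value = rest.partition(":")
    if not sep or not attr.strip():
        raise ValueError(f"expected keyword:attribute:value in {line!r}")
    is_b64 = value.startswith(":")  # attribute::value marks a base64 value
    if is_b64:
        value = value[1:]
    # replace carries two values in the form old::new
    parts = value.split("::", 1) if keyword == "replace" else [value]
    if keyword == "replace" and len(parts) != 2:
        raise ValueError(f"replace needs old::new in {line!r}")
    if is_b64:
        # validate=True rejects characters outside the base64 alphabet
        values = [base64.b64decode(p.strip(), validate=True) for p in parts]
    else:
        values = [Template(p.strip()).safe_substitute(variables) for p in parts]
    return {"keyword": keyword, "attr": attr.strip(), "values": values,
            "base64": is_b64}


if __name__ == "__main__":
    for sample in ("add:binaryattr::d2UgbG92ZSBiYXNlNjQ=",
                   "replace:binaryattr::SVBBIGlzIGdyZWF0::SVBBIGlzIHJlYWxseSBncmVhdA=="):
        print(parse_rule(sample))
```
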
       ipa-ldap-updater can execute update plugins. Plugins to be executed
       are specified with the following keyword in update files:
           * plugin: name of plugin

       This keyword is not bound to a DN, and plugin names have to be
       registered in the API.

       Additionally, ipa-ldap-updater can update the schema based on LDIF
       files. Any missing object classes and attribute types are added, and
       differing ones are updated to match the LDIF file. To enable this
       behavior, use the --schema-file option. Schema files should be in
       LDIF format, and may only specify attributeTypes and objectClasses
       attributes of cn=schema.

OPTIONS

       -d, --debug
              Enable debug logging when more verbose output is needed

       -u, --upgrade
              Upgrade an installed server in offline mode (implies --schema)

       -S, --schema-file
              Specify a schema file. May be used multiple times. Implies
              --schema.

EXIT STATUS

       0 if the command was successful

       1 if an error occurred

FreeIPA                           Sep 12 2008              ipa-ldap-updater(1)