1LDAPMODIFY(1) General Commands Manual LDAPMODIFY(1)
2
3
4
6 ldapmodify, ldapadd - LDAP modify entry and LDAP add entry tools
7
9 ldapmodify [-V[V]] [-d debuglevel] [-n] [-v] [-a] [-c] [-f file]
10 [-S file] [-M[M]] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile]
11 [-H ldapuri] [-h ldaphost] [-p ldapport] [-P {2|3}]
12 [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-o opt[=optparam]]
13 [-O security-properties] [-I] [-Q] [-N] [-U authcid] [-R realm]
14 [-X authzid] [-Y mech] [-Z[Z]]
15
16 ldapadd [-V[V]] [-d debuglevel] [-n] [-v] [-c] [-f file] [-S file]
17 [-M[M]] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri]
18 [-h ldaphost] [-p ldapport] [-P {2|3}] [-e [!]ext[=extparam]]
19 [-E [!]ext[=extparam]] [-o opt[=optparam]] [-O security-properties]
20 [-I] [-Q] [-N] [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]]
21
23 ldapmodify is a shell-accessible interface to the ldap_add_ext(3),
24 ldap_modify_ext(3), ldap_delete_ext(3) and ldap_rename(3). library
25 calls. ldapadd is implemented as a hard link to the ldapmodify tool.
26 When invoked as ldapadd the -a (add new entry) flag is turned on auto‐
27 matically.
28
29 ldapmodify opens a connection to an LDAP server, binds, and modifies or
30 adds entries. The entry information is read from standard input or
31 from file through the use of the -f option.
32
34 -V[V] Print version info. If -VV is given, only the version informa‐
35 tion is printed.
36
37 -d debuglevel
38 Set the LDAP debugging level to debuglevel. ldapmodify must be
39 compiled with LDAP_DEBUG defined for this option to have any
40 effect.
41
42 -n Show what would be done, but don't actually modify entries.
43 Useful for debugging in conjunction with -v.
44
45 -v Use verbose mode, with many diagnostics written to standard out‐
46 put.
47
48 -a Add new entries. The default for ldapmodify is to modify exist‐
49 ing entries. If invoked as ldapadd, this flag is always set.
50
51 -c Continuous operation mode. Errors are reported, but ldapmodify
52 will continue with modifications. The default is to exit after
53 reporting an error.
54
55 -f file
56 Read the entry modification information from file instead of
57 from standard input.
58
59 -S file
60 Add or change records which were skipped due to an error are
61 written to file and the error message returned by the server is
62 added as a comment. Most useful in conjunction with -c.
63
64 -M[M] Enable manage DSA IT control. -MM makes control critical.
65
66 -x Use simple authentication instead of SASL.
67
68 -D binddn
69 Use the Distinguished Name binddn to bind to the LDAP directory.
70 For SASL binds, the server is expected to ignore this value.
71
72 -W Prompt for simple authentication. This is used instead of spec‐
73 ifying the password on the command line.
74
75 -w passwd
76 Use passwd as the password for simple authentication.
77
78 -y passwdfile
79 Use complete contents of passwdfile as the password for simple
80 authentication.
81
82 -H ldapuri
83 Specify URI(s) referring to the ldap server(s); only the proto‐
84 col/host/port fields are allowed; a list of URI, separated by
85 whitespace or commas is expected.
86
87 -h ldaphost
88 Specify an alternate host on which the ldap server is running.
89 Deprecated in favor of -H.
90
91 -p ldapport
92 Specify an alternate TCP port where the ldap server is listen‐
93 ing. Deprecated in favor of -H.
94
95 -P {2|3}
96 Specify the LDAP protocol version to use.
97
98 -e [!]ext[=extparam]
99
100 -E [!]ext[=extparam]
101
102 Specify general extensions with -e and modify extensions with
103 -E. ´!´ indicates criticality.
104
105 General extensions:
106 [!]assert=<filter> (an RFC 4515 Filter)
107 !authzid=<authzid> ("dn:<dn>" or "u:<user>")
108 [!]bauthzid (RFC 3829 authzid control)
109 [!]chaining[=<resolve>[/<cont>]]
110 [!]manageDSAit
111 [!]noop
112 ppolicy
113 [!]postread[=<attrs>] (a comma-separated attribute list)
114 [!]preread[=<attrs>] (a comma-separated attribute list)
115 [!]relax
116 sessiontracking
117 abandon,cancel,ignore (SIGINT sends abandon/cancel,
118 or ignores response; if critical, doesn't wait for SIGINT.
119 not really controls)
120
121 Modify extensions:
122 [!]txn[=abort|commit]
123
124 -o opt[=optparam]]
125
126 Specify general options.
127
128 General options:
129 nettimeout=<timeout> (in seconds, or "none" or "max")
130 ldif-wrap=<width> (in columns, or "no" for no wrapping)
131
132 -O security-properties
133 Specify SASL security properties.
134
135 -I Enable SASL Interactive mode. Always prompt. Default is to
136 prompt only as needed.
137
138 -Q Enable SASL Quiet mode. Never prompt.
139
140 -N Do not use reverse DNS to canonicalize SASL host name.
141
142 -U authcid
143 Specify the authentication ID for SASL bind. The form of the ID
144 depends on the actual SASL mechanism used.
145
146 -R realm
147 Specify the realm of authentication ID for SASL bind. The form
148 of the realm depends on the actual SASL mechanism used.
149
150 -X authzid
151 Specify the requested authorization ID for SASL bind. authzid
152 must be one of the following formats: dn:<distinguished name> or
153 u:<username>
154
155 -Y mech
156 Specify the SASL mechanism to be used for authentication. If
157 it's not specified, the program will choose the best mechanism
158 the server knows.
159
160 -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If
161 you use -ZZ, the command will require the operation to be suc‐
162 cessful.
163
165 The contents of file (or standard input if no -f flag is given on the
166 command line) must conform to the format defined in ldif(5) (LDIF as
167 defined in RFC 2849).
168
170 Assuming that the file /tmp/entrymods exists and has the contents:
171
172 dn: cn=Modify Me,dc=example,dc=com
173 changetype: modify
174 replace: mail
175 mail: modme@example.com
176 -
177 add: title
178 title: Grand Poobah
179 -
180 add: jpegPhoto
181 jpegPhoto:< file:///tmp/modme.jpeg
182 -
183 delete: description
184 -
185
186 the command:
187
188 ldapmodify -f /tmp/entrymods
189
190 will replace the contents of the "Modify Me" entry's mail attribute
191 with the value "modme@example.com", add a title of "Grand Poobah", and
192 the contents of the file "/tmp/modme.jpeg" as a jpegPhoto, and com‐
193 pletely remove the description attribute.
194
195 Assuming that the file /tmp/newentry exists and has the contents:
196
197 dn: cn=Barbara Jensen,dc=example,dc=com
198 objectClass: person
199 cn: Barbara Jensen
200 cn: Babs Jensen
201 sn: Jensen
202 title: the world's most famous mythical manager
203 mail: bjensen@example.com
204 uid: bjensen
205
206 the command:
207
208 ldapadd -f /tmp/newentry
209
210 will add a new entry for Babs Jensen, using the values from the file
211 /tmp/newentry.
212
213 Assuming that the file /tmp/entrymods exists and has the contents:
214
215 dn: cn=Barbara Jensen,dc=example,dc=com
216 changetype: delete
217
218 the command:
219
220 ldapmodify -f /tmp/entrymods
221
222 will remove Babs Jensen's entry.
223
225 Exit status is zero if no errors occur. Errors result in a non-zero
226 exit status and a diagnostic message being written to standard error.
227
229 ldapadd(1), ldapdelete(1), ldapmodrdn(1), ldapsearch(1), ldap.conf(5),
230 ldap(3), ldap_add_ext(3), ldap_delete_ext(3), ldap_modify_ext(3),
231 ldif(5)
232
234 The OpenLDAP Project <http://www.openldap.org/>
235
237 OpenLDAP Software is developed and maintained by The OpenLDAP Project
238 <http://www.openldap.org/>. OpenLDAP Software is derived from the Uni‐
239 versity of Michigan LDAP 3.3 Release.
240
241
242
243OpenLDAP 2.4.46 2018/03/22 LDAPMODIFY(1)