LDAPMODIFY(1)               General Commands Manual              LDAPMODIFY(1)

NAME
       ldapmodify, ldapadd - LDAP modify entry and LDAP add entry tools

SYNOPSIS
       ldapmodify [-a] [-c] [-S file] [-n] [-v] [-M[M]] [-d debuglevel]
       [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
       [-p ldapport] [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
       [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x]
       [-X authzid] [-Y mech] [-Z[Z]] [-f file]

       ldapadd [-c] [-S file] [-n] [-v] [-M[M]] [-d debuglevel] [-D binddn]
       [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
       [-p ldapport] [-P {2|3}] [-O security-properties] [-I] [-Q]
       [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]

DESCRIPTION
       ldapmodify is a shell-accessible interface to the ldap_add_ext(3),
       ldap_modify_ext(3), ldap_delete_ext(3) and ldap_rename(3) library
       calls. ldapadd is implemented as a hard link to the ldapmodify tool.
       When invoked as ldapadd the -a (add new entry) flag is turned on
       automatically.

       ldapmodify opens a connection to an LDAP server, binds, and modifies or
       adds entries. The entry information is read from standard input or
       from file through the use of the -f option.

OPTIONS
       -a     Add new entries. The default for ldapmodify is to modify
              existing entries. If invoked as ldapadd, this flag is always
              set.

       -c     Continuous operation mode. Errors are reported, but ldapmodify
              will continue with modifications. The default is to exit after
              reporting an error.

       -S file
              Add or change records which were skipped due to an error are
              written to file, and the error message returned by the server
              is added as a comment. Most useful in conjunction with -c.

       -n     Show what would be done, but don't actually modify entries.
              Useful for debugging in conjunction with -v.

       -v     Use verbose mode, with many diagnostics written to standard
              output.

       -M[M]  Enable manage DSA IT control. -MM makes control critical.

       -d debuglevel
              Set the LDAP debugging level to debuglevel. ldapmodify must be
              compiled with LDAP_DEBUG defined for this option to have any
              effect.

       -f file
              Read the entry modification information from file instead of
              from standard input.

       -x     Use simple authentication instead of SASL.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.
              For SASL binds, the server is expected to ignore this value.

       -W     Prompt for simple authentication. This is used instead of
              specifying the password on the command line.

       -w passwd
              Use passwd as the password for simple authentication.

       -y passwdfile
              Use complete contents of passwdfile as the password for simple
              authentication.

       -H ldapuri
              Specify URI(s) referring to the ldap server(s); only the
              protocol/host/port fields are allowed; a list of URIs,
              separated by whitespace or commas, is expected.

       -h ldaphost
              Specify an alternate host on which the ldap server is running.
              Deprecated in favor of -H.

       -p ldapport
              Specify an alternate TCP port where the ldap server is
              listening. Deprecated in favor of -H.

       -P {2|3}
              Specify the LDAP protocol version to use.

       -O security-properties
              Specify SASL security properties.

       -e [!]ext[=extparam]

       -E [!]ext[=extparam]

              Specify general extensions with -e and search extensions with
              -E. '!' indicates criticality.

              General extensions:
                [!]assert=<filter>    (an RFC 4515 Filter)
                [!]authzid=<authzid>  ("dn:<dn>" or "u:<user>")
                [!]manageDSAit
                [!]noop
                ppolicy
                [!]postread[=<attrs>] (a comma-separated attribute list)
                [!]preread[=<attrs>]  (a comma-separated attribute list)
                abandon, cancel (SIGINT sends abandon/cancel; not really controls)

              Search extensions:
                [!]domainScope                    (domain scope)
                [!]mv=<filter>                    (matched values filter)
                [!]pr=<size>[/prompt|noprompt]    (paged results/prompt)
                [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...] (server side sorting)
                [!]subentries[=true|false]        (subentries)
                [!]sync=ro[/<cookie>]             (LDAP Sync refreshOnly)
                        rp[/<cookie>][/<slimit>]  (LDAP Sync refreshAndPersist)

       -I     Enable SASL Interactive mode. Always prompt. Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode. Never prompt.

       -U authcid
              Specify the authentication ID for SASL bind. The form of the ID
              depends on the actual SASL mechanism used.

       -R realm
              Specify the realm of authentication ID for SASL bind. The form
              of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL bind. authzid
              must be one of the following formats: dn:<distinguished name> or
              u:<username>

       -Y mech
              Specify the SASL mechanism to be used for authentication. If
              it's not specified, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
              you use -ZZ, the command will require the operation to be
              successful.
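
       A wrapper around the simple-bind options above, as an added example
       that is not part of the OpenLDAP distribution: it writes the -y
       password file without a trailing newline, refuses a file that group or
       others can read, and requires StartTLS with -ZZ. The function names,
       host and DNs are hypothetical.

```shell
#!/bin/sh
# Added example; function names, host and DNs below are hypothetical.

# Write the bind password (read from stdin) for use with -y. ldapmodify uses
# the complete file contents, so no trailing newline may be stored.
write_bind_secret() {                 # $1 = passwdfile
    ( umask 077
      rm -f -- "$1"
      IFS= read -r pw || [ -n "$pw" ] || exit 1
      printf '%s' "$pw" > "$1" )
}

# Return 0 only if the file is non-empty, private to its owner, and does not
# end in a newline that would silently become part of the password.
check_bind_secret() {                 # $1 = passwdfile
    [ -s "$1" ] || { echo "$1: missing or empty" >&2; return 1; }
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] ||
        { echo "$1: readable by group/other" >&2; return 1; }
    [ -n "$(tail -c 1 -- "$1")" ] ||
        { echo "$1: ends with a newline" >&2; return 1; }
}

# Simple bind over StartTLS: -ZZ aborts if TLS cannot be negotiated (plain -Z
# would carry on), and -y keeps the password out of the argument list that
# -w would put it in. Remaining arguments (-n -v, -c -S file, -f file) pass
# through unchanged.
ldapmodify_tls() {                    # $1 uri, $2 binddn, $3 passwdfile, rest
    uri=$1 binddn=$2 secret=$3; shift 3
    check_bind_secret "$secret" || return 1
    ldapmodify -x -ZZ -H "$uri" -D "$binddn" -y "$secret" "$@"
}

# Usage (constructed values): dry run with -n -v first, then apply.
#   printf '%s\n' 'constructed-password' | write_bind_secret "$HOME/.ldap-secret"
#   ldapmodify_tls ldap://ldap.example.com 'cn=admin,dc=example,dc=com' \
#       "$HOME/.ldap-secret" -n -v -f /tmp/entrymods
```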

INPUT FORMAT
       The contents of file (or standard input if no -f flag is given on the
       command line) must conform to the format defined in ldif(5) (LDIF as
       defined in RFC 2849).

EXAMPLES
       Assuming that the file /tmp/entrymods exists and has the contents:

           dn: cn=Modify Me,dc=example,dc=com
           changetype: modify
           replace: mail
           mail: modme@example.com
           -
           add: title
           title: Grand Poobah
           -
           add: jpegPhoto
           jpegPhoto:< file:///tmp/modme.jpeg
           -
           delete: description
           -

       the command:

           ldapmodify -f /tmp/entrymods

       will replace the contents of the "Modify Me" entry's mail attribute
       with the value "modme@example.com", add a title of "Grand Poobah", and
       the contents of the file "/tmp/modme.jpeg" as a jpegPhoto, and
       completely remove the description attribute.

       Assuming that the file /tmp/newentry exists and has the contents:

           dn: cn=Barbara Jensen,dc=example,dc=com
           objectClass: person
           cn: Barbara Jensen
           cn: Babs Jensen
           sn: Jensen
           title: the world's most famous mythical manager
           mail: bjensen@example.com
           uid: bjensen

       the command:

           ldapadd -f /tmp/newentry

       will add a new entry for Babs Jensen, using the values from the file
       /tmp/newentry.

       Assuming that the file /tmp/entrymods exists and has the contents:

           dn: cn=Barbara Jensen,dc=example,dc=com
           changetype: delete

       the command:

           ldapmodify -f /tmp/entrymods

       will remove Babs Jensen's entry.
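
       A pre-flight summary for change files like the ones above, as an added
       example that is not part of OpenLDAP: it lists each record's changetype
       and DN, plus every attribute value that would be read from a local file
       through a ":<" URL, so deletes and file inclusions can be reviewed
       before the file is applied. ldif_preflight is a hypothetical helper; it
       goes beyond the three samples by unfolding continuation lines and
       taking the default changetype as a parameter.

```shell
#!/bin/sh
# Added example; ldif_preflight is a hypothetical helper, not an OpenLDAP tool.
# Prints "<changetype> <dn>" per change record, followed by one
# "  url <attr> <url>" line for each value given as a ":<" URL reference.
# $1 = LDIF file
# $2 = changetype assumed when a record has none
#      (modify for ldapmodify, add for ldapadd or ldapmodify -a)
ldif_preflight() {
    awk -v def="${2:-modify}" '
    function flush() {
        if (dn != "") {
            t = (ct != "") ? ct : def
            print t, dn; printf "%s", urls
        }
        dn = ct = urls = ""
    }
    function handle(l,   attr) {
        if (l ~ /^#/) return                      # comment
        if (l == "") { flush(); return }          # blank line ends a record
        # a base64 "dn::" value keeps its leading ":" in the output
        if (l ~ /^dn:/) { sub(/^dn: */, "", l); dn = l; return }
        if (l ~ /^changetype: */) { sub(/^changetype: */, "", l); ct = tolower(l); return }
        if (l ~ /^[^:]+:< */) {
            attr = l; sub(/:<.*/, "", attr); sub(/^[^:]+:< */, "", l)
            urls = urls "  url " attr " " l "\n"
        }
    }
    { sub(/\r$/, "") }
    /^ / { buf = buf substr($0, 2); next }        # folded continuation line
    { if (NR > 1) handle(buf); buf = $0 }
    END { if (NR > 0) handle(buf); flush() }
    ' "$1"
}

# Run as: sh preflight.sh /tmp/entrymods [add|modify]
if [ $# -gt 0 ]; then ldif_preflight "$@"; fi
```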

DIAGNOSTICS
       Exit status is zero if no errors occur. Errors result in a non-zero
       exit status and a diagnostic message being written to standard error.

SEE ALSO
       ldapadd(1), ldapdelete(1), ldapmodrdn(1), ldapsearch(1), ldap.conf(5),
       ldap(3), ldap_add_ext(3), ldap_delete_ext(3), ldap_modify_ext(3),
       ldif(5)

AUTHOR
       The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS
       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>. OpenLDAP Software is derived from
       University of Michigan LDAP 3.3 Release.

OpenLDAP 2.4.23                    2010/06/30                    LDAPMODIFY(1)