1LDAPMODIFY(1) General Commands Manual LDAPMODIFY(1)
2
6 ldapmodify, ldapadd - LDAP modify entry and LDAP add entry tools
7
9 ldapmodify [-V[V]] [-d debuglevel] [-n] [-v] [-a] [-c] [-f file]
10 [-S file] [-M[M]] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile]
11 [-H ldapuri] [-h ldaphost] [-p ldapport] [-P {2|3}]
12 [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-o opt[=optparam]]
13 [-O security-properties] [-I] [-Q] [-N] [-U authcid] [-R realm] [-X au‐
14 thzid] [-Y mech] [-Z[Z]]
15 ldapadd [-V[V]] [-d debuglevel] [-n] [-v] [-c] [-f file] [-S file]
17 [-M[M]] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri]
18 [-h ldaphost] [-p ldapport] [-P {2|3}] [-e [!]ext[=extparam]]
19 [-E [!]ext[=extparam]] [-o opt[=optparam]] [-O security-properties]
20 [-I] [-Q] [-N] [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]]
21
23 ldapmodify is a shell-accessible interface to the ldap_add_ext(3),
24 ldap_modify_ext(3), ldap_delete_ext(3) and ldap_rename(3). library
25 calls. ldapadd is implemented as a hard link to the ldapmodify tool.
26 When invoked as ldapadd the -a (add new entry) flag is turned on auto‐
27 matically.
28 ldapmodify opens a connection to an LDAP server, binds, and modifies or
30 adds entries. The entry information is read from standard input or
31 from file through the use of the -f option.
32
34 -V[V] Print version info. If -VV is given, only the version informa‐
35 tion is printed.
36 -d debuglevel
38 Set the LDAP debugging level to debuglevel. ldapmodify must be
39 compiled with LDAP_DEBUG defined for this option to have any ef‐
40 fect.
41 -n Show what would be done, but don't actually modify entries.
43 Useful for debugging in conjunction with -v.
44 -v Use verbose mode, with many diagnostics written to standard out‐
46 put.
47 -a Add new entries. The default for ldapmodify is to modify exist‐
49 ing entries. If invoked as ldapadd, this flag is always set.
50 -c Continuous operation mode. Errors are reported, but ldapmodify
52 will continue with modifications. The default is to exit after
53 reporting an error.
54 -f file
56 Read the entry modification information from file instead of
57 from standard input.
58 -S file
60 Add or change records which were skipped due to an error are
61 written to file and the error message returned by the server is
62 added as a comment. Most useful in conjunction with -c.
63 -M[M] Enable manage DSA IT control. -MM makes control critical.
65 -x Use simple authentication instead of SASL.
67 -D binddn
69 Use the Distinguished Name binddn to bind to the LDAP directory.
70 For SASL binds, the server is expected to ignore this value.
71 -W Prompt for simple authentication. This is used instead of spec‐
73 ifying the password on the command line.
74 -w passwd
76 Use passwd as the password for simple authentication.
77 -y passwdfile
79 Use complete contents of passwdfile as the password for simple
80 authentication.
81 -H ldapuri
83 Specify URI(s) referring to the ldap server(s); only the proto‐
84 col/host/port fields are allowed; a list of URI, separated by
85 whitespace or commas is expected.
86 -h ldaphost
88 Specify an alternate host on which the ldap server is running.
89 Deprecated in favor of -H.
90 -p ldapport
92 Specify an alternate TCP port where the ldap server is listen‐
93 ing. Deprecated in favor of -H.
94 -P {2|3}
96 Specify the LDAP protocol version to use.
97 -e [!]ext[=extparam]
99 -E [!]ext[=extparam]
101 Specify general extensions with -e and modify extensions with
103 -E. ´!´ indicates criticality.
104 General extensions:
106 [!]assert=<filter> (an RFC 4515 Filter)
107 !authzid=<authzid> ("dn:<dn>" or "u:<user>")
108 [!]bauthzid (RFC 3829 authzid control)
109 [!]chaining[=<resolve>[/<cont>]]
110 [!]manageDSAit
111 [!]noop
112 ppolicy
113 [!]postread[=<attrs>] (a comma-separated attribute list)
114 [!]preread[=<attrs>] (a comma-separated attribute list)
115 [!]relax
116 sessiontracking
117 abandon,cancel,ignore (SIGINT sends abandon/cancel,
118 or ignores response; if critical, doesn't wait for SIGINT.
119 not really controls)
120 Modify extensions:
122 [!]txn[=abort|commit]
123 -o opt[=optparam]]
125 Specify any ldap.conf(5) option or one of the following:
127 nettimeout=<timeout> (in seconds, or "none" or "max")
128 ldif_wrap=<width> (in columns, or "no" for no wrapping)
129 -O security-properties
132 Specify SASL security properties.
133 -I Enable SASL Interactive mode. Always prompt. Default is to
135 prompt only as needed.
136 -Q Enable SASL Quiet mode. Never prompt.
138 -N Do not use reverse DNS to canonicalize SASL host name.
140 -U authcid
142 Specify the authentication ID for SASL bind. The form of the ID
143 depends on the actual SASL mechanism used.
144 -R realm
146 Specify the realm of authentication ID for SASL bind. The form
147 of the realm depends on the actual SASL mechanism used.
148 -X authzid
150 Specify the requested authorization ID for SASL bind. authzid
151 must be one of the following formats: dn:<distinguished name> or
152 u:<username>
153 -Y mech
155 Specify the SASL mechanism to be used for authentication. If
156 it's not specified, the program will choose the best mechanism
157 the server knows.
158 -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If
160 you use -ZZ, the command will require the operation to be suc‐
161 cessful.
162
164 The contents of file (or standard input if no -f flag is given on the
165 command line) must conform to the format defined in ldif(5) (LDIF as
166 defined in RFC 2849).
167
169 Assuming that the file /tmp/entrymods exists and has the contents:
170 dn: cn=Modify Me,dc=example,dc=com
172 changetype: modify
173 replace: mail
174 mail: modme@example.com
175 -
176 add: title
177 title: Grand Poobah
178 -
179 add: jpegPhoto
180 jpegPhoto:< file:///tmp/modme.jpeg
181 -
182 delete: description
183 -
184 the command:
186 ldapmodify -f /tmp/entrymods
188 will replace the contents of the "Modify Me" entry's mail attribute
190 with the value "modme@example.com", add a title of "Grand Poobah", and
191 the contents of the file "/tmp/modme.jpeg" as a jpegPhoto, and com‐
192 pletely remove the description attribute.
193 Assuming that the file /tmp/newentry exists and has the contents:
195 dn: cn=Barbara Jensen,dc=example,dc=com
197 objectClass: person
198 cn: Barbara Jensen
199 cn: Babs Jensen
200 sn: Jensen
201 title: the world's most famous mythical manager
202 mail: bjensen@example.com
203 uid: bjensen
204 the command:
206 ldapadd -f /tmp/newentry
208 will add a new entry for Babs Jensen, using the values from the file
210 /tmp/newentry.
211 Assuming that the file /tmp/entrymods exists and has the contents:
213 dn: cn=Barbara Jensen,dc=example,dc=com
215 changetype: delete
216 the command:
218 ldapmodify -f /tmp/entrymods
220 will remove Babs Jensen's entry.
222
224 Exit status is zero if no errors occur. Errors result in a non-zero
225 exit status and a diagnostic message being written to standard error.
226
228 ldapadd(1), ldapdelete(1), ldapmodrdn(1), ldapsearch(1), ldap.conf(5),
229 ldap(3), ldap_add_ext(3), ldap_delete_ext(3), ldap_modify_ext(3),
230 ldif(5)
231
233 The OpenLDAP Project <http://www.openldap.org/>
234
236 OpenLDAP Software is developed and maintained by The OpenLDAP Project
237 <http://www.openldap.org/>. OpenLDAP Software is derived from the Uni‐
238 versity of Michigan LDAP 3.3 Release.
239OpenLDAP 2.4.57 2021/01/18 LDAPMODIFY(1)