LDAPMODIFY(1)               General Commands Manual              LDAPMODIFY(1)

NAME
       ldapmodify, ldapadd - LDAP modify entry and LDAP add entry tools

SYNOPSIS
       ldapmodify [-V[V]] [-d debuglevel] [-n] [-v] [-a] [-c] [-f file]
       [-S file] [-M[M]] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile]
       [-H ldapuri] [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
       [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N]
       [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]]

       ldapadd [-V[V]] [-d debuglevel] [-n] [-v] [-c] [-f file] [-S file]
       [-M[M]] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri]
       [-P {2|3}] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
       [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N]
       [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]]

DESCRIPTION
       ldapmodify is a shell-accessible interface to the ldap_add_ext(3),
       ldap_modify_ext(3), ldap_delete_ext(3) and ldap_rename(3) library
       calls. ldapadd is implemented as a hard link to the ldapmodify tool.
       When invoked as ldapadd the -a (add new entry) flag is turned on
       automatically.

       ldapmodify opens a connection to an LDAP server, binds, and modifies or
       adds entries. The entry information is read from standard input or
       from file through the use of the -f option.

OPTIONS
       -V[V]  Print version info. If -VV is given, only the version
              information is printed.

       -d debuglevel
              Set the LDAP debugging level to debuglevel. ldapmodify must be
              compiled with LDAP_DEBUG defined for this option to have any
              effect.

       -n     Show what would be done, but don't actually modify entries.
              Useful for debugging in conjunction with -v.

       -v     Use verbose mode, with many diagnostics written to standard
              output.

       -a     Add new entries. The default for ldapmodify is to modify
              existing entries. If invoked as ldapadd, this flag is always set.

       -c     Continuous operation mode. Errors are reported, but ldapmodify
              will continue with modifications. The default is to exit after
              reporting an error.

       -f file
              Read the entry modification information from file instead of
              from standard input.

       -S file
              Add or change records which were skipped due to an error are
              written to file and the error message returned by the server is
              added as a comment. Most useful in conjunction with -c.

       -M[M]  Enable manage DSA IT control. -MM makes control critical.

       -x     Use simple authentication instead of SASL.

       -D binddn
              Use the Distinguished Name binddn to bind to the LDAP directory.
              For SASL binds, the server is expected to ignore this value.

       -W     Prompt for simple authentication. This is used instead of
              specifying the password on the command line.

       -w passwd
              Use passwd as the password for simple authentication.

       -y passwdfile
              Use complete contents of passwdfile as the password for simple
              authentication.

       -H ldapuri
              Specify URI(s) referring to the ldap server(s); only the
              protocol/host/port fields are allowed; a list of URI, separated
              by whitespace or commas is expected.

       -P {2|3}
              Specify the LDAP protocol version to use.

       -e [!]ext[=extparam]

       -E [!]ext[=extparam]

              Specify general extensions with -e and modify extensions with
              -E. '!' indicates criticality.

              General extensions:
                [!]assert=<filter>    (an RFC 4515 Filter)
                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
                [!]bauthzid           (RFC 3829 authzid control)
                [!]chaining[=<resolve>[/<cont>]]
                [!]manageDSAit
                [!]noop
                ppolicy
                [!]postread[=<attrs>] (a comma-separated attribute list)
                [!]preread[=<attrs>]  (a comma-separated attribute list)
                [!]relax
                sessiontracking[=<username>]
                abandon,cancel,ignore (SIGINT sends abandon/cancel,
                or ignores response; if critical, doesn't wait for SIGINT.
                not really controls)

              Modify extensions:
                [!]txn[=abort|commit]

       -o opt[=optparam]

              Specify any ldap.conf(5) option or one of the following:
                nettimeout=<timeout>  (in seconds, or "none" or "max")
                ldif_wrap=<width>     (in columns, or "no" for no wrapping)

       -O security-properties
              Specify SASL security properties.

       -I     Enable SASL Interactive mode. Always prompt. Default is to
              prompt only as needed.

       -Q     Enable SASL Quiet mode. Never prompt.

       -N     Do not use reverse DNS to canonicalize SASL host name.

       -U authcid
              Specify the authentication ID for SASL bind. The form of the ID
              depends on the actual SASL mechanism used.

       -R realm
              Specify the realm of authentication ID for SASL bind. The form
              of the realm depends on the actual SASL mechanism used.

       -X authzid
              Specify the requested authorization ID for SASL bind. authzid
              must be one of the following formats: dn:<distinguished name> or
              u:<username>

       -Y mech
              Specify the SASL mechanism to be used for authentication. If
              it's not specified, the program will choose the best mechanism
              the server knows.

       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
              you use -ZZ, the command will require the operation to be
              successful.

INPUT FORMAT
       The contents of file (or standard input if no -f flag is given on the
       command line) must conform to the format defined in ldif(5) (LDIF as
       defined in RFC 2849).

EXAMPLES
       Assuming that the file /tmp/entrymods exists and has the contents:

           dn: cn=Modify Me,dc=example,dc=com
           changetype: modify
           replace: mail
           mail: modme@example.com
           -
           add: title
           title: Grand Poobah
           -
           add: jpegPhoto
           jpegPhoto:< file:///tmp/modme.jpeg
           -
           delete: description
           -

       the command:

           ldapmodify -f /tmp/entrymods

       will replace the contents of the "Modify Me" entry's mail attribute
       with the value "modme@example.com", add a title of "Grand Poobah", and
       the contents of the file "/tmp/modme.jpeg" as a jpegPhoto, and
       completely remove the description attribute.

       Assuming that the file /tmp/newentry exists and has the contents:

           dn: cn=Barbara Jensen,dc=example,dc=com
           objectClass: person
           cn: Barbara Jensen
           cn: Babs Jensen
           sn: Jensen
           title: the world's most famous mythical manager
           mail: bjensen@example.com
           uid: bjensen

       the command:

           ldapadd -f /tmp/newentry

       will add a new entry for Babs Jensen, using the values from the file
       /tmp/newentry.

       Assuming that the file /tmp/entrymods exists and has the contents:

           dn: cn=Barbara Jensen,dc=example,dc=com
           changetype: delete

       the command:

           ldapmodify -f /tmp/entrymods

       will remove Babs Jensen's entry.
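
       An added example, not part of the OpenLDAP manual page or distribution:
       a shell pre-flight for a change file like the ones above. It lists entry
       deletions, attribute deletions and attr:< file references before anything
       is sent, then does a dry run and a StartTLS-protected apply. The function
       names and the LDAP_URI, BIND_DN and PW_FILE variables are assumptions; the
       sample LDIF is constructed from the records above.

```sh
# Added example, not OpenLDAP code. Function names, $LDAP_URI, $BIND_DN and
# $PW_FILE are assumptions; the sample LDIF is constructed from the page.
sample_ldif() {
cat <<'EOF'
dn: cn=Modify Me,dc=example,dc=com
changetype: modify
add: jpegPhoto
jpegPhoto:< file:///tmp/mod
 me.jpeg
-
delete: description
-

dn: cn=Barbara Jensen,dc=example,dc=com
changetype: delete
EOF
}

# Report entry deletions, attribute deletions and attr:< file references in
# LDIF on stdin. Folded lines are joined first; a base64 "dn::" is shown raw.
ldif_preflight() {
    awk '
    function emit(l,    p, val) {
        p = index(l, ":")
        if (l ~ /^#/ || p == 0) return        # comments, "-" and blank lines
        attr = tolower(substr(l, 1, p - 1)); val = substr(l, p + 1)
        if (substr(val, 1, 1) == "<") {       # value is read from a local file
            sub(/^< */, "", val); print "FILE-REF\t" dn "\t" substr(l, 1, p - 1) "\t" val; return
        }
        sub(/^ */, "", val)
        if (attr == "dn") dn = val
        else if (attr == "changetype" && tolower(val) == "delete") print "DELETE-ENTRY\t" dn
        else if (attr == "delete") print "DELETE-ATTR\t" dn "\t" val
    }
    /^ / { buf = buf substr($0, 2); next }    # continuation of the previous line
    { emit(buf); buf = $0 }
    END { emit(buf) }'
}

# -y uses the complete file contents: no trailing newline, owner-only mode.
write_pwfile() { ( umask 077; printf '%s' "$(cat)" > "$1" ); }

# Dry run (-n -v), then apply with StartTLS required (-ZZ), the password from
# a file (-y) rather than argv (-w), and rejected records kept (-c -S).
ldif_apply() {
    ldapmodify -n -v -f "$1" || return 1
    ldapmodify -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" \
        -c -S "$1.rejected" -f "$1"
}
```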

DIAGNOSTICS
       Exit status is zero if no errors occur. Errors result in a non-zero
       exit status and a diagnostic message being written to standard error.

SEE ALSO
       ldapadd(1), ldapdelete(1), ldapmodrdn(1), ldapsearch(1), ldap.conf(5),
       ldap(3), ldap_add_ext(3), ldap_delete_ext(3), ldap_modify_ext(3),
       ldif(5)

AUTHOR
       The OpenLDAP Project <http://www.openldap.org/>

ACKNOWLEDGEMENTS
       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>. OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.

OpenLDAP 2.6.6                     2023/07/31                    LDAPMODIFY(1)