ldapmodify and ldapadd

 

The LDAP modify-entry and LDAP add-entry command line utilities.

 

Synopsis

ldapmodify [-a] [-b] [-c] [-C charset] [-d debuglevel][-D binddn]
[-g] [-f file][-F][-g][-G realm] [-h ldaphost] [-i file] [-k] [-K keyfile]
[-m mechanism] [-M][-n][-N certificatename] [-O maxhops] [-p ldapport]
[-P keyfilepw] [-r] [-R][-U username] [-v] [-V] [-w passwd | ?] [-y proxydn]
[-Y] [-Z]


ldapadd [-a] [-b] [-c] [-C charset] [-d debuglevel] [-D binddn]
[-g] [-f file][-F][-g][-G realm] [-h ldaphost] [-i file] [-k] [-K keyfile]
[-m mechanism] [-M][-n][-N certificatename] [-O maxhops] [-p ldapport]
[-P keyfilepw] [-r] [-R][-U username] [-v] [-V] [-w passwd | ?] [-y proxydn]
[-Y] [-Z] 

 

Description

ldapmodify is a command-line interface to the ldap_modify, ldap_add, ldap_delete, and ldap_modrdn application programming interfaces (APIs). ldapadd is implemented as a renamed version of ldapmodify. When invoked as ldapadd, the -a (add new entry) flag is turned on automatically.

ldapmodify opens a connection to an LDAP server, and binds to the server. You can use ldapmodify to change or add entries. The entry information is read from standard input or from file through the use of the -i option.

To display syntax help for ldapmodify or ldapadd, type

ldapmodify -?

or

ldapadd -?

 

Options

-a

Add new entries. The default action for ldapmodify is to change existing entries. If invoked as ldapadd, this flag is always set.

-b

Assume that any values that start with a `/' are binary values and that the actual value is in a file whose path is specified in place of the value.

-c

Continuous operation mode. Errors are reported, but ldapmodify continues with modifications. Otherwise he default action is to exit after reporting an error.

-C charset

Specifies that strings supplied as input to the ldapmodify and ldapadd utilities are represented in a local character set as specified by charset, and must be converted to UTF-8. Use the -C charset ption if the input string codepage is different from the job codepage value. Refer to the ldap_set_iconv_local_charset() API to see supported charset values.

-d debuglevel

Set the LDAP debugging level to debuglevel.

-D binddn

Use binddn to bind to the LDAP directory. binddn is a string-represented DN. When used with -m DIGEST-MD5, it is used to specify the authorization ID. It can either be a DN, or an authzId string starting with "u:" or "dn:".

-f file

Read the entry modification information from an LDIF file instead of from standard input. If an LDIF file is not specified, use standard input to specify the update records in LDIF format.

-F

Force application of all changes regardless of the contents of input lines that begin with replica: (by default, replica: lines are compared against the LDAP server host and port in use to decide if a replication log record should actually be applied).

-g

Do not strip trailing spaces on attribute values.

–G

Specify the realm. This parameter is optional. When used with -m DIGEST-MD5, the value is passed to the server during the bind.

-h ldaphost

Specify an alternate host on which the ldap server is running.

-i file

Read the entry modification information from an LDIF file instead of from standard input. If an LDIF file is not specified, use standard input to specify the update records in LDIF format.

-k

Specifies to use server administration control.

-K keyfile

Specify the name of the SSL key database file with default extension of kdb. If the key database file is not in the current directory, specify the fully-qualified key database filename. If a key database filename is not specified, this utility will first look for the presence of the SSL_KEYRING environment variable with an associated filename. If the SSL_KEYRING environment variable is not defined, the system keyring file will be used, if present.

This parameter effectively enables the -Z switch. For Directory Server on i5/OS® if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.

-m mechanism

Use mechanism to specify the SASL mechanism to be used to bind to the server. The ldap_sasl_bind_s() API is used. The -m parameter is ignored if -V 2 is set. If -m is not specified, simple authentication is used. Valid mechanisms are:

  • CRAM-MD5 - protects the password sent to the server.

  • EXTERNAL - uses the SSL certificate. Requires -Z.

  • GSSAPI - uses the user's Kerberos credentials.

  • DIGEST-MD5 - requires that the client send a username value to the server. Requires -U. The -D parameter (usually the bind DN) is used to specify the authorization ID. It can be a DN, or an authzId string starting with u: or dn:.

  • OS400_PRFTKN - authenticates to the local LDAP server as the current i5/OS user using the DN of the user in the system projected backend. The -D (bind DN) and -w (password) parameters should not be specified.

-M

Manage referral objects as regular entries.

-n

Specify the no operation option to enable you to preview the result of the command you are issuing without actually performing the action on the directory. This option is especially useful with the -v option for debugging operations, if errors are encountered.

-N certificatename

Specify the label associated with the client certificate in the key database file. If the LDAP server is configured to perform server authentication only, a client certificate is not required. If the LDAP server is configured to perform client and server authentication, a client certificate might be required. certificatename is not required if a certificate/private key pair has been designated as the default for the key database file. Similarly, certificatename is not required if there is a single certificate/private key pair in the designated key database file. This parameter is ignored if neither -Z nor -K is specified. For Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.

-O maxhops

Specify maxhops to set the maximum number of hops that the client library takes when chasing referrals. The default hopcount is 10.

-p ldapport

Specify an alternate TCP port where the ldap server is listening. The default LDAP port is 389. If -p is not specified and -Z is specified, the default LDAP SSL port 636 is used.

-P keyfilepw

Specify the key database password. This password is required to access the encrypted information in the key database file, which might include one or more private keys. If a password stash file is associated with the key database file, the password is obtained from the password stash file, and the -P parameter is not required. This parameter is ignored if neither -Z nor -K is specified.

-r

Replace existing values by default.

-R

Specifies that referrals are not to be automatically followed.

–U

Specify the username. Required with -m DIGEST-MD5 and ignored with any other mechanism.

-v

Use verbose mode, with many diagnostics written to standard output.

-V version

Specifies the LDAP version to be used by ldapmodify when it binds to the LDAP server. By default, an LDAP V3 connection is established. To explicitly select LDAP V3, specify -V 3. Specify -V 2 to run as an LDAP V2 application.

-w passwd | ?

Use passwd as the password for authentication. Use the ? to generate a password prompt.

-y proxydn

Set proxied ID for proxied authorization option.

-Y

Use a secure LDAP connection (TLS).

-Z

Use a secure SSL connection to communicate with the LDAP server. For Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate associated with the Directory Services Client application ID will be used.

 

Input format

The contents of file (or standard input if no -i flag is given on the command line) should conform to the LDIF format.

 

Examples

Assuming that the file /tmp/entrymods exists and has the following contents:

dn: cn=Modify Me, o=University of Higher Learning, c=US changetype: modify replace: mail mail: modme@student.of.life.edu -
add: title title: Grand Poobah -
add: jpegPhoto jpegPhoto: /tmp/modme.jpeg -
delete: description -

the command:

ldapmodify -b -r -i /tmp/entrymods 

will replace the contents of the Modify Me entry's mail attribute with the value modme@student.of.life.edu, add a title of Grand Poobah, and the contents of the file /tmp/modme.jpeg as a jpegPhoto, and completely remove the description attribute. These same modifications can be performed using the older ldapmodify input format:

cn=Modify Me, o=University of Higher Learning, c=US mail=modme@student.of.life.edu +title=Grand Poobah +jpegPhoto=/tmp/modme.jpeg -description

and the command:

ldapmodify -b -r -i /tmp/entrymods 

Assuming that the file /tmp/newentry exists and has the following contents:

dn: cn=John Doe, o=University of Higher Learning, c=US objectClass: person cn: John Doe cn: Johnny sn: Doe title: the world's most famous mythical person mail: johndoe@student.of.life.edu uid: jdoe

the command:

ldapadd -i /tmp/entrymods

adds a new entry for John Doe, using the values from the file /tmp/newentry.

 

Notes

If entry information is not supplied from file through the use of the -i option, the ldapmodify command will wait to read entries from standard input.

 

Diagnostics

Exit status is 0 if no errors occur. Errors result in a non-zero exit status and a diagnostic message being written to standard error.

 

Parent topic:

Directory Server command line utilities

 

Related concepts


Suffix (naming context)
Lightweight Directory Access Protocol (LDAP) APIs
Directory Server configuration schema

 

Related reference


LDAP data interchange format (LDIF)