ldapmodify — perform LDAP modify, add, delete, mod DN operations
ldapmodify
[changes_files ...]
This utility can be used to perform LDAP modify, add, delete, and modify DN operations in the Directory Server. When not using file(s) to specify modifications, end your input with EOF (Ctrl+D on UNIX, Ctrl+Z on Windows).
The ldapmodify command takes the following options:
Command options:
-a | --defaultAdd
Legacy argument for ForgeRock OpenDJ compatibility.
Default: false
--assertionFilter {filter}
Use the LDAP assertion control with the provided filter.
-c | --continueOnError
Continue processing even if there are errors.
Default: false
--connectTimeout {timeout}
Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default: 30000
-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}
Use a request control with the provided information.
For some controloid
values,
you can replace object identifiers with user-friendly strings.
The strings are listed here in lower case, but the case is not important.
You can use camelCase if you prefer, for example.
accountusable
accountusability
Account Usability Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
authzid
authorizationidentity
Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16
effectiverights
geteffectiverights
Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
managedsait
Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2
noop
no-op
No-Op Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2
pwpolicy
passwordpolicy
Password Policy Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
realattrsonly
realattributesonly
Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17
subtreedelete
treedelete
Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805
virtualattrsonly
virtualattributesonly
Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19
-n | --dry-run
Show what would be done but do not perform any operation.
Default: false
--postReadAttributes {attrList}
Use the LDAP ReadEntry post-read control.
--preReadAttributes {attrList}
Use the LDAP ReadEntry pre-read control.
-Y | --proxyAs {authzID}
Use the proxied authorization control with the given authorization ID.
LDAP connection options:
-D | --bindDN {bindDN}
DN to use to bind to the server.
Default:
-E | --reportAuthzID
Use the authorization identity control.
Default: false
-h | --hostname {host}
The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
Default: localhost.localdomain
-j | --bindPasswordFile {bindPasswordFile}
Bind password file.
-K | --keyStorePath {keyStorePath}
Certificate key store path.
-N | --certNickname {nickname}
Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
-o | --saslOption {name=value}
SASL bind options.
-p | --port {port}
Directory server port number.
Default: 389
-P | --trustStorePath {trustStorePath}
Certificate trust store path.
-q | --useStartTLS
Use StartTLS to secure communication with the server.
Default: false
-T | --trustStorePassword {trustStorePassword}
Certificate trust store PIN.
-u | --keyStorePasswordFile {keyStorePasswordFile}
Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
-U | --trustStorePasswordFile {path}
Certificate trust store PIN file.
--usePasswordPolicyControl
Use the password policy request control.
Default: false
-w | --bindPassword {bindPassword}
Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
-W | --keyStorePassword {keyStorePassword}
Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
-X | --trustAll
Trust all server SSL certificates.
Default: false
-Z | --useSSL
Use SSL for secure communication with the server.
Default: false
Utility input/output options:
--noPropertiesFile
No properties file will be used to get default command line argument values.
Default: false
--propertiesFilePath {propertiesFilePath}
Path to the file containing default property values used for command line arguments.
-v | --verbose
Use verbose mode.
Default: false
General options:
-V | --version
Display Directory Server version information.
Default: false
-H | --help
Display this usage information.
Default: false
The command completed successfully.
ldap-error
An LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
An error occurred while parsing the command-line arguments.
You can use ~/.opendj/tools.properties
to set the defaults for bind DN, host name, and port number
as in the following example.
hostname=directory.example.com port=1389 bindDN=uid=kvaughan,ou=People,dc=example,dc=com ldapcompare.port=1389 ldapdelete.port=1389 ldapmodify.port=1389 ldappasswordmodify.port=1389 ldapsearch.port=1389
The following example demonstrates use of the command to add an entry to the directory:
$cat newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com uid: newuser facsimileTelephoneNumber: +1 408 555 1213 objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top givenName: New cn: New User cn: Real Name telephoneNumber: +1 408 555 1212 sn: Jensen roomNumber: 1234 homeDirectory: /home/newuser uidNumber: 10389 mail: newuser@example.com l: South Pole ou: Product Development ou: People gidNumber: 10636
$ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery newuser.ldif
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com
The following listing shows a UNIX shell script that adds a user entry:
#!/bin/sh # # Add a new user with the ldapmodify utility. # usage(){ echo "Usage: $0 uid firstname lastname" exit 1 } [[ $# -lt 3 ]] && usage LDAPMODIFY=/path/to/opendj/bin/ldapmodify HOST=opendj.example.com PORT=1389 ADMIN=uid=kvaughan,ou=people,dc=example,dc=com PWD=bribery $LDAPMODIFY -h $HOST -p $PORT -D $ADMIN -w $PWD <<EOF dn: uid=$1,ou=people,dc=example,dc=com uid: $1 objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: $2 $3 givenName: $2 sn: $3 mail: $1@example.com EOF
The following example demonstrates adding a Description attribute to the new user's entry:
$cat newdesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com changetype: modify add: description description: A new user's entry
$ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery newdesc.ldif
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
The following example demonstrates changing the Description attribute for the new user's entry:
$cat moddesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com changetype: modify replace: description description: Another description
$ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery moddesc.ldif
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
The following example demonstrates deleting the new user's entry:
$cat deluser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com changetype: delete
$ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery deluser.ldif
Processing DELETE request for uid=newuser,ou=People,dc=example,dc=com DELETE operation successful for DN uid=newuser,ou=People,dc=example,dc=com