Name

ldapmodify — perform LDAP modify, add, delete, mod DN operations

Synopsis

ldapmodify [changes_files ...]

Options

The ldapmodify command takes the following options:

Command options:

-a | --defaultAdd

Legacy argument for ForgeRock OpenDJ compatibility.

Default: false

--assertionFilter {filter}

Use the LDAP assertion control with the provided filter.

-c | --continueOnError

Continue processing even if there are errors.

Default: false

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

For some controloid values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.

accountusable
accountusability

Account Usability Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

authzid
authorizationidentity

Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16

effectiverights
geteffectiverights

Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

managedsait

Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2

noop
no-op

No-Op Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2

pwpolicy
passwordpolicy

Password Policy Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

realattrsonly
realattributesonly

Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17

subtreedelete
treedelete

Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805

virtualattrsonly
virtualattributesonly

Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

--postReadAttributes {attrList}

Use the LDAP ReadEntry post-read control.

--preReadAttributes {attrList}

Use the LDAP ReadEntry pre-read control.

-Y | --proxyAs {authzID}

Use the proxied authorization control with the given authorization ID.

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzID

Use the authorization identity control.

Default: false

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

Default: 389

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTLS

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSSL

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Examples

The following example demonstrates use of the command to add an entry to the directory:

$ cat newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
facsimileTelephoneNumber: +1 408 555 1213
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: New
cn: New User
cn: Real Name
telephoneNumber: +1 408 555 1212
sn: Jensen
roomNumber: 1234
homeDirectory: /home/newuser
uidNumber: 10389
mail: newuser@example.com
l: South Pole
ou: Product Development
ou: People
gidNumber: 10636

$ ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery newuser.ldif
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com
 

The following listing shows a UNIX shell script that adds a user entry:

#!/bin/sh
#
# Add a new user with the ldapmodify utility.
#

usage(){
        echo "Usage: $0 uid firstname lastname"
        exit 1
}
[[ $# -lt 3 ]] && usage

LDAPMODIFY=/path/to/opendj/bin/ldapmodify
HOST=opendj.example.com
PORT=1389
ADMIN=uid=kvaughan,ou=people,dc=example,dc=com
PWD=bribery

$LDAPMODIFY -h $HOST -p $PORT -D $ADMIN -w $PWD <<EOF
dn: uid=$1,ou=people,dc=example,dc=com
uid: $1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: $2 $3
givenName: $2
sn: $3
mail: $1@example.com
EOF
 

The following example demonstrates adding a Description attribute to the new user's entry:

$ cat newdesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: description
description: A new user's entry

$ ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery newdesc.ldif
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
 

The following example demonstrates changing the Description attribute for the new user's entry:

$ cat moddesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Another description

$ ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery moddesc.ldif
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
 

The following example demonstrates deleting the new user's entry:

$ cat deluser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: delete

$ ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery deluser.ldif
Processing DELETE request for uid=newuser,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=newuser,ou=People,dc=example,dc=com