LDAP provides command line tools that correspond to the operations performed by the LDAP API. Each tool supports a common set of options, including authentication and bind parameters.
    ldapsearch    Search for directory entry. Display attributes and values found.
    ldapmodify    Modify, add, delete, or rename directory entry.
    ldapadd       Add new directory entry.
    ldapdelete    Delete existing directory entry.
    ldapmodrdn    Rename existing directory entry.
The ldapsearch, ldapadd, and ldapmodify tools support a common text-based format for representing directory information called the LDAP Data Interchange Format (LDIF).
LDIF is the format produced by the ldapsearch tool, the format accepted by the ldapadd tool, and is the basis for the change information format that the ldapmodify tool uses.
An LDIF file contains one or more entries. Each entry is separated by an empty line. The basic form of an LDIF file entry is:
    [id]
    dn: entryDN
    attrtype: attrvalue
    ...
where:
id
    is an optional numeric entry identifier (not used by the LDAP tools).
dn
    is the LDAP Distinguished Name (DN) of the directory entry.
attrtype
    is an LDAP attribute type, such as cn or telephoneNumber.
attrvalue
    is a value for attrtype.
The attrtype: attrvalue line can be repeated as many times as necessary to list all of the attribute values present in an entry. The line can be continued by inserting a single space or horizontal tab character at the start of the next line.
For example, an LDIF file that contains Joe Qwerty's entry includes five attributes (cn and objectclass have two values):
    dn: cn=Joseph Qwerty, o=Ultra Keyboards Inc., c=US
    cn: Joseph Qwerty
    cn: Joe Qwerty
    sn: Qwerty
    mail: jqwerty@ultra.com
    seeAlso: cn=Joe Qwerty, ou=Engineering Division, o=Peo
     ple, o=IEEE, c=US
    objectClass: top
    objectClass: person
The value of seeAlso is split across two lines by inserting a single space character at the start of the line that begins with “ ple, ...”.
Use ldapsearch(1) to find a directory entry. ldapsearch opens a connection to the LDAP directory server, binds to the directory server, and performs a search of the directory.
Find members of IEEE that work at Ultra Keyboards in the United States.
    % ldapsearch -L -b "o=IEEE, o=Ultra Keyboards Inc., c=US" uid=\*
The results of the search are:
    dn: uid=jqwerty, o=IEEE, o=Ultra keyboards Inc., c=US
    uid: jqwerty
    cn: jqwerty
    userpassword: {crypt}somecryptedtext
    uidnumber: 12345
    gidnumber: 123
    gecos: Joseph Qwerty
    homedirectory: /home/jqwerty
    loginshell: /bin/csh
    objectclass: top
    objectclass: shadowAccount
    objectclass: account
    objectclass: posixAccount
    shadowlastchange: 3455

    dn: uid=bhand, o=IEEE, o=Ultra keyboards Inc., c=US
    uid: bhand
    cn: bhand
    userpassword: {crypt}somecryptedtext
    uidnumber: 12347
    gidnumber: 123
    gecos: William Handset
    homedirectory: /home/bhand
    loginshell: /bin/csh
    objectclass: top
    objectclass: shadowAccount
    objectclass: account
    objectclass: posixAccount
    shadowlastchange: 3440
Use ldapmodify(1) to change a directory entry. ldapmodify opens a connection to the LDAP directory server, binds to the directory server, and performs a sequence of LDAP modify operations on the directory.
Bind as the directory manager (password “enigma”) and add the email address eng@ultra.com to Joe Qwerty's entry.
    % ldapmodify -D "cn=Manager, o=Ultra Keyboards Inc., \
    c=US" -w enigma < modfile
The contents of modfile are:
    dn: cn=carol,ou=People,o=Ultra Keyboards Inc.,c=US
    changetype: modify
    replace: userpassword
    userpassword: {crypt}mgq25KV6CE0p6
    -
    replace: objectclass
    objectclass: top
    objectclass: shadowAccount
    objectclass: account
    objectclass: posixAccount
    -
    add: shadowlastchange
    shadowlastchange: 6447
    -

    dn: cn=stephen,ou=People,o=Ultra Keyboards Inc.,c=US
    changetype: modify
    replace: userpassword
    userpassword: {crypt}w.4P1JPV3w.Zs
    -
    replace: objectclass
    objectclass: top
    objectclass: shadowAccount
    objectclass: account
    objectclass: posixAccount
    -
    add: shadowlastchange
    shadowlastchange: 6447
    -

    dn: cn=frank,ou=People,o=Ultra Keyboards Inc.,c=US
    changetype: modify
    replace: userpassword
    userpassword: {crypt}mMBEaHRlf5rJQ
    -
    replace: objectclass
    objectclass: top
    objectclass: shadowAccount
    objectclass: account
    objectclass: posixAccount
    -
    add: shadowlastchange
    shadowlastchange: 9712
    -
A line containing only a hyphen separates a series of modification commands for the same directory entry. A blank line separates different directory entries.
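The continuation rule (a leading space or tab joins a line to the previous one) and the hyphen and blank-line separators of ldapmodify input together define how these files are read. The following Python reader is an added example, not code from the page or from the Solaris tools; it applies both rules to a constructed sample and turns each group of lines up to a bare hyphen in a changetype: modify record into one (op, attrtype, values) change.

```python
# Added example, not from the page: reader for the LDIF forms described above.
SAMPLE = """dn: cn=Joe Qwerty, o=Ultra Keyboards Inc., c=US
seeAlso: cn=Joe Qwerty, ou=Engineering Division, o=Peo
 ple, o=IEEE, c=US
objectClass: top
objectClass: person

dn: cn=carol,ou=People,o=Ultra Keyboards Inc.,c=US
changetype: modify
replace: loginshell
loginshell: /bin/sh
-
add: shadowlastchange
shadowlastchange: 6447
-
"""  # constructed sample: one entry with a folded value, one modify record

def _split(line):  # "attrtype: attrvalue" -> (attrtype, attrvalue)
    return tuple(s.strip() for s in line.split(":", 1))

def _record(lines):
    name, dn = _split(lines[0])
    rec, body = {"dn": dn}, lines[1:]
    if body and body[0].lower().startswith("changetype:"):
        rec["changetype"], body = _split(body[0])[1], body[1:]
    if rec.get("changetype") != "modify":        # plain entry: attrtype -> [values]
        rec["attrs"] = {}
        for name, value in map(_split, body):
            rec["attrs"].setdefault(name, []).append(value)
        return rec
    rec["changes"], cur = [], None               # (op, attrtype, [values]) per group
    for line in body:
        if line == "-":                          # a bare hyphen ends the group
            cur = None
        elif cur is None:                        # op line: add/replace/delete: attr
            rec["changes"].append(cur := _split(line) + ([],))
        else:
            cur[2].append(_split(line)[1])
    return rec

def parse_ldif(text):
    """One dict per record; blank lines separate records, leading space/tab folds."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]                 # continuation line, lead char dropped
        else:
            lines.append(raw)
    blocks = "\n".join(lines).split("\n\n")
    return [_record([l for l in b.split("\n") if l.strip()]) for b in blocks if b.strip()]
```

Running parse_ldif(SAMPLE) yields two records: the entry with its seeAlso value rejoined and objectClass holding two values, and the modify record with one replace and one add change.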
If the operation is successful, ldapmodify returns a message similar to the following:
    # ldapmodify -D "cn=Directory Manager" -w nssecret -f domain.ldif
    modifying entry dc=sun,dc=com
If unsuccessful, an error message is displayed.
Use ldapadd(1) to add an entry to the directory. ldapadd opens a connection to the LDAP directory server, binds to the directory server, and performs a sequence of LDAP add operations on the directory.
Bind as the directory manager (password “enigma”) and add entries for Penny Gold and Amy Lamb.
    % ldapadd -D "cn=Manager, o=Ultra Keyboards Inc., \
    c=US" -w enigma < addfile
The contents of addfile are:
    dn: cn=Penny Gold, o=Ultra Keyboards Inc., c=US
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: inetOrgPerson
    cn: Penny Gold
    sn: Gold
    mail: pgold@ultra.com

    dn: cn=Amy Lamb, o=Ultra Keyboards Inc., c=US
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: inetOrgPerson
    cn: Amy Lamb
    sn: Lamb
    mail: alamb@ultra.com
Use ldapdelete(1) to delete an entry from the directory. ldapdelete opens a connection to the LDAP directory server, binds to the directory server, and performs one or more LDAP delete entry operations on the directory.
Bind as the directory manager (password “enigma”) and delete the entry for Penny Gold.
    % ldapdelete -D "cn=Manager, o=Ultra Keyboards Inc., \
    c=US" -w enigma "cn=Penny Gold, o=Ultra Keyboards Inc., c=US"
ldapdelete returns nothing if the operation is successful; otherwise, an error message is displayed.
Use ldapmodrdn(1) to rename an existing directory entry. ldapmodrdn opens a connection to the LDAP directory server, binds to the directory server, and performs one or more LDAP modify RDN (rename) operations on the directory.
Bind as the directory manager (password “enigma”) and change the RDN cn value from “User Interface” to “Ergonomic”.
    % ldapmodrdn -r -D "cn=Manager, o=Ultra Keyboards Inc., \
    c=US" -w enigma "cn=User Interface, o=Ultra Keyboards Inc., \
    c=US" "cn=Ergonomic"
ldapmodrdn returns nothing if the operation is successful; otherwise, an error message is displayed.