Oracle Directory Server Enterprise Edition Man Page Reference 11g Release 1
User Commands
ldapmodify - add, modify, rename, move, or delete LDAP entries




The ldapmodify command requests the addition, modification, rename, move, or deletion of entries stored by a directory server.

You must bind as a user having access to perform the requested operation.

The directory server may check all modifications against its schema, and reject updates that cause entries not to conform to the schema.

You must specify additions and modifications in the proper order, because the directory server performs the updates in the order you request them. For example, to add entries to a subtree that does not yet exist, you must first update the base entry at the root of the subtree before adding entries under the base entry. When a requested operation fails, the ldapmodify command stops processing further input unless you use the -c option. The ldapmodify command does not save rejected entries unless you use the -e option.
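As an added illustration of the ordering rule above (example code written for this page, not part of the Oracle documentation or of the ldapmodify tool), the following Python script reads the DNs of a batch of LDIF add records and returns them in an order that adds each parent entry before its children, or reports the first entry whose parent is neither in the batch nor already in the directory. It assumes simple DNs with no escaped commas, and the sample LDIF is constructed.

```python
# Added example (not from the Oracle man page or ldapmodify): order a batch
# of LDIF add records parent-before-child, as ldapmodify requires, and
# report entries whose parent would not exist when they are added.
# Assumes plain RFC 2849 "dn:" lines and DNs without escaped commas.
import base64

# Constructed sample: the child record appears before its parent, which
# would make "ldapmodify -a" fail on the first record.
SAMPLE_LDIF = """\
dn: uid=bcubbins,ou=People,dc=example,dc=com
objectclass: inetOrgPerson
uid: bcubbins
sn: Cubbins
cn: Bartholomew Cubbins

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People
"""

def _record_dns(ldif_text):
    """Return the DN of each blank-line separated record, in file order."""
    dns = []
    for record in ldif_text.strip().split("\n\n"):
        for line in record.splitlines():
            if line.startswith("dn::"):          # base64-encoded DN (RFC 2849)
                dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
                break
            if line.startswith("dn:"):
                dns.append(line[3:].strip())
                break
    return dns

def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs can be compared as strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent_dn(dn):
    """Strip the leftmost RDN; an empty string means there is no parent."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""

def order_for_add(ldif_text, existing_dns=()):
    """Return the record DNs in an order that "ldapmodify -a" can apply.

    existing_dns lists DNs already in the directory (the suffix and any
    base entries). Raises ValueError naming the first DN whose parent is
    neither in the batch nor already in the directory.
    """
    known = {normalize_dn(d) for d in existing_dns}
    pending = {normalize_dn(d): d for d in _record_dns(ldif_text)}
    ordered = []
    while pending:
        ready = [n for n in pending if parent_dn(n) in known]
        if not ready:
            # Nothing can be added: at least one parent is missing entirely.
            orphan = next(iter(pending.values()))
            raise ValueError(f"no parent entry for {orphan}")
        for n in sorted(ready):
            ordered.append(pending.pop(n))
            known.add(n)
    return ordered

if __name__ == "__main__":
    for dn in order_for_add(SAMPLE_LDIF, ["dc=example,dc=com"]):
        print(dn)
```

Run with the suffix DN as the only pre-existing entry and the script prints ou=People first, then the user entry; run with no pre-existing entries and it raises, which is the condition under which ldapmodify would stop at the first rejected record unless -c is given.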


The following options are supported:


Ignore LDAP library version mismatches.

When this option is omitted, the default behavior is to assert that the revision number of the LDAP API be greater than or equal to that used to compile the tool. Also, if the library and the tool have the same vendor name, the tool will assert that the vendor version number of the API be greater than or equal to that used to compile the tool. Revision and version numbers are based on the contents of the LDAPAPIInfo structure defined in <ldap.h> or header files included by <ldap.h>.


Check host names in SSL certificates.


Display non-ASCII values when the -v option is used.

-B baseDN

Bulk import entries into the suffix under the specified DN.

Note - Bulk import using the ldapmodify command erases the existing entries under the target suffix.

-D bindDN

Use the specified bind DN to authenticate to the directory server.

If the bind DN and its password are omitted, the ldapmodify command binds anonymously. The bind DN determines what entries and attributes appear in the comparison results, according to the search permissions for the bind DN.


Request that the directories expose (report) bind identities.


Force application of all modifications, even if some lines are duplicates.


Display usage information.

-I filename

Read the password for the client key database specified with the -P option from filename.

The default is key3.db.

-J controloid[:criticality[:value|::base64value|:<fileurl]]

Use the specified control OID.

The criticality, a boolean, is false by default.

An LDAP control can be associated with a value. Proxy authorization, for example, takes a proxy authorization ID that is passed together with the control OID and the criticality. If a value is necessary, you specify it using value, base64value, or <fileurl.

-K pathname

Use the SSL key database located in pathname, the full path to the key database file.

The default is to search for the key database file, key3.db, in the directory specified by the -P option.


Manage referrals, modifying the entry containing the referral instead of the entry obtained by following the referral.

-N certificate

Use the specified certificate for certificate-based client authentication, for example: -N "Client-Cert", where Client-Cert is the subject name of the user certificate.

-O limit

Follow at most limit referral hops. The default is 5.

-P filename

Use the certificate database located in filename, the full path to the certificate database file.

The default is to search for the certificate database file, cert8.db, in the current directory.

-Q [token][:certificate-name]

Use PKCS 11.


Do not follow referrals automatically.

-V n

Use LDAP protocol version n, where n is 2 or 3. Default is 3.

-W -

Prompt for the password for the client key database specified using the -P option.

The -W option is required for certificate-based client authentication.

-W password

Specify the password for the client key database specified using the -P option.

The -W option is required for certificate-based client authentication.

-Y proxydn

Use the rights of the entry having the specified DN for performing LDAP operations. When using this option, you must also specify how to bind before you assume the rights of the proxy. Thus, when using simple authentication, you would also use the -D and -w options with this option.

Before proxy authentication can work in Directory Server, you must set up the appropriate access control instructions.


-ZZ

Use Start TLS to provide certificate-based client authentication.

The -ZZ option requires the -N and -W options and any other SSL options needed to identify the certificate and the key database.


-Z

Use a Start TLS request.

The -Z option requires the -N and -W options and any other SSL options needed to identify the certificate and the key database.


-a

Add LDAP entries, rather than modifying existing entries.


-b

Handle binary files.

Note - This option is deprecated. Use standard LDIF notation as described in RFC 2849 instead.

When you use the -b option, the ldapmodify command scans every attribute value to determine whether it specifies a valid file reference, such as /home/bjensen/bjensen.jpg. If so, the ldapmodify command uses the content of the specified file as the attribute value.


-c

Run in continuous mode, not stopping on errors.

In continuous mode, errors are reported but the ldapmodify command continues performing comparisons. When not running in continuous mode, the ldapmodify command quits after the first error.

-d level

Set LDAP debug level to the specified value.

The following debug levels are supported:


Display verbose debugging messages; LDAP_DEBUG_TRACE.


Display messages about the content of network packets; LDAP_DEBUG_PACKETS.


Display messages about LDIF parsing; LDAP_DEBUG_PARSE.


Display informational messages; LDAP_DEBUG_ANY.

Use the sum of the levels to specify more than one debug level. For example, to set the debug level to display both verbose debugging messages, and messages about the content of network packets, specify -d 3.

-e filename

Save rejected entries in the specified file.

-f filename

Read modifications from the specified file.

The file format is standard LDIF notation as described in RFC 2849.

-h host

Contact the LDAP server on the specified host, which may be a host name or an IP address. Enclose IPv6 addresses in brackets ([]) as described in RFC 2732.

For example, when mapping the IPv4 address to IPv6, pass the -h option with its argument as -h [::ffff:]. Notice the brackets.

When using GSSAPI with Directory Server, specify the host as a fully qualified host name that matches the value of the nsslapd-localhost attribute on the cn=config entry. The GSSAPI authentication process requires that the host name provided by the client match the one provided by the server.

The default is localhost.

-i charset

Use the specified character set to override the value of the LANG environment variable. This option matters because the command converts certain arguments you specify to UTF-8 before sending the request to the server. The following arguments are converted: base DN, bind DN, LDAP filter, and password.

You can prevent the command from converting passwords by using the -k option.

Examples of charset values include ISO8859-1, ISO8859-15, ibm-1275, and windows-1251.

-j filename

Read the bind password for simple authentication from the specified file.


-k

Do not convert the passwords to UTF-8.

-m pathname

Use the security module database located in the specified directory.

Use the -m option if the security module database is in a different directory from the certificate database itself.


Show what would be done, but do not actually do it.

-o attrname=attrvalue

Use the specified attribute values when performing SASL authentication.

The following attrname arguments are supported:


Use the specified authentication identity.


Use the specified authorization identity.


Request the specified SASL mechanism for the bind.


Use the specified realm to complete the bind.


Use the specified security level.

The attrvalue is a valid value corresponding to the attrname you specify.

-p port

Contact the LDAP server on the specified port.

The default is 389 (636 if SSL is used).


Run in quiet mode, not displaying information about the operations performed.


-v

Run in verbose mode, displaying diagnostics on standard output.


-w -

Prompt for the bind password for simple authentication.

-w password

Use the specified bind password for simple authentication.


Examples in this section use the following conventions:

Example 1 Adding an Entry

The following commands demonstrate adding a single entry to the directory:

$ cat add.ldif
dn: uid=bcubbins,ou=People,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: bcubbins
givenName: Bartholomew
sn: Cubbins
cn: Bartholomew Cubbins
userPassword: bcubbins
facsimiletelephonenumber: +1 234 567 8910

$ ldapmodify -a -h host -D uid=bjensen,ou=people,dc=example,dc=com \
 -w - -f add.ldif
Enter bind password: 
adding new entry uid=bcubbins,ou=People,dc=example,dc=com


Example 2 Modifying an Entry

The following commands demonstrate modifying an entry. Notice a line with a single dash (-) separates multiple modifications to a single entry.

$ cat modify.ldif
dn: uid=bcubbins,ou=People,dc=example,dc=com
changetype: modify
add: description
description: Added with ldapmodify
-
replace: mail

$ ./ldapmodify -h host -c -v \
 -D uid=bjensen,ou=People,dc=example,dc=com -w - -f modify.ldif
Enter bind password: 
modifying entry uid=bcubbins,ou=People,dc=example,dc=com


Example 3 Deleting an Entry Interactively

The following commands delete the entry added and modified in previous examples.

$ ./ldapmodify -h host -D uid=bjensen,ou=People,dc=example,dc=com -w -
Enter bind password: 
dn: uid=bcubbins,ou=People,dc=example,dc=com
changetype: delete
deleting entry uid=bcubbins,ou=People,dc=example,dc=com


Example 4 Using Server Authentication

The following command uses server authentication during the bind, where the server only accepts binds by clients with trusted certificates. Notice only the -P option is used without other SSL-related options.

$ ./ldapmodify -h host -p 636 -c -f modify.ldif -P /home/bjensen/security \
 -D "uid=bjensen,ou=People,dc=example,dc=com" -w -
Enter bind password:

Example 5 Using Client Authentication

The following command uses client authentication during the bind, where the server only accepts binds by clients with trusted certificates, and the client must sign the certificate with a password-protected private key. Notice the options used in this example.

$ ldapmodify -h host -p 636 -c -Z -P /home/bjensen/security \
 -N "bjscert" -K /home/bjensen/security -W keypassword -f modify.ldif

Example 6 Moving an Entry

The following command moves an entry from one branch of a suffix to another:

$ ./ldapmodify -h host -D uid=hmiller,ou=people,dc=example,dc=com -w -
Enter bind password: 
dn: uid=jwallace,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: uid=jwallace
deleteoldrdn: 0
newsuperior: ou=special users,dc=example,dc=com
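The following Python parser, added here as an example and not taken from the Oracle documentation or from ldapmodify itself, shows how the change records in Examples 1 through 6 are structured: the leading dn line, the changetype, and for changetype modify the add/delete/replace blocks separated by a line holding a single dash. It also handles the base64 (::) values and the continuation lines that RFC 2849 allows, and rejects a modify block whose values belong to a different attribute. The records it parses are constructed from the examples above; the mail value is an assumption.

```python
# Added example (not from the Oracle man page or the ldapmodify source):
# a parser for RFC 2849 change records of the kind ldapmodify reads from
# -f or standard input. Handles changetype add/modify/delete/modrdn, the
# "-" separator between modifications, "::" base64 values and
# continuation lines. Sample records are constructed from the man page
# examples; the mail value is an assumption.
import base64

MODIFY_RECORD = """\
dn: uid=bcubbins,ou=People,dc=example,dc=com
changetype: modify
add: description
description: Added with ldapmodify
-
replace: mail
mail: bcubbins@example.com
-
"""

MODRDN_RECORD = """\
dn: uid=jwallace,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: uid=jwallace
deleteoldrdn: 0
newsuperior: ou=special users,dc=example,dc=com
"""

DELETE_RECORD = """\
dn: uid=bcubbins,ou=People,dc=example,dc=com
changetype: delete
"""

def _unfold(text):
    """Join continuation lines (a leading space) and drop # comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def _split_attr(line):
    """Split 'name: value' or 'name:: base64' into (name, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):                     # base64-encoded value
        return name.strip(), base64.b64decode(value[1:].strip()).decode("utf-8")
    return name.strip(), value.strip()

def parse_change_record(text):
    """Return a dict describing one change record.

    A record with no changetype is treated as an add (ldapmodify -a).
    For changetype modify the result carries 'mods', a list of
    (operation, attribute, values) tuples, one per "-"-separated block.
    """
    lines = [l for l in _unfold(text) if l.strip()]
    if lines and lines[0].startswith("version:"):   # optional LDIF header
        lines = lines[1:]
    name, dn = _split_attr(lines[0])
    if name != "dn":
        raise ValueError("record must start with dn:")
    rec = {"dn": dn, "changetype": "add"}
    body = lines[1:]
    if body and body[0].startswith("changetype:"):
        rec["changetype"] = _split_attr(body[0])[1]
        body = body[1:]
    ct = rec["changetype"]
    if ct == "add":
        attrs = {}
        for l in body:
            n, v = _split_attr(l)
            attrs.setdefault(n, []).append(v)
        rec["attributes"] = attrs
    elif ct == "delete":
        if body:
            raise ValueError("delete record takes no further lines")
    elif ct in ("modrdn", "moddn"):
        fields = dict(_split_attr(l) for l in body)
        rec["newrdn"] = fields["newrdn"]
        rec["deleteoldrdn"] = fields["deleteoldrdn"] == "1"
        rec["newsuperior"] = fields.get("newsuperior")
    elif ct == "modify":
        mods, i = [], 0
        while i < len(body):
            op, attr = _split_attr(body[i])
            if op not in ("add", "delete", "replace"):
                raise ValueError(f"expected add/delete/replace, got {op!r}")
            values, i = [], i + 1
            while i < len(body) and body[i] != "-":     # block ends at "-"
                n, v = _split_attr(body[i])
                if n != attr:
                    raise ValueError(f"value for {n!r} inside {op}: {attr}")
                values.append(v)
                i += 1
            mods.append((op, attr, values))
            i += 1                                       # skip the "-"
        rec["mods"] = mods
    else:
        raise ValueError(f"unknown changetype {ct!r}")
    return rec

def parse_ldif(text):
    """Parse every blank-line separated record in an LDIF file."""
    return [parse_change_record(c) for c in text.strip().split("\n\n") if c.strip()]

if __name__ == "__main__":
    for record in parse_ldif(MODIFY_RECORD + "\n" + MODRDN_RECORD + "\n" + DELETE_RECORD):
        print(record)
```

A replace block with no value lines (as in the modify.ldif of Example 2) parses to an empty value list, which in LDAP semantics removes every value of that attribute; the parser keeps that distinction visible rather than dropping the block.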

Exit Status

The exit status returned reflects the return values of the underlying functions used, which may depend on return values sent by the server. Common exit status codes follow:


0

Successful completion; LDAP_SUCCESS; 0x00.

1

Server encountered errors while processing the request; LDAP_OPERATIONS_ERROR; 0x01.

2

Server encountered errors, such as a BER-decoding error, while processing the request; LDAP_PROTOCOL_ERROR; 0x02.

10

DN of the entry to modify belongs to an entry handled by neither server, and the referral URL identifies another server that handles the entry; LDAP_REFERRAL; 0x0a.

16

Attribute to be modified does not exist; LDAP_NO_SUCH_ATTRIBUTE; 0x10.

19

Attribute modification requested is not a proper modification. For example, a requested change to userpassword would result in a user password shorter than the minimum length allowed; LDAP_CONSTRAINT_VIOLATION; 0x13.

20

Attribute to add already exists with the specified value; LDAP_TYPE_OR_VALUE_EXISTS; 0x14.

21

The value modified does not respect the syntax for the attribute type; LDAP_INVALID_SYNTAX; 0x15.

32

DN of the entry to modify belongs to an entry handled by neither server, and no referral URL is available for the entry; LDAP_NO_SUCH_OBJECT; 0x20.

34

DN of the entry to modify is not a valid DN; LDAP_INVALID_DN_SYNTAX; 0x22.

50

Bind DN user does not have permission to read the entry from the directory; LDAP_INSUFFICIENT_ACCESS; 0x32.

53

Directory is read-only; LDAP_UNWILLING_TO_PERFORM; 0x35.

65

Requested modification would cause the entry not to comply with the directory schema; LDAP_OBJECT_CLASS_VIOLATION; 0x41.

66

Entry specified has child entries that must be deleted first; LDAP_NOT_ALLOWED_ON_NONLEAF; 0x42.

67

Requested modification would cause the entry to be missing attributes that are components of the entry DN; LDAP_NOT_ALLOWED_ON_RDN; 0x43.

68

An entry already exists with the same DN as the entry to add; LDAP_ALREADY_EXISTS; 0x44.

81

One of the directories did not respond to the request, or the connection was lost; LDAP_SERVER_DOWN; 0x51.

82

An error occurred while receiving results; LDAP_LOCAL_ERROR; 0x52.

83

The request could not be BER-encoded; LDAP_ENCODING_ERROR; 0x53.

84

A result could not be decoded; LDAP_DECODING_ERROR; 0x54.

89

An option or argument is not valid; LDAP_PARAM_ERROR; 0x59.

90

Needed memory could not be allocated; LDAP_NO_MEMORY; 0x5a.

91

A specified host name or port is not valid; LDAP_CONNECT_ERROR; 0x5b.

92

At least one server supports only LDAPv2, and the -V 2 option was not used, or the -V 2 option was used, but the server no longer supports LDAPv2; LDAP_NOT_SUPPORTED; 0x5c.


See attributes(5) for descriptions of the following attributes:

Stability Level

See Also

ldapcmp(1), ldapcompare(1), ldapdelete(1), ldappasswd(1), ldapsearch(1)