Previous Next Contents Index


Chapter 9 Managing Directory Entries

In Netscape Directory Server, you add, modify, and delete entries using an LDAP client.

Netscape Directory Server comes with the following LDAP clients that allow you to search and modify your directory:

This chapter discusses how to use the Directory Server Console and the ldapmodify and ldapdelete command-line utilities to modify the contents of your directory in the following sections:

Note. You cannot modify your directory unless the appropriate access control has been set. For information on setting access control in your directory, see Chapter  5, "Managing Access Control."


Managing Entries Using the Server Console
Use the Directory tab and the Property Editor on the Directory Server Console to add, modify, or delete entries one at a time. You can also use the Directory tab to access the Users and Groups dialog boxes that allow you to manage users, groups, and organizational units. The Users and Groups dialog boxes are also accessible from the Users and Groups area of the Netscape Console. See Managing Servers with Netscape Console for more information.

Use the command line to add multiple entries simultaneously. See  "Managing Entries Using the Command-Line Utilities" for more information.

This section provides information about:

Managing Users, Groups, and Org. Units Using the Server Console

Use the Users and Groups dialog boxes and the Property Editor on the Directory Server Console to add and modify users, groups, and organizational units one at a time. Use LDIF to add or modify multiple entries simultaneously. You can also add or modify users, groups, and organizational units through the Netscape Console Users and Groups tab, the directory server gateway, and through Netscape Directory Express. For information on how to do this, see Managing Servers with Netscape Console or the online help for the gateway and Directory Express.

This section provides information about:

For information about adding other types of entries using the server console, see "Adding Other Types of Entries Using the Property Editor".

Adding Users, Groups, and Org. Units Using the Server Console

To add users, groups, and organizational units one at a time:

  1. On the Directory Server Console, select the Directory tab.

  2. Right-click the entry in the left pane under which you want to add the user, group, or organizational unit and select New|User, New|Group, or New|Organizational Unit from the pop-up menu.

    3. The new entry will be created as a child entry of the entry you select. The Create New User, Create New Group, or Create New Organizational Unit dialog box appears.

    Provide the information for the new entry in the dialog box. Click Help for more detailed information about the options on these dialog boxes.

    If you want to add attributes or object classes that are not displayed through the Users and Groups dialog boxes, click Advanced to access the Property Editor. For more information on using the Property Editor, see "Using the Property Editor to Manage Entries".

  3. When you are finished defining the information for the entry, click OK.
Modifying Users, Groups, and Org. Units Using the Server Console

To modify users, groups, and organizational units one at a time:

  1. On the Directory Server Console, select the Directory tab.

    2. The directory contents appear in the left pane.

  2. Right-click the entry you want to modify and select Open from the pop-up menu.

    3. If you selected a user entry, the Edit User dialog box appears. If you selected a group entry, the Edit Group dialog box appears. If you selected an organizational unit, the Edit Entry dialog box appears. Click Help for more detailed information about the options on these dialog boxes.

    If you want to modify attributes or object classes that are not displayed through the Users and Groups dialog boxes, click Advanced to access the Property Editor. For more information on using the Property Editor, see "Using the Property Editor to Manage Entries".

    If you selected an entry that is not a user, group, or organizational unit, the property editor appears. See "Using the Property Editor to Manage Entries" for more information.

Using the Property Editor to Manage Entries

You can use the Property Editor to add or modify attributes and object classes for users, groups, and organizational units. To access the Property Editor from the Users and Groups dialog boxes, click Advanced. See "Managing Users, Groups, and Org. Units Using the Server Console" and Managing Servers with Netscape Console for more information about the Users and Groups dialog boxes.

You can also use the Directory tab and the Property Editor to add and modify entries other than users, groups, and organizational units. For example, you can use this method to define entries based on object classes you have created.

The Property Editor contains a list of attributes defined for the object class(es) you selected.

Figure 9.1 Directory Server Console - Property Editor

The following procedures describe how to add and modify entries using the Property Editor.

Adding Other Types of Entries Using the Property Editor

To add entries other than users, groups, and organizational units using the Property Editor:

  1. On the Directory Server Console, select the Directory tab.

  2. Right-click the entry in the left pane to which you want to add the entry and select New|Other from the pop-up menu.

    3. The New Object dialog box appears.

  3. Select the object class(es) with which you want to define the entry.

    4. To select multiple object classes, use Ctrl+click or Shift+click. Click OK. The Property Editor appears.

    If you select an object class related to a user or group, such as inetOrgPerson or organizationalPerson, the Create New User or Create New Group dialog box appears. See  "Adding Users, Groups, and Org. Units Using the Server Console" for information about adding users and groups. If you want to further define the new user, group, or organizational unit, click Advanced. (For more information about object classes, see the Netscape Directory Server Schema Reference Guide.)

  4. Fill in the values for the required attributes and click OK to save the new entry.
Adding an Object Class to an Entry Using the Property Editor

To add an object class to an entry from the Property Editor:

  1. On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Open from the pop-up menu.

    2. The Property Editor appears.

  2. Scroll down the table until you see the object class attribute in the left column.

  3. Right click object class and select Add Value from the pop-up menu.

    4. The Add Object Class dialog box appears.

  4. Select the object class you want to add and click OK to return to the Property Editor.

  5. Click OK again when you are finished editing the entry.
Removing an Object Class From an Entry Using the Property Editor

To remove an object class from an entry from the Property Editor:

  1. On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Open from the pop-up menu.

    2. The Property Editor appears.

  2. Scroll down the table until you see the object class attribute in the left column.

  3. Click the cursor in the text box in the right column that contains the object class you want to remove and select Delete Value from the Edit menu.

  4. Click OK when you are finished editing the entry.
Adding an Attribute Value to an Entry Using the Property Editor

Before you can add an attribute value to an entry, the entry must contain an object class that either requires or allows the attribute. See "Adding an Object Class to an Entry Using the Property Editor" and Netscape Directory Server Schema Reference Guide for more information.

To add an attribute value to an entry from the Property Editor:

  1. On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Open from the pop-up menu.

    2. The Property Editor appears.

  2. Select Add Attribute from the Edit menu.

    3. The Add Attribute dialog box displays.

  3. Select the attribute you want to add in the list and click OK to return to the Property Editor.

  4. Scroll through the attributes list until you find the attribute you added.

  5. Type the value for the new attribute in the empty text box to the right of the attribute name.

  6. Click OK when you are finished editing the entry.
Adding Values to an Attribute Using the Property Editor

You can add more than one value to multi-valued attributes contained within an entry.

To add an additional value using the Property Editor:

  1. On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Open from the pop-up menu.

    2. The Property Editor appears.

  2. Scroll down the table until you see the attribute in the left column.

  3. Right click the attribute and select Add Value from the pop-up menu.

  4. In the empty text box that appears, type in the name of the new attribute value.

  5. Click OK.
Removing an Attribute Value From an Entry Using the Property Editor

To remove an attribute value from an entry from the Property Editor:

  1. On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Open from the pop-up menu.

    2. The Property Editor appears.

  2. Scroll through the attributes list until you find the attribute for which you want to remove a value.

  3. Click the cursor in the text box in the right column that contains the attribute value you want to remove and select Delete Value from the Edit menu.

    4. If you want to remove the entire attribute and all its values from the entry, select Delete Attribute from the Edit menu.

  4. Click OK when you are finished editing the entry.
Adding an Attribute Subtype Using the Property Editor

You can add three different kinds of subtypes to attributes contained within an entry; language, binary, and pronunciation.

To add a subtype using the Property Editor:

  1. On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Open from the pop-up menu.

    2. The Property Editor appears.

  2. Select Add Attribute from the Edit menu.

    3. The Add Attribute dialog box displays.

  3. Select the attribute you want to add in the list.

  4. To assign a language subtype to the attribute, select it from the Language drop-down list.

    5. Sometimes a user's name can be more accurately represented in characters of a language other than the default language. For example, Noriko's name is Japanese, and she has indicated on her hiring forms that she prefers that her name be represented by Japanese characters when possible. You can select Japanese as a language subtype for the givenname attribute so that other users can search for her Japanese name.

    If you specify a language subtype for an attribute, the subtype is added to the attribute name as follows:

    <attribute>;lang-<subtype>

    Where <attribute> is the attribute you are adding to the entry and <subtype> is the two character abbreviation for the language. See Table  B.2 for a list of supported language subtypes. For example:

    givenname;lang-ja

    You can assign only one language subtype per instance of an attribute in an entry. To assign multiple language subtypes, add another instance of the attribute to the entry and then assign the new language subtype to the copy. For example, cn;lang-ja;lang-en-GB:Smith is illegal. Instead, use:

    cn: lang-ja: <ja_value>
    cn: lang-en-GB: <en-GB_value>

  5. You can also assign one of two other subtypes to any instance of an attribute:

  6. Click OK to return to the Property Editor.

  7. When you are finished defining the information for the entry, click OK.
Deleting Entries Using the Server Console

To delete entries using the Server Console:

  1. On the Directory Server Console, select the Directory tab.

    2. The directory contents appear in the left pane.

  2. Right-click the entry you want to delete and select Delete from the pop-up menu.

    3. To select multiple entries, use Ctrl+click or Shift+click and then select Delete from the Edit menu.

    The server deletes the entry or entries immediately. There is no undo.


Managing Entries Using the Command-Line Utilities
The command-line client utilities allow you to manipulate the contents of your directory. The command-line utilities are especially useful for writing scripts to perform bulk management of your directory, or for testing your Directory Server to ensure that it is working correctly (especially if you have changed your access control information) or written a custom client.

This section provides information about:

Using Special Characters

When using the Directory Server command-line client tools, you may need to specify values that contain characters that have special meaning to the command-line interpreter (such as space [ ], asterisk [*], backslash [\], and so forth). When this situation occurs, enclose the value in quotation marks (""). For example:

-D "cn=Barbara Jensen, ou=Product Development, o=airius.com"

Depending on the command-line utility you use, you should use either single or double quotation marks for this purpose. Refer to your operating system documentation for more information.

In addition, if you are using DNs that contain commas, you must escape the commas with a backslash (\). For example:

-D "cn=Patricia Fuentes, ou=people, o=Airius Bolivia\, S.A."

Providing Input From the Command Line

ldapmodify and ldapdelete allow you to provide input both from an input file (using the -f parameter), as well as from the command line. If you want to provide input from the command line, do not specify the -f parameter when you use these commands.

The tool collects statements you enter in exactly the same way as if they were read from a file. When you finish providing input, enter the character that your shell recognizes as the end of file (EOF) marker. This causes the utility to begin operations based on the input you supplied.

Typically, the EOF escape sequence is one of the following, depending upon the type of machine you use:

For example, suppose you wanted to specify some LDIF update statements to ldapmodify. Then, on Unix, you would do the following:

prompt> ldapmodify -D <bindDN> -w <password> -h <hostname>
> dn: cn=Barry Nixon, ou=people, o=airius.com
> changetype: modify
> delete: telephonenumber
> -
> add: manager
> manager: cn=Harry Cruise, ou=people, o=airius.com
> ^D
prompt>

When you add an entry from the command-line or from LDIF, make sure that an entry representing a branch point is created before new entries are created under that branch. For example, if you want to place an entry in a Person and a Group subtree, then create the branch point for those subtrees before creating entries within the subtrees. For example:

dn: o=airius.com
dn: ou=People, o=airius.com
...
<People subtree entries.>
...
dn: ou=Group, o=airius.com
...
<Group subtree entries.>
...

Adding Entries Using LDIF

You can use an LDIF file to add multiple entries or to import an entire database. For details, refer to "Importing LDIF From the Server Console". You can also add or edit entries using the ldapmodify command along with the appropriate LDIF update statements. For details, refer to "Adding and Modifying Entries Using ldapmodify". For details on LDIF, see Chapter  2, "LDAP Data Interchange Format."

To add entries using an LDIF file and the Directory Server Console:

  1. Define the entries in an LDIF file.

    2. LDIF is described in Chapter  2, "LDAP Data Interchange Format."

  2. Import the LDIF file from the Directory Server Console.

    3. See "Importing Databases From LDIF" for information. When you import the LDIF file, select "Append to database" on the Import dialog box so that the server will only import entries that do not currently exist in the directory.

Adding and Modifying Entries Using ldapmodify

You use the ldapmodify command-line utility to modify entries in an existing Directory Server database. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and modifies the entries based on LDIF update statements contained in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything that ldapdelete can do.

For information on where you can find the command-line utilities in your Directory Server installation, see "Finding the Command-Line Utilities".

If schema checking is turned on when you use this utility, then the server performs schema checking for the entire entry when it is modified. If the server detects an attribute or object class in the entry that is not known to the server, then the entire modify operation fails. Also, if a required attribute is not present, the modify operation fails. This happens even if the offending object class or attribute is not being modified.

This situation occurs if you ran the Directory Server with schema checking turned off, added unknown object classes or attributes, and then turned schema checking on.

Note. You cannot create a root entry (such as o=airius.com) using ldapmodify unless you bind to the directory as the root DN, for example, cn=Directory Manager.

For more information, see "Turning Schema Checking On and Off".

This section provides information about:

Commonly Used ldapmodify Parameters

To modify an entry or entries in an existing directory, use the ldapmodify command-line utility with the following parameters:

-a. Allows you to add LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory. This option also allows you to directly add a file created by ldapsearch.

-D. Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the directory server, and it must also have the authority to modify the entries. For example, -D uid=bjensen, o=airius.com. You cannot use this parameter with the -N parameter.

-f. Optional parameter that specifies the file containing the LDIF update statements used to define the directory modifications. For example, -f modify_statements. If you do not supply this parameter, the update statements are read from stdin. For information on supplying LDIF update statements from the command line, refer to "Providing Input From the Command Line".

-h. Specifies the name of the host on which the server is running. For example, -h cyclops.

-p. Specifies the port number that the server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636.

-w. Specifies the password associated with the distinguished name specified in the
-D parameter. For example, -w mypassword.

SSL Parameters

You can use the following command-line parameters to specify that ldapmodify is to use LDAP over SSL (LDAPS) when communicating with your Directory Server. LDAPS encrypts data during transit. You also use these parameters if you want to use certificate-based authentication. These parameters are valid only when SSL has been turned on and configured for your Directory Server. For more information on certificate-based authentication, see See  "Using Certificate-Based Authentication". For information on creating a certificate database for use with LDAP clients, see See  "Creating Certificate Databases for LDAP Clients".

Make sure that you specify your Directory Server's encrypted port when you use these parameters:

-I. FORTEZZA only. Specifies the personal identification number (PIN) associated with the FORTEZZA crypto card and certificate you specified in the -Q parameter.

-K. Specifies the name of the certificate key used for certificate-based client authentication. For example, -K Server-Key.

-N. Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this parameter is specified, then the -Z, and -W parameters are required. Also, if this parameter is specified, then the -D and -w parameters must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.

-P. Specifies the path and filename of the security files for the client. This parameter is used only with the -Z parameter. When used on a machine where a SSL-enabled web browser is configured, the path specified on this parameter can be pointed to the security database for the web browser. For example, -P c:\security\cert.db. You can also store the client security files on the Directory Server in the <NSHOME>/alias directory. In this case, the -P parameter calls out a path and filename similar to the following: -P  c:\Netscape\Suitespot\alias\client-cert.db

-Q. FORTEZZA only. Specifies the number of the slot into which you plugged your FORTEZZA crypto card and, optionally, the name of the FORTEZZA certificate you want to use. The slot number and certificate name are separated by a colon. For example, if you plugged your crypto card into slot 2 and want to use the certificate named doe, you would specify the following: -Q 2:doe.

-W. Specifies the password for the certificate database identified on the -P parameter. For example, -W serverpassword.

-X. FORTEZZA only. Specifies the path and filename of the compromised key list (CKL).

-Z. Specifies that SSL is to be used for the directory request.

Additional ldapmodify Parameters

The following parameters offer additional functionality:

-b. Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG. For example, if you wanted to add a jpegPhoto attribute, then specify the -b parameter on the ldapmodify call. In the LDIF you provide to ldapmodify, include something like the following:

jpegPhoto: /tmp/photo.jpeg

ldapmodify reads the contents of the photo.jpeg file into the jpegPhoto attribute that you are placing on the entry.

On Windows NT, the format of this parameter is exactly the same (including the forward slashes, except that you can specify a drive letter. For example:

jpegPhoto: c:/tmp/photo.jpeg

-c. Specifies that the utility run in continuous operation mode. Errors are reported, but the utility continues with modifications. The default is to quit after reporting an error.

-H. Lists all available ldapmodify parameters.

-M. Manage smart referrals. Causes the server to not return the smart referral contained on the entry, but to instead apply the modification request directly to the entry. Use this parameter if you are attempting to add, change, or delete a directory entry that contains a smart referral. For more information about smart referrals, see "Creating and Changing Smart Referrals".

-n. Specifies that the entries are not to be actually modified, but that ldapmodify is to show what it would do with the specified input.

-O. Specifies the maximum number of referral hops to follow. For example, -O 2.

-R. Specifies that referrals are not to be followed automatically.

-v. Specifies that the utility is to run in verbose mode.

-V. Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You can not perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.

-y. Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see "Overview of Proxied Authorization".

ldapmodify Example

Suppose:

Then to modify the entries, first specify the appropriate LDIF update statements in the modify_statements file, and then enter the following command:

ldapmodify -D "cn=Directory Manager, o=airius.com" -w King-Pin -h cyclops -p 845 -f modify_statements

Deleting Entries Using ldapdelete

You use the ldapdelete command-line utility to delete entries from an existing Directory Server database. This utility opens a connection to the specified server using the distinguished name and password you provide, and deletes the entry or entries. (For information on where you can find the command-line utilities in your Directory Server installation, see "Finding the Command-Line Utilities".)

You can only delete entries at the end of a branch. You cannot delete entries that are branch points in the directory tree. For example, of the following three entries:

ou=People, o=airius.com
cn=Paula Simon, ou=People, o=airius.com
cn=Jerry O'Connor, ou=People, o=airius.com

you can delete only the last two entries. The entry that identifies the People subtree can be deleted only if no other entries exist below it. If you want to delete ou=People, o=airius.com, you must first delete cn=Paula Simon, ou=People, o=airius.com and cn=Jerry O'Connor, ou=People, o=airius.com.

This section provides information about:

Commonly Used ldapdelete Parameters

To delete an entry or entries from an existing database, use the ldapdelete command-line utility with the following parameters:

-D. Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example, -D uid=bjensen, o=airius.com. Access control is described in Chapter  5, "Managing Access Control." If you use the -D parameter, you cannot use the -N parameter.

-h. Specifies the name of the host on which the server is running. For example, -h cyclops. The default is localhost.

-p. Specifies the port number that the server uses. Default is 389. If -Z is used, the default is 636.

-w. Specifies the password associated with the distinguished name specified in the
-D parameter. For example, -w mypassword. The default is "", or anonymous.

SSL Parameters

You can use the following parameters to specify that ldapdelete use LDAPS when communicating with your Directory Server. You also use these parameters if you want to use certificate-based authentication. These parameters are valid only when LDAPS has been turned on and configured for your Directory Server. For more information on certificate-based authentication, see See  "Using Certificate-Based Authentication". For information on creating a certificate database for use with LDAP clients, see See  "Creating Certificate Databases for LDAP Clients".

Make sure that you specify your Directory Server's encrypted port when you use these parameters:

-I. FORTEZZA Only. Specifies the personal identification number (PIN) associated with the FORTEZZA crypto card and certificate you specified in the -Q parameter.

-K. Specifies the name of the certificate key used for certificate-based client authentication. For example, -K Server-Key.

-N. Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this parameter is specified, then the -Z, and -W parameters are required. Also, if this parameter is specified, then the -D and -w parameters must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.

-P. Specifies the path and filename of the security files for the client. This parameter is used only with the -Z parameter. When used on a machine where an SSL-enabled web browser is configured, the path specified on this parameter can point to the security database for the web browser. For example, -P c:\security\cert.db. The client security files can also be stored on the Directory Server in the <NSHOME>/alias directory (where NSHOME is the directory where you installed the server). In this case, the -P parameter calls out a path and filename similar to the following: -P  c:\Netscape\Suitespot\alias\client-cert.db.

-Q. FORTEZZA Only. Specifies the number of the slot into which you plugged your FORTEZZA crypto card and, optionally, the name of the FORTEZZA certificate you want to use. The slot number and certificate name are separated by a colon. For example, if you plugged your crypto card into slot 2 and want to use the certificate named doe, you would specify the following: -Q 2:doe.

-W. Specifies the password for the certificate database identified on the -P parameter. For example, -W serverpassword.

-X. FORTEZZA Only. Specifies the path and filename of the compromised key list (CKL).

-Z. Specifies that SSL is to be used for the delete request.

Additional ldapdelete Parameters

The following parameters offer additional functionality:

-c. Specifies that the utility run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error.

-f. Specifies the file containing the distinguished names of entries to be deleted. For example, -f modify_statements. Omit this parameter if you want to supply the distinguished name of the entry to be deleted directly to the command line.

-H. Lists all available ldapdelete parameters.

-M. Manage smart referrals. Causes the server to not return the smart referral contained on the entry, but to instead delete the actual entry containing the smart referral. For more information about smart referrals, see "Creating and Changing Smart Referrals".

-n. Specifies that the entries are not to be actually deleted, but that ldapdelete is to show what it would do with the specified input.

-O. Specifies the maximum number of referral hops to follow. For example, -O 2.

-R. Specifies that referrals are not to be followed automatically. By default, the server follows referrals.

-v. Specifies that the utility is to run in verbose mode.

-V. Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.

-y. Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see "Overview of Proxied Authorization".

ldapdelete Examples

Suppose:

Then to delete the entries for users Robert Jenkins and Lisa Jangles, enter the following command:

ldapdelete -D "cn=Directory Manager, o=airius.com" -w King~Pin -h cyclops -p 845 "cn=Robert Jenkins, ou=People, o=airius.com" "cn=Lisa Jangles, ou=People, o=airius.com"

To delete user Patricia Fuentes from the Airius Bolivia, S.A. tree, you would enter the following command:

ldapdelete -D "cn=Directory Manager, o=airius.com" -w King~Pin -h cyclops -p 845 "cn=Patricia Fuentes, ou=People, o=Airius Bolivia\, S.A."

The DN of this entry contains a comma, so you must escape the comma with a backslash (\).


LDIF Update Statements
You use LDIF update statements to define how ldapmodify should change your directory. In general, LDIF update statements are a series of statements that:

The general format of LDIF update statements is as follows:

dn: <distinguished name>
<changetype identifier>
<change operation identifier>
<list of attributes>

...

-

<change operation identifier>
<list of attributes>
...

-

...

Note. A dash (-) must be used to denote the end of a change operation if subsequent change operations are specified. For example, the following statement adds the telephone number and manager attributes to the entry: §

dn: cn=Lisa Jangles, ou=People, o=airius.com
changetype: modify
add: telephonenumber
telephonenumber: (408) 555-2468
-
add: manager
manager: cn=Harry Cruise, ou=People, o=airius.com

In addition, the line continuation operator is a single space. Therefore, the following two statements are identical:

dn: cn=Lisa Jangles, ou=People, o=airius.com

dn: cn=Lisa Jangles,
ou=People,
o=airius.com

The following sections describe the changetypes in detail.

Adding an Entry Using LDIF

You use changetype: add to add an entry to your directory. When you add an entry, make sure to create an entry representing a branch point before you try to create new entries under that branch. That is, if you want to place an entry in a People and an Groups subtree, then create the branch point for those subtrees before creating entries within the subtrees.

The following LDIF update statements can be used to create the People and the Groups subtrees, and then create entries within those trees:

dn: o=airius.com
changetype: add
objectclass: top
objectclass: organization
o: airius.com

dn: ou=People, o=airius.com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: People
ou: Marketing

dn: cn=Pete Minsky, ou=People, o=airius.com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Pete Minsky
givenName: Pete
sn: Minsky
ou: People
ou: Marketing
uid: pminsky

dn: cn=Sue Jacobs, ou=People, o=airius.com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Sue Jacobs
givenName: Sue
sn: Jacobs
ou: People
ou: Marketing
uid: sjacobs

dn: ou=Groups, o=airius.com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: Groups

dn: cn=Administrators, ou=Groups, o=airius.com
changetype: add
objectclass: top
objectclass: groupOfNames
member: cn=Sue Jacobs, ou=People, o=airius.com
member: cn=Pete Minsky, ou=People, o=airius.com
cn: Administrators

dn: ou=Airius Bolivia\, S.A., o=airius.com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: Airius Bolivia\, S.A.

dn: cn=Carla Flores, ou=Airius Bolivia\, S.A., o=airius.com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Carla Flores
givenName: Carla
sn: Flores
ou: Airius Bolivia\, S.A.
uid: cflores

Using the ldapmodify -a Parameter

If you are simply adding entries to your directory, you can avoid the changetype: add statement by specifying the -a parameter on the call to ldapmodify. In this case, simply provide LDIF (as opposed to LDIF update statements) to ldapmodify. For example:

> ldapmodify -a -h <hostname> -p <port> -D <bind dn> -w <password>
dn: o=airius.com
objectclass: top
objectclass: organization
o: airius.com

dn: ou=People, o=airius.com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: cn=Pete Minsky, ou=People, o=airius.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Pete Minsky
givenName: Pete
sn: Minsky
ou: People
ou: Marketing

...

^z

Renaming an Entry Using LDIF

You use changetype:modrdn to change an entry's relative distinguished name (RDN). An entry's RDN is the leftmost element in the distinguished name. Therefore, the RDN for:

cn=Barry Nixon, ou=People, o=airius.com

is:

cn=Barry Nixon

And the RDN for:

ou=People, o=airius.com

is:

ou=People

Therefore, this rename operation allows you to change the left-most value in an entry's distinguished name. For example, the entry:

cn=Sue Jacobs, ou=People, o=airius.com

can be modified to be:

cn=Susan Jacobs, ou=People, o=airius.com

but it cannot be modified to be:

cn=Sue Jacobs, ou=old employees, o=airius.com

The following example can be used to rename Sue Jacobs to Susan Jacobs:

dn: cn=Sue Jacobs, ou=Marketing, o=airius.com
changetype: modrdn
newrdn: cn=Susan Jacobs
deleteoldrdn: 0

Because deleteoldrdn is 0, this example retains the existing RDN as a value in the new entry. The resulting entry would therefore have a common name (cn) attribute set to both Sue Jacobs and Susan Jacobs in addition to all the other attributes included in the original entry. However, if you used

dn: cn=Sue Jacobs, ou=Marketing, o=airius.com
changetype: modrdn
newrdn: cn=Susan Jacobs
deleteoldrdn: 1

then the server would delete cn=Sue Jacobs and only cn=Susan Jacobs would remain within the entry.

A Note on Renaming Entries

You cannot rename an entry with the modrdn changetype such that the entry moves to a completely different subtree. To move an entry to a completely different branch you must create a new entry in the alternative subtree using the old entry's attributes, and then delete the old entry.

Also, for the same reasons that you cannot delete an entry if it is a branch point, you cannot rename an entry if it has any children. Doing so would orphan the children in the tree, which is not allowed by the LDAP protocol. For example, of the following three entries:

ou=People, o=airius.com
cn=Paula Simon, ou=People, o=airius.com
cn=Jerry O'Connor, ou=People, o=airius.com

you can only rename the last two entries. The entry that identifies the People subtree can only be renamed if no other entries exist below it.

Modifying an Entry Using LDIF

Use changetype:modify to add, replace, or remove attributes and/or attribute values to the entry. When you specify changetype:modify, you must also provide a change operation to indicate how the entry is to be modified. Change operations can be:

This section contains the following topics:

Adding Attributes to Existing Entries Using LDIF

You use changetype:modify with the add operation to add an attribute and an attribute value to an entry.

For example, the following LDIF update statement adds a telephone number to the entry:

dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
add: telephonenumber
telephonenumber: 555-1212

The following example adds two telephone numbers to the entry:

dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
add: telephonenumber
telephonenumber: 555-1212
telephonenumber: 555-6789

The following example adds two telephonenumber attributes and a manager attribute to the entry:

dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
add: telephonenumber
telephonenumber: 555-1212
telephonenumber: 555-6789
-
add: manager
manager: cn=Sally Nixon, ou=People, o=airius.com

The following example adds a jpeg photograph to the directory. The jpeg photo can be displayed by the gateway. In order to add this attribute to the directory, you must use the ldapmodify -b parameter (which indicates that ldapmodify should read the referenced file for binary values if the attribute value begins with a slash (/)):

dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
add: jpegphoto
jpegphoto: /path/to/photo

Changing an Attribute Value Using LDIF

You use changetype:modify with the replace operation to change all values of an attribute in an entry.

For example, the following LDIF update statement changes Barney's manager from Sally Nixon to Wally Hensford:

dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
replace: manager
manager: cn=Wally Hensford, ou=People, o=airius.com

If the entry has multiple instances of the attribute, then to change one of the attribute values, you must delete the attribute value that you want to change, and then add the replacement value. For example, consider the following entry:

cn=Barney Fife, ou=People, o=airius.com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-1212
telephonenumber: 555-5678

To change 555-1212 to 555-4321, use the following LDIF update statement:

dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
delete: telephonenumber
telephonenumber: 555-1212
-
add: telephonenumber
telephonenumber: 555-4321

Barney's entry now is now as follows:

cn=Barney Fife, ou=People, o=airius.com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-5678
telephonenumber: 555-4321

Deleting All Values of an Attribute Using LDIF

You use changetype:modify with the delete operation to delete an attribute from an entry. If the entry has more than one instance of the attribute, you must indicate which of the attributes you want to delete.

For example, the following LDIF update statement deletes all instances of the telephonenumber attribute from the entry, regardless of how many times it appears in the entry:

dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
delete: telephonenumber

If you want to delete just a specific instance of the telephonenumber attribute, then you simply delete that specific attribute value. The following section describes how to do this.

Deleting a Specific Attribute Value Using LDIF

You use changetype:modify with the delete operation to delete an attribute value from an entry. You must then indicate which of the actual attributes you want to delete.

For example, consider the following entry:

cn=Barney Fife, ou=People, o=airius.com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-1212
telephonenumber: 555-5678

To delete the 555-1212 telephone number from this entry, use the following LDIF update statement:

dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
delete: telephonenumber
telephonenumber: 555-1212

Barney's entry then becomes:

cn=Barney Fife, ou=People, o=airius.com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-5678

Deleting an Entry Using LDIF

You use changetype:delete to delete an entry from your directory. You can only delete entries at the end of a branch. Therefore, when you delete an entry, make sure that no other entries exist under that entry in the directory tree. That is, you cannot delete an organizational unit entry unless you have first deleted all the entries that belong to the organizational unit.

For example, of the following three entries:

ou=People, o=airius.com
cn=Paula Simon, ou=People, o=airius.com
cn=Jerry O'Connor, ou=People, o=airius.com

you can delete only the last two entries. The entry that identifies the People subtree can be deleted only if no other entries exist below it.

The following LDIF update statements can be used to delete person entries:

dn: cn=Pete Minsky, ou=People, o=airius.com
changetype: delete

dn: cn=Sue Jacobs, ou=People, o=airius.com
changetype: delete

Modifying an Entry in an Internationalized Directory

If the attribute values in your directory are associated with one or more languages other than English, the attribute values are associated with language tags. When using the ldapmodify command-line utility to modify an attribute that has an associated language tag, you must match the value and language tag exactly or the modify operation will fail.

For example, if you want to modify an attribute value that has a language tag of lang-fr, you must include the lang-fr in the modify operation as follows:

dn: bjensen, o=airius.com
changetype: modify
replace: homePostalAddress;lang-fr
homePostalAddress;lang-fr: 34 rue Seine

 

© Copyright 1999 Netscape Communications Corporation, a subsidiary of America Online, Inc. All Rights Reserved.