LDAP Setup and Configuration Guide

Command Line Tools

LDAP provides command line tools that correspond to the operations performed by the LDAP API. Each tool supports a common set of options, including authentication and bind parameters.

The ldapsearch, ldapadd, and ldapmodify tools support a common text-based format for representing directory information called the LDAP Data Interchange Format (LDIF).

LDAP Data Interchange Format

LDIF is the format produced by the ldapsearch tool, the format accepted by the ldapadd tool, and is the basis for the change information format that the ldapmodify tool uses.

An LDIF file contains one or more entries. Each entry is separated by an empty line. The basic form of an LDIF file entry is:


 [id]
dn: entryDN
attrtype: attrvalue
...

where:

The attrtype: attrvalue line can be repeated as many times as necessary to list all of the attribute values present in an entry. The line can be continued by inserting a single space or horizontal tab character at the start of the next line.

For example, an LDIF file that contains Joe Qwerty's entry includes five attributes (cn and objectclass have two values):


dn: cn=Joseph Qwerty, o=Ultra Keyboards Inc., c=US
cn: Joseph Qwerty
cn: Joe Qwerty
sn: Qwerty
mail: jqwerty@ultra.com
seeAlso: cn=Joe Qwerty, ou=Engineering Division, o=Peo
 ple, o=IEEE, c=US
objectClass: top
objectClass: person

Note –

The value of seeAlso is split across two lines by inserting a single space character at the start of the line that begins with “ ple, ...”.


How to Search the Directory

Use ldapsearch(1) to find a directory entry. ldapsearch opens a connection to the LDAP directory server, binds to the directory server, and performs a search of the directory.

  1. Find members of IEEE that work at Ultra Keyboards in the United States.


    % ldapsearch -L -b "o=IEEE, o=Ultra Keyboards Inc., c=US" uid=\*

The results of the search are:


dn: uid=jqwerty, o=IEEE, o=Ultra keyboards Inc., c=US
uid: jqwerty
cn: jqwerty
userpassword: {crypt}somecryptedtext
uidnumber: 12345
gidnumber: 123
gecos: Joseph Qwerty
homedirectory: /home/jqwerty
loginshell: /bin/csh
objectclass: top
objectclass: shadowAccount
objectclass: account
objectclass: posixAccount
shadowlastchange: 3455

dn: uid=bhand, o=IEEE, o=Ultra keyboards Inc., c=US
uid: bhand
cn: bhand
userpassword: {crypt}somecryptedtext
uidnumber: 12347
gidnumber: 123
gecos: William Handset
homedirectory: /home/bhand
loginshell: /bin/csh
objectclass: top
objectclass: shadowAccount
objectclass: account
objectclass: posixAccount
shadowlastchange: 3440
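
The search above passes the filter uid=\* to ldapsearch, where the asterisk is a deliberate wildcard (the backslash only keeps the shell from expanding it). When the value in a filter comes from user input instead, it has to be escaped per RFC 4515 so that *, (, ), \ and NUL in the value are matched literally and cannot alter the filter's structure. The following is an added example, not code from the guide; the helper names (escape_filter_value, uid_filter, build_search_argv) are assumptions:

```python
"""Build ldapsearch filters safely (added example, not from the guide)."""
from typing import List

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value. Everything else is passed through unchanged.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(uid: str) -> str:
    """Equality filter for a single user, with uid treated as data."""
    return f"(uid={escape_filter_value(uid)})"


def wildcard_uid_filter() -> str:
    """The guide's own filter: every entry that has a uid attribute."""
    return "(uid=*)"


def build_search_argv(base_dn: str, filter_str: str) -> List[str]:
    """argv for ldapsearch as the guide invokes it: -L for LDIF output,
    -b for the search base. Passing a list to subprocess (rather than a
    shell string) means no shell quoting or globbing applies to the filter."""
    return ["ldapsearch", "-L", "-b", base_dn, filter_str]


if __name__ == "__main__":
    base = "o=IEEE, o=Ultra Keyboards Inc., c=US"   # the guide's search base
    print(build_search_argv(base, wildcard_uid_filter()))
    print(build_search_argv(base, uid_filter("jq*werty)")))
```

Hand the resulting list to subprocess.run without shell=True; the filter is then a single argument exactly as built, which is the equivalent of the quoting the guide's shell command relies on.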

How to Modify a Directory Entry

Use ldapmodify(1) to change a directory entry. ldapmodify opens a connection to the LDAP directory server, binds to the directory server, and performs a sequence of LDAP modify operations on the directory.

  1. Bind as the directory manager (password “enigma”) and add the email address eng@ultra.com to the Joe Qwerty entry.


    % ldapmodify -D "cn=Manager, o=Ultra Keyboards Inc., \
    c=US" -w enigma < modfile

The contents of modfile are:


dn: cn=carol,ou=People,o=Ultra Keyboards Inc.,c=US
changetype: modify
replace: userpassword
userpassword: {crypt}mgq25KV6CE0p6
-
replace: objectclass
objectclass: top
objectclass: shadowAccount
objectclass: account
objectclass: posixAccount
-
add: shadowlastchange
shadowlastchange: 6447
-

dn: cn=stephen,ou=People,o=Ultra Keyboards Inc.,c=US
changetype: modify
replace: userpassword
userpassword: {crypt}w.4P1JPV3w.Zs
-
replace: objectclass
objectclass: top
objectclass: shadowAccount
objectclass: account
objectclass: posixAccount
-
add: shadowlastchange
shadowlastchange: 6447
-

dn: cn=frank,ou=People,o=Ultra Keyboards Inc.,c=US
changetype: modify
replace: userpassword
userpassword: {crypt}mMBEaHRlf5rJQ
-
replace: objectclass
objectclass: top
objectclass: shadowAccount
objectclass: account
objectclass: posixAccount
-
add: shadowlastchange
shadowlastchange: 9712
-

Note –

A line with just a hyphen separates a series of modification commands for the same directory entry. A blank line separates different directory entries.
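
The two LDIF forms the guide describes, the entry format (continuation lines that begin with a single space or tab, as in the folded seeAlso value earlier) and the ldapmodify change-record format (modifications for one entry separated by a hyphen line, entries separated by a blank line), can be read with a small parser. The following is an added example, not code from the guide or from any LDAP tool; the sample input is constructed from the guide's entries and the function names are assumptions:

```python
"""Minimal LDIF reader for entries and changetype: modify records
(added example, not from the guide)."""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample: the guide's Joe Qwerty entry, seeAlso folded.
ENTRY_LDIF = """\
dn: cn=Joseph Qwerty, o=Ultra Keyboards Inc., c=US
cn: Joseph Qwerty
cn: Joe Qwerty
sn: Qwerty
mail: jqwerty@ultra.com
seeAlso: cn=Joe Qwerty, ou=Engineering Division, o=Peo
 ple, o=IEEE, c=US
objectClass: top
objectClass: person
"""

# Constructed sample: one change record in ldapmodify form.
MODIFY_LDIF = """\
dn: cn=carol,ou=People,o=Ultra Keyboards Inc.,c=US
changetype: modify
replace: userpassword
userpassword: {crypt}mgq25KV6CE0p6
-
replace: objectclass
objectclass: top
objectclass: posixAccount
-
add: shadowlastchange
shadowlastchange: 6447
-
"""


def unfold(text: str) -> List[str]:
    """Logical lines: a line starting with one space or tab continues the
    previous line with that single leading character removed."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):               # comment line
            continue
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_records(lines: List[str]) -> List[List[str]]:
    """Blank lines separate records."""
    records: List[List[str]] = []
    current: List[str] = []
    for line in lines:
        if line.strip():
            current.append(line)
        elif current:
            records.append(current)
            current = []
    if current:
        records.append(current)
    return records


def parse_attr(line: str) -> Tuple[str, str]:
    """'attrtype: attrvalue' -> (type, value); 'attrtype:: b64' is decoded.
    Attribute types are case-insensitive, so they are lowercased."""
    name, sep, value = line.partition(":")
    if not sep or not name:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if value.startswith(":"):
        return name.strip().lower(), base64.b64decode(value[1:].strip()).decode()
    return name.strip().lower(), value.strip()


def parse_entry(record: List[str]) -> Dict[str, List[str]]:
    """Entry record (ldapsearch output / ldapadd input) -> type -> values."""
    name, dn = parse_attr(record[0])
    if name != "dn":
        raise ValueError("record must begin with a dn line")
    entry: Dict[str, List[str]] = {"dn": [dn]}
    for line in record[1:]:
        name, value = parse_attr(line)
        entry.setdefault(name, []).append(value)
    return entry


Modification = Tuple[str, str, List[str]]   # (add|delete|replace, type, values)


def parse_modify(record: List[str]) -> Tuple[str, List[Modification]]:
    """changetype: modify record -> (dn, modifications split on '-' lines)."""
    name, dn = parse_attr(record[0])
    ct_name, ct_value = parse_attr(record[1])
    if name != "dn" or ct_name != "changetype" or ct_value != "modify":
        raise ValueError("expected a dn line followed by changetype: modify")
    mods: List[Modification] = []
    current: Optional[Modification] = None
    for line in record[2:]:
        if line == "-":                       # end of one modification
            if current is None:
                raise ValueError("'-' with no preceding modification")
            mods.append(current)
            current = None
            continue
        name, value = parse_attr(line)
        if current is None:
            if name not in ("add", "delete", "replace"):
                raise ValueError(f"expected add/delete/replace, got {name!r}")
            current = (name, value.lower(), [])
        elif name != current[1]:
            raise ValueError(f"{name!r} inside modification of {current[1]!r}")
        else:
            current[2].append(value)
    if current is not None:                   # trailing '-' is optional
        mods.append(current)
    return dn, mods


def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    return [parse_entry(r) for r in split_records(unfold(text))]


def parse_modifies(text: str) -> List[Tuple[str, List[Modification]]]:
    return [parse_modify(r) for r in split_records(unfold(text))]
```

Running parse_entries on the sample yields the unfolded seeAlso value with "People" rejoined, and parse_modifies returns the three modifications for carol in order; a stray "-" or a value line that does not belong to the open modification is rejected rather than silently merged into the next change.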


If the operation is successful, ldapmodify returns a message similar to the following:


# ldapmodify -D "cn=Directory Manager" -w nssecret -f domain.ldif
modifying entry dc=sun,dc=com

If unsuccessful an error message is displayed.

How to Add an Entry to the Directory

Use ldapadd(1) to add an entry to the directory. ldapadd opens a connection to the LDAP directory server, binds to the directory server, and performs a sequence of LDAP add operations on the directory.

  1. Bind as the directory manager (password “enigma”) and add entries for Penny Gold and Amy Lamb.


    % ldapadd -D "cn=Manager, o=Ultra Keyboards Inc., \
    c=US" -w enigma < addfile

The contents of addfile are:


dn: cn=Penny Gold, o=Ultra Keyboards Inc., c=US
changetype: add
objectclass: top
objectclass: person
objectclass: inetOrgPerson
cn: Penny Gold
sn: Gold
mail: pgold@ultra.com

dn: cn=Amy Lamb, o=Ultra Keyboards Inc., c=US
changetype: add
objectclass: top
objectclass: person
objectclass: inetOrgPerson
cn: Amy Lamb
sn: Lamb
mail: alamb@ultra.com

How to Delete an Entry From the Directory

Use ldapdelete(1) to delete an entry from the directory. ldapdelete opens a connection to the LDAP directory server, binds to the directory server, and performs one or more LDAP delete entry operations on the directory.

  1. Bind as the directory manager (password “enigma”) and delete the entry for Penny Gold.


    % ldapdelete -D "cn=Manager, o=Ultra Keyboards Inc., \
    c=US" -w enigma "cn=Penny Gold, o=Ultra Keyboards Inc., c=US"

ldapdelete returns nothing if the operation is successful; otherwise, an error message is displayed.

How to Rename a Directory Entry

Use ldapmodrdn(1) to rename an existing directory entry. ldapmodrdn opens a connection to the LDAP directory server, binds to the directory server, and performs one or more LDAP modify RDN (rename) operations on the directory.

  1. Bind as the directory manager (password “enigma”) and change the RDN cn value from “User Interface” to “Ergonomic”.


    % ldapmodrdn -r -D "cn=Manager, o=Ultra Keyboards Inc., \
    c=US" -w enigma "cn=User Interface, o=Ultra Keyboards Inc., \
    c=US" "cn=Ergonomic"

ldapmodrdn returns nothing if the operation is successful; otherwise, an error message is displayed.