Skip Navigation Links | |
Exit Print View | |
man pages section 1: User Commands Oracle Solaris 11 Information Library |
- ldap entry addition and modification tools
ldapmodify [-a] [-c] [-r] [-n] [-v] [-F] [-b] [-A] [-q] [-H] [-?] [-E] [-J] [-Z] [-M] [-d debuglevel] [-D bindDN] [-j filename] [-J [:criticality]] [-B baseDN] [-V version] [-Y proxyDN] [-O hopLimit] [-i locale] [-k path] [-e errorFile] [-P path] [-N certificate] [-w passwd] [-o attributename=value] [-h ldaphost] [-W password] [-p ldapport] [-f file] [-l nb-ldap-connections]
ldapadd [-c] [-n] [-v] [-F] [ [-b] [-A] [-q] [-H] [-?] [-E] [-J] [-Z] [-M]-d debuglevel] [-D bindDN] [-j filename] [-B baseDN] [-V version] [-Y proxyDN] [-O hopLimit] [-i locale] [-k path] [-e errorFile] [-P path] [-N certificate] [-w passwd] [-o attributename=value] [-h ldaphost] [-W password] [-p ldapport] [-f file] [-l nb-ldap-connections]
The ldapmodify utility opens a connection to an LDAP server, binds and modifies or adds entries. The entry information is read from standard input or from file, specified using the -f option. The ldapadd utility is implemented as a hard link to the ldapmodify tool. When invoked as ldapadd, the -a (add new entry) option is turned on automatically.
Both ldapadd and ldapmodify reject duplicate attribute-name/value pairs for the same entry.
The following options are supported:
Adds new entries. The default for ldapmodify is to modify existing entries. If invoked as ldapadd, this option is always set.
Non-ASCII mode: display non-ASCII values, in conjunction with the -v option.
Handle binary files. The ldapmodify tool will scan every attribute value in the input to determine whether it is a valid file reference. If the reference is valid, it will use the contents of the file as the attribute's value. This option is used to input binary data, such as a JPEG image, for an attribute. For example, the corresponding LDIF input would be: jpegPhoto: /tmp/photo.jpg. The ldapmodify tool also supports the LDIF :< URL notation for directly including file contents.
Specify the base DN when performing additions, usually in double quotes ("") for the shell. All entries will be placed under this suffix, thus providing bulk import functionality.
Specifies continuous operation mode. Errors are reported, but ldapmodify and ldapadd continue with modifications. The default is to exit after reporting an error.
Uses the distinguished name bindDN to bind to the directory.
Sets the LDAP debugging level. Useful levels of debugging for ldapmodify and ldapadd are:
Trace
Packets
Arguments
Filters
Access control
To request more than one category of debugging information, add the masks. For example, to request trace and filter information, specify a debuglevel of 33.
Invalid update statements in the input will be copied to the errorFile for debugging. Use with the -c option to correct errors when processing large LDIF input.
Ask server to expose (report) bind identity by means of authentication response control.
Forces application of all changes regardless of the content of input lines that begin with replica:. By default, replica: lines are compared against the LDAP server host and port in use to decide whether a replog record should be applied.
Reads the entry modification information from file instead of from standard input.
Display the usage help text that briefly describes all options.
Display the usage help text that briefly describes all options.
Specifies an alternate host on which the LAPD server is running.
Specify the character set to use for the -f LDIFfile or standard input. The default is the character set specified in the LANG environment variable. You might choose to use this option to perform the conversion from the specified character set to UTF8, thus overriding the LANG setting.
Specify a file containing the password for the bind DN or the password for the SSL client's key database. To protect the password, use this option in scripts and place the password in a secure file. This option is mutually exclusive of the -w and -W options.
Criticality is a boolean value (default is false).
Specify the path to a directory containing conversion routines. These routines are used if you want to specify a locale that is not supported by default by your directory server. This is for NLS support.
Specifies the number of LDAP connections that ldapadd or ldapmodify will open to process the modifications in the directory. The default is one connection.
Manage smart referrals. When they are the target of the operation, modify the entry containing the referral instead of the entry obtained by following the referral.
Previews modifications, but makes no changes to entries. Useful in conjunction with -v and -d for debugging.
Specify the certificate name to use for certificate-based client authentication. For example: -N "Directory-Cert".
For SASL mechanisms and other options such as security properties, mode of operation, authorization ID, authentication ID, and so forth.
The different attribute names and their values are as follows:
For defining SASL security properties.
Specifies SASL realm (default is realm=none).
Specify the authorization ID name for SASL bind.
Specify the authentication ID for SASL bind.
Specifies the various SASL mechanisms.
Specify the maximum number of referral hops to follow while finding an entry to modify. By default, there is no limit.
Specifies an alternate TCP port where the secure LDAP server is listening.
Specify the path and filename of the client's certificate database. For example:
-P /home/uid/.netscape/cert7.db
When using the command on the same host as the directory server, you can use the server's own certificate database. For example:
-P installDir/lapd-serverID/alias/cert7.db
Use the -P option alone to specify server authentication only.
Replaces existing value with the specified value. This is the default for ldapmodify. When ldapadd is called, or if the -a option is specified, the -r option is ignored.
Uses verbose mode, with diagnostics written to standard output.
Specify the LDAP protocol version number to be used for the delete operation, either 2 or 3. LDAP v3 is the default. Specify LDAP v2 when connecting to servers that do not support v3.
Specify the password for the client's key database given in the -P option. This option is required for certificate-based client authentication. Specifying password on the command line has security issues because the password can be seen by others on the system by means of the ps command. Use the -j instead to specify the password from the file. This option is mutually exclusive of -j.
Use passwd as the password for authentication to the directory. When you use -w passwd to specify the password to be used for authentication, the password is visible to other users of the system by means of the ps command, in script files or in shell history. If you use either the ldapmodify command or the ldapadd command without this option, the command will prompt for the password and read it from standard in. When used without the -w option, the password will not be visible to other users.
Specify the proxy DN (proxied authorization id) to use for the modify operation, usually in double quotes ("") for the shell.
Specify that SSL be used to provide certificate-based client authentication. This option requires the -N and SSL password and any other of the SSL options needed to identify the certificate and the key database.
The following exit values are returned:
Successful completion.
An error occurred. A diagnostic message is written to standard error.
The format of the content of file (or standard input if no -f option is specified) is illustrated in the following examples.
Example 1 Modifying an Entry
The file /tmp/entrymods contains the following modification instructions:
dn: cn=Modify Me, o=XYZ, c=US changetype: modify replace: mail mail: modme@atlanta.xyz.com - add: title title: System Manager - add: jpegPhoto jpegPhoto:< file:///tmp/modme.jpeg - delete: description -
The command:
example% ldapmodify -r -f /tmp/entrymods
modifies the Modify Me entry as follows:
The current value of the mail attribute is replaced with the value, modme@atlanta.xyz.com.
A title attribute with the value, System Manager, is added.
A jpegPhoto attribute is added, using the contents of the file, /tmp/modme.jpeg, as the attribute value.
The description attribute is removed.
Example 2 Creating a New Entry
The file, /tmp/newentry, contains the following information for creating a new entry:
dn: cn=Ann Jones, o=XYZ, c=US objectClass: person cn: Ann Jones cn: Annie Jones sn: Jones title: Director of Research and Development mail: ajones@londonrd.xyz.us.com uid: ajones
The command
example% ldapadd -f /tmp/newentry
adds a new entry for Ann Jones, using the information in the file.
Example 3 Creating a New Entry on an IPv6 Server
The file, /tmp/newentry, contains the following information for creating a new entry: on an IPv6 server.
dn: cn=Ann Jones, o=XYZ, c=US objectClass: person cn: Ann Jones cn: Annie Jones sn: Jones title: Director of Research and Development mail: ajones@londonrd.xyz.us.com uid: ajones
The command
example% ldapadd -c -v -h '['fec0::111:a00:20ff:feaa:a364']':389 \ -D cn=Directory Manager -w secret \ -f /tmp/entry
adds a new entry for Directory Manager, using the information in the file.
Example 4 Deleting an Entry
The file, /tmp/badentry, contains the following information about an entry to be deleted:
dn: cn=Ann Jones, o=XYZ, c=US changetype: delete
The command:
example% ldapmodify -f /tmp/badentry
removes Ann Jones' entry.
See attributes(5) for a description of the following attributes:
|
ldapdelete(1), ldaplist(1), ldapmodrdn(1), ldapsearch(1), ldapaddent(1M), ldap_cachemgr(1M), ldap_get_option(3LDAP), ldap_set_option(3LDAP), attributes(5), ldap(5)