1 .TH LDAPMODIFY 1 "17 August 1999" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-1999 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
28 .BI \-d \ debuglevel\fR]
36 .BI \-h \ ldaphost\fR]
38 .BI \-p \ ldapport\fR]
40 .BI \-P \ 2\fR\||\|\fI3\fR]
46 .BI \-U \ username\fR]
74 .BI \-d \ debuglevel\fR]
82 .BI \-h \ ldaphost\fR]
84 .BI \-p \ ldapport\fR]
86 .BI \-P \ 2\fR\||\|\fI3\fR]
92 .BI \-U \ username\fR]
103 is a shell-accessible interface to the
109 is implemented as a hard link to the ldapmodify tool. When invoked as
111 the -a (add new entry) flag is turned on automatically.
114 opens a connection to an LDAP server, binds, and modifies or adds entries.
115 The entry information is read from standard input or from \fIfile\fP through
116 the use of the -f option.
120 Add new entries. The default for
122 is to modify existing entries. If invoked as
124 this flag is always set.
127 Assume that any values that start with a `/' are binary values and that
128 the actual value is in a file whose path is specified in the place where
129 values normally appear.
132 Continuous operation mode. Errors are reported, but
134 will continue with modifications. The default is to exit after
138 Replace existing values by default.
141 Show what would be done, but don't actually modify entries. Useful for
142 debugging in conjunction with -v.
145 Use verbose mode, with many diagnostics written to standard output.
148 Use Kerberos authentication instead of simple authentication. It is
149 assumed that you already have a valid ticket granting ticket. You must
150 compile with KERBEROS defined for this option to have any effect.
153 Same as \-k, but only does step 1 of the kerberos bind. This is useful
154 when connecting to a slapd and there is no x500dsa.hostname principal
155 registered with your kerberos servers.
158 Force application of all changes regardless of the contents of input
159 lines that begin with
161 (by default, replica: lines are compared against the LDAP server host
162 and port in use to decide if a replog record should actually be applied).
165 Enable manage DSA IT control.
167 makes control critical.
170 Set the LDAP debugging level to \fIdebuglevel\fP.
172 must be compiled with LDAP_DEBUG defined for this option to have any effect.
175 Read the entry modification information from \fIfile\fP instead of from
179 Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
180 a string-represented DN as defined in RFC 1779.
183 Prompt for simple authentication.
184 This is used instead of specifying the password on the command line.
187 Use \fIpasswd\fP as the password for simple authentication.
190 Specify an alternate host on which the ldap server is running.
193 Specify an alternate TCP port where the ldap server is listening.
195 .BI \-P \ 2\fR\||\|\fI3
196 Specify the LDAP protocol version to use.
199 Requset the use of SASL privacy (encryption). If the server allows it, data
200 sent between the client and the server will be encrypted. If the server
201 requires the use of encryption and this flag is not specified, the command
202 will fail. If you use
204 , the command will fail if the server does not support encryption.
210 Request the use of SASL integrity checking. It protects data sent between the
211 client and the server from being modified along the way, but it does not
212 prevent sniffing. If the server requires the use of integrity checking and
213 this flag is not specified, the command will fail.If you use
215 , the command will fail if the server does not support this function.
218 Specify the username for SASL bind. The syntax of the username depends on the
219 actual SASL mechanism used.
222 Specify the requested authorization ID for SASL bind.
224 must be one of the following formats:
226 .I <distinguished name>
232 Specify the SASL mechanism to be used for authentication. If it's not
233 specified, the program will choose the best mechanism the server knows.
236 Request the use of TLS (Transport Layer Security). If you use
238 , the command will fail if TLS negotiation does not succeed for some reason.
240 The contents of \fIfile\fP (or standard input if no \-f flag is given on
241 the command line) should conform to the format defined in
242 .BR slapd.replog (5),
243 with the exceptions noted below.
245 If the first line of a record consists of a decimal number (entry id),
248 Lines that begin with "replica:" are matched against the LDAP server host
249 and port in use to decide if a particular replog record should be applied.
250 Any other lines that precede the "dn:" line are ignored.
251 The -F flag can be used to force
253 to apply all of the replog changes, regardless of the presence or
254 absence of any "replica:" lines.
256 If no "changetype:" line is present, the default is "add" if the -a
257 flag is set (or if the program was invoked as
259 and "modify" otherwise.
261 If changetype is "modify" and no "add:", "replace:", or "delete:" lines
262 appear, the default is "replace" if the -r flag is set and "add"
265 Note that the above exceptions to the
269 entries to be used as input to
273 .SH ALTERNATIVE INPUT FORMAT
274 An alternative input format is supported for compatibility with older
277 This format consists of one or more entries separated by blank lines,
278 where each entry looks like:
281 Distinguished Name (DN)
286 where \fIattr\fP is the name of the attribute and \fIvalue\fP is the
289 By default, values are added. If the
292 given, the default is to replace existing values with the new one.
293 Note that it is permissible for a given attribute to appear more than
294 once (for example, to add more than one value for an attribute). Also
295 note that you can use a trailing `\\' to continue values across lines and
296 preserve newlines in the value itself (this is useful for modifying
297 QUIPU iattr attributes among others).
300 should be preceded by a \fB-\fP to remove a value. The `=' and
301 value should be omitted to remove an entire attribute.
304 should be preceded by a \fB+\fP to add a value in the presence of the
308 Assuming that the file
310 exists and has the contents:
313 dn: cn=Modify Me, dc=OpenLDAP, dc=Org
316 mail: modme@OpenLDAP.org
322 jpegPhoto:< file://tmp/modme.jpeg
331 ldapmodify -b -r -f /tmp/entrymods
334 will replace the contents of the "Modify Me" entry's
336 attribute with the value "modme@OpenLDAP.org", add a
338 of "Grand Poobah", and the contents of the file "/tmp/modme.jpeg"
341 and completely remove the
344 The same modifications as above can be performed using the older
349 cn=Modify Me, dc=OpenLDAP, dc=org
350 mail=modme@OpenLDAP.org
352 +jpegPhoto=/tmp/modme.jpeg
359 ldapmodify -b -r -f /tmp/entrymods
362 Assuming that the file
364 exists and has the contents:
367 dn: cn=Barbara Jensen, dc=OpenLDAP, dc=org
372 title: the world's most famous mythical manager
373 mail: bjensen@OpenLDAP.org
379 ldapadd -f /tmp/entrymods
382 will add a new entry for Babs Jensen, using the values from the
386 Assuming that the file
388 exists and has the contents:
391 dn: cn=Barbara Jensen, dc=OpenLDAP, dc=org
397 ldapmodify -f /tmp/entrymods
400 will remove Babs Jensen's entry.
402 Exit status is 0 if no errors occur. Errors result in a non-zero exit
403 status and a diagnostic message being written to standard error.
418 .IR "A String Representation of Distinguished Names",
421 ISODE Consortium, March 1995.
423 There is no interactive mode, but there probably should be.
426 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
428 is derived from University of Michigan LDAP 3.3 Release.