1 .TH LDAPMODIFY 1 "20 April 2000" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
30 .BI \-d \ debuglevel\fR]
38 .BI \-h \ ldaphost\fR]
40 .BI \-p \ ldapport\fR]
42 .BI \-P \ 2\fR\||\|\fI3\fR]
48 .BI \-U \ username\fR]
76 .BI \-d \ debuglevel\fR]
84 .BI \-h \ ldaphost\fR]
86 .BI \-p \ ldapport\fR]
88 .BI \-P \ 2\fR\||\|\fI3\fR]
94 .BI \-U \ username\fR]
105 is a shell-accessible interface to the
111 is implemented as a hard link to the ldapmodify tool. When invoked as
113 the -a (add new entry) flag is turned on automatically.
116 opens a connection to an LDAP server, binds, and modifies or adds entries.
117 The entry information is read from standard input or from \fIfile\fP through
118 the use of the -f option.
122 Add new entries. The default for
124 is to modify existing entries. If invoked as
126 this flag is always set.
129 Assume that any values that start with a `/' are binary values and that
130 the actual value is in a file whose path is specified in the place where
131 values normally appear.
134 Automatically chase referrals.
137 Continuous operation mode. Errors are reported, but
139 will continue with modifications. The default is to exit after
143 Replace existing values by default.
146 Show what would be done, but don't actually modify entries. Useful for
147 debugging in conjunction with -v.
150 Use verbose mode, with many diagnostics written to standard output.
153 Use Kerberos authentication instead of simple authentication. It is
154 assumed that you already have a valid ticket granting ticket. You must
155 compile with KERBEROS defined for this option to have any effect.
158 Same as \-k, but only does step 1 of the kerberos bind. This is useful
159 when connecting to a slapd and there is no x500dsa.hostname principal
160 registered with your kerberos servers.
163 Force application of all changes regardless of the contents of input
164 lines that begin with
166 (by default, replica: lines are compared against the LDAP server host
167 and port in use to decide if a replog record should actually be applied).
170 Enable manage DSA IT control.
172 makes control critical.
175 Set the LDAP debugging level to \fIdebuglevel\fP.
177 must be compiled with LDAP_DEBUG defined for this option to have any effect.
180 Read the entry modification information from \fIfile\fP instead of from
184 Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
185 a string-represented DN as defined in RFC 1779.
188 Prompt for simple authentication.
189 This is used instead of specifying the password on the command line.
192 Use \fIpasswd\fP as the password for simple authentication.
195 Specify an alternate host on which the ldap server is running.
198 Specify an alternate TCP port where the ldap server is listening.
200 .BI \-P \ 2\fR\||\|\fI3
201 Specify the LDAP protocol version to use.
204 Requset the use of SASL privacy (encryption). If the server allows it, data
205 sent between the client and the server will be encrypted. If the server
206 requires the use of encryption and this flag is not specified, the command
207 will fail. If you use
209 , the command will fail if the server does not support encryption.
215 Request the use of SASL integrity checking. It protects data sent between the
216 client and the server from being modified along the way, but it does not
217 prevent sniffing. If the server requires the use of integrity checking and
218 this flag is not specified, the command will fail.If you use
220 , the command will fail if the server does not support this function.
223 Specify the username for SASL bind. The syntax of the username depends on the
224 actual SASL mechanism used.
227 Specify the requested authorization ID for SASL bind.
229 must be one of the following formats:
231 .I <distinguished name>
237 Specify the SASL mechanism to be used for authentication. If it's not
238 specified, the program will choose the best mechanism the server knows.
241 Issue StartTLS (Transport Layer Security) extended operation. If you use
243 , the command will require the operation to be successful.
245 The contents of \fIfile\fP (or standard input if no \-f flag is given on
246 the command line) should conform to the format defined in
247 .BR slapd.replog (5),
248 with the exceptions noted below.
250 If the first line of a record consists of a decimal number (entry id),
253 Lines that begin with "replica:" are matched against the LDAP server host
254 and port in use to decide if a particular replog record should be applied.
255 Any other lines that precede the "dn:" line are ignored.
256 The -F flag can be used to force
258 to apply all of the replog changes, regardless of the presence or
259 absence of any "replica:" lines.
261 If no "changetype:" line is present, the default is "add" if the -a
262 flag is set (or if the program was invoked as
264 and "modify" otherwise.
266 If changetype is "modify" and no "add:", "replace:", or "delete:" lines
267 appear, the default is "replace" if the -r flag is set and "add"
270 Note that the above exceptions to the
274 entries to be used as input to
278 .SH ALTERNATIVE INPUT FORMAT
279 An alternative input format is supported for compatibility with older
282 This format consists of one or more entries separated by blank lines,
283 where each entry looks like:
286 Distinguished Name (DN)
291 where \fIattr\fP is the name of the attribute and \fIvalue\fP is the
294 By default, values are added. If the
297 given, the default is to replace existing values with the new one.
298 Note that it is permissible for a given attribute to appear more than
299 once (for example, to add more than one value for an attribute). Also
300 note that you can use a trailing `\\' to continue values across lines and
301 preserve newlines in the value itself (this is useful for modifying
302 QUIPU iattr attributes among others).
305 should be preceded by a \fB-\fP to remove a value. The `=' and
306 value should be omitted to remove an entire attribute.
309 should be preceded by a \fB+\fP to add a value in the presence of the
313 Assuming that the file
315 exists and has the contents:
318 dn: cn=Modify Me, dc=OpenLDAP, dc=Org
321 mail: modme@OpenLDAP.org
327 jpegPhoto:< file://tmp/modme.jpeg
336 ldapmodify -b -r -f /tmp/entrymods
339 will replace the contents of the "Modify Me" entry's
341 attribute with the value "modme@OpenLDAP.org", add a
343 of "Grand Poobah", and the contents of the file "/tmp/modme.jpeg"
346 and completely remove the
349 The same modifications as above can be performed using the older
354 cn=Modify Me, dc=OpenLDAP, dc=org
355 mail=modme@OpenLDAP.org
357 +jpegPhoto=/tmp/modme.jpeg
364 ldapmodify -b -r -f /tmp/entrymods
367 Assuming that the file
369 exists and has the contents:
372 dn: cn=Barbara Jensen, dc=OpenLDAP, dc=org
377 title: the world's most famous mythical manager
378 mail: bjensen@OpenLDAP.org
384 ldapadd -f /tmp/entrymods
387 will add a new entry for Babs Jensen, using the values from the
391 Assuming that the file
393 exists and has the contents:
396 dn: cn=Barbara Jensen, dc=OpenLDAP, dc=org
402 ldapmodify -f /tmp/entrymods
405 will remove Babs Jensen's entry.
407 Exit status is 0 if no errors occur. Errors result in a non-zero exit
408 status and a diagnostic message being written to standard error.
423 .IR "A String Representation of Distinguished Names",
426 ISODE Consortium, March 1995.
428 There is no interactive mode, but there probably should be.
431 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
433 is derived from University of Michigan LDAP 3.3 Release.