1 .TH LDAPMODIFY 1 "12 July 2000" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
30 .BI \-d \ debuglevel\fR]
38 .BI \-h \ ldaphost\fR]
40 .BI \-p \ ldapport\fR]
42 .BI \-P \ 2\fR\||\|\fI3\fR]
44 .BR \-O \ security-properties ]
50 .BI \-U \ username\fR]
80 .BI \-d \ debuglevel\fR]
88 .BI \-h \ ldaphost\fR]
90 .BI \-p \ ldapport\fR]
92 .BI \-P \ 2\fR\||\|\fI3\fR]
98 .BI \-U \ username\fR]
100 .BI \-X \ authzid\fR]
109 is a shell-accessible interface to the
115 is implemented as a hard link to the ldapmodify tool. When invoked as
117 the -a (add new entry) flag is turned on automatically.
120 opens a connection to an LDAP server, binds, and modifies or adds entries.
121 The entry information is read from standard input or from \fIfile\fP through
122 the use of the -f option.
126 Add new entries. The default for
128 is to modify existing entries. If invoked as
130 this flag is always set.
133 Assume that any values that start with a `/' are binary values and that
134 the actual value is in a file whose path is specified in the place where
135 values normally appear.
138 Automatically chase referrals.
141 Continuous operation mode. Errors are reported, but
143 will continue with modifications. The default is to exit after
147 Replace existing values by default.
150 Show what would be done, but don't actually modify entries. Useful for
151 debugging in conjunction with -v.
154 Use verbose mode, with many diagnostics written to standard output.
157 Use Kerberos authentication instead of simple authentication. It is
158 assumed that you already have a valid ticket granting ticket. You must
159 compile with KERBEROS defined for this option to have any effect.
162 Same as \-k, but only does step 1 of the kerberos bind. This is useful
163 when connecting to a slapd and there is no x500dsa.hostname principal
164 registered with your kerberos servers.
167 Force application of all changes regardless of the contents of input
168 lines that begin with
170 (by default, replica: lines are compared against the LDAP server host
171 and port in use to decide if a replog record should actually be applied).
174 Enable manage DSA IT control.
176 makes control critical.
179 Set the LDAP debugging level to \fIdebuglevel\fP.
181 must be compiled with LDAP_DEBUG defined for this option to have any effect.
184 Read the entry modification information from \fIfile\fP instead of from
188 Use simple authentication instead of SASL.
191 Use \fIbinddn\fP to bind to the LDAP directory. \fIbinddn\fP should be
192 a string-represented DN as defined in RFC 1779.
195 Prompt for simple authentication.
196 This is used instead of specifying the password on the command line.
199 Use \fIpasswd\fP as the password for simple authentication.
202 Specify an alternate host on which the ldap server is running.
205 Specify an alternate TCP port where the ldap server is listening.
207 .BI \-P \ 2\fR\||\|\fI3
208 Specify the LDAP protocol version to use.
210 .BI \-O \ security-properties
211 Specify SASL security properties.
214 Enable SASL Interactive mode. Always prompt. Default is to prompt
218 Enable SASL Quiet mode. Never prompt.
221 Specify the username for SASL bind. The syntax of the username depends on the
222 actual SASL mechanism used.
225 Specify the requested authorization ID for SASL bind.
227 must be one of the following formats:
229 .I <distinguished name>
235 Specify the SASL mechanism to be used for authentication. If it's not
236 specified, the program will choose the best mechanism the server knows.
239 Issue StartTLS (Transport Layer Security) extended operation. If you use
241 , the command will require the operation to be successful.
243 The contents of \fIfile\fP (or standard input if no \-f flag is given on
244 the command line) should conform to the format defined in
245 .BR slapd.replog (5),
246 with the exceptions noted below.
248 If the first line of a record consists of a decimal number (entry id),
251 Lines that begin with "replica:" are matched against the LDAP server host
252 and port in use to decide if a particular replog record should be applied.
253 Any other lines that precede the "dn:" line are ignored.
254 The -F flag can be used to force
256 to apply all of the replog changes, regardless of the presence or
257 absence of any "replica:" lines.
259 If no "changetype:" line is present, the default is "add" if the -a
260 flag is set (or if the program was invoked as
262 and "modify" otherwise.
264 If changetype is "modify" and no "add:", "replace:", or "delete:" lines
265 appear, the default is "replace" if the -r flag is set and "add"
268 Note that the above exceptions to the
272 entries to be used as input to
276 .SH ALTERNATIVE INPUT FORMAT
277 An alternative input format is supported for compatibility with older
280 This format consists of one or more entries separated by blank lines,
281 where each entry looks like:
284 Distinguished Name (DN)
289 where \fIattr\fP is the name of the attribute and \fIvalue\fP is the
292 By default, values are added. If the
295 given, the default is to replace existing values with the new one.
296 Note that it is permissible for a given attribute to appear more than
297 once (for example, to add more than one value for an attribute). Also
298 note that you can use a trailing `\\' to continue values across lines and
299 preserve newlines in the value itself (this is useful for modifying
300 QUIPU iattr attributes among others).
303 should be preceded by a \fB-\fP to remove a value. The `=' and
304 value should be omitted to remove an entire attribute.
307 should be preceded by a \fB+\fP to add a value in the presence of the
311 Assuming that the file
313 exists and has the contents:
316 dn: cn=Modify Me, dc=OpenLDAP, dc=Org
319 mail: modme@OpenLDAP.org
325 jpegPhoto:< file://tmp/modme.jpeg
334 ldapmodify -b -r -f /tmp/entrymods
337 will replace the contents of the "Modify Me" entry's
339 attribute with the value "modme@OpenLDAP.org", add a
341 of "Grand Poobah", and the contents of the file "/tmp/modme.jpeg"
344 and completely remove the
347 The same modifications as above can be performed using the older
352 cn=Modify Me, dc=OpenLDAP, dc=org
353 mail=modme@OpenLDAP.org
355 +jpegPhoto=/tmp/modme.jpeg
362 ldapmodify -b -r -f /tmp/entrymods
365 Assuming that the file
367 exists and has the contents:
370 dn: cn=Barbara Jensen, dc=OpenLDAP, dc=org
375 title: the world's most famous mythical manager
376 mail: bjensen@OpenLDAP.org
382 ldapadd -f /tmp/entrymods
385 will add a new entry for Babs Jensen, using the values from the
389 Assuming that the file
391 exists and has the contents:
394 dn: cn=Barbara Jensen, dc=OpenLDAP, dc=org
400 ldapmodify -f /tmp/entrymods
403 will remove Babs Jensen's entry.
405 Exit status is 0 if no errors occur. Errors result in a non-zero exit
406 status and a diagnostic message being written to standard error.
421 .IR "A String Representation of Distinguished Names",
424 ISODE Consortium, March 1995.
426 There is no interactive mode, but there probably should be.
428 The OpenLDAP Project <http://www.openldap.org/>
431 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
433 is derived from University of Michigan LDAP 3.3 Release.