1 .TH LDAPMODIFY 1 "RELEASEDATE" "OpenLDAP LDVERSION"
3 .\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
26 .BI \-d \ debuglevel\fR]
34 .BI \-y \ passwdfile\fR]
38 .BI \-h \ ldaphost\fR]
40 .BI \-p \ ldapport\fR]
42 .BI \-P \ 2\fR\||\|\fI3\fR]
44 .BR \-O \ security-properties ]
80 .BI \-d \ debuglevel\fR]
88 .BI \-y \ passwdfile\fR]
90 .BI \-h \ ldaphost\fR]
92 .BI \-p \ ldapport\fR]
94 .BI \-P \ 2\fR\||\|\fI3\fR]
96 .BR \-O \ security-properties ]
102 .BI \-U \ authcid\fR]
108 .BI \-X \ authzid\fR]
117 is a shell-accessible interface to the
123 is implemented as a hard link to the ldapmodify tool. When invoked as
125 the -a (add new entry) flag is turned on automatically.
128 opens a connection to an LDAP server, binds, and modifies or adds entries.
129 The entry information is read from standard input or from \fIfile\fP through
130 the use of the -f option.
134 Add new entries. The default for
136 is to modify existing entries. If invoked as
138 this flag is always set.
141 Continuous operation mode. Errors are reported, but
143 will continue with modifications. The default is to exit after
147 Add or change records which where skipped due to an error are written to \fIfile\fP
148 and the error message returned by the server is added as a comment. Most useful in
152 Show what would be done, but don't actually modify entries. Useful for
153 debugging in conjunction with -v.
156 Use verbose mode, with many diagnostics written to standard output.
159 Use Kerberos IV authentication instead of simple authentication. It is
160 assumed that you already have a valid ticket granting ticket. You must
161 compile with Kerberos support for this option to have any effect.
164 Same as \-k, but only does step 1 of the Kerberos IV bind. This is useful
165 when connecting to a slapd and there is no x500dsa.hostname principal
166 registered with your Kerberos Domain Controller(s).
169 Force application of all changes regardless of the contents of input
170 lines that begin with
172 (by default, replica: lines are compared against the LDAP server host
173 and port in use to decide if a replog record should actually be applied).
176 Enable manage DSA IT control.
178 makes control critical.
181 Set the LDAP debugging level to \fIdebuglevel\fP.
183 must be compiled with LDAP_DEBUG defined for this option to have any effect.
186 Read the entry modification information from \fIfile\fP instead of from
190 Use simple authentication instead of SASL.
193 Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
196 Prompt for simple authentication.
197 This is used instead of specifying the password on the command line.
200 Use \fIpasswd\fP as the password for simple authentication.
203 Use complete contents of \fIpasswdfile\fP as the password for
204 simple authentication.
207 Specify URI(s) referring to the ldap server(s); only the protocol/host/port
208 fields are allowed; a list of URI, separated by whitespace or commas
212 Specify an alternate host on which the ldap server is running.
213 Deprecated in favor of -H.
216 Specify an alternate TCP port where the ldap server is listening.
217 Deprecated in favor of -H.
219 .BI \-P \ 2\fR\||\|\fI3
220 Specify the LDAP protocol version to use.
222 .BI \-O \ security-properties
223 Specify SASL security properties.
226 Enable SASL Interactive mode. Always prompt. Default is to prompt
230 Enable SASL Quiet mode. Never prompt.
233 Specify the authentication ID for SASL bind. The form of the ID
234 depends on the actual SASL mechanism used.
237 Specify the realm of authentication ID for SASL bind. The form of the realm
238 depends on the actual SASL mechanism used.
241 Specify the requested authorization ID for SASL bind.
243 must be one of the following formats:
245 .I <distinguished name>
251 Specify the SASL mechanism to be used for authentication. If it's not
252 specified, the program will choose the best mechanism the server knows.
255 Issue StartTLS (Transport Layer Security) extended operation. If you use
257 , the command will require the operation to be successful.
259 The contents of \fIfile\fP (or standard input if no \-f flag is given on
260 the command line) should conform to the format defined in
261 .BR slapd.replog (5),
262 with the exceptions noted below.
264 Lines that begin with "replica:" are matched against the LDAP server host
265 and port in use to decide if a particular replog record should be applied.
266 Any other lines that precede the "dn:" line are ignored.
267 The -F flag can be used to force
269 to apply all of the replog changes, regardless of the presence or
270 absence of any "replica:" lines.
272 If no "changetype:" line is present, the default is "add" if the -a
273 flag is set (or if the program was invoked as
275 and "modify" otherwise.
277 If changetype is "modify" and no "add:", "replace:", or "delete:" lines
278 appear, the default is "replace" for
283 Note that the above exceptions to the
287 entries to be used as input to
292 Assuming that the file
294 exists and has the contents:
297 dn: cn=Modify Me,dc=example,dc=com
300 mail: modme@example.com
306 jpegPhoto:< file:///tmp/modme.jpeg
315 ldapmodify -f /tmp/entrymods
318 will replace the contents of the "Modify Me" entry's
320 attribute with the value "modme@example.com", add a
322 of "Grand Poobah", and the contents of the file "/tmp/modme.jpeg"
325 and completely remove the
329 Assuming that the file
331 exists and has the contents:
334 dn: cn=Barbara Jensen,dc=example,dc=com
339 title: the world's most famous mythical manager
340 mail: bjensen@example.com
346 ldapadd -f /tmp/newentry
349 will add a new entry for Babs Jensen, using the values from the
353 Assuming that the file
355 exists and has the contents:
358 dn: cn=Barbara Jensen,dc=example,dc=com
364 ldapmodify -f /tmp/entrymods
367 will remove Babs Jensen's entry.
369 Exit status is zero if no errors occur. Errors result in a non-zero
370 exit status and a diagnostic message being written to standard error.
384 The OpenLDAP Project <http://www.openldap.org/>
387 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
389 is derived from University of Michigan LDAP 3.3 Release.