.TH LDAPMODIFY 1 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2018 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
.BI \-d \ debuglevel\fR]
.BI \-y \ passwdfile\fR]
.BI \-h \ ldaphost\fR]
.BI \-p \ ldapport\fR]
.BR \-P \ { 2 \||\| 3 }]
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
.BI \-o \ opt \fR[= optparam \fR]]
.BI \-O \ security-properties\fR]
.BI \-d \ debuglevel\fR]
.BI \-y \ passwdfile\fR]
.BI \-h \ ldaphost\fR]
.BI \-p \ ldapport\fR]
.BR \-P \ { 2 \||\| 3 }]
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
.BI \-o \ opt \fR[= optparam \fR]]
.BI \-O \ security-properties\fR]
.BI \-U \ authcid\fR]
.BI \-X \ authzid\fR]
is a shell-accessible interface to the
.BR ldap_add_ext (3),
.BR ldap_modify_ext (3),
.BR ldap_delete_ext (3)
is implemented as a hard link to the ldapmodify tool. When invoked as
the \fB\-a\fP (add new entry) flag is turned on automatically.
opens a connection to an LDAP server, binds, and modifies or adds entries.
The entry information is read from standard input or from \fIfile\fP through
the use of the \fB\-f\fP option.
If \fB\-VV\fP is given, only the version information is printed.
Set the LDAP debugging level to \fIdebuglevel\fP.
must be compiled with LDAP_DEBUG defined for this option to have any effect.
Show what would be done, but don't actually modify entries. Useful for
debugging in conjunction with \fB\-v\fP.
Use verbose mode, with many diagnostics written to standard output.
Add new entries. The default for
is to modify existing entries. If invoked as
this flag is always set.
Continuous operation mode. Errors are reported, but
will continue with modifications. The default is to exit after
Read the entry modification information from \fIfile\fP instead of from
Add or change records that were skipped because of an error are written to \fIfile\fP,
with the error message returned by the server added as a comment. Most useful in
conjunction with \fB\-c\fP.
Enable manage DSA IT control.
makes control critical.
Use simple authentication instead of SASL.
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
Use \fIpasswd\fP as the password for simple authentication.
Use complete contents of \fIpasswdfile\fP as the password for
simple authentication.
Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
Specify an alternate host on which the ldap server is running.
Deprecated in favor of \fB\-H\fP.
Specify an alternate TCP port where the ldap server is listening.
Deprecated in favor of \fB\-H\fP.
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
Specify general extensions with \fB\-e\fP and modify extensions with \fB\-E\fP.
\'\fB!\fP\' indicates criticality.
[!]assert=<filter> (an RFC 4515 Filter)
!authzid=<authzid> ("dn:<dn>" or "u:<user>")
[!]bauthzid (RFC 3829 authzid control)
[!]chaining[=<resolve>[/<cont>]]
[!]postread[=<attrs>] (a comma-separated attribute list)
[!]preread[=<attrs>] (a comma-separated attribute list)
sessiontracking[=<username>]
abandon,cancel,ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
[!]txn[=abort|commit]
.BI \-o \ opt \fR[= optparam \fR]
option or one of the following:
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif_wrap=<width> (in columns, or "no" for no wrapping)
.BI \-O \ security-properties
Specify SASL security properties.
Enable SASL Interactive mode. Always prompt. Default is to prompt
Enable SASL Quiet mode. Never prompt.
Do not use reverse DNS to canonicalize SASL host name.
Specify the authentication ID for SASL bind. The form of the ID
depends on the actual SASL mechanism used.
Specify the realm of authentication ID for SASL bind. The form of the realm
depends on the actual SASL mechanism used.
Specify the requested authorization ID for SASL bind.
must be one of the following formats:
.BI dn: "<distinguished name>"
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
Issue StartTLS (Transport Layer Security) extended operation. If you use
, the command will require the operation to be successful.
The contents of \fIfile\fP (or standard input if no \fB\-f\fP flag is given on
the command line) must conform to the format defined in
(LDIF as defined in RFC 2849).
Assuming that the file
exists and has the contents:
dn: cn=Modify Me,dc=example,dc=com
mail: modme@example.com
jpegPhoto:< file:///tmp/modme.jpeg
ldapmodify \-f /tmp/entrymods
will replace the contents of the "Modify Me" entry's
attribute with the value "modme@example.com", add a
of "Grand Poobah", and the contents of the file "/tmp/modme.jpeg"
and completely remove the
Assuming that the file
exists and has the contents:
dn: cn=Barbara Jensen,dc=example,dc=com
title: the world's most famous mythical manager
mail: bjensen@example.com
ldapadd \-f /tmp/newentry
will add a new entry for Babs Jensen, using the values from the
Assuming that the file
exists and has the contents:
dn: cn=Barbara Jensen,dc=example,dc=com
ldapmodify \-f /tmp/entrymods
will remove Babs Jensen's entry.
Exit status is zero if no errors occur. Errors result in a non-zero
exit status and a diagnostic message being written to standard error.
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
.BR ldap_modrdn_ext (3),
The OpenLDAP Project <http://www.openldap.org/>
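The following wrapper is an added example, not part of the OpenLDAP distribution.
It combines the \fB\-y\fP, \fB\-n\fP, \fB\-ZZ\fP, \fB\-c\fP and \fB\-S\fP options described above
so that the bind password stays off the command line and a failed StartTLS stops the run.
The function names and the files passed to them are assumptions of the example.

```sh
#!/bin/sh
# Added example; URIs, DNs and file paths are supplied by the caller.

# Write the bind password for -y, readable by the owner only.
# -y uses the complete contents of the file, so a trailing newline would
# become part of the password; printf '%s' writes none.
write_passwd_file() {
    # $1 = password file, $2 = password
    ( umask 077 && printf '%s' "$2" > "$1" ) && chmod 600 "$1"
}

# Return 0 if the file is safe to pass to -y, otherwise:
# 1 = missing, 2 = accessible beyond the owner, 3 = ends in a newline.
check_passwd_file() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -r[w-]-------*) ;;
        *) return 2 ;;
    esac
    # $(...) strips a trailing newline, so an empty result on a non-empty
    # file means the last byte is a newline.
    if [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]; then return 3; fi
    return 0
}

# Dry run (-n -v) to show what would be done, then apply the changes.
# Returns 1 if the password file is unsafe or the dry run fails,
# otherwise the exit status of the real ldapmodify run.
safe_ldapmodify() {
    # $1 = URI, $2 = bind DN, $3 = password file, $4 = LDIF file,
    # $5 = file that receives skipped records (-S)
    check_passwd_file "$3" || { echo "unsafe password file: $3" >&2; return 1; }
    ldapmodify -n -v -f "$4" || return 1
    # -x simple bind, -ZZ StartTLS must succeed before the password is sent,
    # -c continue after errors, -S keep skipped records and the server's error.
    ldapmodify -x -ZZ -H "$1" -D "$2" -y "$3" -c -S "$5" -f "$4"
}
```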