User Commands ldapmodify(1)
NAME
ldapmodify, ldapadd - ldap entry addition and modification
tools
SYNOPSIS
ldapmodify [-a] [-c] [-r] [-n] [-v] [-F] [-b] [-A] [-q]
[-H] [-?] [-E] [-J] [-Z] [-M] [-d debuglevel]
[-D bindDN] [-j filename] [-J [:criticality]
[-B baseDN] [-V version] [-Y proxyDN] [-O hopLimit]
[-i locale] [-k path] [-e errorFile] [-P path]
[-N certificate] [-w passwd] [-o attributename=value]
[-h ldaphost] [-W password] [-p ldapport] [-f file]
[-l nb-ldap-connections]
ldapadd [-c] [-n] [-v] [-F]
[ [-b] [-A] [-q] [-H] [-?] [-E] [-J] [-Z] [-M]-d debuglevel]
[-D bindDN] [-j filename] [-B baseDN] [-V version]
[-Y proxyDN] [-O hopLimit] [-i locale] [-k path]
[-e errorFile] [-P path] [-N certificate] [-w passwd]
[-o attributename=value] [-h ldaphost] [-W password]
[-p ldapport] [-f file] [-l nb-ldap-connections]
DESCRIPTION
The ldapmodify utility opens a connection to an LDAP server,
binds and modifies or adds entries. The entry information is
read from standard input or from file, specified using the
-f option. The ldapadd utility is implemented as a hard link
to the ldapmodify tool. When invoked as ldapadd, the -a (add
new entry) option is turned on automatically.
Both ldapadd and ldapmodify reject duplicate attribute-
name/value pairs for the same entry.
OPTIONS
The following options are supported:
-a
Adds new entries. The default for ldapmodify is to
modify existing entries. If invoked as ldapadd, this
option is always set.
-A
Non-ASCI mode: display non-ASCI values, in conjunction
with the -v option.
SunOS 5.11 Last change: 15 Jan 2004 1
User Commands ldapmodify(1)
-b
Handle binary files. The ldapmodify tool will scan every
attribute value in the input to determine whether it is
a valid file reference. If the reference is valid, it
will use the contents of the file as the attribute's
value. This option is used to input binary data, such as
a JPEG image, for an attribute. For example, the
corresponding LDIF input would be: " jpegPhoto:
/tmp/photo.jpg" The ldapmodify tool also supports the
LDIF :< URL notation for directly including file con-
tents.
-B baseDN
Specify the base DN when performing additions, usually
in double quotes ("") for the shell. All entries will be
placed under this suffix, thus providing bulk import
functionality.
-c
Specifies continuous operation mode. Errors are
reported, but ldapmodify and ldapadd continue with
modifications. The default is to exit after reporting an
error.
-D bindDN
Uses the distinguished name bindDN to bind to the direc-
tory.
-d debuglevel
Sets the LDAP debugging level. Useful levels of debug-
ging for ldapmodify and ldapadd are:
1 Trace
2 Packets
4 Arguments
32 Filters
SunOS 5.11 Last change: 15 Jan 2004 2
User Commands ldapmodify(1)
128 Access control
To request more than one category of debugging informa-
tion, add the masks. For example, to request trace and
filter information, specify a debuglevel of 33.
-e errorFile
Invalid update statements in the input will be copied to
the errorFile for debugging. Use with the -c option to
correct errors when processing large LDIF input.
-E
Ask server to expose (report) bind identity by means of
authentication response control.
-F
Forces application of all changes regardless of the con-
tent of input lines that begin with replica:. By
default, replica: lines are compared against the LDAP
server host and port in use to decide whether a replog
record should be applied.
-f file
Reads the entry modification information from file
instead of from standard input.
-?
Display the usage help text that briefly describes all
options.
-H
Display the usage help text that briefly describes all
options.
-h ldaphost
Specifies an alternate host on which the LAPD server is
running.
SunOS 5.11 Last change: 15 Jan 2004 3
User Commands ldapmodify(1)
-i locale
Specify the character set to use for the -f LDIFfile or
standard input. The default is the character set speci-
fied in the LANG environment variable. You might choose
to use this option to perform the conversion from the
specified character set to UTF8, thus overriding the
LANG setting.
-j filename
Specify a file containing the password for the bind DN
or the password for the SL client's key database. To
protect the password, use this option in scripts and
place the password in a secure file. This option is
mutually exclusive of the -w and -W options.
-J [:criticality[:value::b64valueb64value:fileurl]
Criticality is a boolean value (default is false).
-k path
Specify the path to a directory containing conversion
routines. These routines are used if you want to specify
a locale that is not supported by default by your direc-
tory server. This is for NLS support.
-l nb-ldap-connections
Specifies the number of LDAP connections that ldapadd or
ldapmodify will open to process the modifications in the
directory. The default is one connection.
-M
Manage smart referrals. When they are the target of the
operation, modify the entry containing the referral
instead of the entry obtained by following the referral.
-n
Previews modifications, but makes no changes to entries.
Useful in conjunction with -v and -d for debugging.
SunOS 5.11 Last change: 15 Jan 2004 4
User Commands ldapmodify(1)
-N certificate
Specify the certificate name to use for certificate-
based client authentication. For example: -N
"Directory-Cert".
-o attributename=value
For SASL mechanisms and other options such as security
properties, mode of operation, authorization ID, authen-
tication ID, and so forth.
The different attribute names and their values are as
follows:
secProp="number" For defining SASL security proper-
ties.
realm="value" Specifies SASL realm (default is
realm=none).
authzid="value" Specify the authorization ID name
for SASL bind.
authid="value" Specify the authentication ID for
SASL bind.
mech="value" Specifies the various SASL mechan-
isms.
-O hopLimit
Specify the maximum number of referral hops to follow
while finding an entry to modify. By default, there is
no limit.
-p ldapport
Specifies an alternate TCP port where the secure LDAP
server is listening.
-P path
SunOS 5.11 Last change: 15 Jan 2004 5
User Commands ldapmodify(1)
Specify the path and filename of the client's certifi-
cate database. For example:
-P /home/uid/.netscape/cert7.db
When using the command on the same host as the directory
server, you can use the server's own certificate data-
base. For example:
-P installDir/lapd-serverID/alias/cert7.db
Use the -P option alone to specify server authentication
only.
-r
Replaces existing value with the specified value. This
is the default for ldapmodify. When ldapadd is called,
or if the -a option is specified, the -r option is
ignored.
-v
Uses verbose mode, with diagnostics written to standard
output.
-V version
Specify the LDAP protocol version number to be used for
the delete operation, either 2 or 3. LDAP v3 is the
default. Specify LDAP v2 when connecting to servers that
do not support v3.
-W password
Specify the password for the client's key database given
in the -P option. This option is required for
certificate-based client authentication. Specifying
password on the command line has security issues because
the password can be seen by others on the system by
means of the ps command. Use the -j instead to specify
the password from the file. This option is mutually
exclusive of -j.
-w passwd
Use passwd as the password for authentication to the
SunOS 5.11 Last change: 15 Jan 2004 6
User Commands ldapmodify(1)
directory. When you use -w passwd to specify the pass-
word to be used for authentication, the password is
visible to other users of the system by means of the ps
command, in script files or in shell history. If you use
either the ldapmodify command or the ldapadd command
without this option, the command will prompt for the
password and read it from standard in. When used without
the -w option, the password will not be visible to other
users.
-Y proxyid
Specify the proxy DN (proxied authorization id) to use
for the modify operation, usually in double quotes ("")
for the shell.
-Z
Specify that SL be used to provide certificate-based
client authentication. This option requires the -N and
SL password and any other of the SL options needed to
identify the certificate and the key database.
EXIT STATUS
The following exit values are returned:
0 Successful completion.
Non-zero An error occurred. A diagnostic message is
written to standard error.
EXAMPLES
The format of the content of file (or standard input if no
-f option is specified) is illustrated in the following
examples.
Example 1 Modifying an Entry
The file /tmp/entrymods contains the following modification
instructions:
dn: cn=Modify Me, o=XYZ, c=US
changetype: modify
replace: mail
mail: modme@atlanta.xyz.com
SunOS 5.11 Last change: 15 Jan 2004 7
User Commands ldapmodify(1)
-
add: title
title: System Manager
-
add: jpegPhoto
jpegPhoto:< file:/tmp/modme.jpeg
-
delete: description
-
The command:
example% ldapmodify -r -f /tmp/entrymods
modifies the Modify Me entry as follows:
1. The current value of the mail attribute is replaced
with the value, modme@atlanta.xyz.com.
2. A title attribute with the value, System Manager,
is added.
3. A jpegPhoto attribute is added, using the contents
of the file, /tmp/modme.jpeg, as the attribute
value.
4. The description attribute is removed.
Example 2 Creating a New Entry
The file, /tmp/newentry, contains the following information
for creating a new entry:
dn: cn=Ann Jones, o=XYZ, c=US
objectClass: person
cn: Ann Jones
cn: Annie Jones
sn: Jones
title: Director of Research and Development
mail: ajones@londonrd.xyz.us.com
uid: ajones
SunOS 5.11 Last change: 15 Jan 2004 8
User Commands ldapmodify(1)
The command
example% ldapadd -f /tmp/newentry
adds a new entry for Ann Jones, using the information in the
file.
Example 3 Creating a New Entry on an IPv6 Server
The file, /tmp/newentry, contains the following information
for creating a new entry: on an IPv6 server.
dn: cn=Ann Jones, o=XYZ, c=US
objectClass: person
cn: Ann Jones
cn: Annie Jones
sn: Jones
title: Director of Research and Development
mail: ajones@londonrd.xyz.us.com
uid: ajones
The command
example% ldapadd -c -v -h '['fec0::111:a00:20ff:feaa:a364']':389 \
-D cn=Directory Manager -w secret \
-f /tmp/entry
adds a new entry for Directory Manager, using the informa-
tion in the file.
Example 4 Deleting an Entry
The file, /tmp/badentry, contains the following information
about an entry to be deleted:
dn: cn=Ann Jones, o=XYZ, c=US
SunOS 5.11 Last change: 15 Jan 2004 9
User Commands ldapmodify(1)
changetype: delete
The command:
example% ldapmodify -f /tmp/badentry
removes Ann Jones' entry.
ATRIBUTES
See attributes(5) for a description of the following attri-
butes:
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWcsu
Stability Level Evolving
SEE ALSO
ldap(1), ldapdelete(1), ldaplist(1), ldapmodrdn(1), ldap-
search(1), ldapaddent(1M), ldapcachemgr(1M),
ldapgetoption(3LDAP), ldapsetoption(3LDAP), attri-
butes(5)
SunOS 5.11 Last change: 15 Jan 2004 10
|
