ldapmodify — perform LDAP modify, add, delete, mod DN operations
Synopsis
ldapmodify {options} [changes_files ...]
Description
This utility can be used to perform LDAP modify, add, delete, and modify DN operations in the Directory Server. When not using file(s) to specify modifications, end your input with EOF (Ctrl+D on UNIX, Ctrl+Z on Windows).
Options
The ldapmodify command takes the following options:
Command options:
--assertionFilter {filter}Use the LDAP assertion control with the provided filter.
-c | --continueOnErrorContinue processing even if there are errors.
Default: false
-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}Use a request control with the provided information.
For some controloid values, you can replace object identifiers with user-friendly strings. The values are not case-sensitive:
Assertion,LdapAssertionAssertion Request Control, Object Identifier: 1.3.6.1.1.12
AccountUsable,AccountUsabilityAccount Usability Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
AuthzId,AuthorizationIdentityAuthorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16
Csn,ChangeNumber,ChangeSequenceNumberChange Sequence Number Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.9
This is an internal DS server control.
EffectiveRights,GetEffectiveRightsGet Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
ManageDsaItManage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2
Noop,No-OpNo-Op Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2
PwdPolicy,PasswordPolicyPassword Policy Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
PasswordQualityAdvicePassword Quality Advice Request Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.5
PermissiveModifyPermissive Modify Request Control, Object Identifier: 1.2.840.113556.1.4.1413
PSearch,PersistentSearchPersistent Search Request Control, Object Identifier: 2.16.840.1.113730.3.4.3
PostReadPost Read Request Control, Object Identifier: 1.3.6.1.1.13.2
PreReadPre Read Request Control, Object Identifier: 1.3.6.1.1.13.1
ProxiedAuthV1Proxied Authorization Request Control V1, Object Identifier: 2.16.840.1.113730.3.4.12
ProxiedAuth,ProxiedAuthV2Proxied Authorization Request Control V2, Object Identifier: 2.16.840.1.113730.3.4.18
RealAttrsOnly,RealAttributesOnlyReal Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17
RelaxRulesRelax Rules Request Control, Object Identifier: 1.3.6.1.4.1.4203.666.5.12
TreeDelete,SubTreeDeleteSubtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805
Sort,ServerSideSortServer Side Sort Request Control, Object Identifier: 1.2.840.113556.1.4.473
PagedResults,SimplePagedResultsSimple Paged Results Control, Object Identifier: 1.2.840.113556.1.4.319
SubEntriesSub-Entries Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.1
TxnId,TransactionIdTransaction ID Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1
This is an internal ForgeRock control.
VirtualAttrsOnly,VirtualAttributesOnlyVirtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19
Vlv,VirtualListViewVirtual List View Request Control, Object Identifier: 2.16.840.1.113730.3.4.9
-n | --dry-runShow what would be done but do not perform any operation and do not contact the server.
Default: false
--numConnections {numConnections}Number of connections.
Default: 1
--postReadAttributes {attrList}Use the LDAP ReadEntry post-read control.
--preReadAttributes {attrList}Use the LDAP ReadEntry pre-read control.
-Y | --proxyAs {authzID}Use the proxied authorization control with the given authorization ID.
LDAP connection options:
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default: 30000
-D | --bindDn {bindDN}DN to use to bind to the server.
Default:
-E | --reportAuthzIdUse the authorization identity control.
Default: false
-h | --hostname {host}Fully-qualified server host name or IP address.
Default: localhost.localdomain
-N | --certNickname {nickname}Nickname of the certificate that should be sent to the server for SSL client authentication.
-o | --saslOption {name=value}SASL bind options.
-p | --port {port}Directory server port number.
-q | --useStartTlsUse StartTLS to secure communication with the server.
Default: false
-T | --trustStorePassword {trustStorePassword}Truststore cleartext password.
--useJavaKeyStore {keyStorePath}JKS keystore containing the certificate which should be used for SSL client authentication.
--useJavaTrustStore {trustStorePath}Use a JKS truststore file for validating server certificate.
--useJceKeyStore {keyStorePath}JCEKS keystore containing the certificate which should be used for SSL client authentication.
--useJceTrustStore {trustStorePath}Use a JCEKS truststore file for validating server certificate.
--useJvmTrustStoreUse the a JVM truststore for validating server certificate.
Default: false
--usePasswordPolicyControlUse the password policy request control.
Default: false
--usePkcs11KeyStorePKCS#11 keystore containing the certificate which should be used for SSL client authentication.
Default: false
--usePkcs12KeyStore {keyStorePath}PKCS#12 keystore containing the certificate which should be used for SSL client authentication.
--usePkcs12TrustStore {trustStorePath}Use a PKCS#12 truststore file for validating server certificate.
-w | --bindPassword {bindPassword}Password to use to bind to the server. Omit this option while providing the bind DN to ensure that the command prompts for the password, rather than entering the password as a command argument.
-W | --keyStorePassword {keyStorePassword}Keystore cleartext password.
-X | --trustAllTrust all server SSL certificates.
Default: false
-Z | --useSslUse SSL for secure communication with the server.
Default: false
Utility input/output options:
--no-promptUse non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
Default: false
--noPropertiesFileNo properties file will be used to get default command line argument values.
Default: false
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments.
-v | --verboseUse verbose mode.
Default: false
General options:
-V | --versionDisplay Directory Server version information.
Default: false
-H | --helpDisplay this usage information.
Default: false
Exit Codes
- 0
The command completed successfully.
- ldap-error
An LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
- 89
An error occurred while parsing the command-line arguments.
Files
You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example:
hostname=directory.example.com port=1389 bindDN=uid=kvaughan,ou=People,dc=example,dc=com ldapcompare.port=1389 ldapdelete.port=1389 ldapmodify.port=1389 ldappasswordmodify.port=1389 ldapsearch.port=1389
Examples
The following example demonstrates use of the command to add an entry to the directory:
$cat newuser.ldifdn: uid=newuser,ou=People,dc=example,dc=com uid: newuser facsimileTelephoneNumber: +1 408 555 1213 objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top givenName: New cn: New User cn: Real Name telephoneNumber: +1 408 555 1212 sn: Jensen roomNumber: 1234 homeDirectory: /home/newuser uidNumber: 10389 mail: newuser@example.com l: South Pole ou: Product Development ou: People gidNumber: 10636$ldapmodify \ --port 1389 \ --bindDn uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery \ newuser.ldifProcessing ADD request for uid=newuser,ou=People,dc=example,dc=com ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com
The following listing shows a UNIX shell script that adds a user entry:
#!/bin/sh
#
# Add a new user with the ldapmodify utility.
#
usage(){
echo "Usage: $0 uid firstname lastname"
exit 1
}
[[ $# -lt 3 ]] && usage
LDAPMODIFY=/path/to/opendj/bin/ldapmodify
HOST=opendj.example.com
PORT=1389
ADMIN=uid=kvaughan,ou=people,dc=example,dc=com
PWD=bribery
$LDAPMODIFY --hostname $HOST --port $PORT --bindDn $ADMIN --bindPassword $PWD <<EOF
dn: uid=$1,ou=people,dc=example,dc=com
uid: $1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: $2 $3
givenName: $2
sn: $3
mail: $1@example.com
EOFThe following example demonstrates adding a description attribute to the new user's entry:
$cat newdesc.ldifdn: uid=newuser,ou=People,dc=example,dc=com changetype: modify add: description description: A new user's entry$ldapmodify \ --port 1389 \ --bindDn uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery \ newdesc.ldifProcessing MODIFY request for uid=newuser,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
The following example demonstrates changing the description attribute for the new user's entry:
$cat moddesc.ldifdn: uid=newuser,ou=People,dc=example,dc=com changetype: modify replace: description description: Another description$ldapmodify \ --port 1389 \ --bindDn uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery \ moddesc.ldifProcessing MODIFY request for uid=newuser,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
The following example demonstrates deleting the new user's entry:
$cat deluser.ldifdn: uid=newuser,ou=People,dc=example,dc=com changetype: delete$ldapmodify \ --port 1389 \ --bindDn uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery \ deluser.ldifProcessing DELETE request for uid=newuser,ou=People,dc=example,dc=com DELETE operation successful for DN uid=newuser,ou=People,dc=example,dc=com