How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I append data to an existing user store in DS (All versions)?

Last updated Jun 14, 2021

The purpose of this article is to provide assistance in adding bulk user data to an existing user data store in DS.

The documentation discusses using import-ldif to add a bulk load of data. However, you should be aware that import-ldif removes all existing data before importing the new data, which is problematic if you have existing data that needs to remain in place after the import.

If you want to add bulk data, there are a few approaches you can take, depending on your DS version, your environment and the amount of data you want to add:

DS 6 and later

DS 6.5 and DS 6 each introduced ldapmodify improvements that improve performance when performing bulk updates. These changes make ldapmodify (which appends entries to an existing user store) suitable for all amounts of data when used as described in the Using ldapmodify to append data section:

  • DS 6.5 introduced support for the experimental LDAP Relax Rules Control, which allows you to temporarily relax specific LDAP rules and allow modifications that are not normally permitted. It is important to restrict which clients or users can access this control to prevent misuse; typically you would only allow directory administrators. See Supported Standards (The LDAP Relax Rules Control (Internet-Draft)) and ACI by Operation (Use Control or Extended Operation section) for further details.
  • DS 6 introduced Faster Bulk Updates, which performs updates in parallel across multiple LDAP connections instead of serializing the updates. See Bulk Adds for further information.

DS 5.x

You can use either ldapmodify or import-ldif depending on the amount of data you have:

  • For small amounts of data, you can use ldapmodify, which allows you to use an LDIF file to append entries to an existing user store. However, ldapmodify runs each entry in the LDIF file as an individual modification, which can have a bigger impact on performance compared to using import-ldif with very large files. See the Using ldapmodify to append data section for details.
  • For large amounts of data, you should use import-ldif. To ensure you don't lose any data, you can export the existing entries, merge them with your new entries and then import the resulting merged LDIF file. See the Using import-ldif to append data section for details.

There are no definitive limits on the amount of data or its likely impact on performance; these depend on your environment, so you must perform performance testing and choose the most appropriate option.

Using ldapmodify to append data (All versions)

You can use ldapmodify to append data as follows:

  1. Create an LDIF file containing the data you want to append (called entries.ldif in this example).
  2. Apply the changes using the following ldapmodify command depending on your version:
    • DS 7.1 and later: $ ./ldapmodify --hostname --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/ --bindDN uid=admin --bindPassword password --control RelaxRules:true --numConnections 4 /path/to/entries.ldif
    • DS 7: $ ./ldapmodify --hostname --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/ --bindDN uid=admin --bindPassword password --control RelaxRules:true --numConnections 4 /path/to/entries.ldif
    • DS 6.5.x: $ ./ldapmodify --hostname --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --control RelaxRules:true --numConnections 4 /path/to/entries.ldif
    • DS 6:  $ ./ldapmodify --hostname --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --numConnections 4 /path/to/entries.ldif
    • DS 5.x: $ ./ldapmodify --hostname --port 1389 --bindDN "cn=Directory Manager" --bindPassword password /path/to/entries.ldif

See Modify Entries for further information.

The ldapmodify operation will fail if any of your LDIF entries match existing entries; you can use the --continueOnError option to continue even if an error is encountered.

Using import-ldif to append data (DS 5.x)

You can use import-ldif to append data as follows:

  1. Create an LDIF file containing the data you want to append (called newentries.ldif in this example).
  2. Export the existing entries using export-ldif, for example (while the server is online): $ ./export-ldif --hostname --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --backendID userRoot --includeBranch dc=example,dc=com --ldifFile existing.ldif --start 0 --trustAll
  3. Merge the entries in the LDIF files created in steps 1 and 2 using the ldifmodify command, for example: $ ./ldifmodify --outputLDIF merged.ldif existing.ldif newentries.ldif
  4. Import the resulting LDIF file using import-ldif, for example: $ ./import-ldif --hostname --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --backendID userRoot --includeBranch dc=example,dc=com --ldifFile merged.ldif --trustAll

You can add the --continueOnError option when you run the ldifmodify command if you have duplicate entries in your new LDIF file. Attributes in duplicate entries will not be updated as these entries are ignored when merging the files.
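
Both the ldapmodify failure on entries that match existing ones and the silent skipping of duplicates during the merge can be caught before touching the server by comparing DNs offline. The following is an added example, not part of the original article or ForgeRock tooling: the function names (ldif_dns, normalize_dn, preflight) are hypothetical, the sample data is constructed, and it assumes you have an export of the existing entries such as existing.ldif from step 2.

```python
import base64
import re

def ldif_dns(text):
    """Return the DN of every entry in LDIF text, in file order."""
    lines = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.lower().startswith("dn::"):  # "dn::" marks a base64-encoded DN
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def normalize_dn(dn):
    """Comparison key for a DN (simplified, see assumptions in the comment)."""
    # Assumption: RDN values are case-insensitive (uid, cn, ou, dc) and
    # single-valued; the DN is split only on unescaped commas.
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def preflight(existing_ldif, new_ldif):
    """Return (collisions with exported entries, DNs repeated in the new file)."""
    existing = {normalize_dn(d) for d in ldif_dns(existing_ldif)}
    seen, collisions, repeats = set(), [], []
    for dn in ldif_dns(new_ldif):
        key = normalize_dn(dn)
        if key in seen:
            repeats.append(dn)       # second copy inside the new file itself
        elif key in existing:
            collisions.append(dn)    # an add for this DN would be rejected
        seen.add(key)
    return collisions, repeats

# Constructed sample data standing in for existing.ldif and the new entries file.
EXISTING = "dn: uid=bjensen,ou=People,dc=example,dc=com\nuid: bjensen\n"
JDOE = "uid=jdoe,ou=People,dc=example,dc=com"
NEW = ("dn: UID=BJensen, ou=People, dc=example, dc=com\nuid: bjensen\n\n"
       "dn: uid=a-long-identifier,ou=People,dc=exam\n ple,dc=com\nuid: x\n\n"
       f"dn:: {base64.b64encode(JDOE.encode()).decode()}\nuid: jdoe\n\n"
       f"dn: {JDOE}\nuid: jdoe\n")
```

Calling preflight(EXISTING, NEW) returns the colliding and repeated DNs as two lists; an empty pair means the new file can be appended without duplicate-entry errors, subject to the normalization assumptions noted in the code.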

See Also

Installing and Administering DS

Import and Export

DS 6.5 Release Notes › LDAP Relax Rules control

DS 6 Release Notes › Faster Bulk Updates

ForgeRock DS and the LDAP Relax Rules Control

Related Issue Tracker IDs

OPENDJ-4437 (Add support for the LDAP Relax Rules Control)

OPENDJ-4108 (Provide a way to do parallel modifications with LDAPModify)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.