The following options are supported:
-a
Adds new entries. The default for ldapmodify is to
modify existing entries. If invoked as ldapadd, this option is always
set.
-A
Non-ASCII mode: display non-ASCII values, in conjunction
with the -v option.
-b
Handle binary files. The ldapmodify tool will scan
every attribute value in the input to determine whether it is a valid file
reference. If the reference is valid, it will use the contents of the file as
the attribute's value. This option is used to input binary data, such as a
JPEG image, for an attribute. For example, the corresponding LDIF input would
be: " jpegPhoto: /tmp/photo.jpg" The ldapmodify
tool also supports the LDIF :< URL notation for
directly including file contents.
-B baseDN
Specify the base DN when performing additions, usually in
double quotes ("") for the shell. All entries will be placed
under this suffix, thus providing bulk import functionality.
-c
Specifies continuous operation mode. Errors are reported,
but ldapmodify and ldapadd continue with modifications. The
default is to exit after reporting an error.
-D bindDN
Uses the distinguished name bindDN to bind to the
directory.
-d debuglevel
Sets the
LDAP debugging level. Useful levels of
debugging for
ldapmodify and
ldapadd are:
1
Trace
2
Packets
4
Arguments
32
Filters
128
Access control
To request more than one category of debugging information, add
the masks. For example, to request trace and filter information, specify a
debuglevel of 33.
-e errorFile
Invalid update statements in the input will be copied to
the errorFile for debugging. Use with the -c option to correct
errors when processing large LDIF input.
-E
Ask server to expose (report) bind identity by means of
authentication response control.
-F
Forces application of all changes regardless of the
content of input lines that begin with replica:. By default,
replica: lines are compared against the LDAP server host and
port in use to decide whether a replog record should be applied.
-f file
Reads the entry modification information from file
instead of from standard input.
-?
Display the usage help text that briefly describes all
options.
-H
Display the usage help text that briefly describes all
options.
-h ldaphost
Specifies an alternate host on which the LAPD server is
running.
-i locale
Specify the character set to use for the -f
LDIFfile or standard input. The default is the character set specified
in the LANG environment variable. You might choose to use this option
to perform the conversion from the specified character set to UTF8, thus
overriding the LANG setting.
-j filename
Specify a file containing the password for the bind DN or
the password for the SSL client's key database. To protect the password, use
this option in scripts and place the password in a secure file. This option is
mutually exclusive of the -w and -W options.
-J
[:criticality[:value|::b64value|b64value|:fileurl]]
Criticality is a boolean value (default is
false).
-k path
Specify the path to a directory containing conversion
routines. These routines are used if you want to specify a locale that is not
supported by default by your directory server. This is for NLS support.
-l nb-ldap-connections
Specifies the number of LDAP connections that
ldapadd or ldapmodify will open to process the modifications in
the directory. The default is one connection.
-M
Manage smart referrals. When they are the target of the
operation, modify the entry containing the referral instead of the entry
obtained by following the referral.
-n
Previews modifications, but makes no changes to entries.
Useful in conjunction with -v and -d for debugging.
-N certificate
Specify the certificate name to use for certificate-based
client authentication. For example: -N
"Directory-Cert".
-o attributename=value
For SASL mechanisms and other options such as security
properties, mode of operation, authorization ID, authentication ID, and so
forth.
The different attribute names and their values are as follows:
secProp="number"
For defining SASL security properties.
realm="value"
Specifies SASL realm (default is
realm=none).
authzid="value"
Specify the authorization ID name for SASL bind.
authid="value"
Specify the authentication ID for SASL bind.
mech="value"
Specifies the various SASL mechanisms.
-O hopLimit
Specify the maximum number of referral hops to follow
while finding an entry to modify. By default, there is no limit.
-p ldapport
Specifies an alternate TCP port where the secure
LDAP server is listening.
-P path
Specify the path and filename of the client's certificate
database. For example:
-P /home/uid/.netscape/cert7.db
When using the command on the same host as the directory server,
you can use the server's own certificate database. For example:
-P installDir/lapd-serverID/alias/cert7.db
Use the -P option alone to specify server authentication
only.
-r
Replaces existing value with the specified value. This is
the default for ldapmodify. When ldapadd is called, or if the
-a option is specified, the -r option is ignored.
-v
Uses verbose mode, with diagnostics written to standard
output.
-V version
Specify the LDAP protocol version number to be used for
the delete operation, either 2 or 3. LDAP v3 is the default. Specify LDAP v2
when connecting to servers that do not support v3.
-W password
Specify the password for the client's key database given
in the -P option. This option is required for certificate-based client
authentication. Specifying password on the command line has security
issues because the password can be seen by others on the system by means of
the ps command. Use the -j instead to specify the password from
the file. This option is mutually exclusive of -j.
-w passwd
Use passwd as the password for authentication to
the directory. When you use -w passwd to specify the password to
be used for authentication, the password is visible to other users of the
system by means of the ps command, in script files or in shell history.
If you use either the ldapmodify command or the ldapadd command
without this option, the command will prompt for the password and read it from
standard in. When used without the -w option, the password will not be
visible to other users.
-Y proxyid
Specify the proxy DN (proxied authorization id) to use
for the modify operation, usually in double quotes ("") for the
shell.
-Z
Specify that SSL be used to provide certificate-based
client authentication. This option requires the -N and SSL password and
any other of the SSL options needed to identify the certificate and the key
database.
The format of the content of file (or standard input if no -f
option is specified) is illustrated in the following examples.
Example 1 Modifying an Entry
The file /tmp/entrymods contains the following modification
instructions:
dn: cn=Modify Me, o=XYZ, c=US
changetype: modify
replace: mail
mail: modme@atlanta.example.com
-
add: title
title: System Manager
-
add: jpegPhoto
jpegPhoto:< file:///tmp/modme.jpeg
-
delete: description
-
The command:
example% ldapmodify -r -f /tmp/entrymods
modifies the Modify Me entry as follows:
- 1.
- The current value of the mail attribute is replaced with the value,
modme@atlanta.example.com.
- 2.
- A title attribute with the value, System Manager, is
added.
- 3.
- A jpegPhoto attribute is added, using the contents of the file,
/tmp/modme.jpeg, as the attribute value.
- 4.
- The description attribute is removed.
Example 2 Creating a New Entry
The file, /tmp/newentry, contains the following information
for creating a new entry:
dn: cn=Ann Jones, o=XYZ, c=US
objectClass: person
cn: Ann Jones
cn: Annie Jones
sn: Jones
title: Director of Research and Development
mail: ajones@londonrd.example.com
uid: ajones
The command
example% ldapadd -f /tmp/newentry
adds a new entry for Ann Jones, using the information in
the file.
Example 3 Creating a New Entry on an IPv6 Server
The file, /tmp/newentry, contains the following information
for creating a new entry: on an IPv6 server.
dn: cn=Ann Jones, o=XYZ, c=US
objectClass: person
cn: Ann Jones
cn: Annie Jones
sn: Jones
title: Director of Research and Development
mail: ajones@londonrd.example.com
uid: ajones
The command
example% ldapadd -c -v -h '['fec0::111:a00:20ff:feaa:a364']':389 \
-D cn=Directory Manager -w secret \
-f /tmp/entry
adds a new entry for Directory Manager, using the
information in the file.
Example 4 Deleting an Entry
The file, /tmp/badentry, contains the following information
about an entry to be deleted:
dn: cn=Ann Jones, o=XYZ, c=US
changetype: delete
The command:
example% ldapmodify -f /tmp/badentry
removes Ann Jones' entry.