ou change entries in your directory using LDAP clients. Most LDAP clients provide an interface that allows you to change, delete, or add entries to your directory. Note, however, that you cannot modify your directory unless the appropriate access control has been set in your directory. For information on setting access control in your directory, see Chapter 5, "Managing Access Control."
ldapmodify
ldapdelete
ldapmodify and ldapdelete command-line utilities.
-D "cn=Barbara Jensen, ou=Product Development, o=airius.com"
-D "cn=Patricia Fuentes, ou=people, o=Airius Bolivia\, S.A."
ldapmodify and ldapdelete allow you to provide input both from an input file (using the -f parameter), as well as from the command line. If you want to provide input from the command line, do not specify the -f parameter when you call these commands.
The tool collects statements that you enter to the shell in exactly the same way as if they were reading from a file. When you are done providing input to the utility, enter the character that your shell recognizes as the end of file (EOF) marker. This causes the utility to begin operations based on the input you have supplied.
Typically, the EOF escape sequence is usually one of the following, depending upon the type of machine that you are using:
ldapmodify. Then you would do the following:
prompt> ldapmodify -D <bindn> -w <password> -h <hostname>
> dn: cn=Barry Nixon, ou=people, o=airius.com
> changetype: modify
> delete: telephonenumber
> -
> add: manager
> manager: cn=Harry Cruise, ou=people, o=airius.com
> ^D
prompt>
ldapdelete command-line utility to delete entries from an existing directory server database. This utility opens a connection to the specified server using the specified distinguished name and password, and deletes the entry or entries.
For information on where you can find the command-line utilities in your directory server installation, see "Finding the Command-Line Utilities".
A Note on Deleting Entries
You can only delete entries at the end of a branch. You cannot delete entries that are branch points in the directory tree. For example, of the following three entries:
ou=People, o=airius.comyou can delete only the last two entries. The entry that identifies the People subtree can be deleted only if no other entries exist below it.
cn=Paula Simon, ou=People, o=airius.com
cn=Jerry O'Connor, ou=People, o=airius.com
ldapdelete command-line utility with the following parameters:
-D uid=bjensen,
o=airius.com. Access control is described in Chapter 5, "Managing Access
Control.".
-w mypassword.
-h
cyclops.
ldapdelete is to use LDAPS when communicating with your directory server. These parameters are valid only when LDAPS has been turned on and configured for your directory server. For more information on LDAPS, see "Managing SSL".
Make sure that you specify your directory server's encrypted port when you use these parameters:
-Z
Specifies that SSL is to be used for the delete request.
-P
Specifies the path and filename of the security files for the client. This
parameter is used only with the -Z parameter. When used on a machine where
a SSL-enabled web browser is configured, the path specified on this parameter
can be pointed to the security database for the web browser. For example,
-P
c:\security\cert.db. Note that the client security files can also be stored
on the directory server in the <NSHOME>/alias directory. In this case, the -P
parameter would call out a path and filename similar to the following: -P
c:\Netscape\Suitespot\alias\client-cert.db.
-N
Specifies the certificate name to use for certificate-based client authentication. For
example,
-N Server-Cert. If this parameter is specified, then the -Z, -K, and -W
parameters are required. Also, if this parameter is specified, then the -D and -w parameters must not be specified, or certificate-based authentication will not occur and the
bind operation will use the authentication credentials specified on -D and -w.
-K
Specifies the name of the certificate key file used for certificate-based client
authentication. For example,
-K Server-Key.
-W
Specifies the password for the certificate key file identified on the -P parameter.
For example,
-W serverpassword.
-Q
Specifies the number of the slot into which you plugged your FORTEZZA
crypto card and, optionally, the name of the FORTEZZA certificate you want to
use. The slot number and certificate name are separated by a colon. For
example, if you plugged your crypto card into slot 2 and want to use the certificate named doe, you would specify the following:
-Q 2:doe.
-I
Specifies the personal identification number (PIN) associated with the
FORTEZZA crypto card and certificate you specified in the -Q parameter.
-X
Specifies the path and filename of the compromised key list (CKL).
Additional ldapdelete Parameters
The following parameters offer additional functionality:
-c
Specifies that the utility run in continuous operation mode. Errors are reported,
but the utility will continue with deletions. The default is to quit after reporting
an error.
-f
Specifies the file containing the distinguished names of entries to be deleted.
For example, -f modify_statements. Omit this parameter if you want to supply
a distinguished name directly to the command line.
-H
Lists all available
ldapdelete parameters.
-M
Manage smart referrals. Causes the server to not return the smart referral
contained on the entry, but to instead delete the actual entry containing the
smart referral. For more information about smart referrals, see "Creating and
Changing Smart Referrals".
-n
Specifies that the entries are not to be actually deleted, but that
ldapdelete is to
show what it would do with the specified input.
-O
Specifies the maximum number of referral hops to follow. For example,
-O 2.
-R
Specifies that referrals are not to be followed automatically.
-v
Specifies that the utility is to run in verbose mode.
-V
Specifies the LDAP version number to be used on the operation. For example,
-V 2. LDAP v3 is the default. Note that you cannot perform an LDAP v3
operation against a directory server that only supports LDAP v2.
ldapdelete Examples
Suppose:
cn=Robert Jenkins, ou=People, o=airius.com and cn=Lisa Jangles, ou=People, o=airius.com.
cn=Directory Manager, o=airius.com.
King~Pin.
cyclops.
ldapdelete -D "cn=Directory Manager, o=airius.com" -w King~Pin -h cyclops -p 845 "cn=Robert Jenkins, ou=People, o=airius.com" "cn=Lisa Jangles, ou=People, o=airius.com"To delete user Patricia Fuentes from the Airius Bolivia, S.A. tree, you would enter the following command. Note that because the DN of the entry you are deleting contains a comma, you must escape the comma with a backslash (\).
ldapdelete -D "cn=Directory Manager, o=airius.com" -w King~Pin -h cyclops -p 845 "cn=Patricia Fuentes, ou=People, o=Airius Bolivia\, S.A."
ldapmodify command along with the appropriate LDIF update statements. For details, refer to "Modifying Entries Using ldapmodify". You can also use an LDIF file to add multiple entries by using the Database Management | Add Entries form. Finally, you can also import an entire database from LDIF. For details, refer to "Importing LDIF Using the Server Manager". For details on LDIF, see Chapter 2, "LDAP Data Interchange Format."
A Note on Adding Entries
When you add an entry, make sure that an entry representing a branch point is created before new entries are created under that branch. For example, if you want to place an entry in a Person and a Group subtree, then create the branch point for those subtrees before creating entries within the subtrees. For example:
dn: o=airius.com
dn: ou=People, o=airius.com
...
<People subtree entries.>
...
dn: ou=Group, o=airius.com
...
<Group subtree entries.>
...
Modifying Entries Using ldapmodify
You use the ldapmodify command-line utility to modify entries in an existing directory server database. This utility opens a connection to the specified server using the specified distinguished name and password, and modifies the entries based on LDIF update statements contained in a specified file.
For information on where you can find the command-line utilities in your directory server installation, see "Finding the Command-Line Utilities".
Note
Because
ldapmodify uses LDIF update statements, ldapmodify can do
everything that ldapdelete can do.
If schema checking is turned on when you use this utility, then schema
checking is performed for the entire entry when it is modified. If the server
detects an attribute or object class in the entry that is not known to the server,
then the entire modify operation will fail. This happens even if the offending
object class or attribute is not being modified.
This situation will occur if you ran the directory server with schema checking
turned off, added unknown object classes or attributes, and then turned schema
checking on.
For more information, see "Schema Checking".
Commonly Used ldapmodify Parameters
To modify an entry or entries in an existing directory, use the ldapmodify command-line utility with the following parameters:
-D
Specifies the distinguished name with which to authenticate to the server. The value must
be a DN recognized by the directory server or the local directory, and it must also have
the authority to modify the entries. For example,
-D uid=bjensen,
o=airius.com.
-w
Specifies the password associated with the distinguished name specified in the
-D parameter. For example, -w mypassword.
-h
Specifies the name of the host on which the server is running. For example,
-h
cyclops.
-p
Specifies the port number that the server uses. For example,
-p 1049. The default is
389. If -Z is used, the default is 636.
-f
Optional parameter that specifies the file containing the LDIF update statements used to
define the directory modifications. For example, -f modify_statements. For information on supplying LDIF update statements from the command line, refer to
"Providing Input from the Command Line".
-a
Allows you to add LDIF entries to the directory without requiring the
changetype:add LDIF update statement. This provides a simplified method of
adding entries to the directory.
SSL Parameters
You can use the following command-line parameters to specify that ldapmodify is to use LDAPS when communicating with your directory server. These parameters are valid only when LDAPS has been turned on and configured for your directory server. For more information on LDAPS, see "Managing SSL".
Make sure that you specify your directory server's encrypted port when you use these parameters:
-Z
Specifies that SSL is to be used for the directory request.
-P
Specifies the path and filename of the security files for the client. This parameter is used
only with the -Z parameter. When used on a machine where a SSL-enabled web browser
is configured, the path specified on this parameter can be pointed to the security database
for the web browser. For example,
-P c:\security\cert.db. Note that the
client security files can also be stored on the directory server in the <NSHOME>/alias
directory. In this case, the -P parameter would call out a path and filename similar to the
following: -P c:\Netscape\Suitespot\alias\client-cert.db.
-N
Specifies the certificate name to use for certificate-based client authentication. For
example,
-N Server-Cert. If this parameter is specified, then the -Z, -K, and -W
parameters are required. Also, if this parameter is specified, then the -D and -w parameters must not be specified, or certificate-based authentication will not occur and the
bind operation will use the authentication credentials specified on -D and -w.
-K
Specifies the name of the certificate key file used for certificate-based client authentication. For example,
-K Server-Key.
-W
Specifies the password for the certificate key file identified on the -P parameter. For
example,
-W serverpassword.
-Q
Specifies the number of the slot into which you plugged your FORTEZZA crypto card
and, optionally, the name of the FORTEZZA certificate you want to use. The slot
number and certificate name are separated by a colon. For example, if you plugged your
crypto card into slot 2 and want to use the certificate named doe, you would specify the
following:
-Q 2:doe.
-I
Specifies the personal identification number (PIN) associated with the FORTEZZA
crypto card and certificate you specified in the -Q parameter.
-X
Specifies the path and filename of the compromised key list (CKL).
Additional ldapmodify Parameters
The following parameters offer additional functionality:
-b
Causes the utility to check every attribute value to determine whether the value is a valid
file reference. If the value is a valid file reference, then the contents of the referenced file
is used as the attribute value. This is often used for specifying a path to a file containing
binary data, such as JPEG. For example, if you wanted to add a
jpegPhoto attribute,
then specify the -b parameter on the ldapmodify call. In the LDIF you provide to
ldapadd, include something like the following:
jpegPhoto: /tmp/photo.jpeg
ldapmodify will read the contents of the photo.jpeg file into the jpegPhoto
attribute that you are placing on the entry.
jpegPhoto: c:/tmp/photo.jpeg
ldapmodify parameters.
ldapmodify is to
show what it would do with the specified input.
-O 2.
-V 2.
LDAP v3 is the default. Note that you can not perform an LDAP v3 operation against a
directory server that only supports LDAP v2.
modify_statements.
cn=Directory Manager, o=airius.com.
King~Pin.
cyclops.
modify_statements file, and then enter the following command:
ldapmodify -D "cn=Directory Manager, o=airius.com" -w King~Pin -h cyclops -p 845 -f modify_statements
ldapmodify should change your directory. In general, LDIF update statements are a series of statements that:
changetype: add) is assumed. However, any other changetype will override the -a parameter.
changetype: modify), a change
operation is required that indicates how the entry should be changed.
If you specify
changetype: modrdn, change operations are required that
specify how the relative distinguished name (RDN) is to be modified. A
distinguished name's RDN is the left-most value in the DN. For example, the
distinguished name uid=ssarette, o=airius.com has an RDN of uid=ssarette.
dn: <distinguished name>
<changetype identifier>
<change operation identifier>
<list of attributes> ... - <change operation identifier>
<list of attributes>
... - ...
dn: cn=Lisa Jangles, ou=People, o=airius.comIn addition, the line continuation operator is a single space. Therefore, the following two statements are identical:
changetype: modify
add: telephonenumber
telephonenumber: (408) 555-2468
-
add: manager
manager: cn=Harry Cruise, ou=People, o=airius.com
dn: cn=Lisa Jangles, ou=People, o=airius.com dn: cn=Lisa Jangles,The following sections describe the changetypes in detail.
ou=People,
o=airius.com
changetype: add to add an entry to your directory. When you add an entry, make sure to create an entry representing a branch point before you try to create new entries under that branch. That is, if you want to place an entry in a People and an Groups subtree, then create the branch point for those subtrees before creating entries within the subtrees. For more information, see "A Note on Adding Entries".dn: o=airius.com
changetype: add
objectclass: organization
o: Airius Corporation dn: ou=People, o=airius.com
changetype: add
objectclass: organizationalUnit
ou: People
ou: Marketing dn: cn=Pete Minsky, ou=People, o=airius.com
changetype: add
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Pete Minsky
givenName: Pete
sn: Minsky
ou: People
ou: Marketing
uid: pminsky dn: cn=Sue Jacobs, ou=People, o=airius.com
changetype: add
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Sue Jacobs
givenName: Sue
sn: Jacobs
ou: People
ou: Marketing
uid: sjacobs dn: ou=Groups, o=airius.com
changetype: add
objectclass: organizationalUnit
ou: Groups dn: cn=Administrators, ou=Groups, o=airius.com
changetype: add
objectclass: groupOfNames
member: cn=Sue Jacobs, ou=People, o=airius.com
member: cn=Pete Minsky, ou=People, o=airius.com
cn: Administrators
dn: ou=Airius Bolivia\, S.A., o=airius.com
changetype: add
objectclass: organizationalUnit
ou: Airius Bolivia\, S.A.
dn: cn=Carla Flores, ou=Airius Bolivia\, S.A., o=airius.com
changetype: add
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Carla Flores
givenName: Carla
sn: Flores
ou: Airius Bolivia\, S.A.
uid: cflores
changetype: add statement by specifying the -a parameter on the call to ldapmodify. In this case, simply provide LDIF (as opposed to LDIF update statements) to ldapmodify. For example:
> ldapmodify -a -h <hostname> -p <port> -D <bind dn> -w <password>... ^z
dn: o=airius.com
objectclass: organization
o: Airius Corporation dn: ou=People, o=airius.com
objectclass: organizationalUnit
ou: People dn: cn=Pete Minsky, ou=People, o=airius.com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Pete Minsky
givenName: Pete
sn: Minsky
ou: People
ou: Marketing
changetype:delete to delete an entry from your directory. You can only delete entries at the end of a branch. Therefore, when you delete an entry, make sure that no other entries exist under that entry in the directory tree. That is, you cannot delete an organizational unit entry unless you have first deleted all the entries that belong to the organizational unit.
For example, of the following three entries:
ou=People, o=airius.comyou can delete only the last two entries. The entry that identifies the People subtree can be deleted only if no other entries exist below it. The following LDIF update statements can be used to delete person entries:
cn=Paula Simon, ou=People, o=airius.com
cn=Jerry O'Connor, ou=People, o=airius.com
dn: cn=Pete Minsky, ou=People, o=airius.com
changetype: delete dn: cn=Sue Jacobs, ou=People, o=airius.com
changetype: delete
changetype:modrdn to change an entry's relative distinguished name (RDN). An entry's RDN is the leftmost element in the distinguished name. Therefore, the RDN for:
cn=Barry Nixon, ou=People, o=airius.comis:
cn=Barry NixonAnd the RDN for:
ou=People, o=airius.comis:
ou=PeopleTherefore, this rename operation allows you to change the left-most value in an entry's distinguished name. For example, the entry:
cn=Sue Jacobs, ou=People, o=airius.comcan be modified to be:
cn=Susan Jacobs, ou=People, o=airius.combut it cannot be modified to be:
cn=Sue Jacobs, ou=old employees, o=airius.comThe following example can be used to rename Sue Jacobs to Susan Jacobs:
dn: cn=Sue Jacobs, ou=Marketing, o=airius.comBecause
changetype: modrdn
newrdn: cn=Susan Jacobs
deleteoldrdn: 0
deleteoldrdn is 0, this example retains the existing RDN in the new entry. The resulting entry would therefore have a common name (cn) attribute set to both Sue Jacobs and Susan Jacobs in addition to all the other attributes included in the original entry.
ou=People, o=airius.comyou can only rename the last two entries. The entry that identifies the People subtree can only be renamed if no other entries exist below it.
cn=Paula Simon, ou=People, o=airius.com
cn=Jerry O'Connor, ou=People, o=airius.com
changetype:modify to add, replace, or remove attributes and/or attribute values to the entry. When you specify changetype:modify, you must also provide a change operation to indicate how the entry is to be modified. Change operations can be:
add: <attribute>--Adds the specified attribute or attribute value. If the attribute does not currently exist for the entry, then the attribute and its corresponding value are created. If the attribute already exists for the entry, then the specified attribute value is added to the existing value.
replace: <attribute>--The specified values are used to entirely replace the attribute's value. If the attribute does not already exist, it is created. If no replacement value is specified for the attribute, the attribute is deleted.
delete: <attribute>--The specified attribute is deleted. If more than one instance of an attribute exists for the entry, then all instances of the attribute are deleted in the entry. To delete just one of many attribute instances, specify the attribute and associated value on the line following the delete change operation.
changetype:modify with the delete operation to delete an attribute from an entry. If the entry has more than one instance of the attribute, you must indicate which of the attributes you want to delete.
For example, the following LDIF update statement deletes all instances of the telephonenumber attribute from the entry, regardless of how many times it appears in the entry:
dn: cn=Barney Fife, ou=People, o=airius.comIf you want to delete just a specific instance of the
changetype: modify
delete: telephonenumber
telephonenumber attribute, then you simply delete that specific attribute value. The following section describes how to do this.
changetype:modify with the delete operation to delete an attribute value from an entry. You must then indicate which of the actual attributes you want to delete.
For example, consider the following entry:
cn=Barney Fife, ou=People, o=airius.comTo delete the 555-1212 telephone number from this entry, use the following LDIF update statement:
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-1212
telephonenumber: 555-5678
dn: cn=Barney Fife, ou=People, o=airius.comBarney's entry then becomes:
changetype: modify
delete: telephonenumber
telephonenumber: 555-1212
cn=Barney Fife, ou=People, o=airius.com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-5678
changetype:modify with the add operation to add an attribute and an attribute value to an entry.
For example, the following LDIF update statement adds a telephone number to the entry:
dn: cn=Barney Fife, ou=People, o=airius.comThe following example adds two telephone numbers to the entry:
changetype: modify
add: telephonenumber
telephonenumber: 555-1212
dn: cn=Barney Fife, ou=People, o=airius.comThe following example adds two
changetype: modify
add: telephonenumber
telephonenumber: 555-1212
telephonenumber: 555-6789
telephonenumber attributes and a manager attribute to the entry:
dn: cn=Barney Fife, ou=People, o=airius.comThe following example adds a jpeg photograph to the directory. The jpeg photo can be displayed by the gateway. Note that in order to add this attribute to the directory, you must use the ldapmodify -b parameter (which indicates that ldapmodify should read the referenced file for binary values if the attribute value begins with a slash (/)): dn: cn=Barney Fife, ou=People, o=airius.com
changetype: modify
add: telephonenumber
telephonenumber: 555-1212
telephonenumber: 555-6789
-
add: manager
manager: cn=Sally Nixon, ou=People, o=airius.com
changetype:modify with the replace operation to change an attribute value when there is only a single instance of that attribute in the entry.
For example, the following LDIF update statement changes Barney's manager from Sally Nixon to Wally Hensford:
dn: cn=Barney Fife, ou=People, o=airius.comIf the entry has multiple instances of the attribute, then to change one of the attribute values, you must delete the attribute value that you want to change, and then add the replacement value. For example, consider the following entry:
changetype: modify
replace: manager
manager: cn=Wally Hensford, ou=People, o=airius.com
cn=Barney Fife, ou=People, o=airius.comTo change 555-1212 to 555-4321, use the following LDIF update statement:
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-1212
telephonenumber: 555-5678
dn: cn=Barney Fife, ou=People, o=airius.comBarney's entry now is now as follows:
changetype: modify
delete: telephonenumber
telephonenumber: 555-1212
-
add: telephonenumber
telephonenumber: 555-4321
cn=Barney Fife, ou=People, o=airius.com
objectClass: inetOrgPerson
cn: Barney Fife
sn: Fife
telephonenumber: 555-5678
telephonenumber: 555-4321
ldapmodify command-line utility to modify an attribute that has an associated language tag, you must match the value and language tag exactly or the modify operation will fail.
For example, if you want to modify an attribute value that has a language tag of lang-fr, you must include the lang-fr in the modify operation as follows:
dn: bjensen, o=airius.com
changetype: modify
replace: homePostalAddress;lang-fr
homePostalAddress;lang-fr: 34 rue Seine