Product SiteDocumentation Site

Chapter 2. Creating Directory Entries

2.1. Managing Entries from the Directory Console
2.1.1. Creating a Root Entry
2.1.2. Creating Directory Entries
2.1.3. Modifying Directory Entries
2.1.4. Deleting Directory Entries
2.2. Managing Entries from the Command-Line
2.2.1. Providing Input from the Command-Line
2.2.2. Creating a Root Entry from the Command-Line
2.2.3. Adding Entries Using LDIF
2.2.4. Adding and Modifying Entries Using ldapmodify
2.2.5. Deleting Entries Using ldapdelete
2.2.6. Using Special Characters
2.3. Tracking Modifications to Directory Entries
2.4. LDIF Update Statements
2.4.1. Adding an Entry Using LDIF
2.4.2. Renaming an Entry Using LDIF
2.4.3. Modifying an Entry Using LDIF
2.4.4. Deleting an Entry Using LDIF
2.4.5. Modifying an Entry in an Internationalized Directory
2.5. Maintaining Referential Integrity
2.5.1. How Referential Integrity Works
2.5.2. Using Referential Integrity with Replication
2.5.3. Enabling/Disabling Referential Integrity
2.5.4. Modifying the Update Interval
2.5.5. Modifying the Attribute List
This chapter discusses how to use the Directory Server Console and the ldapmodify and ldapdelete command-line utilities to modify the contents of your directory.
Entries stored in Active Directory can be added to the Directory Server through Windows Sync; see Chapter 19, Synchronizing Red Hat Directory Server with Microsoft Active Directory for more information on adding or modifying synchronized entries through Windows User Sync.

2.1. Managing Entries from the Directory Console

You can use the Directory tab and the Property Editor on the Directory Server Console to add, modify, or delete entries individually.
To add several entries simultaneously, use the command-line utilities described in Section 2.1, “Managing Entries from the Directory Console”.

NOTE

You cannot modify your directory unless the appropriate access control rules have been set. For information on creating access control rules for your directory, see Chapter 6, Managing Access Control.

2.1.1. Creating a Root Entry

Each time you create a new database, you associate it with the suffix that will be stored in the database. The directory entry representing that suffix is not automatically created.
To create a root entry for a database, do the following:

NOTE

For information on starting the Directory Server Console, see Section 1.4, “Starting the Directory Server Console”.
  1. In the Directory Server Console, select the Configuration tab.
  2. Create a new database, as explained in Section 3.2, “Creating and Maintaining Databases”.
  3. In the Directory tab, right-click the top object representing the Directory Server, and choose New Root Object.
    The secondary menu under New Root Object displays a list of suffixes that do not have a corresponding entry.
  4. Choose the suffix corresponding to the entry to create.
    The New Object window opens.
  5. In the New Object window, select the object class corresponding to the new entry.
    The object class you select must contain the attribute you used to name the suffix. For example, if you are creating the entry corresponding to the suffix ou=people,dc=example,dc=com, then you can choose the organizationalUnit object class or another object class that allows the ou attribute.
  6. Click OK in the New Object window.
The Property Editor for the new entry opens. You can either accept the current values by clicking OK or modify the entry, as explained in Section 2.1.3, “Modifying Directory Entries”.

2.1.2. Creating Directory Entries

Directory Server Console offers several predefined templates for creating directory entries. Templates are available for the following types of entries:
  • User
  • Group
  • Organizational Unit
  • Role
  • Class of Service
Table 2.1, “Entry Templates and Corresponding Object Classes” shows what type of object class is used for each template.
Template Object Class
User inetOrgPerson
Group groupOfUniqueNames
Organizational Unit organizationalUnit
Role nsRoleDefinition
Class of Service cosSuperDefinition
Table 2.1. Entry Templates and Corresponding Object Classes

These templates contain fields representing all the mandatory attributes and some of the commonly used optional attributes. To create an entry using one of these templates, refer to Section 2.1.2.1, “Creating an Entry Using a Predefined Template”. To create any other type of entry, refer to Section 2.1.2.2, “Creating Other Types of Entries”.

2.1.2.1. Creating an Entry Using a Predefined Template

  1. In the Directory Server Console, select the Directory tab.
    For information on starting the Directory Server Console, see Section 1.4, “Starting the Directory Server Console”.
  2. In the left pane, right-click the main entry to to add the new entry, and select the type of entry: User, Group, Organizational Unit, Role, Class of Service, or Other.
    The corresponding Create window opens.
  3. Supply values for all of the mandatory attributes (identified by an asterisk) and, if you want, for any of the optional attributes.
  4. The Create window does not provide fields for all optional attributes. To display the full list of attributes, click the Advanced button.
    In the Property Editor (described in Section 2.1.3, “Modifying Directory Entries”), select any additional attributes, and fill in the attribute values.
  5. Click OK to save the entry. The new entry opens in the right pane.

2.1.2.2. Creating Other Types of Entries

  1. In the Directory Server Console, select the Directory tab.
    For information on starting the Directory Server Console, see Section 1.4, “Starting the Directory Server Console”.
  2. In the left pane, right-click the main entry under which to add the new entry, and select Other.
    The New Object window opens.
  3. In the object class list, select an object class to define the new entry.
  4. Click OK.
    If you selected an object class related to a type of entry for which a predefined template is available, the corresponding Create window opens, as described in Section 2.1.2.1, “Creating an Entry Using a Predefined Template”.
    In all other cases, the Property Editor opens. It contains a list of mandatory attributes for the selected object class.
  5. Supply a value for all the listed attributes.
    • Some fields are empty, but some might have a placeholder value such as New. Fill in all attributes with a meaningful value for the entry.
    • Some object classes can have several naming attributes. Select the naming attribute to use to name the new entry.
    • Open the Property Editor to add optional attributes, as described in Section 2.1.3, “Modifying Directory Entries”.
  6. Click OK to save the new entry. The new entry opens in the right pane.

2.1.3. Modifying Directory Entries

Modifying directory entries in Directory Server Console uses a dialog window called the Property Editor. The Property Editor contains the list of object classes and attributes belonging to an entry and can be used to edit the object classess and attributes belonging to that entry:
  • Add and remove object classes
  • Add and remove an attribute
  • Add and remove an attribute value
  • Add an attribute subtype
This section describes how to start the Property Editor and use it to modify an entry's attributes and attribute values.

2.1.3.1. Displaying the Property Editor

The Property Editor can be opened in several ways:

2.1.3.2. Adding an Object Class to an Entry

To add an object class to an entry, do the following:
  1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Advanced from the pop-up menu.
    Alternatively, double-click the entry to open the Property Editor, and click the Advanced button.
  2. Select the object class field, and click Add Value.
    The Add Object Class window opens. It shows a list of object classes that can be added to the entry.
  3. Select the object class to add, and click OK.
    The selected object class appears in the list of object classes in the Advanced Property Editor. To dismiss the Add Object Class window, click Cancel.
  4. Click OK in the Advanced Property Editor when you have finished editing the entry, then click OK to close the Property Editor.

2.1.3.3. Removing an Object Class

To remove an object class from an entry, do the following:
  1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Advanced from the pop-up menu.
    Alternatively, double-click the entry to open the Property Editor opens, and click the Advanced button.
  2. Click the text box that shows the object class to remove, and then click Delete Value.
  3. Click OK in the Advanced Property Editor, then click OK to save the changes and close the Property Editor.

2.1.3.4. Adding an Attribute to an Entry

Before you can add an attribute to an entry, the entry must contain an object class that either requires or allows the attribute. refer to Section 2.1.3.2, “Adding an Object Class to an Entry” and Chapter 9, Extending the Directory Schema for more information.
Add an attribute to an entry as follows:
  1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Advanced from the pop-up menu.
    Alternatively, double-click the entry to open the Property Editor, and then click the Advanced button.
  2. Click Add Attribute. The Add Attribute dialog box opens.
  3. Select the attribute to add from the list, and click OK.
    The Add Attribute window is dismissed, and the selected attribute appears in the list of attributes in the Advanced Property Editor.
  4. Type in the value for the new attribute in the field to the right of the attribute name.
  5. Click OK in the Advanced Property Editor to save the attribute to the entry and close the Advanced Property Editor.
    Click OK to close the Property Editor.

NOTE

If the attribute you want to add is not listed, add the object class containing the attribute first, then add the attribute. See Section 2.1.3.2, “Adding an Object Class to an Entry” for instructions on adding an object class.

2.1.3.5. Adding Very Large Attributes

The configuration attribute nsslapd-maxbersize sets the maximum size limit for LDAP requests. The default configuration of Directory Server sets this attribute at 2 megabytes. LDAP add or modify operations will fail when attempting to add very large attributes that result in a request that is larger than 2 megabytes.
To add very large attributes, first change the setting for the nsslapd-maxbersize configuration attribute to a value larger than the largest LDAP request you will make.
When determining the value to set, consider all elements of the LDAP add and modify operations used to add the attributes, not just the single attribute. There are a number of different factors to considerin, including the following:
  • The size of each attribute name in the request
  • The size of the values of each of the attributes in the request
  • The size of the DN in the request
  • Some overhead; usually 10 kilobytes is sufficient
One common issue that requires increasing the nsslapd-maxbersize setting is using attributes which hold CRL values, such as certificateRevocationList, authorityRevocationList, and deltaRevocationList.
For further information about the nsslapd-maxbersize attribute and for information about setting this attribute, see the section "nsslapd-maxbersize (MaximumMessage Size)" in chapter 2, "Core Server Configuration Reference," in Red Hat Directory Server Configuration, Command, and File Reference.

2.1.3.6. Adding Attribute Values

Multi-valued attributes allow multiple value for one attribute to be added to an entry. To add an attribute value to a multi-valued attribute:
  1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Advanced from the pop-up menu.
    Alternatively, double-click the entry to open the Property Editor, and click the Advanced button.
  2. Select the attribute to which to add a value, and then click Add Value. A new blank text field opens in the right column.
  3. Type in the new attribute value.
  4. Click OK in the Advanced Property Editor to close the Advanced Property Editor, then click OK again to close the Property Editor.

2.1.3.7. Removing an Attribute Value

To remove an attribute value from an entry, do the following:
  1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Advanced from the pop-up menu.
    Alternatively, double-click the entry to open the Property Editor, and click the Advanced button.
  2. Click the text box of the attribute value to remove, and click Delete Value.
    To remove the entire attribute and all its values from the entry, select Delete Attribute from the Edit menu.
  3. Click OK to close the Advanced Property Editor, then click OK to close the Property Editor.

2.1.3.8. Adding an Attribute Subtype

There are three different kinds of subtypes to attributes which can be added to an entry: language, binary, and pronunciation.
2.1.3.8.1. Language Subtype
Sometimes a user's name can be more accurately represented in characters of a language other than the default language. For example, a user, Noriko, has a name in Japanese and prefers that her name be represented by Japanese characters when possible. You can select Japanese as a language subtype for the givenname attribute so that other users can search for her name in Japanese as well as English. For example: 
givenname;lang-ja
To specify a language subtype for an attribute, add the subtype to the attribute name as follows: 
attribute;lang-subtype:attribute value
attribute is the attribute being added to the entry and subtype is the two character abbreviation for the language. The supported language subtypes are listed in Table D.2, “Supported Language Subtypes”.
Only one language subtype can be added per attribute instance in an entry. To assign multiple language subtypes, add another attribute instance to the entry, and then assign the new language subtype. For example, the following is illegal: 
cn;lang-ja;lang-en-GB:value
Instead, use: 
cn;lang-ja:ja-value
cn;lang-en-GB:value
2.1.3.8.2. Binary Subtype
Assigning the binary subtype to an attribute indicates that the attribute value is binary, such as user certificates (usercertificate;binary).
Although you can store binary data within an attribute that does not contain the binary subtype (for example, jpegphoto), the binary subtype indicates to clients that multiple variants of the attribute type may exist.
2.1.3.8.3. Pronunciation Subtype
Assigning the pronunciation subtype to an attribute indicates that the attribute value is a phonetic representation. The subtype is added to the attribute name as attribute;phonetic. This subtype is commonly used in combination with a language subtype for languages that have more than one alphabet, where one is a phonetic representation.
This subtype is useful with attributes that are expected to contain user names, such as cn or givenname. For example, givenname;lang-ja;phonetic indicates that the attribute value is the phonetic version of the user's Japanese name.
2.1.3.8.4. Adding a Subtype to an Attribute
To add a subtype to an entry, do the following:
  1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Properties from the pop-up menu.
    Alternatively, double-click the entry to open the Property Editor.
  2. Click Add Attribute. The Add Attribute dialog box opens.
  3. Select the attribute to add from the list.
  4. To assign a language subtype to the attribute, select the subtype from the Language drop-down list.
    Assign one of the other two subtypes, binary or pronunciation, from the Subtype drop-down list.
  5. Click OK to close the Add Attribute window, then click OK again to close the Property Editor.

2.1.4. Deleting Directory Entries

To delete entries using the Directory Server Console, do the following:
  1. In the Directory Server Console, select the Directory tab.
    For information on starting the Directory Server Console, see Section 1.4, “Starting the Directory Server Console”.
  2. Right-click the entry to delete in the navigation tree or in the right pane. To select multiple entries, use Ctrl or Shift.
  3. Select Delete from the Edit menu.

WARNING

The server deletes the entry or entries immediately. There is no way to undo the delete operation.