6.5. ldapmodify

ldapmodify makes changes to directory entries via LDAP.

Syntax

ldapmodify [ optional_options ]

ldapmodify [ -D binddn ] [ -w passwd ] [ -acmnrvFR ] [ -d debug_level ] [ -h host ] [ -p port ] [ -M auth_mechanism ] [ -Z/ZZ/ZZZ ] [ -V version ] [ -f file ] [ -l number_of_ldap_connections ] [ entryfile ]

Commonly-Used ldapmodify Options

Option Description
-a Adds LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory. This option also allows directly adding a file created by ldapmodify.
-B Specifies the suffix under which the new entries will be added.
-D Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries. For example:
-D "uid=bjensen, dc=example,dc=com"
This option cannot be used with the -N option.
-f

Option that specifies the file containing the LDIF update statements used to define the directory modifications. For example:

-f modify_statements

If this option is not supplied, the update statements are read from stdin.

For information on supplying LDIF update statements from the command-line, see the "Creating Directory Entries" chapter in the Directory Server Administration Guide.

-g Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests. The ldapmodify tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with an appropriate value. The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it. To suppress sending of the request control with the bind request, include -g on the command-line.
-h Specifies the name of the host on which the server is running. For example:
-h cyclops
-p Specifies the port number that the server uses. For example:
-p 1049
The default is 389. If -Z is used, the default is 636.
-q Causes each add to be performed silently as opposed to being echoed to the screen individually.
-w Specifies the password associated with the distinguished name specified in the -D option. For example:
-w mypassword
If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line.
Table 6.10. Commonly-Used ldapmodify Options

SSL Options

Use the following command-line options to specify that ldapmodify is to use LDAP over SSL (LDAPS) when communicating with the Directory Server. LDAPS encrypts data during transit. Also, use these options for certificate-based authentication. These options are valid only when SSL has been turned on and configured for the Directory Server. For more information on certificate-based authentication and on creating a certificate database for use with LDAP clients, see the "Managing SSL" chapter in the Directory Server Administration Guide.

Ensure that the Directory Server's encrypted port is specified when using these options.

Option Description
-3 Specifies that hostnames should be checked in SSL certificates.
-I Specifies the SSL key password file that contains the token:password pair.
-K Specifies the path, including the filename, of the private key database of the client. Either the absolute or relative (to the server root) path can be specified. The -K option must be used when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path for which is specified with the -P option).
-N Specifies the certificate name to use for certificate-based client authentication. For example:
-N Server-Cert
If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w.
-P Specifies the absolute path, including the filename, of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be pointed to the certificate database for the web browser. For example:
-P /security/cert.db
The client security files can be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option calls out a path and filename similar to the following:
-P /etc/dirsrv/slapd-instance_name/client-cert.db
-Q Specifies the token and certificate name, which is separated by a semicolon (:) for PKCS11.
-W Specifies the password for the certificate database identified on the -P option. For example:
-W serverpassword
-Z Specifies that SSL is to be used for the directory request.
-ZZ Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command is not aborted; it continues in cleartext.
-ZZZ Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS, for example because Start TLS is not enabled or the certificate information is incorrect, the command is aborted immediately.
Table 6.11. ldapmodify SSL Options

SASL Options

SASL mechanisms can be used to authenticate a user, using the -o option to pass the required SASL information.

To learn which SASL mechanisms are supported, search the root DSE. See the -b option in Table 6.3, “Commonly-Used ldapsearch Options”.

Option Description
-o Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six values:
  • mech

  • authid

  • authzid

  • secProp

  • realm

  • flags

The expected values depend on the supported mechanism. The -o can be used multiple times to pass all of the required SASL information for the mechanism. For example:
-o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"
Table 6.12. SASL Options

See SASL Options for information on how to use SASL options with ldapmodify.

Additional ldapmodify Options

Option Description
-b

Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG.

For example, to add a jpegPhoto attribute, specify the -b option on the ldapmodify call. In the LDIF provided to ldapmodify, include a line like the following:

jpegPhoto: /tmp/photo.jpeg

ldapmodify reads the contents of the photo.jpeg file into the jpegPhoto attribute being added to the entry.

As an alternative to the -b option, use the :< URL specifier notation, which is simpler. For example:

jpegphoto:< file:///tmp/myphoto.jpg

Although the official notation requires three ///, the use of one / is accepted.

NOTE

The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file.

For further information on the LDIF format, see the "Managing Directory Entries" chapter in the Directory Server Administration Guide.

-c Specifies that the utility run in continuous operation mode. Errors are reported, but the utility continues with modifications. The default is to quit after reporting an error.
-H Lists all available ldapmodify options.
-M Manages smart referrals. This causes the server not to return the smart referral contained on the entry but, instead, to apply the modification request directly to the entry. Use this option to add, change, or delete a directory entry that contains a smart referral. For more information about smart referrals, see the "Configuring Directory Databases" chapter in the Directory Server Administration Guide.
-n Specifies that the entries are not actually to be modified but that ldapmodify is to show what it would do with the specified input.
-O Specifies the maximum number of referral hops to follow. For example:
-O 2
-R Specifies that referrals are not to be followed automatically.
-v Specifies that the utility is to run in verbose mode.
-V Specifies the LDAP version number to be used on the operation. For example:
-V 2
LDAPv3 is the default. An LDAPv3 operation cannot be performed against a Directory Server that only supports LDAPv2.
-Y Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see the "Managing Access Control" chapter in the Directory Server Administration Guide.
Table 6.13. Additional ldapmodify Options
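The :< file URL rule described under -b, as an added example in Python (not Directory Server code): a minimal LDIF record parser that dereferences a file: URL only when the record begins with version: 1 and otherwise keeps the URL text as the value, which is exactly the pitfall the note warns about. The photo bytes and the bjensen record are constructed; the exact literal the real tool stores without a version line is not specified on this page, so keeping the raw text after the colon is an assumption.

```python
import os
import tempfile
from urllib.parse import unquote

def read_file_url(url: str) -> bytes:
    """Dereference a file: URL; both file:///tmp/x and file:/tmp/x map to /tmp/x."""
    url = url.strip()
    if not url.startswith("file:"):
        raise ValueError(f"unsupported URL scheme: {url}")
    path = url[len("file:"):]
    if path.startswith("//"):             # file://host/path: only an empty host is accepted
        path = path[2:]
        if not path.startswith("/"):
            raise ValueError(f"remote file URLs are not supported: {url}")
    with open(unquote(path), "rb") as fh:
        return fh.read()

def parse_ldif_entry(ldif: str) -> dict:
    """Return {attribute: [values]} for one LDIF record, applying the ':<' version rule."""
    unfolded = []                         # join continuation lines (leading single space)
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#") and raw != "-":
            unfolded.append(raw)
    has_version = bool(unfolded) and unfolded[0].strip().lower() == "version: 1"
    entry = {}
    for line in unfolded[1:] if has_version else unfolded:
        attr, _, rest = line.partition(":")
        if rest.startswith("<") and has_version:
            value = read_file_url(rest[1:])   # file contents become the attribute value
        else:
            value = rest.strip()              # no 'version: 1': the URL text itself is kept (assumption)
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry

def demo() -> dict:
    """Constructed data: parse the same jpegPhoto record with and without 'version: 1'."""
    photo = b"\xff\xd8\xff\xe0 constructed, not a real JPEG \xff\xd9"
    fd, path = tempfile.mkstemp(suffix=".jpg")
    with os.fdopen(fd, "wb") as fh:
        fh.write(photo)
    body = ("dn: uid=bjensen,dc=example,dc=com\nchangetype: modify\n"
            f"replace: jpegPhoto\njpegPhoto:< file://{path}\n-\n")
    with_version = parse_ldif_entry("version: 1\n" + body)
    without = parse_ldif_entry(body)
    os.unlink(path)
    return {"dereferenced": with_version["jpegphoto"][0] == photo,
            "literal_without_version": without["jpegphoto"][0] == f"< file://{path}"}
```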