Using ldapmodify
Learn how to efficiently make changes to your LDAP directory by using the ldapmodify command in this comprehensive guide.
Date: 11-04-2022
ldapmodify
Syntax: ldapmodify <opts> -f <file.ldif>
The ldapmodify command may be used to add, modify and delete entries. This section focuses on entry modifications.
Modification LDIFs
- ldapmodify uses "changetype" LDIF input. Every entry modification has a changetype of "modify" followed by an action specifier (add, delete, replace or increment) for each attribute being changed.
- Multiple attributes may be modified in one modify operation. Separate each action with a line containing only the "-" character.
- Modifications are atomic: if any part of a modification fails, the entire modification to that entry is discarded. When several entries are modified in one run, the continue (-c) option lets ldapmodify keep going with the remaining entries after one of them fails.
Adding Attributes
Example adding two attributes, one with multiple values, to an entry:
```
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +1 213 867 5309
-
add: description
description: This is a description
description: This is another description
```
Replacing Attributes
Note: When a specific value of a multivalued attribute is to be replaced, that value must be deleted and then the new value added. If replace is used on an attribute with more than one value, all existing values are deleted and only the new value is saved. Examples:
```
# Replace an attribute with a single value:
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +65 223 867 5309

# Replace a specific value in an attribute with multiple values:
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
delete: description
description: This is a description
-
add: description
description: This is the replaced description
```
Deleting attributes
Note: When a specific value of a multivalued attribute is to be deleted, the value must be specified in the delete action. If delete is used on an attribute with more than one value and no value is specified, all values will be deleted. Examples:
```
# Delete all description values in an entry:
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
delete: description

# Delete a specific value in an attribute with multiple values:
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
delete: description
description: This is the replaced description
```
Incrementing Attributes
Integer-type attributes may be incremented with the "increment" action (used under a "modify" changetype, as the examples show). This is a useful feature for keeping track of sequential ID numbers. Example:
```
# Increment an attribute by one
dn: cn=uidNumber,dc=example,dc=com
changetype: modify
increment: uidNumber
uidNumber: 1

# Increment an attribute by five
dn: cn=uidNumber,dc=example,dc=com
changetype: modify
increment: uidNumber
uidNumber: 5
```
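The add, replace, delete and increment sections above describe how a directory server applies a "changetype: modify" record, including the two points that most often bite in practice: replace wipes every existing value, and the whole record is rejected if any single action fails. The following is an added example, not code from this guide or from the OpenLDAP tools: a small Python parser for such records and an in-memory application of their semantics. The function names (parse_modify_record, apply_modify, run_demo), the sample entry and the sample records are constructed for illustration; base64 (::) values and continuation lines are deliberately not handled.

```python
"""Parse a 'changetype: modify' LDIF record and apply it to an in-memory entry.

Constructed example (not from the ldapmodify guide or any LDAP library).
Assumptions: an entry is a dict of attribute name -> list of string values;
attribute names match case-insensitively; only add, delete, replace and
increment are handled; no base64 (::) values or continuation lines.
"""

ACTIONS = ("add", "delete", "replace", "increment")


def parse_modify_record(text):
    """Return (dn, [(action, attribute, [values])]) for one modify record."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or not lines[0].lower().startswith("dn:"):
        raise ValueError("record must start with a dn: line")
    dn = lines[0].split(":", 1)[1].strip()
    if len(lines) < 2 or lines[1].lower().replace(" ", "") != "changetype:modify":
        raise ValueError("only changetype: modify records are handled")
    changes, current = [], None
    for ln in lines[2:]:
        if ln == "-":                      # separator closing the current action
            if current is None:
                raise ValueError("'-' without a preceding action")
            changes.append(current)
            current = None
            continue
        key, _, value = ln.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower() in ACTIONS:
            if current is not None:
                raise ValueError(f"missing '-' before {ln!r}")
            current = (key.lower(), value, [])
        elif current is not None and key.lower() == current[1].lower():
            current[2].append(value)       # value line for the attribute in scope
        else:
            raise ValueError(f"unexpected line: {ln!r}")
    if current is not None:                # trailing '-' is optional, as in the guide
        changes.append(current)
    return dn, changes


def apply_modify(entry, changes):
    """Apply every change to a copy of entry and return it. Any failure raises
    and leaves entry untouched, mirroring the all-or-nothing modify operation."""
    work = {name: list(vals) for name, vals in entry.items()}

    def lookup(attr):
        return next((n for n in work if n.lower() == attr.lower()), None)

    for action, attr, values in changes:
        name = lookup(attr)
        if action == "add":
            if not values:
                raise ValueError(f"add: {attr} needs at least one value")
            bucket = work.setdefault(name or attr, [])
            for v in values:
                if v in bucket:
                    raise ValueError(f"attributeOrValueExists: {attr}={v}")
                bucket.append(v)
        elif action == "delete":
            if name is None:
                raise ValueError(f"noSuchAttribute: {attr}")
            if not values:                 # no value given: drop every value
                del work[name]
            else:
                for v in values:
                    if v not in work[name]:
                        raise ValueError(f"noSuchAttribute: {attr}={v}")
                    work[name].remove(v)
                if not work[name]:
                    del work[name]
        elif action == "replace":          # replaces ALL existing values
            if values:
                work[name or attr] = list(values)
            elif name is not None:
                del work[name]
        elif action == "increment":
            if name is None or len(values) != 1 or len(work[name]) != 1:
                raise ValueError(f"increment: {attr} must be a single integer value")
            work[name] = [str(int(work[name][0]) + int(values[0]))]
    return work


# Constructed sample entry and records, modelled on the guide's "may gaul" examples.
ENTRY = {
    "cn": ["may gaul"],
    "description": ["This is a description", "This is another description"],
    "uidNumber": ["1000"],
}
REPLACE_ONE_VALUE = """dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
delete: description
description: This is a description
-
add: description
description: This is the replaced description
"""
# The deleted value does not exist, so the add after it must not be applied either.
BAD_RECORD = REPLACE_ONE_VALUE.replace("This is a description", "No such value")
INCREMENT = """dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
increment: uidNumber
uidNumber: 5
"""


def run_demo():
    """Apply the sample records and report the outcomes."""
    dn, changes = parse_modify_record(REPLACE_ONE_VALUE)
    replaced = apply_modify(ENTRY, changes)
    try:
        apply_modify(ENTRY, parse_modify_record(BAD_RECORD)[1])
        rejected = False
    except ValueError:
        rejected = True
    bumped = apply_modify(ENTRY, parse_modify_record(INCREMENT)[1])
    return {
        "dn": dn,
        "description": replaced["description"],
        "bad_record_rejected": rejected,
        "uidNumber": bumped["uidNumber"][0],
        "original_untouched": ENTRY["description"] == ["This is a description",
                                                       "This is another description"],
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

Running the script shows the delete-then-add record leaving "This is another description" and "This is the replaced description", the record with a non-existent value being rejected as a whole (the add in its second action never lands), and uidNumber going from 1000 to 1005. The copy-then-commit structure of apply_modify is what gives the atomicity the guide describes; a real server does the same per entry, which is why a typo in a delete value is caught rather than silently producing a half-applied change.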
Renaming or Moving Entries
Entries may be renamed and/or moved with the "modrdn" changetype:
```
# Let's create ou=terminated so we have a place to put terminated users:
ldapadd -Qv <<<'
dn: ou=terminated,dc=example,dc=com
objectClass: organizationalUnit
ou: Terminated
description: Terminated employees go here
'

# Rename the RDN of an entry, move it to the "terminated" OU and delete the old RDN value
dn: cn=Ann Tully,ou=Accounting,dc=example,dc=com
changetype: modrdn
newrdn: cn=T-Ann Tully
deleteoldrdn: 1
newsuperior: ou=terminated,dc=example,dc=com
```
Adding Entries
Full entries may be added using the "add" changetype:
```
# Add an entire entry
dn: ou=terminated,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Terminated
description: Terminated employees go here
```
Deleting Entries
Full entries may be deleted using the "delete" changetype:
```
# Delete an entry
dn: ou=terminated,dc=example,dc=com
changetype: delete
```