Symas OpenLDAP Knowledge Base

Using ldapmodify

ldapmodify

ldapmodify Man Page

Syntax: ldapmodify <opts> -f <file.ldif>

The ldapmodify command may be used to add, modify and delete entries. This section focuses on entry modifications.

Modification LDIFs

  • ldapmodify uses “changetype” LDIF input. All entry modifications have a changetype of “modify” and an action specifier for each attribute being changed.

  • Multiple attributes may be modified in one modify operation. Put a line containing only the “-” character between each action.

  • Modifications are atomic per entry: if any part of a modification fails, the entire modification to that entry is discarded. When the LDIF modifies multiple entries, processing stops at the first failure unless the continue (-c) option is used, in which case the failed entry is reported and the remaining entries are still processed.

Adding Attributes

Example adding two attributes, one with multiple values to an entry:

dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +1 213 867 5309
-
add: description
description: This is a description
description: This is another description

Replacing Attributes

Note: To replace one specific value of a multivalued attribute, delete that value and then add the new value. If replace is used on an attribute with more than one value, all existing values are deleted and only the new value is saved. Examples:

# Replace an attribute with a single value:
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +65 223 867 5309

# Replace a specific value in an attribute with multiple values:
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
delete: description
description: This is a description
-
add: description
description: This is the replaced description

Deleting Attributes

Note: To delete one specific value of a multivalued attribute, specify that value in the delete action. If delete is used on an attribute with more than one value and no value is specified, all values are deleted. Examples:

# Delete all description attributes in an entry:
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
delete: description

# Delete a specific value in an attribute with multiple values:
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
delete: description
description: This is the replaced description
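
Because any replace and any delete without a value discard every existing value of an attribute, a change file can be checked for those actions before it is handed to ldapmodify. The following Python check is an added example, not part of this page's original material or of OpenLDAP; the function names records and audit and the sample LDIF are constructed for illustration, and it covers both the replace note and the delete note above.

```python
# Added example: pre-flight review of a change LDIF before ldapmodify applies it.
SAMPLE = """\
# Constructed sample input, modelled on the entry used on this page
dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +65 223 867 5309
-
delete: description

dn: cn=may gaul,ou=accounting,dc=example,dc=com
changetype: modify
delete: description
description: This is the replaced description
"""

def records(text):
    """Yield each LDIF record as a list of unfolded lines, comments dropped."""
    rec, in_comment = [], False
    for line in text.splitlines() + [""]:
        if line.startswith(" "):              # folded continuation (RFC 2849)
            if rec and not in_comment:
                rec[-1] += line[1:]
            continue
        in_comment = line.startswith(("#", "version:"))
        if not in_comment and line.strip():
            rec.append(line)
        elif not in_comment and rec:          # blank line ends the record
            yield rec
            rec = []

def audit(text):
    """Return (dn, warning) pairs for modify actions that discard every value."""
    findings = []
    for rec in records(text):
        dn = rec[0].partition(":")[2].strip()   # base64 "dn::" is not decoded
        if len(rec) < 2 or rec[1].replace(" ", "").lower() != "changetype:modify":
            continue
        block = []
        for line in rec[2:] + ["-"]:            # "-" closes each action
            if line.strip() != "-":
                block.append(line)
            elif block:
                action, _, attr = (p.strip() for p in block[0].partition(":"))
                if action.lower() == "replace":
                    findings.append((dn, f"replace discards all existing values of {attr}"))
                elif action.lower() == "delete" and len(block) == 1:
                    findings.append((dn, f"delete without a value removes all values of {attr}"))
                block = []
    return findings
```

Calling audit(SAMPLE) reports the replace and the valueless delete in the first record and nothing for the second record, whose delete names the value to remove.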

Incrementing Attributes

Integer-type attributes may be incremented with the “increment” action of a modify operation. This is a useful feature for keeping track of sequential ID numbers. Example:

# Increment an attribute by one
dn: cn=uidNumber,dc=example,dc=com
changetype: modify
increment: uidNumber
uidNumber: 1

# Increment an attribute by five
dn: cn=uidNumber,dc=example,dc=com
changetype: modify
increment: uidNumber
uidNumber: 5

Renaming or Moving Entries

Entries may be renamed and/or moved with the “modrdn” changetype:

# Create ou=terminated first so there is a place to put terminated users:
ldapadd -Qv <<'EOF'
dn: ou=terminated,dc=example,dc=com
objectClass: organizationalUnit
ou: Terminated
description: Terminated employees go here
EOF

# Rename the RDN of an entry, move it to the "terminated" OU, and delete the old RDN
dn: cn=Ann Tully,ou=Accounting,dc=example,dc=com
changetype: modrdn
newrdn: cn=T-Ann Tully
deleteoldrdn: 1
newsuperior: ou=terminated,dc=example,dc=com

Adding Entries

Full entries may be added using the “add” changetype:

# Add an entire entry
dn: ou=terminated,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Terminated
description: Terminated employees go here

Deleting Entries

Full entries may be deleted using the “delete” changetype:

# Delete an entry
dn: ou=terminated,dc=example,dc=com
changetype: delete