Red Hat SummitChapter 1. Managing directory entries using the command line
You can add, edit, rename, and delete an LDAP entry using the command line.
1.1. Providing input to the ldapadd, ldapmodify, and ldapdelete utilities
When you add, update, or delete entries or attributes in the directory, you can either use the interactive mode of the utilities to enter LDAP Data Interchange Format (LDIF) statements or pass an LDIF file to them.
1.1.1. The interactive mode of OpenLDAP client utilities
In the interactive mode, the ldapadd, ldapmodify, and ldapdelete utilities read the input from the command line. To exit the interactive mode, press the Ctrl+D (^D) key combination to send the end-of-file (EOF) escape sequence.
In interactive mode, the utility sends the statements to the LDAP server when you press Enter twice or when you send the EOF sequence.
Use the interactive mode:
To enter LDAP Data Interchange Format (LDIF) statements without creating a file.
Example 1.1. Using the ldapmodify interactive mode to enter LDIF statements
The following example runs
ldapmodifyin interactive mode, deletes thetelephoneNumberattribute, and adds themanagerattribute with thecn=manager_name,ou=people,dc=example,dc=comvalue to theuid=user,ou=people,dc=example,dc=comentry. Press after the last statement to exit the interactive mode.# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x dn: uid=user,ou=people,dc=example,dc=com changetype: modify delete: telephoneNumber - add: manager manager: cn=manager_name,ou=people,dc=example,dc=com modifying entry "uid=user,ou=people,dc=example,dc=com" ^DTo redirect LDIF statements, outputted by an another command, to the server:
Example 1.2. Using the ldapmodify interactive mode with redirected content
The following example redirects the output of the
command_that_outputs_LDIFcommand toldapmodify. The interactive mode exits automatically after the redirected command exits.# command_that_outputs_LDIF | ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
1.1.2. The file mode of OpenLDAP client utilities
In the interactive mode, the ldapadd, ldapmodify, and ldapdelete utilities read the LDAP Data Interchange Format (LDIF) statements from a file. Use this mode to send a larger number of LDIF statements to the server.
Example 1.3. Passing a File with LDIF Statements to ldapmodify
Create a file with the LDIF statements. For example, create the
~/example.ldiffile with the following statements:dn: uid=user,ou=people,dc=example,dc=com changetype: modify delete: telephoneNumber - add: manager manager: cn=manager_name,ou=people,dc=example,dc=comThis example deletes the
telephoneNumberattribute and to adds themanagerattribute with thecn=manager_name,ou=people,dc=example,dc=comvalue to theuid=user,ou=people,dc=example,dc=comentry.Pass the file to the
ldapmodifycommand using the-fparameter:# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x -f ~/example.ldif
1.1.3. The continuous operation mode of OpenLDAP client utilities
By default, if you send multiple LDAP Data Interchange Format (LDIF) statements to the server and one operation fails, the process stops. However, entries processed before the error occurred were successfully added, modified, or deleted.
To ignore errors and continue processing further LDIF statements in a batch, pass the -c parameter to ldapadd and ldapmodify:
# ldpamodify -c -D "cn=Directory Manager" -W -H ldap://server.example.com -x1.2. Adding an LDAP entry using the command line
To add a new entry to the directory, use the ldapadd or ldapmodify utility. Note that /bin/ldapadd is a symbolic link to /bin/ldapmodify. Therefore, ldapadd performs the same operation as ldapmodify -a.
You can only add a new directory entry if the parent entry already exists. For example, you cannot add cn=user,ou=people,dc=example,dc=com, if the ou=people,dc=example,dc=com parent entry does not exist.
1.2.1. Adding an entry using ldapadd
To use the ldapadd utility to add, for example, the cn=user,ou=people,dc=example,dc=com user entry, enter:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: uid=user,ou=People,dc=example,dc=com
uid: user
givenName: given_name
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: surname
cn: user
Running ldapadd automatically performs a changetype: add operation. Therefore, you do not need to specify changetype: add in the LDIF statement.
1.2.2. Adding an entry using ldapmodify
To use the ldapmodify utility to add, for example, the cn=user,ou=people,dc=example,dc=com user entry, enter:
# ldapmodify -a -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: uid=user,ou=People,dc=example,dc=com
uid: user
givenName: given_name
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: surname
cn: user
When passing the -a parameter to the ldapmodify command, the utility automatically performs a changetype: add operation. Therefore, you do not need to specify changetype: add in the LDIF statement.
1.2.3. Creating a root entry of a database suffix
To create the root entry of a database suffix, such as dc=example,dc=com, bind as the cn=Directory Manager user and add the entry. The distinguished name (DN) corresponds to the DN of the root or sub-suffix of the database.
For example, to add the dc=example,dc=com suffix, enter:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: dc=example,dc=com
changetype: add
objectClass: top
objectClass: domain
dc: example
You can add root objects only if you have one database per suffix. If you create a suffix that is stored in several databases, you must use the dsctl ldif2db command to set the database that will hold the new entries.
1.3. Updating an LDAP entry using the command line
When you modify a directory entry, use the changetype: modify statement. Depending on the change operation, you can add, change, or delete attributes from the entry.
1.3.1. Adding attributes to an LDAP entry
To add an attribute to an LDAP entry, use the add operation.
For example, to add the telephoneNumber attribute with the 555-1234567 value to the uid=user,ou=People,dc=example,dc=com entry, enter:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: 555-1234567
If an attribute is multi-valued, you can specify the attribute name multiple times to add all the values in a single operation. For example, to add two telephoneNumber attributes at once to the uid=user,ou=People,dc=example,dc=com, enter:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: 555-1234567
telephoneNumber: 555-76543211.3.2. Updating the value of an attribute
The procedure for updating an attribute’s value depends on whether the attribute is single-valued or multi-valued:
Updating a single-value attribute:
When updating a single-value attribute, use the
replaceoperation to override the existing value. The following command updates themanagerattribute of theuid=user,ou=People,dc=example,dc=comentry:# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x dn: uid=user,ou=People,dc=example,dc=com changetype: modify replace: manager manager: uid=manager_name,ou=People,dc=example,dc=comUpdating a specific value of a multi-value attribute:
To update a specific value of a multi-value attribute, first delete the entry you want to replace, and then add the new value. The following command updates only the
telephoneNumberattribute that is currently set to555-1234567in theuid=user,ou=People,dc=example,dc=comentry:# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x dn: uid=user,ou=People,dc=example,dc=com changetype: modify delete: telephoneNumber telephoneNumber: 555-1234567 - add: telephoneNumber telephoneNumber: 555-9876543
1.3.3. Deleting attributes from an entry
To delete an attribute from an entry, use the delete operation:
Deleting an attribute:
For example, to delete the
managerattribute from theuid=user,ou=People,dc=example,dc=comentry, enter:# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x dn: uid=user,ou=People,dc=example,dc=com changetype: modify delete: managerImportantIf the attribute contains multiple values, this operation deletes all of them.
Deleting a specific value of a multi-value attribute:
If you want to delete a specific value from a multi-value attribute, list the attribute and its value in the LDAP Data Interchange Format (LDIF) statement. For example, to delete only the
telephoneNumberattribute that is set to555-1234567from theuid=user,ou=People,dc=example,dc=comentry, enter:# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x dn: uid=user,ou=People,dc=example,dc=com changetype: modify delete: telephoneNumber telephoneNumber: 555-1234567
1.4. Renaming and moving an LDAP entry
The following rename operations exist:- Renaming an entry
If you rename an entry, the
modrdnoperation changes the relative distinguished name (RDN) of the entry:
- Renaming a subentry
For subtree entries, the
modrdnoperation renames the subtree and also the DN components of child entries:
Note that for large subtrees, this process can take a lot of time and resources.
- Moving an entry to a new parent
A similar action to renaming a subtree is moving an entry from one subtree to another. This is an expanded type of the
modrdnoperation, which simultaneously renames the entry and sets anewSuperiorattribute which moves the entry from one parent to another:
1.4.1. Considerations for renaming LDAP entries
Keep the following in mind when performing rename operations:
- You cannot rename the root suffix.
- Subtree rename operations have minimal effect on replication. Replication agreements are applied to an entire database, not to a subtree within the database. Therefore, a subtree rename operation does not require re-configuring a replication agreement. All name changes after a subtree rename operation are replicated as normal.
- Renaming a subtree might require any synchronization agreements to be reconfigured. Synchronization agreements are set at the suffix or subtree level. Therefore, renaming a subtree can break synchronization.
- Renaming a subtree requires that any subtree-level access control instructions (ACI) set for the subtree be reconfigured manually, as well as any entry-level ACIs set for child entries of the subtree.
-
Trying to change the component of a subtree, such as moving from
outodc, might fail with a schema violation. For example, theorganizationalUnitobject class requires theouattribute. If that attribute is removed as part of renaming the subtree, the operation fails. -
If you move a group, the
MemberOfplug-in automatically updates thememberOfattributes. However, if you move a subtree that contain groups, you must manually create a task in thecn=memberoftask entry or use thedsconf memberof fixupcommand to update the relatedmemberOfattributes.
1.4.2. Controlling the relative distinguished name behavior when renaming entries
When you rename an entry, the deleteOldRDN attribute controls whether the old relative distinguished name (RDN) will be deleted or retained:
- deleteOldRDN: 0
The existing RDN is retained as a value in the new entry. The resulting entry contains two
cnattributes: one with the old and one with the new common name (CN).For example, the following attributes belong to a group that was renamed from
cn=old_group,dc=example,dc=comtocn=new_group,dc=example,dc=comwith thedeleteOldRDNattribute set to0:dn: cn=new_group,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: old_group cn: new_group- deleteOldRDN: 1
Directory Server deletes the old entry and creates a new entry using the new RDN. The new entry only contains the
cnattribute of the new entry.For example, the following group was renamed to
cn=new_group,dc=example,dc=comwith thedeleteOldRDNattribute set to1:dn: cn=new_group,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupofuniquenames cn: new_group
1.4.3. Renaming an LDAP entry or subtree
To rename an entry or subtree, use the changetype: modrdn operation, and set the new relative distinguished name (RDN) in the newrdn attribute.
For example, to rename the cn=demo1,dc=example,dc=com entry to cn=demo2,dc=example,dc=com, enter:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=demo1,dc=example,dc=com
changetype: modrdn
newrdn: cn=demo2
deleteOldRDN: 11.4.4. Moving an LDAP entry to a new parent
To move an entry to a new parent, use the changetype: modrdn operation, and set the following to attributes:
-
newrdn: Sets the relative distinguished name (RDN) of the moved entry. You must set this entry, even if the RDN remains the same. -
newSuperior: Sets the distinguished name (DN) of the new parent entry.
For example, to move the cn=demo entry from ou=Germany,dc=example,dc=com to ou=France,dc=example,dc=com, enter:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=demo,ou=Germany,dc=example,dc=com
changetype: modrdn
newrdn: cn=demo
newSuperior: ou=France,dc=example,dc=com
deleteOldRDN: 11.5. Deleting an LDAP entry using the command line
You can remove entries from an LDAP directory, but you can only delete entries that have no child entries. For example, you cannot delete ou=People,dc=example,dc=com, if the uid=user,ou=People,dc=example,dc=com entry still exists.
1.5.1. Deleting an entry using ldapdelete
The ldapdelete utility enables you to delete one or multiple entries. For example, to delete the uid=user,ou=People,dc=example,dc=com entry, enter:
# ldapdelete -D "cn=Directory Manager" -W -H ldap://server.example.com -x "uid=user,ou=People,dc=example,dc=com"To delete multiple entries in one operation, append them to the command:
# ldapdelete -D "cn=Directory Manager" -W -H ldap://server.example.com -x "uid=user1,ou=People,dc=example,dc=com" "uid=user2,ou=People,dc=example,dc=com"1.5.2. Deleting an entry using ldapmodify
To delete an entry using the ldapmodify utility, use the changetype: delete operation. For example, to delete the uid=user,ou=People,dc=example,dc=com entry, enter:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: uid=user,ou=People,dc=example,dc=com
changetype: delete1.6. Using special characters in OpenLDAP client utilities
When using the command line, enclose characters that have a special meaning to the command-line interpreter, such as space ( ), asterisk (*), or backslash (\), with quotation marks. Depending on the command-line interpreter, use single or double quotation marks. For example, to authenticate as the cn=Directory Manager user, enclose the user’s distinguished name (DN) in quotation marks:
# ldapmodify -a -D "cn=Directory Manager" -W -H ldap://server.example.com -x
Additionally, if a DN contains a comma in a component, escape it using a backslash. For example, to authenticate as the uid=user,ou=People,dc=example.com Chicago, IL user, enter:
# ldapmodify -a -D "cn=uid=user,ou=People,dc=example.com Chicago\, IL" -W -H ldap://server.example.com -x1.7. Using binary attributes in LDIF statements
Certain attributes support binary values, such as the jpegPhoto attribute. When you add or update such an attribute, the utility reads the value for the attribute from a file. To add or update such an attribute, you can use the ldapmodify utility.
For example, to add the jpegPhoto attribute to the uid=user,ou=People,dc=example,dc=com entry, and read the value for the attribute from the /home/user_name/photo.jpg file, enter:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
add: jpegPhoto
jpegPhoto:< file:///home/user_name/photo.jpg
Note that there is no space between : and <.
1.8. Updating an LDAP entry in an internationalized directory
To use attribute values with languages other than English, associate the attribute’s value with a language tag.
When using ldapmodify to update an attribute that has a language tag set, you must match the value and language tag exactly or the operation will fail.
For example, to modify an attribute value that has the lang-fr language tag set, include the tag in the modify operation:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
replace: homePostalAddress;lang-fr
homePostalAddress;lang-fr: 34 rue de Seine
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}