Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 3. Managing Directory Entries

You can manage directory entries using the command line or the web console.

3.1. Managing Directory Entries Using the Command Line
Copia collegamento

To perform LDAP operations using the command line, install the openldap-clients package. The utilities installed by this package enable you to:
  • Add new entries
  • Add new attributes to existing entries
  • Update existing entries and attributes
  • Delete entries and attributes from entries
  • Perform bulk operations
To install the openldap-clients package: 
# yum install openldap-clients
Copy to Clipboard Toggle word wrap

Note

To perform LDAP operations, you need the appropriate permissions. For details about access control, see Chapter 18, Managing Access Control.

3.1.1. Providing Input to the ldapadd, ldapmodify, and ldapdelete Utilities
Copia collegamento

When you add, update, or delete entries or attributes in your directory, you can either use the interactive mode of the utilities to enter LDAP Data Interchange Format (LDIF) statements or pass an LDIF file to them.
For further details about LDIF, see Section B.1, “About the LDIF File Format”.

3.1.1.1. Providing Input Using the Interactive Mode
Copia collegamento

In the interactive mode, the ldapadd, ldapmodify, and ldapdelete utilities read the input from the command line. To exit the interactive mode, press the Ctrl+D (^D) key combination to send the End Of File (EOF) escape sequence.
In interactive mode, the utility sends the statements to the LDAP server when you press Enter twice or when you send the EOF sequence.
Use the interactive mode:
  • To enter LDIF statements without creating a file:

    Example 3.1. Using the ldapmodify Interactive Mode to Enter LDIF Statements

    The following example starts ldapmodify in interactive mode, deletes the telephoneNumber attribute, and adds the manager attribute with the cn=manager_name,ou=people,dc=example,dc=com value to the uid=user,ou=people,dc=example,dc=com entry. Press Ctrl+D after the last statement to exit the interactive mode. 
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=people,dc=example,dc=com
changetype: modify
delete: telephoneNumber
-
add: manager
manager: cn=manager_name,ou=people,dc=example,dc=com
^D
    Copy to Clipboard Toggle word wrap
  • To redirect LDIF statements, outputted by another command, to Directory Server:

    Example 3.2. Using the ldapmodify Interactive Mode with Redirected Content

    The following example redirects the output of the command_that_outputs_LDIF command to ldapmodify. The interactive mode exits automatically after the redirected command exits. 
    # command_that_outputs_LDIF | ldapmodify -D "cn=Directory Manager" \
     -W -p 389 -h server.example.com -x
    Copy to Clipboard Toggle word wrap

3.1.1.2. Providing Input Using an LDIF File
Copia collegamento

In the interactive mode, the ldapadd, ldapmodify, and ldapdelete utilities read the LDIF statements from a file. Use this mode to send a larger number of LDIF statements to Directory Server.

Example 3.3. Passing a File with LDIF Statements to ldapmodify

  1. Create a file with the LDIF statements. For example, create the ~/example.ldif file with the following statements: 
    dn: uid=user,ou=people,dc=example,dc=com
changetype: modify
delete: telephoneNumber
-
add: manager
manager: cn=manager_name,ou=people,dc=example,dc=com
    Copy to Clipboard Toggle word wrap
    This example deletes the telephoneNumber attribute and to adds the manager attribute with the cn=manager_name,ou=people,dc=example,dc=com value to the uid=user,ou=people,dc=example,dc=com entry.
  2. Pass the file to the ldapmodify command using the -f file_name option: 
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \
     -f ~/example.ldif
    Copy to Clipboard Toggle word wrap

3.1.2. The Continuous Operation Mode
Copia collegamento

If you send multiple LDIF statements to Directory Server and one operation fails, the process stops. However, entries processed before the error occurred were successfully added, modified, or deleted.
To ignore errors and continue processing further LDIF statements in a batch, pass the -c option to ldapadd and ldapmodify. For example: 
# ldpamodify -c -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
Copy to Clipboard Toggle word wrap

3.1.3. Adding an Entry
Copia collegamento

To add a new entry to the directory, use the ldapadd or ldapmodify utility. Note that ldapadd is a symbolic link to /bin/ldapmodify. Therefore, ldapadd performs the same operation as ldapmodify -a.

Note

You can only add a new directory entry, if the parent entry already exists. For example, you cannot add the cn=user,ou=people,dc=example,dc=com entry, if the ou=people,dc=example,dc=com parent entry does not exist.

3.1.3.1. Adding an Entry Using ldapadd
Copia collegamento

To use the ldapadd utility to add, for example, the cn=user,ou=people,dc=example,dc=com user entry: 
# ldapadd -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
uid: user
givenName: given_name
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: surname
cn: user
Copy to Clipboard Toggle word wrap

Note

Running ldapadd automatically performs a changetype: add operation. Therefore, you do not need to specify changetype: add in the LDIF statement.
For further details on the parameters used in the command, see the ldapadd(1) man page.

3.1.3.2. Adding an Entry Using ldapmodify
Copia collegamento

To use the ldapmodify utility to add, for example, the cn=user,ou=people,dc=example,dc=com user entry: 
# ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
uid: user
givenName: given_name
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: surname
cn: user
Copy to Clipboard Toggle word wrap

Note

When passing the -a option to the ldapmodify command, the utility automatically performs a changetype: add operation. Therefore, you do not need to specify changetype: add in the LDIF statement.
For further details on the parameters used in the command, see the ldapmodify(1) man page.

3.1.3.3. Creating a Root Entry
Copia collegamento

To create the root entry of a database suffix, such as dc=example,dc=com, bind as the cn=Directory Manager user and add the entry.
The DN corresponds to the DN of the root or sub-suffix of the database.
For example, to add the dc=example,dc=com suffix: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: dc=example,dc=com
changetype: add
objectClass: top
objectClass: domain
dc: example
Copy to Clipboard Toggle word wrap

Note

You can add root objects only if you have one database per suffix. If you create a suffix that is stored in several databases, you must use the ldif2db utility with the -n back_end option to set the database that will hold the new entries. For details, see Section 6.1.2, “Importing Using the Command Line”.

3.1.4. Updating a Directory Entry
Copia collegamento

When you modify a directory entry, use the changetype: modify statement. Depending on the change operation, you can add, change, or delete attributes from the entry.
Use the ldapmodify utility to send the LDIF statements to Directory Server. For example, in interactive mode: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
Copy to Clipboard Toggle word wrap
For further details on the parameters used in ldapmodify commands, see the ldapmodify(1) man page.

3.1.4.1. Adding Attributes to an Entry
Copia collegamento

To add an attribute to an entry, use the add operation.
For example, to add the telephoneNumber attribute with the 555-1234567 value to the uid=user,ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: 555-1234567
Copy to Clipboard Toggle word wrap
If an attribute is multi-valued, you can specify the attribute name multiple times to add all the values in a single operation. For example, to add two telephoneNumber attributes at once to the uid=user,ou=People,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: 555-1234567
telephoneNumber: 555-7654321
Copy to Clipboard Toggle word wrap

3.1.4.2. Updating an Attribute's Value
Copia collegamento

The procedure for updating an attribute's value depends on if the attribute is single-valued or multi-valued.

Updating a Single-value Attribute

When updating a single-value attribute, use the replace operation to override the existing value. The following command updates the manager attribute of the uid=user,ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
replace: manager
manager: uid=manager_name,ou=People,dc=example,dc=com
Copy to Clipboard Toggle word wrap

Updating a Specific Value of a Multi-value Attribute

To update a specific value of a multi-value attribute, you must first delete the entry you want to replace, and then add the new value. The following command updates only the telephoneNumber attribute that is currently set to 555-1234567 in the uid=user,ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
delete: telephoneNumber
telephoneNumber: 555-1234567
-
add: telephoneNumber
telephoneNumber: 555-9876543
Copy to Clipboard Toggle word wrap

3.1.4.3. Deleting Attributes from an Entry
Copia collegamento

To delete an attribute from an entry, use the delete operation.

Deleting an Attribute

For example, to delete the manager attribute from the uid=user,ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
delete: manager
Copy to Clipboard Toggle word wrap

Note

If the attribute contains multiple values, this operation deletes all of them.

Deleting a Specific Value of a Multi-value Attribute

If you want to delete a specific value from a multi-value attribute, list the attribute and its value in the LDIF statement. For example, to delete only the telephoneNumber attribute that is set to 555-1234567 from the uid=user,ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
delete: telephoneNumber
telephoneNumber: 555-1234567
Copy to Clipboard Toggle word wrap

3.1.5. Deleting an Entry
Copia collegamento

Deleting an entry removes the entry from the directory.

Note

You can only delete entries that have no child entries. For example, you cannot delete the ou=People,dc=example,dc=com entry, if the uid=user,ou=People,dc=example,dc=com entry still exists.

3.1.5.1. Deleting an Entry Using ldapdelete
Copia collegamento

The ldapdelete utility enables you to delete one or multiple entries. For example, to delete the uid=user,ou=People,dc=example,dc=com entry: 
# ldapdelete -D "cn=Directory Manager" -W -p 389 -h server.example.com -x "uid=user,ou=People,dc=example,dc=com"
Copy to Clipboard Toggle word wrap
To delete multiple entries in one operation, append them to the command. For example: 
# ldapdelete -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \
     "uid=user1,ou=People,dc=example,dc=com" \
     "uid=user2,ou=People,dc=example,dc=com"
Copy to Clipboard Toggle word wrap
For further details on the parameters used, see the ldapdelete(1) man page.

3.1.5.2. Deleting an Entry Using ldapmodify
Copia collegamento

To delete an entry using the ldapmodify utility, use the changetype: delete operation. For example, to delete the uid=user,ou=People,dc=example,dc=com entry: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: delete
Copy to Clipboard Toggle word wrap

3.1.6. Renaming and Moving an Entry
Copia collegamento

This section explains how to rename or move entries.

Note

Use the moddn Access Control List (ACL) to grant permissions to move entries. For details, see Section 18.9.2.1, “Targeting Source and Destination DNs”.
The following rename operations exist:
Renaming an Entry
If you rename an entry, the modrdn operation changes the Relative Distinguished Name (RDN) of the entry:
Renaming a Subentry
For subtree entries, the modrdn operation renames the subtree and also the DN components of child entries:
Note that for large subtrees, this process can take a lot of time and resources.
Moving an Entry to a New Parent
A similar action to renaming a subtree is moving an entry from one subtree to another. This is an expanded type of the modrdn operation, which simultaneously renames the entry and sets a newSuperior attribute which moves the entry from one parent to another:

3.1.6.1. Considerations for Renaming Entries
Copia collegamento

Keep the following in mind when performing rename operations:
  • You cannot rename the root suffix.
  • Subtree rename operations have minimal effect on replication. Replication agreements are applied to an entire database, not a subtree within the database. Therefore, a subtree rename operation does not require reconfiguring a replication agreement. All name changes after a subtree rename operation are replicated as normal.
  • Renaming a subtree might require any synchronization agreements to be reconfigured. Synchronization agreements are set at the suffix or subtree level. Therefore, renaming a subtree might break synchronization.
  • Renaming a subtree requires that any subtree-level Access Control Instructions (ACI) set for the subtree be reconfigured manually, as well as any entry-level ACIs set for child entries of the subtree.
  • Trying to change the component of a subtree, such as moving from ou to dc, might fail with a schema violation. For example, the organizationalUnit object class requires the ou attribute. If that attribute is removed as part of renaming the subtree, the operation fails.
  • If you move a group, the MemberOf plug-in automatically updates the memberOf attributes. However, if you move a subtree that contain groups, you must manually create a task in the cn=memberof task entry or use the fixup-memberof.pl to update the related memberOf attributes.
    For details about cleaning up memberOf attribute references, see Section 8.1.4.8, “Regenerating memberOf Values”.

3.1.6.2. Renaming Users, Groups, POSIX Groups, and OUs
Copia collegamento

The dsidm utility can rename several types of objects:
  • Users: 
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" user rename current_user_name new_user_name
    Copy to Clipboard Toggle word wrap
    Note that the dsidm user rename command automatically places ou=People in front of the base DN you have specified.
  • Groups: 
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group rename current_group_name new_group_name
    Copy to Clipboard Toggle word wrap
    Note that the dsidm group rename command automatically places ou=Groups in front of the base DN you have specified.
  • POSIX Groups: 
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" posixgroup rename current_posix_group_name new_posix_group_name
    Copy to Clipboard Toggle word wrap
    Note that the dsidm posixgroup rename command automatically places ou=Groups in front of the base DN you have specified.
  • Organizational Units (OU) 
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" organizationalunit rename current_ou_name new_ou_name
    Copy to Clipboard Toggle word wrap
    The dsidm organizationalunit rename command performs the rename operation directly in the base DN you have specified.
When you rename an entry, the deleteOldRDN parameter controls whether the old RDN will be deleted or retained.
deleteOldRDN: 0
The existing RDN is retained as a value in the new entry. The resulting entry contains two cn attributes: one with the old and one with the new common name (CN).
For example, the following attributes belong to a group that was renamed from cn=old_group,dc=example,dc=com to cn=new_group,dc=example,dc=com with the deleteOldRDN: 0 parameter set. 
dn: cn=new_group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: old_group
cn: new_group
Copy to Clipboard Toggle word wrap
deleteOldRDN: 1
Directory Server deletes the old entry and creates a new entry using the new RDN. The new entry only contains the cn attribute of the new entry.
For example, the following group was renamed to cn=new_group,dc=example,dc=com with the deleteOldRDN: 1 parameter set: 
dn: cn=new_group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: new_group
Copy to Clipboard Toggle word wrap

3.1.6.4. Renaming an Entry or Subtree Using LDIF Statements
Copia collegamento

To rename an entry or subtree, use the changetype: modrdn operation and, set the new RDN in the newrdn attribute.
For example, to rename the cn=demo1,dc=example,dc=com entry to cn=example_user,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=demo1,dc=example,dc=com
changetype: modrdn
newrdn: cn=example_user
deleteOldRDN: 1
newSuperior: dc=example,dc=com
Copy to Clipboard Toggle word wrap
For details about the deleteOldRDN, see Section 3.1.6.3, “The deleteOldRDN Parameter When Renaming Entries Using LDIF Statements”.

3.1.6.5. Moving an Entry to a New Parent Using LDIF Statements
Copia collegamento

To move an entry to a new parent, use the changetype: modrdn operation and set the following to attributes:
newrdn
Sets the RDN of the moved entry. You must set this entry, even if the RDN remains the same.
newSuperior
Sets the DN of the new parent entry.
For example, to move the cn=demo entry from ou=Germany,dc=example,dc=com to ou=France,dc=example,dc=com: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=demo,ou=Germany,dc=example,dc=com
changetype: modrdn
newrdn: cn=demo
deleteOldRDN: 1
newSuperior: ou=France,dc=example,dc=com
Copy to Clipboard Toggle word wrap
For details about the deleteOldRDN, see Section 3.1.6.3, “The deleteOldRDN Parameter When Renaming Entries Using LDIF Statements”.

3.1.7. Using Special Characters
Copia collegamento

When using the command line, enclose characters that have a special meaning to the command-line interpreter, such as space ( ), asterisk (*), or backslash (\), with quotation marks. Depending on the command-line interpreter, use single or double quotation marks.
For example, to authenticate as the cn=Directory Manager user, enclose the user's DN in quotation marks: 
# ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
Copy to Clipboard Toggle word wrap
Additionally, if a DN contains a comma in a component, escape it using a backslash. For example, to authenticate as the uid=user,ou=People,dc=example.com Chicago, IL user: 
# ldapmodify -a -D "cn=uid=user,ou=People,dc=example.com Chicago\, IL" \
     -W -p 389 -h server.example.com -x
Copy to Clipboard Toggle word wrap

3.1.8. Using Binary Attributes
Copia collegamento

Certain attributes support binary values, such as the jpegPhoto attribute. When you add or update such an attribute, the utility reads the value for the attribute from a file. To add or update such an attribute, you can use the ldapmodify utility.
For example, to add the jpegPhoto attribute to the uid=user,ou=People,dc=example,dc=com entry, and read the value for the attribute from the /home/user_name/photo.jpg file, enter: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
add: jpegPhoto
jpegPhoto:< file:///home/user_name/photo.jpg
Copy to Clipboard Toggle word wrap

Important

Note that there is no space between : and <.

3.1.9. Updating an Entry in an Internationalized Directory
Copia collegamento

To use attribute values with languages other than English, associate the attribute's value with a language tag.
When using ldapmodify to update an attribute that has a language tag set, you must match the value and language tag exactly or the operation will fail.
For example, to modify an attribute value that has the lang-fr language tag set, include the tag in the modify operation: 
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user,ou=People,dc=example,dc=com
changetype: modify
replace: homePostalAddress;lang-fr
homePostalAddress;lang-fr: 34 rue de Seine
Copy to Clipboard Toggle word wrap
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat