.lf 1 stdin
.TH LDAPMODIFY 1 "2020/04/28" "OpenLDAP 2.4.50"
.\" $OpenLDAP$
.\" Copyright 1998-2020 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.SH NAME
ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
.SH SYNOPSIS
.B ldapmodify
[\c
.BR \-V [ V ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
.BR \-n ]
[\c
.BR \-v ]
[\c
.BR \-a ]
[\c
.BR \-c ]
[\c
.BI \-f \ file\fR]
[\c
.BI \-S \ file\fR]
[\c
.BR \-M [ M ]]
[\c
.BR \-x ]
[\c
.BI \-D \ binddn\fR]
[\c
.BR \-W ]
[\c
.BI \-w \ passwd\fR]
[\c
.BI \-y \ passwdfile\fR]
[\c
.BI \-H \ ldapuri\fR]
[\c
.BI \-h \ ldaphost\fR]
[\c
.BI \-p \ ldapport\fR]
[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-o \ opt \fR[= optparam \fR]]
[\c
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
.BR \-Q ]
[\c
.BR \-N ]
[\c
.BI \-U \ authcid\fR]
[\c
.BI \-R \ realm\fR]
[\c
.BI \-X \ authzid\fR]
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z [ Z ]]
.LP
.B ldapadd
[\c
.BR \-V [ V ]]
[\c
.BI \-d \ debuglevel\fR]
[\c
.BR \-n ]
[\c
.BR \-v ]
[\c
.BR \-c ]
[\c
.BI \-f \ file\fR]
[\c
.BI \-S \ file\fR]
[\c
.BR \-M [ M ]]
[\c
.BR \-x ]
[\c
.BI \-D \ binddn\fR]
[\c
.BR \-W ]
[\c
.BI \-w \ passwd\fR]
[\c
.BI \-y \ passwdfile\fR]
[\c
.BI \-H \ ldapuri\fR]
[\c
.BI \-h \ ldaphost\fR]
[\c
.BI \-p \ ldapport\fR]
[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-o \ opt \fR[= optparam \fR]]
[\c
.BI \-O \ security-properties\fR]
[\c
.BR \-I ]
[\c
.BR \-Q ]
[\c
.BR \-N ]
[\c
.BI \-U \ authcid\fR]
[\c
.BI \-R \ realm\fR]
[\c
.BI \-X \ authzid\fR]
[\c
.BI \-Y \ mech\fR]
[\c
.BR \-Z [ Z ]]
.SH DESCRIPTION
.B ldapmodify
is a shell-accessible interface to the
.BR ldap_add_ext (3),
.BR ldap_modify_ext (3),
.BR ldap_delete_ext (3)
and
.BR ldap_rename (3)
library calls.
.B ldapadd
is implemented as a hard link to the ldapmodify tool.  When invoked as
.B ldapadd
the \fB\-a\fP (add new entry) flag is turned on automatically.
.LP
.B ldapmodify
opens a connection to an LDAP server, binds, and modifies or adds entries.
The entry information is read from standard input or from \fIfile\fP through
the use of the \fB\-f\fP option.
.SH OPTIONS
.TP
.BR \-V [ V ]
Print version info.
If \fB\-VV\fP is given, only the version information is printed.
.TP
.BI \-d \ debuglevel
Set the LDAP debugging level to \fIdebuglevel\fP.
.B ldapmodify
must be compiled with LDAP_DEBUG defined for this option to have any effect.
.TP
.B \-n
Show what would be done, but don't actually modify entries.  Useful for
debugging in conjunction with \fB\-v\fP.
.TP
.B \-v
Use verbose mode, with many diagnostics written to standard output.
.TP
.B \-a
Add new entries.  The default for
.B ldapmodify
is to modify existing entries.  If invoked as
.BR ldapadd ,
this flag is always set.
.TP
.B \-c
Continuous operation mode.  Errors are reported, but
.B ldapmodify
will continue with modifications.  The default is to exit after
reporting an error.
.TP
.BI \-f \ file
Read the entry modification information from \fIfile\fP instead of from
standard input.
.TP
.BI \-S \ file
Add or change records which were skipped due to an error are written to \fIfile\fP
and the error message returned by the server is added as a comment. Most useful in
conjunction with \fB\-c\fP.
.TP
.BR \-M [ M ]
Enable manage DSA IT control.
.B \-MM
makes control critical.
.TP
.B \-x
Use simple authentication instead of SASL.
.TP
.BI \-D \ binddn
Use the Distinguished Name \fIbinddn\fP to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
.TP
.B \-W
Prompt for simple authentication.
This is used instead of specifying the password on the command line.
.TP
.BI \-w \ passwd
Use \fIpasswd\fP as the password for simple authentication.
.TP
.BI \-y \ passwdfile
Use complete contents of \fIpasswdfile\fP as the password for
simple authentication.
.TP
.BI \-H \ ldapuri
Specify URI(s) referring to the LDAP server(s); only the protocol/host/port
fields are allowed; a list of URIs, separated by whitespace or commas,
is expected.
.TP
.BI \-h \ ldaphost
Specify an alternate host on which the LDAP server is running.
Deprecated in favor of \fB\-H\fP.
.TP
.BI \-p \ ldapport
Specify an alternate TCP port where the LDAP server is listening.
Deprecated in favor of \fB\-H\fP.
.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.TP
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]

Specify general extensions with \fB\-e\fP and modify extensions with \fB\-E\fP.
\'\fB!\fP\' indicates criticality.

General extensions:
.nf
  [!]assert=<filter>    (an RFC 4515 Filter)
  !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
  [!]bauthzid           (RFC 3829 authzid control)
  [!]chaining[=<resolve>[/<cont>]]
  [!]manageDSAit
  [!]noop
  ppolicy
  [!]postread[=<attrs>] (a comma-separated attribute list)
  [!]preread[=<attrs>]  (a comma-separated attribute list)
  [!]relax
  sessiontracking
  abandon,cancel,ignore (SIGINT sends abandon/cancel,
  or ignores response; if critical, doesn't wait for SIGINT.
  not really controls)
.fi

Modify extensions:
.nf
  [!]txn[=abort|commit]
.fi
.TP
.BI \-o \ opt \fR[= optparam \fR]

Specify general options.

General options:
.nf
  nettimeout=<timeout>  (in seconds, or "none" or "max")
  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
.fi
.TP
.BI \-O \ security-properties
Specify SASL security properties.
.TP
.B \-I
Enable SASL Interactive mode.  Always prompt.  Default is to prompt
only as needed.
.TP
.B \-Q
Enable SASL Quiet mode.  Never prompt.
.TP
.B \-N
Do not use reverse DNS to canonicalize SASL host name.
.TP
.BI \-U \ authcid
Specify the authentication ID for SASL bind. The form of the ID
depends on the actual SASL mechanism used.
.TP
.BI \-R \ realm
Specify the realm of authentication ID for SASL bind. The form of the realm
depends on the actual SASL mechanism used.
.TP
.BI \-X \ authzid
Specify the requested authorization ID for SASL bind.
.I authzid
must be one of the following formats:
.BI dn: "<distinguished name>"
or
.BI u: <username>
.TP
.BI \-Y \ mech
Specify the SASL mechanism to be used for authentication. If it's not
specified, the program will choose the best mechanism the server knows.
.TP
.BR \-Z [ Z ]
Issue StartTLS (Transport Layer Security) extended operation. If you use
.B \-ZZ\c
, the command will require the operation to be successful.
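.LP
The bind and transport options above interact: \fB\-x\fP sends a password, \fB\-w\fP
puts it on the command line, and only \fB\-ZZ\fP makes StartTLS mandatory.
The check below is an added example, not part of OpenLDAP; the function name
audit_ldapmodify_args is made up here. It parses an argument list with the option
letters from the SYNOPSIS and reports the combinations worth changing before a
command goes into a script.
.nf
```sh
#!/bin/sh
# Added example, not part of OpenLDAP. Findings go to stdout, one per line;
# the return status is 1 if anything was flagged, 0 otherwise.
# Assumption: without -H the server URI comes from ldap.conf(5), which this
# check cannot see, so it treats the transport as unprotected.
audit_ldapmodify_args() {
    OPTIND=1
    a_found=0 a_simple=0 a_z=0 a_uri=""
    # Option letters taken from the SYNOPSIS; a trailing ":" means "takes a value".
    while getopts ':Vd:nvacf:S:MxD:Ww:y:H:h:p:P:e:E:o:O:IQNU:R:X:Y:Z' a_opt; do
        case "$a_opt" in
            w)   echo "-w: password is on the command line; use -W or -y"
                 a_found=1 ;;
            h|p) echo "-$a_opt: deprecated in favor of -H"
                 a_found=1 ;;
            H)   a_uri=$OPTARG ;;
            x)   a_simple=1 ;;
            Z)   a_z=$((a_z + 1)) ;;
        esac
    done
    if [ "$a_z" -eq 1 ]; then
        echo "-Z: a failed StartTLS is not fatal; use -ZZ to require it"
        a_found=1
    fi
    # Every URI in the -H list must be ldaps:// (TLS) or ldapi:// (local socket).
    case "$a_uri" in
        ""|*ldap://*) ;;
        *) a_z=2 ;;
    esac
    if [ "$a_simple" -eq 1 ] && [ "$a_z" -lt 2 ]; then
        echo "-x without -ZZ or ldaps://: the bind password may be sent in the clear"
        a_found=1
    fi
    return "$a_found"
}

# Constructed command line, for illustration only.
audit_ldapmodify_args -x -D "cn=admin,dc=example,dc=com" -w secret \
    -h ldap.example.com -Z -f /tmp/entrymods || true
```
.fi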
.SH INPUT FORMAT
The contents of \fIfile\fP (or standard input if no \fB\-f\fP flag is given on
the command line) must conform to the format defined in
.BR ldif (5)
(LDIF as defined in RFC 2849).
.SH EXAMPLES
Assuming that the file
.B /tmp/entrymods
exists and has the contents:
.LP
.nf
    dn: cn=Modify Me,dc=example,dc=com
    changetype: modify
    replace: mail
    mail: modme@example.com
    \-
    add: title
    title: Grand Poobah
    \-
    add: jpegPhoto
    jpegPhoto:< file:///tmp/modme.jpeg
    \-
    delete: description
    \-
.fi
.LP
the command:
.LP
.nf
    ldapmodify \-f /tmp/entrymods
.fi
.LP
will replace the contents of the "Modify Me" entry's
.I mail
attribute with the value "modme@example.com", add a
.I title
of "Grand Poobah", and the contents of the file "/tmp/modme.jpeg"
as a
.IR jpegPhoto ,
and completely remove the
.I description
attribute.
.LP
Assuming that the file
.B /tmp/newentry
exists and has the contents:
.LP
.nf
    dn: cn=Barbara Jensen,dc=example,dc=com
    objectClass: person
    cn: Barbara Jensen
    cn: Babs Jensen
    sn: Jensen
    title: the world's most famous mythical manager
    mail: bjensen@example.com
    uid: bjensen
.fi
.LP
the command:
.LP
.nf
    ldapadd \-f /tmp/newentry
.fi
.LP
will add a new entry for Babs Jensen, using the values from the
file
.BR /tmp/newentry .
.LP
Assuming that the file
.B /tmp/entrymods
exists and has the contents:
.LP
.nf
    dn: cn=Barbara Jensen,dc=example,dc=com
    changetype: delete
.fi
.LP
the command:
.LP
.nf
    ldapmodify \-f /tmp/entrymods
.fi
.LP
will remove Babs Jensen's entry.
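.LP
Before a change file is applied it helps to see what each record does and which
local files it reads through the ":<" form used for jpegPhoto above.
The summary below is an added example, not part of OpenLDAP; ldif_preflight is a
name made up here, and base64 values are reported undecoded.
.nf
```sh
# Added example, not part of OpenLDAP. One output line per LDIF record:
#   changetype <TAB> dn <TAB> modify operations <TAB> files read via ":<"
# "default" = no changetype line (modify for ldapmodify, add with -a/ldapadd).
# Reads the named file, or standard input when no file is given.
ldif_preflight() {
    awk '
    function emit() {
        if (dn != "") printf "%s\t%s\t%s\t%s\n", ct, dn, ops, files
        dn = ""; ct = "default"; ops = "-"; files = "-"
    }
    function append(list, item) { return (list == "-" ? item : list "," item) }
    function record(line,    p, name, value, kind) {
        if (line == "") { emit(); return }        # blank line ends a record
        p = index(line, ":")
        if (line ~ /^#/ || p == 0) return         # comment, or "-" separator
        name = tolower(substr(line, 1, p - 1))
        value = substr(line, p + 1)
        kind = substr(value, 1, 1)                 # ":" base64, "<" URL
        if (kind == ":" || kind == "<") value = substr(value, 2)
        sub(/^ */, "", value)
        if (name == "dn") dn = value
        else if (name == "changetype") ct = tolower(value)
        else if (name == "add" || name == "delete" || name == "replace")
            ops = append(ops, name ":" value)
        else if (kind == "<" && value ~ /^file:/)
            files = append(files, value)
    }
    BEGIN { emit() }
    /^ / { cur = cur substr($0, 2); next }         # unfold a continuation line
    { if (NR > 1) record(cur); cur = $0 }
    END { if (NR > 0) record(cur); emit() }
    ' "$@"
}

# Constructed input, based on the change records in this section.
ldif_preflight <<'EOF'
dn: cn=Modify Me,dc=example,dc=com
changetype: modify
replace: mail
mail: modme@example.com
-
add: jpegPhoto
jpegPhoto:< file:///tmp/modme.jpeg
-

dn: cn=Barbara Jensen,dc=example,dc=com
changetype: delete
EOF
```
.fi
.LP
After reviewing the summary, \fBldapmodify \-n \-v \-f\fP \fIfile\fP shows what the
tool itself would do without modifying entries.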
.SH DIAGNOSTICS
Exit status is zero if no errors occur.  Errors result in a non-zero
exit status and a diagnostic message being written to standard error.
.SH "SEE ALSO"
.BR ldapadd (1),
.BR ldapdelete (1),
.BR ldapmodrdn (1),
.BR ldapsearch (1),
.BR ldap.conf (5),
.BR ldap (3),
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
.BR ldap_modrdn_ext (3),
.BR ldif (5).
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
.lf 1 ./../Project
.\" Shared Project Acknowledgement Text
.B "OpenLDAP Software"
is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>.
.B "OpenLDAP Software"
is derived from the University of Michigan LDAP 3.3 Release.
.lf 406 stdin