---
title: Modifying entries using ldapmodify
description: You can use the ldapmodify tool to modify entries from the command line or by using an LDIF file that has the changetype:modify directive and value.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_modify_entries_ldapmodify
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_modify_entries_ldapmodify.html
revdate: September 13, 2023
page_aliases: ["pd_ds_modify_attribute_from_command_line.adoc", "pd_ds_modify_multiple_attrs_from_command_line.adoc", "pd_ds_add_attribute_from_command_line.adoc", "pd_ds_add_attribute_using_language_subtype.adoc", "pd_ds_add_attribute_using_binary_subtype.adoc", "pd_ds_delete_an_attribute.adoc", "pd_ds_delete_one_value_from_attribute.adoc", "pd_ds_rename_an_entry.adoc", "pd_ds_move_entry_within_server.adoc", "pd_ds_move_entry_from_one_mach_to_another.adoc", "pd_ds_move_mult_entries_from_one_mach_to_another.adoc"]
section_ids:
  modifying-an-attribute-from-the-command-line: Modifying an attribute from the command line
  steps: Steps
  example: Example:
  example-2: Example:
  choose-from: Choose from:
  modifying-multiple-attributes-in-an-entry-from-the-command-line: Modifying multiple attributes in an entry from the command line
  steps-2: Steps
  example-3: Example:
  example-4: Example:
  choose-from-2: Choose from:
  adding-an-attribute-from-the-command-line: Adding an attribute from the command line
  steps-3: Steps
  example-5: Example:
  adding-an-attribute-using-the-language-subtype: Adding an attribute using the language subtype
  about-this-task: About this task
  steps-4: Steps
  example-6: Example:
  adding-an-attribute-using-the-binary-subtype: Adding an attribute using the binary subtype
  about-this-task-2: About this task
  steps-5: Steps
  example-7: Example:
  deleting-an-attribute: Deleting an attribute
  steps-6: Steps
  example-8: Example:
  deleting-one-value-from-an-attribute-with-multiple-values: Deleting one value from an attribute with multiple values
  about-this-task-3: About this task
  steps-7: Steps
  example-9: Example:
  renaming-an-entry: Renaming an entry
  about-this-task-4: About this task
  steps-8: Steps
  example-10: Example:
  moving-an-entry-within-a-pingdirectory-server: Moving an entry within a PingDirectory server
  before-you-begin: Before you begin
  about-this-task-5: About this task
  steps-9: Steps
  example-11: Example:
  moving-an-entry-from-one-machine-to-another: Moving an entry from one machine to another
  about-this-task-6: About this task
  steps-10: Steps
  example-12: Example:
  moving-multiple-entries-from-one-machine-to-another: Moving multiple entries from one machine to another
  about-this-task-7: About this task
  steps-11: Steps
  example-13: Example:
  example-14: Example:
---

# Modifying entries using ldapmodify

You can use the `ldapmodify` tool to modify entries from the command line or by using an LDIF file that has the `changetype:modify` directive and value.

If a request contains more than one change, separate the changes with a line that contains only the `-` (dash) symbol.

## Modifying an attribute from the command line

### Steps

1. To locate a specific entry, run the `ldapsearch` tool.

   #### Example:

   ```shell
   $ bin/ldapsearch -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
     -w password -b dc=example,dc=com "(uid=user.2004)"
   ```

2. To change attributes from the command line, run the `ldapmodify` command.

   1. Specify the modification using the `changetype:modify` directive and then specify which attributes are to be changed using the `replace` directive.

      #### Example:

      In this example, we change the telephone number of a specific user entry.

      ```shell
      $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
        -w password
      dn: uid=user.2004,ou=People,dc=example,dc=com
      changetype: modify
      replace: telephoneNumber
      telephoneNumber: +1 097 453 8232
      ```

3. Process the request:

   #### Choose from:

   * For Unix, enter `ctrl+d` twice. This is the Unix EOF escape sequence.

   * For Windows, enter `ctrl+z`.

## Modifying multiple attributes in an entry from the command line

### Steps

1. To locate a specific entry, run the `ldapsearch` tool.

   #### Example:

   ```shell
   $ bin/ldapsearch -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
     -w password -b dc=example,dc=com "(uid=user.2004)"
   ```

2. To change attributes from the command line, use the `ldapmodify` command.

   1. Specify the modification using the `changetype:modify` directive.

   2. Specify the attributes to change using the `add` and `replace` directives.

      #### Example:

      In this example, we add the `postOfficeBox` attribute and change the mobile and telephone numbers of a specific user entry. The `postOfficeBox` attribute must be present in your schema to allow the addition. The three changes are separated by a dash ("-").

      ```shell
      $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" -w password
      dn: uid=user.2004,ou=People,dc=example,dc=com
      changetype: modify
      add: postOfficeBox
      postOfficeBox: 111
      -
      replace: mobile
      mobile: +1 039 831 3737
      -
      replace: telephoneNumber
      telephoneNumber: +1 097 453 8232
      ```

3. Process the request.

   #### Choose from:

   * For Unix, enter `ctrl+d` twice.

     This is the Unix EOF escape sequence.

   * For Windows, enter `ctrl+z`.

## Adding an attribute from the command line

### Steps

1. Run the `ldapmodify` tool from the command line interface.

2. Specify the modification using the `changetype:modify` directive.

3. Specify which attributes to add using the `add` directive.

   #### Example:

   In this example, we add another value for the `cn` attribute, which is multi-valued.

   ```shell
   $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
     -w password
   dn: uid=user.2004,ou=People,dc=example,dc=com
   changetype: modify
   add: cn
   cn: Sally Tea Tree
   ```

4. To process the request, enter `ctrl+d` twice.

   This is the UNIX EOF escape sequence.

   |   |     |
   | - | --- |
   |   | An error might occur if the attribute is single-valued, if the value already exists, if the value does not meet the proper syntax, or if the value does not meet the entry's `objectclass` requirements. Remove any trailing spaces after the attribute value. |

## Adding an attribute using the language subtype

### About this task

The PingDirectory server provides support for attributes using language subtypes. The operation must specifically match the subtype for successful operation. Any non-ASCII characters must be in UTF-8 format.

### Steps

1. Run the `ldapmodify` tool from the command line interface.

2. Specify the modification using `changetype:modify`.

3. Specify which attributes to add using the `add` directive.

   #### Example:

   In this example, we add a value for the `postalAddress` attribute with the `lang-ko` language subtype.

   ```shell
   $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
     -w password
   dn: uid=user.2004,ou=People,dc=example,dc=com
   changetype: modify
   add: postalAddress;lang-ko
   postalAddress;lang-ko: Byung-soon Kim$2020-14 Seoul
   ```

4. To process the request, enter `ctrl+d` twice.

   This is the UNIX EOF escape sequence.
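The syntax points made in the sections above (changes separated by `-`, no trailing spaces after a value, and an attribute description with a subtype written without spaces) can be checked before the LDIF reaches `ldapmodify`. The following is an added example, not part of the PingDirectory tooling; `lint_ldif_modify` is a hypothetical helper and the sample record is constructed.

```shell
# lint_ldif_modify FILE: print "line N: problem" for each defect found in
# "changetype: modify" records; the exit status is non-zero if any were found.
lint_ldif_modify() {
  awk '
    function flag(msg) { printf "line %d: %s\n", NR, msg; bad++ }
    /^#/ || /^ / { next }                  # comment or folded continuation
    /^$/ { mod = 0; attr = ""; next }      # a blank line ends the record
    /[ \t]$/ { flag("trailing whitespace after value") }
    $0 == "-" {
      if (!mod || attr == "") flag("separator with no change before it")
      attr = ""; next
    }
    {
      i = index($0, ":")
      if (i < 2) { flag("not an attribute: value line"); next }
      name = tolower(substr($0, 1, i - 1))
      val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (name ~ /[ \t]/) flag("whitespace inside attribute description")
      if (name == "dn") { mod = 0; attr = ""; next }
      if (name == "changetype") { mod = (tolower(val) == "modify"); next }
      if (!mod) next
      if (name ~ /^(add|replace|delete|increment)$/) {
        if (attr != "") flag("missing - separator before this change")
        if (val ~ /[ \t]/) flag("whitespace inside attribute description")
        attr = tolower(val); next
      }
      if (attr == "") flag("expected an add, replace, or delete directive")
      else if (name != attr) flag("value is for " name ", change names " attr)
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Constructed sample: a missing "-" before the second change, a trailing space
# after a value, and a space inside an attribute description with a subtype.
sample=$(mktemp)
printf '%s\n' \
  'dn: uid=user.2004,ou=People,dc=example,dc=com' \
  'changetype: modify' \
  'add: postOfficeBox' \
  'postOfficeBox: 111' \
  'replace: mobile' \
  'mobile: +1 039 831 3737 ' \
  '-' \
  'add: postalAddress; lang-ko' \
  'postalAddress; lang-ko: Byung-soon Kim$2020-14 Seoul' > "$sample"
lint_ldif_modify "$sample" || echo "fix the LDIF before sending it to ldapmodify"
```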

## Adding an attribute using the binary subtype

### About this task

The PingDirectory server provides support for attributes using binary subtypes, which are typically used for certificates or JPEG images that you can store in an entry. The operation must specifically match the subtype for successful operation. You must use the version directive with a value of "1" for binary subtypes. Typical binary attribute types are `userCertificate` and `jpegPhoto`.

### Steps

1. To add an attribute with a binary subtype, run the `ldapmodify` tool from the command line interface.

2. Specify the modification using `changetype:modify`.

3. Specify which attributes to add using the `add` directive.

   #### Example:

   The attribute value in this example points to the file path of the certificate.

   ```shell
   $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
     -w password
   version: 1
   dn: uid=user.2004,ou=People,dc=example,dc=com
   changetype: modify
   add: userCertificate;binary
   userCertificate;binary:<file:///path/to/cert
   ```

## Deleting an attribute

### Steps

* To delete an attribute, run the `ldapmodify` tool with the LDIF `delete` directive.

  #### Example:

  ```shell
  $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
    -w password
  dn: uid=user.2004,ou=People,dc=example,dc=com
  changetype: modify
  delete: employeeNumber
  ```

## Deleting one value from an attribute with multiple values

### About this task

Use the LDIF `delete` directive to delete a specific attribute value from an attribute.

### Steps

1. Run the `ldapmodify` tool from the command line.

2. Specify the modification using `changetype:modify`.

3. Specify the attribute-value pair that you want to delete using `delete`.

   #### Example:

   The following sample assumes you have multiple values of `cn` in an entry, such as `cn: Sally Tree` and `cn: Sally Tea Tree`. This sample keeps `cn: Sally Tree` and deletes `cn: Sally Tea Tree`.

   ```shell
   $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
     -w password
   dn: uid=user.2004,ou=People,dc=example,dc=com
   changetype: modify
   delete: cn
   cn: Sally Tea Tree
   ```

## Renaming an entry

Rename an entry by changing the relative distinguished name (RDN) of an entry.

### About this task

|   |                                                                                              |
| - | -------------------------------------------------------------------------------------------- |
|   | You cannot rename an RDN if it has child entries because this violates the LDAP protocol. |

### Steps

* Run the `ldapmodify` tool to rename an entry.

  * Specify the `changetype`, `newrdn`, and `deleteoldrdn` directives.

    #### Example:

    The following command changes `uid=user.14` to `uid=user.2014` and uses the `changetype`, `newrdn`, and `deleteoldrdn` directives.

    ```shell
    $ bin/ldapmodify
    dn: uid=user.14,ou=People,dc=example,dc=com
    changetype:moddn
    newrdn: uid=user.2014
    deleteoldrdn: 1
    ```

## Moving an entry within a PingDirectory server

Run the `ldapmodify` tool to move an entry from one base distinguished name (DN) to another base DN.

### Before you begin

* Assign access control instructions (ACIs) on the parent entries.

  * The source parent entry must have an ACI that allows export operations: `allow(export)`.

  * The target parent entry must have an ACI that allows import operations: `allow(import)`.

### About this task

For more information on access control instructions, see [Overview of access control](../managing_access_control/pd_ds_overview_access_control.html).

### Steps

1. To move an entry from one branch to another, run the `ldapmodify` tool.

   #### Example:

   In this example, an entry moves from the `ou=contractors` branch to the `ou=People` branch.

   ```shell
   $ bin/ldapmodify
   dn: uid=user.14,ou=contractors,dc=example,dc=com
   changetype:moddn
   newrdn: uid=user.2014
   deleteoldrdn: 0
   newsuperior: ou=People,dc=example,dc=com
   ```

2. Specify the modification using `changetype:moddn`.

## Moving an entry from one machine to another

### About this task

The PingDirectory server provides the `move-subtree` tool to move a subtree or one entry from one machine to another.

The `move-subtree` tool moves a subtree or multiple entries from one machine to another. The tool does not copy the entries. After the entries are moved, they are no longer present on the source server.

|   |                                                                                                                                                                                                                                                                    |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | The subtree or entry must exist on the source server and cannot be present on the target server. The source server must also support the `real attributes only` request control. The target server must support the `Ignore NO-USER-MODIFICATION` request control. |

### Steps

* To move an entry, such as `uid=test.user,ou=People,dc=example,dc=com`, from the source host to the target host, run the `move-subtree` tool.

  #### Example:

  ```shell
  $ bin/move-subtree --sourceHost source.example.com --sourcePort 389 \
    --sourceBindDN "uid=admin,dc=example,dc=com" --sourceBindPassword password \
    --targetHost target.example.com --targetPort 389 \
    --targetBindDN "uid=admin,dc=example,dc=com" --targetBindPassword password \
    --entryDN uid=test.user,ou=People,dc=example,dc=com
  ```

## Moving multiple entries from one machine to another

### About this task

The `move-subtree` tool provides the ability to move multiple entries listed in a distinguished name (DN) file from one machine to another. Lines that begin with the octothorpe character (#) and empty lines are ignored. You can prefix entry DNs with `dn:`, but long DNs can't be wrapped across multiple lines.

### Steps

1. In a text editor, create a new text file, enter a list of DNs, one DN per line, and then save the file.

   You can also use the `ldapsearch` command with the special character `"1.1"` to create a file containing a list of DNs that you want to move.

   #### Example:

   The following example searches for all entries that match `"(department=Engineering)"` and returns only the DNs that match the criteria. The results are redirected to an output file, `test-dns.ldif`.

   ```shell
   $ bin/ldapsearch --baseDN dc=example,dc=com \
     --searchScope sub "(department=Engineering)" "1.1" > test-dns.ldif
   ```

2. To specify the file of DNs to move from one machine to another, run the `move-subtree` tool with the `--entryDNFile` option.

   #### Example:

   ```shell
   $ bin/move-subtree --sourceHost source.example.com --sourcePort 389 \
     --sourceBindDN "uid=admin,dc=example,dc=com" --sourceBindPassword password \
     --targetHost target.example.com --targetPort 389 \
     --targetBindDN "uid=admin,dc=example,dc=com" --targetBindPassword password \
     --entryDNFile /path/to/file/test-dns.ldif
   ```

   |   |     |
   | - | --- |
   |   | If an error occurs with one of the DNs in the file, the output message shows the error. The `move-subtree` tool keeps processing the remaining DNs in the file. |

   ```
   An error occurred while communicating with the target server: The entry
   uid=user.2,ou=People,dc=example,dc=com cannot be added because an entry with that name
   already exists
   Entry uid=user.3,ou=People,dc=example,dc=com was successfully moved from
   source.example.com:389 to target.example.com:389
   Entry uid=user.4,ou=People,dc=example,dc=com was successfully moved from
   source.example.com:389 to target.example.com:389
   ```
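Because the DN file cannot contain wrapped DNs, while LDIF permits long lines to be folded onto continuation lines that begin with a space, it is worth checking a generated file before the move, since moved entries no longer exist on the source server. The following is an added example, not part of the PingDirectory tooling; `check_dn_file` is a hypothetical helper, the sample file is constructed, and it assumes the search output may contain folded lines.

```shell
# check_dn_file FILE: print the DNs that are safe to pass to move-subtree, one
# per line; report wrapped or malformed lines on stderr and return non-zero.
check_dn_file() {
  awk '
    function emit() { if (pend != "") print pend; pend = "" }
    function flag(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; bad++ }
    /^#/ || /^[ \t]*$/ { next }            # ignored: comments and empty lines
    /^[ \t]/ {                             # continuation line: the DN was wrapped
      flag("continues the DN from line " at ", which is dropped")
      pend = ""; next
    }
    {
      emit()                               # previous DN was complete
      dn = $0; sub(/^[Dd][Nn]:[ \t]*/, "", dn)   # optional "dn:" prefix
      if (dn !~ /=/) { flag("not a DN: " $0); next }
      pend = dn; at = NR
    }
    END { emit(); exit (bad > 0) }
  ' "$1"
}

# Constructed sample in the shape of ldapsearch "1.1" output, with one folded DN.
dnfile=$(mktemp)
printf '%s\n' \
  '# DNs matching (department=Engineering)' \
  'dn: uid=user.3,ou=People,dc=example,dc=com' \
  '' \
  'dn: uid=user.with.a.long.name,ou=Engineering,ou=People,dc=exam' \
  ' ple,dc=com' \
  '' \
  'uid=user.4,ou=People,dc=example,dc=com' > "$dnfile"
check_dn_file "$dnfile" > "$dnfile.checked" || echo "review the rejected lines"
```

The checked file contains only the complete DNs, one per line, which is the form `--entryDNFile` expects.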
