PingDirectory

Modifying entries using ldapmodify

You can use the ldapmodify tool to modify entries from the command line or by using an LDIF file that has the changetype:modify directive and value.

If a record contains more than one change, separate the changes with a line that contains only the - (dash) character.

Modifying an attribute from the command line

Steps

  1. To locate a specific entry, run the ldapsearch tool.

    Example:

    $ bin/ldapsearch -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
      -w password -b dc=example,dc=com "(uid=user.2004)"
  2. To change attributes from the command line, run the ldapmodify command.

    1. Specify the modification using the changetype:modify directive and then specify which attributes are to be changed using the replace directive.

      Example:

      In this example, we change the telephone number of a specific user entry.

      $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
        -w password
      dn: uid=user.2004,ou=People,dc=example,dc=com
      changetype: modify
      replace: telephoneNumber
      telephoneNumber: +1 097 453 8232
  2. Process the request:

    Choose from:

    • For Unix, enter ctrl+d twice. This is the Unix EOF escape sequence.

    • For Windows, enter ctrl+z.

Modifying multiple attributes in an entry from the command line

Steps

  1. To locate a specific entry, run the ldapsearch tool.

    Example:

    $ bin/ldapsearch -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
      -w password -b dc=example,dc=com "(uid=user.2004)"
  2. To change attributes from the command line, use the ldapmodify command.

    1. Specify the modification using the changetype:modify subcommand.

    2. Specify the attributes to change using the add and replace subcommands.

      Example:

      In this example, we add the postOfficeBox attribute and change the mobile and telephone numbers of a specific user entry. The postOfficeBox attribute must be present in your schema to allow the addition. The three changes are separated by a dash ("-").

      $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" -w password
      dn: uid=user.2004,ou=People,dc=example,dc=com
      changetype: modify
      add: postOfficeBox
      postOfficeBox: 111
      -
      replace: mobile
      mobile: +1 039 831 3737
      -
      replace: telephoneNumber
      telephoneNumber: +1 097 453 8232
  3. Process the request.

    Choose from:

    • For Unix, enter ctrl+d twice. This is the Unix EOF escape sequence.

    • For Windows, enter ctrl+z.

Adding an attribute from the command line

Steps

  1. Run the ldapmodify tool from the command line interface.

  2. Specify the modification using the changetype:modify subcommand.

  3. Specify which attributes to add using the add option.

    Example:

    In this example, we add another value for the cn attribute, which is multi-valued.

    $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
      -w password
    dn: uid=user.2004,ou=People,dc=example,dc=com
    changetype: modify
    add: cn
    cn: Sally Tea Tree
  4. To process the request, enter ctrl+d twice.

    This is the UNIX EOF escape sequence.

    An error might occur if the attribute is single-valued, if the value already exists, if the value does not meet the proper syntax, or if the value does not meet the entry’s objectclass requirements.

    Remove any trailing spaces after the attribute value.

Adding an attribute using the language subtype

About this task

The PingDirectory server supports attributes with language subtypes. The attribute description in the operation must match the subtype exactly for the operation to succeed. Any non-ASCII characters must be UTF-8 encoded.

Steps

  1. Run the ldapmodify tool from the command line interface.

  2. Specify the modification using changetype:modify.

  3. Specify which attributes to add using the add option.

    Example:

    In this example, we add a value with the lang-ko language subtype to the postalAddress attribute.

    $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
      -w password
    dn: uid=user.2004,ou=People,dc=example,dc=com
    changetype: modify
    add: postalAddress;lang-ko
    postalAddress;lang-ko: Byung-soon Kim$2020-14 Seoul
  4. To process the request, enter ctrl+d twice.

    This is the UNIX EOF escape sequence.

Adding an attribute using the binary subtype

About this task

The PingDirectory server supports attributes with binary subtypes, which are typically used for certificates or JPEG images stored in an entry. The attribute description in the operation must match the subtype exactly for the operation to succeed. You must use the version directive with a value of "1" for binary subtypes. Typical binary attribute types are userCertificate and jpegPhoto.

Steps

  1. To add an attribute with a binary subtype, run the ldapmodify tool from the command line interface.

  2. Specify the modification using changetype:modify.

  3. Specify which attributes to add using the add option.

    Example:

    In this example, the attribute value is read from the certificate file at the given path.

    $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
      -w password
    version: 1
    dn: uid=user.2004,ou=People,dc=example,dc=com
    changetype: modify
    add: userCertificate;binary
    userCertificate;binary:< file:///path/to/cert

Deleting an attribute

Steps

  1. To delete an attribute, run the ldapmodify tool with the LDIF delete subcommand.

    Example:

    $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
      -w password
    dn: uid=user.2004,ou=People,dc=example,dc=com
    changetype: modify
    delete: employeeNumber

Deleting one value from an attribute with multiple values

About this task

Use the LDIF delete subcommand to delete a specific attribute value from an attribute.

Steps

  1. Run the ldapmodify tool from the command line.

  2. Specify the modification using changetype:modify.

  3. Specify the attribute and the value that you want to delete using delete.

    Example:

    The following sample assumes you have multiple values of cn in an entry, such as cn: Sally Tree and cn: Sally Tea Tree. This sample keeps cn: Sally Tree and deletes cn: Sally Tea Tree.

    $ bin/ldapmodify -h server.example.com -p 389 -D "cn=admin,dc=example,dc=com" \
      -w password
    dn: uid=user.2004,ou=People,dc=example,dc=com
    changetype: modify
    delete: cn
    cn: Sally Tea Tree
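The records in the sections above share one LDIF grammar: a dn: line, changetype: modify, one or more add/delete/replace changes separated by a line containing only -, attribute options such as ;lang-ko or ;binary with no surrounding spaces, :< file URLs for binary values, an optional leading version: 1, and no trailing spaces after a value. The following Python function, an added example that is not part of PingDirectory or its tools, parses such a record and rejects those malformed cases before anything is sent to the server; the sample record is constructed from the page's examples.

```python
import re

# Attribute description: type plus optional ;options (userCertificate;binary, postalAddress;lang-ko); no spaces.
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*$")

# Constructed sample record: two changes separated by '-', one with the binary subtype.
SAMPLE = """version: 1
dn: uid=user.2004,ou=People,dc=example,dc=com
changetype: modify
replace: mobile
mobile: +1 039 831 3737
-
add: userCertificate;binary
userCertificate;binary:< file:///path/to/cert
"""

def _split(line: str) -> tuple[str, str]:
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"missing ':' in {line!r}")
    if rest.startswith("<"):               # URL reference: returned as a URL, not fetched
        return name, rest[1:].strip()
    value = rest.lstrip(" ")
    if value != value.rstrip():            # trailing spaces would become part of the value
        raise ValueError(f"trailing whitespace in value of {name!r}")
    return name, value

def parse_modify_record(ldif: str) -> tuple[str, list[tuple[str, str, list[str]]]]:
    """Parse one 'changetype: modify' record into (dn, [(op, attr, values), ...])."""
    lines = [ln for ln in ldif.splitlines() if ln.strip() and not ln.startswith("#")]
    if lines and lines[0].lower().startswith("version:") and _split(lines.pop(0))[1] != "1":
        raise ValueError("only LDIF version 1 is supported")
    if len(lines) < 3 or not lines[0].lower().startswith("dn:") or _split(lines[1]) != ("changetype", "modify"):
        raise ValueError("record must begin with 'dn:' and 'changetype: modify'")
    changes, current = [], None
    for line in lines[2:]:
        if line == "-" and current is not None:   # separator between changes
            changes.append(current)
            current = None
        elif current is None:                     # change header: add/delete/replace: <attr>
            op, attr = _split(line)
            if op.lower() not in ("add", "delete", "replace") or not ATTR_RE.match(attr):
                raise ValueError(f"bad change header {line!r}")
            current = (op.lower(), attr, [])
        else:                                     # value line for the current change
            current[2].append(_split(line)[1])
    if current is not None:
        changes.append(current)
    return _split(lines[0])[1], changes
```

A - line with no preceding change, or a header such as add: postalAddress; lang-ko with a space inside the attribute option, raises ValueError instead of being passed on to ldapmodify.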

Renaming an entry

Rename an entry by changing its relative distinguished name (RDN).

About this task

You cannot rename an entry that has child entries, because this violates the LDAP protocol.

Steps

  1. Run the ldapmodify tool to rename an entry.

    1. Specify the changetype, newrdn, and deleteoldrdn directives.

      Example:

      The following command changes uid=user.14 to uid=user.2014 and uses the changetype, newrdn, and deleteoldrdn directives.

      $ bin/ldapmodify
      dn: uid=user.14,ou=People,dc=example,dc=com
      changetype:moddn
      newrdn: uid=user.2014
      deleteoldrdn: 1

Moving an entry within a PingDirectory server

Run the ldapmodify tool to move an entry from one base distinguished name (DN) to another base DN.

Before you begin

  • Assign access control instructions (ACIs) on the parent entries.

    • The source parent entry must have an ACI that allows export operations: allow(export).

    • The target parent entry must have an ACI that allows import operations: allow(import).

About this task

For more information on access control instructions, see Overview of access control.

Steps

  1. To move an entry from one branch to another, run the ldapmodify tool.

  2. Specify the modification using changetype:moddn, and give the new parent entry with the newsuperior directive.

    Example:

    In this example, an entry moves from the ou=contractors branch to the ou=People branch.

    $ bin/ldapmodify
    dn: uid=user.14,ou=contractors,dc=example,dc=com
    changetype:moddn
    newrdn: uid=user.2014
    deleteoldrdn: 0
    newsuperior: ou=People,dc=example,dc=com

Moving an entry from one machine to another

About this task

The PingDirectory server provides the move-subtree tool to move a subtree or a single entry from one machine to another.

The move-subtree tool moves a subtree or multiple entries from one machine to another. The tool does not copy the entries. After the entries are moved, they are no longer present on the source server.

The subtree or entry must exist on the source server and cannot be present on the target server. The source server must also support the real attributes only request control. The target server must support the Ignore NO-USER-MODIFICATION request control.

Steps

  • To move an entry, such as uid=test.user,ou=People,dc=example,dc=com, from the source host to the target host, run the move-subtree tool.

    Example:

    $ bin/move-subtree --sourceHost source.example.com --sourcePort 389 \
      --sourceBindDN "uid=admin,dc=example,dc=com" --sourceBindPassword password \
      --targetHost target.example.com --targetPort 389 \
      --targetBindDN "uid=admin,dc=example,dc=com" --targetBindPassword password \
      --entryDN uid=test.user,ou=People,dc=example,dc=com

Moving multiple entries from one machine to another

About this task

The move-subtree tool can move multiple entries listed in a distinguished name (DN) file from one machine to another. Lines that begin with the octothorpe character (#) and empty lines are ignored. You can prefix entry DNs with dn:, but long DNs can't be wrapped across multiple lines.

Steps

  1. In a text editor, create a new text file, enter a list of DNs, one DN per line, and then save the file.

    You can also use the ldapsearch command with the special attribute list "1.1", which returns only DNs, to create a file containing a list of the DNs that you want to move.

    Example:

    The following example searches for all entries that match "(department=Engineering)" and returns only the DNs that match the criteria. The results are redirected to an output file, test-dns.ldif.

    $ bin/ldapsearch --baseDN dc=example,dc=com \
      --searchScope sub "(department=Engineering)" "1.1" > test-dns.ldif
  2. To specify the file of DNs to move from one machine to another, run the move-subtree tool with the --entryDNFile option.

    Example:

    $ bin/move-subtree --sourceHost source.example.com --sourcePort 389 \
      --sourceBindDN "uid=admin,dc=example,dc=com" --sourceBindPassword password \
      --targetHost target.example.com --targetPort 389 \
      --targetBindDN "uid=admin,dc=example,dc=com" --targetBindPassword password \
      --entryDNFile /path/to/file/test-dns.ldif

    If an error occurs with one of the DNs in the file, the output message shows the error. The move-subtree tool keeps processing the remaining DNs in the file.

    An error occurred while communicating with the target server: The entry
    uid=user.2,ou=People,dc=example,dc=com cannot be added because an entry with that name
    already exists
    Entry uid=user.3,ou=People,dc=example,dc=com was successfully moved from
    source.example.com:389 to target.example.com:389
    Entry uid=user.4,ou=People,dc=example,dc=com was successfully moved from
    source.example.com:389 to target.example.com:389
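As an added example that is not a PingDirectory tool, the following Python function prepares the DN file for the move-subtree step above from ldapsearch "1.1" output: it drops # comments and blank lines, strips the optional dn: prefix, and rejoins any DN that LDIF folding wrapped onto a continuation line, since move-subtree does not accept wrapped DNs. The sample file content is constructed.

```python
# Constructed sample: LDIF-style search output with a comment, blank separators
# and one DN that was folded onto a continuation line (leading space).
SAMPLE_DN_FILE = """# entries to move to target.example.com
dn: uid=user.2,ou=People,dc=example,dc=com

dn: uid=user.3,ou=People,dc=example,dc=com

dn: uid=user.4,ou=Engineering Contractors and Partners,ou=People,
 dc=example,dc=com
"""

def normalize_dn_file(text: str) -> list[str]:
    """Return one complete DN per element, ready to be written to the --entryDNFile."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF continuation line: rejoin it to its DN
        else:
            lines.append(raw)
    dns: list[str] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                        # blank lines and # comments are ignored by the tool
        if line.lower().startswith("dn:"):
            line = line[3:]                 # the optional 'dn: ' prefix
        dns.append(line.strip())
    return dns

def dn_file_contents(text: str) -> str:
    """Render the normalized DNs as the one-DN-per-line file move-subtree expects."""
    return "\n".join(normalize_dn_file(text)) + "\n"
```

Write the result of dn_file_contents() to test-dns.ldif before passing it to --entryDNFile; a DN that spans two lines in the raw search output would otherwise be rejected by the tool.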