--- title: LDAP updates description: Examples in this documentation depend on features activated in the ds-evaluation setup profile. component: pingds version: 8.1 page_id: pingds:ldap-guide:write-ldap canonical_url: https://docs.pingidentity.com/pingds/8.1/ldap-guide/write-ldap.html revdate: 2025-10-22T14:42:39Z keywords: ["LDAP"] section_ids: add-ldap: Add entries add-two-users: Add users bulk-add: Bulk adds modify-ldap: Modify entries modify-add-attribute: Add attributes modify-replace-attribute: Change an attribute modify-delete-attribute: Delete an attribute modify-delete-attribute-value: Delete one attribute value modify-stdin: From standard input modify-optimistic-concurrency: Optimistic concurrency (MVCC) json-update: JSON attribute filter-adds-modifies: Change incoming updates attr-cleanup-rename: Rename attributes attr-cleanup-remove: Remove attributes rename-ldap: Rename entries rename-moddn: Move entries move-entries-in-same-backend: Move a branch move-entry-example: Move an entry delete-ldap: Delete entries delete-subtree: Remove a branch delete-stdin: From standard input --- # LDAP updates | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Examples in this documentation depend on features activated in [the `ds-evaluation` setup profile](../install-guide/setup-ds.html#about-ds-evaluation).The code samples demonstrate how to contact the server over HTTPS using the deployment CA certificate. Before trying the samples, generate the CA certificate in PEM format from the server deployment ID and password:```console $ dskeymgr \ export-ca-cert \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --outputFile ca-cert.pem ``` | For details on the LDIF format shown in the examples that follow, refer to [RFC 2849](https://www.rfc-editor.org/info/rfc2849). ## Add entries ### Add users The following example adds two new users: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery << EOF dn: cn=Arsene Lupin,ou=Special Users,dc=example,dc=com objectClass: person objectClass: top cn: Arsene Lupin telephoneNumber: +33 1 23 45 67 89 sn: Lupin dn: cn=Horace Velmont,ou=Special Users,dc=example,dc=com objectClass: person objectClass: top cn: Horace Velmont telephoneNumber: +33 1 12 23 34 45 sn: Velmont EOF ``` ### Bulk adds The following example adds 10,000 generated entries, using the `--numConnections` option to perform multiple add operations in parallel. It generates user entries with user IDs larger than existing user IDS, removes container entries, and bulk adds users: ```console $ makeldif \ --outputLdif output.ldif \ <(sed "s///" /path/to/opendj/config/MakeLDIF/example.template) $ sed '1,10d' output.ldif > /tmp/generated-users.ldif $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery \ --numConnections 64 \ /tmp/generated-users.ldif ``` When you use the `--numConnections` option, the number of connection is rounded up to the nearest power of two for performance reasons. ## Modify entries ### Add attributes The following example shows you how to add a description and JPEG photo, [picture.jpg](../_attachments/images/picture.jpg), to Sam Carter's entry: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery << EOF dn: uid=scarter,ou=people,dc=example,dc=com changetype: modify add: description description: Accounting Manager - add: jpegphoto jpegphoto: **Collapse: Show output** > > ``` > dn: uid=bjensen,ou=People,dc=example,dc=com > l: San Francisco > roomNumber: 0209 > telephoneNumber: +1 408 555 1862 > ETag: ETAG > ``` Bob prepares his changes in your application. Bob is almost ready to submit the new location and description when Carol stops by to ask Bob a few questions. Alice starts just after Bob, but manages to submit her changes without interruption. Now Babs's entry has a new phone number, room number, and ETag: ```console $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(uid=bjensen)" \ telephoneNumber roomNumber l ETag ``` > **Collapse: Show output** > > ``` > dn: uid=bjensen,ou=People,dc=example,dc=com > telephoneNumber: +47 2108 1746 > roomNumber: 1389 > l: San Francisco > ETag: NEW_ETAG > ``` In your application, you use the ETag value with the assertion control to prevent Bob's update from succeeding. The application tries the equivalent of the following commands with Bob's updates: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery \ --assertionFilter "(ETag=${ETAG})" << EOF dn: uid=bjensen,ou=People,dc=example,dc=com changetype: modify replace: l l: Grenoble - add: description description: Employee of the Month EOF ``` > **Collapse: Show output** > > ``` > # The LDAP modify request failed: 122 (Assertion Failed) > # Additional Information: Entry uid=bjensen,ou=People,dc=example,dc=com cannot be modified because the request contained an LDAP assertion control and the associated filter did not match the contents of the entry > ``` The application reloads Babs's entry with the new ETag value, and tries Bob's update again. This time Bob's changes do not collide with other changes. Babs's entry is successfully updated: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery \ --assertionFilter "(ETag=${NEW_ETAG})" << EOF dn: uid=bjensen,ou=People,dc=example,dc=com changetype: modify replace: l l: Grenoble - add: description description: Employee of the Month EOF ``` > **Collapse: Show output** > > ``` > # MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com > ``` ### JSON attribute DS servers support attribute values that have JSON syntax as demonstrated in [JSON query filters](search-ldap.html#json-search). This example depends on the configuration and sample data used in [JSON query matching rule index](../config-guide/idx-config.html#json-index-example). Unless you have installed the server with the evaluation profile, perform the commands in that example to prepare the server before trying this one. The following example replaces the existing JSON value with a new JSON value: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery << EOF dn: uid=bjensen,ou=people,dc=example,dc=com changetype: modify add: objectClass objectClass: jsonObject - add: json json: {"stuff":["things","devices","paraphernalia"]} EOF ``` Notice that the JSON object is replaced entirely. When DS servers receive update requests for `Json` syntax attributes, they expect valid JSON objects. By default, `Json` syntax attribute values must comply with *The JavaScript Object Notation (JSON) Data Interchange Format*, described in [RFC 7159](https://www.rfc-editor.org/info/rfc7159). You can use the advanced core schema configuration option `json-validation-policy` to have the server be more lenient in what it accepts, or to disable JSON syntax checking. The following example relaxes JSON syntax checking to allow comments, single quotes, and unquoted control characters such as newlines, in strings: ```console $ dsconfig \ set-schema-provider-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --provider-name "Core Schema" \ --set json-validation-policy:lenient \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt ``` ## Change incoming updates Some client applications send updates including attributes with names that differ from the attribute names defined in the LDAP schema. Other client applications might try to update attributes they should not update, such as the operational attributes `creatorsName`, `createTimestamp`, `modifiersName`, and `modifyTimestamp`. Ideally, you would fix the client application behavior, but that is not always possible. You can configure the attribute cleanup plugin to filter add and modify requests, rename attributes in requests using incorrect names, and remove attributes that applications should not change. ### Rename attributes The following example renames incoming `email` attributes to `mail` attributes: 1. Configure the attribute cleanup plugin to rename the inbound attribute: ```console $ dsconfig \ create-plugin \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --type attribute-cleanup \ --plugin-name "Rename email to mail" \ --set enabled:true \ --set rename-inbound-attributes:email:mail \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt ``` 2. Confirm that it worked as expected: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery << EOF dn: uid=newuser,ou=People,dc=example,dc=com uid: newuser objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: top cn: New User sn: User ou: People email: newuser@example.com userPassword: chngthspwd EOF $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(uid=newuser)" \ mail ``` > **Collapse: Show output** > > ``` > dn: uid=newuser,ou=People,dc=example,dc=com > mail: newuser@example.com > ``` ### Remove attributes The following example prevents client applications from adding or modifying `creatorsName`, `createTimestamp`, `modifiersName`, and `modifyTimestamp` attributes. 1. Set up the attribute cleanup plugin: ```console $ dsconfig \ create-plugin \ --type attribute-cleanup \ --plugin-name "Remove attrs" \ --set enabled:true \ --set remove-inbound-attributes:creatorsName \ --set remove-inbound-attributes:createTimestamp \ --set remove-inbound-attributes:modifiersName \ --set remove-inbound-attributes:modifyTimestamp \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt ``` 2. Confirm that it worked as expected: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery << EOF dn: uid=badattr,ou=People,dc=example,dc=com uid: newuser objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: top cn: Bad Attr sn: Attr ou: People mail: badattr@example.com userPassword: chngthspwd creatorsName: cn=Bad Attr createTimestamp: Never in a million years. modifiersName: uid=admin modifyTimestamp: 20110930164937Z EOF $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(uid=badattr)" \ creatorsName createTimestamp modifiersTimestamp modifyTimestamp ``` > **Collapse: Show output** > > ``` > dn: uid=badattr,ou=People,dc=example,dc=com > createTimestamp: > creatorsName: uid=kvaughan,ou=People,dc=example,dc=com > ``` ## Rename entries The relative distinguished name (RDN) *(tooltip: \
\

The initial portion of a DN distinguishing the entry from all others at the same level.\

\
)* refers to the part of an entry's DN that differentiates it from all other DNs at the same level in the directory tree. For example, `uid=bjensen` is the RDN of the entry with the DN `uid=bjensen,ou=People,dc=example,dc=com`. When you change the RDN of the entry, you rename the entry, modifying the naming attribute and DN. In this example, Sam Carter is changing her last name to Jensen, and changing her login from `scarter` to `sjensen`. The following example shows you how to rename and change Sam Carter's entry. Notice the boolean field, `deleteoldrdn: 1`, which indicates that the previous RDN, `uid: scarter`, should be removed. Setting `deleteoldrdn: 0` instead would preserve `uid: scarter` on the entry: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery << EOF dn: uid=scarter,ou=people,dc=example,dc=com changetype: modrdn newrdn: uid=sjensen deleteoldrdn: 1 dn: uid=sjensen,ou=people,dc=example,dc=com changetype: modify replace: cn cn: Sam Jensen - replace: sn sn: Jensen - replace: homeDirectory homeDirectory: /home/sjensen - replace: mail mail: sjensen@example.com EOF ``` ## Move entries When you rename an entry with child entries, the directory has to move all the entries underneath it. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | DS directory servers support the modify DN operation only for moving entries in the same backend, under the same base DN. Depending on the number of entries you move, this can be a resource-intensive operation. | ### Move a branch The following example moves all entries at and below `ou=People,dc=example,dc=com` under `ou=Subscribers,dc=example,dc=com`. All the entries in this example are in the same backend. The line `deleteoldrdn: 1` indicates that the old RDN, `ou: People`, should be removed: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword password << EOF dn: ou=People,dc=example,dc=com changetype: modrdn newrdn: ou=Subscribers deleteoldrdn: 1 newsuperior: dc=example,dc=com EOF ``` Be aware that the move doesn't modify ACIs *(tooltip: \
\

An instruction or rule that can be used to grant or deny access to users to perform operations on a server.\

\
)* and other values that depend on `ou=People`. You must also edit any affected entries. ### Move an entry The following example moves an application entry that is under `dc=example,dc=com` under `ou=Apps,dc=example,dc=com` instead. The line `deleteoldrdn: 0` indicates that old RDN, `cn`, should be preserved: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \ --bindPassword bribery << EOF dn: cn=New App,dc=example,dc=com changetype: moddn newrdn: cn=An App deleteoldrdn: 0 newsuperior: ou=Apps,dc=example,dc=com EOF ``` ## Delete entries ### Remove a branch | | | | - | -------------------------------------------------------------------------------------------------------------------------------- | | | This can be a resource-intensive operation. The resources required to remove a branch depend on the number of entries to delete. | The following example shows you how to give an administrator access to use the subtree delete control, and to use the subtree delete option to remove an entry and its child entries: ```console $ dsconfig \ set-access-control-handler-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --add global-aci:"(targetcontrol=\"SubtreeDelete\")\ (version 3.0; acl \"Allow Subtree Delete\"; allow(read) \ userdn=\"ldap:///uid=kvaughan,ou=People,dc=example,dc=com\";)" \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt $ ldapdelete \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "uid=kvaughan,ou=People,dc=example,dc=com" \ --bindPassword bribery \ --deleteSubtree "ou=Special Users,dc=example,dc=com" ``` ### From standard input A double dash, `--`, signifies the end of command options. After the double dash, only trailing arguments are allowed. To indicate standard input as a trailing argument, use a bare dash, `-`, after the double dash. Consider the following list of [users to delete](../_attachments/text/users-to-delete.txt): ```console $ cat users-to-delete.txt ``` Output ``` uid=sfarmer,ou=People,dc=example,dc=com uid=skellehe,ou=People,dc=example,dc=com uid=slee,ou=People,dc=example,dc=com uid=smason,ou=People,dc=example,dc=com uid=speterso,ou=People,dc=example,dc=com uid=striplet,ou=People,dc=example,dc=com ``` To send this list to the `ldapdelete` command on standard input, use either of the following equivalent constructions: * With dashes: ```console $ cat users-to-delete.txt | ldapdelete \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery \ -- - ``` * Without dashes: ```console $ cat users-to-delete.txt | ldapdelete \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery ```