Chapter 3. Managing Directory Entries

This chapter discusses how to use command line utilities, such as ldapmodify, to manage entries in Directory Server.
To perform LDAP operations using the command line, install the openldap-clients package. The utilities installed by this package enable you to:
  • Add new entries
  • Add new attributes to existing entries
  • Update existing entries and attributes
  • Delete entries and attributes from entries
  • Perform bulk operations
To install the openldap-clients package:
# dnf install openldap-clients

Note

To perform LDAP operations, you need the appropriate permissions. For details about access control, see Chapter 18, Managing Access Control.

3.1. Providing Input to the ldapadd, ldapmodify, and ldapdelete Utilities

When you add, update, or delete entries or attributes in your directory, you can either use the interactive mode of the utilities to enter LDAP Data Interchange Format (LDIF) statements or pass an LDIF file to them.
For further details about LDIF, see Section B.1, “About the LDIF File Format”.

3.1.1. Providing Input Using the Interactive Mode

In the interactive mode, the ldapadd, ldapmodify, and ldapdelete utilities read the input from the command line. To exit the interactive mode, press the Ctrl+D (^D) key combination to send the End Of File (EOF) escape sequence.
In interactive mode, the utility sends the statements to the LDAP server when you press Enter twice or when you send the EOF sequence.
Use the interactive mode:
  • To enter LDIF statements without creating a file:

    Example 3.1. Using the ldapmodify Interactive Mode to Enter LDIF Statements

    The following example starts ldapmodify in interactive mode, deletes the telephoneNumber attribute, and adds the manager attribute with the cn=manager_name,ou=people,dc=example,dc=com value to the uid=user,ou=people,dc=example,dc=com entry. Press Ctrl+D after the last statement to exit the interactive mode.
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: uid=user,ou=people,dc=example,dc=com
    changetype: modify
    delete: telephoneNumber
    -
    add: manager
    manager: cn=manager_name,ou=people,dc=example,dc=com
    ^D
  • To redirect LDIF statements that another command outputs to Directory Server:

    Example 3.2. Using the ldapmodify Interactive Mode with Redirected Content

    The following example redirects the output of the command_that_outputs_LDIF command to ldapmodify. The interactive mode exits automatically after the redirected command exits.
    # command_that_outputs_LDIF | ldapmodify -D "cn=Directory Manager" \
         -W -p 389 -h server.example.com -x
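
Example 3.2 leaves command_that_outputs_LDIF unspecified. The following shell functions are an added example, not part of the original guide: they generate the change record from Example 3.1 and base64-encode any value that LDIF (RFC 2849) does not allow in plain form, so a value containing a line break stays a single attribute value instead of becoming extra LDIF statements. The function names ldif_attr and manager_change and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): a stand-in for
# command_that_outputs_LDIF. Function names and sample values are constructed.

# Print "name: value", or "name:: <base64>" when RFC 2849 does not allow the
# value in plain form: leading space, ':' or '<', trailing space, or any byte
# outside printable ASCII (which includes CR and LF).
ldif_attr() {
    name=$1
    value=$2
    unsafe=0
    case $value in
        ' '*|:*|'<'*|*' ') unsafe=1 ;;
    esac
    # Count the bytes that remain after deleting printable ASCII (0x20-0x7e).
    odd=$(printf '%s' "$value" | LC_ALL=C tr -d ' -~' | wc -c)
    if [ "$odd" -ne 0 ]; then
        unsafe=1
    fi
    if [ "$unsafe" -eq 1 ]; then
        printf '%s:: %s\n' "$name" "$(printf '%s' "$value" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$name" "$value"
    fi
}

# Emit the change record used in this section for one entry DN ($1) and one
# manager DN ($2), followed by the blank line that ends an LDIF record.
manager_change() {
    ldif_attr dn "$1"
    printf 'changetype: modify\n'
    printf 'delete: telephoneNumber\n'
    printf '%s\n' '-'
    printf 'add: manager\n'
    ldif_attr manager "$2"
    printf '\n'
}

# Constructed input: the second manager value carries an embedded line break.
manager_change "uid=user,ou=people,dc=example,dc=com" \
    "cn=manager_name,ou=people,dc=example,dc=com"
manager_change "uid=user,ou=people,dc=example,dc=com" "cn=manager_name
telephoneNumber: not a separate LDIF line"

# To send the records to Directory Server, pipe them as in Example 3.2:
#   manager_change ... | ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
```

The first record prints the manager value in plain form; the second prints it as a single `manager:: ` line, so the record still has exactly one manager value.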

3.1.2. Providing Input Using an LDIF File

When you pass an LDIF file, the ldapadd, ldapmodify, and ldapdelete utilities read the LDIF statements from that file instead of from the command line. Use this mode to send a larger number of LDIF statements to Directory Server.

Example 3.3. Passing a File with LDIF Statements to ldapmodify

  1. Create a file with the LDIF statements. For example, create the ~/example.ldif file with the following statements:
    dn: uid=user,ou=people,dc=example,dc=com
    changetype: modify
    delete: telephoneNumber
    -
    add: manager
    manager: cn=manager_name,ou=people,dc=example,dc=com
    This example deletes the telephoneNumber attribute and adds the manager attribute with the cn=manager_name,ou=people,dc=example,dc=com value to the uid=user,ou=people,dc=example,dc=com entry.
  2. Pass the file to the ldapmodify command using the -f file_name option:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \
         -f ~/example.ldif