ldapmodrdn
The LDAP modify-entry RDN tool
Synopsis
ldapmodrdn [-c] [-C charset] [-d debuglevel][-D binddn]
[-f file][-G realm] [-h ldaphost] [-i file] [-k] [-K keyfile]
[-m mechanism] [-M] [-n] [-N certificatename] [-O hopcount]
[-p ldapport] [-P keyfilepw] [-r] [-R] [-U username] [-v] [-V version]
[-w passwd | ?] [-y proxydn] [-Y] [-Z] [dn newrdn | [-i file]]
Description
ldapmodrdn is a command-line interface
to the ldap_modrdn application programming interface (API).
ldapmodrdn opens a connection
to an LDAP server, binds, and modifies the RDN of entries. The entry information
is read from standard input, from file through the use of the - f option, or from the command-line pair dn and rdn.
See Distinguished names (DNs) for information about RDNs (Relative Distinguished
Names) and DNs (Distinguished Names).
To display syntax help for ldapmodrdn, type:
ldapmodrdn -?
Options
- -c
- Continuous operation mode. Errors are reported, but ldapmodrdn continues with modifications. Otherwise the default action
is to exit after reporting an error.
- -C charset
- Specifies that the strings supplied as input to the ldapmodrdn utility are represented in a local character set, as specified
by charset. Use the -C charset option if the input string codepage is different from the
job codepage value. Refer to the ldap_set_iconv_local_charset() API to see
supported charset values.Note that the supported values for charset are the
same values supported for the charset tag that is optionally defined in Version
1 LDIF files.
- -d debuglevel
- Set the LDAP debugging level to debuglevel.
- -D binddn
- Use binddn to bind to the LDAP directory. binddn should be a string-represented DN. When used
with -m DIGEST-MD5, it is used to specify the authorization ID. It can either
be a DN, or an authzId string starting with "u:" or "dn:".
- -f file
- Read the entry modification information from an LDIF file instead of
from standard input or the command-line (by specifying dn and the new rdn).
Standard input can also be supplied from a file (< file).
- -G realm
- Specify the realm. This parameter is optional. When used with
-m DIGEST-MD5, the value is passed to the server during the bind.
- -h ldaphost
- Specify an alternate host on which the ldap server is running.
- -i file
- Read the entry modification information from file instead
of from standard input or the command-line (by specifying rdn and newrdn).
Standard input can be supplied from a file, as well ("< file").
- -k
- Specifies to use server administration control.
- -K keyfile
- Specify the name of the SSL key database file. If the key database file
is not in the current directory, specify the fully-qualified key database
filename.
If the utility cannot locate a key database, it will
use a hard-coded set of default trusted certificate authority roots. The key
database file typically contains one or more certificates of certification
authorities (CAs) that are trusted by the client. These types of X.509 certificates
are also known as trusted roots.
This parameter effectively enables
the -Z switch. For Directory Server
on i5/OS if you use -Z and do not use -K or -N, the certificate associated
with the Directory Services Client application ID will be used.
- -m mechanism
- Use mechanism to specify the
SASL mechanism to be used to bind to the server. The ldap_sasl_bind_s() API is used. The -m parameter is ignored if -V 2 is
set. If -m is not specified, simple
authentication is used. Valid mechanisms are:
- CRAM-MD5 - protects the password sent to the server.
- EXTERNAL - uses the SSL certificate. Requires -Z.
- GSSAPI - uses the user's Kerberos credentials
DIGEST-MD5 - requires that the client send a username value
to the server. Requires -U. The -D parameter (usually the bind DN) is used
to specify the authorization ID. It can be a DN, or an authzId string starting
with u: or dn:.
- OS400_PRFTKN - authenticates to the local LDAP server as the
current i5/OS user using the DN of the user in the system projected backend.
The -D (bind DN) and -w (password) parameters should not be specified.
- -M
- Manage referral objects as regular entries.
- -n
- Show what would be done, but don't actually change entries. Useful for
debugging in conjunction with -v.
- -N certificatename
- Specify the label associated with the client certificate in the key
database file. Note that if the LDAP server is configured to perform server
authentication only, a client certificate is not required. If the LDAP server
is configured to perform client and server authentication, a client certificate
might be required. certificatename is
not required if a default certificate/private key pair has been designated
as the default. Similarly, certificatename is not required if there is a single certificate/private key pair in
the designated key database file. This parameter is ignored if neither -Z nor -K is specified. For Directory Server on i5/OS if you use -Z and do not
use -K or -N, the certificate associated with the Directory Services Client
application ID will be used.
- -O hopcount
- Specify hopcount to
set the maximum number of hops that the client library takes when chasing
referrals. The default hopcount is 10.
- -p ldapport
- Specify an alternate TCP port where the ldap server is listening.
The default LDAP port is 389. If not specified and -Z is specified, the default
LDAP SSL port 636 is used.
- -P keyfilepw
- Specify the key database password. This password is required to access
the encrypted information in the key database file (which can include one
or more private keys). If a password stash file is associated with the key
database file, the password is obtained from the password stash file,
and the -P parameter is not required.
This parameter is ignored if neither -Z nor -K is specified.
- -r
- Remove old RDN values from the entry. Default action is to
keep old values.
- -R
- Specifies that referrals are not to be automatically followed.
- -U username
- Specify the username. Required with -m DIGEST-MD5 and ignored
with any other mechanism.
- -v
- Use verbose mode, with many diagnostics written to standard
output.
- -V version
- Specifies the LDAP version to be used by ldapmodrdn when it binds to the LDAP server. By default, an LDAP V3 connection
is established. To explicitly select LDAP V3, specify -V 3. Specify -V 2 to run as an LDAP
V2 application. An application, like ldapmodrdn, selects LDAP V3 as the preferred protocol by using ldap_init instead
of ldap_open.
- -w passwd | ?
- Use passwd as the password
for authentication. Use the ? to generate a password prompt.
- -y proxydn
- Set proxied ID for proxied authorization operation.
- -Y
- Use a secure LDAP connection (TLS).
- -Z
- Use a secure SSL connection to communicate with the LDAP server. For
Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate
associated with the Directory Services Client application ID will be used.
- dn newrdn
- See the following section, "Input format for dn newrdn" for
more information.
Input format for dn newrdn
If the command-line arguments dn and newrdn are given, newrdn replaces the RDN of the entry
specified by the DN, dn. Otherwise, the contents of file
(or standard input if no - i flag is
given) consist of one or more entries:
Distinguished Name (DN)
Relative Distinguished Name (RDN)
One or more blank lines can be used to separate each DN and RDN pair.
Examples
Assuming that the file /tmp/entrymods exists and has the contents:
cn=Modify Me, o=University of Life, c=US
cn=The New Me
the command:
ldapmodrdn -r -i /tmp/entrymods
changes the RDN of the Modify Me entry from Modify Me to The New Me and the old cn, Modify Me is
removed.
Notes
If entry information is not supplied from file through the use
of the -i option (or from the command-line
pair dn and rdn), the ldapmodrdn command waits to read entries from standard input.
Diagnostics
Exit status is 0 if no errors occur. Errors result in a non-zero
exit status and a diagnostic message being written to standard error.