<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - ldapmodify and ldapadd</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<a name="rzahyldapadd"></a>
<h3 id="rzahyldapadd">ldapmodify and ldapadd</h3>
<p>The LDAP modify-entry and LDAP add-entry tools</p>
<p><span class="bold">Synopsis</span></p>
<pre class="xmp">ldapmodify [-a] [-b] [-c] [-C charset] [-d debuglevel] [-D binddn] [-f file]
[-F] [-g] [-G realm] [-h ldaphost] [-i file] [-k] [-K keyfile] [-m mechanism]
[-M] [-n] [-N certificatename] [-O maxhops] [-p ldapport] [-P keyfilepw] [-r]
[-R] [-U username] [-v] [-V version] [-w passwd | ?] [-y proxydn] [-Y] [-Z]
ldapadd [-a] [-b] [-c] [-C charset] [-d debuglevel] [-D binddn] [-f file]
[-F] [-g] [-G realm] [-h ldaphost] [-i file] [-k] [-K keyfile] [-m mechanism]
[-M] [-n] [-N certificatename] [-O maxhops] [-p ldapport] [-P keyfilepw] [-r]
[-R] [-U username] [-v] [-V version] [-w passwd | ?] [-y proxydn] [-Y] [-Z]</pre>
<p><span class="bold">Description</span></p>
<p><span class="bold">ldapmodify</span> is a command-line interface to the
ldap_modify, ldap_add, ldap_delete, and ldap_modrdn application programming
interfaces (APIs). <span class="bold">ldapadd</span> is implemented as a
renamed version of ldapmodify. When invoked as ldapadd, the <span class="bold">-a</span> (add new entry) flag is turned on automatically.</p>
<p><span class="bold">ldapmodify</span> opens a connection to an LDAP server,
and binds to the server. You can use <span class="bold">ldapmodify</span> to
change or add entries. The entry information is read from standard input or
from file through the use of the <span class="bold">-i</span> option.</p>
<p>To display syntax help for <span class="bold">ldapmodify</span> or <span class="bold">ldapadd</span>, type </p>
<pre class="xmp">ldapmodify -?</pre><p class="indatacontent"> or </p>
<pre class="xmp">ldapadd -?</pre>
<p><span class="bold">Options</span></p>
<dl>
<dt class="bold">-a</dt>
<dd>Add new entries. The default action for <span class="bold">ldapmodify</span> is to change existing entries. If invoked as <span class="bold">ldapadd</span>, this flag is always set.
</dd>
<dt class="bold">-b</dt>
<dd>Assume that any values that start with a '/' are binary values and that
the actual value is in a file whose path is specified in place of the value.
</dd>
<dt class="bold">-c</dt>
<dd>Continuous operation mode. Errors are reported, but <span class="bold">ldapmodify</span> continues with modifications. Otherwise, the default action
is to exit after reporting an error.
</dd>
<dt class="bold">-C <span class="italic">charset</span> </dt>
<dd>Specifies that strings supplied as input to the <span class="bold">ldapmodify</span> and <span class="bold">ldapadd</span> utilities are represented
in a local character set as specified by charset, and must be converted to
UTF-8. Use the <span class="bold">-C <span class="italic">charset</span></span> option if the input string codepage is different from the job codepage
value. Refer to the <a href="../apis/ldap_set_iconv_local_charset.htm">ldap_set_iconv_local_charset()</a> API to see supported charset values.
</dd>
<dt class="bold">-d <span class="italic">debuglevel</span> </dt>
<dd>Set the LDAP debugging level to debuglevel.
</dd>
<dt class="bold">-D <span class="italic">binddn</span></dt>
<dd>Use <span class="bold-italic">binddn</span> to bind to the LDAP directory. <span class="bold-italic">binddn</span> is a string-represented DN. When used with
-m DIGEST-MD5, it is used to specify the authorization ID. It can either be
a DN, or an authzId string starting with "u:" or "dn:".
</dd>
<dt class="bold">-f <span class="italic">file</span> </dt>
<dd>Read the entry modification information from an LDIF file instead of
from standard input. If an LDIF file is not specified, you must use standard
input to specify the update records in LDIF format.
</dd>
<dt class="bold">-F </dt>
<dd>Force application of all changes regardless of the contents of input
lines that begin with replica: (by default, replica: lines are compared against
the LDAP server host and port in use to decide if a replication log record
should actually be applied).
</dd><img src="delta.gif" alt="Start of change" />
<dt class="bold">-g</dt>
<dd>Do not strip trailing spaces on attribute values.
</dd><img src="deltaend.gif" alt="End of change" />
<dt class="bold">-G <span class="italic">realm</span></dt>
<dd>Specify the realm. This parameter is optional. When used with -m DIGEST-MD5,
the value is passed to the server during the bind.
</dd>
<dt class="bold">-h <span class="italic">ldaphost</span></dt>
<dd>Specify an alternate host on which the ldap server is running.
</dd>
<dt class="bold">-i <span class="italic">file</span></dt>
<dd>Read the entry modification information from an LDIF file instead of
from standard input. If an LDIF file is not specified, you must use standard
input to specify the update records in LDIF format.
</dd>
<dt class="bold">-k </dt>
<dd>Specifies to use server administration control.
</dd>
<dt class="bold">-K <span class="italic">keyfile</span></dt>
<dd>Specify the name of the SSL key database file with default extension
of <span class="bold">kdb</span>. If the key database file is not in
the current directory, specify the fully-qualified key database filename.
If a key database filename is not specified, this utility will first look
for the presence of the SSL_KEYRING environment variable with an associated
filename. If the SSL_KEYRING environment variable is not defined, the system
keyring file will be used, if present.
<p>This parameter effectively enables the <span class="bold">-Z</span> switch. For Directory Server on i5/OS if you use -Z and do not use
-K or -N, the certificate associated with the Directory Services Client application
ID will be used.</p>
</dd>
<dt class="bold">-m <span class="italic">mechanism</span></dt>
<dd>Use <span class="bold-italic">mechanism</span> to specify the SASL mechanism
to be used to bind to the server. The <a href="../apis/ldap_sasl_bind_s.htm">ldap_sasl_bind_s()</a> API is used. The <span class="bold">-m</span> parameter is ignored
if <span class="bold">-V 2</span> is set. If <span class="bold">-m</span> is
not specified, simple authentication is used. Valid mechanisms are:
<ul>
<li>CRAM-MD5 - protects the password sent to the server.</li>
<li>EXTERNAL - uses the SSL certificate. Requires -Z.</li>
<li>GSSAPI - uses the user's Kerberos credentials</li>
<li><img src="delta.gif" alt="Start of change" />DIGEST-MD5 - requires that the client send a username value
to the server. Requires -U. The -D parameter (usually the bind DN) is used
to specify the authorization ID. It can be a DN, or an authzId string starting
with u: or dn:.<img src="deltaend.gif" alt="End of change" /></li>
<li><img src="delta.gif" alt="Start of change" />OS400_PRFTKN - authenticates to the local LDAP server as the
current i5/OS user using the DN of the user in the system projected backend.
The -D (bind DN) and -w (password) parameters should not be specified.<img src="deltaend.gif" alt="End of change" /></li></ul>
</dd>
<dt class="bold">-M</dt>
<dd>Manage referral objects as regular entries.
</dd>
<dt class="bold">-n</dt>
<dd>Show what would be done, but do not actually modify entries. Useful
for debugging in conjunction with -v.
</dd>
<dt class="bold">-N <span class="italic">certificatename</span></dt>
<dd>Specify the label associated with the client certificate in the key
database file. If the LDAP server is configured to perform server authentication
only, a client certificate is not required. If the LDAP server is configured
to perform client and server authentication, a client certificate might be
required. <span class="bold-italic">certificatename</span> is not required
if a certificate/private key pair has been designated as the default for the
key database file. Similarly, <span class="bold-italic">certificatename</span> is not required if there is a single certificate/private key pair in
the designated key database file. This parameter is ignored if neither <span class="bold">-Z</span> nor <span class="bold">-K</span> is specified. For Directory Server on i5/OS if you use -Z and do not
use -K or -N, the certificate associated with the Directory Services Client
application ID will be used.
</dd>
<dt class="bold">-O <span class="italic">maxhops</span></dt>
<dd>Specify <span class="bold-italic">maxhops</span> to
set the maximum number of hops that the client library takes when chasing
referrals. The default hopcount is 10.
</dd>
<dt class="bold">-p <span class="italic">ldapport</span> </dt>
<dd>Specify an alternate TCP port where the ldap server is listening.
The default LDAP port is 389. If <span class="bold">-p</span> is
not specified and <span class="bold">-Z</span> is specified, the
default LDAP SSL port 636 is used.
</dd>
<dt class="bold">-P <span class="italic">keyfilepw</span></dt>
<dd>Specify the key database password. This password is required
to access the encrypted information in the key database file, which might
include one or more private keys. If a password stash file is associated with
the key database file, the password is obtained from the password stash file,
and the <span class="bold">-P</span> parameter is not required.
This parameter is ignored if neither <span class="bold">-Z</span> nor <span class="bold">-K</span> is specified.
</dd>
<dt class="bold">-r</dt>
<dd>Replace existing values by default.
</dd>
<dt class="bold">-R</dt>
<dd>Specifies that referrals are not to be automatically followed.
</dd>
<dt class="bold">-U <span class="italic">username</span></dt>
<dd>Specify the username. Required with -m DIGEST-MD5 and ignored
with any other mechanism.
</dd>
<dt class="bold">-v</dt>
<dd>Use verbose mode, with many diagnostics written to standard
output.
</dd>
<dt class="bold">-V <span class="italic">version</span></dt>
<dd>Specifies the LDAP version to be used by <span class="bold">ldapmodify</span> when it binds to the LDAP server. By default, an LDAP V3 connection
is established. To explicitly select LDAP V3, specify <span class="bold">-V
3</span>. Specify <span class="bold">-V 2</span> to run as an LDAP V2 application.
</dd>
<dt class="bold">-w <span class="italic">passwd</span> | ?</dt>
<dd>Use <span class="bold-italic">passwd</span> as the password
for authentication. Use the ? to generate a password prompt.
</dd><img src="delta.gif" alt="Start of change" />
<dt class="bold">-y <span class="italic">proxydn</span></dt>
<dd>Set proxied ID for proxied authorization option.
</dd><img src="deltaend.gif" alt="End of change" /><img src="delta.gif" alt="Start of change" />
<dt class="bold">-Y</dt>
<dd>Use a secure LDAP connection (TLS).
</dd><img src="deltaend.gif" alt="End of change" />
<dt class="bold">-Z</dt>
<dd>Use a secure SSL connection to communicate with the LDAP server. For
Directory Server on i5/OS if you use -Z and do not use -K or -N, the certificate
associated with the Directory Services Client application ID will be used.
</dd>
</dl>
<p><span class="bold">Input format</span></p>
<p>The contents of file (or standard input if no <span class="bold">-i</span> flag is given on the command line) should conform to the LDIF format.
See <a href="rzahyldapdif.htm#rzahyldapdif">LDAP data interchange format (LDIF)</a> for more information about the LDIF format.</p>
<p><span class="bold">Examples</span></p>
<p>Assuming that the file <span>/tmp/entrymods</span> exists and has the following contents: </p>
<pre class="xmp">dn: cn=Modify Me, o=University of Higher Learning, c=US
changetype: modify
replace: mail
mail: modme@student.of.life.edu
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto: /tmp/modme.jpeg
-
delete: description
-
</pre><p class="indatacontent">the command: </p>
<pre class="xmp">ldapmodify -b -r -i /tmp/entrymods </pre><p class="indatacontent"> will replace the contents of the Modify Me entry's mail attribute with
the value modme@student.of.life.edu, add a title of Grand Poobah, and the
contents of the file <span>/tmp/modme.jpeg</span> as
a jpegPhoto, and completely remove the description attribute. These same modifications
can be performed using the older ldapmodify input format: </p>
<pre class="xmp">cn=Modify Me, o=University of Higher Learning, c=US
mail=modme@student.of.life.edu
+title=Grand Poobah
+jpegPhoto=/tmp/modme.jpeg
-description
</pre><p class="indatacontent">and the command: </p>
<pre class="xmp">ldapmodify -b -r -i /tmp/entrymods </pre>
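<p>The following is an added example, not part of the IBM documentation or the ldapmodify utility: a small Python parser that reads the /tmp/entrymods change record in both of the input formats shown above into the same list of modifications, and applies the <span class="bold">-b</span> rule (a value beginning with '/' names a file whose contents are the real value). The <span class="bold">-r</span> switch is mirrored by the <code>replace_default</code> parameter, and <code>read_file</code> is an injectable file reader so the example runs without the jpeg file present. Function and parameter names are this example's own.</p>

```python
"""Parse the two ldapmodify input formats into one (dn, modifications) structure.

Illustrative code written for this page; it is not IBM's ldapmodify implementation.
"""
import base64
from pathlib import Path

# Constructed sample inputs: the /tmp/entrymods contents from the page, in both formats.
LDIF_SAMPLE = """dn: cn=Modify Me, o=University of Higher Learning, c=US
changetype: modify
replace: mail
mail: modme@student.of.life.edu
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto: /tmp/modme.jpeg
-
delete: description
-
"""

OLD_SAMPLE = """cn=Modify Me, o=University of Higher Learning, c=US
mail=modme@student.of.life.edu
+title=Grand Poobah
+jpegPhoto=/tmp/modme.jpeg
-description
"""


def _unfold(text):
    """Join RFC 2849 continuation lines (a leading space continues the previous line)."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        elif line and not line.startswith("#"):
            out.append(line)
    return out


def _split_attr(line):
    """Split 'attr: value' into (attr, value); 'attr:: b64' carries a base64 value."""
    attr, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode("utf-8")
    # Trailing spaces are stripped, as ldapmodify does unless -g is given.
    return attr.strip(), value.strip()


def parse_ldif_modify(text):
    """Parse one LDIF record with changetype: modify.

    Returns (dn, [(op, attr, [values]), ...]) with op in add/replace/delete;
    modification blocks are separated by a line holding only "-".
    """
    lines = _unfold(text)
    attr, dn = _split_attr(lines[0])
    if attr != "dn":
        raise ValueError("record must start with a dn: line")
    if _split_attr(lines[1]) != ("changetype", "modify"):
        raise ValueError("only changetype: modify is handled here")
    mods, current = [], None
    for line in lines[2:]:
        if line == "-":                      # end of one modification block
            if current is not None:
                mods.append(current)
            current = None
            continue
        attr, value = _split_attr(line)
        if current is None:                  # first line of a block: op: attr
            if attr not in ("add", "replace", "delete"):
                raise ValueError(f"unknown modify operation: {attr}")
            current = (attr, value, [])
        else:                                # following lines: attr: value
            if attr != current[1]:
                raise ValueError(f"value for {attr} inside a {current[1]} block")
            current[2].append(value)
    if current is not None:                  # record without a trailing "-"
        mods.append(current)
    return dn, mods


def parse_old_format(text, replace_default=False):
    """Parse the older ldapmodify input format.

    Line 1 is the DN; then 'attr=value' adds (or replaces when run with -r,
    mirrored by replace_default=True), '+attr=value' always adds, and
    '-attr' deletes the whole attribute. Consecutive lines for the same
    operation and attribute are merged into one modification.
    """
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    dn, mods = lines[0].strip(), []
    for line in lines[1:]:
        if line.startswith("-"):
            mods.append(("delete", line[1:].strip(), []))
            continue
        if line.startswith("+"):
            op, body = "add", line[1:]
        else:
            op, body = ("replace" if replace_default else "add"), line
        attr, sep, value = body.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        attr, value = attr.strip(), value.strip()
        if mods and mods[-1][:2] == (op, attr):
            mods[-1][2].append(value)
        else:
            mods.append((op, attr, [value]))
    return dn, mods


def resolve_binary(mods, read_file=lambda path: Path(path).read_bytes()):
    """Apply the -b rule: a string value starting with '/' is replaced by that file's bytes."""
    return [
        (op, attr, [read_file(v) if isinstance(v, str) and v.startswith("/") else v
                    for v in values])
        for op, attr, values in mods
    ]


if __name__ == "__main__":
    dn, mods = parse_ldif_modify(LDIF_SAMPLE)
    print(dn)
    for op, attr, values in mods:
        print(f"  {op:8s} {attr}: {values}")
    print("old format equivalent:", parse_old_format(OLD_SAMPLE, replace_default=True) == (dn, mods))
```

<p>Running the module prints the four modifications of the Modify Me entry and confirms that, with <code>replace_default=True</code> (the old format under <span class="bold">-r</span>), both inputs yield the same structure; without it the unadorned <code>mail=</code> line is an add, which is the difference the <span class="bold">-r</span> switch makes.</p>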
<p>Assuming that the file /tmp/newentry exists and has the following contents: </p>
<pre class="xmp">dn: cn=John Doe, o=University of Higher Learning, c=US
objectClass: person
cn: John Doe
cn: Johnny
sn: Doe
title: the world's most famous mythical person
mail: johndoe@student.of.life.edu
uid: jdoe
</pre><p class="indatacontent"> the command: </p>
<pre class="xmp">ldapadd -i /tmp/newentry</pre><p class="indatacontent">
adds a new entry for John Doe, using the values from the file <span>/tmp/newentry</span>.</p>
<p><span class="bold">Notes</span></p>
<p>If entry information is not supplied from file through the use of the <span class="bold">-i</span> option, the <span class="bold">ldapmodify</span> command will wait to read entries from standard input.</p>
<p><span class="bold">Diagnostics</span></p>
<p>Exit status is 0 if no errors occur. Errors result in a non-zero exit status
and a diagnostic message being written to standard error.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>