5.4. The ldapsearch, ldapdelete and ldapmodify utilities

ldapsearch - ldapsearch is a shell-accessible interface to the ldap_search(3) library call. Use this utility to search for entries on your LDAP database backend.

The synopsis to call ldapsearch is the following (take a look at the ldapsearch man page to see what each option means):


ldapsearch  [-n]  [-u]  [-v]  [-k]  
[-K]  [-t]  [-A] [-B] [-L] 
[-R] [-d debuglevel] [-F sep] [-f file] 
[-x] [-D binddn]  [-W]  [-w bindpasswd]  
[-h ldaphost]  [-p ldapport]   [-b searchbase]   
[-s base|one|sub] 
[-a never|always|search|find] [-l timelimit] 
[-z sizelimit] filter [attrs...] 

ldapsearch opens a connection to an LDAP server, binds, and performs a search using the filter filter. The filter should conform to the string representation for LDAP filters as defined in RFC 1558. If ldapsearch finds one or more entries, the attributes specified by attrs are retrieved and the entries and values are printed to standard output. If no attrs are listed, all attributes are returned.


ldapsearch -x -b 'o=TUDelft,c=NL' 'objectclass=*' 

ldapsearch -b 'o=TUDelft,c=NL' 'cn=Rene van Leuken' 

ldapsearch -u -b 'o=TUDelft,c=NL' 'cn=Luiz Malere' sn mail

The -b option specifies the searchbase (the initial search point), the -u option requests user-friendly output, and the -x option selects simple authentication.

ldapdelete - ldapdelete is a shell-accessible interface to the ldap_delete(3) library call. Use this utility to delete entries on your LDAP database backend.

The synopsis to call ldapdelete is the following (take a look at the ldapdelete man page to see what each option means):


ldapdelete   [-n]   [-v]  [-k]  [-K]  
[-c]  [-d debuglevel]  [-f file]  [-D binddn]  
[-W]  [-w passwd] [-h ldaphost] [-p ldapport] 
[dn]... 

ldapdelete opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more dn arguments are provided, entries with those Distinguished Names are deleted. Each dn should be a string-represented DN as defined in RFC 1779. If no dn arguments are provided, a list of DNs is read from standard input (or from file if the -f flag is used).

Here are some examples of the use of ldapdelete:


ldapdelete 'cn=Luiz Malere,o=TUDelft,c=NL' 

ldapdelete -v 'cn=Rene van Leuken,o=TUDelft,c=NL' -D 'cn=Luiz Malere,o=TUDelft,c=NL' -W 

The -v option stands for verbose mode, the -D option stands for binddn (the DN to authenticate as) and the -W option stands for password prompt (the bind password is asked for interactively instead of being given on the command line with -w).

ldapmodify - ldapmodify is a shell-accessible interface to the ldap_modify(3) and ldap_add(3) library calls. Use this utility to modify entries on your LDAP database backend.

The synopsis to call ldapmodify is the following (take a look at the ldapmodify man page to see what each option means):


ldapmodify   [-a]  [-b]  [-c]  [-r]  
[-n]  [-v]  [-k]  [-d debuglevel]  
[-D binddn]  [-W]  [-w passwd] 
[-h ldaphost] [-p ldapport] [-f file] 

ldapadd [-b] [-c] [-r] [-n] 
[-v]  [-k]  [-K]  [-d debuglevel]  
[-D binddn]  [-w passwd]  [-h ldaphost] 
[-p ldapport] [-f file] 

ldapadd is implemented as a hard link to the ldapmodify tool. When invoked as ldapadd the -a (add new entry) flag of ldapmodify is turned on automatically. ldapmodify opens a connection to an LDAP server, binds, and modifies or adds entries. The entry information is read from standard input or from file through the use of the -f option.

Here are some examples of the use of ldapmodify:

Assuming that the file /tmp/entrymods exists and has the contents:


dn: cn=Modify Me, o=University of Michigan, c=US 
changetype: modify 
replace: mail 
mail: modme@terminator.rs.itd.umich.edu 
- 
add: title 
title: Grand Poobah 
- 
add: jpegPhoto 
jpegPhoto: /tmp/modme.jpeg 
- 
delete: description 
- 

The command:

ldapmodify -b -r -f /tmp/entrymods 

will replace the contents of the "Modify Me" entry's mail attribute with the value "modme@terminator.rs.itd.umich.edu", add a title of "Grand Poobah", add the contents of the file /tmp/modme.jpeg as a jpegPhoto, and completely remove the description attribute.

The same modifications as above can be performed using the older ldapmodify input format:


cn=Modify Me, o=University of Michigan, c=US 
mail=modme@terminator.rs.itd.umich.edu 
+title=Grand Poobah 
+jpegPhoto=/tmp/modme.jpeg 
-description 

combined with the command below:

ldapmodify -b -r -f /tmp/entrymods 
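As an added example (not part of the HOWTO), here is a small Python parser that reads both ldapmodify input formats shown above and produces the same list of change operations, which is the equivalence the text claims; the sample inputs are shortened, constructed copies of the two /tmp/entrymods listings (the jpegPhoto change is omitted), and the replace flag models the -r option.

```python
# Added example (not from the HOWTO): parse both ldapmodify input formats above
# into one change list. Samples are shortened copies of /tmp/entrymods (no jpegPhoto).
LDIF_MODS = """\
dn: cn=Modify Me, o=University of Michigan, c=US
changetype: modify
replace: mail
mail: modme@terminator.rs.itd.umich.edu
-
add: title
title: Grand Poobah
-
delete: description
-
"""
OLD_MODS = """\
cn=Modify Me, o=University of Michigan, c=US
mail=modme@terminator.rs.itd.umich.edu
+title=Grand Poobah
-description
"""

def parse_ldif_modify(text):
    # One 'changetype: modify' record; every change must be closed by a '-' line.
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if lines[1] != "changetype: modify":
        raise ValueError("not a modify record")
    ops, cur = [], None
    for line in lines[2:]:
        key, _, value = line.partition(":")
        if line == "-" and cur:               # '-' closes the open change
            ops.append(cur)
            cur = None
        elif key in ("add", "replace", "delete"):
            cur = (key, value.strip(), [])
        elif cur and key == cur[1]:
            cur[2].append(value.strip())      # value line for the open change
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return lines[0].partition(":")[2].strip(), ops

def parse_old_format(text, replace):
    # Older format: DN line, then attr=value lines ('+' adds, '-' deletes,
    # a bare attr=value replaces under -r, i.e. replace=True, and adds otherwise).
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    ops = []
    for line in lines[1:]:
        attr, _, value = line.lstrip("+-").partition("=")
        op = "delete" if line[0] == "-" else "add" if line[0] == "+" or not replace else "replace"
        ops.append((op, attr, [value] if value else []))
    return lines[0], ops
```

Running both parsers on the two listings yields identical (dn, changes) results only when replace=True, which is why the old-format command needs -r to match the LDIF version.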

Assuming that the file /tmp/newentry exists and has the contents:


dn: cn=Barbara Jensen, o=University of Michigan, c=US 
objectClass: person 
cn: Barbara Jensen 
cn: Babs Jensen 
sn: Jensen 
title: the world's most famous manager 
mail: bjensen@terminator.rs.itd.umich.edu 
uid: bjensen 

The command:

ldapadd -f /tmp/newentry

will add the entry with dn: cn=Barbara Jensen, o=University of Michigan, c=US if it's not already present. If an entry with this dn already exists, the command will point out the error and will not overwrite the entry.

Assuming that the file /tmp/newentry exists and has the contents:


dn: cn=Barbara Jensen, o=University of Michigan, c=US 
changetype: delete 

The command:

ldapmodify -f /tmp/newentry

will remove Babs Jensen's entry.

The -f option stands for file (read the modification information from a file instead of standard input), the -b option stands for binary (any value starting with a '/' in the input file is interpreted as the path of a file whose contents are used as the binary value), and the -r option stands for replace (replace existing values by default).