12.6. Correcting Directory Entries

Users changed, or you made a mistake, so you want to change an existing directory entry. How do you do this?

One way is using ldapmodify. You'll need to create a new LDIF file in a special format. This example adds a title, changes the email address, and adds a photograph:

	##/etc/ldap/modfile.ldif
	dn: cn=Terry Hanson,ou=people,dc=alrac,dc=net
	changetype:modify
	add:title
	title:Fire Marshal
	-
	replace:mail
	mail:terry@wolfgrrl.com
	-
	add: jpegphoto
	jpegphoto:< file:///filename.jpg

Next, use the LDIF file this way:

	# ldapmodify -x -D "cn=admin,dc=alrac,dc=net" -W -f modfile.ldif
	Enter LDAP Password:
	modifying entry "cn=Terry Hanson,ou=people,dc=alrac,dc=net"

Then, verify it with ldapsearch:

	$ ldapsearch -xtb 'dc=alrac,dc=net' 'cn=terry hanson'
	[...]
	# Terry Hanson, people, alrac.net
	dn: cn=Terry Hanson,ou=people,dc=alrac,dc=net
	objectClass: inetOrgPerson
	cn: Terry Hanson
	sn: Hanson
	uid: thanson
	telephoneNumber: 333.444.4545
	homePhone: 222-333-5555
	description: burning down the house
	title: Fire Marshal
	mail: terry@wolfgrrl.com
	jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-Sx11P8
	[...]

For changes to a small number of entries, a graphical LDAP browser (see Recipe 12.10) is usually faster and easier. LDIF files are usually faster for bulk changes, and for anyone comfortable with scripting.

Note the new -t option to ldapsearch. This tells ldapsearch to store photos, audio files, or other noncharacter data in temporary files. If you don't use it, the raw base-64 data is dumped to your terminal, like this:

	fdtvWuJG2BwGFzjms1d7eTubLmBp5EFktAAPZfvNUzNVthoyz6sMbkgtSAd6dj3mqudjOCW6QxUAItBmSbQw 
	638J7W+NQArNTIZ4wNQbkdXh3sATNVnpSns2yveXHeYU5+1o46yelp6pu02LGcYBKimkNyRuq/j+/QUGJBp 
	3mdwf3q2PTbca2gFkCkkKVRixIltTMw4m3+91vTmZYaGy5Ktbxnq0

When you're adding a JPEG photograph, the file must exist and be readable, or ldapmodify will fail with the message ldapmodify: invalid format. That is a long way from "I can't find the file," but that's what it means. JPEGs are stored in the database in base-64 MIME encoding. If you're going to include ID photographs of people, keep them small in both pixel dimensions and file size, or they're going to look strange in your LDAP clients.

OpenLDAP is finicky about the format and syntax of a changefile. Start with the DN to identify the entry, then the keyword changetype followed by the type of change: add, modify, modrdn, or delete. Deleting an entry requires only two lines:

	dn: cn=Terry Hanson,ou=people,dc=alrac,dc=net
	changetype:delete

The syntax for the jpegPhoto and audio attributes is fussy:

	jpegphoto:< file:///filename.jpg

There must be no space between the colon and the <, and then exactly one space before the URL. The URL is file:// followed by the absolute path of the file, so an absolute path such as /filename.jpg gives three slashes in a row.
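The two rules above (no space before the <, and file:// plus an absolute path) and the "file must exist" caveat from earlier are easy to get wrong in a hand-written change file, and ldapmodify's "invalid format" message does not say which line is at fault. The following pre-flight checker is an added example written for this section, not code from the book or from OpenLDAP. It scans an LDIF change file for :< values and reports each line that would be rejected or silently stored as literal text; the sample LDIF and the /tmp paths in it are constructed, and file_exists is injectable so the check can run without real files.

```python
import os
import re
from urllib.parse import urlparse, unquote

# A correctly written file-URL value: attribute name, ':<' with no space before
# the '<', optional spaces, then the URL.
GOOD_URL_LINE = re.compile(r"^(?P<attr>[A-Za-z][\w;.-]*):<\s*(?P<url>\S+)\s*$")

# The common slip: a space between ':' and '<'. LDIF reads that as an ordinary
# text value beginning with '<', so the file is never opened.
BAD_SPACE_LINE = re.compile(r"^[A-Za-z][\w;.-]*:\s+<")


def check_file_urls(ldif_text, file_exists=os.path.isfile):
    """Return (line_number, message) for every ':<' value in the LDIF text that
    ldapmodify would reject or silently misread. file_exists is injectable so
    the check can be run against constructed paths (hypothetical helper)."""
    problems = []
    for no, line in enumerate(ldif_text.splitlines(), 1):
        if BAD_SPACE_LINE.match(line):
            problems.append((no, "space between ':' and '<': stored as text, file not read"))
            continue
        m = GOOD_URL_LINE.match(line)
        if not m:
            continue
        url = urlparse(m.group("url"))
        if url.scheme != "file":
            problems.append((no, f"unexpected scheme '{url.scheme}': use a file: URL"))
            continue
        path = unquote(url.path)
        # file://thanson.jpg parses as host 'thanson.jpg' with an empty path:
        # the URL must be file:// followed by an absolute path (three slashes).
        if url.netloc or not path.startswith("/"):
            problems.append((no, "use file:// followed by an absolute path (file:///abs/path)"))
            continue
        if not file_exists(path):
            problems.append((no, f"{path} does not exist; ldapmodify reports 'invalid format'"))
    return problems


# Constructed change file: one correct line followed by the three mistakes.
SAMPLE_LDIF = """\
dn: cn=Terry Hanson,ou=people,dc=alrac,dc=net
changetype: modify
add: jpegPhoto
jpegPhoto:< file:///tmp/thanson.jpg
-
add: audio
audio: < file:///tmp/thanson.wav
-
add: jpegPhoto
jpegPhoto:< file://thanson.jpg
-
add: jpegPhoto
jpegPhoto:< file:///tmp/nothere.jpg
"""


def demo():
    """Run the checker with a stand-in file_exists: only /tmp/thanson.jpg 'exists'."""
    return check_file_urls(SAMPLE_LDIF, file_exists=lambda p: p == "/tmp/thanson.jpg")


if __name__ == "__main__":
    for no, msg in demo():
        print(f"line {no}: {msg}")
```

Run it against a real file with the default file_exists before calling ldapmodify -f; an empty result means every :< value points at a readable, absolutely addressed file. The checker only inspects :< lines; it does not validate the rest of the change record.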

When you're modifying an existing entry, your possible keywords are add, replace, or delete. replace is all-or-nothing; for example, if the entry has three email addresses, and your LDIF file contains:

	replace: mail
	mail: thanson@foosite.com

it will delete the three old addresses and then add the one new one.

delete can be all-or-nothing, or selective. If your entry has three homePhone attributes, and you use:

	delete: homephone

then all three will be deleted. To delete a single value of the attribute, name the value:

	delete: homephone
	homePhone: 222-333-5555
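To make the add, replace and delete semantics described above (and the modfile at the start of the recipe) concrete, here is an added example, written for this section and not taken from the book or from OpenLDAP. It parses one changetype: modify record and applies it to an in-memory copy of an entry, following the server's rules: replace is all-or-nothing, delete without values removes the whole attribute, delete with values removes only those values, and adding a value that already exists or deleting one that does not is an error (the LDAP result codes attributeOrValueExists and noSuchAttribute). The entry and the extra mail and homePhone values are constructed; values are compared as exact strings, so the case-insensitive matching rules many real attributes use are not modelled.

```python
import base64


def parse_modify_record(ldif_text):
    """Parse a single LDIF change record with changetype: modify.
    Returns (dn, changes); changes is a list of (op, attribute, [values]) with
    op in add/replace/delete, in file order. Attribute names are lowercased."""
    dn, changetype, changes, current = None, None, [], None
    for raw in ldif_text.splitlines():
        line = raw.rstrip("\r")
        if not line or line.startswith("#"):
            continue
        if line == "-":                     # '-' closes one modification block
            if current:
                changes.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        if value.startswith(":"):           # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:                               # plain value or 'attr:< file:///...' URL
            value = value.strip()
        name_l = name.strip().lower()
        if name_l == "dn":
            dn = value
        elif name_l == "changetype":
            changetype = value.lower()
        elif name_l in ("add", "replace", "delete") and current is None:
            current = (name_l, value.lower(), [])
        elif current is not None and name_l == current[1]:
            current[2].append(value)
        else:
            raise ValueError(f"unexpected line in modify record: {raw!r}")
    if current:
        changes.append(current)
    if changetype != "modify":
        raise ValueError("not a changetype: modify record")
    return dn, changes


def apply_modify(entry, changes):
    """Apply parsed modifications to a copy of entry ({attr: [values]}) using
    the server's semantics. Raises ValueError where the server would reject."""
    entry = {k.lower(): list(v) for k, v in entry.items()}
    for op, attr, values in changes:
        current = entry.get(attr, [])
        if op == "add":
            for v in values:
                if v in current:
                    raise ValueError(f"{attr}: {v!r} already present (attributeOrValueExists)")
            entry[attr] = current + values
        elif op == "replace":             # all-or-nothing: old values are gone
            if values:
                entry[attr] = list(values)
            else:
                entry.pop(attr, None)       # replace with no values removes the attribute
        elif op == "delete":
            if not values:                  # no values: delete the whole attribute
                if attr not in entry:
                    raise ValueError(f"{attr}: no such attribute (noSuchAttribute)")
                del entry[attr]
            else:                           # selective: only the named values
                for v in values:
                    if v not in current:
                        raise ValueError(f"{attr}: {v!r} not present (noSuchAttribute)")
                    current.remove(v)
                if current:
                    entry[attr] = current
                else:
                    del entry[attr]
    return entry


# Constructed sample entry: the recipe's Terry Hanson with extra mail and homePhone values.
ENTRY = {
    "cn": ["Terry Hanson"], "sn": ["Hanson"], "uid": ["thanson"],
    "mail": ["terry@alrac.net", "terry@foosite.com", "thanson@example.com"],
    "homePhone": ["222-333-5555", "222-333-6666", "222-333-7777"],
}

# Constructed change record combining the three operations discussed above.
CHANGES = """\
dn: cn=Terry Hanson,ou=people,dc=alrac,dc=net
changetype: modify
add: title
title: Fire Marshal
-
replace: mail
mail: thanson@foosite.com
-
delete: homePhone
homePhone: 222-333-5555
"""


def demo():
    """Apply CHANGES to ENTRY and return the resulting entry."""
    _dn, changes = parse_modify_record(CHANGES)
    return apply_modify(ENTRY, changes)


if __name__ == "__main__":
    for attr, values in sorted(demo().items()):
        print(attr, values)
```

After demo() runs, mail holds only thanson@foosite.com (the three old addresses are gone), homePhone keeps the two values that were not named, and title has been added. Feed the parser a record with delete: homePhone and no value line to see the whole attribute disappear. Continuation lines (a leading space) are not folded here, so keep values on one line.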