Home / server / Questions / 455621
Accepted
Ramesh Kumar
Asked: 2012-12-07 02:19:58 +0800 CST

How to add new attribute to an existing LDAP user objects

  • 772

I want to add mail attribute to the existing ldap users. I think, its possible with using ldapmodify but not sure how. I have done that using phpldapadmin web GUI manually, but I have like more than 100 users and dont want to do that manually for all.

Can anyone please guide me in right direction.

ldap

4 Answers

  1. Best Answer
    $ ldapmodify -H ldap://yourhost -D cn=youradmin,dc=your,dc=domain -x -W
( enter password here )
dn: uid=username,ou=people,dc=your,dc=domain
changetype: modify
add: mail
mail: [email protected]
    • 10

  2. First, I'm going to point you to Section B.4 of the Red Hat Directory Server Administration Guide for a quick tutorial on how to create LDIF files suitable to use with ldapmodify. Create entries for just a couple of your hundred users for a start. This file will help you get the bugs out. Once you're comfortable with the file format, you can create entries for the remaining 100-or-so people. Here's an example of how an individual entry might look:

    dn: cn=Joe Smith,dc=example,dc=com
changetype: modify
add: mail
mail: [email protected]

    The legal values for changetype: are add, modify, delete, and modrdn. If you use changetype: modify, the legal modifications are add:, delete:, and replace:. Section 3.3 will give you examples of how all of those work.

    Then, once you have the file written, you have a couple ways to submit it to your LDAP server. One method is to feed the file directly to the ldapmodify command:

    ldapmodify -x -h $LDAP_HOST -D $LDAP_BINDDN -W -f $FILE

    The -W switch tells ldapmodify to ask for the password for $LDAP_BINDDN at the command line. This means you're not leaving the password to your LDAP server in your shell history file. If you do want to incorporate the password into your ldapmodify command, use -w $PASSWORD, instead. The -f $FILE switch tells ldapmodify which LDIF file to examine for the changes being implemented.

    I don't actually like using the -f $FILE switch. Passing a file to ldapmodify requires 100% confidence that I've correctly written that LDIF file. If I make a mistake, ldapmodify will exit without telling me my error. So, I would use a second method. Use the ldapmodify command I gave as an example, but without that -f $FILE switch. Without that switch, ldapmodify gets its modifications from STDIN. So, I can copy two or three entries from this LDIF file I assembled, and paste them into my shell for ldapmodify to process. I do 2 - 4 entries at a time, and make corrections to the LDIF entries on the fly as I need to. This is slower than passing a perfect LDIF file directly to ldapmodify, but faster than figuring out where I made a typo in that file.

    • 4

  3. For editing LDAP entries directly I prefer to use "ldapvi" which gives you an editor where you can make your changes in a more user-friendly way.

    See http://www.lichteblau.com/ldapvi/

    • 2

  4. Yes, you can use ldapmodify for this. You need to generate LDIF files which contains the change statements and then direct these to your LDAP server with ldapmodify. For more informations, please read man ldapmodify, which also contains examples.

    • 0