Applies a set of add, delete, modify, and/or modify DN operations to a directory server. The changes to apply should be supplied in LDIF format, either via standard input or from a file specified with the 'ldifFile' argument. Change records must be separated by at least one blank line.
ldapmodify --hostname ldap.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --bindPassword password --defaultAdd

ldapmodify --hostname ds1.example.com --port 636 --hostname ds2.example.com \
     --port 636 --useSSL --bindDN uid=admin,dc=example,dc=com \
     --bindPassword password --filename changes.ldif \
     --modifyEntriesMatchingFilter "(objectClass=person)" --searchPageSize 100
-H
--help
Description | Display general usage information |
--help-ldap
Description | Display help for using LDAP options |
--help-sasl
Description | Display help for using SASL options |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-h {host}
--hostname {host}
Description | The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used. |
Default Value | localhost |
Required | Yes |
Multi-Valued | Yes |
-p {port}
--port {port}
Description | The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used. |
Default Value | 389 |
Required | Yes |
Multi-Valued | No |
-D {dn}
--bindDN {dn}
Description | The DN to use to bind to the directory server when performing simple authentication. |
Required | No |
Multi-Valued | No |
-w {password}
--bindPassword {password}
Description | The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
-j {path}
--bindPasswordFile {path}
Description | The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
--promptForBindPassword
Description | Indicates that the tool should interactively prompt the user for the bind password. |
-Z
--useSSL
Description | Use SSL when communicating with the directory server. |
-q
--useStartTLS
Description | Use StartTLS when communicating with the directory server. |
-X
--trustAll
Description | Trust any certificate presented by the directory server. |
-K {path}
--keyStorePath {path}
Description | The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server. |
Required | No |
Multi-Valued | No |
-W {password}
--keyStorePassword {password}
Description | The password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
-u {path}
--keyStorePasswordFile {path}
Description | The path to the file containing the password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
--promptForKeyStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the key store contents. |
--keyStoreFormat {format}
Description | The format (e.g., jks, jceks, pkcs12, etc.) for the key store file. |
Required | No |
Multi-Valued | No |
-P {path}
--trustStorePath {path}
Description | The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server. |
Required | No |
Multi-Valued | No |
-T {password}
--trustStorePassword {password}
Description | The password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
Description | The path to the file containing the password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
--promptForTrustStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents. |
--trustStoreFormat {format}
Description | The format (e.g., jks, jceks, pkcs12, etc.) for the trust store file. |
Required | No |
Multi-Valued | No |
-N {nickname}
--certNickname {nickname}
Description | The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication. |
Required | No |
Multi-Valued | No |
--enableSSLDebugging
Description | Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the "javax.net.debug" property to "all". |
-o {name=value}
--saslOption {name=value}
Description | A name-value pair providing information to use when performing SASL authentication. |
Required | No |
Multi-Valued | Yes |
--useSASLExternal
Description | Use the SASL EXTERNAL mechanism to authenticate. |
--helpSASL
Description | Provide information about the supported SASL mechanisms, including the properties available for use with each. |
-f {path}
--ldifFile {path}
Description | The path to the LDIF file containing the changes to process. If this is not provided, then the changes will be read from standard input. If this argument is provided multiple times to supply multiple LDIF files, then they will be processed in the order they were provided on the command line. |
Required | No |
Multi-Valued | Yes |
--encryptionPassphraseFile {path}
Description | The path to a file that contains the passphrase used to generate the key used to encrypt the LDIF data. If the data is encrypted and this argument is not provided, then the tool will interactively prompt for the correct password. |
Required | No |
Multi-Valued | No |
-i {charset}
--characterSet {charset}
Description | The character set for the LDIF data to be read. If this argument is not provided, a default encoding of UTF-8 will be used. |
Default Value | UTF-8 |
Required | No |
Multi-Valued | No |
-R {path}
--rejectFile {path}
Description | The path to a file to which the tool should write information about any rejected changes. |
Required | No |
Multi-Valued | No |
-v
--verbose
Description | Provide verbose output for operations processed. |
--modifyEntriesMatchingFilter {filter}
Description | Indicates that the changes read from standard input or the specified LDIF file should be applied to all entries that match the specified filter. Only modify operations will be processed when this argument is provided, and the DN of the modify change record will be used as the base DN for the search used to identify the entries to modify. If the filter may match a large number of entries, then it is strongly recommended that the searchPageSize argument be provided to process the search in batches. This argument may be provided multiple times to specify multiple filters to use to search for entries to modify. |
Required | No |
Multi-Valued | No |
--modifyEntriesMatchingFiltersFromFile {path}
Description | Indicates that the changes read from standard input or the specified LDIF file should be applied to all entries that match a filter read from the specified file. Only modify operations will be processed when this argument is provided, and the DN of the modify change record will be used as the base DN for the search used to identify the entries to modify. If any of the filters may match a large number of entries, then it is strongly recommended that the searchPageSize argument be provided to process the search in batches. This argument may be provided multiple times to specify multiple filter files to use to search for entries to modify. |
Required | No |
Multi-Valued | Yes |
--modifyEntryWithDN {dn}
Description | Indicates that the changes read from standard input or the specified LDIF file should be applied to the entry with the specified DN rather than the DN contained in the change record. Only modify operations will be processed when this argument is provided, and it may be provided multiple times to specify the DNs of multiple entries to modify. |
Required | No |
Multi-Valued | Yes |
--modifyEntriesWithDNsFromFile {path}
Description | Indicates that the changes read from standard input or the specified LDIF file should be applied to the entries whose DNs are contained in the specified file rather than the DN contained in the change record. Only modify operations will be processed when this argument is provided, and it may be provided multiple times to specify multiple DN files. |
Required | No |
Multi-Valued | Yes |
--searchPageSize {value}
Description | Specifies the page size to use in conjunction with the simple paged results control when searching for entries to modify based on the filter provided in the --modifyEntriesMatchingFilter or --modifyEntriesMatchingFiltersFromFile argument. If this argument is not provided, then the simple paged results control will not be used. |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
--retryFailedOperations
Description | Indicates that, if an operation fails in a way that indicates the connection to the server may no longer be valid, the tool should automatically create a new connection and re-try the operation before reporting it as a failure. |
-n
--dryRun
Description | Parse the LDIF representations of the changes to apply but don't actually perform any LDAP communication. |
-a
--defaultAdd
Description | Assume that any LDIF change record without a changeType represents an add operation. If this is not provided, then any change record without a changeType will be considered an error. |
-c
--continueOnError
Description | Continue processing changes even if an error is encountered. If this is not provided, then processing will abort after the first failed operation. |
--stripTrailingSpaces
Description | Indicates that the tool should strip any illegal trailing spaces from LDIF records before attempting to process them. If this is not provided, then any LDIF record with one or more illegal trailing spaces will be considered an error. |
--followReferrals
Description | Attempt to follow any referrals encountered while processing changes. If this is not provided, then any referral received will be considered an error. |
-Y {authzID}
--proxyAs {authzID}
Description | Indicates that all requests should include the proxied authorization request control (as described in RFC 4370) to process the operation under an alternate authorization identity. The authorization ID should generally be specified in the form 'dn:' followed by the target user's DN, or 'u:' followed by the username. |
Required | No |
Multi-Valued | No |
--proxyV1As {dn}
Description | Indicates that all requests should include the legacy proxied authorization v1 request control (as described in draft-weltman-ldapv3-proxy-04) to process the operation under an alternate authorization identity, specified as the DN of the desired user. |
Required | No |
Multi-Valued | No |
--useAdministrativeSession
Description | Indicates that the tool should attempt to use an administrative session to process all operations using a dedicated pool of worker threads. This may be useful when trying to diagnose problems in a server that is unresponsive because all normal worker threads are busy processing other requests. |
--operationPurpose {purpose}
Description | Indicates that all operations should include the UnboundID-proprietary 'operation purpose' request control to provide the specified reason for the operation. |
Required | No |
Multi-Valued | No |
--useManageDsaIT
Description | Indicates that all requests should include the manageDsaIT request control to indicate that referral entries should be treated as regular entries. |
--useTransaction
Description | Indicates that the server should create a transaction to process all operations as a single atomic unit. This should generally only be used with a relatively small number of changes, and it is recommended that the changes be supplied in an LDIF file rather than via standard input. |
--multiUpdateErrorBehavior {atomic|abort-on-error|continue-on-error}
Description | Indicates that all add, delete, modify, and modify DN requests should be sent to the server in a single multi-update request with the specified error behavior. The value for this argument must be one of 'atomic' (to indicate that all updates should be processed atomically so that they will either all succeed or all fail), 'abort-on-error' (to indicate that the server should only process changes until the first error is encountered and ignore any remaining changes after that error), or 'continue-on-error' (to indicate that the server should continue attempting to process changes, even after one of them has resulted in a failure). |
Required | No |
Multi-Valued | No |
--assertionFilter {filter}
Description | A filter that will be used in conjunction with the LDAP assertion request control (as described in RFC 4528) to indicate that the server should only apply changes to entries that match this filter. |
Required | No |
Multi-Valued | No |
-E
--authorizationIdentity
Description | Indicates that all bind requests should include the 'authorization identity' request control as defined in RFC 3829. With this control, a successful bind result should include the authorization identity assigned to the connection. |
--generatePassword
Description | Indicates that all add requests should include the 'generate password' request control to request that the server generate a password for the new account. The generated password will be returned in a corresponding response control. |
--getAuthorizationEntryAttribute {attr}
Description | Indicates that all bind requests should include the UnboundID-proprietary 'get authorization entry' request control to request that the server return the specified attribute (or collection of attributes, in the case of a special identifier like '*' to indicate all user attributes or '+' to indicate all operational attributes) from the authenticated user's entry. This argument may be provided multiple times to specify multiple attributes to request. |
Required | No |
Multi-Valued | Yes |
--getBackendSetID
Description | Indicates that all add, delete, modify, and modify DN requests should include the UnboundID-proprietary 'get backend set ID' request control to request that the Directory Proxy Server include a corresponding get backend set ID response control in each operation response, indicating the entry-balancing backend set in which the write was processed. |
--getServerID
Description | Indicates that all add, delete, modify, and modify DN requests should include the UnboundID-proprietary 'get server ID' request control to request that the server include a corresponding get server ID response control in each operation response, indicating the server in which the write was processed. |
--getUserResourceLimits
Description | Indicates that all bind requests should include the UnboundID-proprietary 'get user resource limits' request control to request that the server return information about resource limits (e.g., size limit, time limit, idle time limit, etc.) imposed for the user. |
--ignoreNoUserModification
Description | Indicates that all add requests should include the UnboundID-proprietary 'ignore NO-USER-MODIFICATION' request control to permit setting values for certain operational attributes not normally permitted to be provided by external clients. |
--preReadAttribute {attr}
Description | Indicates that all delete, modify, and modify DN requests should include the pre-read control (as described in RFC 4527) to retrieve the value(s) of the specified attribute as they appear immediately before the operation has been processed. |
Required | No |
Multi-Valued | Yes |
--postReadAttribute {attr}
Description | Indicates that all add, modify, and modify DN requests should include the post-read control (as described in RFC 4527) to retrieve the value(s) of the specified attribute as they appear immediately after the operation has been processed. |
Required | No |
Multi-Valued | Yes |
--routeToBackendSet {entry-balancing-processor-id:backend-set-id}
Description | Specifies the ID of an entry-balancing backend set to which the Directory Proxy Server should send all of the add, delete, modify, and modify DN requests. The value should be formatted as the entry-balancing request processor ID followed by a colon and the desired backend set ID for that entry-balancing request processor. This argument can be provided multiple times to specify multiple backend set IDs for the same or different entry-balancing request processors. The request control will be configured to use absolute routing rather than a routing hint. |
Required | No |
Multi-Valued | Yes |
--routeToServer {id}
Description | Specifies the ID of the backend server to which the Directory Proxy Server should send all add, delete, modify, and modify DN requests. |
Required | No |
Multi-Valued | No |
--useAssuredReplication
Description | Indicates that all operation requests should include the UnboundID-proprietary assured replication request control to indicate that the server should delay returning a response to the client until a minimum amount of replication processing has been performed for the operation. The '--assuredReplicationLocalLevel', '--assuredReplicationRemoteLevel', and '--assuredReplicationTimeout' arguments may be used to configure the settings to use for the assured replication control, but the server will automatically determine an appropriate value for any argument that is not provided. |
--assuredReplicationLocalLevel {level}
Description | Specifies the local assurance level to use for the assured replication request control. This should only be used if the '--useAssuredReplication' argument is provided. The value should be one of none, received-any-server, or processed-all-servers. If assured replication is to be used but this argument is not provided, then the server will automatically determine the local assurance level to use. |
Required | No |
Multi-Valued | No |
--assuredReplicationRemoteLevel {level}
Description | Specifies the remote assurance level to use for the assured replication request control. This should only be used if the '--useAssuredReplication' argument is provided. The value should be one of none, received-any-remote-location, received-all-remote-locations, or processed-all-remote-servers. If assured replication is to be used but this argument is not provided, then the server will automatically determine the remote assurance level to use. |
Required | No |
Multi-Valued | No |
--assuredReplicationTimeout {timeout}
Description | Specifies the timeout to use for assured replication processing. This should only be used if the '--useAssuredReplication' argument is also provided. If assured replication is to be used but this argument is not provided, then the server will automatically determine the timeout to use. |
Required | No |
Multi-Valued | No |
--replicationRepair
Description | Indicates that all operation requests should include the UnboundID-proprietary 'replication repair' request control. This will cause the change to be applied only to the target directory server instance but not to any other server in the replication topology. |
--nameWithEntryUUID
Description | Include the UnboundID-proprietary 'name with entryUUID' request control in all add requests sent to the server to indicate that the server should use the entryUUID operational attribute as the naming attribute for the resulting entry instead of the provided RDN. |
--noOperation
Description | Include the LDAP no-operation control in all add, delete, modify, and modify DN requests sent to the server to indicate that the operation should be validated but no changes should actually be applied. |
--passwordUpdateBehavior {name=value}
Description | Specifies that all add and modify requests should include the password update behavior request control with the specified behavior. Values for this argument must be in the form 'name=value', where the property name can be any of the following: is-self-change, allow-pre-encoded-password, skip-password-validation, ignore-password-history, ignore-minimum-password-age, password-storage-scheme, and must-change-password. The value for each property should be either 'true' or 'false', with the exception of the password-storage-scheme property, whose value should be the name of the desired password storage scheme. This argument can be provided multiple times to specify multiple password update behaviors. |
Required | No |
Multi-Valued | Yes |
--getPasswordValidationDetails
Description | Indicates that all add and modify requests that target either the 'userPassword' or 'authPassword' attribute should include the UnboundID-proprietary password validation details request control to indicate that the response should include information about the password quality requirements that the server will impose for the target user's password and whether the provided password satisfies each of those constraints. |
--permissiveModify
Description | Indicates that all modify operation requests should include the 'permissive modify' request control, which indicates that the server should be more lenient for certain types of changes (e.g., trying to add an attribute value that already exists, or trying to remove a value that does not exist) that would normally cause the modify operation to be rejected. |
--clientSideSubtreeDelete
Description | Indicates that all delete requests should be processed as client-side subtree deletes by searching for all entries below the target entry and then deleting them. |
--serverSideSubtreeDelete
Description | Indicates that all delete requests should be processed as server-side subtree deletes using the 'subtree delete' request control. |
-s
--softDelete
Description | Indicates that all delete requests should include the UnboundID-proprietary 'soft delete' request control, which indicates that the server should hide the entry for a period of time before deleting it so that it may be restored with an undelete operation if the delete should be reverted. |
--hardDelete
Description | Indicates that all delete requests should include the UnboundID-proprietary 'hard delete' request control, which will permanently delete the target entry even if the server would have otherwise performed a soft delete operation to hide the entry for a period of time before deleting it. |
--allowUndelete
Description | Treat any add operation that includes the 'ds-undelete-from-dn' attribute as an undelete operation. Undelete requests may be used to restore a soft-deleted entry, optionally using a different DN than was originally assigned to the entry. The server must be configured to allow soft delete operations, and the requester must have the soft-delete-read privilege. |
--retireCurrentPassword
Description | Indicates that any modify operation that targets either the 'userPassword' or 'authPassword' attribute should include the UnboundID-proprietary retire current password request control. This will indicate that the server should continue to allow the user to authenticate with their current password (in addition to the new password) for a brief period of time. |
--purgeCurrentPassword
Description | Indicates that any modify operation that targets either the 'userPassword' or 'authPassword' attribute should include the UnboundID-proprietary purge current password request control. This will indicate that the server should purge the current password from the entry (even if it would have otherwise been retired for a brief period of time). |
--suppressOperationalAttributeUpdates {attr}
Description | Indicates that all operations should include the UnboundID-proprietary 'suppress operational attribute updates' request control to indicate that the server should not apply any updates to the specified operational attributes. The value may be one of 'last-access-time', 'last-login-time', 'last-login-ip', or 'lastmod'. |
Required | No |
Multi-Valued | Yes |
--suppressReferentialIntegrityUpdates
Description | Indicates that the tool should include the UnboundID-proprietary 'suppress referential integrity updates' request control in all delete and modify DN operations to indicate that the server should not perform any referential integrity processing for those operations. |
--usePasswordPolicyControl
Description | Indicates that all add, bind and modify requests should include the 'password policy' request control (as defined in draft-behera-ldap-password-policy-10) to request that the response include password policy-related information about the target entry. |
--uniquenessAttribute {attr}
Description | Indicates that all add, modify, and modify DN requests should include a uniqueness request control that indicates that the server should attempt to prevent the requested operation from introducing a conflict with the same value in an existing entry. This may be provided multiple times to specify multiple unique attribute types, and in that case the '--uniquenessMultipleAttributeBehavior' argument may be used to specify the behavior to exhibit for conflicts across those attribute types. |
Required | No |
Multi-Valued | Yes |
--uniquenessFilter {filter}
Description | Indicates that all add, modify and modify DN requests should include a uniqueness request control that indicates that the server should attempt to prevent the requested operation from introducing a conflict with other entries matching the provided filter. If the '--uniquenessAttribute' argument is provided, then this filter will be used to narrow the set of potentially conflicting entries to only those that also match this filter. If the '--uniquenessAttribute' argument is not provided, then the server will consider it a conflict if any other entry matches the provided filter. |
Required | No |
Multi-Valued | No |
--uniquenessBaseDN {dn}
Description | Specifies the base DN that should be included in the uniqueness request control. This can only be used if at least one of the '--uniquenessAttribute' or '--uniquenessFilter' arguments is provided. If this is not given, the server will look for uniqueness conflicts within all public naming contexts. |
Required | No |
Multi-Valued | No |
--uniquenessMultipleAttributeBehavior {behavior}
Description | Specifies the behavior that the server should exhibit if multiple unique attribute types are configured. This can only be used if the '--uniquenessAttribute' argument is provided. Allowed values for this argument are 'unique-within-each-attribute' (to indicate that each attribute should be considered separately), 'unique-across-all-attributes-including-in-same-entry' (to indicate that the value of one unique attribute cannot also be present in the value of any other unique attributes, even if the conflicting values are in the same entry), 'unique-across-all-attributes-except-in-same-entry' (to indicate that the value of one unique attribute cannot also be present in the value of any other unique attribute, although the same entry will be permitted to have the same value in multiple attributes), or 'unique-in-combination' (to indicate that no other entry will be permitted to have the same combination of unique attribute values). If this is not specified, then a default of 'unique-within-each-attribute' will be used. |
Required | No |
Multi-Valued | No |
--uniquenessPreCommitValidationLevel {level}
Description | Specifies the level of pre-commit validation that should be used for the uniqueness request control. This can only be used if at least one of the '--uniquenessAttribute' or '--uniquenessFilter' arguments is provided. Allowed values for this argument are 'none' (to indicate that no pre-commit validation should be performed), 'all-subtree-views' (to indicate that a minimum of one pre-commit check should be performed in each applicable subtree view), 'all-backend-sets' (to indicate that a minimum of one pre-commit check should be performed in each entry-balancing backend set), and 'all-available-backend-servers' (to indicate that the pre-commit check should be made in all backend servers available through the Directory Proxy Server). If this is not specified, then a default of 'all-subtree-views' will be used. |
Required | No |
Multi-Valued | No |
--uniquenessPostCommitValidationLevel {level}
Description | Specifies the level of post-commit validation that should be used for the uniqueness request control. This can only be used if at least one of the '--uniquenessAttribute' or '--uniquenessFilter' arguments is provided. Allowed values for this argument are 'none' (to indicate that no post-commit validation should be performed), 'all-subtree-views' (to indicate that a minimum of one post-commit check should be performed in each applicable subtree view), 'all-backend-sets' (to indicate that a minimum of one post-commit check should be performed in each entry-balancing backend set), and 'all-available-backend-servers' (to indicate that the post-commit check should be made in all backend servers available through the Directory Proxy Server). If this is not specified, then a default of 'all-subtree-views' will be used. |
Required | No |
Multi-Valued | No |
-J {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
--control {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Specifies a control that should be included in all add, delete, modify, and modify DN requests sent to the server. |
Required | No |
Multi-Valued | No |
--addControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Specifies a control that should be included in all add requests sent to the server. |
Required | No |
Multi-Valued | No |
--bindControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Specifies a control that should be included in all bind requests used to authenticate to the server. |
Required | No |
Multi-Valued | No |
--deleteControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Specifies a control that should be included in all delete requests sent to the server. |
Required | No |
Multi-Valued | No |
--modifyControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Specifies a control that should be included in all modify requests sent to the server. |
Required | No |
Multi-Valued | No |
--modifyDNControl {oid}[:{criticality}[:{stringValue}|::{base64Value}]]
Description | Specifies a control that should be included in all modify DN requests sent to the server. |
Required | No |
Multi-Valued | No |
-r {num}
--ratePerSecond {num}
Description | Specifies a maximum operation rate that the tool should be permitted to achieve. |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
--version
Description | Display Directory Server version information |
--interactive
Description | Launch the tool in interactive mode. |
--outputFile {path}
Description | Write all standard output and standard error messages to the specified file instead of to the console. |
Required | No |
Multi-Valued | No |
--appendToOutputFile
Description | Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten. |
--teeOutput
Description | Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided. |
--propertiesFilePath {path}
Description | The path to a properties file used to specify default values for arguments not supplied on the command line. |
Required | No |
Multi-Valued | No |
--generatePropertiesFile {path}
Description | Write an empty properties file that may be used to specify default values for arguments. |
Required | No |
Multi-Valued | No |
--noPropertiesFile
Description | Do not obtain any argument values from a properties file. |
--suppressPropertiesFileComment
Description | Suppress output listing the arguments obtained from a properties file. |
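
An added example, not part of the original reference or the tool's own code: a Python pre-flight check that reads an ldapmodify command line and reports argument choices documented above that weaken credential or transport handling (a secret passed inline, --trustAll, a password bind with neither --useSSL nor --useStartTLS) or relax server-side safeguards. The finding codes, the selection of flags to report, and the HARDENED and RISKY samples are assumptions of this example; the first two samples are the page's own example commands.

```python
import shlex

# Inline-secret arguments mapped to the file/prompt alternatives on this page.
INLINE_SECRETS = {
    "-w": "--bindPasswordFile or --promptForBindPassword",
    "--bindPassword": "--bindPasswordFile or --promptForBindPassword",
    "-W": "--keyStorePasswordFile or --promptForKeyStorePassword",
    "--keyStorePassword": "--keyStorePasswordFile or --promptForKeyStorePassword",
    "-T": "--trustStorePasswordFile or --promptForTrustStorePassword",
    "--trustStorePassword": "--trustStorePasswordFile or --promptForTrustStorePassword",
}
TRUST_ALL = {"-X", "--trustAll"}
TLS_ARGS = {"-Z", "--useSSL", "-q", "--useStartTLS"}
SASL_ARGS = {"-o", "--saslOption", "--useSASLExternal"}
BIND_SECRET_ARGS = {"-w", "--bindPassword", "-j", "--bindPasswordFile",
                    "--promptForBindPassword"}
# Assumption: which flags count as "relaxing a safeguard" is this example's choice.
RELAXED = {
    "--ignoreNoUserModification": "sets operational attributes normally closed to clients",
    "--hardDelete": "deletes permanently even where the server would soft-delete",
    "--replicationRepair": "applies the change to the target server only",
    "--suppressReferentialIntegrityUpdates": "skips referential integrity processing",
}
# Property names taken from the --passwordUpdateBehavior description.
PASSWORD_BYPASS = {"allow-pre-encoded-password", "skip-password-validation",
                   "ignore-password-history", "ignore-minimum-password-age"}


def audit(command):
    """Return (code, detail) findings for one ldapmodify command line.

    Only the space-separated 'flag value' form shown on the page is handled.
    """
    tokens = shlex.split(command.replace("\\\n", " "))  # join continuation lines
    findings, seen = [], set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        seen.add(tok)
        if tok in INLINE_SECRETS:
            findings.append(("inline-secret",
                             f"{tok} exposes the value in the process list; "
                             f"use {INLINE_SECRETS[tok]}"))
            i += 1  # skip the secret so it is never inspected or echoed
        elif tok in TRUST_ALL:
            findings.append(("trust-all",
                             f"{tok} accepts any server certificate; "
                             "use --trustStorePath"))
        elif tok in RELAXED:
            findings.append(("relaxed-safeguard", f"{tok} {RELAXED[tok]}"))
        elif tok == "--passwordUpdateBehavior" and i + 1 < len(tokens):
            name, _, value = tokens[i + 1].partition("=")
            if name in PASSWORD_BYPASS and value.lower() == "true":
                findings.append(("password-policy-bypass", f"{name}=true"))
            i += 1  # the name=value pair has been consumed
        i += 1
    # A password bind with no TLS and no SASL mechanism is a cleartext simple bind.
    if seen & BIND_SECRET_ARGS and not seen & TLS_ARGS and not seen & SASL_ARGS:
        findings.append(("cleartext-bind",
                         "bind password sent without --useSSL or --useStartTLS"))
    return findings


def codes(command):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in audit(command)]


# The two example commands from the top of this page.
PAGE_EXAMPLE_1 = ("ldapmodify --hostname ldap.example.com --port 389 "
                  "--bindDN uid=admin,dc=example,dc=com --bindPassword password "
                  "--defaultAdd")
PAGE_EXAMPLE_2 = ("ldapmodify --hostname ds1.example.com --port 636 "
                  "--hostname ds2.example.com --port 636 --useSSL "
                  "--bindDN uid=admin,dc=example,dc=com --bindPassword password "
                  "--filename changes.ldif "
                  '--modifyEntriesMatchingFilter "(objectClass=person)" '
                  "--searchPageSize 100")
# Constructed samples (file paths are placeholders).
HARDENED = ("ldapmodify --hostname ds1.example.com --port 636 --useSSL "
            "--trustStorePath /path/to/truststore "
            "--bindDN uid=admin,dc=example,dc=com "
            "--bindPasswordFile /path/to/bind.pin --ldifFile changes.ldif --dryRun")
RISKY = ("ldapmodify -h ds1.example.com -p 636 -Z -X "
         "-D uid=admin,dc=example,dc=com -j /path/to/bind.pin "
         "--passwordUpdateBehavior skip-password-validation=true "
         "--ignoreNoUserModification -f changes.ldif")

if __name__ == "__main__":
    for label, cmd in [("page example 1", PAGE_EXAMPLE_1),
                       ("page example 2", PAGE_EXAMPLE_2),
                       ("hardened", HARDENED), ("risky", RISKY)]:
        print(label)
        for code, detail in audit(cmd) or [("ok", "no findings")]:
            print(f"  [{code}] {detail}")
```

The check reads flags only; it never connects to a server, and the value following an inline-secret argument is skipped rather than stored or printed.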