How to add a new attribute to existing LDAP user objects
I want to add the mail attribute to existing LDAP users. I think it's possible using ldapmodify, but I'm not sure how. I have done that manually using the phpldapadmin web GUI, but I have more than 100 users and don't want to do that manually for all of them.
Can anyone please guide me in the right direction?
Solution 1:
$ ldapmodify -H ldap://yourhost -D cn=youradmin,dc=your,dc=domain -x -W
( enter password here )
dn: uid=username,ou=people,dc=your,dc=domain
changetype: modify
add: mail
mail: [email protected]
Solution 2:
First, I'm going to point you to Section B.4 of the Red Hat Directory Server Administration Guide for a quick tutorial on how to create LDIF files suitable to use with ldapmodify. Create entries for just a couple of your hundred users for a start. This file will help you get the bugs out. Once you're comfortable with the file format, you can create entries for the remaining 100-or-so people. Here's an example of how an individual entry might look:
dn: cn=Joe Smith,dc=example,dc=com
changetype: modify
add: mail
mail: [email protected]
The legal values for changetype: are add, modify, delete, and modrdn. If you use changetype: modify, the legal modifications are add:, delete:, and replace:. Section 3.3 will give you examples of how all of those work.
Then, once you have the file written, you have a couple of ways to submit it to your LDAP server. One method is to feed the file directly to the ldapmodify command:
ldapmodify -x -h $LDAP_HOST -D $LDAP_BINDDN -W -f $FILE
The -W switch tells ldapmodify to ask for the password for $LDAP_BINDDN at the command line. This means you're not leaving the password to your LDAP server in your shell history file. If you do want to incorporate the password into your ldapmodify command, use -w $PASSWORD, instead. The -f $FILE switch tells ldapmodify which LDIF file to examine for the changes being implemented.
I don't actually like using the -f $FILE switch. Passing a file to ldapmodify requires 100% confidence that I've correctly written that LDIF file. If I make a mistake, ldapmodify will exit without telling me my error. So, I would use a second method. Use the ldapmodify command I gave as an example, but without that -f $FILE switch. Without that switch, ldapmodify gets its modifications from STDIN. So, I can copy two or three entries from this LDIF file I assembled, and paste them into my shell for ldapmodify to process. I do 2 - 4 entries at a time, and make corrections to the LDIF entries on the fly as I need to. This is slower than passing a perfect LDIF file directly to ldapmodify, but faster than figuring out where I made a typo in that file.
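For the 100-plus users in the question, the LDIF can be generated from a list instead of typed by hand. The following is an added example, not part of the original answers: it builds one modify record per (uid, mail) pair and refuses any value that would change the structure of the LDIF or the DN. The base DN is taken from Solution 1; the uid and mail patterns and the sample users are assumptions made for illustration.

```python
import base64
import re
import sys

BASE_DN = "ou=people,dc=your,dc=domain"  # assumption: DN layout from Solution 1
UID_RE = re.compile(r"[A-Za-z0-9._-]+")  # assumption: conservative uid policy
MAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed sample input: (uid, mail) pairs, two valid and two malformed.
USERS = [
    ("jsmith", "jsmith@example.com"),
    ("mjones", "mjones@example.com"),
    ("evil", "x@example.com\nchangetype: delete"),  # embedded newline
    ("a,ou=admins", "a@example.com"),  # DN separator inside the uid
]

def ldif_attr(name, value):
    """Return one LDIF line, base64-encoding anything outside RFC 2849 SAFE-STRING."""
    safe = (
        value.isascii()
        and not any(c in value for c in "\x00\r\n")
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_ldif(users):
    """Return (ldif_text, rejected) for an iterable of (uid, mail) pairs."""
    records, rejected = [], []
    for uid, mail in users:
        if not UID_RE.fullmatch(uid) or not MAIL_RE.fullmatch(mail):
            rejected.append((uid, mail))  # never written into the LDIF
            continue
        records.append("\n".join([
            ldif_attr("dn", f"uid={uid},{BASE_DN}"),
            "changetype: modify",
            "add: mail",
            ldif_attr("mail", mail),
            "-",  # RFC 2849 terminator for each modification
        ]))
    return "\n\n".join(records) + "\n", rejected

if __name__ == "__main__":
    ldif, rejected = build_ldif(USERS)
    sys.stdout.write(ldif)
    for row in rejected:
        print("rejected:", repr(row), file=sys.stderr)
```

Redirect the script's standard output to a file and submit it with the -f $FILE switch shown above; rejected rows go to standard error so they never reach the LDIF. With OpenLDAP's ldapmodify, adding -n shows what would be changed without modifying any entry.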
Solution 3:
For editing LDAP entries directly I prefer to use "ldapvi" which gives you an editor where you can make your changes in a more user-friendly way.
See http://www.lichteblau.com/ldapvi/