DBA Tips Archive for Oracle

  


Using LDAP Command-Line Tools

by Jeff Hunter, Sr. Database Administrator


Contents

  1. Overview
  2. Adding an Entry
  3. Searching for an Entry
  4. Modifying an Entry
  5. Deleting an Entry
  6. Modify RDN / DN Operations


Overview

The installation of Oracle Internet Directory will include several command-line tools that can be useful for searching and modifying entries within your LDAP directory. Some of these utilities include:

For the purpose of this document, I will be providing examples of how to add, search, modify, and delete an LDAP entry. The directory context (the root of the directory tree) I will be using for these examples is o=airius.com. For details on configuring your LDAP directory with the airius.com examples, see my article on: Importing airiusplus.ldif into Oracle Internet Directory.

Adding an Entry
In this section, I will be adding an entry to an LDAP directory using the ldapadd command.

Creating an LDIF File

Create an LDIF file (as shown below) named melody.ldif:

dn: uid=mhunter, ou=People, o=airius.com
givenname: Melody
telephonenumber: +1 412 555 8234
sn: Hunter
userpassword: {MD4}yLYn5mv9vZ1kq/hHfuiFCg==
ou: Human Resources
ou: People
l: Butler
roomnumber: 1213
manager: uid=jhunter, ou=People, o=airius.com
mail: mhunter@airius.com
facsimiletelephonenumber: +1 412 555 8235
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: mhunter
cn: Melody Hunter
title: VP, Operations

Assuming the host for the directory server is named alex and running on port 389, you can use the following to add the above entry:

# ldapadd -v -D "cn=orcladmin" -w "welcome" -p 389 -h alex -f melody.ldif
add givenname:
        Melody
add telephonenumber:
        +1 412 555 8234
add sn:
        Hunter
add userpassword:
        {MD4}yLYn5mv9vZ1kq/hHfuiFCg==
add ou:
        Human Resources
        People
add l:
        Butler
add roomnumber:
        1213
add manager:
        uid=jhunter, ou=People, o=airius.com
add mail:
        mhunter@airius.com
add facsimiletelephonenumber:
        +1 412 555 8235
add objectclass:
        top
        person
        organizationalPerson
        inetOrgPerson
add uid:
        mhunter
add cn:
        Melody Hunter
add title:
        VP, Operations
adding new entry uid=mhunter, ou=People, o=airius.com
modify complete

Using a Here Document

You can also run ldapadd without first creating the file, by feeding the LDIF to it as a here document:
# ldapadd -D "cn=orcladmin" -w "welcome" -p 389 -h alex <<EOF
> dn: uid=mhunter, ou=People, o=airius.com
> givenname: Melody
> telephonenumber: +1 412 555 8234
> sn: Hunter
> userpassword: {MD4}yLYn5mv9vZ1kq/hHfuiFCg==
> ou: Human Resources
> ou: People
> l: Butler
> roomnumber: 1213
> manager: uid=jhunter, ou=People, o=airius.com
> mail: mhunter@airius.com
> facsimiletelephonenumber: +1 412 555 8235
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> uid: mhunter
> cn: Melody Hunter
> title: VP, Operations
> EOF

adding new entry uid=mhunter, ou=People, o=airius.com

NOTE: Keep the following in mind when attempting to add an entry to your LDAP directory:
  • You cannot supply operational attributes (for example orclguid, creatorsname, modifiersname, createtimestamp, modifytimestamp, pwdchangedtime) when adding an entry; the directory server maintains these itself.

  • The -v command-line option specifies verbose mode, which means the command prints detailed output for each attribute it adds.

  • You cannot add a new entry (other than a first-level entry) without an existing parent. Attempting to do so will result in an error. If I try to add, for example, an entry under ou=People2, o=airius.com (which does not exist), I will get the following error:
    adding new entry uid=mhunter, ou=People2, o=airius.com
    ldap_add_s: No such object

Searching for an Entry
Now that we have successfully added an entry, I want to search for it. For this, we can use the command-line tool ldapsearch. Here is the general syntax of the ldapsearch command included with Oracle Internet Directory:
ldapsearch [options] filter [attributes...]


In the following query, I want to search for the entry we just added and include all of the attributes:

# ldapsearch -v -D "cn=orcladmin" -w "welcome" -h alex -p 389 -s sub -b "o=airius.com" "uid=mhunter"
ldap_init( alex, 389 )
filter pattern: uid=mhunter
returning: ALL
filter is: (uid=mhunter)
uid=mhunter, ou=People, o=airius.com
givenname=Melody
telephonenumber=+1 412 555 8234
sn=Hunter
userpassword={MD4}yLYn5mv9vZ1kq/hHfuiFCg==
ou=Human Resources
ou=People
l=Butler
roomnumber=1213
manager=uid=jhunter, ou=People, o=airius.com
mail=mhunter@airius.com
facsimiletelephonenumber=+1 412 555 8235
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=inetOrgPerson
uid=mhunter
cn=Melody Hunter
title=VP, Operations
1 matches


Now, I want to perform the same search, but this time without the verbose option (-v) and returning only a few of the attributes:

# ldapsearch -D "cn=orcladmin" -w "welcome" -h alex -p 389 -s sub -b "o=airius.com" "uid=mhunter" dn cn uid
uid=mhunter, ou=People, o=airius.com
cn=Melody Hunter
uid=mhunter


For this search, I want to limit the number of entries returned. To do this, I can use the -z (size limit) parameter. If I were to search for all entries whose common name (cn) begins with Jeff, I would get 4 records. For this example, I want to limit the search to only two records:

# ldapsearch -D "cn=orcladmin" -w "welcome" -h alex -p 389 -s sub -b "o=airius.com" -z 2 "cn=Jeff*" dn cn uid
uid=jcampai2, ou=People, o=airius.com
cn=Jeffrey Campaigne
uid=jcampai2

uid=jmuffly, ou=People, o=airius.com
cn=Jeff Muffly
uid=jmuffly
ldap_search: Sizelimit exceeded
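The filters above (uid=mhunter, cn=Jeff*) are typed by the administrator, but scripts often build the filter from a value somebody else supplied, such as a login name from a form. The characters ( ) * and \ are filter syntax under RFC 4515 and have to be hex-escaped before such a value is interpolated, otherwise the value can alter what the search matches. The following is an added example and is not part of the original article or of the Oracle tools; the function names, the constructed input values, and the printed-only search command (the bind password option is left out so it is not echoed) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: escaping values before they
# are placed in an ldapsearch filter (RFC 4515, section 3). When the value
# comes from a user, the characters ( ) * \ would otherwise be read as filter
# syntax. Function names and sample values are constructed for this example.

ldap_filter_escape() {
    # Replace each RFC 4515 special character in $1 with its \XX hex form.
    # Backslash is handled in the same pass, so nothing is double-escaped.
    _in=$1
    _out=''
    while [ -n "$_in" ]; do
        _c=${_in%"${_in#?}"}      # first character of what is left
        _in=${_in#?}              # drop it
        case $_c in
            '\') _out="${_out}\\5c" ;;
            '*') _out="${_out}\\2a" ;;
            '(') _out="${_out}\\28" ;;
            ')') _out="${_out}\\29" ;;
            *)   _out="${_out}${_c}" ;;
        esac
    done
    printf '%s' "$_out"
}

uid_filter() {
    # Exact-match filter on uid for an untrusted value. A literal '*' in the
    # input becomes \2a, so it matches an asterisk rather than acting as a wildcard.
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

cn_prefix_filter() {
    # Prefix search like the article's cn=Jeff*: the wildcard is added by the
    # script itself, only the supplied prefix is escaped.
    printf '(cn=%s*)' "$(ldap_filter_escape "$1")"
}

search_command() {
    # Print (do not run) the ldapsearch invocation used in the article, with the
    # escaped filter passed as one quoted argument. $1: filter, $2..: attributes.
    # The -w password option is deliberately not included in the printed line.
    _f=$1; shift
    printf 'ldapsearch -D "cn=orcladmin" -h alex -p 389 -s sub -b "o=airius.com" "%s" %s\n' "$_f" "$*"
}

# Demonstration with constructed input. The second value contains parentheses
# and an asterisk; after escaping they are matched literally instead of being
# interpreted as filter syntax.
search_command "$(uid_filter 'mhunter')" dn cn uid
search_command "$(uid_filter '*)(uid=*')" dn cn uid
search_command "$(cn_prefix_filter 'Jeff')" dn cn uid
```

The escaping is done character by character in plain POSIX sh so it works in the same shell the article's commands are typed into; the output of uid_filter is what you pass in place of "uid=mhunter" on the ldapsearch line above.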

Modifying an Entry
The Oracle Internet Directory includes the ldapmodify utility that, like its name suggests, is used to modify entries stored within the LDAP directory. Although a book could be written on just using the ldapmodify command, I will provide a few examples that will give you a feel for how this command can be used.


To start off, here is an example that adds an optional attribute to the entry we added in the ldapadd example above. Let's add the departmentNumber attribute by first creating an LDIF file (shown below) named melody_modify.ldif:

dn: uid=mhunter, ou=People, o=airius.com
changetype: modify
add: departmentNumber
departmentNumber: HR-342

Assuming the host for the directory server is named alex and running on port 389, you can use the following to modify the above entry in order to add the departmentNumber attribute:

# ldapmodify -D "cn=orcladmin" -w "welcome" -p 389 -h alex -f melody_modify.ldif
modifying entry uid=mhunter, ou=People, o=airius.com


Now let's use the delete option of ldapmodify to remove the optional attribute we just added, departmentNumber. Just like above, we create an LDIF file named melody_modify.ldif and run the ldapmodify command as follows:

dn: uid=mhunter, ou=People, o=airius.com
changetype: modify
delete: departmentNumber

# ldapmodify -D "cn=orcladmin" -w "welcome" -p 389 -h alex -f melody_modify.ldif
modifying entry uid=mhunter, ou=People, o=airius.com


For a last example, let's use the replace option of the ldapmodify command. For this example, I want to change the title from "VP, Operations" to "VP, Human Resources" as follows:

dn: uid=mhunter, ou=People, o=airius.com
changetype: modify
replace: title
title: VP, Human Resources

# ldapmodify -D "cn=orcladmin" -w "welcome" -p 389 -h alex -f melody_modify.ldif
modifying entry uid=mhunter, ou=People, o=airius.com
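The LDIF files in the ldapadd section and in the three ldapmodify examples above were written by hand. When a script builds them from variables, the values have to follow the RFC 2849 encoding rules: a value that starts with a space, a colon or '<', or that contains a newline or a byte outside printable ASCII, must go on a "name:: base64" line. Otherwise a value taken from a form or a ticket that happens to contain a newline would be read as a second "attribute: value" line of the record. The following is an added example covering both the add and the modify records; it is not part of the original article or of Oracle Internet Directory, and the function names and sample values are constructed for it.

```shell
#!/bin/sh
# Added example, not from the original article: building ldapadd / ldapmodify
# LDIF from shell variables while honoring the RFC 2849 encoding rules.
# Function names and the sample values below are constructed for this example.

LC_ALL=C; export LC_ALL    # make [[:print:]] mean exactly 0x20-0x7E

ldif_needs_base64() {
    # Return 0 (true) when $1 is not a SAFE-STRING in the sense of RFC 2849.
    case $1 in
        ' '*|':'*|'<'*) return 0 ;;          # unsafe leading character
        *[![:print:]]*) return 0 ;;           # newline, tab, non-ASCII, control
    esac
    return 1
}

ldif_attr() {
    # Emit one "name: value" line, switching to "name:: base64" when needed.
    if ldif_needs_base64 "$2"; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

ldif_add_entry() {
    # $1: DN; remaining arguments: name=value pairs (repeat a name for a
    # multi-valued attribute such as ou). Only the first '=' splits the pair,
    # so DN-valued attributes like manager=uid=jhunter,... stay intact.
    _dn=$1; shift
    ldif_attr dn "$_dn"
    for _pair in "$@"; do
        ldif_attr "${_pair%%=*}" "${_pair#*=}"
    done
}

ldif_modify() {
    # $1: DN, $2: add|delete|replace, $3: attribute, $4 (optional): value.
    # The trailing "-" line closes the modification as RFC 2849 specifies;
    # the article's hand-written files omit it for a single modification.
    ldif_attr dn "$1"
    printf 'changetype: modify\n%s: %s\n' "$2" "$3"
    if [ $# -ge 4 ]; then ldif_attr "$3" "$4"; fi
    printf '%s\n' -
}

# Demonstration with constructed values. The output can be piped to ldapadd
# or ldapmodify exactly as the article does with its here document, e.g.
#   ldif_add_entry ... | ldapadd -D "cn=orcladmin" -p 389 -h alex
ldif_add_entry 'uid=mhunter, ou=People, o=airius.com' \
    objectclass=top objectclass=person objectclass=organizationalPerson \
    objectclass=inetOrgPerson uid=mhunter cn='Melody Hunter' sn=Hunter \
    'manager=uid=jhunter, ou=People, o=airius.com' title='VP, Operations'
echo
ldif_modify 'uid=mhunter, ou=People, o=airius.com' replace title 'VP, Human Resources'
```

With a value such as "Melody Hunter" the output is identical to the article's files; with a value containing a newline, ldif_attr emits a single base64 line, so the record still has exactly the attributes the caller intended.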

Deleting an Entry
One of the last types of operation you would typically perform on an LDAP entry is deleting it. This is where the ldapdelete command-line tool comes in handy. Keep in mind, however, that you can only delete leaf entries (entries with no children). If you try to delete a non-leaf entry, the operation will fail. Let's now delete the entry we created in the ldapadd section of this document:

# ldapdelete -D "cn=orcladmin" -w "welcome" -p 389 -h alex -v "uid=mhunter, ou=People, o=airius.com"
deleting entry uid=mhunter, ou=People, o=airius.com
delete completed

Modify RDN / DN Operations
The last command I will be covering in this article is ldapmoddn. You can use this command to modify the RDN or the DN of any entry you have access to.


For this first example, I will modify an RDN of the following entry: "uid=mlott, ou=People, o=airius.com".

# ldapmoddn -D "cn=orcladmin" -w "welcome" -p 389 -h alex -b "uid=mlott, ou=People, o=airius.com" -R "uid=mikelott"
uid=mlott, ou=People, o=airius.com renamed successfully.


Now, for a more complex example. I want to move the entry "uid=ahunter, ou=People, o=airius.com" under a new parent while keeping its RDN (uid=ahunter), so that it becomes "uid=ahunter, ou=People, dc=idevelopment, dc=info":

# ldapmoddn -D "cn=orcladmin" -w "welcome" -p 389 -h alex -b "uid=ahunter, ou=People, o=airius.com" -R "uid=ahunter" -N "ou=People, dc=idevelopment, dc=info"
uid=ahunter, ou=People, o=airius.com renamed successfully.


Copyright (c) 1998-2017 Jeffrey M. Hunter. All rights reserved.

All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info.

I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on Friday, 08-Aug-2003 00:00:00 EDT