Manual Reference Pages  -  LDAPFORM (1)


ldapform - prepare an LDIF form to update a given ldap entry.




ldapform [options] filter
ldapform -e [options] filter
ldapedit [options] filter


The ldapform utility creates a text file in ldif(5) format, which can be used to add or modify entries in an LDAP server. The ldapedit utility does the same, but also submits the changes back to that server.

Both utilities require read access to operational attributes of the top level subschema to obtain the objectclass and attribute definitions. This means that the authorized user should be able to get the info using the following command:

    % ldapsearch [authopts] -b cn=Subschema -s base '(objectClass=*)' +

If the above fails, check your ACLs.
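The prerequisite check above, extended as an added example (not part of ldapform or the original page): a search can return the subschema entry while ACLs withhold its objectClasses and attributeTypes values, so this POSIX shell helper judges the returned LDIF by content. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge a subschema search result by its content.
# Usage: ldapsearch [authopts] -b cn=Subschema -s base '(objectClass=*)' + | subschema_check

# Join folded LDIF lines: a line starting with one space continues the
# previous line (RFC 2849).
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR > 0) print buf }'
}

# Count values of attribute $1 in unfolded LDIF on stdin (name is case-insensitive).
ldif_count() {
    awk -v want="$1" -F: 'tolower($1) == tolower(want) { n++ } END { print n + 0 }'
}

# Print a one-line verdict; return 0 only if both definition sets are readable.
subschema_check() {
    ldif=$(ldif_unfold)
    dn=$(printf '%s\n' "$ldif" | ldif_count dn)
    oc=$(printf '%s\n' "$ldif" | ldif_count objectClasses)
    at=$(printf '%s\n' "$ldif" | ldif_count attributeTypes)
    if [ "$dn" -eq 0 ]; then
        echo "no entry returned: subschema not readable with these credentials"
        return 1
    fi
    if [ "$oc" -eq 0 ] || [ "$at" -eq 0 ]; then
        echo "entry visible, definitions withheld: objectClasses=$oc attributeTypes=$at"
        return 1
    fi
    echo "ok: objectClasses=$oc attributeTypes=$at"
}

# Constructed sample of a readable subschema (second objectClasses value is folded).
sample_ok() {
    cat <<'EOF'
dn: cn=Subschema
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY
  ( userPassword $ telephoneNumber $ seeAlso $ description ) )
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name )
EOF
}

# Constructed sample: the entry is returned but ACLs withhold the definitions.
sample_hidden() { printf 'dn: cn=Subschema\n'; }

sample_ok | subschema_check
sample_hidden | subschema_check || true
```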


-b base
  Specify the search base for the filter.
-C
  Use compact format. See FORMATS below.
-D dn
  Specify the distinguished name of the authenticating user for simple binds.
-f file
  Write output to file. When in edit mode, this flag will use file instead of a temporary file and the file will not be removed when submitted to the server.
-H uri
  Specify the URI of the ldap server. The options -h and -p are ignored when using this option.
-h hostname
  Specify the hostname of the ldap server. If a uri is also specified (see -H) this option is ignored.
-O props
  Specify security properties for SASL authentication as a comma-separated list. Refer to SASL_SECPROPS in ldap.conf(5) for more information.
-p port
  Specify the port to connect to. Default: 389. This option is ignored if -H is set.
-R realm
  Specify the realm for SASL authentication.
-s scope
  Specify the search scope for the filter. Can be one of:
    base      Search base only.
    one       One level.
    sub       Base and all descendants (subtree).
    children  Children only. Requires LDAPv3 subordinate feature extension.
-U authcid
  Authentication ID for SASL authentication.
-v [v]
  Increase verbosity. When specified twice, trace information will be printed.
-W
  Prompt for password when using simple binds. Will fail if not using a tty; use -y instead.
-w password
  Specify the password for simple binds.
-X authzid
  Authorization ID for SASL authentication if different from authcid.
-x
  Use simple binds.
-Y mech
  Specify the SASL authentication mechanism.
-y pwfile
  Specify the file containing the password for simple binds. Use '-' for stdin.
-Z [Z]
  Use the START TLS LDAP operation on a normal connection. If used twice, require it to succeed.


Standard format is meant for modifications. For each matching entry, a 'changetype' attribute is printed. For each 'objectClass' attribute a 'delete' attribute is printed. For all other attributes, an 'add' and 'delete' attribute are printed, along with the attribute and its value (if available). Each attribute is continued properly with a dash on a line by itself.

Compact format is meant for additions. For each matching entry all attributes are printed with their values (if available). This makes it easier to copy an entry to a different entry. Both formats precede an attribute section with a comment describing the attribute, if one is available in the schema definition as stored by the server.


EX_USAGE Unknown option or using invalid combination of options.
EX_UNAVAILABLE Connection to the LDAP server or TLS negotiation failed. Diagnostics are printed on stderr.
EX_CANTCREAT The file argument to the -f option cannot be created.
EX_OK All went well.


The following files work as described in ldap.conf(5):


The variables LDAPRC and LDAPCONF work as described in ldap.conf(5). Additionally, the variables LDAP_USE_TLS and LDAP_REQUIRE_TLS work as -Z and -ZZ respectively. That is, when set they activate and may require TLS. These do not work for OpenLDAP-supplied tools.


  • SASL authentication is untested and may not work.
  • Edit mode is currently nonexistent.
  • If TLS negotiation fails, so will simple binds. As such, the net effect of -Z and -ZZ is identical. However, compatibility with OpenLDAP tools is kept.
  • The portability framework is not in place yet, so either have FreeBSD-compatible interfaces available or use a VM.


ldapsearch(1), ldapmodify(1), ldif(5), ldap.conf(5)