NAME

  modattr - Modify an attribute for one or more LDAP entries

SYNOPSIS

  modattr [-adnvW] -b base -h host -D bind DN -w pwd -P cert attr=value filter

ABSTRACT

This command line utility can be used to modify one attribute for one or more LDAP entries. As simple as this sounds, this turns out to be a very common operation. For instance, let's say you want to change "mailHost" for all users on a machine named dredd, to be judge. With this script all you have to do is

    modattr mailHost=judge '(mailHost=dredd)'

DESCRIPTION

There are four primary operations that can be made with this utility:

  • Set an attribute to a (single) specified value.

  • Add a value to an attribute (for multi-value attributes).

  • Delete a value from an attribute. If it's the last value (or if it's a single value), this will remove the entire attribute.

  • Delete an entire attribute, even if it has multiple values.

The first three require an option of the form attr=value, while the last one takes only the name of the attribute. The last argument is always an LDAP search filter, specifying which entries the operation should be applied to.

OPTIONS

All but the first two command line options for this tool are standard LDAP options, to set parameters for the LDAP connection. The two new options are -a and -d to add and remove attribute values.

Without either of these two options specified (they are both optional), the default action is to set the attribute to the specified value. That will effectively remove any existing values for this attribute.

-a

Specify that the operation is an add, to add a value to the attribute. If there is no existing value for this attribute, we'll create a new attribute, otherwise we add the new value if it's not already there.

-d

Delete the attribute value, or the entire attribute if no value is specified. This option has two forms, and its function depends on whether the attribute argument includes a value. Be careful here: if you forget to specify the value to delete, you will remove all of them.

-h <host>

Name of the LDAP server to connect to.

-p <port>

TCP port for the LDAP connection.

-b <DN>

Base DN for the search.

-D <bind>

User (DN) to bind as. We support a few convenience shortcuts here, like root, user and repl.

-w <passwd>

This specifies the password to use when connecting to the LDAP server. This is strongly discouraged, since a password given on the command line can show up in process listings and shell history; without this option the script will ask for the password interactively.

-s <scope>

Search scope, default is sub, the other possible values are base and one. You can also specify the numeric scopes, 0, 1 or 2.

-P

Use SSL for the LDAP connection, using the specified cert.db file for certificate information.

-n

Don't do anything, only show the changes that would have been made. This is very convenient, and can save you from embarrassing mistakes.

-v

Verbose output.

The last two arguments are special for this script. The first argument specifies the attribute (and possibly the value) to operate on, and the last argument is a properly formed LDAP search filter.

EXAMPLES

We'll give one example for each of the four operations this script can currently handle. Since the script itself is quite flexible, you'll probably find you can use this script for a lot of other applications, or call it from other scripts. Note that we don't specify any LDAP-specific options here; we assume you have configured your defaults properly.

To set the description attribute for user "leif", you would do

    modattr 'description=Company Swede' '(uid=leif)'

This example shows how to use the command without either the -a or the -d option. To add an e-mail alias (alternate address) to the same user, you would do

    modattr -a 'mailAlternateAddress=theSwede@netscape.com' '(uid=leif)'

To remove an object class from all entries that use it, you could do

    modattr -d 'objectclass=dummyClass' '(objectclass=dummyClass)'

This example is not great, since unless you've ensured that no entries use any of the attributes in this class, you'll get schema violations. But don't despair, you can use this tool to clean up all entries first! To completely remove all usage of an attribute named dummyAttr, you'd simply do

    modattr -d dummyAttr '(dummyAttr=*)'

This shows the final format of this command. Notice how we don't specify a value, to ensure that the entire attribute is removed. This is potentially dangerous, so again be careful.
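
The four operations and the two risky forms described above (-d without a value, and -w on the command line) can be checked before anything is handed to modattr. The following is an added example, not part of modattr; the function names and the ALLOW_ATTR_WIPE variable are hypothetical, and it assumes options come first, followed by attr[=value] and the filter.

```shell
#!/bin/sh
# Pre-flight guard for modattr command lines (added example, not part of modattr).
# Function names and the ALLOW_ATTR_WIPE variable are hypothetical.

# classify_op MODE SPEC: MODE is -a, -d or "" (neither); SPEC is attr=value or attr.
# Prints set | add | delete-value | delete-attribute, or "invalid" with status 1.
classify_op() {
    case $2 in
        *=*) has_value=1                    # attr=value form
             # Empty name or empty value: the page does not define it, so reject.
             [ -n "${2%%=*}" ] && [ -n "${2#*=}" ] || { echo invalid; return 1; } ;;
        *)   has_value=0
             [ -n "$2" ] || { echo invalid; return 1; } ;;
    esac
    case "$1:$has_value" in
        -a:1) echo add ;;
        -d:1) echo delete-value ;;
        -d:0) echo delete-attribute ;;      # removes every value of the attribute
        :1)   echo set ;;                   # replaces all existing values
        *)    echo invalid; return 1 ;;     # -a or plain set without a value
    esac
}

# guard_modattr ARGS...: prints the operation and returns 0 if the command line
# may be passed on to modattr; prints a reason on stderr and returns 1 otherwise.
guard_modattr() {
    mode=""
    while [ $# -gt 2 ]; do
        case $1 in
            -w*)         echo "refused: -w puts the password on the command line" >&2
                         return 1 ;;
            -[bhpDsP])   shift ;;           # option with a separate value: skip it too
            -*[!adnvW]*) ;;                 # not a pure flag cluster: ignore
            -*d*)        mode=-d ;;
            -*a*)        mode=-a ;;
        esac
        shift
    done
    [ $# -eq 2 ] || { echo "refused: need attr[=value] and a filter" >&2; return 1; }
    op=$(classify_op "$mode" "$1") || { echo "refused: invalid '$1'" >&2; return 1; }
    if [ "$op" = delete-attribute ] && [ "${ALLOW_ATTR_WIPE:-0}" != 1 ]; then
        echo "refused: -d without a value removes the whole attribute" >&2
        return 1
    fi
    echo "$op"
}

# The page's whole-attribute delete is refused unless ALLOW_ATTR_WIPE=1 is set.
guard_modattr -d dummyAttr '(dummyAttr=*)' || true
```

Run the guard on the same arguments you intend to pass, then use modattr's own -n option to preview the changes before the real run.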

INSTALLATION

In order to use this script, you'll need Perl version 5.004 or later, the LDAP SDK, and also the LDAP Perl module (aka PerLDAP). Once you've installed these packages, just copy this file to where you keep your admin binaries, e.g. /usr/local/bin.

In order to get good performance, you should make sure you have indexes on the attributes you typically use with this script. Our experience has been that in most cases the standard indexes in the Directory Server are sufficient, e.g. CN, UID and MAIL.

AVAILABILITY

This package can be retrieved from a number of places, including:

    http://www.mozilla.org/directory/
    Your local CPAN server

CREDITS

This little tool was developed internally at Netscape, by Leif Hedstrom.

BUGS

None, of course...

SEE ALSO

Mozilla::LDAP::API and Perl