Posted on Thu 28 May 2020

how to make mass modifications in LDAP

In the spirit of “the best way to get a correct answer is to post an obviously wrong answer on USENET”, I hereby present the most efficient method of mass-alteration of LDAP user entities I can think of.

You probably shouldn’t do this.

As you know, LDAP is a terrible protocol for getting basic user information and authenticating users. You also probably know that it is a well-established standard, and so it is likely to be one of the methods (or the only method) of getting authentication into your new application without maintaining yet another username/password database. Also, the replacements for LDAP tend to want to use LDAP as their source of knowledge.

There is, effectively, one open-source LDAP server: OpenLDAP, also called slapd. There are effective but not very powerful tools to manipulate the data: ldapsearch and ldapmodify. Do not be deceived by the existence of ldapadd and ldapdelete: those are ldapmodify in disguise.

When setting up users in that tenuous space between four and many – if there are four, you can probably ask them all to come sit down and type in a password, whereas many is the number where that just isn’t feasible – I have found that the best plan is as follows:

  • Construct an ldif file for your users with the help of migrationtools, which is probably in a package of that name.

  • Edit the ldif file with the help of vim or emacs, whichever makes you happiest. Use lots of regexps.

  • For example, the form:

s/cn: \(\a*\) \(\a*\)/cn: \1 \2\rgn: \1/

That matches common names (Maeve Binghy), splits them at the first space, and writes the given name field on a new line. You can do the same with sn: \2 to get the surname field. There are falsehoods you should know about names, and this violates several of them – but it gets you going.

  • Then make careful edits.

  • Then delete all the dn’s that you no longer care about and re-insert them. If you grep the dn: lines out of your ldif into a new file and remove the dn: prefix, ldapdelete will take that. Make sure you have blank lines separating them.
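The split-and-rewrite step above as a script rather than an editor regexp (an added example, not code from the post): it parses LDIF properly, unfolding continuation lines and decoding base64 "::" values that a line-based regexp never sees, splits cn at the first space as the regexp does, and emits a changetype: modify LDIF for ldapmodify instead of a delete-and-re-add, so only givenName and sn are touched. The sample entries and DNs are constructed.

```python
import base64, re
# Constructed sample LDIF (not from the post): a folded cn, a base64 ('::') cn
# holding a non-ASCII letter, and a single-token cn a first-space split can't use.
SAMPLE_LDIF = """\
dn: uid=mbinghy,ou=People,dc=example,dc=com
cn: Maeve
  Binghy

dn: uid=zhesse,ou=People,dc=example,dc=com
cn:: Wm/DqyBIZXNzZQ==

dn: uid=cher,ou=People,dc=example,dc=com
cn: Cher
"""
def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from LDIF text."""
    text = re.sub(r"\n ", "", text)          # unfold: newline + one space
    text = re.sub(r"(?m)^#.*\n?", "", text)  # drop ldapsearch-style comments
    result = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):        # attr:: <base64>, e.g. non-ASCII
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(attr.lower(), []).append(value.strip())
        result.append((attrs["dn"][0], attrs))
    return result

def ldif_value(attr, value):
    """Render one LDIF line, base64-encoding values LDIF cannot carry raw."""
    if value.isascii() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def name_modifications(text):
    """Set givenName/sn from cn (split at first space, as the post's regexp does)."""
    out, skipped = [], []
    for dn, attrs in parse_ldif(text):
        given, _, surname = attrs.get("cn", [""])[0].partition(" ")
        if not surname:                      # single-token cn: report, don't mangle
            skipped.append(dn)
            continue
        # 'replace' creates or overwrites sn, where the regexp would duplicate it
        out.append("\n".join([
            f"dn: {dn}", "changetype: modify",
            "replace: givenName", ldif_value("givenName", given), "-",
            "replace: sn", ldif_value("sn", surname), "-", "",
        ]))
    return "\n".join(out), skipped
```

Feed the returned LDIF to ldapmodify, and look at the skipped list before deciding what to do with single-token names.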

There, I told you it was awful.

UPDATE: Apparently I’m not the only one. apt show ldapvi:

Package: ldapvi
Version: 1.7-10+b3
Section: text
Maintainer: Rhonda D'Vine <>
APT-Sources: buster/main amd64 Packages
Description: perform an LDAP search and update results using a text editor
 From a first glance ldapvi looks like ldapsearch: You search for entries in
 the ldap database. But the results get opened in your preferred editor, and
 you can change, add or delete entries from there. After you are done you quit
 the editor and ldapvi offers you several options: View your changes as LDIF,
 commit changes or discard them.

I rest my case.

© -dsr-.