This tool allows you to modify a large list of LDAP entries in batch mode. You can add new attributes/object classes, remove attributes and set attributes to a specific value.
First, specify where the entries that should be changed are stored. You can select an account suffix, the tree suffix or enter your own DN by selecting "Other".
Next, enter an additional LDAP filter to limit the entries that should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to match all accounts that do not yet have the password self reset feature.
Now it is time to define the changes that should be made. The following operations are possible:
Add: Adds an attribute value if it does not yet exist. Please do not use this for single-value attributes that already have a value.
Modify: Sets an attribute to the given value. If the attribute does not yet exist then it is added. If the attribute has multiple values then all other values are removed.
Delete: Deletes the specified value from this attribute. If you leave the value field blank then all attribute values are removed.
Please note that all actions are run as separate LDAP commands. You cannot add an object class and a required attribute at the same time.
You can use the following wildcards to use existing attribute data of the entries:
%attribute%: attribute value
@attribute@: first character of attribute
?attribute?: first character of attribute in lower case
!attribute!: first character of attribute in upper case
??attribute??: attribute in lower case
!!attribute!!: attribute in upper case
((attribute)): space if attribute is set
§attribute|;§: attribute values separated by ";" (you can set other separators if you want)
Examples for attributes gn="Steve", sn="Miller" and memberUid=("user1", "user2") (specified value -> resulting LDAP value):
Table 5.1.
Value | Resulting LDAP value |
---|---|
my value | my value |
%gn% | Steve |
%gn%((gn))%sn% | Steve Miller (would be "Miller" if gn is empty) |
§memberUid|, § | user1, user2 |
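
The wildcard rules above can be checked offline before a batch is prepared. The following is an added sketch, not LAM's own code, that expands the documented wildcards and reproduces Table 5.1. The names `expand` and `SAMPLE_ENTRY` are hypothetical, and it assumes that single-value wildcards use the first value of a multi-valued attribute and that attribute names are matched case-insensitively.

```python
import re

# Constructed sample entry with the attributes used in Table 5.1.
SAMPLE_ENTRY = {"gn": ["Steve"], "sn": ["Miller"], "memberUid": ["user1", "user2"]}

# One alternation scanned in a single pass, so substituted attribute data is
# never re-interpreted as a wildcard. Doubled delimiters (??x??, !!x!!) are
# listed before the single forms (?x?, !x!) so they win at the same position.
_TOKEN = re.compile(
    r"§(?P<join>[\w-]+)\|(?P<sep>[^§]*)§"    # §attr|sep§  all values joined
    r"|\(\((?P<space>[\w-]+)\)\)"            # ((attr))    space if attr is set
    r"|\?\?(?P<lower>[\w-]+)\?\?"            # ??attr??    value in lower case
    r"|!!(?P<upper>[\w-]+)!!"                # !!attr!!    value in upper case
    r"|%(?P<value>[\w-]+)%"                  # %attr%      value
    r"|@(?P<first>[\w-]+)@"                  # @attr@      first character
    r"|\?(?P<first_lower>[\w-]+)\?"          # ?attr?      first char, lower case
    r"|!(?P<first_upper>[\w-]+)!"            # !attr!      first char, upper case
)

_FORMAT = {
    "space": lambda v: " " if v else "",
    "lower": str.lower,
    "upper": str.upper,
    "value": lambda v: v,
    "first": lambda v: v[:1],
    "first_lower": lambda v: v[:1].lower(),
    "first_upper": lambda v: v[:1].upper(),
}

def expand(template, entry):
    """Expand the documented wildcards in template using one entry's attributes."""
    # Assumption: attribute names are compared case-insensitively.
    attrs = {name.lower(): list(values) for name, values in entry.items()}

    def repl(match):
        found = {k: v for k, v in match.groupdict().items() if v is not None}
        if "join" in found:
            return found["sep"].join(attrs.get(found["join"].lower(), []))
        kind, name = next(iter(found.items()))
        # Assumption: single-value wildcards use the first value; unset -> "".
        first_value = (attrs.get(name.lower()) or [""])[0]
        return _FORMAT[kind](first_value)

    return _TOKEN.sub(repl, template)

if __name__ == "__main__":
    for value in ["my value", "%gn%", "%gn%((gn))%sn%", "§memberUid|, §"]:
        print(f"{value} -> {expand(value, SAMPLE_ENTRY)}")
```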
Dry run
You should always start with a dry run. It will not make any changes to your LDAP directory but prints all modifications that would be made. You can also download the changes in LDIF format to use with ldapmodify. This is useful if you want to adjust some actions manually.
Apply changes
This will run the actions against your LDAP directory. You will see which accounts are edited in the progress area and also if any errors occurred.