Novell is now a part of Micro Focus

Tips for Using ldapsearch and ldapmodify

Novell Cool Solutions: Tip

Digg This - Slashdot This

Posted: 3 Feb 2005

You can use ldapsearch and ldapmodify to see who are members of a group, and be able to add and remove users from a group. This is pretty straightforward to do. Or, you can also use Novell's ICE tool for the same purpose.

The big caveat here is that both the user and the group change when you add or delete members from the group. There are four attribute changes per group modification. If you do an ldapsearch before and after the group modification on the user and group object, this will show you what needs to be included the LDIF files you use.

The four attribute changes that need to be made are the following:

  1. Add the User to the Member attribute of the Group object
  2. Add the User to the Equivalent To Me attribute of the Group object
  3. Add the Group to the Group Membership attribute of the User object
  4. Add the Group to the Security Equals attribute of the User object

Note that when you make the fourth change (Security Equals), the operation may appear to fail, returning a message that the Group is already created. That's because some client library versions "help" you by adding this for you in the background. Your best bet is to leave the Add command in your LDIF file and ignore the error if you get one.

For syntax and explanations of the ldapsearch, ldapmodify, and ldapdelete commands, see the following resources:


System admin docs from Caltech University -

Sun Microsystems documentation -

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates