Delete an LDAP object using ldapmodify

Posted December 9, 2003 by Quinn McHenry in Database

Using ldapmodify to manipulate a directory server from the command line enables rapid changes (quicker than loading a GUI in some cases) and allows commands to be scripted for automation.

Any recipe with the word delete in the title must be used with caution. Please back up your directory server before doing this.

To delete an object, you must know its distinguished name (dn). Consider the following object to be deleted:

uid=qmchenry,ou=people,dc=tech-recipes,dc=com

ldapmodify takes commands from standard input. These commands are in a format called LDIF (lightweight directory interchange format). Once you start ldapmodify and authenticate, it expects LDIF input without prompting you. The LDIF commands to delete the above object are:

ldapmodify -D "cn=Directory Manager"
Bind password:
dn: uid=qmchenry,ou=people,dc=tech-recipes,dc=com
changetype: delete

After the LDIF code come two blank lines. The first carriage return after the changetype line ends the actions on the current object; a status line then reports the result, indicating success or pointing to the cause of failure. The second carriage return ends the LDIF input and terminates the ldapmodify command.

The -D "cn=Directory Manager" option on the ldapmodify command line specifies the LDAP entity to bind to the directory as in order to make the change. Directory Manager is typically a special entity that exists outside of the directory server. The distinguished name of any entity within the directory with authority to make the desired change can be substituted. Without the -w option, ldapmodify will prompt you for the password of the entity specified with -D; the parameter following -w is interpreted as the password. Be careful using -w with a password on the command line, since the password could be saved in clear text in a shell history file or be visible to other users in ps output. If you use ldapmodify from a shell script that includes the password, make sure the file is not readable by everyone.

Note: this command syntax has been validated with the ldapmodify command in Solaris against the SunONE Directory Server.
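The procedure above, scripted as an added shell example that is not part of the original recipe: it builds the delete LDIF for one or more DNs, feeds it to ldapmodify on standard input, and reads the bind password from a private file instead of passing -w on the command line. It assumes OpenLDAP's ldapmodify (-x for a simple bind, -y to read the password from a file); the bind DN and file path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original recipe: delete one or more LDAP
# entries the way the text describes (LDIF on ldapmodify's standard input),
# but read the bind password from a private file instead of passing -w on
# the command line. Assumes OpenLDAP's ldapmodify, where -x selects a simple
# bind and -y reads the password from a file (an assumption; the Solaris
# client the recipe was tested with has its own option for this).

# Emit the LDIF that deletes every DN given as an argument. Each record ends
# with a blank line, which is what tells ldapmodify the record is complete.
build_delete_ldif() {
    for dn in "$@"; do
        printf 'dn: %s\nchangetype: delete\n\n' "$dn"
    done
}

# Succeed only if the file exists and its group/other permission bits are
# zero (for example 600 or 400), so the password is not readable by others.
password_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Delete the given DNs, binding as $1 with the password stored in file $2.
# Write that file with  printf '%s' "$pw" > file  (no trailing newline,
# because ldapmodify -y uses the file contents verbatim). Returns
# ldapmodify's exit status, or 2 if the password file is not private.
delete_entries() {
    bind_dn=$1
    pass_file=$2
    shift 2
    if ! password_file_is_private "$pass_file"; then
        printf 'refusing to run: %s is readable by other users\n' "$pass_file" >&2
        return 2
    fi
    build_delete_ldif "$@" | ldapmodify -x -D "$bind_dn" -y "$pass_file"
}

# Usage (bind DN and file path are placeholders; the DN is the recipe's):
# delete_entries "cn=Directory Manager" /path/to/bind.pw \
#     "uid=qmchenry,ou=people,dc=tech-recipes,dc=com"
```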


About Quinn McHenry

Quinn was one of the original co-founders of Tech-Recipes. He is currently crafting iOS applications as a senior developer at Small Planet Digital in Brooklyn, New York.