Overview#
The LDAP Data Interchange Format (LDIF) is a plain-text format for representing LDAP directory data so that it can be exchanged between systems. LDAP Data Interchange Format is defined in RFC 2849, which describes not only a format for representing LDAP data but also a mechanism (change records) for describing changes to that data.
LDAP Data Interchange Format is often part of a Data Extraction Transformation process.
In general, an LDIF record consists of a series of name-value pairs. The name can be followed by a single colon, zero or more spaces, and the associated value, or it can be followed by two colons, zero or more spaces, and the Base64 Encoding representation of the value. Each name-value pair is given on a separate line, and long lines may be wrapped onto two or more lines by ending the line and beginning the next one with exactly one space. LDIF records should be separated from each other by at least one blank line. Any line that begins with an octothorpe ("#") character will be treated as a comment and ignored. The two-colon form only signals that the value is Base64-encoded because it could not be written safely as plain text (a leading space, non-ASCII characters, or binary content such as a certificate); it is an encoding, not a protection, so an LDIF file that contains userPassword or certificate values should be handled as sensitive data.
For an LDIF representation of an LDAP Entry, the first line should contain the DN of the LDAP Entry. The remaining lines of the LDIF record will represent the AttributeTypes of the LDAP Entry, with the attributeTypes used as the name. Multivalued attributes will be represented with a separate line per value.
The following provides an example of a user LDAP Entry represented in the LDAP Data Interchange Format:
dn: uid=john.doe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: john.doe
givenName: John
sn: Doe
cn: John Doe
mail: john.doe@example.com
userCertificate;binary:: MIIB5TCCAU6gAwIBAgIERloIajANBgkqhkiG9w0BAQUFADA3M
 QswCQYDVQQGEwJVUzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMREwDwYDVQQDEwhKb2huIERvZT
 AeFw0wNzA1MjcyMjM4MzRaFw0wNzA4MjUyMjM4MzRaMDcxCzAJBgNVBAYTAlVTMRUwEwYDVQQ
 KEwxFeGFtcGxlIENvcnAxETAPBgNVBAMTCEpvaG4gRG9lMIGfMA0GCSqGSIb3DQEBAQUAA4GN
 ADCBiQKBgQCWNZB4qs1UvjYgvGvB9udmiUi4X4DeaSm3o0p8PSwpOFxSqgWdSwKgUugZ1EJVy
 YoakljDFsJ0GVown+dIB24V4ozNs6wa0YotIKTV2AcySQkmzzP3e+OnE9Aa1wlB/PVnh1CFLg
 k1UOoruLE10bac5HA8QiAmfNMorU26AwFTcwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGrzMKN
 bBRWn+LIfYTfqKYUc258XVbhFri1OV0oF82vyvciYWZzyxLc52EPDsymLmcDh+CdWxy3bVkjd
 Mg1WEtMGr1GsxOVi/vWe+kT4tPhinnB4Fowf8zgqiUKo9/FJN26y7Fpvy1IODiBInDrKZRvNf
 qemCf7o3+Cp00OmF5ey
userPassword: {SSHA}s4Bd9M0tCpRDr8/U+IXetRcAbd8bJY3AFKsn+A==
To represent an Add Request in LDIF, the format is exactly the same as to represent an entry, with the exception that the line immediately after the DN should indicate a "changeType" of "add", like:
dn: uid=john.doe,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: john.doe
givenName: John
sn: Doe
cn: John Doe
mail: john.doe@example.com
userCertificate;binary:: MIIB5TCCAU6gAwIBAgIERloIajANBgkqhkiG9w0BAQUFADA3M
 QswCQYDVQQGEwJVUzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMREwDwYDVQQDEwhKb2huIERvZT
 AeFw0wNzA1MjcyMjM4MzRaFw0wNzA4MjUyMjM4MzRaMDcxCzAJBgNVBAYTAlVTMRUwEwYDVQQ
 KEwxFeGFtcGxlIENvcnAxETAPBgNVBAMTCEpvaG4gRG9lMIGfMA0GCSqGSIb3DQEBAQUAA4GN
 ADCBiQKBgQCWNZB4qs1UvjYgvGvB9udmiUi4X4DeaSm3o0p8PSwpOFxSqgWdSwKgUugZ1EJVy
 YoakljDFsJ0GVown+dIB24V4ozNs6wa0YotIKTV2AcySQkmzzP3e+OnE9Aa1wlB/PVnh1CFLg
 k1UOoruLE10bac5HA8QiAmfNMorU26AwFTcwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGrzMKN
 bBRWn+LIfYTfqKYUc258XVbhFri1OV0oF82vyvciYWZzyxLc52EPDsymLmcDh+CdWxy3bVkjd
 Mg1WEtMGr1GsxOVi/vWe+kT4tPhinnB4Fowf8zgqiUKo9/FJN26y7Fpvy1IODiBInDrKZRvNf
 qemCf7o3+Cp00OmF5ey
userPassword: password
To represent a Delete Request in LDIF, the record is simply a line containing the DN of the entry followed by a line indicating a "changeType" of "delete", like:
dn: uid=john.doe,ou=People,dc=example,dc=com
changetype: delete
To represent a Modify Request in LDIF, the format is a little more complex. The first line should contain the DN of the entry, and the second should contain a "changeType" of "modify". The third line names the LDAP ModifyRequest operation to perform ("add", "delete" or "replace"; "increment" is also available where the server supports the LDAP Modify-Increment Extension) with the AttributeType to modify as its value. It may be followed by lines giving the values for that change, each with the AttributeType as the name and one attribute value as the value (a "delete" with no value lines removes the whole attribute). There may be multiple attribute modifications described in a single modify change record, with each of them separated by a line containing only a dash. For example:
dn: uid=john.doe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: newpassword
-
replace: description
description: This is the first description value
description: This is the second description value
To represent a ModifyDN Request in LDIF, the first line should contain the DN of the LDAP Entry, and the second line should contain a "changeType" of "moddn" (RFC 2849 also accepts "modrdn"). The third line should have a name of "newrdn" with a value equal to the new RDN to assign to the LDAP Entry, and the fourth should have a name of "deleteoldrdn" followed by a value of either 1 (if the DeleteOldRDN flag should be "true", so that the old RDN attribute value is removed from the entry) or 0 (if it should be false and the old value is kept). There may optionally be a fifth line with a name of "newsuperior" and a value of the new superior DN if the entry is to be moved beneath a different parent. For example:
dn: uid=john.doe,ou=People,dc=example,dc=com
changetype: moddn
newrdn: uid=johnathan.doe
deleteoldrdn: 1
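As an added example that is not part of the original page or of RFC 2849, the following Python parser applies the record rules described above (name-value lines, "::" for Base64, line folding with a single leading space, "#" comments, blank-line record separation) to both entry records and the add, delete, modify and moddn change records just described. The sample LDIF it parses is constructed for this example; the function names and the dictionary layout it returns are this example's own, not any library's API. It also flags records that write userPassword without a {scheme} prefix, since an LDIF file that carries passwords is a credential store whether or not the values are Base64-encoded.

```python
import base64
import re
SAMPLE_LDIF = """\
# constructed sample (not a real directory); the line after "description::" is a fold
dn: uid=john.doe,ou=People,dc=example,dc=com
description:: VGhpcyBpcyBhIGJhc2U2
 NC1lbmNvZGVkIHZhbHVl
userPassword: {SSHA}s4Bd9M0tCpRDr8/U+IXetRcAbd8bJY3AFKsn+A==

dn: uid=jane.doe,ou=People,dc=example,dc=com
changetype: add
uid: jane.doe
userPassword: password

dn: uid=john.doe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: newpassword
-
add: description
description: This is the first description value
description: This is the second description value

dn: uid=john.doe,ou=People,dc=example,dc=com
changetype: moddn
newrdn: uid=johnathan.doe
deleteoldrdn: 1
"""

# name, then ":" (plain), "::" (base64) or ":<" (URL), then the value
_LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.;-]*)(::|:<|:) *(.*)$")

def parse_line(line):
    """Return (lower-cased name, value); '::' marks base64, which encodes but does not protect."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"malformed LDIF line: {line!r}")
    name, sep, value = m.groups()
    if sep == ":<":  # URL value: an importer would read file:// content, so refuse it from untrusted input
        raise ValueError(f"URL-valued attribute refused: {name}")
    if sep == "::":
        value = base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    return name.lower(), value

def parse_record(lines):
    name, dn = parse_line(lines[0])
    if name != "dn":
        raise ValueError(f"record must start with dn: {lines[0]!r}")
    body, ctype = lines[1:], None
    if body and parse_line(body[0])[0] == "changetype":
        ctype, body = parse_line(body[0])[1].lower(), body[1:]
    if ctype in (None, "add"):  # an entry and an add record carry the same attribute lines
        attrs = {}
        for line in body:
            name, value = parse_line(line)
            attrs.setdefault(name, []).append(value)  # multivalued attribute: one line per value
        return {"dn": dn, "changetype": ctype, "attrs": attrs}
    if ctype == "delete":
        return {"dn": dn, "changetype": "delete"}
    if ctype in ("moddn", "modrdn"):
        f = dict(parse_line(l) for l in body)
        return {"dn": dn, "changetype": "moddn", "newrdn": f["newrdn"],
                "deleteoldrdn": f["deleteoldrdn"] == "1", "newsuperior": f.get("newsuperior")}
    if ctype != "modify":
        raise ValueError(f"unknown changetype {ctype!r}")
    ops = []
    for line in [l for l in body if l != "-"]:  # a dash line separates modifications
        name, value = parse_line(line)
        if name in ("add", "delete", "replace", "increment"):  # increment comes from RFC 4525
            ops.append({"op": name, "attr": value.lower(), "values": []})
        elif ops and name == ops[-1]["attr"]:
            ops[-1]["values"].append(value)
        else:
            raise ValueError(f"unexpected line in modify record: {line!r}")
    return {"dn": dn, "changetype": "modify", "ops": ops}

def parse_ldif(text):
    """Drop '#' comments, join folded lines onto the line before, split records at blank lines."""
    records, cur, in_comment = [], [], False
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):  # continuation line: exactly one leading space
            if cur and not in_comment:
                cur[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if raw.strip() and not in_comment:
            cur.append(raw)
        elif not raw.strip() and cur:
            records.append(parse_record(cur))
            cur = []
    return records

def cleartext_password_dns(records):
    """DNs that set userPassword without a {scheme} prefix; LDIF files carry credentials, base64 or not."""
    def passwords(rec):
        return rec.get("attrs", {}).get("userpassword", []) + [
            v for op in rec.get("ops", []) if op["attr"] == "userpassword" for v in op["values"]]
    return [rec["dn"] for rec in records if any(not v.startswith("{") for v in passwords(rec))]
```

Two design choices are worth noting. RFC 2849 also allows a value to be given as a URL with ":<"; the parser refuses that form rather than fetching it, because an importer that honours it will read whatever local file or remote resource the LDIF author names. Base64 values are decoded to text for brevity; a binary attribute such as userCertificate;binary would need the raw bytes kept instead.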
We do note some char definitions as they relate to LDAP:
More Information#
There might be more information for this subject on one of the following:
- Add
- Audit Log
- Back-end
- Best Practices For LDAP Naming Attributes
- Changetype
- Control
- Data Extraction Transformation
- Delete
- Deleteoldrdn
- Glossary Of LDAP And Directory Terminology
- Increment
- LDAP Data Interchange Format
- LDAP Modify-Increment Extension
- LDIF
- LDIF Export
- LDIF Files
- LDIF Import
- Moddn
- Modify
- Modify Request
- RFC 2849
- SAFE-CHAR
- SAFE-INIT-CHAR
- SAFE-INIT-UTF8-CHAR
- SAFE-UTF8-CHAR
- Version