Updating Directory Data

Modern directory servers like OpenDJ can handle a high load of write requests, replicating changes quickly both on the LAN and over the WAN. For a complete example corresponding to the excerpts shown below, see ShortLife.java, one of the OpenDJ LDAP SDK examples.
About Add, Modify, Rename, & Delete

The four basic CRUD operations, create, read, update, and delete, correspond to the LDAP operations add, search, modify (or modify DN), and delete. The LDAP bind operation can also result in an update: some directory servers can be configured to write time stamps that track successful or failed binds for password policy reasons.

An add request creates a new entry in an LDAP directory. The entry must have a unique distinguished name that belongs under a base DN served by the directory, and its attributes must be valid according to the directory schema.

Search requests are described in the chapter on Searching & Comparing Directory Data.

A modify request adds, deletes, or replaces attribute values on an existing entry. The resulting entry must be valid according to the directory schema.

A modify DN request renames or moves a directory entry. In both cases the distinguished name changes. Renaming changes the relative distinguished name, for example from cn=Bob,ou=People,dc=example,dc=com to cn=Ted,ou=People,dc=example,dc=com. Moving changes the container (the parent entry) where the entry is found, for example from cn=Barbara Jensen,ou=People,dc=Old Company,dc=com to cn=Barbara Jensen,ou=People,dc=New Company,dc=com. Although both are modify DN operations, renaming a leaf entry is generally much simpler than moving a container entry that has child entries.

A delete request removes an entry from an LDAP directory. Directory servers restrict deletes to leaf entries, so you cannot remove an entry that still has child entries. For example, you have to delete uid=bjensen,ou=People,dc=example,dc=com and its peer entries before you delete ou=People,dc=example,dc=com, unless you send the delete request with the subtree delete request control.
As a rule, your client application must be authorized to create, update, and delete directory data. Therefore to prepare to change directory data, you first get a connection, and then bind on that connection as a user who is authorized to make the changes you plan to request.
Adding Directory Entries

The Connection.add() methods let you provide the entry to add as an AddRequest, an Entry, or as LDIF lines. If the changes to make are already expressed in LDIF, you can also use ChangeRecordReaders, ChangeRecords, and ChangeRecordWriters to handle the changes. The following excerpt demonstrates how to add a simple user entry under ou=People,dc=example,dc=com. [jcp:org.forgerock.opendj.examples.ShortLife:--- JCite add ---]
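The connect, bind, add sequence described above, as an added example rather than the ShortLife.java code the page refers to. It is written against the OpenDJ LDAP SDK 3.0 API (on SDK 2.6 the exception class is ErrorResultException instead of LdapException) and assumes an OpenDJ server on localhost port 1389 whose directory manager is cn=Directory Manager with password "password"; the entries it adds are constructed for the example.

```java
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.requests.AddRequest;
import org.forgerock.opendj.ldap.requests.Requests;

/** Bind as an authorized user and add user entries two ways (added example, not ShortLife.java). */
public final class AddUserExample {

    // Assumed deployment: OpenDJ on localhost:1389, directory manager password "password".
    private static final String HOST = "localhost";
    private static final int PORT = 1389;
    private static final String BIND_DN = "cn=Directory Manager";
    private static final char[] BIND_PW = "password".toCharArray();

    /** Builds the add request in code. Every attribute must be allowed by the schema
     *  for the object classes listed, or the server rejects the add with OBJECTCLASS_VIOLATION. */
    static AddRequest newUserRequest(String uid, String givenName, String sn) {
        return Requests.newAddRequest("uid=" + uid + ",ou=People,dc=example,dc=com")
                .addAttribute("objectClass", "top", "person", "organizationalPerson", "inetOrgPerson")
                .addAttribute("uid", uid)
                .addAttribute("cn", givenName + " " + sn)
                .addAttribute("givenName", givenName)
                .addAttribute("sn", sn)
                .addAttribute("mail", uid + "@example.com");
    }

    public static void main(String[] args) throws LdapException {
        LDAPConnectionFactory factory = new LDAPConnectionFactory(HOST, PORT);
        Connection connection = null;
        try {
            connection = factory.getConnection();
            // Bind first: the server evaluates access control for the bound identity,
            // and an anonymous add is refused by default.
            connection.bind(BIND_DN, BIND_PW);

            // 1. Add from an AddRequest built in code.
            connection.add(newUserRequest("bjensen", "Barbara", "Jensen"));

            // 2. Add from LDIF lines; the SDK parses them into an entry for you.
            connection.add(
                    "dn: uid=scarter,ou=People,dc=example,dc=com",
                    "objectClass: top",
                    "objectClass: person",
                    "objectClass: organizationalPerson",
                    "objectClass: inetOrgPerson",
                    "uid: scarter",
                    "cn: Sam Carter",
                    "sn: Carter");
        } catch (LdapException e) {
            // ENTRY_ALREADY_EXISTS is the expected failure on a re-run; anything else propagates.
            if (!ResultCode.ENTRY_ALREADY_EXISTS.equals(e.getResult().getResultCode())) {
                throw e;
            }
            System.err.println("Entry already exists: " + e.getResult().getDiagnosticMessage());
        } finally {
            if (connection != null) {
                connection.close();
            }
            factory.close();
        }
    }
}
```

The bind happens before any write so that the server applies its access control to the identity you actually hold; do not rely on the DN in the add request for authorization. Treating ENTRY_ALREADY_EXISTS separately keeps a re-run of a provisioning job from masking genuine errors such as INSUFFICIENT_ACCESS_RIGHTS or schema violations, which still propagate.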
Modifying Directory Entry Attribute Values

The Connection.modify() methods let you add, replace, and delete attribute values on an entry. Either the modifications are expressed in LDIF, or you build a ModifyRequest to express the changes.

To build a ModifyRequest, you can either specify individual changes, or derive the modifications from the differences between the original entry and a modified copy, as in the following excerpt. This is not always a particularly efficient method, because it reads and copies the entry, but it can be easy to use in some cases. [jcp:org.forgerock.opendj.examples.ShortLife:--- JCite modify ---]

Especially when working with large entries, a more efficient choice is to construct a ModifyRequest without copying the entire entry, but instead by specifying individual changes. See a demonstration of this technique in .

Passwords

You can also construct a ModifyRequest to change a user password in Active Directory, as demonstrated in the following excerpt. When working with OpenDJ directory server, consider using the LDAP Password Modify extended operation instead, as shown in the section, Password Modify Extended Operation. [jcp:org.forgerock.opendj.examples.PasswordResetForAD:--- JCite main ---]

To make the modification, the example connects to Active Directory over LDAPS, which Active Directory requires for changes to the unicodePwd attribute, and provides the password value as the new password enclosed in double quotes and encoded in UTF-16LE. [jcp:org.forgerock.opendj.examples.PasswordResetForAD:--- JCite encodePassword ---]

If the modifications are easier to construct in LDIF, you can write the LDIF to the directory server as shown in the chapter, Working With LDIF.
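The two ways of building a ModifyRequest and the two password paths discussed above, as an added example that is not the ShortLife.java or PasswordResetForAD.java code the page refers to. It targets the OpenDJ LDAP SDK 3.0 API (LdapException; on 2.6 use ErrorResultException), assumes OpenDJ on localhost port 1389 with cn=Directory Manager / "password", and assumes a user uid=bjensen,ou=People,dc=example,dc=com exists. The Active Directory request builders are only constructed, not sent, since they need an LDAPS connection to a domain controller; the user DN and passwords are placeholders.

```java
import java.nio.charset.StandardCharsets;

import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.Entries;
import org.forgerock.opendj.ldap.Entry;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.LinkedHashMapEntry;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.requests.ModifyRequest;
import org.forgerock.opendj.ldap.requests.PasswordModifyExtendedRequest;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.ldap.responses.PasswordModifyExtendedResult;

/** Diff-based and explicit modify requests, plus OpenDJ and AD password changes (added example). */
public final class ModifyExamples {

    static final String USER_DN = "uid=bjensen,ou=People,dc=example,dc=com";

    /** Diff approach: read only the attributes you intend to touch, edit a copy, and let
     *  the SDK derive the modifications. Because both entries lack the unread attributes,
     *  the diff contains no spurious deletes for them, and removing an attribute that is
     *  not present is simply a no-op in the copy. */
    static ModifyRequest diffBasedChange(Connection connection) throws LdapException {
        Entry original = connection.readEntry(USER_DN, "mail", "description", "telephoneNumber");
        Entry changed = new LinkedHashMapEntry(original);
        changed.replaceAttribute("mail", "bjensen@example.com");
        changed.addAttribute("description", "Updated via Entries.diffEntries");
        changed.removeAttribute("telephoneNumber");
        return Entries.diffEntries(original, changed);
    }

    /** Explicit approach: the same change with no read and no copy. A DELETE without
     *  values removes the whole attribute, but fails with NO_SUCH_ATTRIBUTE if it is absent. */
    static ModifyRequest explicitChange() {
        return Requests.newModifyRequest(USER_DN)
                .addModification(ModificationType.REPLACE, "mail", "bjensen@example.com")
                .addModification(ModificationType.ADD, "description", "Updated explicitly")
                .addModification(ModificationType.DELETE, "telephoneNumber");
    }

    /** OpenDJ: the Password Modify extended operation lets the server enforce its password
     *  policy and hash the value; omit setNewPassword() to have the server generate one. */
    static PasswordModifyExtendedResult resetOpenDJPassword(Connection connection, char[] newPassword)
            throws LdapException {
        PasswordModifyExtendedRequest request = Requests.newPasswordModifyExtendedRequest()
                .setUserIdentity("dn:" + USER_DN)
                .setNewPassword(newPassword);
        return connection.extendedRequest(request);
    }

    /** Active Directory: unicodePwd takes the password in double quotes, UTF-16LE encoded,
     *  and AD refuses the modification unless the connection is TLS protected (LDAPS). */
    static ByteString encodeADPassword(String password) {
        return ByteString.wrap(("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE));
    }

    /** Administrative reset: REPLACE the value (needs reset-password rights on the account). */
    static ModifyRequest adAdminReset(String userDn, String newPassword) {
        return Requests.newModifyRequest(userDn)
                .addModification(ModificationType.REPLACE, "unicodePwd", encodeADPassword(newPassword));
    }

    /** Self-service change: DELETE the old value and ADD the new one in a single modify, so
     *  AD verifies the old password and applies history and minimum-age policy. */
    static ModifyRequest adSelfChange(String userDn, String oldPassword, String newPassword) {
        return Requests.newModifyRequest(userDn)
                .addModification(ModificationType.DELETE, "unicodePwd", encodeADPassword(oldPassword))
                .addModification(ModificationType.ADD, "unicodePwd", encodeADPassword(newPassword));
    }

    public static void main(String[] args) throws LdapException {
        LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", 1389);
        Connection connection = factory.getConnection();
        try {
            connection.bind("cn=Directory Manager", "password".toCharArray());
            // Apply the diff-based request; print the explicit one to compare the modifications.
            connection.modify(diffBasedChange(connection));
            System.out.println("Equivalent explicit request:\n" + explicitChange());
            resetOpenDJPassword(connection, "Chang3Me!".toCharArray());
            // AD requests are built but not sent here (placeholder DN and passwords).
            System.out.println(adAdminReset("CN=Barbara Jensen,CN=Users,DC=example,DC=com", "Chang3Me!"));
        } finally {
            connection.close();
            factory.close();
        }
    }
}
```

Prefer the extended operation on OpenDJ because a plain REPLACE of userPassword bypasses nothing on the server side but does skip the checks the extended operation can do for a self-service change (old password verification, server-generated passwords). On Active Directory the two unicodePwd forms are the mechanism by which a reset and a user-initiated change are distinguished, so an application that only needs self-service changes should use the DELETE plus ADD form and never hold reset rights.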
Renaming Directory Entries

The Connection.modifyDN() methods serve to rename entries and to move them around. The following excerpt demonstrates how to rename an entry. [jcp:org.forgerock.opendj.examples.ShortLife:--- JCite rename ---]

If you must move rather than rename entries, have a look at the methods of ModifyDNRequest: setNewSuperior() names the new parent entry, and setDeleteOldRDN() controls whether the old RDN attribute value is removed from the entry. You can get a new request by using the Requests static methods.
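A rename followed by a move, as an added example that is not the ShortLife.java code the page refers to. It uses the OpenDJ LDAP SDK 3.0 API (LdapException; ErrorResultException on 2.6) and assumes OpenDJ on localhost port 1389 with cn=Directory Manager / "password", an existing entry cn=Bob,ou=People,dc=example,dc=com, and an existing container ou=Contractors,dc=example,dc=com.

```java
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.Entry;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.requests.ModifyDNRequest;
import org.forgerock.opendj.ldap.requests.Requests;

/** Rename (new RDN, same parent) versus move (same RDN, new parent) with ModifyDNRequest. */
public final class RenameAndMove {

    /** Rename: only the RDN changes. deleteOldRDN=true drops the old cn value from the
     *  entry; with false the renamed entry keeps both cn: Bob and cn: Ted as values. */
    static ModifyDNRequest rename(String dn, String newRdn) {
        return Requests.newModifyDNRequest(dn, newRdn).setDeleteOldRDN(true);
    }

    /** Move: keep the RDN, change the parent with newSuperior. If the entry has children
     *  the whole subtree moves, which some servers or backends refuse. */
    static ModifyDNRequest move(String dn, String rdn, String newParentDn) {
        return Requests.newModifyDNRequest(dn, rdn).setNewSuperior(newParentDn);
    }

    public static void main(String[] args) throws LdapException {
        // Assumed deployment: OpenDJ on localhost:1389 with the entries named above.
        LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", 1389);
        Connection connection = factory.getConnection();
        try {
            connection.bind("cn=Directory Manager", "password".toCharArray());

            connection.modifyDN(rename("cn=Bob,ou=People,dc=example,dc=com", "cn=Ted"));
            Entry renamed = connection.readEntry("cn=Ted,ou=People,dc=example,dc=com", "cn");
            System.out.println("After rename: " + renamed.getAttribute("cn"));

            connection.modifyDN(move("cn=Ted,ou=People,dc=example,dc=com", "cn=Ted",
                    "ou=Contractors,dc=example,dc=com"));
            Entry moved = connection.readEntry("cn=Ted,ou=Contractors,dc=example,dc=com", "1.1");
            System.out.println("After move: " + moved.getName());
        } finally {
            connection.close();
            factory.close();
        }
    }
}
```

A modify DN changes the identifier that everything else points at: static group member values, ACI target and bind rules, and application records that store the DN all still name the old entry afterwards. Unless the server maintains referential integrity for you, plan to update those references in the same change.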
Deleting Directory Entries

The following excerpt demonstrates how to delete an entry with DN cn=Ted,ou=People,dc=example,dc=com. [jcp:org.forgerock.opendj.examples.ShortLife:--- JCite delete ---]

If you must delete an entire branch of entries instead of a single leaf entry, build a DeleteRequest that includes the SubtreeDeleteRequestControl, as described in the section, Subtree Delete Request Control.
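Deleting a leaf and then a whole branch, as an added example that is not the ShortLife.java code the page refers to. It uses the OpenDJ LDAP SDK 3.0 API (LdapException; ErrorResultException on 2.6), assumes OpenDJ on localhost port 1389 with cn=Directory Manager / "password", and assumes the entries cn=Ted,ou=People,dc=example,dc=com and a branch ou=Temp,dc=example,dc=com exist. It goes beyond the text in one respect: when the server does not advertise the subtree delete control, it falls back to deleting the children from the client, deepest first.

```java
import java.util.ArrayList;
import java.util.List;

import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.RootDSE;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.controls.SubtreeDeleteRequestControl;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.ldap.responses.SearchResultEntry;

/** Leaf delete, and branch delete with the subtree delete control or a client-side fallback. */
public final class DeleteExamples {

    /** The root DSE lists the controls the server accepts; check before relying on one. */
    static boolean supportsSubtreeDelete(Connection connection) throws LdapException {
        return RootDSE.readRootDSE(connection).getSupportedControls()
                .contains(SubtreeDeleteRequestControl.OID);
    }

    /** One request that the server applies as a unit. The control is marked critical so a
     *  server that would otherwise ignore it fails the request instead of deleting nothing. */
    static void deleteSubtreeWithControl(Connection connection, String dn) throws LdapException {
        connection.delete(Requests.newDeleteRequest(dn)
                .addControl(SubtreeDeleteRequestControl.newControl(true)));
    }

    /** Fallback: list the children (attribute "1.1" requests no attributes), recurse into
     *  each, then delete the parent. Not atomic: an entry added under dn meanwhile makes
     *  the final delete fail with NOT_ALLOWED_ON_NONLEAF, which is the server's guard. */
    static void deleteSubtreeRecursively(Connection connection, String dn) throws LdapException {
        List<SearchResultEntry> children = new ArrayList<SearchResultEntry>();
        connection.search(Requests.newSearchRequest(dn, SearchScope.SINGLE_LEVEL,
                "(objectClass=*)", "1.1"), children);
        for (SearchResultEntry child : children) {
            deleteSubtreeRecursively(connection, child.getName().toString());
        }
        connection.delete(dn);
    }

    static void deleteBranch(Connection connection, String dn) throws LdapException {
        if (supportsSubtreeDelete(connection)) {
            deleteSubtreeWithControl(connection, dn);
        } else {
            deleteSubtreeRecursively(connection, dn);
        }
    }

    public static void main(String[] args) throws LdapException {
        // Assumed deployment: OpenDJ on localhost:1389 with the entries named above.
        LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", 1389);
        Connection connection = factory.getConnection();
        try {
            connection.bind("cn=Directory Manager", "password".toCharArray());

            // A plain delete works for a leaf entry.
            connection.delete("cn=Ted,ou=People,dc=example,dc=com");

            // A plain delete of a container is refused; only then escalate to a branch delete.
            String branch = "ou=Temp,dc=example,dc=com";
            try {
                connection.delete(branch);
            } catch (LdapException e) {
                if (!ResultCode.NOT_ALLOWED_ON_NONLEAF.equals(e.getResult().getResultCode())) {
                    throw e;
                }
                deleteBranch(connection, branch);
            }
        } finally {
            connection.close();
            factory.close();
        }
    }
}
```

Trying the plain delete first and escalating only on NOT_ALLOWED_ON_NONLEAF means a caller that expected a leaf never silently removes a whole branch; if a branch delete is what you intend, call deleteBranch() directly and make sure the bound identity is allowed to delete everything under it, since the server checks access control for each entry the control removes.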
Updating Static Groups

Static groups list their members explicitly, one member attribute value per member entry, so they can grow large. For an example, see the group entry at the end of big-group.ldif:

dn: cn=Static,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupofnames
cn: Static
member: uid=user.0,ou=People,dc=example,dc=com
member: uid=user.1,ou=People,dc=example,dc=com
member: uid=user.2,ou=People,dc=example,dc=com
...
member: uid=user.10000,ou=People,dc=example,dc=com

To update a static group, you either add members or remove members. For sample code, see UpdateGroup.java, one of the OpenDJ LDAP SDK examples.

The UpdateGroup example checks whether the directory server supports the Permissive Modify control. With directory servers such as OpenDJ that support the LDAP Permissive Modify control, you can use the control to avoid having to determine whether a given member is already in the group before performing the operation. Instead you simply request an add or a delete modification for the member.

Updating a Group With Permissive Modify [jcp:org.forgerock.opendj.examples.UpdateGroup:--- JCite permissive ---]

If the directory server does not support the Permissive Modify control, then the example checks whether the member is present in the group by using an LDAP compare operation. If a member to be added does not yet belong to the group, the example requests an add modification. If a member to be deleted does belong to the group, the example requests a delete modification.

Updating a Group With Compare & Modify [jcp:org.forgerock.opendj.examples.UpdateGroup:--- JCite without permissive ---]

You can change multiple member values with a single modification. The final argument of this form of the ModifyRequest.addModification() method takes a series of one or more values.
So if you have multiple group members to add or delete, you can loop over your list to perform the individual compare requests, then construct a single modify request to add or delete the group members. In other words, if you have three members to add, you can list the three member DNs as arguments of addModification:

String member1 = "uid=user1,ou=people,dc=example,dc=com";
String member2 = "uid=user2,ou=people,dc=example,dc=com";
String member3 = "uid=user3,ou=people,dc=example,dc=com";

// Use ModificationType.DELETE instead of ADD to remove the members.
final ModifyRequest addMember = Requests.newModifyRequest(groupDN)
        .addModification(ModificationType.ADD, "member", member1, member2, member3);
connection.modify(addMember);

To try the example, download and import big-group.ldif into your directory server, and then run the sample. For example, if OpenDJ is set up with directory manager cn=Directory Manager, password password, listening on localhost port 1389, and you run the example with arguments localhost 1389 cn=Static,ou=Groups,dc=example,dc=com uid=user.5150,ou=People,dc=example,dc=com del, the resulting output is:

The entry with DN uid=user.5150,ou=People,dc=example,dc=com has been deleted from the group with DN cn=Static,ou=Groups,dc=example,dc=com.
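The two group-update strategies described in this section (Permissive Modify when the server advertises it, compare-then-modify otherwise), applied to a list of members in one modify request, as an added example that is not the UpdateGroup.java code the page refers to. It uses the OpenDJ LDAP SDK 3.0 API (LdapException; ErrorResultException on 2.6) and assumes OpenDJ on localhost port 1389 with cn=Directory Manager / "password" and the cn=Static group from big-group.ldif imported; the member list is constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.RootDSE;
import org.forgerock.opendj.ldap.controls.PermissiveModifyRequestControl;
import org.forgerock.opendj.ldap.requests.ModifyRequest;
import org.forgerock.opendj.ldap.requests.Requests;

/** Add or remove several members of a static group with a single modify request. */
public final class UpdateGroupMembers {

    static final String GROUP_DN = "cn=Static,ou=Groups,dc=example,dc=com";

    static boolean supportsPermissiveModify(Connection connection) throws LdapException {
        return RootDSE.readRootDSE(connection).getSupportedControls()
                .contains(PermissiveModifyRequestControl.OID);
    }

    /** With Permissive Modify, adding a present member or deleting an absent one is not an
     *  error, so no compares are needed: one round trip for the whole list. The control is
     *  critical so the request fails rather than running without the relaxed semantics. */
    static ModifyRequest permissiveRequest(ModificationType type, List<String> members) {
        return Requests.newModifyRequest(GROUP_DN)
                .addControl(PermissiveModifyRequestControl.newControl(true))
                .addModification(type, "member", members.toArray());
    }

    /** Without it, compare each member first and keep only the values the server will
     *  accept; a single ADD of a present value or DELETE of an absent one would fail the
     *  whole request. Returns null when there is nothing to change. */
    static ModifyRequest compareThenModify(Connection connection, ModificationType type,
            List<String> members) throws LdapException {
        List<String> needed = new ArrayList<String>();
        boolean adding = ModificationType.ADD.equals(type);
        for (String member : members) {
            boolean present = connection.compare(GROUP_DN, "member", member).matched();
            if (adding != present) {
                needed.add(member);
            }
        }
        return needed.isEmpty() ? null
                : Requests.newModifyRequest(GROUP_DN).addModification(type, "member", needed.toArray());
    }

    /** Applies the change, choosing the strategy from the root DSE. The compare path is
     *  not atomic: if another client changed the group between the compares and the modify,
     *  the server reports ATTRIBUTE_OR_VALUE_EXISTS or NO_SUCH_ATTRIBUTE, which here means
     *  the desired end state was already reached and is treated as success. */
    static void updateMembers(Connection connection, ModificationType type, List<String> members)
            throws LdapException {
        if (supportsPermissiveModify(connection)) {
            connection.modify(permissiveRequest(type, members));
            return;
        }
        ModifyRequest request = compareThenModify(connection, type, members);
        if (request == null) {
            return;
        }
        try {
            connection.modify(request);
        } catch (LdapException e) {
            ResultCode rc = e.getResult().getResultCode();
            if (!ResultCode.ATTRIBUTE_OR_VALUE_EXISTS.equals(rc) && !ResultCode.NO_SUCH_ATTRIBUTE.equals(rc)) {
                throw e;
            }
        }
    }

    public static void main(String[] args) throws LdapException {
        // Assumed deployment: OpenDJ on localhost:1389 with big-group.ldif imported.
        List<String> members = Arrays.asList(
                "uid=user.5150,ou=People,dc=example,dc=com",
                "uid=user.5151,ou=People,dc=example,dc=com",
                "uid=user.5152,ou=People,dc=example,dc=com");
        LDAPConnectionFactory factory = new LDAPConnectionFactory("localhost", 1389);
        Connection connection = factory.getConnection();
        try {
            connection.bind("cn=Directory Manager", "password".toCharArray());
            updateMembers(connection, ModificationType.DELETE, members);
            updateMembers(connection, ModificationType.ADD, members);
            System.out.println("Removed and re-added " + members.size() + " members of " + GROUP_DN);
        } finally {
            connection.close();
            factory.close();
        }
    }
}
```

Batching the values into one modification matters for large groups: the server applies the modification as one operation and replicates one change, instead of one per member. The compare-then-modify path is also where authorization shows: compare on the member attribute needs read (compare) access to the group, so a client granted only write access to member will see compareFalse for every member and must use the permissive path instead.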