LDAP-UX Client Services B.04.15 Administrator's Guide

When you specify the -t group option, ldapuglist displays the following fields for a group
entry:
cn
userPassword
gidNumber
memberUid
When you specify the -m option, the output format for both users and groups is changed to the
following:
dn: dn1
field1[attribute1]: value1
field2[attribute2]: value2
field3[attribute3]:: base64-encoded-value3
...
6.3.4.5 Special Considerations for Output Format
This section describes special considerations for the output format from ldapuglist that you
may need to be aware of.
6.3.4.5.1 Multi-Valued Attributes
Although some of the attributes used in LDAP directory servers are multi-valued attributes, the
ldapuglist tool displays only the first value discovered for each RFC 2307 attribute for each
entry, because these fields appear only once in a POSIX account or group. For non-RFC 2307
attributes (those specified via the <attr> argument list), if the attribute is multi-valued,
ldapuglist displays multiple values. This rule does not apply to the memberUid field because
POSIX groups can have multiple members.
Because the gecos attribute can be mapped to multiple attributes, the gecos field can appear
multiple times in an entry if you use the -m option, once for each mapped attribute. For example,
if the gecos attribute is mapped to cn, l and telephoneNumber, ldapuglist displays the gecos
field once for each mapped attribute as follows:
gecos[cn]: Bill Hu
gecos[l]: Building 6A
gecos[telephoneNumber]: +1-555-555-4321
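The following Python parser for the -m output format is an added example, not part of this guide or of LDAP-UX. It keeps every occurrence of a repeated field (gecos, memberUid) and decodes values marked with "::". It assumes that each entry starts at a "dn:" line, that values are not folded across lines, and that base64 values hold UTF-8 text; the function name and the sample data are constructed for illustration.

```python
import base64
import re

# Matches "field[attribute]: value" and "field[attribute]:: base64-value".
LINE_RE = re.compile(r"^([^\[\]:\s]+)\[([^\]]+)\](::?)\s*(.*)$")


def parse_m_output(text):
    """Parse `ldapuglist -m` style text into a list of entries.

    Returns [{"dn": str, "fields": {field: [(attribute, value), ...]}}].
    Assumptions: each entry starts at a "dn:" line, values are not folded
    across lines, and base64 values hold UTF-8 text.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("dn:"):
            entries.append({"dn": line[3:].strip(), "fields": {}})
            continue
        match = LINE_RE.match(line)
        if match is None or not entries:
            raise ValueError(f"unexpected line: {line!r}")
        field, attribute, sep, value = match.groups()
        if sep == "::":  # double colon marks a base64-encoded value
            value = base64.b64decode(value, validate=True).decode("utf-8")
        # Keep every occurrence: gecos and memberUid may repeat in an entry.
        entries[-1]["fields"].setdefault(field, []).append((attribute, value))
    return entries


# Constructed sample input (not captured from a real directory).
SAMPLE = """\
dn: cn=Bill Hu,ou=People,dc=example,dc=com
uidNumber[uidNumber]: 1001
gecos[cn]: Bill Hu
gecos[l]:: QsO8cm8gNkE=
gecos[telephoneNumber]: +1-555-555-4321
dn: cn=staff,ou=Groups,dc=example,dc=com
cn[cn]: staff
gidNumber[gidNumber]: 200
memberUid[memberUid]: bhu
memberUid[memberUid]: akim
"""

if __name__ == "__main__":
    for entry in parse_m_output(SAMPLE):
        print(entry["dn"], entry["fields"])
```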
6.3.4.5.2 Non-POSIX Accounts and Groups
If you use ldapuglist with the -F option, ldapuglist displays users and groups that are
not posixAccounts or posixGroups. Thus, these entries may not contain the required fields that
store POSIX account and group information (such as the uidNumber attribute). When displaying
these entries, the specified fields are missing from the output. As non-POSIX accounts and groups
are not required to contain POSIX attributes, use of the -L option may result in unexpected
output. Data between the “:” characters may be empty, such as “::x:::”.
6.3.4.5.3 Encoding of the DN
ldapuglist displays DN strings according to the encoding rules defined in RFC 4514. The
escape character “\” precedes each special character, which is written either as the character
itself or as its two-digit hexadecimal representation.
6.3.4.5.4 Passwords
In some cases, ldapuglist cannot access the user or group password fields. This can occur in
the following cases:
• The ldapuglist tool has insufficient privilege to access the password field.
• The passwords are not used to authenticate users (such as when X.500 certificates are used).
• The password is not stored in the LDAP directory server. The password might be stored in
  a third-party repository such as a Kerberos Key Domain Controller.
• The password is stored in a format that cannot be parsed by HP-UX (such as {SSHA}, the
  Salted Secure Hash Algorithm).