LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

Each template file can be built using custom attributes and values. Customized attribute
values are defined using the ${<name>} construct. However, for each non-RFC2307 attribute
used, you must specify each of those attributes on the command line with an
“<attr>=<value>” pair argument when using ldapugadd to create a new entry.
For example, the following command adds the non-RFC2307 attribute and value pair,
sn=Michael, with the uid name Mhu to a new user entry based on the default template file,
ug_passwd_default.tmpl:
ldapugadd -t passwd -f "Michael Hu" Mhu -c "an example user entry" "sn=Michael"
Each template file can contain comment lines. Each comment line must begin with the “#”
character.
Do not specify the userPassword attribute in the template file. Use the -PP option or the
LDAP_UGCRED environment variable to specify an initial password of the user or group
being created.
You cannot specify the memberUid attribute in the template file, because the number of
eventual members of a group cannot be statically defined when the group is newly created.
The ldapugadd tool ignores the memberUid attribute if it is specified in the template file.
Multi-Valued Attributes in Template Files
LDAP-UX supports multi-valued attributes defined in a template file. This means that the same
attribute name and/or value can be specified more than once in the template file.
For example, in the following template file, secondaryTeams is a multi-valued attribute that
can be specified twice for each new posixAccount entry created. In this case, ldapugadd fills
each attribute value in the order specified in the template file, based on the order in which
those attributes are specified on the command line. If not enough attribute values are specified
on the command line to fill the attribute values used in the template file, ldapugadd returns an error.
dn: uid=${uid},ou=people,${basedn}
objectclass: person
objectclass: posixAccount
sn: ${sn}
primaryTeam: ${primaryTeam}
secondaryTeams: ${secondaryTeams}
secondaryTeams: ${secondaryTeams}
${posixProfile}
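To make the fill order and the "not enough values" rule concrete, the following is an added Python re-implementation of the template expansion described above; it is not ldapugadd's own code. It assumes that uid and basedn are supplied by the tool itself rather than consumed as attr=value pairs, and it applies the comment-line, userPassword and memberUid rules exactly as the text states them.

```python
import re
from collections import defaultdict

# Constructed template, modelled on the multi-valued example above; a comment
# line and a memberUid line are added to exercise the rules the text describes.
TEMPLATE = """\
# example template (comment lines are skipped)
dn: uid=${uid},ou=people,${basedn}
objectclass: person
objectclass: posixAccount
sn: ${sn}
primaryTeam: ${primaryTeam}
secondaryTeams: ${secondaryTeams}
secondaryTeams: ${secondaryTeams}
memberUid: ${memberUid}
"""

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def expand_template(template, pairs, uid, basedn):
    """Fill ${name} placeholders from "attr=value" pairs in command-line order.

    Each occurrence of ${name} consumes the next value supplied for that name,
    so a placeholder repeated N times needs N values.  uid and basedn are
    treated as fixed values known to the tool (assumption), not consumed.
    """
    if re.search(r"^userPassword:", template, re.M):
        raise ValueError("userPassword must not appear in a template file")
    pending = defaultdict(list)
    for pair in pairs:
        attr, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"expected attr=value, got {pair!r}")
        pending[attr].append(value)
    fixed = {"uid": uid, "basedn": basedn}

    def fill(match):
        name = match.group(1)
        if name in fixed:
            return fixed[name]
        if not pending[name]:  # ran out of command-line values for this name
            raise ValueError(f"no value supplied for ${{{name}}}")
        return pending[name].pop(0)

    entry = []
    for line in template.splitlines():
        if line.startswith("#") or line.startswith("memberUid:"):
            continue  # comment lines and memberUid are ignored by the tool
        entry.append(PLACEHOLDER.sub(fill, line))
    return entry
```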
Security Considerations
The following are security considerations when using ldapugadd:
Use of ldapugadd requires permissions of an LDAP administrator when it performs its
operations on the directory server. The rights for creation of new LDAP directory entries
under the requested subtree, along with creation of the required attributes in that entry must
be granted to the LDAP administrator identity when executing ldapugadd.
As with any POSIX-type identity, the HP-UX operating system uses the specified user and
group ID number to determine rights and capabilities in the OS as well as in the file system.
For example, the root user ID, 0, typically has unlimited OS administration and file access
rights. Before creating a new entry, you must be aware of the selected user and group ID
number and any policy that may be associated with that ID.
If you use ldapugadd to randomly assign a user or group ID number, it only checks for ID
collisions found in the LDAP directory server, and not other policy repositories. When you
set user and group ID number ranges by using the -D -u or -D -g option, you must set a
range that is not used by other user or group ID repositories, and ensure that collisions will
not occur with existing users or groups that exist in other repositories.
Modification of this identity repository will likely have impacts as defined by the
organization’s security policy. Users of ldapugadd are expected to have full knowledge of
the impact to the organization’s security policy when adding new identity information to
that identity repository.