Manualshelf

LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software
211212213214215216217218219220
Table Of Contents
The ldapugdel Tool
Use the ldapugdel tool to remove POSIX-related user or group entries from an LDAP directory
server. If you use ldapugdel with the -O option, ldapugdel removes the POSIX related
attributes and object classes from user or group entries, without removing the entire entry itself.
Removing Attributes Only
Because mapped attributes are attributes that are often shared with other LDAP-enabled
applications, ldapugdel does not support attribute mapping. For example, if the uidNumber
attribute has been mapped to the employeeNumber attribute, ldapugdel attempts to remove
uidNumber and not employeeNumber.
The usePassword, uid, cn, and description attributes are commonly used by most other
user and group schemas. With the -O option, the ldapugdel tool does not attempt to remove
these attributes. The uidNumber, gidNUmber, loginShell, homeDirectory, gecos, and
memberUid attributes are more unique to the POSIX schema, and are removed when the -O
option is specified.
The -O option functions properly with a Windows 2003 R2 ADS, because it uses standard RFC
2307 attributes with exception of the homeDirectory attribute. If ldapugdel is used to access
a Windows 2003 R2 ADS, the ldapugdel -t passwd -O command removes the
posixAccount object class and attributes, uidNumber, gidNumber, loginShell, and gecos.
The ldapugdel -t group -O command removes the posixGroup object class and the
gidNumber, memberUId, and userPassword attributes.
NOTE: The Microsoft Services for UNIX (SFU) schema does not use RFC 2307 standard attributes
and ldapugdel does not support attribute mapping, the -O option does not function when
ldapugdel is used to access a Windows ADS 2000/2003 with msSFU 2.0 or msSFU 3.0/3.5 schema
installed.
The ldapugdel tool also supports a <protAttr> list with the -O option that enables you to
tell ldapugdel not to remove specific attributes defined in the <protoAttr> list.
Using the -t -O -x option forces ldapugdel to remove the additional attributes, cn, uid or
description. Removal of these attributes only occurs if allowed by the remaining object classes
for that entry.
For detailed information, see the description of the -O, -x and -y arguments that follow.
Synopsis
ldapugdel [options] [-t <type>] [-h <hostname>] [-p <port>]
[-O [<protAttr>[,...]]] <-D <DN>|<uid_name>|<group_name>>
Options
The ldapugdel tool supports the following command options:
-P
Prompts for the administrator's bind identity (typically LDAP DN or Kerberos principal)
and bind password. If you do not specify the -P option, ldapugdel discovers the bind
identity and password from the environment variables LDAP_BINDDN and
LDAP_BINDCRED. If you do not specify the LDAP_BINDDN and LDAP_BINDCRED
environment variables, ldapugdel uses the bind configuration specified in the LDAP-UX
configuration profile. If the LDAP-UX configuration profile specifies the “proxy” bind,
ldapugdel reads the bind credential from either the /etc/opt/ldapux/acred or
the /etc/opt/ldapux/pcred file. The /etc/opt/ldapux/acred file is only used
by users who have sufficient administrative privilege to read this file.
-x Uses this option only with the -O option. Use -O -x -t passwd to force the ldapugdel
tool to remove the common uid, cn and description attributes from a user entry.
Use -O -x -t group to force the ldapugdel tool to remove the cn and description
attributes from a group entry. Because use of -x removes common attributes typically
used by other LDAP-enabled applications, HP rarely recommends you to use the -x
LDAP User and Group Management Tools 213