LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

In addition, comments are allowed. Comments are on a separate line and the first character is the
# (hash) character.
Guidelines for template files
Use the following guidelines when creating template files:
Use the first line of the template file to define the distinguished name (DN) of the new entry.
Because each DN is unique, the first component of the DN (the relative distinguished name
or RDN) must be able to construct a unique value for each new entry. Define the RDN using
a ${<name>} construct. Typically, you can use the cn or uid attribute in the RDN for new
user entries and the cn attribute for new group entries.
Define each template file for only one entry in the LDAP directory server.
Each template file can be built using custom attributes and values. Customized attribute values
are defined using the ${<name>} construct. However, for each non-RFC 2307 attribute used,
you must specify each of those attributes on the command line with an "<attr>=<value>"
pair argument when using ldapugadd to create a new entry.
For example, the following command adds the non-RFC 2307 attribute and value pair,
sn=Michael, with the UID name Mhu to a new user entry based on the default template file,
ug_passwd_default.tmpl:
ldapugadd -t passwd -f "Michael Hu" Mhu -c "an example user entry" "sn=Michael"
Each template file can contain comment lines. Each comment line must begin with the “#”
character.
Do not specify the userPassword attribute in the template file. Use the -PP option or the
LDAP_UGCRED environment variable to specify an initial password of the user or group being
created.
You cannot specify the memberUid attribute in the template file, because the number of
eventual members of a group cannot be statically defined when the group is newly created.
The ldapugadd tool ignores the memberUid attribute if specified in the template file.
9.3.5.6.4 Multi-valued attributes in template files
LDAP-UX supports multi-valued attributes defined in a template file. This means that the same attribute
name or value may be specified more than once in the template file.
For example, in the following template file, secondaryTeams is a multi-valued attribute that may
be specified twice for each new posixAccount entry created. In this case, ldapugadd fills each
attribute value in the order specified in the template file, based on the order in which those
attributes are specified on the command line. If not enough attribute values are specified on the
command line to fill the attribute values used in the template file, ldapugadd returns an error.
dn: uid=${uid},ou=people,${basedn}
objectclass: person
objectclass: myOrg
objectclass: posixAccount
sn: ${sn}
primaryTeam: ${primaryTeam}
secondaryTeams: ${secondaryTeams}
secondaryTeams: ${secondaryTeams}
${posixProfile}
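The template guidelines and the fill order for multi-valued attributes described above can be checked before a template is handed to ldapugadd. The following Python code is an added example, not part of this guide or of LDAP-UX; the function names lint_template and fill_template, the BUILTINS dictionary (values assumed to be supplied by the tool itself) and all sample values are assumptions made for illustration.

```python
import re

VAR = re.compile(r"\$\{([^}]+)\}")

def _entries(template):
    # Drop blank lines and comment lines (first character is '#').
    return [l for l in template.splitlines() if l.strip() and not l.startswith("#")]

def lint_template(template):
    """Return the guideline violations found in one template file."""
    lines, problems = _entries(template), []
    if not lines or not lines[0].lower().startswith("dn:"):
        problems.append("first line must define the DN")
    elif not VAR.search(lines[0][3:].split(",", 1)[0]):
        problems.append("RDN must use a ${<name>} construct")
    attrs = [l.split(":", 1)[0].strip().lower() for l in lines]
    if attrs.count("dn") > 1:
        problems.append("template must define only one entry")
    if "userpassword" in attrs:
        problems.append("userPassword must not be in the template")
    if "memberuid" in attrs:
        problems.append("memberUid is ignored by ldapugadd")
    return problems

def fill_template(template, builtins, pairs):
    """Expand ${name} slots; pairs are "<attr>=<value>" in command-line order."""
    queues = {}
    for pair in pairs:
        attr, _, value = pair.partition("=")
        queues.setdefault(attr, []).append(value)
    def take(match):
        name = match.group(1)
        if name in builtins:            # assumed to come from the tool itself
            return builtins[name]
        if not queues.get(name):        # fewer values than template slots
            raise ValueError("not enough values for ${%s}" % name)
        return queues[name].pop(0)      # next value, in command-line order
    return "\n".join(VAR.sub(take, l) for l in _entries(template))

# Constructed sample: a shortened form of the template above, made-up values.
TEMPLATE = """\
# sample template
dn: uid=${uid},ou=people,${basedn}
objectclass: posixAccount
sn: ${sn}
secondaryTeams: ${secondaryTeams}
secondaryTeams: ${secondaryTeams}
${posixProfile}
"""
BUILTINS = {"uid": "mhu", "basedn": "dc=example,dc=com", "posixProfile": "uidNumber: 5000"}
```

Calling fill_template with two secondaryTeams pairs fills both slots in command-line order; supplying only one raises ValueError, matching the error behaviour described above.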
9.3.5.7 Security considerations
The following are security considerations when using ldapugadd:
Use of ldapugadd requires permissions of an LDAP administrator when it performs its
operations on the directory server. The rights for creation of new LDAP directory entries under