ldapugadd.1m (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

ldapugadd(1M) ldapugadd(1M)

NAME

ldapugadd - add new accounts or groups to an LDAP directory server

SYNOPSIS

ldapugadd [-t passwd][options ][

-h hostname ][-p port ][-b base][

-u uid_number ]

[

-g group/gid][

-f full_name ][-x domain][-G group/gid[

,...] [-s login_shell ]

[

-d home_directory][

-I gecos ][-c

comment][-m [-k skel_dir ]] [-T template_ﬁle] uid_name

[[attr

=value][...]]

ldapugadd -t group [options ][

-h hostname ][-p port ][-b base ][-g

gid_number]

[

-x domain][-M

member[,...]] [-c comment][-T template_ﬁle] group_name

[[attr

=value][...]]

ldapugadd -D [-d default_home ][

-s default_shell][

-g default_gid ][-u min_uid:max_uid]

[

-g min_gid:max_gid]

DESCRIPTION

ldapugadd allows HP-UX administrators to add new POSIX accounts or groups to an LDAP directory

server (see ﬁrst and second syntaxes in SYNOPSIS above). Furthermore,

ldapugadd can be used to

modify the

/etc/opt/ldapux/ldapug.conf

ﬁle to set defaults for creation of new users or groups

(see the third syntax in the SYNOPSIS above).

ldapugadd makes use of user and group template ﬁles that allow ldapugadd to conform to the infor-

mation model used for the types of entries being created. Users of ldapugadd are required to provide

LDAP administrator credentials that have sufﬁcient privilege to perform the user or group add operation

in the LDAP directory server.

Options

-P Prompt for the administrators bind identity (typically LDAP DN or kerberos principal) and bind

password.

Without

-P, ldapugadd will discover the bind identity and password from the environment

variables LDAP_BINDDN and LDAP_BINDCRED

. If either the LDAP_BINDDN or

LDAP_BINDCRED environment variable has not been speciﬁed, ldapugadd will follow the bind

conﬁguration speciﬁed in the ldapux conﬁguration proﬁle (see ldapux (5)).

ldapux has speciﬁed "proxy" bind, the bind credential will be read from either the

/etc/opt/ldapux/acred

or /etc/opt/ldapux/pcred ﬁle. The acred ﬁle will only be

used by users that have sufﬁcient administrative privileges to read that ﬁle. Refer to Binding to

the Directory Server below for additional details.

-PP Prompt for the password of the user or group being created. Also, if ldapUX (5) attributed map-

ping for the userPassword attribute has not been deﬁned or set to

*NULL*, ldapugadd will

create new passwords in the userPassword attribute. To assure accuracy, the user will be

prompted twice for the password.

ldapugadd relies on the directory server for setting of pass-

word policy, such as user-must-change-password-at-ﬁrst-login.

-PW Set the user or group password attribute. Also, if ldapux (5) attributed mapping for the user-

Password attribute has not been deﬁned or set to *NULL*, ldapugadd will create new pass-

words in the userPassword attribute. If -PW is speciﬁed, either the LDAP_UGCRED environment

variable or the -PP option must be speciﬁed.

-Z Requires an SSL connection to the directory server, even if the ldapux(5) conﬁguration does not

require the use of SSL. Use of -Z requires either a valid server or CA certiﬁcate be deﬁned in

the /etc/opt/ldapux/cert8.db ﬁle. An error will occur if the SSL connection could not be

established. Refer to Binding to the Directory Server below for additional details.

-ZZ Attempt a TLS connection to the directory server, even if the ldapux (5) conﬁguration does not

require the use of TLS. If a TLS connection is unable to be established a non-TLS and non-SSL

connection will be established. Use of -ZZ is not recommended unless alternative methods are

used to protect from network eavesdropping. Use of -ZZ requires either a valid server or CA

certiﬁcate be deﬁned in the /etc/opt/ldapux/cert8.db ﬁle. Refer to Binding to the Direc-

tory Server below for additional details.

-ZZZ Requires a TLS connection to the directory server, even if the ldapux (5) conﬁguration does not

require the use of TLS. Use of -ZZZ requires either a valid server or CA certiﬁcate be deﬁned in

the /etc/opt/ldapux/cert8.db ﬁle. An error will occur if the TLS connection could not be

established. Refer to Binding to the Directory Server below for additional details.

HP-UX 11i v3: June 2010 Web Release − 1 − Hewlett-Packard Company 1

Summary of content (12 pages)

PAGE 1
ldapugadd(1M) ldapugadd(1M) NAME ldapugadd - add new accounts or groups to an LDAP directory server SYNOPSIS ldapugadd [-t passwd] [options ] [-h hostname ] [-p port ] [-b base ] [-u uid_number ] [-g group /gid] [-f full_name ] [-x domain ] [-G group/gid[,...] [-s login_shell ] [-d home_directory] [-I gecos ] [-c comment ] [-m [-k skel_dir ]] [-T template_file ] uid_name [[attr =value][...]] ldapugadd -t group [options ] [-h hostname ] [-p port ] [-b base ] [-g gid_number ] domain ] [-M [-x member[,...
PAGE 2
ldapugadd(1M) -F ldapugadd(1M) Force creation of new user or group entries even if particular error conditions occur. These are: • The user name or group name already exists in the directory server. • The user id or group id number already exists in the directory server • The shell specified with the -s option does not exist on the local system or is not an executable. • Adding a member to a group when that member is not defined in the LDAP directory.
PAGE 3
ldapugadd(1M) ldapugadd(1M) the specified end values. The colon character (:) will be used to indicate a range has been specified, instead of the default_gid specified above. -u min_uid :max_uid Sets new default minimum and maximum ranges that ldapugadd will use when provisioning an uid number for newly created user entries. The uid range is inclusive of the specified end values. Arguments Applicable to ’-t passwd’ -u uid_number Specifies the user’s numeric ID number.
PAGE 4
ldapugadd(1M) ldapugadd(1M) If this argument is not specified, the user will not be added to alternate groups. -s login_shell Specifies the full path name to the executable that will be used to handle login sessions for this user. If this argument is not specified, the default, as configured by ldapugadd -D -s default_shell, will be used. -d home_directory Specifies the full path name (including the user name) of the user’s home directory.
PAGE 5
ldapugadd(1M) ldapugadd(1M) uid_name is a required parameter, and it must follow all command-line options and must precede the attr =value parameters (if provided). -m Create a new home directory for the defined user. User and group ownership of the newly created directory will be assigned to the user and his/her primary login group.
PAGE 6
ldapugadd(1M) ldapugadd(1M) Use of -F is not recommended, and will not succeed if the directory server does not support the memberUid attribute. ldapugadd will follow the same membership syntax as defined by ldapux (5) attribute mapping. Specifically, if ldapux (5) has mapped the RFC2307 group membership attribute (memberUid ) to a DN-based membership attribute such as member or uniqueMember , then ldapugadd will define membership using the DN of the specified user.
PAGE 7
ldapugadd(1M) ldapugadd(1M) dn: cn=${cn},ou=users,${basedn} objectclass: group ${posixProfile} sAMAccountName: ${cn} msSFU30NisDomain: ${domain} Each template file must follow the LDIF data format and also allow for substitution of values from the ldapugadd command. Two default template files (for user and group entries) for standard directory servers, along with two default template files for ADS are provided under /etc/opt/ldapux/ug_templates.
PAGE 8
ldapugadd(1M) ldapugadd(1M) ${name } construct. Typically the cn or uid attribute would be used in the RDN for new passwd entries and the cn attribute would be used for new group entries. • The userPassword attribute can not be specified in the template file. See the -PP option for additional information about specifying an initial user or group password.
PAGE 9
ldapugadd(1M) ldapugadd(1M) All LDAP-UX default template files will be stored in the /etc/opt/ldapux/ug_templates directory. A full or relative path name must begin with either the slash (/) or dot (.) characters. If unspecified, either of the following default template file will be used: • • /etc/opt/ldapux/ug_templates/ug_passwd_default.tmpl, or /etc/opt/ldapux/ug_templates/ug_group_default.tmpl.
PAGE 10
ldapugadd(1M) ldapugadd(1M) Note also that shells (4) command history log may contain copies of the executed commands that show setting of these variables. Access to a shell’s history file must be protected. Specification of the LDAP administrator’s credentials on the command line is not allowed since information about the currently running processes can be exposed externally from the session.
PAGE 11
ldapugadd(1M) ldapugadd(1M) RETURN VALUE Upon exit, ldapugadd returns the following: 0 <>0 Success. ldapugadd exits with no errors or with one or more warnings. ldapugadd returns with a non-zero exit status if it encounters an error, and messages will be logged to stderr. Messages will follow the below format: code message ERROR: or WARNING: code message Leading extra white space may be inserted to improve readability and follow 80 column screen formatting.
PAGE 12
(Notes) A (Notes) lA 12 Hewlett-Packard Company −1− HP-UX 11i v3: June 2010 Web Release