ldapuglist.1m (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

ldapuglist(1M) ldapuglist(1M)

NAME

ldapuglist - display and enumerate POSIX-like account and group entries in an LDAP directory server

SYNOPSIS

ldapuglist [options ][-t type ][

-h hostname ][-p port ][-b base ][

-s scope ]

[

-n name |{-f

|-F} ﬁlter ][-N maxcount ][attr ...]

DESCRIPTION

ldapuglist is a command-line tool used to display and enumerate POSIX-like account and group

entries that reside in an LDAP directory server.

Although

ldapuglist provides similar output as compared with the

ldapsearch command, it has

been provided to meet a few speciﬁc feature requirements. These features allow applications to discover

and evaluate account and group information stored in an LDAP directory server, without requiring inti-

mate knowledge of the methods used retrieve and evaluate that information in the LDAP directory

server.

Except for the optional trailing attr list, all parameters speciﬁed above are not positional dependent.

•

ldapuglist uses the existing ldapux (5) conﬁguration, requiring minimal command-line options to

discover where to search for account/group information, such as which directory server(s) to contact

and proper search ﬁlters for ﬁnding accounts and groups. This tool provides command options that

allow you to alter these conﬁguration parameters.

•

ldapuglist uses the existing ldapux (5) authentication conﬁguration to determine how to bind to

the LDAP directory server.

•

ldapuglist supports attribute mapping as conﬁgured by ldapux (5). Fields returned from

ldapuglist will use a consistent format, similar to that deﬁned by RFC2307, even when different

attributes are actually used to store the information in the directory server.

Note, that although that format is similar to LDIF, it is not LDIF. Major differences include:

• Objectclasses will not be displayed.

• By default only POSIX-related attributes will be displayed by

ldapuglist, unless an attribute

list is speciﬁcally requested on the command line.

• Output lines will not be broken after 80 columns.

Options

-m When -m is speciﬁed, ldapuglist will expose the names of the mapped attributes when

returning results. Normally ldapuglist will return results as:

ﬁeldname

: value

where:

fieldname is one of the pre-deﬁned RFC2307 attribute names.

value is the resulting value for that ﬁeld, after attribute mapping has been applied.

With

-m, the actual attribute name will be exposed as follows:

ﬁeldname[attributename]

: value

For example, if the RFC2307 attribute gecos has been mapped to the cn, l (location), and

telephoneNumber attributes, without the

-m option, the output of the gecos ﬁeld would appear

as:

gecos

: value-of-cn,value-of-l ,value-of-telephoneNumber,

When -m is used, and assuming the same conditions as above, the output representing the gecos

ﬁeld would appear as:

gecos[cn]

: value-of-cn

gecos[l]: value-of-l

gecos[telephoneNumber]: value-of-telephoneNumber

Note that when a ﬁeld has been mapped to multiple attributes, those attributes will appear in

the order as deﬁned in the ldapux (5) conﬁguration.

The

-m option does not apply if the -L option is speciﬁed.

HP-UX 11i v3: June 2010 Web Release − 1 − Hewlett-Packard Company 1

Summary of content (10 pages)

PAGE 1
ldapuglist(1M) ldapuglist(1M) NAME ldapuglist - display and enumerate POSIX-like account and group entries in an LDAP directory server SYNOPSIS ldapuglist [options ] [-t type ] [-h hostname ] [-p port ] [-b base ] [-s scope ] [-n name | {-f|-F} filter ] [-N maxcount ] [attr ...] DESCRIPTION ldapuglist is a command-line tool used to display and enumerate POSIX-like account and group entries that reside in an LDAP directory server.
PAGE 2
ldapuglist(1M) -L ldapuglist(1M) Display the password or group output in the following formats: /etc/passwd format: uid:userPasswd:uidNumbr :gidNumbr :gecos :homeDirectory:loginShell /etc/group format: cn:userPasswd:gidNumber ,memberUid ,... The -m option is ignored when the -L option is specified. The attr parameter list is invalid when the -L option is specified. -P Prompt for the bind identity (typically LDAP DN or Kerberos principal) and bind password.
PAGE 3
ldapuglist(1M) -n name ldapuglist(1M) Provides a simplified method for discovering a single account or group. Use of -n is the same as -f"(uid=name)" for accounts and -f"(cn=cname)" for groups. -F and -f may not be specified on the command line if -n is used. -b base This option overrides the search base as defined in the ldapux (5) configuration. base is a distinguished name (DN) that describes the highest location in the directory tree where to start the search.
PAGE 4
ldapuglist(1M) ldapuglist(1M) Service for the list of attributes that may be mapped. • -F filter Specifying -n and -f on the same command line will result in an error. Similar to -f, except that filter is assumed to be immutable, and neither the ldapux (5) user nor group filter from the configuration profile will be amended to the specified filter, nor will attribute mapping apply to the filter .
PAGE 5
ldapuglist(1M) ldapuglist(1M) As with ldapux (5), ldapuglist will attempt to contact the first available directory server as defined in the ldapux (5) host list. As soon as a connection is established, further directory servers on the host list will not be contacted. Once connected, ldapuglist will first determine if the environment variables LDAP_BINDDN and LDAP_BINDCRED have been specified.
PAGE 6
ldapuglist(1M) ldapuglist(1M) When the -t group option is specified, the following fields will be returned: cn userPassword gidNumber memberUid Note that when the -m option is specified, the output format will change (for both users and groups) to: dn : dn1 field1[attribute1 ] : value1 field2[attribute2 ] : value2 field3[attribute3 ] :: base64-encodeded-value3 Special Considerations for Output Format Multi-Valued Attributes Although some of the attributes used in LDAP directory servers are considered mult
PAGE 7
ldapuglist(1M) ldapuglist(1M) • The password is not stored in the LDAP directory server. The password might be stored in a thirdparty repository such as a Kerberos KDC. • The password is stored in a format un-parsable by HP-UX (such as SSHA, the Salted Secure Hash Algorithm). If the password is not available to ldapuglist, the userPassword field will not be displayed. If the -L option is specified, the password field will contain the "x" character.
PAGE 8
ldapuglist(1M) ldapuglist(1M) # export LDAP_BINDDN="cn=Directory Manager" # export LDAP_BINDCRED="password" # ldapuglist -u -m -f "(uidd=apierce)" dn: cn=Alan Pierce,ou=people,ou=IT,dc=FutureWidget,dc=com cn[cn]: Alan Pierce uid[uid]: apierce uidNumber[employeeNumber]: 22014 gidNumber[gidNumber]: 318 homeDirectory[homeDirectory]: /home/apierce loginShell: /usr/bin/ksh gecos[cn]: Alan Pierce gecos[l]: San Francisco gecos[telephoneNumber]: +1 505-555-6525 Listing all POSIX accounts held by users in San Fran
PAGE 9
ldapuglist(1M) gidNumber: memberUid: memberUid: memberUid: ... ldapuglist(1M) 542 mdiaz apierce bjones Listing posixGroups which have Mike Diaz (uid=mdiaz) as a member defined using memberUid syntax. # ldapuglist -t group -f "(memberUid=mdiaz)" dn: cn=mygroup1,ou=groups,ou=IT,dc=FutureWidges,dc=com cn: mygroup1 gidNumber: 542 memberUid: mdiaz memberUid: apierce memberUid: bjones ...
PAGE 10
ldapuglist(1M) ldapuglist(1M) LIMITATIONS • ldapuglist will not support enumeration of members of a dynamic group, such as those defined by the attributes: memberUrl , nxSearchFilter, msDS-AzLDAPQuery, etc. • ldapuglist will not perform conversion of the locale character set to/from the UTF-8 character set. • ldapuglist will not display attributes to which it does not have access rights in the LDAP directory server.