ldapuglist.1m (2010 09)
ldapuglist(1M) ldapuglist(1M)
As with ldapux(5), ldapuglist will attempt to contact the first available directory server as defined in
the ldapux(5) host list. As soon as a connection is established, further directory servers on the host list
will not be contacted.
Once connected, ldapuglist will first determine if the environment variables LDAP_BINDDN and
LDAP_BINDCRED have been specified. If so, then ldapuglist will attempt to bind to the directory
server using the specified credentials and configured LDAP-UX authentication method.
If the above mentioned environment variables have not been specified, then ldapuglist will determine
if the configured credential type is "proxy" and if so, attempt to bind to the directory server using the
configured LDAP-UX proxy credential. If configured, the acred proxy credential will be used for
administrative users (determined if the user running ldapuglist has enough privilege to read the
/etc/opt/ldapux/acred file). Otherwise the credential configured in /etc/opt/ldapux/pcred will be used.
Note: to prevent discovery of the LDAP administrator’s credentials, the LDAP user DN and password
may not be specified as command-line options to the ldapuglist utility.
Security Considerations
In order to support non-interactive use of the ldapuglist command, specification of the LDAP
administrator’s credentials is required through use of the LDAP_BINDDN and LDAP_BINDCRED
environment variables. To prevent exposure of these environment variables, they should be unset after use.
Note also that a shell’s command history log (see shells(4)) may contain copies of the executed commands
that show setting of these variables. Access to a shell’s history file must be protected. Specification of
the LDAP administrator’s credentials on the command line is not allowed since information about the
currently running processes can be exposed externally from the session.
Use of the -P option eliminates the need to set the mentioned environment variables by interactively
prompting for the required credentials.
LDAP-UX PROFILE
ldapuglist makes use of the LDAP-UX configuration profile to determine the information model used
in the directory server to store POSIX attributes. Please refer to the LDAP-UX Client Services
Administrator’s Guide for additional information about the configuration profile.
OUTPUT FORMAT
Output from ldapuglist will follow a consistent format, regardless of which attributes are used to
define information in an LDAP directory. The output format is:
dn: dn1
field1: value1
field2: value2
field3:: base64-encoded-value3

dn: dn2
field1: value1
field2: value2
Each entry will be preceded by a DN, followed by one or more field-value pairs. The DN and each field-
value pair will be on a separate line, separated by a carriage-return and line-feed character. The field
and value will be separated by a colon and space character. And each entry will be separated by a blank
line.
In the case when an unencodable character is encountered (carriage-return or line-feed for example) in a
value string, the whole value will be base64 encoded and the field-value separator will change to two
colons and a space character. See Unencodable Characters below.
When the -t passwd option is specified, the following fields will be returned:
cn
uid
userPassword
uidNumber
gidNumber
homeDirectory
loginShell
gecos
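A parser for the output format described above, given as an added example that is not part of the original manual page or of LDAP-UX. It decodes "::" values and keeps an embedded line feed inside the value it belongs to, so encoded text can never be read as an extra field line. The function name parse_ldapuglist, the sample entries and the UTF-8 decoding are assumptions made for illustration.

```python
import base64

def parse_ldapuglist(text):
    """Return [{"dn": str, "fields": [(name, value), ...]}, ...] (hypothetical helper)."""
    entries, current = [], None
    # Lines end in CR+LF per the description above; bare LF is accepted too.
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():              # a blank line separates entries
            current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"not a field-value line: {line!r}")
        if rest.startswith(": "):         # "field:: " marks a base64-encoded value
            raw = base64.b64decode(rest[2:], validate=True)
            # Assumption: decoded values are UTF-8 text; bad bytes are replaced.
            value = raw.decode("utf-8", errors="replace")
        elif rest.startswith(" "):        # "field: " marks a plain value
            value = rest[1:]
        else:
            raise ValueError(f"bad separator: {line!r}")
        if name == "dn":                  # every entry starts with its DN
            current = {"dn": value, "fields": []}
            entries.append(current)
        elif current is None:
            raise ValueError(f"field outside an entry: {line!r}")
        else:
            # A list of pairs keeps repeated fields and their order.
            current["fields"].append((name, value))
    return entries

# Constructed sample: the gecos value holds a line feed, so it is base64 encoded.
_GECOS = "Alice Example\nuidNumber: 0"
SAMPLE = (
    "dn: uid=alice,ou=People,dc=example,dc=com\r\n"
    "uid: alice\r\n"
    "uidNumber: 1001\r\n"
    "gecos:: " + base64.b64encode(_GECOS.encode()).decode() + "\r\n"
    "\r\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\r\n"
    "uid: bob\r\n"
    "uidNumber: 1002\r\n"
)

if __name__ == "__main__":
    for entry in parse_ldapuglist(SAMPLE):
        print(entry["dn"], entry["fields"])
```

A consumer that decoded the value first and split on line feeds afterwards would see a second uidNumber line in the first entry; parsing line by line and decoding per field avoids that.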
HP-UX 11i v3: June 2010 Web Release − 5 − Hewlett-Packard Company 5