HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)

ldapugdel(1M) ldapugdel(1M)
Directory server.

Since the Microsoft Services for Unix schema does not use RFC2307 standard attributes, use of -O will not function, since attribute mapping is not allowed in ldapugdel. -O will function properly with Windows 2003 R2, since standard RFC2307 attributes are used, with the exception of the homeDirectory, described above.
-D DN       Normally ldapugdel will search for the named user or group using the search rules described by the service search descriptor in the LDAP-UX configuration profile. With -D, the exact DN of the entry being modified may be specified. Only one of -D, uid_name or group_name may be specified on the command line.
uid_name    Specifies the name of the user entry to remove. Note that ldapugdel uses the configured LDAP search filter to discover the entry to be removed, such as: (&(objectclass=posixAccount)(uid=name)). If more than one entry matches this search filter, only the first entry discovered will be removed. Only one of -D, uid_name, or group_name may be specified on the command line.
group_name  Specifies the name of the group entry to remove. Note that ldapugdel uses the configured LDAP search filter to discover the entry to be removed, such as: (&(objectclass=posixgroup)(cn=name)). If more than one entry matches this search filter, only the first entry discovered will be removed. Only one of -D, uid_name, or group_name may be specified on the command line.
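As an added illustration, not code from the HP-UX man page or from the ldapugdel utility, the following POSIX shell snippet builds the two search filters quoted above for uid_name and group_name, escapes LDAP filter metacharacters in the supplied name so that a value such as a bare asterisk cannot widen the match, and counts the entries a search returns, since ldapugdel deletes only the first entry the filter finds. The function names, the RFC 4515 escaping step and the sample LDIF are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the HP-UX man page or the ldapugdel utility.
# It models the search filters the page quotes for uid_name and group_name
# and adds two checks a practitioner would want before running a deletion:
# escaping of LDAP filter metacharacters (RFC 4515) and a count of matching
# entries, because ldapugdel removes only the first entry the filter finds.

# Escape the characters that have meaning inside an LDAP search filter so that
# a name is matched literally. RFC 4515 encodes each as \XX (hex of the byte).
# Backslash is handled first so the escapes added afterwards are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' \
                             -e 's/)/\\29/g'
}

# Build the two filters in the form the man page shows, with the name escaped.
user_filter() {
    printf '(&(objectclass=posixAccount)(uid=%s))' "$(ldap_filter_escape "$1")"
}
group_filter() {
    printf '(&(objectclass=posixgroup)(cn=%s))' "$(ldap_filter_escape "$1")"
}

# Count entries in LDIF read from stdin (one "dn:" line per entry).
count_dn_entries() {
    awk '/^dn:/ { n++ } END { print n + 0 }'
}

# Succeed only when the LDIF on stdin holds exactly one entry, i.e. the filter
# is unambiguous and a deletion would hit the intended object.
check_unique_match() {
    [ "$(count_dn_entries)" -eq 1 ]
}

# Constructed sample LDIF standing in for the output of a search run with the
# uid filter; two entries share uid=jdoe in different subtrees.
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe

dn: uid=jdoe,ou=Contractors,dc=example,dc=com
uid: jdoe
'

demo() {
    user_filter jdoe; echo
    user_filter '*'; echo       # a bare wildcard becomes \2a, not "every user"
    group_filter '(x'; echo
    n=$(printf '%s' "$SAMPLE_LDIF" | count_dn_entries)
    echo "entries matching uid=jdoe: $n"
    if printf '%s' "$SAMPLE_LDIF" | check_unique_match; then
        echo "unique match: safe to proceed"
    else
        echo "ambiguous match: specify the exact entry with -D instead"
    fi
}
demo
```

On a live system the filter is what ldapugdel derives from the uid_name or group_name argument; the count check stands in for running the search first and, when more than one entry matches, naming the exact entry with -D rather than relying on which match the server happens to return first.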
Binding to the Directory Server

ldapugdel has been designed to take advantage of the existing LDAP-UX configuration for determining to which directory server to bind and how to perform the bind operation. ldapugdel will consult the LDAP-UX configuration profile for the following information:

  • The list of LDAP directory server hosts.
  • The authentication method (simple passwords, SASL Digest MD5, etc.).

If either of the environment variables LDAP_BINDDN or LDAP_BINDCRED has not been specified, ldapugdel will consult the LDAP-UX configuration for additional information:

  • The type of credential (user, proxy or anonymous) to use.
  • The credential used for binding as a proxy user (either /etc/opt/ldapux/acred for administrative users or /etc/opt/ldapux/pcred for non-privileged users).

As with LDAP-UX, ldapugdel will attempt to contact the first available directory server as defined in the LDAP-UX host list. As soon as a connection is established, further directory servers on the host list will not be contacted.
Once connected, ldapugdel will first determine if the environment variables LDAP_BINDDN or LDAP_BINDCRED have been specified. If so, then ldapugdel will attempt to bind to the directory server using the specified credentials and the configured LDAP-UX authentication method.

If the above-mentioned environment variables have not been specified, then ldapugdel will determine if the configured credential type is "proxy" and, if so, attempt to bind to the directory server using the configured LDAP-UX proxy credential.

If configured, the acred proxy credential will be used for administrative users (determined by whether the user running ldapugdel has enough privilege to read the /etc/opt/ldapux/acred file). Otherwise the credential configured in /etc/opt/ldapux/pcred will be used.

Note: to prevent discovery of the LDAP administrator's credentials, the LDAP user DN and password may not be specified as command-line options to the ldapugdel utility.
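The credential-selection order described above, as an added example that is not part of the man page or of ldapugdel itself: a POSIX shell function that checks the LDAP_BINDDN and LDAP_BINDCRED environment variables first and otherwise falls back to the LDAP-UX proxy credential, picking acred when the caller can read it and pcred otherwise. The function name, the parameters for the credential type and the two file paths (ldapugdel reads these from the LDAP-UX profile and fixed paths), and the placeholder credential files are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the HP-UX man page or ldapugdel itself. It models
# the bind-credential selection order the page describes: the LDAP_BINDDN /
# LDAP_BINDCRED environment variables first, then the LDAP-UX proxy credential,
# choosing /etc/opt/ldapux/acred when the caller can read it and
# /etc/opt/ldapux/pcred otherwise. The credential type and the two file paths
# are passed in as parameters (an assumption made for testability; ldapugdel
# takes them from the LDAP-UX profile and fixed paths).

# select_bind_source CRED_TYPE ACRED_PATH PCRED_PATH
# Prints which credential would be used: env, acred, pcred, <cred_type>, or none.
select_bind_source() {
    cred_type=$1; acred=$2; pcred=$3
    # Both variables must be present; the page says that if either is missing
    # the LDAP-UX configuration is consulted instead.
    if [ -n "$LDAP_BINDDN" ] && [ -n "$LDAP_BINDCRED" ]; then
        echo env
        return 0
    fi
    case $cred_type in
        proxy)
            # acred is for administrative users: the test is simply whether the
            # caller has enough privilege to read the file.
            if [ -r "$acred" ]; then
                echo acred
            elif [ -r "$pcred" ]; then
                echo pcred
            else
                echo none
                return 1
            fi
            ;;
        *)
            # The page only details the proxy path; other configured types
            # (user, anonymous) are reported as-is.
            echo "$cred_type"
            ;;
    esac
    return 0
}

# Stand-alone demonstration with constructed placeholder credential files in a
# temporary directory (their real format is not shown on the page).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'placeholder\n' > "$dir/acred"    # constructed
    printf 'placeholder\n' > "$dir/pcred"    # constructed
    ( unset LDAP_BINDDN LDAP_BINDCRED
      echo "proxy, acred readable:   $(select_bind_source proxy "$dir/acred" "$dir/pcred")"
      echo "proxy, acred unreadable: $(select_bind_source proxy "$dir/missing" "$dir/pcred")"
      echo "anonymous:               $(select_bind_source anonymous "$dir/acred" "$dir/pcred")"
    )
    ( LDAP_BINDDN='cn=admin'; LDAP_BINDCRED='x'; export LDAP_BINDDN LDAP_BINDCRED
      echo "env vars set:            $(select_bind_source proxy "$dir/acred" "$dir/pcred")"
    )
    rm -rf "$dir"
}
demo
```

Supplying the bind DN and credential through the environment rather than as command-line arguments is what keeps them out of process listings, which is the reason the note above gives for ldapugdel not accepting them as options; the readability test on acred is the whole of the "administrative user" check the page describes, so file permissions on /etc/opt/ldapux/acred decide who binds with the administrative credential.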
Security Considerations
Use of ldapugdel requires permissions of an LDAP administrator when it performs its operations on
the directory server. The rights to delete or modify existing LDAP directory entries under the
requested subtree, along with removal of the required attributes in that entry must be granted to the
476 Hewlett-Packard Company 3 HP-UX 11i Version 2: December 2007 Update