HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)
ldapugdel(1M) ldapugdel(1M)
administrator identity that is specified when executing ldapugdel.
• As would occur in any identity repository, modification of this repository will likely have impacts as defined by the organization’s security policy. Users of ldapugdel are expected to have full knowledge of the organization’s security policy and the impact of deleting identity information from that identity repository.
• Removal of a POSIX account will not automatically remove that account’s membership in groups, unless that capability is intrinsically provided by the directory server.
Note that some directory servers have a feature called "referential integrity" which does perform modification/removal of DN-type attributes if the specified DN is either changed or removed.
• Never use ldapugdel as part of a modification process on a user or group entry (that is, deleting and re-adding the entry as a method of modifying that entry). User and group entries in an LDAP directory will often contain information about the user or group that is outside the POSIX information model. Deleting and re-adding an entry will delete all information about the user or group. When the entry is re-added, recovery of the non-POSIX information may not be possible.
• In order to support non-interactive use of the ldapugdel command, specification of the LDAP administrator’s credentials is required through use of the LDAP_BINDDN and LDAP_BINDCRED environment variables. To prevent exposure of these environment variables, they should be unset after use.
Note also that a shell’s command history log may contain copies of the executed commands that show setting of these variables. Access to a shell’s history file must be protected. Specification of the LDAP administrator’s credentials on the command line is not allowed since information about the currently running processes can be exposed externally from the session.
Use of the -P option eliminates the need to set the mentioned environment variables by interactively prompting for the required credentials.
LDAP-UX PROFILE
ldapugdel makes use of the LDAP-UX configuration profile to determine the information model used in
the directory server to store POSIX attributes. Please refer to the LDAP-UX Client Services
Administrator’s Guide for additional information about the configuration profile.
RETURN VALUE
Upon exit, ldapugdel returns the following:
0 Success. ldapugdel exits with no errors or with one or more warnings.
<>0 ldapugdel returns a non-zero exit status if it encounters an error, and messages will be logged to stderr.
Messages will follow the format below:
ERROR: code
message
or
WARNING: code
message
Leading extra white space may be inserted to improve readability and follow 80-column screen formatting.
code will be a programmatically parsable error key-string, while message will be human-readable. Refer to the LDAP-UX Client Services Administrator’s Guide for a list of possible error codes generated by the LDAP user and group management tools.
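The following POSIX shell sketch is an added example, not part of the HP-UX reference or of LDAP-UX. It combines the credential handling described above with the ERROR/WARNING message format. The function names run_ldapug and parse_ldapug_msgs and the use of a credential file are assumptions, and the command to run is supplied by the caller.

```shell
#!/bin/sh
# Added example (not HP's code). run_ldapug, parse_ldapug_msgs and the
# credential-file convention are hypothetical names/assumptions.

# Turn "ERROR: code / message" diagnostics on stdin into one
# "SEVERITY<TAB>code<TAB>message" line each. `read` without IFS= strips the
# optional leading white space the man page says may be inserted.
parse_ldapug_msgs() {
    sev='' code='' msg=''
    while read -r line || [ -n "$line" ]; do
        case $line in
            ERROR:*|WARNING:*)
                [ -z "$sev" ] || printf '%s\t%s\t%s\n' "$sev" "$code" "$msg"
                sev=${line%%:*}
                code=${line#*:}
                code=${code#"${code%%[! ]*}"}   # drop blanks after the colon
                msg='' ;;
            '') ;;
            *)  [ -z "$sev" ] || msg=${msg:+$msg }$line ;;
        esac
    done
    [ -z "$sev" ] || printf '%s\t%s\t%s\n' "$sev" "$code" "$msg"
}

# run_ldapug BIND_DN CRED_FILE COMMAND [ARG...]
# Exports LDAP_BINDDN/LDAP_BINDCRED only inside a command-substitution
# subshell, so the calling shell never holds them and nothing needs unsetting.
# The credential is read from a file (assumed readable only by the
# administrator) and is never typed on a command line or into history.
run_ldapug() {
    binddn=$1 credfile=$2
    shift 2
    [ -r "$credfile" ] || { echo "cannot read $credfile" >&2; return 2; }
    {
        msgs=$(
            LDAP_BINDDN=$binddn
            LDAP_BINDCRED=$(cat "$credfile")
            export LDAP_BINDDN LDAP_BINDCRED
            "$@" 2>&1 >&3          # stderr captured, stdout passed through
        ) && status=0 || status=$?
    } 3>&1
    printf '%s\n' "$msgs" | parse_ldapug_msgs
    return "$status"
}
```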
EXTERNAL INFLUENCES
Environment Variables
LDAP_BINDDN Specifies the DN of a user with sufficient directory server privilege to delete users and/or groups in the LDAP directory server. While this variable is optional, if LDAP_BINDDN is specified, LDAP_BINDCRED must also be specified.
HP-UX 11i Version 2: December 2007 Update − 4 − Hewlett-Packard Company 477