'\" te .\" Copyright (C) 2002, Sun Microsystems, Inc. All Rights Reserved .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the .\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] .TH LDAPADDENT 8 "May 13, 2017" .SH NAME ldapaddent \- create LDAP entries from corresponding /etc files .SH SYNOPSIS .LP .nf \fBldapaddent\fR [\fB-cpv\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] [\fB-f\fR \fIfilename\fR] \fIdatabase\fR .fi .LP .nf \fBldapaddent\fR [\fB-cpv\fR] \fB-a\fR sasl/GSSAPI [\fB-b\fR \fIbaseDN\fR] [\fB-f\fR \fIfilename\fR] \fIdatabase\fR .fi .LP .nf \fBldapaddent\fR \fB-d\fR [\fB-v\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-D\fR \fIbindDN\fR] [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR .fi .LP .nf \fBldapaddent\fR [\fB-cpv\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR] [\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-f\fR \fIfilename\fR] [\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR .fi .LP .nf \fBldapaddent\fR [\fB-cpv\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR] [\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-b\fR \fIbaseDN\fR] [\fB-f\fR \fIfilename\fR] \fIdatabase\fR .fi .LP .nf \fBldapaddent\fR \fB-d\fR [\fB-v\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR] [\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR .fi .SH DESCRIPTION .LP \fBldapaddent\fR creates entries in LDAP containers from their corresponding \fB/etc\fR files. This operation is customized for each of the standard containers that are used in the administration of Solaris systems. The \fIdatabase\fR argument specifies the type of the data being processed. Legal values for this type are one of \fBaliases\fR, \fBauto_*\fR, \fBbootparams\fR, \fBethers\fR, \fBgroup\fR, \fBhosts\fR (including both IPv4 and IPv6 addresses), \fBipnodes\fR (alias for \fBhosts\fR), \fBnetgroup\fR, \fBnetmasks\fR, \fBnetworks\fR, \fBpasswd\fR, \fBshadow\fR, \fBprotocols\fR, \fBpublickey\fR, \fBrpc\fR, and \fBservices\fR. In addition to the preceding, the \fIdatabase\fR argument can be one of the RBAC-related files (see \fBrbac\fR(7)): .RS +4 .TP .ie t \(bu .el o \fB/etc/user_attr\fR .RE .RS +4 .TP .ie t \(bu .el o \fB/etc/security/auth_attr\fR .RE .RS +4 .TP .ie t \(bu .el o \fB/etc/security/prof_attr\fR .RE .RS +4 .TP .ie t \(bu .el o \fB/etc/security/exec_attr\fR .RE .sp .LP By default, \fBldapaddent\fR reads from the standard input and adds this data to the LDAP container associated with the database specified on the command line. An input file from which data can be read is specified using the \fB-f\fR option. .sp .LP If you specify the \fB-h\fR option, \fBldapaddent\fR establishes a connection to the server indicated by the option in order to obtain a \fBDUAProfile\fR specified by the \fB-N\fR option. The entries will be stored in the directory described by the configuration obtained. .sp .LP By default (if the \fB-h\fR option is not specified), entries will be stored in the directory based on the client's configuration. To use the utility in the default mode, the Solaris LDAP client must be set up in advance. .sp .LP The location where entries are to be written can be overridden by using the \fB-b\fR option. .sp .LP If the entry to be added exists in the directory, the command displays an error and exits, unless the \fB-c\fR option is used. .sp .LP Although, there is a \fBshadow\fR database type, there is no corresponding \fBshadow\fR container. Both the \fBshadow\fR and the \fBpasswd\fR data is stored in the \fBpeople\fR container itself. Similarly, data from \fBnetworks\fR and \fBnetmasks\fR databases are stored in the \fBnetworks\fR container. .sp .LP The \fBuser_attr\fR data is stored by default in the \fBpeople\fR container. The \fBprof_attr\fR and \fBexec_attr\fR data is stored by default in the \fBSolarisProfAttr\fR container. .sp .LP You must add entries from the \fBpasswd\fR database before you attempt to add entries from the \fBshadow\fR database. The addition of a \fBshadow\fR entry that does not have a corresponding \fBpasswd\fR entry will fail. .sp .LP The \fBpasswd\fR database must precede the \fBuser_attr\fR database. .sp .LP For better performance, the recommended order in which the databases should be loaded is as follows: .RS +4 .TP .ie t \(bu .el o \fBpasswd\fR database followed by \fBshadow\fR database .RE .RS +4 .TP .ie t \(bu .el o \fBnetworks\fR database followed by \fBnetmasks\fR database .RE .RS +4 .TP .ie t \(bu .el o \fBbootparams\fR database followed by \fBethers\fR database .RE .sp .LP Only the first entry of a given type that is encountered will be added to the LDAP server. The \fBldapaddent\fR command skips any duplicate entries. .SH OPTIONS .LP The \fBldapaddent\fR command supports the following options: .sp .ne 2 .na \fB\fB-a\fR \fIauthenticationMethod\fR\fR .ad .sp .6 .RS 4n Specify authentication method. The default value is what has been configured in the profile. The supported authentication methods are: .RS +4 .TP .ie t \(bu .el o \fBsimple\fR .RE .RS +4 .TP .ie t \(bu .el o \fBsasl/CRAM-MD5\fR .RE .RS +4 .TP .ie t \(bu .el o \fBsasl/DIGEST-MD5\fR .RE .RS +4 .TP .ie t \(bu .el o \fBsasl/GSSAPI\fR .RE .RS +4 .TP .ie t \(bu .el o \fBtls:simple\fR .RE .RS +4 .TP .ie t \(bu .el o \fBtls:sasl/CRAM-MD5\fR .RE .RS +4 .TP .ie t \(bu .el o \fBtls:sasl/DIGEST-MD5\fR .RE Selecting \fBsimple\fR causes passwords to be sent over the network in clear text. Its use is strongly discouraged. Additionally, if the client is configured with a profile which uses no authentication, that is, either the \fBcredentialLevel\fR attribute is set to \fBanonymous\fR or \fBauthenticationMethod\fR is set to \fBnone\fR, the user must use this option to provide an authentication method. If the authentication method is \fBsasl/GSSAPI\fR, \fIbindDN\fR and \fIbindPassword\fR is not required and the \fBhosts\fR and \fBipnodes\fR fields of \fB/etc/nsswitch.conf\fR must be configured as: .sp .in +2 .nf hosts: dns files ipnodes: dns files .fi .in -2 See \fBnsswitch.conf\fR(5). .RE .sp .ne 2 .na \fB\fB-b\fR\ \fIbaseDN\fR\fR .ad .sp .6 .RS 4n Create entries in the \fIbaseDN\fR directory. \fIbaseDN\fR is not relative to the client's default search base, but rather. it is the actual location where the entries will be created. If this parameter is not specified, the first search descriptor defined for the service or the default container will be used. .RE .sp .ne 2 .na \fB\fB-c\fR\fR .ad .sp .6 .RS 4n Continue adding entries to the directory even after an error. Entries will not be added if the directory server is not responding or if there is an authentication problem. .RE .sp .ne 2 .na \fB\fB-D\fR\ \fIbindDN\fR\fR .ad .sp .6 .RS 4n Create an entry which has write permission to the \fIbaseDN\fR. When used with \fB-d\fR option, this entry only needs read permission. .RE .sp .ne 2 .na \fB\fB-d\fR\fR .ad .sp .6 .RS 4n Dump the LDAP container to the standard output in the appropriate format for the given database. .RE .sp .ne 2 .na \fB\fB-f\fR \fIfilename\fR\fR .ad .sp .6 .RS 4n Indicates input file to read in an \fB/etc/\fR file format. .RE .sp .ne 2 .na \fB\fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR]\fR .ad .sp .6 .RS 4n Specify an address (or a name) and an optional port of the LDAP server in which the entries will be stored. The current naming service specified in the \fBnsswitch.conf\fR file is used. The default value for the port is \fB389\fR, except when TLS is specified as the authentication method. In this case, the default LDAP server port number is \fB636\fR. .RE .sp .ne 2 .na \fB\fB-j\fR\ \fIpasswdFile\fR\fR .ad .sp .6 .RS 4n Specify a file containing the password for the bind DN or the password for the SSL client's key database. To protect the password, use this option in scripts and place the password in a secure file. This option is mutually exclusive of the \fB-w\fR option. .RE .sp .ne 2 .na \fB\fB-M\fR\ \fIdomainName\fR\fR .ad .sp .6 .RS 4n The name of a domain served by the specified server. If not specified, the default domain name will be used. .RE .sp .ne 2 .na \fB\fB-N\fR\ \fIprofileName\fR\fR .ad .sp .6 .RS 4n Specify the \fBDUAProfile\fR name. A profile with such a name is supposed to exist on the server specified by \fB-h\fR option. Otherwise, a default \fBDUAProfile\fR will be used. The default value is \fBdefault\fR. .RE .sp .ne 2 .na \fB\fB-P\fR\ \fIcertifPath\fR\fR .ad .sp .6 .RS 4n The certificate path for the location of the certificate database. The value is the path where security database files reside. This is used for TLS support, which is specified in the \fBauthenticationMethod\fR and \fBserviceAuthenticationMethod\fR attributes. The default is \fB/var/ldap\fR. .RE .sp .ne 2 .na \fB\fB-p\fR\fR .ad .sp .6 .RS 4n Process the \fBpassword\fR field when loading password information from a file. By default, the \fBpassword\fR field is ignored because it is usually not valid, as the actual password appears in a \fBshadow\fR file. .RE .sp .ne 2 .na \fB\fB-w\fR\ \fIbindPassword\fR\fR .ad .sp .6 .RS 4n Password to be used for authenticating the \fIbindDN\fR. If this parameter is missing, the command will prompt for a password. \fBNULL\fR passwords are not supported in LDAP. .sp When you use \fB-w\fR\ \fIbindPassword\fR to specify the password to be used for authentication, the password is visible to other users of the system by means of the \fBps\fR command, in script files or in shell history. .sp If you supply "\fB-\fR" (hyphen) as a password, you will be prompted to enter a password. .RE .sp .ne 2 .na \fB\fB-v\fR\fR .ad .sp .6 .RS 4n Verbose. .RE .SH OPERANDS .LP The following operands are supported: .sp .ne 2 .na \fB\fIdatabase\fR\fR .ad .sp .6 .RS 4n The name of the database or service name. Supported values are: \fBaliases\fR, \fBauto_*\fR, \fBbootparams\fR, \fBethers\fR, \fBgroup\fR, \fBhosts\fR (including IPv6 addresses), \fBnetgroup\fR, \fBnetmasks\fR, \fBnetworks\fR, \fBpasswd\fR, \fBshadow\fR, \fBprotocols\fR, \fBpublickey\fR, \fBrpc\fR, and \fBservices\fR. Also supported are \fBauth_attr\fR, \fBprof_attr\fR, \fBexec_attr\fR, \fBuser_attr\fR, and \fBprojects\fR. .RE .SH EXAMPLES .LP \fBExample 1 \fRAdding Password Entries to the Directory Server .sp .LP The following example shows how to add password entries to the directory server: .sp .in +2 .nf example# \fBldapaddent -D "cn=directory manager" -w secret \e -f /etc/passwd passwd\fR .fi .in -2 .sp .LP \fBExample 2 \fRAdding Group Entries .sp .LP The following example shows how to add \fBgroup\fR entries to the directory server using \fBsasl/CRAM-MD5\fR as the authentication method: .sp .in +2 .nf example# \fBldapaddent -D "cn=directory manager" -w secret \e -a "sasl/CRAM-MD5" -f /etc/group group\fR .fi .in -2 .sp .LP \fBExample 3 \fRAdding \fBauto_master\fR Entries .sp .LP The following example shows how to add \fBauto_master\fR entries to the directory server: .sp .in +2 .nf example# \fBldapaddent -D "cn=directory manager" -w secret \e -f /etc/auto_master auto_master\fR .fi .in -2 .sp .LP \fBExample 4 \fRDumping \fBpasswd\fR Entries from the Directory to File .sp .LP The following example shows how to dump \fBpassword\fR entries from the directory to a file \fBfoo\fR: .sp .in +2 .nf example# \fBldapaddent -d passwd > foo\fR .fi .in -2 .sp .LP \fBExample 5 \fRAdding Password Entries to a Specific Directory Server .sp .LP The following example shows how to add password entries to a directory server that you specify: .sp .in +2 .nf example# \fBldapaddent -h 10.10.10.10:3890 \e -M another.domain.name -N special_duaprofile \e -D "cn=directory manager" -w secret \e -f /etc/passwd passwd\fR .fi .in -2 .sp .SH EXIT STATUS .LP The following exit values are returned: .sp .ne 2 .na \fB\fB0\fR\fR .ad .sp .6 .RS 4n Successful completion. .RE .sp .ne 2 .na \fB>\fB0\fR\fR .ad .sp .6 .RS 4n An error occurred. .RE .SH FILES .ne 2 .na \fB\fB/var/ldap/ldap_client_file\fR\fR .ad .br .na \fB\fB/var/ldap/ldap_client_cred\fR\fR .ad .sp .6 .RS 4n Files containing the LDAP configuration of the client. These files are not to be modified manually. Their content is not guaranteed to be human readable. Use \fBldapclient\fR(8) to update these files. .RE .SH ATTRIBUTES .LP See \fBattributes\fR(7) for descriptions of the following attributes: .sp .sp .TS box; c | c l | l . ATTRIBUTE TYPE ATTRIBUTE VALUE _ Interface Stability Committed .TE .SH SEE ALSO .LP .BR ldap (1), .BR ldaplist (1), .BR ldapmodify (1), .BR ldapmodrdn (1), .BR ldapsearch (1), .BR nsswitch.conf (5), .BR attributes (7), .BR idsconfig (8), .BR ldapclient (8) .sp .LP \fI\fR .SH CAUTION .LP Currently StartTLS is not supported by \fBlibldap.so.5\fR, therefore the port number provided refers to the port used during a TLS open, rather than the port used as part of a StartTLS sequence. For example: .sp .in +2 .nf -h foo:1000 -a tls:simple .fi .in -2 .sp .sp .LP The preceding refers to a raw TLS open on host \fBfoo\fR port 1000, not an open, StartTLS sequence on an unsecured port 1000. If port 1000 is unsecured the connection will not be made.