xref: /titanic_52/usr/src/man/man1m/ldapaddent.1m (revision f5c2e7ea56aaa46a9976476fb0cb1f02b9426f07)
te
Copyright (C) 2002, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
LDAPADDENT 1M "May 4, 2009"
NAME
ldapaddent - create LDAP entries from corresponding /etc files
SYNOPSIS

ldapaddent [-cpv] [-a authenticationMethod] [-b baseDN]
 -D bindDN [-w bind_password] [-j passwdFile] [-f filename]
 database

ldapaddent [-cpv] -a sasl/GSSAPI [-b baseDN] [-f filename]
 database

ldapaddent -d [-v] [-a authenticationMethod] [-D bindDN]
 [-w bind_password] [-j passwdFile] database

ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
 [-N profileName] [-P certifPath] [-a authenticationMethod]
 [-b baseDN] -D bindDN [-w bind_password] [-f filename]
 [-j passwdFile] database

ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
 [-N profileName] [-P certifPath] [-a authenticationMethod]
 [-b baseDN] [-f filename] database

ldapaddent -d [-v] -h LDAP_server[:serverPort] [-M domainName]
 [-N profileName] [-P certifPath] [-a authenticationMethod]
 [-b baseDN] -D bindDN [-w bind_password] [-j passwdFile]
 database
DESCRIPTION

ldapaddent creates entries in LDAP containers from their corresponding /etc files. This operation is customized for each of the standard containers that are used in the administration of Solaris systems. The database argument specifies the type of the data being processed. Legal values for this type are one of aliases, auto_*, bootparams, ethers, group, hosts (including both IPv4 and IPv6 addresses), ipnodes (alias for hosts), netgroup, netmasks, networks, passwd, shadow, protocols, publickey, rpc, and services. In addition to the preceding, the database argument can be one of the RBAC-related files (see rbac(5)):

By default, ldapaddent reads from the standard input and adds this data to the LDAP container associated with the database specified on the command line. An input file from which data can be read is specified using the -f option.

If you specify the -h option, ldapaddent establishes a connection to the server indicated by the option in order to obtain a DUAProfile specified by the -N option. The entries will be stored in the directory described by the configuration obtained.

By default (if the -h option is not specified), entries will be stored in the directory based on the client's configuration. To use the utility in the default mode, the Solaris LDAP client must be set up in advance.

The location where entries are to be written can be overridden by using the -b option.

If the entry to be added exists in the directory, the command displays an error and exits, unless the -c option is used.

Although, there is a shadow database type, there is no corresponding shadow container. Both the shadow and the passwd data is stored in the people container itself. Similarly, data from networks and netmasks databases are stored in the networks container.

The user_attr and audit_user data is stored by default in the people container. The prof_attr and exec_attr data is stored by default in the SolarisProfAttr container.

You must add entries from the passwd database before you attempt to add entries from the shadow database. The addition of a shadow entry that does not have a corresponding passwd entry will fail.

The passwd database must precede both the user_attr and audit_user databases.

For better performance, the recommended order in which the databases should be loaded is as follows:

passwd database followed by shadow database

networks database followed by netmasks database

bootparams database followed by ethers database

Only the first entry of a given type that is encountered will be added to the LDAP server. The ldapaddent command skips any duplicate entries.

OPTIONS

The ldapaddent command supports the following options: -a authenticationMethod

Specify authentication method. The default value is what has been configured in the profile. The supported authentication methods are:

simple

tls:simple

Selecting simple causes passwords to be sent over the network in clear text. Its use is strongly discouraged. Additionally, if the client is configured with a profile which uses no authentication, that is, either the credentialLevel attribute is set to anonymous or authenticationMethod is set to none, the user must use this option to provide an authentication method. If the authentication method is sasl/GSSAPI, bindDN and bindPassword is not required and the hosts and ipnodes fields of /etc/nsswitch.conf must be configured as:
hosts: dns files
ipnodes: dns files
See nsswitch.conf(4).
-b baseDN

Create entries in the baseDN directory. baseDN is not relative to the client's default search base, but rather. it is the actual location where the entries will be created. If this parameter is not specified, the first search descriptor defined for the service or the default container will be used.

-c

Continue adding entries to the directory even after an error. Entries will not be added if the directory server is not responding or if there is an authentication problem.

-D bindDN

Create an entry which has write permission to the baseDN. When used with -d option, this entry only needs read permission.

-d

Dump the LDAP container to the standard output in the appropriate format for the given database.

-f filename

Indicates input file to read in an /etc/ file format.

-h LDAP_server[:serverPort]

Specify an address (or a name) and an optional port of the LDAP server in which the entries will be stored. The current naming service specified in the nsswitch.conf file is used. The default value for the port is 389, except when TLS is specified as the authentication method. In this case, the default LDAP server port number is 636.

-j passwdFile

Specify a file containing the password for the bind DN or the password for the SSL client's key database. To protect the password, use this option in scripts and place the password in a secure file. This option is mutually exclusive of the -w option.

-M domainName

The name of a domain served by the specified server. If not specified, the default domain name will be used.

-N profileName

Specify the DUAProfile name. A profile with such a name is supposed to exist on the server specified by -h option. Otherwise, a default DUAProfile will be used. The default value is default.

-P certifPath

The certificate path for the location of the certificate database. The value is the path where security database files reside. This is used for TLS support, which is specified in the authenticationMethod and serviceAuthenticationMethod attributes. The default is /var/ldap.

-p

Process the password field when loading password information from a file. By default, the password field is ignored because it is usually not valid, as the actual password appears in a shadow file.

-w bindPassword

Password to be used for authenticating the bindDN. If this parameter is missing, the command will prompt for a password. NULL passwords are not supported in LDAP. When you use -w bindPassword to specify the password to be used for authentication, the password is visible to other users of the system by means of the ps command, in script files or in shell history. If you supply "-" (hyphen) as a password, you will be prompted to enter a password.

-v

Verbose.

OPERANDS

The following operands are supported: database

The name of the database or service name. Supported values are: aliases, auto_*, bootparams, ethers, group, hosts (including IPv6 addresses), netgroup, netmasks, networks, passwd, shadow, protocols, publickey, rpc, and services. Also supported are auth_attr, prof_attr, exec_attr, user_attr, and projects.

EXAMPLES

Example 1 Adding Password Entries to the Directory Server

The following example shows how to add password entries to the directory server:

example# ldapaddent -D "cn=directory manager" -w secret \e
 -f /etc/passwd passwd

Example 2 Adding Group Entries

The following example shows how to add group entries to the directory server using sasl/CRAM-MD5 as the authentication method:

example# ldapaddent -D "cn=directory manager" -w secret \e
 -a "sasl/CRAM-MD5" -f /etc/group group

Example 3 Adding auto_master Entries

The following example shows how to add auto_master entries to the directory server:

example# ldapaddent -D "cn=directory manager" -w secret \e
 -f /etc/auto_master auto_master

Example 4 Dumping passwd Entries from the Directory to File

The following example shows how to dump password entries from the directory to a file foo:

example# ldapaddent -d passwd > foo

Example 5 Adding Password Entries to a Specific Directory Server

The following example shows how to add password entries to a directory server that you specify:

example# ldapaddent -h 10.10.10.10:3890 \e
-M another.domain.name -N special_duaprofile \e
-D "cn=directory manager" -w secret \e
-f /etc/passwd passwd
EXIT STATUS

The following exit values are returned: 0

Successful completion.

>0

An error occurred.

FILES
/var/ldap/ldap_client_file

/var/ldap/ldap_client_cred

Files containing the LDAP configuration of the client. These files are not to be modified manually. Their content is not guaranteed to be human readable. Use ldapclient(1M) to update these files.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Committed
SEE ALSO

ldap(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1), idsconfig(1M), ldapclient(1M), suninstall(1M), nsswitch.conf(4), attributes(5)

CAUTION

Currently StartTLS is not supported by libldap.so.5, therefore the port number provided refers to the port used during a TLS open, rather than the port used as part of a StartTLS sequence. For example:

-h foo:1000 -a tls:simple

The preceding refers to a raw TLS open on host foo port 1000, not an open, StartTLS sequence on an unsecured port 1000. If port 1000 is unsecured the connection will not be made.