~--- ../tmp/ldapaddent.1m.txt Fri Apr 4 11:24:22 2008
+++ ldapaddent.1m.txt.standalone Fri Apr 25 19:23:48 2008
@@ -1,306 +1,406 @@
System Administration Commands ldapaddent(1M)
NAME
ldapaddent - create LDAP entries from corresponding /etc
files
SYNOPSIS
ldapaddent [-cpv] [-a authenticationMethod] [-b baseDN]
- -D bindDN -w bind_password [-f filename] database
+ -D bindDN [-w bindPassword] [-j passwdFile] [-f filename]
+ database
ldapaddent [-cpv] -asasl/GSSAPI [-b baseDN] [-f filename]
database
ldapaddent -d [-v] [-a authenticationMethod] [-D bindDN]
- [-w bind_password] database
+ [-w bindPassword] [-j passwdFile] database
+ ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
+ [-N profileName] [-P certifPath] [-a authenticationMethod]
+ [-b baseDN] -D bindDN [-w bindPassword] [-f filename]
+ [-j passwdFile] database
+ ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
+ [-N profileName] [-P certifPath] -asasl/GSSAPI [-b baseDN]
+ [-f filename] database
+
+ ldapaddent -d [-v] -h LDAP_server[:serverPort] [-M domainName]
+ [-N profileName] [-P certifPath] [-a authenticationMethod]
+ [-b baseDN] -D bindDN [-w bindPassword] [-j passwdFile]
+ database
+
+
DESCRIPTION
ldapaddent creates entries in LDAP containers from their
corresponding /etc files. This operation is customized for
each of the standard containers that are used in the
administration of Solaris systems. The database argument
specifies the type of the data being processed. Legal values
for this type are one of aliases, auto_*, bootparams, eth-
ers, group, hosts (including both IPv4 and IPv6 addresses),
ipnodes (alias for hosts), netgroup, netmasks, networks,
passwd, shadow, protocols, publickey, rpc, and services. In
addition to the preceding, the database argument can be one
of the RBAC-related files (see rbac(5)):
o /etc/user_attr
o /etc/security/auth_attr
o /etc/security/prof_attr
o /etc/security/exec_attr
By default, ldapaddent reads from the standard input and
adds this data to the LDAP container associated with the
database specified on the command line. An input file from
which data can be read is specified using the -f option.
+ If -h option is specified, ldapaddent establishes a connection
+ to the server pointed to by the option in order to
+ obtain a DUAProfile specified by -N option. The entries
+ will be stored in the directory described by the
+ configuration obtained.
- The entries will be stored in the directory based on the
- client's configuration, thus the client must be configured
- to use LDAP naming services. The location where entries are
- to be written can be overridden by using the -b option.
+ By default (if the -h option is not specified), the entries
+ will be stored in the directory based on the client's
+ configuration. In order to use the utility in the default
+ mode, the Solaris LDAP client must be set up in advance.
+ The location where entries are to be written can be
+ overridden by using the -b option.
If the entry to be added exists in the directory, the com-
mand displays an error and exits, unless the -c option is
used.
Although, there is a shadow database type, there is no
corresponding shadow container. Both the shadow and the
passwd data is stored in the people container itself. Simi-
larly, data from networks and netmasks databases are stored
in the networks container.
The user_attr and audit_user data is stored by default in
the people container. The prof_attr and exec_attr data is
stored by default in the SolarisProfAttr container.
You must add entries from the passwd database before you
attempt to add entries from the shadow database. The addi-
tion of a shadow entry that does not have a corresponding
passwd entry will fail.
The passwd database must precede both the user_attr and
audit_user databases.
For better performance, the recommended order in which the
databases should be loaded is as follows:
o passwd database followed by shadow database
o networks database followed by netmasks database
o bootparams database followed by ethers database
Only the first entry of a given type that is encountered
will be added to the LDAP server. The ldapaddent command
skips any duplicate entries.
OPTIONS
The ldapaddent command supports the following options:
-a authenticationMethod Specify authentication method.
The default value is what has
been configured in the profile.
The supported authentication
methods are:
o simple
o sasl/CRAM-MD5
o sasl/DIGEST-MD5
o sasl/GSSAPI
o tls:simple
o tls:sasl/CRAM-MD5
o tls:sasl/DIGEST-MD5
Selecting simple causes passwords
to be sent over the network in
clear text. Its use is strongly
discouraged. Additionally, if the
client is configured with a pro-
file which uses no authentica-
tion, that is, either the creden-
tialLevel attribute is set to
anonymous or authenticationMethod
is set to none, the user must use
this option to provide an authen-
tication method. If the authen-
tication method is sasl/GSSAPI,
- bindDN and bind_password is not
+ bindDN and bindPassword is not
required and the hosts and
ipnodes fields of
/etc/nsswitch.conf must be con-
figured as:
hosts: dns files
ipnodes: dns files
See nsswitch.conf(4).
-b baseDN Create entries in the baseDN
directory. baseDN is not relative
to the client's default search
base, but rather. it is the
actual location where the entries
will be created. If this parame-
ter is not specified, the first
search descriptor defined for the
service or the default container
will be used.
-c Continue adding entries to the
directory even after an error.
Entries will not be added if the
directory server is not
responding or if there is an
authentication problem.
-D bindDN Create an entry which has write
permission to the baseDN. When
used with -d option, this entry
only needs read permission.
-d Dump the LDAP container to the
standard output in the appropri-
ate format for the given data-
base.
-f filename Indicates input file to read in
an /etc/ file format.
-p Process the password field when
loading password information from
a file. By default, the password
field is ignored because it is
usually not valid, as the actual
password appears in a shadow
file.
+ -w bindPassword Password to be used for authenti-
+ cating the bindDN. If this param-
+ eter is missing, the command will
+ prompt for a password. NULL pass-
+ words are not supported in LDAP.
- -w bind_password Password to be used for authenti-
- cating the bindDN. If this param-
- eter is missing, the command will
- prompt for a password. NULL pass-
- words are not supported in LDAP.
+ When you use -w bindPassword to
+ specify the password to be used
+ for authentication, the password
+ is visible to other users of the
+ system by means of the ps com-
+ mand, in script files or in shell
+ history.
- When you use -w bind_password to
- specify the password to be used
- for authentication, the password
- is visible to other users of the
- system by means of the ps com-
- mand, in script files or in shell
- history.
+ If the value of "-" is supplied
+ as a password, the command will
+ prompt for a password.
-v Verbose.
+ -h LDAP_server[:serverPort] An address (or a name) and a port
+ of the LDAP server in which the
+ entries will be stored. The
+ current naming service specified
+ in the nsswitch.conf file is
+ used. The default value for the
+ port is 389, except when TLS is
+ specified in the authentication
+ method. In this case, the default
+ LDAP server port number is 636.
+
+
+ -M domainName The name of a domain served by
+ the specified server. If not
+ specified, the default domain
+ name will be used.
+
+ -N profileName Specify the DUAProfile name. A
+ profile with such a name is
+ supposed to exist on the server
+ specified by -h option.
+ Otherwise, a default DUAProfile
+ will be used. The default value
+ is default.
+
+
+ -P certifPath The certificate path for the
+ location of the certificate
+ database. The value is the path
+ where security database files
+ reside. This is used for TLS
+ support, which is specified in
+ the authenticationMethod and
+ serviceAuthen- ticationMethod
+ attributes. The default is
+ /var/ldap.
+
+ -j passwdFile Specify a file containing the
+ password for the bind DN or the
+ password for the SSL client's key
+ database. To protect the
+ password, use this option in
+ scripts and place the password in
+ a secure file. This option is
+ mutually exclusive of the -w opt-
+ ion.
+
OPERANDS
The following operands are supported:
database The name of the database or service name. Sup-
ported values are: aliases, auto_*, bootparams,
ethers, group, hosts (including IPv6 addresses),
netgroup, netmasks, networks, passwd, shadow,
protocols, publickey, rpc, and services. Also
supported are auth_attr, prof_attr, exec_attr,
and user_attr.
EXAMPLES
Example 1 Adding Password Entries to the Directory Server
- The following example show how to add password entries to
+ The following example shows how to add password entries to
the directory server:
example# ldapaddent -D "cn=directory manager" -w secret \
-f /etc/passwd passwd
Example 2 Adding Group Entries
The following example shows how to add group entries to the
directory server using sasl/CRAM-MD5 as the authentication
method:
example# ldapaddent -D "cn=directory manager" -w secret \
-a "sasl/CRAM-MD5" -f /etc/group group
Example 3 Adding auto_master Entries
The following example shows how to add auto_master entries
to the directory server:
- example# dapaddent -D "cn=directory manager" -w secret \
+ example# ldapaddent -D "cn=directory manager" -w secret \
-f /etc/auto_master auto_master
Example 4 Dumping password Entries from the Directory to
File
- The following examples shows how to dump password entries
+ The following example shows how to dump password entries
from the directory to a file foo:
example# ldapaddent -d passwd > foo
+ Example 5 Adding Password Entries to a Directory Server
+ specified explicitly
+ The following example shows how to add password entries to
+ the directory server specified by the user:
+ example# ldapaddent -h 10.10.10.10:3890 \
+ -M another.domain.name -N special_duaprofile \
+ -D "cn=directory manager" -w secret \
+ -f /etc/passwd passwd
+
+
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
FILES
/var/ldap/ldap_client_file Files containing the LDAP con-
/var/ldap/ldap_client_cred figuration of the client.
These files are not to be
modified manually. Their con-
tent is not guaranteed to be
human readable. Use
ldapclient(1M) to update these
files.
+CAVEATS
+
+
+ Currently StartTLS is not supported by libldap.so.5,
+ therefore the port number provided refers to the port
+ used during a TLS open, versus the port used as part
+ of a StartTLS sequence.
+
+ Example
+
+ -h foo:1000 -a tls:simple
+
+ Refers to a raw TLS open on host foo port 1000, not a
+ open, StartTLS sequence on an unsecured port 1000.
+ If port 1000 is unsecured the connection will not
+ be made.
+
+
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
{{{____________________________________________________________}}}
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|{{{_____________________________}}}|{{{_____________________________}}}|
| Availability | SUNWnisu |
|{{{_____________________________}}}|{{{_____________________________}}}|
- | Interface Stability | Evolving |
+ | Interface Stability | Committed |
|{{{_____________________________}}}|{{{_____________________________}}}|
SEE ALSO
ldap(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldap-
search(1), idsconfig(1M), ldapclient(1M), suninstall(1M),
nsswitch.conf(4), attributes(5)
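Review bot: Example 5, the new -h example, shows the bind password on the command line ("-D "cn=directory manager" -w secret \") right after this same hunk adds -j passwdFile and tells administrators to use it in scripts because -w exposes the password through ps, script files and shell history; the example added to illustrate the new mode should model the recommended form, for instance "-D "cn=directory manager" -j /path/to/passwdfile \" (with a note that the file must be readable only by the invoking user), or at least "-w -" so the command prompts. Related documentation gaps in the same hunk: the -j text says the option is "mutually exclusive of the -w option" (should read "mutually exclusive with"), yet every new SYNOPSIS form lists "[-w bindPassword] [-j passwdFile]" as independently optional instead of "[-w bindPassword | -j passwdFile]"; the -N profileName text says a missing profile falls back to "a default DUAProfile" without saying whether that is the profile literally named "default" or an error, which matters because the profile chosen decides the credential level and authentication method used to write the entries; and the -h text "The current naming service specified in the nsswitch.conf file is used" does not say what it is used for (presumably resolving LDAP_server when a name is given). The new -d form with -h requires -D bindDN while the existing -d form keeps "[-D bindDN]" optional; if the explicit-server mode really cannot fall back to the client's proxy credentials, the -D description should say so, otherwise the synopsis should match. Typos introduced by the patch: "serviceAuthen- ticationMethod" in the -P description is split mid-word, "If -h option is specified ... specified by -N option" is missing its articles ("If the -h option ... by the -N option"), and the CAVEATS sentence "not a open, StartTLS sequence on an unsecured port 1000" should read "not an open followed by a StartTLS sequence on an unsecured port 1000".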