ldapaddent(1M)          System Administration Commands          ldapaddent(1M)


NAME

       ldapaddent - create LDAP entries from corresponding /etc files


SYNOPSIS

       ldapaddent [-cpv] [-a authenticationMethod] [-b baseDN]
            -D bindDN [-w bind_password] [-j passwdFile] [-f filename]
            database

       ldapaddent [-cpv] -a sasl/GSSAPI [-b baseDN] [-f filename]
            database

       ldapaddent -d [-v] [-a authenticationMethod] [-D bindDN]
            [-w bind_password] [-j passwdFile] database

       ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
            [-N profileName] [-P certifPath] [-a authenticationMethod]
            [-b baseDN] -D bindDN [-w bind_password] [-f filename]
            [-j passwdFile] database

       ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
            [-N profileName] [-P certifPath] [-a authenticationMethod]
            [-b baseDN] [-f filename] database

       ldapaddent -d [-v] -h LDAP_server[:serverPort] [-M domainName]
            [-N profileName] [-P certifPath] [-a authenticationMethod]
            [-b baseDN] -D bindDN [-w bind_password] [-j passwdFile]
            database


DESCRIPTION

       ldapaddent creates entries in LDAP containers from their corresponding
       /etc files. This operation is customized for each of the standard
       containers that are used in the administration of Solaris systems. The
       database argument specifies the type of the data being processed. Legal
       values for this type are one of aliases, auto_*, bootparams, ethers,
       group, hosts (including both IPv4 and IPv6 addresses), ipnodes (alias
       for hosts), netgroup, netmasks, networks, passwd, shadow, protocols,
       publickey, rpc, and services. In addition to the preceding, the
       database argument can be one of the RBAC-related files (see rbac(5)):

           o      /etc/user_attr

           o      /etc/security/auth_attr

           o      /etc/security/prof_attr

           o      /etc/security/exec_attr

       By default, ldapaddent reads from the standard input and adds this data
       to the LDAP container associated with the database specified on the
       command line. An input file from which data can be read is specified
       using the -f option.

       If you specify the -h option, ldapaddent establishes a connection to
       the server indicated by the option in order to obtain a DUAProfile
       specified by the -N option. The entries will be stored in the directory
       described by the configuration obtained.

       By default (if the -h option is not specified), entries will be stored
       in the directory based on the client's configuration. To use the
       utility in the default mode, the Solaris LDAP client must be set up in
       advance.

       The location where entries are to be written can be overridden by using
       the -b option.

       If the entry to be added exists in the directory, the command displays
       an error and exits, unless the -c option is used.

       Although there is a shadow database type, there is no corresponding
       shadow container. Both the shadow and the passwd data are stored in the
       people container itself. Similarly, data from the networks and netmasks
       databases are stored in the networks container.

       The user_attr and audit_user data are stored by default in the people
       container. The prof_attr and exec_attr data are stored by default in
       the SolarisProfAttr container.

       You must add entries from the passwd database before you attempt to add
       entries from the shadow database. The addition of a shadow entry that
       does not have a corresponding passwd entry will fail.

       The passwd database must precede both the user_attr and audit_user
       databases.

       For better performance, the recommended order in which the databases
       should be loaded is as follows:

           o      passwd database followed by shadow database

           o      networks database followed by netmasks database

           o      bootparams database followed by ethers database

       Only the first entry of a given type that is encountered will be added
       to the LDAP server. The ldapaddent command skips any duplicate entries.


OPTIONS

       The ldapaddent command supports the following options:

       -a authenticationMethod

           Specify the authentication method. The default value is what has
           been configured in the profile. The supported authentication
           methods are:

               o      simple

               o      sasl/CRAM-MD5

               o      sasl/DIGEST-MD5

               o      sasl/GSSAPI

               o      tls:simple

               o      tls:sasl/CRAM-MD5

               o      tls:sasl/DIGEST-MD5

           Selecting simple causes passwords to be sent over the network in
           clear text. Its use is strongly discouraged. Additionally, if the
           client is configured with a profile which uses no authentication,
           that is, either the credentialLevel attribute is set to anonymous
           or authenticationMethod is set to none, the user must use this
           option to provide an authentication method. If the authentication
           method is sasl/GSSAPI, bindDN and bindPassword are not required,
           and the hosts and ipnodes fields of /etc/nsswitch.conf must be
           configured as:

             hosts: dns files
             ipnodes: dns files

           See nsswitch.conf(4).

155
       -b baseDN

           Create entries in the baseDN directory. baseDN is not relative to
           the client's default search base; rather, it is the actual
           location where the entries will be created. If this parameter is
           not specified, the first search descriptor defined for the service
           or the default container will be used.

       -c

           Continue adding entries to the directory even after an error.
           Entries will not be added if the directory server is not responding
           or if there is an authentication problem.

       -D bindDN

           Bind as the entry bindDN, which must have write permission to the
           baseDN. When used with the -d option, this entry only needs read
           permission.

       -d

           Dump the LDAP container to the standard output in the appropriate
           format for the given database.

       -f filename

           Indicates the input file to read, in /etc/ file format.

       -h LDAP_server[:serverPort]

           Specify an address (or a name) and an optional port of the LDAP
           server in which the entries will be stored. The current naming
           service specified in the nsswitch.conf file is used. The default
           value for the port is 389, except when TLS is specified as the
           authentication method. In this case, the default LDAP server port
           number is 636.

       -j passwdFile

           Specify a file containing the password for the bind DN or the
           password for the SSL client's key database. To protect the
           password, use this option in scripts and place the password in a
           secure file. This option is mutually exclusive of the -w option.

       -M domainName

           The name of a domain served by the specified server. If not
           specified, the default domain name will be used.

       -N profileName

           Specify the DUAProfile name. A profile with such a name is supposed
           to exist on the server specified by the -h option. Otherwise, a
           default DUAProfile will be used. The default value is default.

       -P certifPath

           The certificate path for the location of the certificate database.
           The value is the path where security database files reside. This is
           used for TLS support, which is specified in the
           authenticationMethod and serviceAuthenticationMethod attributes.
           The default is /var/ldap.

       -p

           Process the password field when loading password information from a
           file. By default, the password field is ignored because it is
           usually not valid, as the actual password appears in a shadow file.

       -w bindPassword

           Password to be used for authenticating the bindDN. If this
           parameter is missing, the command will prompt for a password. NULL
           passwords are not supported in LDAP.

           When you use -w bindPassword to specify the password to be used for
           authentication, the password is visible to other users of the
           system by means of the ps command, in script files or in shell
           history.

           If you supply "-" (hyphen) as a password, you will be prompted to
           enter a password.

       -v

           Verbose.

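       The -w caveat above and the loading order given in DESCRIPTION, as an
       added shell example that is not part of this man page or of Solaris: a
       wrapper that passes the bind password with -j from a file that only its
       owner can read, defaults to a TLS/SASL method rather than simple, and
       runs the databases in the required order. The function names
       (passwd_file_ok, order_databases, load_databases) and the environment
       variables it reads are assumptions of the example.

```shell
# Added example (not Solaris code): wrapper around ldapaddent that reads the
# bind password from a file (-j) rather than the command line (-w), refuses a
# password file readable by group/other, and loads databases in the order the
# man page requires. LDAPADDENT, BIND_DN, AUTH_METHOD, ETC_DIR are assumed
# names; override them from the environment (LDAPADDENT=true for a dry run).

LDAPADDENT=${LDAPADDENT:-ldapaddent}
BIND_DN=${BIND_DN:-"cn=directory manager"}
AUTH_METHOD=${AUTH_METHOD:-tls:sasl/DIGEST-MD5}   # avoid clear-text "simple"
ETC_DIR=${ETC_DIR:-/etc}

# 0 only if the file exists and group/other bits (ls -l columns 5-10) are "-".
passwd_file_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the requested databases with the order-sensitive ones first, in the
# man page's order; any others (group, hosts, ...) follow as given.
order_databases() {
    pri="passwd shadow user_attr audit_user networks netmasks bootparams ethers"
    out=
    for db in $pri; do
        for want in "$@"; do
            if [ "$want" = "$db" ]; then out="$out $db"; fi
        done
    done
    for want in "$@"; do
        case " $pri " in
            *" $want "*) ;;
            *) out="$out $want" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# load_databases PASSWDFILE DATABASE...: one ldapaddent run per database,
# with -c so an already-existing entry does not abort the rest of the load.
load_databases() {
    pw=$1; shift
    passwd_file_ok "$pw" || { echo "insecure password file: $pw" >&2; return 1; }
    for db in $(order_databases "$@"); do
        "$LDAPADDENT" -c -a "$AUTH_METHOD" -D "$BIND_DN" -j "$pw" \
            -f "$ETC_DIR/$db" "$db" || return 1
    done
}
```

       Run as `load_databases /path/to/pwfile shadow group passwd` to load
       passwd, then shadow, then group with a single bind identity.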

OPERANDS

       The following operands are supported:

       database

           The name of the database or service name. Supported values are:
           aliases, auto_*, bootparams, ethers, group, hosts (including IPv6
           addresses), netgroup, netmasks, networks, passwd, shadow,
           protocols, publickey, rpc, and services. Also supported are
           auth_attr, prof_attr, exec_attr, user_attr, and projects.


EXAMPLES

       Example 1 Adding Password Entries to the Directory Server

       The following example shows how to add password entries to the
       directory server:

         example# ldapaddent -D "cn=directory manager" -w secret \
               -f /etc/passwd passwd

       Example 2 Adding Group Entries

       The following example shows how to add group entries to the directory
       server using sasl/CRAM-MD5 as the authentication method:

         example# ldapaddent -D "cn=directory manager" -w secret \
              -a "sasl/CRAM-MD5" -f /etc/group group

       Example 3 Adding auto_master Entries

       The following example shows how to add auto_master entries to the
       directory server:

         example# ldapaddent -D "cn=directory manager" -w secret \
              -f /etc/auto_master auto_master

       Example 4 Dumping passwd Entries from the Directory to File

       The following example shows how to dump password entries from the
       directory to a file foo:

         example# ldapaddent -d passwd > foo

       Example 5 Adding Password Entries to a Specific Directory Server

       The following example shows how to add password entries to a directory
       server that you specify:

         example# ldapaddent -h 10.10.10.10:3890 \
              -M another.domain.name -N special_duaprofile \
              -D "cn=directory manager" -w secret \
              -f /etc/passwd passwd


EXIT STATUS

       The following exit values are returned:

       0

           Successful completion.

       >0

           An error occurred.


FILES

       /var/ldap/ldap_client_file
       /var/ldap/ldap_client_cred

           Files containing the LDAP configuration of the client. These files
           are not to be modified manually. Their content is not guaranteed to
           be human readable. Use ldapclient(1M) to update these files.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWnisu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       ldap(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1),
       idsconfig(1M), ldapclient(1M), suninstall(1M), nsswitch.conf(4),
       attributes(5)


CAUTION

       Currently StartTLS is not supported by libldap.so.5, therefore the port
       number provided refers to the port used during a TLS open, rather than
       the port used as part of a StartTLS sequence. For example:

         -h foo:1000 -a tls:simple

       The preceding refers to a raw TLS open on host foo port 1000, not an
       open followed by a StartTLS sequence on an unsecured port 1000. If port
       1000 is unsecured, the connection will not be made.

SunOS 5.11                        4 May 2009                    ldapaddent(1M)