ldapaddent(1M)          System Administration Commands          ldapaddent(1M)



NAME
     ldapaddent - create LDAP entries from corresponding /etc files

SYNOPSIS
     ldapaddent [-cpv] [-a authenticationMethod] [-b baseDN]
          -D bindDN [-w bind_password] [-j passwdFile] [-f filename]
          database


     ldapaddent [-cpv] -a sasl/GSSAPI [-b baseDN] [-f filename]
          database


     ldapaddent -d [-v] [-a authenticationMethod] [-D bindDN]
          [-w bind_password] [-j passwdFile] database


     ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
          [-N profileName] [-P certifPath] [-a authenticationMethod]
          [-b baseDN] -D bindDN [-w bind_password] [-f filename]
          [-j passwdFile] database


     ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
          [-N profileName] [-P certifPath] [-a authenticationMethod]
          [-b baseDN] [-f filename] database


     ldapaddent -d [-v] -h LDAP_server[:serverPort] [-M domainName]
          [-N profileName] [-P certifPath] [-a authenticationMethod]
          [-b baseDN] -D bindDN [-w bind_password] [-j passwdFile]
          database


DESCRIPTION
     ldapaddent creates entries in LDAP containers from their corresponding
     /etc files. This operation is customized for each of the standard
     containers that are used in the administration of Solaris systems. The
     database argument specifies the type of the data being processed. Legal
     values for this type are one of aliases, auto_*, bootparams, ethers,
     group, hosts (including both IPv4 and IPv6 addresses), ipnodes (alias
     for hosts), netgroup, netmasks, networks, passwd, shadow, protocols,
     publickey, rpc, and services. In addition to the preceding, the
     database argument can be one of the RBAC-related files (see rbac(5)):

         o /etc/user_attr

         o /etc/security/auth_attr

         o /etc/security/prof_attr

         o /etc/security/exec_attr


     By default, ldapaddent reads from the standard input and adds this data
     to the LDAP container associated with the database specified on the
     command line. An input file from which data can be read is specified
     using the -f option.


     If you specify the -h option, ldapaddent establishes a connection to
     the server indicated by the option in order to obtain the DUAProfile
     specified by the -N option. The entries will be stored in the directory
     described by the configuration obtained.


     By default (if the -h option is not specified), entries will be stored
     in the directory based on the client's configuration. To use the
     utility in the default mode, the Solaris LDAP client must be set up in
     advance.


     The location where entries are to be written can be overridden by using
     the -b option.


     If an entry to be added already exists in the directory, the command
     displays an error and exits, unless the -c option is used.


     Although there is a shadow database type, there is no corresponding
     shadow container. Both the shadow and the passwd data are stored in the
     people container itself. Similarly, data from the networks and netmasks
     databases are stored in the networks container.


     The user_attr and audit_user data are stored by default in the people
     container. The prof_attr and exec_attr data are stored by default in
     the SolarisProfAttr container.


     You must add entries from the passwd database before you attempt to add
     entries from the shadow database. The addition of a shadow entry that
     does not have a corresponding passwd entry will fail.


     The passwd database must precede both the user_attr and audit_user
     databases.


     For better performance, the recommended order in which the databases
     should be loaded is as follows:

         o passwd database followed by shadow database

         o networks database followed by netmasks database

         o bootparams database followed by ethers database


     Only the first of any duplicate entries that is encountered will be
     added to the LDAP server; ldapaddent skips the remaining duplicates.
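     The following script is an added example; it is not part of this
     manual page or of Solaris. It loads the databases in the order the
     preceding paragraphs require (passwd before shadow and user_attr,
     networks before netmasks, bootparams before ethers), stops at the
     first failure so that a dependent database is never loaded on top of
     an incomplete one, passes -c so that a re-run does not abort on entries
     that already exist, and reads the bind password with -j from a file
     created with mode 0600 rather than passing it with -w, where it would
     be visible in ps output and shell history. The bind DN, the
     ldap_bind_pw file name, and the BIND_DN, ETC and LDAPADDENT variables
     are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from ldapaddent(1M): load /etc databases in the order the
# DESCRIPTION requires, using a mode-0600 password file (-j) instead of -w.
# BIND_DN, ETC and LDAPADDENT are assumptions of this example; LDAPADDENT lets
# a caller substitute another command, for instance to rehearse the run.

BIND_DN=${BIND_DN:-"cn=directory manager"}
ETC=${ETC:-/etc}
LDAPADDENT=${LDAPADDENT:-ldapaddent}

# One "database source-file" pair per line, in load order: passwd must precede
# shadow and user_attr; networks before netmasks and bootparams before ethers
# are the recommended orders. ETC is expanded when the plan is produced.
load_plan() {
    printf '%s\n' \
        "passwd $ETC/passwd" \
        "shadow $ETC/shadow" \
        "group $ETC/group" \
        "hosts $ETC/hosts" \
        "networks $ETC/networks" \
        "netmasks $ETC/netmasks" \
        "bootparams $ETC/bootparams" \
        "ethers $ETC/ethers" \
        "user_attr $ETC/user_attr"
}

# Write the bind password ($2) to "$1/ldap_bind_pw", created under umask 077 so
# it is never readable by other users, and print the file name. The manual page
# documents the -j file only as "containing the password"; the password is
# written alone, without a trailing newline.
make_passwd_file() {
    file="$1/ldap_bind_pw"
    old_umask=$(umask)
    umask 077
    printf '%s' "$2" > "$file" || return 1
    umask "$old_umask"
    chmod 600 "$file"
    printf '%s\n' "$file"
}

# Load every database in the plan whose source file is readable. -c keeps
# going past entries already present in the directory, so the run can be
# repeated. The first database that fails ends the run: a shadow or user_attr
# load on top of an incomplete passwd load is what the DESCRIPTION forbids.
# LOADED_COUNT holds the number of databases loaded so far.
load_all() {
    pwfile=$1
    LOADED_COUNT=0
    while read -r db src; do
        if [ ! -r "$src" ]; then
            echo "skipping $db: $src is not readable" >&2
            continue
        fi
        "$LDAPADDENT" -c -D "$BIND_DN" -j "$pwfile" -f "$src" "$db" || {
            echo "load of $db from $src failed; later databases not loaded" >&2
            return 1
        }
        LOADED_COUNT=$((LOADED_COUNT + 1))
    done <<EOF
$(load_plan)
EOF
}

# Runs only when invoked as "sh loadldap.sh run"; otherwise the file just
# defines the functions. The password file lives in a private temporary
# directory and is removed when the run ends.
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d) || exit 1
    printf 'Bind password for %s: ' "$BIND_DN"
    stty -echo; read -r pw; stty echo; echo
    pwfile=$(make_passwd_file "$dir" "$pw") || exit 1
    unset pw
    load_all "$pwfile"
    status=$?
    rm -rf "$dir"
    echo "loaded $LOADED_COUNT databases"
    exit $status
fi
```

     Because every database is loaded with the same bind DN, the entry
     named by BIND_DN needs write permission to each container the plan
     touches; the script reports the first database that fails and leaves
     the rest unloaded rather than continuing past a failed passwd load.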

OPTIONS
     The ldapaddent command supports the following options:

     -a authenticationMethod

         Specify the authentication method. The default value is what has
         been configured in the profile. The supported authentication
         methods are:

             o simple

             o sasl/CRAM-MD5

             o sasl/DIGEST-MD5

             o sasl/GSSAPI

             o tls:simple

             o tls:sasl/CRAM-MD5

             o tls:sasl/DIGEST-MD5

         Selecting simple causes passwords to be sent over the network in
         clear text. Its use is strongly discouraged. Additionally, if the
         client is configured with a profile which uses no authentication,
         that is, either the credentialLevel attribute is set to anonymous
         or authenticationMethod is set to none, the user must use this
         option to provide an authentication method. If the authentication
         method is sasl/GSSAPI, bindDN and bindPassword are not required,
         and the hosts and ipnodes fields of /etc/nsswitch.conf must be
         configured as:

             hosts: dns files
             ipnodes: dns files

         See nsswitch.conf(4).
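         As an added example (not part of this manual page), the following
         shell functions check that prerequisite before a sasl/GSSAPI run.
         They read the file named by their first argument (default
         /etc/nsswitch.conf) and report any hosts or ipnodes entry whose
         source list is not exactly "dns files"; comments and extra
         whitespace are ignored. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not from ldapaddent(1M): confirm that the hosts and ipnodes
# entries of nsswitch.conf read "dns files", as the -a sasl/GSSAPI description
# requires. Function names are this example's own.

# Print the source list of the first uncommented "$2:" entry in file "$1",
# with comments stripped and whitespace normalised (for example "dns files").
# Prints nothing if the entry is absent.
nsswitch_source_list() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                          # strip trailing comments
        match($0, "^[ \t]*" db "[ \t]*:") {
            rest = substr($0, RLENGTH + 1)          # text after "db:"
            gsub(/[ \t]+/, " ", rest)
            sub(/^ /, "", rest)
            sub(/ $/, "", rest)
            print rest
            exit
        }' "$1"
}

# Exit 0 if both entries are exactly "dns files"; otherwise report each
# offending entry on stderr and exit 1, so a caller can abort before binding.
gssapi_nsswitch_check() {
    file=${1:-/etc/nsswitch.conf}
    status=0
    for db in hosts ipnodes; do
        got=$(nsswitch_source_list "$file" "$db")
        if [ "$got" != "dns files" ]; then
            echo "$file: $db is '${got:-missing}', sasl/GSSAPI needs 'dns files'" >&2
            status=1
        fi
    done
    return $status
}

# Typical use before a GSSAPI load:
#   gssapi_nsswitch_check && ldapaddent -a sasl/GSSAPI -f /etc/hosts hosts
```

         The check is deliberately strict: it accepts only the source list
         the manual page gives, so an entry such as "files dns" is reported
         even though it would resolve names.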
154
155
156 -b baseDN
157
158 Create entries in the baseDN directory. baseDN is not relative to
159 the client's default search base, but rather. it is the actual
160 location where the entries will be created. If this parameter is
161 not specified, the first search descriptor defined for the service
162 or the default container will be used.
163
164
165 -c
166
167 Continue adding entries to the directory even after an error.
168 Entries will not be added if the directory server is not responding
169 or if there is an authentication problem.
170
171
172 -D bindDN
173
174 Create an entry which has write permission to the baseDN. When used
175 with -d option, this entry only needs read permission.
176
177
178 -d
179
180 Dump the LDAP container to the standard output in the appropriate
181 format for the given database.
182
183
184 -f filename
185
186 Indicates input file to read in an /etc/ file format.
187
188
189 -h LDAP_server[:serverPort]
190
191 Specify an address (or a name) and an optional port of the LDAP
192 server in which the entries will be stored. The current naming ser‐
193 vice specified in the nsswitch.conf file is used. The default value
194 for the port is 389, except when TLS is specified as the authenti‐
195 cation method. In this case, the default LDAP server port number is
196 636.
197
198
199 -j passwdFile
200
201 Specify a file containing the password for the bind DN or the pass‐
202 word for the SSL client's key database. To protect the password,
203 use this option in scripts and place the password in a secure file.
204 This option is mutually exclusive of the -w option.
205
206
207 -M domainName
208
209 The name of a domain served by the specified server. If not speci‐
210 fied, the default domain name will be used.
211
212
213 -N profileName
214
215 Specify the DUAProfile name. A profile with such a name is supposed
216 to exist on the server specified by -h option. Otherwise, a default
217 DUAProfile will be used. The default value is default.
218
219
220 -P certifPath
221
222 The certificate path for the location of the certificate database.
223 The value is the path where security database files reside. This is
224 used for TLS support, which is specified in the authentication‐
225 Method and serviceAuthenticationMethod attributes. The default is
226 /var/ldap.
227
228
229 -p
230
231 Process the password field when loading password information from a
232 file. By default, the password field is ignored because it is usu‐
233 ally not valid, as the actual password appears in a shadow file.
234
235
236 -w bindPassword
237
238 Password to be used for authenticating the bindDN. If this parame‐
239 ter is missing, the command will prompt for a password. NULL pass‐
240 words are not supported in LDAP.
241
242 When you use -w bindPassword to specify the password to be used for
243 authentication, the password is visible to other users of the sys‐
244 tem by means of the ps command, in script files or in shell his‐
245 tory.
246
247 If you supply "-" (hyphen) as a password, you will be prompted to
248 enter a password.
249
250
251 -v
252
253 Verbose.
254
255
OPERANDS
     The following operands are supported:

     database

         The name of the database or service name. Supported values are:
         aliases, auto_*, bootparams, ethers, group, hosts (including IPv6
         addresses), netgroup, netmasks, networks, passwd, shadow,
         protocols, publickey, rpc, and services. Also supported are
         auth_attr, prof_attr, exec_attr, user_attr, and projects.


EXAMPLES
     Example 1 Adding Password Entries to the Directory Server


     The following example shows how to add password entries to the
     directory server:


       example# ldapaddent -D "cn=directory manager" -w secret \
            -f /etc/passwd passwd



     Example 2 Adding Group Entries


     The following example shows how to add group entries to the directory
     server using sasl/CRAM-MD5 as the authentication method:


       example# ldapaddent -D "cn=directory manager" -w secret \
            -a "sasl/CRAM-MD5" -f /etc/group group



     Example 3 Adding auto_master Entries


     The following example shows how to add auto_master entries to the
     directory server:


       example# ldapaddent -D "cn=directory manager" -w secret \
            -f /etc/auto_master auto_master



     Example 4 Dumping passwd Entries from the Directory to File


     The following example shows how to dump password entries from the
     directory to a file foo:


       example# ldapaddent -d passwd > foo


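     Dumping is also a way to verify a load. The functions below are an
     added example, not taken from this manual page or from Solaris: they
     compare the keys (first field) of an /etc source file against the
     output of ldapaddent -d for the same database, list the entries the
     directory does not return, and list keys that occur more than once in
     the source, since the DESCRIPTION states that only the first such
     entry is added. The field separator argument is ":" for passwd, shadow
     and group and " " for whitespace-separated files such as hosts. The
     LDAPADDENT variable and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from ldapaddent(1M): verify a load by dumping the database
# with -d and comparing it against the /etc source by key (first field).
# LDAPADDENT and the function names are assumptions of this example.

LDAPADDENT=${LDAPADDENT:-ldapaddent}

# Print the first field of every line that is neither blank nor a comment.
# $1 is the awk field separator (":" for passwd, shadow and group; " " for
# whitespace-separated files such as hosts or networks), $2 the file.
entry_keys() {
    awk -F "$1" '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }' "$2"
}

# Keys that occur more than once in the source. ldapaddent adds only the first
# occurrence and skips the rest, so these are worth reviewing before a load.
duplicate_keys() {
    entry_keys "$1" "$2" | sort | uniq -d
}

# Keys present in the source file ($2) but absent from the dump ($3).
# The dump is read first so its keys are known when the source is scanned;
# matching on FILENAME keeps this correct even when the dump is empty.
keys_missing_from_dump() {
    awk -F "$1" -v dump="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        FILENAME == dump { in_dump[$1] = 1; next }
        !($1 in in_dump) { print $1 }
    ' "$3" "$2"
}

# Dump database $1 with -d and print the keys of source file $3 (field
# separator $2) that the directory does not return. Exits 0 when nothing is
# missing, 1 when something is missing or the dump itself fails.
verify_database() {
    db=$1; sep=$2; src=$3
    dump=$(mktemp) || return 1
    if ! "$LDAPADDENT" -d "$db" > "$dump"; then
        rm -f "$dump"
        echo "dump of $db failed" >&2
        return 1
    fi
    missing=$(keys_missing_from_dump "$sep" "$src" "$dump")
    rm -f "$dump"
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Typical use after "ldapaddent -f /etc/passwd passwd":
#   duplicate_keys : /etc/passwd
#   verify_database passwd : /etc/passwd || echo "passwd entries missing"
```

     The comparison is one-directional on purpose: entries that exist in
     the directory but not in the source file are expected when the
     container already held data, so only source entries absent from the
     dump are reported.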

     Example 5 Adding Password Entries to a Specific Directory Server


     The following example shows how to add password entries to a directory
     server that you specify:


       example# ldapaddent -h 10.10.10.10:3890 \
            -M another.domain.name -N special_duaprofile \
            -D "cn=directory manager" -w secret \
            -f /etc/passwd passwd



EXIT STATUS
     The following exit values are returned:

     0

         Successful completion.


     >0

         An error occurred.


FILES
     /var/ldap/ldap_client_file
     /var/ldap/ldap_client_cred

         Files containing the LDAP configuration of the client. These files
         are not to be modified manually. Their content is not guaranteed
         to be human readable. Use ldapclient(1M) to update these files.


ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:




     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWnisu                     │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Committed                    │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     ldap(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1),
     idsconfig(1M), ldapclient(1M), suninstall(1M), nsswitch.conf(4),
     attributes(5)




NOTES
     Currently StartTLS is not supported by libldap.so.5; therefore the
     port number provided refers to the port used during a TLS open, rather
     than the port used as part of a StartTLS sequence. For example:

          -h foo:1000 -a tls:simple




     The preceding refers to a raw TLS open on host foo port 1000, not an
     open, StartTLS sequence on an unsecured port 1000. If port 1000 is
     unsecured (that is, the server expects plain LDAP there), the
     connection will not be made.



SunOS 5.11                        4 May 2009                     ldapaddent(1M)