LDAPADDENT(8) Maintenance Commands and Procedures LDAPADDENT(8)

NAME


ldapaddent - create LDAP entries from corresponding /etc files

SYNOPSIS


ldapaddent [-cpv] [-a authenticationMethod] [-b baseDN]
-D bindDN [-w bind_password] [-j passwdFile] [-f filename]
database


ldapaddent [-cpv] -a sasl/GSSAPI [-b baseDN] [-f filename]
database


ldapaddent -d [-v] [-a authenticationMethod] [-D bindDN]
[-w bind_password] [-j passwdFile] database


ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
[-N profileName] [-P certifPath] [-a authenticationMethod]
[-b baseDN] -D bindDN [-w bind_password] [-f filename]
[-j passwdFile] database


ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
[-N profileName] [-P certifPath] [-a authenticationMethod]
[-b baseDN] [-f filename] database


ldapaddent -d [-v] -h LDAP_server[:serverPort] [-M domainName]
[-N profileName] [-P certifPath] [-a authenticationMethod]
[-b baseDN] -D bindDN [-w bind_password] [-j passwdFile]
database


DESCRIPTION


ldapaddent creates entries in LDAP containers from their
corresponding /etc files. This operation is customized for each of
the standard containers that are used in the administration of
Solaris systems. The database argument specifies the type of the data
being processed. Legal values for this type are one of aliases,
auto_*, bootparams, ethers, group, hosts (including both IPv4 and
IPv6 addresses), ipnodes (alias for hosts), netgroup, netmasks,
networks, passwd, shadow, protocols, publickey, rpc, and services. In
addition to the preceding, the database argument can be one of the
RBAC-related files (see rbac(7)):

o /etc/user_attr

o /etc/security/auth_attr

o /etc/security/prof_attr

o /etc/security/exec_attr


By default, ldapaddent reads from the standard input and adds this
data to the LDAP container associated with the database specified on
the command line. An input file from which data can be read is
specified using the -f option.


If you specify the -h option, ldapaddent establishes a connection to
the server indicated by the option in order to obtain a DUAProfile
specified by the -N option. The entries will be stored in the
directory described by the configuration obtained.


By default (if the -h option is not specified), entries will be
stored in the directory based on the client's configuration. To use
the utility in the default mode, the Solaris LDAP client must be set
up in advance.


The location where entries are to be written can be overridden by
using the -b option.


If the entry to be added exists in the directory, the command
displays an error and exits, unless the -c option is used.


Although there is a shadow database type, there is no corresponding
shadow container. Both the shadow and the passwd data are stored in
the people container itself. Similarly, data from the networks and
netmasks databases are stored in the networks container.


The user_attr data is stored by default in the people container. The
prof_attr and exec_attr data is stored by default in the
SolarisProfAttr container.


You must add entries from the passwd database before you attempt to
add entries from the shadow database. The addition of a shadow entry
that does not have a corresponding passwd entry will fail.


The passwd database must precede the user_attr database.


For better performance, the recommended order in which the databases
should be loaded is as follows:

o passwd database followed by shadow database

o networks database followed by netmasks database

o bootparams database followed by ethers database


Only the first entry of a given type that is encountered will be
added to the LDAP server. The ldapaddent command skips any duplicate
entries.
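The load order described above, as an added example script that is not part of the ldapaddent(8) man page: it loads several databases in the required order and passes the bind password through -j rather than -w, so it does not appear in ps output or shell history. BIND_DN, PASSWD_FILE and the set of databases in LOAD_ORDER are assumed placeholders for this example.

```shell
#!/bin/sh
# Added example, not part of the ldapaddent(8) man page: load a set of
# /etc databases into the directory in the order the DESCRIPTION section
# requires, reading the bind password from a file (-j) rather than
# putting it on the command line (-w), where ps and shell history expose it.
# BIND_DN and PASSWD_FILE are assumed placeholders for this example.

BIND_DN="cn=directory manager"
PASSWD_FILE="/var/tmp/ldap_bind_passwd"   # assumed: mode 0600, holds the password

# Order from the man page: passwd must precede shadow and user_attr;
# networks before netmasks and bootparams before ethers are recommended.
LOAD_ORDER="passwd shadow user_attr networks netmasks bootparams ethers group hosts"

# Map a database name to the /etc file ldapaddent reads it from.
etc_file_for() {
    case "$1" in
        auth_attr|prof_attr|exec_attr) echo "/etc/security/$1" ;;
        *) echo "/etc/$1" ;;
    esac
}

# Enforce the hard ordering rule: shadow and user_attr entries fail to add
# unless their passwd entries already exist. Returns 1 on a violation.
check_order() {
    seen=" "
    for db in "$@"; do
        case "$db" in
            shadow|user_attr)
                case "$seen" in *" passwd "*) ;; *) return 1 ;; esac ;;
        esac
        seen="$seen$db "
    done
    return 0
}

# Run ldapaddent once per database; -c keeps going past per-entry errors
# such as duplicates, but the function stops on a failed invocation.
load_all() {
    check_order $LOAD_ORDER || { echo "load order violates passwd-first rule" >&2; return 1; }
    for db in $LOAD_ORDER; do
        f=$(etc_file_for "$db")
        if [ ! -r "$f" ]; then
            echo "skipping $db: $f not readable" >&2
            continue
        fi
        ldapaddent -c -D "$BIND_DN" -j "$PASSWD_FILE" -f "$f" "$db" || return 1
    done
}
```

Call load_all from a root shell on a configured LDAP client after creating PASSWD_FILE with restrictive permissions.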

OPTIONS


The ldapaddent command supports the following options:

-a authenticationMethod

Specify authentication method. The default value is what has been
configured in the profile. The supported authentication methods
are:

o simple

o sasl/CRAM-MD5

o sasl/DIGEST-MD5

o sasl/GSSAPI

o tls:simple

o tls:sasl/CRAM-MD5

o tls:sasl/DIGEST-MD5

Selecting simple causes passwords to be sent over the network in
clear text. Its use is strongly discouraged. Additionally, if the
client is configured with a profile which uses no authentication,
that is, either the credentialLevel attribute is set to anonymous
or authenticationMethod is set to none, the user must use this
option to provide an authentication method. If the authentication
method is sasl/GSSAPI, bindDN and bindPassword are not required,
and the hosts and ipnodes fields of /etc/nsswitch.conf must be
configured as:

hosts: dns files
ipnodes: dns files

See nsswitch.conf(5).


-b baseDN

Create entries in the baseDN directory. baseDN is not relative to
the client's default search base; rather, it is the actual
location where the entries will be created. If this parameter is
not specified, the first search descriptor defined for the
service or the default container will be used.


-c

Continue adding entries to the directory even after an error.
Entries will not be added if the directory server is not
responding or if there is an authentication problem.


-D bindDN

Bind as bindDN, an entry which must have write permission to the
baseDN. When used with the -d option, this entry only needs read
permission.


-d

Dump the LDAP container to the standard output in the appropriate
format for the given database.


-f filename

Specify the input file to read; it must be in /etc/ file format.


-h LDAP_server[:serverPort]

Specify an address (or a name) and an optional port of the LDAP
server in which the entries will be stored. The current naming
service specified in the nsswitch.conf file is used. The default
value for the port is 389, except when TLS is specified as the
authentication method. In this case, the default LDAP server port
number is 636.


-j passwdFile

Specify a file containing the password for the bind DN or the
password for the SSL client's key database. To protect the
password, use this option in scripts and place the password in a
secure file. This option is mutually exclusive of the -w option.


-M domainName

The name of a domain served by the specified server. If not
specified, the default domain name will be used.


-N profileName

Specify the DUAProfile name. A profile with such a name is
supposed to exist on the server specified by -h option.
Otherwise, a default DUAProfile will be used. The default value
is default.


-P certifPath

The certificate path for the location of the certificate
database. The value is the path where security database files
reside. This is used for TLS support, which is specified in the
authenticationMethod and serviceAuthenticationMethod attributes.
The default is /var/ldap.


-p

Process the password field when loading password information from
a file. By default, the password field is ignored because it is
usually not valid, as the actual password appears in a shadow
file.


-w bindPassword

Password to be used for authenticating the bindDN. If this
parameter is missing, the command will prompt for a password.
NULL passwords are not supported in LDAP.

When you use -w bindPassword to specify the password to be used
for authentication, the password is visible to other users of the
system by means of the ps command, in script files or in shell
history.

If you supply "-" (hyphen) as a password, you will be prompted to
enter a password.


-v

Verbose.


OPERANDS


The following operands are supported:

database

The name of the database or service name. Supported values are:
aliases, auto_*, bootparams, ethers, group, hosts (including IPv6
addresses), netgroup, netmasks, networks, passwd, shadow,
protocols, publickey, rpc, and services. Also supported are
auth_attr, prof_attr, exec_attr, user_attr, and projects.


EXAMPLES


Example 1: Adding Password Entries to the Directory Server


The following example shows how to add password entries to the
directory server:


example# ldapaddent -D "cn=directory manager" -w secret \
-f /etc/passwd passwd


Example 2: Adding Group Entries


The following example shows how to add group entries to the directory
server using sasl/CRAM-MD5 as the authentication method:


example# ldapaddent -D "cn=directory manager" -w secret \
-a "sasl/CRAM-MD5" -f /etc/group group


Example 3: Adding auto_master Entries


The following example shows how to add auto_master entries to the
directory server:


example# ldapaddent -D "cn=directory manager" -w secret \
-f /etc/auto_master auto_master


Example 4: Dumping passwd Entries from the Directory to File


The following example shows how to dump password entries from the
directory to a file foo:


example# ldapaddent -d passwd > foo


Example 5: Adding Password Entries to a Specific Directory Server


The following example shows how to add password entries to a
directory server that you specify:


example# ldapaddent -h 10.10.10.10:3890 \
-M another.domain.name -N special_duaprofile \
-D "cn=directory manager" -w secret \
-f /etc/passwd passwd


EXIT STATUS


The following exit values are returned:

0

Successful completion.


>0

An error occurred.


FILES


/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred

Files containing the LDAP configuration of the client. These
files are not to be modified manually. Their content is not
guaranteed to be human readable. Use ldapclient(8) to update
these files.


ATTRIBUTES


See attributes(7) for descriptions of the following attributes:


+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+

SEE ALSO


ldap(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1),
nsswitch.conf(5), attributes(7), idsconfig(8), ldapclient(8)


CAUTION


Currently StartTLS is not supported by libldap.so.5, therefore the
port number provided refers to the port used during a TLS open,
rather than the port used as part of a StartTLS sequence. For
example:

-h foo:1000 -a tls:simple


The preceding refers to a raw TLS open on host foo port 1000, not an
open followed by a StartTLS sequence on an unsecured port 1000. If
port 1000 is unsecured, the connection will not be made.

May 13, 2017 LDAPADDENT(8)
