ldapugadd man page on HP-UX


ldapugadd(1M)							 ldapugadd(1M)

NAME
       ldapugadd - add new accounts or groups to an LDAP directory server

SYNOPSIS
       [options]  hostname]  port]  base]  uid_number]	group/gid]  full_name]
	      domain] login_shell] home_directory] gecos] comment]  skel_dir]]
	      template_file] uid_name

       [options]  hostname]  port]  base]  gid_number]	domain]	 comment] tem‐
	      plate_file] group_name

       default_home] default_shell] default_gid]

DESCRIPTION
       allows HP-UX administrators to add new POSIX accounts or groups to an
       LDAP directory server (see the first and second syntaxes above).
       Furthermore, it can be used to modify the file that sets defaults for
       the creation of new users or groups (see the third syntax above).

       makes use of user and group template files that allow it to conform to
       the information model used for the types of entries being created.
       Users of are required to provide LDAP administrator credentials that
       have sufficient privilege to perform the user or group add operation in
       the LDAP directory server.

   Options
       Prompt for the administrator's bind identity (typically an LDAP DN or
               Kerberos principal) and bind password.

	       Without	will  discover the bind identity and password from the
	       environment variables and If either the or environment variable
	       has  not	 been  specified,  will	 follow the bind configuration
	       specified in the configuration profile (see ldapux(5)).

	       If has specified "proxy" bind, the bind credential will be read
	       from  either  the or file.  The file will only be used by users
	       that have sufficient administrative  privileges	to  read  that
	       file.  Refer to below for additional details.

       Prompt for the password of the user or group being created.
               Also, if the ldapux(5) attribute mapping for the userPassword
               attribute has not been defined or set to will create new
               passwords in the userPassword attribute.  To assure accuracy,
               the user will be prompted twice for the password.  relies on
               the directory server for enforcement of password policy, such
               as user-must-change-password-at-first-login.

       Set the user or group password attribute.
               Also, if the ldapux(5) attribute mapping for the userPassword
               attribute has not been defined or set to will create new
               passwords in the userPassword attribute.  If is specified,
               either the environment variable or the option must be
               specified.

       Requires an SSL connection to the directory server, even if the
	       ldapux(5)  configuration	 does not require the use of SSL.  Use
	       of requires either a valid server or CA certificate be  defined
	       in  the	file.  An error will occur if the SSL connection could
	       not be established.  Refer to below for additional details.

       Attempt a TLS connection to the directory server, even if the
               ldapux(5) configuration does not require the use of TLS.  If a
               TLS connection cannot be established, a non-TLS and non-SSL
               connection will be established.  Use of is not recommended
               unless alternative methods are used to protect against network
               eavesdropping.  Use of requires either a valid server or CA
               certificate be defined in the file.  Refer to below for
               additional details.

       Requires a TLS connection to the directory server, even if the
	       ldapux(5) configuration does not require the use of  TLS.   Use
	       of  requires either a valid server or CA certificate be defined
	       in the file.  An error will occur if the TLS  connection	 could
	       not be established.  Refer to below for additional details.

       Force creation of new user or group entries even if particular error
	       conditions occur.  These are:

	       ·  The  user name or group name already exists in the directory
		  server.

               ·  The user id or group id number already exists in the
                  directory server.

	       ·  The  shell  specified	 with the option does not exist on the
		  local system or is not an executable.

	       ·  Adding a member to a group when that member is  not  defined
		  in the LDAP directory.

               Note that some directory servers perform their own attribute
               uniqueness checks.  In this case, even if the option is
               specified, will be unable to add the new entry.

       Display the DN of the newly created entry.

   Arguments
       Specifies the host name and optional port number
		      of  the  directory  server.   This  option overrides the
		      server list configured by ldapux(5).  The hostname field
		      also supports specification of IPv4 and IPv6 addresses.

		      Note  that when a port is specified for an IPv6 address,
		      the IPv6 address must be specified  in  square-bracketed
                      form.  If the optional port is unspecified, the port
                      number is assumed to be 389, or 636 for SSL connections.
                      Refer to below for additional details.

       Specifies the port number of the directory server to contact.
		      This  option  is ignored if the port number is specified
		      in the hostname as part of the option.  Refer  to	 below
		      for additional details.

       This option overrides value of the
		      substitution  construct  used in the respective template
                      file.  Instead of discovering the value from the
                      ldapux(5) configuration profile, the value defined in
                      base will be used.  Please refer to below for additional
                      information.  base is expected to be an LDAP
                      distinguished name.

       Specifies on which service type
		      will operate.  The service type can be either or where

		      implies	posixAccount-type entries, and
		      implies	posixGroup-type entries.

		      The command-line	arguments  that	 are  applicable  will
		      depend   on  the	service	 specified.   If  unspecified,
		      defaults to

		      Note:  to be consistent with  the	 Name  Service	Switch
		      (see switch(4)), the term is used to represent LDAP user
		      entries which contain POSIX account-related information.

   Arguments Applicable to -D
       Used to permanently alter local host defaults which are used by
		      when creating new user or	 group	entries	 in  the  LDAP
		      directory.  Configuration changes made using the options
		      will appear in the file.	Please refer  to  the  for  an
		      example of the file.

       Specifies the parent directory that will be used when creating
		      new user home directories.

       Specifies the default login shell that will be used when creating
		      user entries.

       Specifies  the  default	group  ID  number  used when creating new user
       entries.
		      To avoid warning messages displayed  by  this  group  ID
		      should  represent a POSIX-style group stored in the LDAP
		      directory.

		      If this group ID is not defined in the  LDAP  directory,
		      will  display a warning message every time a new user is
		      added using this default group, since will be unable  to
		      add the user as a member of that group.

       Sets new default minimum and maximum ranges that
		      will  use	 when provisioning a group ID number for newly
		      created group entries.  The gid range  is	 inclusive  of
		      the  specified  end values.  The colon character will be
		      used to indicate a range has been specified, instead  of
		      the default_gid specified above.

       Sets new default minimum and maximum ranges that
                      will use when provisioning a uid number for newly
                      created user entries.  The uid range is inclusive of the
                      specified end values.

   Arguments Applicable to '-t passwd'
       Specifies the user's numeric ID number.
                      If the specified uidNumber already exists in the
                      directory server, will not add the new entry and return
                      an error exit status, unless the option is specified.

		      If  this argument is not specified, a new user ID number
		      will be provisioned by randomly selecting a  value  from
		      the  uidNumber  range specified by If randomly selects a
		      uidNumber that  is  already  in  use  on	the  directory
		      server,  will  randomly select another uidNumber and try
		      again until it finds an  unused  uidNumber  or  exhausts
		      retry  attempts.	 Retry attempts will be limited to 90%
		      of the range of available uidNumbers (specified with and
		      described above).

       Specifies the user's primary login group name or id number.
		      After  creating  the user entry will also attempt to add
		      the user as a member of the specified  group  using  the
		      command.

		      Note:   to  support  numeric  group  names,  will always
		      attempt to resolve the specified	argument  as  a	 group
		      name (even if it is a numeric string).  If the specified
		      argument is not found as a group name, will check to see
		      if  the argument is a numeric string and if so, use that
		      as the group ID number.  If that numeric group  can  not
		      be  found	 in  any  active name service repository, will
		      issue an ERROR message.  If the specific argument is not
		      numeric  and  can not be found in an active name service
		      repository, will exit with an ERROR and not  create  the
		      new entry.
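The resolution order described above (try the argument as a group name first, even when it is all digits, and only then treat it as a numeric GID) is easy to get backwards. The following is an added illustration, not LDAP-UX code; the group table is constructed sample data standing in for the active name service repositories.

```python
"""Resolve a primary-group argument in the order the man page describes:
group *name* first (even for numeric strings), numeric GID second.

Added illustration, not ldapugadd's own code. SAMPLE_GROUPS is constructed
sample data standing in for the active name service repositories."""

# Constructed sample: group name -> gid.
SAMPLE_GROUPS = {
    "users": 100,
    "vpn": 2000,
    "1001": 3000,   # a group whose *name* happens to be a numeric string
}


def resolve_group(arg, groups=SAMPLE_GROUPS):
    """Return the GID selected by arg, or raise ValueError for the ERROR cases.

    A numeric string that is also a group name resolves to that group's GID,
    not to the number itself, because the name lookup is tried first."""
    if arg in groups:
        return groups[arg]
    if arg.isdigit():
        gid = int(arg)
        if gid in groups.values():
            return gid
        raise ValueError(
            "ERROR: numeric group %s not found in any active name service repository" % arg)
    raise ValueError("ERROR: group %r not found; entry not created" % arg)
```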

		      If  this argument is not specified, the user will become
		      a member of default login group,	as  specified  by  the
		      command.

       This option is only required for the
		      service and is used to specify the user's full name.  If
		      undefined, the user's full  name	will  default  to  the
		      account name.

       Specifies the user's domain name.  This variable is used to specify the
		      value  that  can	be used in the template file.  If this
                      value is not specified, the domain name will be created
                      by using the first "dc" component of the new user's
                      distinguished name.  If the distinguished name does not
                      contain any "dc" components, and the variable is
                      specified in the template file, will generate an error.

       Specifies the user's alternate group memberships.
		      group/gid is expected to be the POSIX  textual  name  of
		      the group or the group ID number.	 That group must exist
		      in the directory server (not the file).

		      If the specified group name is invalid or does not exist
		      in  the  directory  server, will issue a warning message
		      for each invalid group.  To support numeric group names,
		      will always attempt to resolve the specified argument as
		      a group name (even if it is a numeric string).   If  the
		      specified	 argument  is  not found as a group name, will
		      check to see if the argument is a numeric string and  if
		      so, use that as the group ID number.

		      After the user's entry is successfully created (and only
                      if), will call (see ldapugmod(1M)) for each group
                      specified, to add the user to the listed groups.

		      If  more	than  one  group is specified, each group name
		      must be separated by a comma.  No whitespace is  allowed
		      between or within group names.  If fails to add the user
		      as a member of a particular group, will issue a  warning
		      message  and  continue  to  add  the  user  to the other
		      remaining groups specified.

		      If this argument is not specified, the user will not  be
		      added to alternate groups.

       Specifies the full path name to the executable that will be used to
		      handle  login  sessions for this user.  If this argument
		      is not specified, the default, as configured by will  be
		      used.

       Specifies the full path name (including the user name) of the user's
		      home  directory.	If this argument is not specified, the
		      combination of the default base directory, as configured
                      by and the user's account name, will be used.  If you
                      wish to also create the home directory on this system,
                      the option must be specified.

       Specifies GECOS fields for the user.
		      Typically the GECOS contains four fields which represent
		      (in order):

		      ·	 The user's full name
		      ·	 The user's work location
		      ·	 The user's work telephone number
		      ·	 The user's home telephone number (often omitted)

		      Each field in the gecos should be separated by a	comma.
		      If  the  data  within the gecos field contains any white
		      space or other characters that might be  parsed  by  the
		      shell,  the entire string must be protected by enclosing
		      quotes.  White space should not  be  used	 between  each
		      field and the separating commas.

		      Note that LDAP-UX supports mapping of the gecos field to
		      multiple attributes.   If	 attribute  mapping  has  been
		      specified	 in  the  LDAP-UX  configuration profile, each
		      field will be mapped to its representative attribute, in
		      the order specified.

		      If  is not specified, the gecos attribute(s) will not be
		      added to the user's entry.

                      WARNING: If the option is specified and attribute
                      mapping has been defined for the gecos attribute, be
                      careful not to specify the same attributes in the
                      command line that are also used in the gecos map.  For
                      example, suppose the gecos has been mapped to cn, l and
                      telephoneNumber.  Because below represents the cn
                      attribute when creating new user account entries, the
                      following command might produce unpredictable results
                      since cn is specified by both and by the gecos mapping:

       In the above example, because of the
                      gecos attribute mapping, the cn and telephoneNumber
                      values are specified twice, which will result in an
                      error when the same attribute and value are added to the
                      directory server.  can be used to determine the gecos
                      attribute mapping configuration.

		      NOTE: Since the gecos attribute may be mapped to one  or
		      several  attributes, the number of values specified with
		      (between the commas) should, but	is  not	 required  to,
		      match  the  number  of  mapped attributes.  If there are
		      more mapped attributes than  specified  values  in  then
		      trailing	mapped	attributes  will  not  be added to the
		      directory server.	 If there are more values than	mapped
		      attributes,  extra  values  will be combined in the last
		      mapped attribute.
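The two rules just stated (trailing mapped attributes are dropped when there are too few values; surplus values are folded into the last mapped attribute) and the WARNING above about the same attribute arriving twice are shown below in an added example that is not LDAP-UX code. The mapping gecos to cn, l and telephoneNumber is the one the page itself uses; the gecos strings are constructed.

```python
"""Model of how a comma-separated gecos value is distributed over the
attributes that ldapux(5) has mapped it to, following the rules on this
man page. Added illustration, not ldapugadd's own code; the sample gecos
strings in the tests are constructed."""


def map_gecos(gecos, mapping=None):
    """Return the (attribute, value) pairs the gecos string produces.

    mapping: ordered list of attribute names gecos is mapped to, or None.
    With no mapping, the whole string goes into the gecos attribute."""
    if not mapping:
        return [("gecos", gecos)]
    fields = gecos.split(",")
    pairs = []
    for i, attr in enumerate(mapping):
        if i >= len(fields):
            break                       # too few values: trailing attributes are not added
        if i == len(mapping) - 1:
            # last mapped attribute absorbs any extra values
            pairs.append((attr, ",".join(fields[i:])))
        else:
            pairs.append((attr, fields[i]))
    return pairs


def duplicate_attributes(gecos_pairs, explicit_pairs):
    """Attributes that would be written twice: once through the gecos map
    and once as an explicit attribute on the command line (the page's
    WARNING case, where results are unpredictable)."""
    return sorted({a for a, _ in gecos_pairs} & {a for a, _ in explicit_pairs})
```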

       Specifies a comment that will be stored in the
		      description attribute, as defined by RFC2307.  Attribute
		      mapping  is  not	defined for the description attribute.
		      If unspecified, the description attribute	 will  not  be
		      added  to	 the  user's  entry.   Since the comment field
		      often contains white-space, be sure to protect  it  from
		      shell parsing with enclosing quote characters.

       Specifies  the  LDIF template file that will be used to create new user
       entries.
                      The template_file parameter may either be a full or
                      relative path name or a "short" name.  Refer to below
                      for additional information.

       uid_name	      Required Argument.   Contains  the  POSIX-style  textual
		      login  name  for	the  new  user	entry.	This user name
		      should conform to HP-UX login name requirements.	Please
		      refer to passwd(4) for login name requirements.

		      uid_name is a required parameter, and it must follow all
		      command-line options and must precede the parameters (if
		      provided).

       Create a new home directory for the defined user.
		      User  and group ownership of the newly created directory
		      will be assigned to the user and his/her	primary	 login
		      group.

		      If  is specified, the files and sub-directories found in
		      skel_dir will be copied to the  user's  home  directory,
		      and  user	 and  group  ownership	permissions altered as
		      specified above.	If is not  specified,  skeleton	 files
		      will be copied from

		      The option requires the user has sufficient privilege to
		      create the new home directory, copy skeleton  files  and
		      change  ownership	 of those files and directories.  will
		      create a user's home directory only  after  successfully
		      adding the user's entry in the directory server.

		      If  is  unable to properly create the user's home direc‐
		      tory, per the above process, the newly  created  changes
		      in  the directory server will not be removed.  See below
		      for more information.

       is ignored unless the
		      option is specified.   skel_dir  specifies  a  directory
		      which  contains  skeleton	 files	and  directories  that
		      should be copied into newly created user	home  directo‐
		      ries.  See above.

       Allows specification of arbitrary LDAP attributes and values.
                      Because of potential objectclass requirements,
                      additional information beyond the basic POSIX account
                      and group data may need to be specified in order to
                      create new entries in the directory server.

                      For example, if the "InetOrgPerson" objectclass is used
                      as a structural class for posixAccounts, then the sn
                      (surname) attribute must be specified in order to
                      properly create a new entry.  This value would need to
                      be defined in the template file (see Template Files
                      below) and would need to be specified at the end of the
                      command line.

		      The  parameter  is  generally used to specify attributes
		      required by the template file.  However, if an attribute
		      is  specified  which  is not defined in the defined tem‐
		      plate file, that attribute/value pair will be considered
		      as  an  optional	attribute/value which will be added to
		      the entry exactly as specified.

		      parameters are optional, but must be  specified  as  the
		      last parameters on the command line.

   Arguments Applicable to '-t group'
       Specifies the group's numeric id number.
                      If the specified gidNumber already exists in the
                      directory server, will not add the new entry and return
                      an error exit status, unless the option is specified.

		      If this argument is not specified, a new group ID number
		      will be provisioned by randomly selecting a  value  from
		      the  gidNumber  range specified by If randomly selects a
		      gidNumber that  is  already  in  use  on	the  directory
		      server,  will  randomly select another gidNumber and try
		      again until it finds an  unused  gidNumber  or  exhausts
		      retry  attempts.	 Retry attempts will be limited to 90%
		      of the range of available gidNumbers (specified with and
		      described above).
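The provisioning loop is the same for uidNumber (described under '-t passwd' above) and gidNumber (described here): draw a random value from the inclusive range, retry on collision, and stop once the retry budget of 90% of the range is used up. The following is an added example for both passages, not LDAP-UX code; the set of IDs already in use is a constructed sample standing in for the directory search the real tool performs.

```python
"""Random ID provisioning with a bounded retry budget, as this man page
describes it for both uidNumber and gidNumber. Added illustration, not
ldapugadd's own code; the in-use sets in demo() and the tests are constructed."""
import random


def provision_id(lo, hi, in_use, rng=None):
    """Return an unused ID in [lo, hi] (inclusive), or None once the retry
    budget is exhausted.

    in_use: IDs the directory server already holds (a constructed set here;
            the real tool looks each candidate up in the directory).
    rng:    optional random.Random so callers can seed it for repeatable runs."""
    rng = rng or random.Random()
    range_size = hi - lo + 1
    # The page: retries are limited to 90% of the range of available IDs.
    # Allowing at least one attempt for very small ranges is our assumption.
    attempts = max(1, int(range_size * 0.9))
    for _ in range(attempts):
        candidate = rng.randint(lo, hi)
        if candidate not in in_use:
            return candidate
    return None   # caller reports the error; no entry is created


def demo():
    """Constructed scenario: a ten-wide gid range with a single free value.
    With only nine attempts allowed, the call may legitimately return None."""
    taken = set(range(2000, 2010)) - {2005}
    return provision_id(2000, 2009, taken, rng=random.Random(1))
```

The point a practitioner should take from this is the failure mode: on a nearly full range the tool can give up even though a free ID exists, and the fix is a wider range (or an explicit ID), not a retry of the same command.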

       Specifies the group's domain name.  This variable is used to specify
       the
                      value that can be used in the template file.  If this
                      value is not specified, the domain name will be created
                      by using the first "dc" component of the new group's
                      distinguished name.  If the distinguished name does not
                      contain any "dc" components, and the variable is
                      specified in the template file, will generate an error.

       Defines	initial group membership by adding the specified user accounts
       as
                      members.  The members must be defined as a
                      comma-separated list of account names, similar to the
                      requirements defined above.  Use of requires that the
                      specified user's account already be defined in the
                      directory server, unless the option is specified.

                      When the option is used, the user's group membership
                      will be defined using the memberUid attribute,
                      regardless of the attribute mapping configuration
                      defined by ldapux(5).  Use of is not recommended, and
                      will not succeed if the directory server does not
                      support the memberUid attribute.

                      will follow the same membership syntax as defined by
                      ldapux(5) attribute mapping.  Specifically, if ldapux(5)
                      has mapped the RFC2307 group membership attribute
                      (memberUid) to a DN-based membership attribute such as
                      member or uniqueMember, then will define membership
                      using the DN of the specified user.  If memberUid has
                      been mapped to more than one attribute type, will use
                      the first attribute defined by the mapping.

		      Note that can only add members to a group that follow  a
		      static  membership  syntax  (like memberUid, member, and
		      uniqueMember).  will fail if the	only  mapping  defined
		      uses a dynamic group membership syntax (like memberUrl).

       Specifies a comment that will be stored in the
		      description attribute, as defined by RFC2307.  Attribute
		      mapping is not defined for  the  description  attribute.
		      If  unspecified,	the  description attribute will not be
		      added to the user's entry.

       Specifies the LDIF template file that will be used to create new	 group
       entries.
                      The template_file parameter may either be a full or
                      relative path name or a "short" name.  Refer to below
                      for additional information.

       group_name     Required Argument.  Contains the POSIX-style textual
                      group name for the new group entry.  This name should
                      conform to HP-UX group name requirements.  Please refer
                      to group(4) for group name requirements.  group_name is
                      a required parameter, must follow all command-line
                      options and must precede the parameters (if provided).

       Allows specification of arbitrary LDAP attributes and values.
                      Refer to in the section above for additional
                      information.  parameters are optional, but must be
                      specified as the last parameters on the command line.

   Template Files
       One of the benefits of LDAP directory servers  is  the  flexibility  to
       support	customized  data  models  to meet organizational requirements.
       This flexibility allows each directory deployment to define unique data
       models for users and groups.  Because of this, it's not possible for to
       be able to create new user or group entries in the directory server and
       also  follow  the  desired data model, without some description of that
       data model.

       Template files for  user	 and  group  entries  allow  to	 discover  the
       required	 data  models  for new user and group entries.	Template files
       define what data is required to create new user and group  entries  and
       allow  ldapugadd	 to  discover  required	 attributes  and data elements
       before creating the entries.

       To explain this concept, the below examples show the default  templates
       for a standard directory server for a passwd and group entry.  Samples,
       such as the one below, are delivered with  LDAP-UX,  including  samples
       for ADS.

       Below is a sample default template for standard directory server:

	      dn: uid=${uid},ou=people,${basedn}
	      objectclass: InetOrgPerson
	      objectclass: posixAccount
	      sn: ${Surname}
	      ${posixProfile}

	      dn: cn=${cn},ou=groups,${basedn}
	      objectclass: groupOfNames
	      objectclass: posixGroup
	      ${posixProfile}

       Below is a sample default template for Windows ADS:

	      dn: cn=${cn},cn=users,${basedn}
	      objectclass: user
	      ${posixProfile}
	      sAMAccountName: ${uid}
	      msSFU30NisDomain: ${domain}
	      #By default, ldapugadd creates disabled accounts.
	      #Change below to 544 to enable accounts by default.
	      userAccountControl: 546

	      dn: cn=${cn},ou=users,${basedn}
	      objectclass: group
	      ${posixProfile}
	      sAMAccountName: ${cn}
	      msSFU30NisDomain: ${domain}

       Each  template file must follow the LDIF data format and also allow for
       substitution of values from the command.	 Two  default  template	 files
       (for user and group entries) for standard directory servers, along with
       two default template files for ADS are  provided	 under	The  following
       guidelines can be used when creating template files.

       ·  Each template file is used for defining only one entry in the direc‐
	  tory server.

       ·  Each template file may contain comment  lines.   Each	 comment  line
	  must begin with the pound character.

       ·  Each	template file can be built using custom attributes and values.
	  Customized attribute values are defined using the  construct.	  How‐
	  ever, for each non-RFC2307 attribute used, when creates a new entry,
	  each one of those attributes must be specified on the	 command  line
	  as an pair.

       ·  supports  several pre-defined substitution constructs, where name is
	  represented by:

	  posixProfile	 Represents all RFC2307-type attributes and values for
			 the particular name service (either passwd or group).
                         If ldapux(5) has defined attribute mapping for
                         particular attributes, the mapped attributes will be
                         substituted in its place.  When used for
                         posixAccount-type entries, the following attributes
                         and values will be added to the entry:

			 ·  cn
			 ·  uid
			 ·  userPassword
			 ·  uidNumber
			 ·  gidNumber
			 ·  gecos
			 ·  homeDirectory
			 ·  loginShell

			 When used with posixGroup-type entries, the following
			 attributes and values will be added to the entry:

			 ·  cn
			 ·  userPassword
			 ·  gidNumber
			 ·  memberUid

			 Note:	 Since	use of posixProfile supports attribute
			 mapping, if the above attributes have been mapped  as
			 configured  in the LDAP-UX configuration profile, the
			 mapped attributes and values will  be	added  to  the
			 entry instead of the RFC2307 defined attributes.  For
                         example, if the posixAccount attribute gecos has been
                         mapped to cn l telephoneNumber then cn, l and
                         telephoneNumber will be added to the entry instead of
                         gecos.  And for another example with posixGroups, if
                         memberUid has been mapped to uniqueMember, then
                         uniqueMember will be added (using the DN syntax) to
                         the entry instead of memberUid.

	  basedn	 Represents the	 distinguished	name  of  the  default
			 search	 base (defaultSearchBase) as obtained from the
			 ldapux(5) configuration profile.

	  uid		 Represents the user's account name  when  used	 in  a
			 passwd template file.

	  uidNumber	 Represents  the user's account ID number when used in
			 a passwd template file.

	  cn		 Represents the user's full name when used in a passwd
			 template  file.   Represents the group name when used
			 in a group template file.

	  gidNumber	 Represents the group ID number when used in  a	 group
			 template file.

       ·  The  first  line  of the template file is used to define the distin‐
	  guished name of the new entry.  Since each DN is unique,  the	 first
	  component of the DN (the Relative Distinguished Name or RDN) must be
	  able to construct a unique value for each new entry.	Thus  the  RDN
	  should  be  constructed  using a construct.  Typically the cn or uid
	  attribute would be used in the RDN for new passwd entries and the cn
	  attribute would be used for new group entries.

       ·  The  userPassword  attribute	can  not  be specified in the template
	  file.	 See the option for additional information about specifying an
	  initial user or group password.

       ·  The memberUid attribute can not be specified in the template file,
          since the number of eventual members of a group can not be
          statically defined when the group is newly created.  will ignore
          the memberUid attribute if specified in the template file.

       As mentioned above, for each non-pre-defined substitution construct,
       using the requires specification of the name attribute and value on the
       command line.  If a non-POSIX attribute is specified in the template
       file (such as sn) and that attribute/value pair has not been specified
       on the command line, will return an error.

       To assist with programmatic discovery of the required attributes when
       creating new entries, the has provided command-line options to list
       these attributes.  will display the required attributes when creating
       new passwd entries.  will display the required attributes when creating
       new group entries.

   Multi-Valued Attributes in Template Files
       Template files can support multi-valued attributes.   This  means  that
       the same attribute name and/or value can be specified more than once in
       the template file.  Example:

	      dn: uid=${uid},ou=people,${basedn}
	      objectclass: InetOrgPerson
	      objectclass: myOrg
	      objectclass: posixAccount
	      sn: ${Surname}
	      primaryTeam: ${primaryTeam}
	      secondaryTeams: ${secondaryTeams}
	      secondaryTeams: ${secondaryTeams}
	      ${posixProfile}

       In the above example we assume that secondaryTeams is a multi-valued
       attribute which should be specified at least twice for each new
       posixAccount entry created.  In this case, will fill each attribute
       value in order specified in the template file based on the order that
       those attributes are specified on the command line.  Note if not enough
       attribute values have been specified on the command line to fill the
       attribute values used in the template file, will return an error.
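The Template Files section and this one together describe a small processing model: the first line is the DN, lines beginning with the pound character are comments, ${posixProfile} expands to the RFC2307 attributes for the service (with ldapux(5) attribute mapping applied), pre-defined constructs come from the account being created, every other construct must be supplied as a name/value pair on the command line, a multi-valued construct consumes one supplied value per occurrence, too few values is an error, userPassword may not appear in the template and memberUid in the template is ignored. The code below is an added example of that model for reference, not LDAP-UX's implementation. The passwd template is the page's multi-valued example; the group template, the comment line, the account values and the attribute mapping in the usage are constructed. The gecos-to-several-attributes mapping is deliberately not modelled here (see the gecos option above); mapping is treated as a one-to-one rename.

```python
"""Model of ldapugadd-style LDIF template expansion, following the rules on
this man page. Added illustration, not LDAP-UX code. SAMPLE_TEMPLATE is the
page's multi-valued example; SAMPLE_GROUP_TEMPLATE and all values are constructed."""
import re

PREDEFINED = {"posixProfile", "basedn", "uid", "uidNumber", "cn", "gidNumber"}
CONSTRUCT = re.compile(r"\$\{(\w+)\}")

# RFC2307 attributes that ${posixProfile} adds for each service (from the page).
POSIX_PROFILE = {
    "passwd": ["cn", "uid", "userPassword", "uidNumber", "gidNumber",
               "gecos", "homeDirectory", "loginShell"],
    "group": ["cn", "userPassword", "gidNumber", "memberUid"],
}

SAMPLE_TEMPLATE = """\
dn: uid=${uid},ou=people,${basedn}
# constructed comment line: ignored by the expander
objectclass: InetOrgPerson
objectclass: myOrg
objectclass: posixAccount
sn: ${Surname}
primaryTeam: ${primaryTeam}
secondaryTeams: ${secondaryTeams}
secondaryTeams: ${secondaryTeams}
${posixProfile}
"""

SAMPLE_GROUP_TEMPLATE = """\
dn: cn=${cn},ou=groups,${basedn}
objectclass: groupOfNames
objectclass: posixGroup
memberUid: ignored-when-given-in-a-template
${posixProfile}
"""


def required_attributes(template):
    """Names the caller must supply on the command line: every construct
    that is not pre-defined, in first-seen order (what the page says the
    discovery options list)."""
    names = []
    for name in CONSTRUCT.findall(template):
        if name not in PREDEFINED and name not in names:
            names.append(name)
    return names


def render(template, service, posix, extra, mapping=None):
    """Return the entry as a list of (attribute, value) pairs, DN first.

    posix:   values for the pre-defined constructs and posixProfile attributes.
    extra:   (name, value) pairs as given on the command line; each ${name}
             occurrence consumes the next value supplied for that name.
    mapping: ldapux(5) attribute mapping as a one-to-one rename, e.g.
             {"loginShell": "hpuxShell"} (constructed for the usage below)."""
    mapping = mapping or {}
    queues = {}
    for name, value in extra:
        queues.setdefault(name, []).append(value)

    def substitute(match):
        name = match.group(1)
        if name in PREDEFINED:
            return str(posix[name])
        if not queues.get(name):
            raise ValueError("no value supplied for ${%s}" % name)
        return queues[name].pop(0)

    entry = []
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "${posixProfile}":
            for attr in POSIX_PROFILE[service]:
                # userPassword comes from the password option and memberUid
                # from the membership option; neither is filled from a template.
                if attr in ("userPassword", "memberUid"):
                    continue
                entry.append((mapping.get(attr, attr), str(posix[attr])))
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        if attr == "userPassword":
            raise ValueError("userPassword can not be specified in the template file")
        if attr == "memberUid":
            continue    # the page: memberUid in a template is ignored
        entry.append((attr, CONSTRUCT.sub(substitute, value.strip())))
    return entry
```

Running required_attributes() on SAMPLE_TEMPLATE yields Surname, primaryTeam and secondaryTeams; rendering with only one secondaryTeams value raises, which is the "not enough attribute values" error the paragraph above describes.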

   Template File Naming
       The default template files for new passwd and group entries are	stored
       in and are named and

       All template files stored in the directory must follow a specific
       naming format.  To allow specification of template files by their short
       name (see below), the template file name must begin with followed by
       the service name being supported.  Underbars are used to separate
       sections of the name.  The remainder of the name may be any keystring,
       followed by an extension.

       For example might be used when creating new users of  the  "VPN"	 type.
       Template files stored outside of the directory need not follow any spe‐
       cific format.

       When specifying the name of a template file as part of  the  option  on
       the  command  line,  either  the exact file name or a short name may be
       used.  When specifying the file name, that name may be either a full or
       relative path name, but must begin with either the slash or dot charac‐
       ters.  That file name may exist anywhere in the file system.

       When specifying the short name, the file must exist under the directory
       and  must follow the format specified above.  For example would be used
       to specify the template file mentioned above:

       A short name is defined as the distinguishing portion of	 the  template
       file  name.   For  example,  for	 the passwd service, if the short name
       "operator" is specified, the resulting template file would be

       All LDAP-UX default template files will be stored in the directory.

       A full or relative path name must begin with either the slash or dot
       characters.  If unspecified, one of the following default template
       files will be used:

	      ·	     or
	      ·

   Binding to the Directory Server
       has been designed to take advantage of the existing ldapux(5)
       configuration for determining which directory server to bind to and
       how to perform the bind operation.  will consult the ldapux(5)
       configuration profile for the following information:

       ·  The list of LDAP directory server hosts.
       ·  The authentication method (simple passwords, SASL Digest MD5, etc.)

       If either of the environment variables or have not been specified, will
       also consult the ldapux(5) configuration for additional information:

       ·  The type of credential (user, proxy or anonymous) to use.
       ·  The credential used for binding as a proxy user (either for
          administrative users or for non-privileged users).

       As with ldapux(5), will attempt to contact the first available
       directory server as defined in the ldapux(5) host list.  As soon as a
       connection is established, further directory servers on the host list
       will not be contacted.  Once connected, will first determine if the
       environment variables or have been specified.  If both are specified,
       then will attempt to bind to the directory server using the specified
       credentials and the configured LDAP-UX authentication method.

       If either of the above-mentioned environment variables has not been
       specified, then will determine if the configured credential type is
       "proxy" and, if so, attempt to bind to the directory server using the
       configured LDAP-UX proxy credential.  If configured, the acred proxy
       credential will be used for administrative users (determined by
       whether the user running has enough privilege to read the file).
       Otherwise the credential configured in will be used.

       Note, to prevent discovery of the LDAP administrator's credentials, the
       LDAP user DN and password may not be specified as command-line  options
       to the utility.

   Security Considerations
       ·  Use of requires the permissions of an LDAP administrator when it
          performs its operations on the directory server.  The rights to
          create new LDAP directory entries under the requested subtree,
          along with creation of the required attributes in that entry, must
          be granted to the LDAP administrator identity that is specified
          when executing

       ·  As with any POSIX-type identity, the HP-UX operating system uses
          the specified user and group ID number to determine rights and
          capabilities in the OS as well as in the file system.

          For example, the root user, ID 0, typically has unlimited OS
          administration and file access rights.  Before creating a new
          entry, be aware of the selected user and group ID number and any
          policy that may be associated with that ID.

       ·  If is used to randomly assign a user or group ID number, it only
          checks for ID collisions in the LDAP directory server, and not in
          other policy repositories.  When setting the user and group ID
          number ranges with either or be sure to set a range that is not
          used by other user or group ID repositories, to ensure that
          collisions do not occur with existing users or groups in those
          repositories.

       ·  As would occur in any	 identity  repository,	modification  of  this
	  repository will likely have impacts as defined by the organization's
	  security policy.  Users of are expected to have  full	 knowledge  of
	  the  impact  to  the	organization's security policy when adding new
	  identity information to that identity repository.

       ·  In order to support non-interactive use of the command,
          specification of the LDAP administrator's credentials is required
          through use of the and environment variables.  To prevent exposure
          of these environment variables, they should be unset after use.

          Note also that the shells(4) command history log may contain copies
          of the executed commands that show the setting of these variables.
          Access to a shell's history file must be protected.  Specification
          of the LDAP administrator's credentials on the command line is not
          allowed, since information about the currently running processes
          can be exposed externally from the session.

          Use of the option eliminates the need to set the mentioned
          environment variables by interactively prompting for the required
          credentials.
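          The handling described in this bullet, written out as an added
          POSIX sh example (not code from the HP-UX man page or from
          LDAP-UX): credentials are read without echo, passed to the tool
          only through the environment of a subshell so they appear neither
          in the command line nor in ps(1) output, scrubbed afterwards, and
          a small audit function counts history lines that would have
          leaked them.  The man page's real variable names are elided in
          this copy, so EXAMPLE_BIND_DN and EXAMPLE_BIND_PW are placeholders;
          ADD_TOOL defaults to ldapugadd but can be pointed at any program.

```shell
#!/bin/sh
# Added example, not part of the HP-UX man page: keep the LDAP
# administrator's credentials out of the shell history and out of the
# process argument list, then scrub them from the calling shell.
#
# EXAMPLE_BIND_DN / EXAMPLE_BIND_PW are placeholders for the (elided)
# variable names the tool actually reads.  ADD_TOOL is the command to run.
ADD_TOOL=${ADD_TOOL:-ldapugadd}

# Prompt for a secret with terminal echo off (POSIX sh has no read -s) and
# write it to stdout for capture with $(...).  Nothing is typed on a
# command line, so nothing is recorded in the history file.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r secret
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$secret"
}

# Run the tool with the credentials exported inside a subshell only.  The
# calling shell never holds the values, and because they travel in the
# environment rather than as arguments, ps(1) does not show them.
# Usage: run_with_credentials DN PASSWORD [tool arguments...]
run_with_credentials() {
    (
        EXAMPLE_BIND_DN=$1
        EXAMPLE_BIND_PW=$2
        shift 2
        export EXAMPLE_BIND_DN EXAMPLE_BIND_PW
        exec "$ADD_TOOL" "$@"
    )
}

# Remove the credential variables from the current shell, as the man page
# recommends after non-interactive use.
scrub_credentials() {
    unset EXAMPLE_BIND_DN EXAMPLE_BIND_PW
}

# Audit helper: count history lines that assign any of the named variables,
# either as "VAR=..." (possibly prefixed to a command) or "export VAR=...".
# A non-zero count means the history file leaks them.
# Usage: history_exposure_count HISTFILE VAR...
history_exposure_count() {
    _hist=$1
    shift
    _count=0
    for _var in "$@"; do
        _n=$(grep -c -E "(^|[[:space:];&|])(export[[:space:]]+)?${_var}=" \
                 "$_hist" 2>/dev/null || true)
        _count=$((_count + ${_n:-0}))
    done
    echo "$_count"
}

# Constructed sample history file (not real output) to exercise the audit.
make_sample_history() {
    _f=$(mktemp) || exit 1
    cat > "$_f" <<'EOF'
ls -l
export EXAMPLE_BIND_DN="cn=Directory Manager"
EXAMPLE_BIND_PW=secret ldapugadd newuser
ldapugadd newuser
EOF
    echo "$_f"
}

# Interactive use (not executed when this file is sourced):
#   dn=$(read_secret "Bind DN"); pw=$(read_secret "Bind password")
#   run_with_credentials "$dn" "$pw" newuser
#   unset dn pw; scrub_credentials
```

          In the constructed history above the second and third lines would
          each expose one variable, so the audit reports 2; the variant that
          prefixes the assignment to the command is just as visible in the
          history file as an explicit export.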

LDAP-UX PROFILE
       makes use of the LDAP-UX configuration profile to determine the
       information model used in the directory server to store POSIX
       attributes.  Please refer to the for additional information about the
       configuration profile.

LDAP UG CONFIGURATION FILE
       LDAP-UX supports a local configuration file, which the tool uses to
       manage the following default values when creating new user and group
       entries in an LDAP directory server:

       ·  A default group ID for new users

       ·  The valid UID number range for new users

       ·  The valid GID number range for new groups

       ·  The base path for a new user's home directory.  By default,  LDAP-UX
	  appends  the user's account name to the base path to create the full
	  path name.

       ·  The default login shell for new users

       LDAP-UX provides the default file as follows:

	      # This file is used by the ldapugadd tool for management
	      # of default values for creating new user and group entries.
	      # This file can not be modified directly, but instead through
	      # the ldapugadd -D command.
	      #
	      uidNumber_range=100:20000
	      gidNumber_range=100:2000
	      default_gidNumber=20
	      default_homeDirectory=/home
	      default_loginShell=/usr/bin/sh
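       The range settings in this file, and the Security Considerations
       warning that random ID assignment only checks the LDAP directory for
       collisions, are exercised by the following added POSIX sh example
       (not code from the HP-UX man page or from LDAP-UX).  It parses a
       configuration file in the format shown above, then checks a proposed
       uidNumber or gidNumber against both the configured range and a
       second identity repository; a constructed passwd(4)/group(4)-style
       file stands in for that other repository.  All file contents below
       are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the HP-UX man page: read uidNumber_range /
# gidNumber_range from a configuration file in the format shown on the man
# page and check a proposed ID against the range and against a second
# identity repository (a local passwd/group-style file), since the tool
# itself only checks the LDAP directory for collisions.

# Constructed copy of the default configuration shown in the man page.
make_sample_config() {
    _f=$(mktemp) || exit 1
    cat > "$_f" <<'EOF'
# defaults for creating new user and group entries (constructed sample)
uidNumber_range=100:20000
gidNumber_range=100:2000
default_gidNumber=20
default_homeDirectory=/home
default_loginShell=/usr/bin/sh
EOF
    echo "$_f"
}

# Constructed local repositories in passwd(4) and group(4) layout; in both
# the numeric ID is the third colon-separated field.
make_sample_passwd() {
    _f=$(mktemp) || exit 1
    cat > "$_f" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
operator:x:150:20::/home/operator:/usr/bin/sh
EOF
    echo "$_f"
}

make_sample_group() {
    _f=$(mktemp) || exit 1
    cat > "$_f" <<'EOF'
users:x:20:
vpn:x:1500:operator
EOF
    echo "$_f"
}

# Print the value of KEY from a key=value file, skipping comment lines.
# Usage: config_value FILE KEY
config_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Return 0 if ID lies within RANGE written as "low:high", else 1.
# Usage: in_range ID RANGE
in_range() {
    [ "$1" -ge "${2%%:*}" ] && [ "$1" -le "${2##*:}" ]
}

# Return 0 if numeric ID appears as the third field of FILE, else 1.
# Usage: id_in_file ID FILE
id_in_file() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit !found }' "$2"
}

# Check a proposed uid or gid.  Prints a one-line verdict and returns 0
# only when the ID is inside the configured range and unused in REPO.
# Usage: check_id uid|gid ID CONFIG REPO
check_id() {
    _key="$1Number_range"
    _range=$(config_value "$3" "$_key")
    if [ -z "$_range" ]; then
        echo "REJECT: $_key not set in $3"
        return 1
    fi
    if ! in_range "$2" "$_range"; then
        echo "REJECT: $1 $2 outside $_key $_range"
        return 1
    fi
    if id_in_file "$2" "$4"; then
        echo "REJECT: $1 $2 already used in $4"
        return 1
    fi
    echo "OK: $1 $2 is within $_range and unused in $4"
}
```

       With the constructed files, uid 150 is inside the 100:20000 range
       but collides with the local operator account, so it is rejected even
       though an LDAP-only check would have accepted it; uid 151 passes, and
       gid 2500 is rejected because gidNumber_range ends at 2000.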

EXTERNAL INFLUENCES
   Environment Variables
       When used in combination with the option, specifies the password of a
       newly created user or group.

              Note, use of passwords for groups is not recommended.

              Also, if the ldapux(5) attribute mapping for the userPassword
              attribute has not been defined or set to will create new
              passwords in the userPassword attribute.

       Specifies the DN of a user with sufficient directory server privilege
	      to create new users and/or groups in the LDAP directory server.

	      While  this  variable is optional, if is specified, must also be
	      specified.

       A password or other type of credential used for the user specified by
       the

              While this variable is optional, if is specified, must also be
              specified.

       Refer to for important security impacts when these environment
       variables are used.

RETURN VALUE
       Upon exit, returns the following:

	 0     Success.	 exits with no errors or with one or more warnings.

       <>0     returns	with a non-zero exit status if it encounters an error,
	       and messages will be logged to stderr.

	       Messages will follow the below format:

	       code
			      message

	       or

	       code
			      message

	       Leading extra white space may be inserted to improve
	       readability and follow 80 column screen formatting.

	       code	 will be a programmatically parsable error key-string,
			 while

	       message	 will be human-readable.  Refer to the for a  list  of
			 possible  error  codes generated by the LDAP user and
			 group management tools.

LIMITATIONS
       ·  Since LDAP directories require data to be stored according to the
          UTF-8 (RFC3629) character encoding method, all characters passed
          into are assumed to be UTF-8, and part of the ISO-10646 character
          set.  does not perform conversion of the locale character set
          to/from the UTF-8 character set.

       ·  Since calls functions to discover if a group exists before adding a
          user to a group, it is possible to encounter timing issues with
          cached information.  For example, if an administrator wishes to see
          if a group exists by using this group information will be cached
          by both ldapclientd(1M) and pwgrd(1M).

          If the group does not exist when calling and the administrator
          shortly thereafter creates this group, the information that the
          group still does not exist will still be cached.  Then, when adding
          a new user and specifying that this user is a member of the just
          created group, an error will be generated to indicate that the user
          cannot be added to the group.  To resolve this, the and caches must
          be flushed.

SEE ALSO
       ldapcfinfo(1M), ldapugdel(1M), ldapuglist(1M), ldapugmod(1M),
       ldapux(5).

								 ldapugadd(1M)