ldapugdel man page on HP-UX


ldapugdel(1M)							 ldapugdel(1M)

NAME
       ldapugdel  -  remove existing accounts or groups from an LDAP directory
       server

SYNOPSIS
       [options] type] hostname] port] uid_name | group_name}

DESCRIPTION
       ldapugdel is used to remove POSIX related user or group entries from the
       directory server.  With the option, ldapugdel can be used to remove POSIX related
       attributes and objectclasses from user or group entries, without remov‐
       ing the entry itself.

Options
       Prompt for the administrator's bind identity (typically LDAP DN or
	       kerberos	 principal)  and bind password.	 Without will discover
	       the bind identity and password from  the	 environment  variable
	       and If the or environment variable has not been specified, will
	       follow the bind configuration specified in the  ldapux(5)  con‐
	       figuration profile.

	       If  ldapux(5)  has  specified "proxy" bind, the bind credential
	       will be read from either the or file.  The file	will  only  be
	       used  by users that have sufficient administrative privilege to
	       read that file.	Refer to below for additional details.

       Used only with the
	       option,	forces	to  remove  the	 uid,  cn,   and   description
	       attributes for either a user or group entry, respectively.

	       Because	use  of	 removes  common  attributes typically used by
	       other LDAP-enabled applications, use of	it  is	rarely	recom‐
	       mended	when   removing	 posixAccount  or  posixGroup  related
	       attributes.  If removal of the uid, cn,	or  description	 would
	       cause an objectclass violation, a warning message would be gen‐
	       erated.	will try to remove as many attributes  as  allowed  by
	       the directory server.

       Used only with the combined with
	       and  the	 options,  forces to remove the userPassword attribute
	       from the user entry.

	       Use of is rarely recommended when removing posixAccount related
	       attributes.

       Requires an SSL connection to the directory server, even if the
	       ldapux(5) configuration does not require the use of SSL.

	       Use  of	requires  either  a  valid server or CA certificate be
	       defined in the file.  An error will occur if the SSL connection
	       could not be established.

       Attempt a TLS connection to the directory server, even if the
	       ldapux(5) configuration does not require the use of TLS.  If a
	       TLS connection cannot be established, a non-TLS and non-SSL
	       connection will be established.

	       Use  of	is not recommended unless alternative methods are used
	       to protect from network eavesdropping.  Use of requires	either
	       a valid server or CA certificate be defined in the file.	 Refer
	       to below for additional details.

       Requires a TLS connection to the directory server, even if the
	       ldapux(5) configuration does not require the use of  TLS.   Use
	       of  requires either a valid server or CA certificate be defined
	       in the file.  An error will occur if the TLS  connection	 could
	       not be established.  Refer to below for additional details.

       Upon  successful	 completion,  displays	the  DN of the deleted/updated
       entry.

   Arguments
       Specifies the host name and optional port number
		      of the directory	server.	  This	option	overrides  the
		      server list configured by ldapux(5).

		      The  hostname  field also supports specification of IPv4
		      and IPv6 addresses.  Note that when a port is  specified
		      for  an IPv6 address, the IPv6 address must be specified
		      in square-bracketed  form.   If  the  optional  port  is
		      unspecified, the port number is assumed to be 389 or 636
		      for SSL connections.  Refer  to	below  for  additional
		      details.

       Specifies the port number of the directory server to contact.
		      This  option  is ignored if the port number is specified
		      in the hostname as part of the option.  Refer  to	 below
		      for additional details.

       Specifies the service type of entry to be deleted.
		      The service type can be either or where:

		      implies	  posixAccount-type entries and,
		      implies	  posixGroup-type entries.

		      If unspecified, defaults to

		      Note: to be consistent with the Name Service Switch (see
		      switch(4)), the term is  used  to	 represent  LDAP  user
		      entries which contain POSIX account-related information.

       Do not delete the entire user or group entry.
		      Instead  delete  only  the  posixAccount	or  posixGroup
		      objectclass and associated attributes.

		      With the option, will remove  the	 posixAccount  object‐
		      class and the following attributes:

		      ·	 uidNumber
		      ·	 gidNumber
		      ·	 homeDirectory
		      ·	 loginShell
		      ·	 gecos

		      With  the option, will remove the posixGroup objectclass
		      and the following attributes:

		      ·	 gidNumber
		      ·	 memberUid
		      ·	 userPassword

		      The protAttr list consists of one or more of the above
		      attribute names separated by commas with no white-space.
		      If specified, ldapugdel will not remove the specified
		      attribute(s).

		      Special notes for using the option:

		      ·	 Since mapped attributes are often attributes that are
			 shared	  with	 other	 LDAP-enabled	 applications,
			 attribute mapping is not supported with

			 For  example, if uidNumber has been mapped to employ‐
			 eeNumber, will still attempt to remove the  uidNumber
			 attribute and not the employeeNumber attribute.

		      ·	 Since	the  uid,  cn, and description attributes, for
			 user entries, and the cn and description  attributes,
			 for group entries, are commonly used by other object‐
			 classes or as naming attributes, will not attempt  to
			 remove the uid, cn, or description attributes, unless
			 failure to remove those  attributes  would  cause  an
			 objectclass  violation	 (because the remaining object
			 classes for that entry would not be able  to  contain
			 those attributes).

			 Use  of  will	force  removal	of those attributes if
			 allowed by the	 remaining  object  classes  for  that
			 entry.

		      ·	 Since	the  userPassword  attribute  is often used by
			 other user-related objectclasses, will not attempt to
			 remove	 the userPassword attribute when removing user
			 entries.

			 Use of will override this option, if allowed  by  the
			 remaining object classes in that entry.

		      ·	 will  attempt	to  remove the posixAccount and posix‐
			 Group objectclasses only if  they  are	 present.   In
			 some cases, when a user or group entry is built using
			 an abstract class, the	 posixAccount  and  posixGroup
			 entries may not be present in the entry.

		      ·	 Since Active Directory schema and RFC2307 schema con‐
			 flict in the shared definition of  the	 homeDirectory
			 attribute,   will   never  remove  the	 homeDirectory
			 attribute if determines the entry being  modified  is
			 stored on an Active Directory server.

		      ·	 Since the Microsoft Services for Unix schema does not
			 use RFC2307 standard  attributes,  use	 of  will  not
			 function,  since  attribute mapping is not allowed in
			 will function properly with Windows  2003  R2,	 since
			 standard RFC2307 attributes are used, with the excep‐
			 tion of the homeDirectory, described above.
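
An added example (not part of the original man page and not the tool's own code): a pre-flight preview that applies the attribute lists, the protAttr rule and the Active Directory homeDirectory exception described above to one LDIF entry, and prints what would be stripped. The function names and the sample entry are constructed for illustration; the forced removal of uid, cn, description and userPassword is not modelled.

```sh
# Constructed sample entry (not from a real directory).
sample_entry() {
cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
employeeNumber: 1001
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/alice
loginShell: /usr/bin/sh
userPassword: {SSHA}constructed-value
EOF
}

# strip_preview CLASS PROTATTR AD   (one unfolded LDIF entry on stdin)
#   CLASS     posixAccount or posixGroup
#   PROTATTR  comma-separated attribute names to keep, or ""
#   AD        "ad" if the entry is stored on Active Directory, else ""
# Prints, in entry order, what the rules described above would remove.
strip_preview() {
    case $1 in
        posixAccount) attrs="uidNumber gidNumber homeDirectory loginShell gecos" ;;
        posixGroup)   attrs="gidNumber memberUid userPassword" ;;
        *) echo "unknown objectclass: $1" >&2; return 2 ;;
    esac
    case $2 in *[[:space:]]*) echo "protAttr: no white-space allowed" >&2; return 2 ;; esac
    keep=""; old_ifs=$IFS; IFS=,; set -f
    for p in $2; do
        case " $attrs " in
            *" $p "*) keep="$keep $p" ;;
            *) IFS=$old_ifs; set +f; echo "protAttr: '$p' is not in the list" >&2; return 2 ;;
        esac
    done
    IFS=$old_ifs; set +f
    [ "$3" = "ad" ] && keep="$keep homeDirectory"   # never removed on Active Directory
    awk -v class="$1" -v attrs="$attrs" -v keep="$keep" '
        BEGIN {
            n = split(attrs, a, " "); for (i = 1; i <= n; i++) rm[tolower(a[i])] = 1
            n = split(keep, k, " ");  for (i = 1; i <= n; i++) delete rm[tolower(k[i])]
        }
        {
            c = index($0, ": "); if (c == 0) next
            name = substr($0, 1, c - 1); val = substr($0, c + 2)
            if (tolower(name) == "objectclass" && tolower(val) == tolower(class)) print name ": " val
            else if (tolower(name) in rm) print name
        }'
}
```

In the sample, employeeNumber and userPassword stay in the user entry, matching the notes on mapped attributes and on userPassword.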

       Normally	      will search for the named user or group using the search
		      rules  described by the service search descriptor in the
		      ldapux(5) configuration profile.	With the exact	DN  of
		      the entry being modified may be specified.

		      Only  one	 of uid_name or group_name may be specified on
		      the command line.

       uid_name	      Specifies the name of the user entry  to	remove.	  Note
		      that  uses the configured LDAP search filter to discover
		      the entry to be removed, such as:

		      If there is more than one entry that matches this search
		      filter, only the first entry discovered will be
		      removed.

		      Only one of uid_name, or group_name may be specified  on
		      the command line.

       group_name     Specifies	 the  name of the group entry to remove.  Note
		      that uses the configured LDAP search filter to  discover
		      the entry to be removed, such as:

		      If there is more than one entry that matches this search
		      filter, only the first entry discovered will be
		      removed.

		      Only  one of uid_name, or group_name may be specified on
		      the command line.

   Binding to the Directory Server
       ldapugdel has been designed to take advantage of the existing ldapux(5)
       configuration for determining to which directory server to bind and how
       to perform the bind operation.  ldapugdel will consult the ldapux(5)
       configuration profile for the following information:

       ·  The list of LDAP directory server hosts.

       ·  The authentication method (simple passwords, SASL Digest MD5, etc.).

       If  either  of the environment variable or has not been specified, will
       consult the ldapux(5) configuration for additional information:

       ·  The type of credential (user, proxy or anonymous) to use.

       ·  The credential used for binding as a proxy user (either for adminis‐
	  trative users or for non-privileged users).

       As with ldapux(5), ldapugdel will attempt to contact the first available
       directory server as defined in the ldapux(5) host list.  As soon as a
       connection is established, further directory servers on the host list will
       not be contacted.

       Once connected, will first determine if the environment variable or has
       been  specified.	  If  so,  then	 will attempt to bind to the directory
       server using the specified credentials and configured LDAP-UX authenti‐
       cation method.

       If  the	above mentioned environment variables have not been specified,
       then will determine if the configured credential type is "proxy" and if
       so,  attempt to bind to the directory server using the configured LDAP-
       UX proxy credential.

       If configured, the acred proxy credential will be used for  administra‐
       tive users (determined if the user running has enough privilege to read
       the file).  Otherwise the credential configured in will be used.

       Note:  to prevent discovery of the  LDAP	 administrator's  credentials,
       the  LDAP  user	DN  and	 password may not be specified as command-line
       options to the utility.

   Security Considerations
       ·  Use of requires permissions of an LDAP administrator	when  it  per‐
	  forms	 its operations on the directory server.  The rights to delete
	  or modify existing LDAP directory entries under the  requested  sub‐
	  tree,	 along	with  removal of the required attributes in that entry
	  must be granted to the administrator identity that is specified when
	  executing

       ·  As would occur in any identity repository, modification of this
	  repository will likely have impacts as defined by the organization's
	  security policy.  Users of ldapugdel are expected to have full knowledge
	  of the organization's security policy and the impact of deleting
	  identity information from that identity repository.

       ·  Removal  of  a  POSIX	 account  will	not  automatically remove that
	  account's membership in groups, unless that capability is  intrinsi‐
	  cally provided by the directory server.

	  Note	some  directory	 servers  have	a  feature called "referential
	  integrity"  which  does  perform  modification/removal  of   DN-type
	  attributes if the specified DN is either changed or removed.

       ·  Never use as part of a modification process on a user or group entry
	  (deleting and re-adding the entry as a method used  to  modify  that
	  entry.)  User and group entries in an LDAP directory will often con‐
	  tain information about the user or group that is outside  the	 POSIX
	  information  model.  Deleting and re-adding an entry will delete all
	  information about the user or group.	When the  entry	 is  re-added,
	  recovery of the non-POSIX information may not be possible.

       ·  In  order  to support non-interactive use of the command, specifica‐
	  tion of the LDAP administrator's credentials is required through use
	  of  the  and	environment  variables.	  To prevent exposure of these
	  environment variables, they should be unset after use.

	  Note also that shells(4) command history log may contain  copies  of
	  the  executed commands that show setting of these variables.	Access
	  to a shell's history file must be protected.	Specification  of  the
	  LDAP	administrator's credentials on the command line is not allowed
	  since information about  the	currently  running  processes  can  be
	  exposed externally from the session.

	  Use  of  the	eliminates  the	 need to set the mentioned environment
	  variables by interactively prompting for the required credentials.
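
An added example (not part of the original man page): a check for the group-membership point above. It scans an LDIF export of group entries for values that still refer to a removed account, either by memberUid or by a DN-type member attribute. The function names and the sample data are constructed; the LDIF is assumed to be unfolded and without base64 values.

```sh
# Constructed sample LDIF (not from a real directory); unfolded, no base64 values.
sample_groups() {
cat <<'EOF'
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 2001
memberUid: alice
memberUid: bob

dn: cn=ops,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 2002
memberUid: bob
member: uid=alice,ou=People,dc=example,dc=com

dn: cn=dev,ou=Groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 2003
memberUid: carol
EOF
}

# stale_memberships UID DN   (group entries as LDIF on stdin)
# Prints "<attribute> <group DN>" for every value that still refers to the
# removed account: memberUid equal to UID (exact match), or member /
# uniqueMember equal to DN (compared case-insensitively, a simplification).
stale_memberships() {
    awk -v uid="$1" -v dn="$2" '
        BEGIN { RS = ""; FS = "\n"; ldn = tolower(dn) }
        {
            entry = ""; n = 0
            for (i = 1; i <= NF; i++) {
                p = index($i, ": "); if (p == 0) continue
                name = tolower(substr($i, 1, p - 1)); val = substr($i, p + 2)
                if (name == "dn") entry = val
                else if (name == "memberuid" && val == uid) hit[++n] = "memberUid"
                else if ((name == "member" || name == "uniquemember") && ldn != "" && tolower(val) == ldn)
                    hit[++n] = name
            }
            for (j = 1; j <= n; j++) print hit[j], entry
        }'
}
```

Any line printed is a membership that outlives the account and would be inherited by a later account created with the same name.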

LDAP-UX PROFILE
       ldapugdel makes use of the LDAP-UX configuration profile to determine the
       information model used in the directory server to store POSIX attributes.
       Please refer to the for additional information about the	 configuration
       profile.

RETURN VALUE
       Upon exit, ldapugdel returns the following:

	 0     Success.  ldapugdel exits with no errors or with one or more warnings.

       <>0     ldapugdel returns with a non-zero exit status if it encounters an error,
	       and messages will be logged to stderr.

	       Messages will follow the below format:

	       code
			      message

	       or

	       code
			      message

	       Leading extra white space may be inserted to improve  readabil‐
	       ity and follow 80 column screen formatting.

	       code	 will be a programmatically parsable error key-string,
			 while

	       message	 will be human-readable.  Refer to the for a  list  of
			 possible  error  codes generated by the LDAP user and
			 group management tools.

EXTERNAL INFLUENCES
   Environment Variables
       Specifies the DN of a user with sufficient directory  server  privilege
       to delete users and/or groups in the LDAP directory server.  While this
       variable is optional, if is specified, must also be specified.

       A password or other type of credential used for the user	 specified  by
       the
	      While  this  variable is optional, if is specified, must also be
	      specified.

       Refer to for important security impacts when  these  environment	 vari‐
       ables are used.
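
An added example (not part of the original man page): one way to follow the non-interactive guidance under Security Considerations, so that the credential is never typed into a command, never appears in a process argument list, and never remains exported in the calling shell. The wrapper name is hypothetical, and the two environment variable names are passed in as parameters rather than hard-coded.

```sh
# with_bind_env DN_VAR CRED_VAR BIND_DN CRED_FILE COMMAND [ARG...]
#   DN_VAR, CRED_VAR  names of the two bind environment variables (parameters
#                     here; take the real names from the tool's documentation)
#   CRED_FILE         file whose first line is the bind credential
with_bind_env() {
    [ $# -ge 5 ] || { echo "usage: with_bind_env DN_VAR CRED_VAR BIND_DN CRED_FILE COMMAND..." >&2; return 2; }
    dn_var=$1; cred_var=$2; bind_dn=$3; cred_file=$4
    shift 4
    for v in "$dn_var" "$cred_var"; do
        case $v in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad variable name: $v" >&2; return 2 ;;
        esac
    done
    # Refuse a credential file that group or other can access in any way.
    mode=$(ls -ld "$cred_file" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$cred_file: group/other access not allowed" >&2; return 2; }
    cred=""
    IFS= read -r cred < "$cred_file" || :
    [ -n "$cred" ] || { echo "$cred_file: empty credential" >&2; return 2; }
    # export is a shell builtin, so the credential never appears in any argv.
    # The exports live only in this subshell and the command it becomes, so
    # the calling shell has nothing left to unset afterwards.
    ( export "$dn_var=$bind_dn" "$cred_var=$cred"; exec "$@" )
    rc=$?
    unset cred bind_dn
    return "$rc"
}
```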

LIMITATIONS
       ·  Since LDAP directories require data be stored according to the UTF-8
	  (RFC3629) character encoding method, all characters provided to  are
	  assumed  to  be UTF-8 and part of the ISO-10646 character set.  will
	  not perform conversion of the locale character set to/from the UTF-8
	  character set.

       ·  Refer	 to limitations described under above in reference to interop‐
	  erability with Microsoft Services for Unix.

SEE ALSO
       ldapcfinfo(1M),	ldapugadd(1M),	ldapuglist(1M),	 ldapugmod(1M),	  lda‐
       pux(5).

								 ldapugdel(1M)