.\" Copyright (C) 2002, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH LDAPADDENT 1M "May 4, 2009"
ldapaddent \- create LDAP entries from corresponding /etc files
\fBldapaddent\fR [\fB-cpv\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-b\fR \fIbaseDN\fR]
\fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] [\fB-f\fR \fIfilename\fR]
\fBldapaddent\fR [\fB-cpv\fR] \fB-a\fR sasl/GSSAPI [\fB-b\fR \fIbaseDN\fR] [\fB-f\fR \fIfilename\fR]
\fBldapaddent\fR \fB-d\fR [\fB-v\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-D\fR \fIbindDN\fR]
[\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR
\fBldapaddent\fR [\fB-cpv\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
[\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
[\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-f\fR \fIfilename\fR]
[\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR
\fBldapaddent\fR [\fB-cpv\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
[\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
[\fB-b\fR \fIbaseDN\fR] [\fB-f\fR \fIfilename\fR] \fIdatabase\fR
\fBldapaddent\fR \fB-d\fR [\fB-v\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
[\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
[\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR]
\fBldapaddent\fR creates entries in LDAP containers from their corresponding
\fB/etc\fR files. This operation is customized for each of the standard
containers that are used in the administration of Solaris systems. The
\fIdatabase\fR argument specifies the type of the data being processed. Legal
values for this type are one of \fBaliases\fR, \fBauto_*\fR, \fBbootparams\fR,
\fBethers\fR, \fBgroup\fR, \fBhosts\fR (including both IPv4 and IPv6
addresses), \fBipnodes\fR (alias for \fBhosts\fR), \fBnetgroup\fR,
\fBnetmasks\fR, \fBnetworks\fR, \fBpasswd\fR, \fBshadow\fR, \fBprotocols\fR,
\fBpublickey\fR, \fBrpc\fR, and \fBservices\fR. In addition to the preceding,
the \fIdatabase\fR argument can be one of the RBAC-related files (see
\fB/etc/security/auth_attr\fR
\fB/etc/security/prof_attr\fR
\fB/etc/security/exec_attr\fR
By default, \fBldapaddent\fR reads from the standard input and adds this data
to the LDAP container associated with the database specified on the command
line. An input file from which data can be read is specified using the \fB-f\fR
If you specify the \fB-h\fR option, \fBldapaddent\fR establishes a connection
to the server indicated by the option in order to obtain a \fBDUAProfile\fR
specified by the \fB-N\fR option. The entries will be stored in the directory
described by the configuration obtained.
By default (if the \fB-h\fR option is not specified), entries will be stored in
the directory based on the client's configuration. To use the utility in the
default mode, the Solaris LDAP client must be set up in advance.
The location where entries are to be written can be overridden by using the
If the entry to be added exists in the directory, the command displays an error
and exits, unless the \fB-c\fR option is used.
Although there is a \fBshadow\fR database type, there is no corresponding
\fBshadow\fR container. Both the \fBshadow\fR and the \fBpasswd\fR data are
stored in the \fBpeople\fR container itself. Similarly, data from the
\fBnetworks\fR and \fBnetmasks\fR databases are stored in the \fBnetworks\fR
The \fBuser_attr\fR and \fBaudit_user\fR data is stored by default in the
\fBpeople\fR container. The \fBprof_attr\fR and \fBexec_attr\fR data is stored
by default in the \fBSolarisProfAttr\fR container.
You must add entries from the \fBpasswd\fR database before you attempt to add
entries from the \fBshadow\fR database. The addition of a \fBshadow\fR entry
that does not have a corresponding \fBpasswd\fR entry will fail.
The \fBpasswd\fR database must precede both the \fBuser_attr\fR and
\fBaudit_user\fR databases.
For better performance, the recommended order in which the databases should be
loaded is as follows:
\fBpasswd\fR database followed by \fBshadow\fR database
\fBnetworks\fR database followed by \fBnetmasks\fR database
\fBbootparams\fR database followed by \fBethers\fR database
Only the first entry of a given type that is encountered will be added to the
LDAP server. The \fBldapaddent\fR command skips any duplicate entries.
The \fBldapaddent\fR command supports the following options:
\fB\fB-a\fR \fIauthenticationMethod\fR\fR
Specify authentication method. The default value is what has been configured in
the profile. The supported authentication methods are:
\fBsasl/DIGEST-MD5\fR
\fBtls:sasl/CRAM-MD5\fR
\fBtls:sasl/DIGEST-MD5\fR
Selecting \fBsimple\fR causes passwords to be sent over the network in clear
text. Its use is strongly discouraged. Additionally, if the client is
configured with a profile which uses no authentication, that is, either the
\fBcredentialLevel\fR attribute is set to \fBanonymous\fR or
\fBauthenticationMethod\fR is set to \fBnone\fR, the user must use this option
to provide an authentication method. If the authentication method is
\fBsasl/GSSAPI\fR, \fIbindDN\fR and \fIbindPassword\fR are not required and the
\fBhosts\fR and \fBipnodes\fR fields of \fB/etc/nsswitch.conf\fR must be
See \fBnsswitch.conf\fR(4).
\fB\fB-b\fR\ \fIbaseDN\fR\fR
Create entries in the \fIbaseDN\fR directory. \fIbaseDN\fR is not relative to
the client's default search base, but rather, it is the actual location where
the entries will be created. If this parameter is not specified, the first
search descriptor defined for the service or the default container will be
Continue adding entries to the directory even after an error. Entries will not
be added if the directory server is not responding or if there is an
authentication problem.
\fB\fB-D\fR\ \fIbindDN\fR\fR
Create an entry which has write permission to the \fIbaseDN\fR. When used with
\fB-d\fR option, this entry only needs read permission.
Dump the LDAP container to the standard output in the appropriate format for
\fB\fB-f\fR \fIfilename\fR\fR
Indicates input file to read in an \fB/etc/\fR file format.
\fB\fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR]\fR
Specify an address (or a name) and an optional port of the LDAP server in which
the entries will be stored. The current naming service specified in the
\fBnsswitch.conf\fR file is used. The default value for the port is \fB389\fR,
except when TLS is specified as the authentication method. In this case, the
default LDAP server port number is \fB636\fR.
\fB\fB-j\fR\ \fIpasswdFile\fR\fR
Specify a file containing the password for the bind DN or the password for the
SSL client's key database. To protect the password, use this option in scripts
and place the password in a secure file. This option is mutually exclusive of
\fB\fB-M\fR\ \fIdomainName\fR\fR
The name of a domain served by the specified server. If not specified, the
default domain name will be used.
\fB\fB-N\fR\ \fIprofileName\fR\fR
Specify the \fBDUAProfile\fR name. A profile with such a name is supposed to
exist on the server specified by \fB-h\fR option. Otherwise, a default
\fBDUAProfile\fR will be used. The default value is \fBdefault\fR.
\fB\fB-P\fR\ \fIcertifPath\fR\fR
The certificate path for the location of the certificate database. The value is
the path where security database files reside. This is used for TLS support,
which is specified in the \fBauthenticationMethod\fR and
\fBserviceAuthenticationMethod\fR attributes. The default is \fB/var/ldap\fR.
Process the \fBpassword\fR field when loading password information from a file.
By default, the \fBpassword\fR field is ignored because it is usually not
valid, as the actual password appears in a \fBshadow\fR file.
\fB\fB-w\fR\ \fIbindPassword\fR\fR
Password to be used for authenticating the \fIbindDN\fR. If this parameter is
missing, the command will prompt for a password. \fBNULL\fR passwords are not
When you use \fB-w\fR\ \fIbindPassword\fR to specify the password to be used
for authentication, the password is visible to other users of the system by
means of the \fBps\fR command, in script files or in shell history.
If you supply "\fB-\fR" (hyphen) as a password, you will be prompted to enter a
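The following script is an added example and is not part of this man page or of Solaris. It ties together two points made above: the recommended load order (\fBpasswd\fR before \fBshadow\fR, \fBnetworks\fR before \fBnetmasks\fR, \fBbootparams\fR before \fBethers\fR) and the advice to pass the bind password through a protected file with \fB-j\fR rather than on the command line with \fB-w\fR, where \fBps\fR and shell history expose it. The settings \fBBIND_DN\fR, \fBETC_DIR\fR, \fBPASSWD_FILE\fR, \fBLDAPADDENT\fR and \fBEXTRA_OPTS\fR, the default path \fB/var/tmp/ldapaddent.pw\fR and the \fBstub\fR dry-run hook are assumptions of the example, not ldapaddent options.

```shell
#!/bin/sh
# Added example, not part of the ldapaddent(1M) man page or of Solaris.
# Loads the /etc databases into LDAP in the order the DESCRIPTION recommends
# and passes the bind password through a mode-0600 file with -j, so that it
# never appears in ps output or shell history the way -w does.
# Settings come from the environment; every default below is an assumption
# of this example (BIND_DN, ETC_DIR, PASSWD_FILE, LDAPADDENT, EXTRA_OPTS).

# Recommended order: passwd before shadow; networks before netmasks;
# bootparams before ethers. The remaining databases carry no ordering
# constraint on this page and are simply listed afterwards.
ordered_databases() {
    printf '%s\n' passwd shadow networks netmasks bootparams ethers \
        group hosts netgroup protocols rpc services aliases publickey \
        auth_attr prof_attr exec_attr
}

# Map a database name to the file it is read from: the RBAC databases
# shown on this page live under /etc/security, the rest directly under /etc.
source_file() {
    case $1 in
        auth_attr|prof_attr|exec_attr) printf '%s\n' "${ETC_DIR:-/etc}/security/$1" ;;
        *) printf '%s\n' "${ETC_DIR:-/etc}/$1" ;;
    esac
}

# Create the -j password file fresh with mode 0600: umask 077 applies to the
# new file, and any stale copy is removed so old permissions cannot survive.
write_passwd_file() {
    file=$1 secret=$2
    (umask 077 && rm -f "$file" && printf '%s\n' "$secret" > "$file")
}

# Succeed only if the password file is readable by its owner alone.
check_passwd_file() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Run ldapaddent once per database, in order, stopping at the first failure.
# Put -c in EXTRA_OPTS to keep going past entries that already exist, which
# ldapaddent otherwise reports as an error and exits on.
load_all() {
    pw=${PASSWD_FILE:-/var/tmp/ldapaddent.pw}
    check_passwd_file "$pw" || { echo "$pw must be mode 0600" >&2; return 1; }
    for db in $(ordered_databases); do
        src=$(source_file "$db")
        [ -r "$src" ] || { echo "skipping $db: $src not readable" >&2; continue; }
        "${LDAPADDENT:-ldapaddent}" $EXTRA_OPTS -D "${BIND_DN:-cn=directory manager}" \
            -j "$pw" -f "$src" "$db" || return 1
    done
}

# Usage: sh load_ldap.sh run   (without "run" the file only defines functions)
if [ "${1:-}" = run ]; then
    load_all
fi
```

Pointing \fBLDAPADDENT\fR at a shell function that only echoes its arguments gives a dry run that shows the exact order and options without touching the directory; \fBcheck_passwd_file\fR deliberately refuses a file that is group- or world-readable, since such a file leaks the bind password just as surely as \fB-w\fR does.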
The following operands are supported:
The name of the database or service name. Supported values are: \fBaliases\fR,
\fBauto_*\fR, \fBbootparams\fR, \fBethers\fR, \fBgroup\fR, \fBhosts\fR
(including IPv6 addresses), \fBnetgroup\fR, \fBnetmasks\fR, \fBnetworks\fR,
\fBpasswd\fR, \fBshadow\fR, \fBprotocols\fR, \fBpublickey\fR, \fBrpc\fR, and
\fBservices\fR. Also supported are \fBauth_attr\fR, \fBprof_attr\fR,
\fBexec_attr\fR, \fBuser_attr\fR, and \fBprojects\fR.
\fBExample 1 \fRAdding Password Entries to the Directory Server
The following example shows how to add password entries to the directory
example# \fBldapaddent -D "cn=directory manager" -w secret \e
-f /etc/passwd passwd\fR
\fBExample 2 \fRAdding Group Entries
The following example shows how to add \fBgroup\fR entries to the directory
server using \fBsasl/CRAM-MD5\fR as the authentication method:
example# \fBldapaddent -D "cn=directory manager" -w secret \e
-a "sasl/CRAM-MD5" -f /etc/group group\fR
\fBExample 3 \fRAdding \fBauto_master\fR Entries
The following example shows how to add \fBauto_master\fR entries to the
example# \fBldapaddent -D "cn=directory manager" -w secret \e
-f /etc/auto_master auto_master\fR
\fBExample 4 \fRDumping \fBpasswd\fR Entries from the Directory to File
The following example shows how to dump \fBpassword\fR entries from the
directory to a file \fBfoo\fR:
example# \fBldapaddent -d passwd > foo\fR
\fBExample 5 \fRAdding Password Entries to a Specific Directory Server
The following example shows how to add password entries to a directory server
example# \fBldapaddent -h 10.10.10.10:3890 \e
-M another.domain.name -N special_duaprofile \e
-D "cn=directory manager" -w secret \e
-f /etc/passwd passwd\fR
The following exit values are returned:
Successful completion.
\fB\fB/var/ldap/ldap_client_file\fR\fR
\fB\fB/var/ldap/ldap_client_cred\fR\fR
Files containing the LDAP configuration of the client. These files are not to
be modified manually. Their content is not guaranteed to be human readable. Use
\fBldapclient\fR(1M) to update these files.
See \fBattributes\fR(5) for descriptions of the following attributes:
ATTRIBUTE TYPE	ATTRIBUTE VALUE
Interface Stability	Committed
\fBldap\fR(1), \fBldaplist\fR(1), \fBldapmodify\fR(1), \fBldapmodrdn\fR(1),
\fBldapsearch\fR(1), \fBidsconfig\fR(1M), \fBldapclient\fR(1M),
\fBsuninstall\fR(1M), \fBnsswitch.conf\fR(4), \fBattributes\fR(5)
Currently StartTLS is not supported by \fBlibldap.so.5\fR, therefore the port
number provided refers to the port used during a TLS open, rather than the port
used as part of a StartTLS sequence. For example:
-h foo:1000 -a tls:simple
The preceding refers to a raw TLS open on host \fBfoo\fR port 1000, not an
open, StartTLS sequence on an unsecured port 1000. If port 1000 is unsecured
the connection will not be made.