6253 F_GETLK doesn't always return lock owner

[illumos-gate.git] / usr / src / man / man1m / ldapaddent.1m

'\" te
.\" Copyright (C) 2002, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH LDAPADDENT 1M "May 4, 2009"
.SH NAME
ldapaddent \- create LDAP entries from corresponding /etc files
.SH SYNOPSIS
.LP
.nf
\fBldapaddent\fR [\fB-cpv\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-b\fR \fIbaseDN\fR]
     \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] [\fB-f\fR \fIfilename\fR]
     \fIdatabase\fR
.fi

.LP
.nf
\fBldapaddent\fR [\fB-cpv\fR] \fB-a\fR sasl/GSSAPI [\fB-b\fR \fIbaseDN\fR] [\fB-f\fR \fIfilename\fR]
     \fIdatabase\fR
.fi

.LP
.nf
\fBldapaddent\fR \fB-d\fR [\fB-v\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-D\fR \fIbindDN\fR]
     [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR
.fi

.LP
.nf
\fBldapaddent\fR [\fB-cpv\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
     [\fB-N\fR \fIprofileName\fR]  [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
     [\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-f\fR \fIfilename\fR]
     [\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR
.fi

.LP
.nf
\fBldapaddent\fR [\fB-cpv\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
     [\fB-N\fR \fIprofileName\fR]  [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
     [\fB-b\fR \fIbaseDN\fR] [\fB-f\fR \fIfilename\fR] \fIdatabase\fR
.fi

.LP
.nf
\fBldapaddent\fR \fB-d\fR [\fB-v\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
     [\fB-N\fR \fIprofileName\fR]  [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
     [\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR]
     \fIdatabase\fR
.fi

.SH DESCRIPTION
.sp
.LP
\fBldapaddent\fR creates entries in LDAP containers from their corresponding
\fB/etc\fR files. This operation is customized for each of the standard
containers that are used in the administration of Solaris systems. The
\fIdatabase\fR argument specifies the type of the data being processed. Legal
values for this type are one of \fBaliases\fR, \fBauto_*\fR, \fBbootparams\fR,
\fBethers\fR, \fBgroup\fR, \fBhosts\fR (including both IPv4 and IPv6
addresses), \fBipnodes\fR (alias for \fBhosts\fR), \fBnetgroup\fR,
\fBnetmasks\fR, \fBnetworks\fR, \fBpasswd\fR, \fBshadow\fR, \fBprotocols\fR,
\fBpublickey\fR, \fBrpc\fR, and \fBservices\fR. In addition to the preceding,
the \fIdatabase\fR argument can be one of the RBAC-related files (see
\fBrbac\fR(5)):
.RS +4
.TP
.ie t \(bu
.el o
\fB/etc/user_attr\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB/etc/security/auth_attr\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB/etc/security/prof_attr\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB/etc/security/exec_attr\fR
.RE
.sp
.LP
By default, \fBldapaddent\fR reads from the standard input and adds this data
to the LDAP container associated with the database specified on the command
line. An input file from which data can be read is specified using the \fB-f\fR
option.
.sp
.LP
If you specify the \fB-h\fR option, \fBldapaddent\fR establishes a connection
to the server indicated by the option in order to obtain a \fBDUAProfile\fR
specified by the \fB-N\fR option. The entries will be stored in the directory
described by the configuration obtained.
.sp
.LP
By default (if the \fB-h\fR option is not specified), entries will be stored in
the directory based on the client's configuration. To use the utility in the
default mode, the Solaris LDAP client must be set up in advance.
.sp
.LP
The location where entries are to be written can be overridden by using the
\fB-b\fR option.
.sp
.LP
If the entry to be added exists in the directory, the command displays an error
and exits, unless the \fB-c\fR option is used.
.sp
.LP
Although, there is a \fBshadow\fR database type, there is no corresponding
\fBshadow\fR container. Both the \fBshadow\fR and the \fBpasswd\fR data is
stored in the \fBpeople\fR container itself. Similarly, data from
\fBnetworks\fR and \fBnetmasks\fR databases are stored in the \fBnetworks\fR
container.
.sp
.LP
The \fBuser_attr\fR and \fBaudit_user\fR data is stored by default in the
\fBpeople\fR container. The \fBprof_attr\fR and \fBexec_attr\fR data is stored
by default in the \fBSolarisProfAttr\fR container.
.sp
.LP
You must add entries from the \fBpasswd\fR database before you attempt to add
entries from the \fBshadow\fR database. The addition of a \fBshadow\fR entry
that does not have a corresponding \fBpasswd\fR entry will fail.
.sp
.LP
The \fBpasswd\fR database must precede both the \fBuser_attr\fR and
\fBaudit_user\fR databases.
.sp
.LP
For better performance, the recommended order in which the databases should be
loaded is as follows:
.RS +4
.TP
.ie t \(bu
.el o
\fBpasswd\fR database followed by \fBshadow\fR database
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBnetworks\fR database followed by \fBnetmasks\fR database
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBbootparams\fR database followed by \fBethers\fR database
.RE
.sp
.LP
Only the first entry of a given type that is encountered will be added to the
LDAP server. The \fBldapaddent\fR command skips any duplicate entries.
.SH OPTIONS
.sp
.LP
The \fBldapaddent\fR command supports the following options:
.sp
.ne 2
.na
\fB\fB-a\fR \fIauthenticationMethod\fR\fR
.ad
.sp .6
.RS 4n
Specify authentication method. The default value is what has been configured in
the profile. The supported authentication methods are:
.RS +4
.TP
.ie t \(bu
.el o
\fBsimple\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBsasl/CRAM-MD5\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBsasl/DIGEST-MD5\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBsasl/GSSAPI\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBtls:simple\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBtls:sasl/CRAM-MD5\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fBtls:sasl/DIGEST-MD5\fR
.RE
Selecting \fBsimple\fR causes passwords to be sent over the network in clear
text. Its use is strongly discouraged. Additionally, if the client is
configured with a profile which uses no authentication, that is, either the
\fBcredentialLevel\fR attribute is set to \fBanonymous\fR or
\fBauthenticationMethod\fR is set to \fBnone\fR, the user must use this option
to provide an authentication method. If the authentication method is
\fBsasl/GSSAPI\fR, \fIbindDN\fR and \fIbindPassword\fR is not required and the
\fBhosts\fR and \fBipnodes\fR fields of \fB/etc/nsswitch.conf\fR must be
configured as:
.sp
.in +2
.nf
hosts: dns files
ipnodes: dns files
.fi
.in -2

See \fBnsswitch.conf\fR(4).
.RE

.sp
.ne 2
.na
\fB\fB-b\fR\ \fIbaseDN\fR\fR
.ad
.sp .6
.RS 4n
Create entries in the \fIbaseDN\fR directory. \fIbaseDN\fR is not relative to
the client's default search base, but rather. it is the actual location where
the entries will be created. If this parameter is not specified, the first
search descriptor defined for the service or the default container will be
used.
.RE

.sp
.ne 2
.na
\fB\fB-c\fR\fR
.ad
.sp .6
.RS 4n
Continue adding entries to the directory even after an error. Entries will not
be added if the directory server is not responding or if there is an
authentication problem.
.RE

.sp
.ne 2
.na
\fB\fB-D\fR\ \fIbindDN\fR\fR
.ad
.sp .6
.RS 4n
Create an entry which has write permission to the \fIbaseDN\fR. When used with
\fB-d\fR option, this entry only needs read permission.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR\fR
.ad
.sp .6
.RS 4n
Dump the LDAP container to the standard output in the appropriate format for
the given database.
.RE

.sp
.ne 2
.na
\fB\fB-f\fR \fIfilename\fR\fR
.ad
.sp .6
.RS 4n
Indicates input file to read in an \fB/etc/\fR file format.
.RE

.sp
.ne 2
.na
\fB\fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR]\fR
.ad
.sp .6
.RS 4n
Specify an address (or a name) and an optional port of the LDAP server in which
the entries will be stored. The current naming service specified in the
\fBnsswitch.conf\fR file is used. The default value for the port is \fB389\fR,
except when TLS is specified as the authentication method. In this case, the
default LDAP server port number is \fB636\fR.
.RE

.sp
.ne 2
.na
\fB\fB-j\fR\ \fIpasswdFile\fR\fR
.ad
.sp .6
.RS 4n
Specify a file containing the password for the bind DN or the password for the
SSL client's key database. To protect the password, use this option in scripts
and place the password in a secure file. This option is mutually exclusive of
the \fB-w\fR option.
.RE

.sp
.ne 2
.na
\fB\fB-M\fR\ \fIdomainName\fR\fR
.ad
.sp .6
.RS 4n
The name of a domain served by the specified server. If not specified, the
default domain name will be used.
.RE

.sp
.ne 2
.na
\fB\fB-N\fR\ \fIprofileName\fR\fR
.ad
.sp .6
.RS 4n
Specify the \fBDUAProfile\fR name. A profile with such a name is supposed to
exist on the server specified by \fB-h\fR option. Otherwise, a default
\fBDUAProfile\fR will be used. The default value is \fBdefault\fR.
.RE

.sp
.ne 2
.na
\fB\fB-P\fR\ \fIcertifPath\fR\fR
.ad
.sp .6
.RS 4n
The certificate path for the location of the certificate database. The value is
the path where security database files reside. This is used for TLS support,
which is specified in the \fBauthenticationMethod\fR and
\fBserviceAuthenticationMethod\fR attributes. The default is \fB/var/ldap\fR.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR\fR
.ad
.sp .6
.RS 4n
Process the \fBpassword\fR field when loading password information from a file.
By default, the \fBpassword\fR field is ignored because it is usually not
valid, as the actual password appears in a \fBshadow\fR file.
.RE

.sp
.ne 2
.na
\fB\fB-w\fR\ \fIbindPassword\fR\fR
.ad
.sp .6
.RS 4n
Password to be used for authenticating the \fIbindDN\fR. If this parameter is
missing, the command will prompt for a password. \fBNULL\fR passwords are not
supported in LDAP.
.sp
When you use \fB-w\fR\ \fIbindPassword\fR to specify the password to be used
for authentication, the password is visible to other users of the system by
means of the \fBps\fR command, in script files or in shell history.
.sp
If you supply "\fB-\fR" (hyphen) as a password, you will be prompted to enter a
password.
.RE

.sp
.ne 2
.na
\fB\fB-v\fR\fR
.ad
.sp .6
.RS 4n
Verbose.
.RE

.SH OPERANDS
.sp
.LP
The following operands are supported:
.sp
.ne 2
.na
\fB\fIdatabase\fR\fR
.ad
.sp .6
.RS 4n
The name of the database or service name. Supported values are: \fBaliases\fR,
\fBauto_*\fR, \fBbootparams\fR, \fBethers\fR, \fBgroup\fR, \fBhosts\fR
(including IPv6 addresses), \fBnetgroup\fR, \fBnetmasks\fR, \fBnetworks\fR,
\fBpasswd\fR, \fBshadow\fR, \fBprotocols\fR, \fBpublickey\fR, \fBrpc\fR, and
\fBservices\fR. Also supported are \fBauth_attr\fR, \fBprof_attr\fR,
\fBexec_attr\fR, \fBuser_attr\fR, and \fBprojects\fR.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRAdding Password Entries to the Directory Server
.sp
.LP
The following example shows how to add password entries to the directory
server:

.sp
.in +2
.nf
example# \fBldapaddent -D "cn=directory manager" -w secret \e
      -f /etc/passwd passwd\fR
.fi
.in -2
.sp

.LP
\fBExample 2 \fRAdding Group Entries
.sp
.LP
The following example shows how to add \fBgroup\fR entries to the directory
server using \fBsasl/CRAM-MD5\fR as the authentication method:

.sp
.in +2
.nf
example# \fBldapaddent -D "cn=directory manager" -w secret \e
     -a "sasl/CRAM-MD5" -f /etc/group group\fR
.fi
.in -2
.sp

.LP
\fBExample 3 \fRAdding \fBauto_master\fR Entries
.sp
.LP
The following example shows how to add \fBauto_master\fR entries to the
directory server:

.sp
.in +2
.nf
example# \fBldapaddent -D "cn=directory manager" -w secret \e
     -f /etc/auto_master auto_master\fR
.fi
.in -2
.sp

.LP
\fBExample 4 \fRDumping \fBpasswd\fR Entries from the Directory to File
.sp
.LP
The following example shows how to dump \fBpassword\fR entries from the
directory to a file \fBfoo\fR:

.sp
.in +2
.nf
example# \fBldapaddent -d passwd > foo\fR
.fi
.in -2
.sp

.LP
\fBExample 5 \fRAdding Password Entries to a Specific Directory Server
.sp
.LP
The following example shows how to add password entries to a directory server
that you specify:

.sp
.in +2
.nf
example# \fBldapaddent -h 10.10.10.10:3890 \e
-M another.domain.name -N special_duaprofile \e
-D "cn=directory manager" -w secret \e
-f /etc/passwd passwd\fR
.fi
.in -2
.sp

.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Successful completion.
.RE

.sp
.ne 2
.na
\fB>\fB0\fR\fR
.ad
.sp .6
.RS 4n
An error occurred.
.RE

.SH FILES
.sp
.ne 2
.na
\fB\fB/var/ldap/ldap_client_file\fR\fR
.ad
.br
.na
\fB\fB/var/ldap/ldap_client_cred\fR\fR
.ad
.sp .6
.RS 4n
Files containing the LDAP configuration of the client. These files are not to
be modified manually. Their content is not guaranteed to be human readable. Use
\fBldapclient\fR(1M) to update these files.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE  ATTRIBUTE VALUE
_
Interface Stability     Committed
.TE

.SH SEE ALSO
.sp
.LP
\fBldap\fR(1), \fBldaplist\fR(1), \fBldapmodify\fR(1), \fBldapmodrdn\fR(1),
\fBldapsearch\fR(1), \fBidsconfig\fR(1M), \fBldapclient\fR(1M),
\fBsuninstall\fR(1M), \fBnsswitch.conf\fR(4), \fBattributes\fR(5)
.sp
.LP
\fI\fR
.SH CAUTION
.sp
.LP
Currently StartTLS is not supported by \fBlibldap.so.5\fR, therefore the port
number provided refers to the port used during a TLS open, rather than the port
used as part of a StartTLS sequence. For example:
.sp
.in +2
.nf
-h foo:1000 -a tls:simple
.fi
.in -2
.sp

.sp
.LP
The preceding refers to a raw TLS open on host \fBfoo\fR port 1000, not an
open, StartTLS sequence on an unsecured port 1000. If port 1000 is unsecured
the connection will not be made.