.\" Copyright (C) 2002, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH LDAPADDENT 8 "May 13, 2017"
.SH NAME
ldapaddent \- create LDAP entries from corresponding /etc files
.SH SYNOPSIS
.LP
.nf
\fBldapaddent\fR [\fB-cpv\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-b\fR \fIbaseDN\fR]
     \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] [\fB-f\fR \fIfilename\fR]
.fi
.LP
.nf
\fBldapaddent\fR [\fB-cpv\fR] \fB-a\fR sasl/GSSAPI [\fB-b\fR \fIbaseDN\fR] [\fB-f\fR \fIfilename\fR]
.fi
.LP
.nf
\fBldapaddent\fR \fB-d\fR [\fB-v\fR] [\fB-a\fR \fIauthenticationMethod\fR] [\fB-D\fR \fIbindDN\fR]
     [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR
.fi
.LP
.nf
\fBldapaddent\fR [\fB-cpv\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
     [\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
     [\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-f\fR \fIfilename\fR]
     [\fB-j\fR \fIpasswdFile\fR] \fIdatabase\fR
.fi
.LP
.nf
\fBldapaddent\fR [\fB-cpv\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
     [\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
     [\fB-b\fR \fIbaseDN\fR] [\fB-f\fR \fIfilename\fR] \fIdatabase\fR
.fi
.LP
.nf
\fBldapaddent\fR \fB-d\fR [\fB-v\fR] \fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR] [\fB-M\fR \fIdomainName\fR]
     [\fB-N\fR \fIprofileName\fR] [\fB-P\fR \fIcertifPath\fR] [\fB-a\fR \fIauthenticationMethod\fR]
     [\fB-b\fR \fIbaseDN\fR] \fB-D\fR \fIbindDN\fR [\fB-w\fR \fIbind_password\fR] [\fB-j\fR \fIpasswdFile\fR]
.fi
.SH DESCRIPTION
.LP
\fBldapaddent\fR creates entries in LDAP containers from their corresponding
\fB/etc\fR files. This operation is customized for each of the standard
containers that are used in the administration of Solaris systems. The
\fIdatabase\fR argument specifies the type of the data being processed. Legal
values for this type are \fBaliases\fR, \fBauto_*\fR, \fBbootparams\fR,
\fBethers\fR, \fBgroup\fR, \fBhosts\fR (including both IPv4 and IPv6
addresses), \fBipnodes\fR (alias for \fBhosts\fR), \fBnetgroup\fR,
\fBnetmasks\fR, \fBnetworks\fR, \fBpasswd\fR, \fBshadow\fR, \fBprotocols\fR,
\fBpublickey\fR, \fBrpc\fR, and \fBservices\fR. In addition to the preceding,
the \fIdatabase\fR argument can be one of the RBAC-related files (see
.sp
.in +2
\fB/etc/security/auth_attr\fR
.sp
\fB/etc/security/prof_attr\fR
.sp
\fB/etc/security/exec_attr\fR
.in -2
.sp
.LP
By default, \fBldapaddent\fR reads from the standard input and adds this data
to the LDAP container associated with the database specified on the command
line. An input file from which data can be read is specified using the \fB-f\fR
.sp
.LP
If you specify the \fB-h\fR option, \fBldapaddent\fR establishes a connection
to the server indicated by the option in order to obtain a \fBDUAProfile\fR
specified by the \fB-N\fR option. The entries will be stored in the directory
described by the configuration obtained.
.sp
.LP
By default (if the \fB-h\fR option is not specified), entries will be stored in
the directory based on the client's configuration. To use the utility in the
default mode, the Solaris LDAP client must be set up in advance.
.sp
.LP
The location where entries are to be written can be overridden by using the
.sp
.LP
If the entry to be added already exists in the directory, the command displays an error
and exits, unless the \fB-c\fR option is used.
.sp
.LP
Although there is a \fBshadow\fR database type, there is no corresponding
\fBshadow\fR container. Both the \fBshadow\fR and the \fBpasswd\fR data are
stored in the \fBpeople\fR container itself. Similarly, data from the
\fBnetworks\fR and \fBnetmasks\fR databases are stored in the \fBnetworks\fR
.sp
.LP
The \fBuser_attr\fR data is stored by default in the
\fBpeople\fR container. The \fBprof_attr\fR and \fBexec_attr\fR data is stored
by default in the \fBSolarisProfAttr\fR container.
.sp
.LP
You must add entries from the \fBpasswd\fR database before you attempt to add
entries from the \fBshadow\fR database. The addition of a \fBshadow\fR entry
that does not have a corresponding \fBpasswd\fR entry will fail.
.sp
.LP
The \fBpasswd\fR database must precede the \fBuser_attr\fR database.
.sp
.LP
For better performance, the recommended order in which the databases should be
loaded is as follows:
.IP \(bu 2
\fBpasswd\fR database followed by \fBshadow\fR database
.IP \(bu 2
\fBnetworks\fR database followed by \fBnetmasks\fR database
.IP \(bu 2
\fBbootparams\fR database followed by \fBethers\fR database
.sp
.LP
Only the first entry of a given type that is encountered will be added to the
LDAP server. The \fBldapaddent\fR command skips any duplicate entries.
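.sp
.LP
The passwd-before-shadow rule and the first-duplicate-wins behaviour above are both worth checking before the data reaches the directory: a shadow line with no passwd counterpart makes the load fail, and a duplicate name is dropped silently, so the entry that ends up in the directory may not be the one the administrator expected. The script below is an added example, not part of this manual page and not shipped with ldapaddent. It works on constructed sample data in the standard colon-separated /etc/passwd and /etc/shadow layout, lists shadow entries with no passwd entry, lists duplicate names in each file, and prints the load order recommended above.

```shell
# Added example (not from the ldapaddent manual page): pre-load checks for the
# passwd/shadow ordering rule and the "first duplicate wins" behaviour.

# Constructed sample input standing in for /etc/passwd and /etc/shadow.
# "alice" is deliberately duplicated and "carol" has no passwd entry.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/usr/bin/bash
alice:x:1001:10:Alice:/home/alice:/bin/sh
bob:x:1002:10:Bob:/home/bob:/bin/sh
alice:x:1003:10:Alice again:/home/alice2:/bin/sh'

SAMPLE_SHADOW='root:NP:6445::::::
alice:$5$placeholderhash:6445::::::
carol:$5$placeholderhash:6445::::::'

# shadow_without_passwd PASSWD_FILE SHADOW_FILE
# Prints the names of shadow entries that have no passwd entry; ldapaddent
# rejects these when the shadow database is loaded. (The NR==FNR idiom
# assumes PASSWD_FILE is not empty.)
shadow_without_passwd() {
    awk -F: 'NR==FNR { seen[$1]=1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# duplicate_names FILE
# Prints each name that occurs more than once. ldapaddent adds only the first
# occurrence and skips the rest, so later entries are silently lost.
duplicate_names() {
    awk -F: 'count[$1]++ == 1 { print $1 }' "$1"
}

# recommended_order prints the database load order the manual page recommends.
recommended_order() {
    printf '%s\n' passwd shadow networks netmasks bootparams ethers
}

# preload_check PASSWD_FILE SHADOW_FILE
# Returns 0 when the two files can be loaded in order without surprises,
# 1 otherwise, and reports what would fail or be dropped.
preload_check() {
    rc=0
    missing=$(shadow_without_passwd "$1" "$2")
    if [ -n "$missing" ]; then
        echo "shadow entries with no passwd entry (load would fail):"
        echo "$missing" | sed 's/^/  /'
        rc=1
    fi
    for f in "$1" "$2"; do
        dups=$(duplicate_names "$f")
        if [ -n "$dups" ]; then
            echo "duplicate names in $f (only the first occurrence is added):"
            echo "$dups" | sed 's/^/  /'
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run on the constructed sample.
tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmpdir/passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$tmpdir/shadow"
if preload_check "$tmpdir/passwd" "$tmpdir/shadow"; then
    echo "input is consistent; load databases in this order:"
else
    echo "fix the input before running ldapaddent; intended order:"
fi
recommended_order | sed 's/^/  /'
rm -rf "$tmpdir"
```

Run the check against the real /etc/passwd and /etc/shadow by calling preload_check with those paths; a non-zero return means the shadow load would fail or an entry would be dropped, and the report shows which names to fix first.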
.SH OPTIONS
.LP
The \fBldapaddent\fR command supports the following options:
.TP
\fB-a\fR \fIauthenticationMethod\fR
Specify the authentication method. The default value is what has been configured in
the profile. The supported authentication methods are:
.RS
.IP
\fBsasl/DIGEST-MD5\fR
.IP
\fBtls:sasl/CRAM-MD5\fR
.IP
\fBtls:sasl/DIGEST-MD5\fR
.RE
.IP
Selecting \fBsimple\fR causes passwords to be sent over the network in clear
text. Its use is strongly discouraged. Additionally, if the client is
configured with a profile which uses no authentication, that is, either the
\fBcredentialLevel\fR attribute is set to \fBanonymous\fR or
\fBauthenticationMethod\fR is set to \fBnone\fR, the user must use this option
to provide an authentication method. If the authentication method is
\fBsasl/GSSAPI\fR, \fIbindDN\fR and \fIbindPassword\fR are not required and the
\fBhosts\fR and \fBipnodes\fR fields of \fB/etc/nsswitch.conf\fR must be
.IP
See \fBnsswitch.conf\fR(4).
.TP
\fB-b\fR \fIbaseDN\fR
Create entries in the \fIbaseDN\fR directory. \fIbaseDN\fR is not relative to
the client's default search base; rather, it is the actual location where
the entries will be created. If this parameter is not specified, the first
search descriptor defined for the service or the default container will be
.TP
\fB-c\fR
Continue adding entries to the directory even after an error. Entries will not
be added if the directory server is not responding or if there is an
authentication problem.
.TP
\fB-D\fR \fIbindDN\fR
Specify an entry which has write permission to the \fIbaseDN\fR. When used with
the \fB-d\fR option, this entry only needs read permission.
.TP
\fB-d\fR
Dump the LDAP container to the standard output in the appropriate format for
.TP
\fB-f\fR \fIfilename\fR
Specify the input file to read, in \fB/etc/\fR file format.
.TP
\fB-h\fR \fILDAP_server\fR[:\fIserverPort\fR]
Specify an address (or a name) and an optional port of the LDAP server in which
the entries will be stored. The current naming service specified in the
\fBnsswitch.conf\fR file is used. The default value for the port is \fB389\fR,
except when TLS is specified as the authentication method. In this case, the
default LDAP server port number is \fB636\fR.
.TP
\fB-j\fR \fIpasswdFile\fR
Specify a file containing the password for the bind DN or the password for the
SSL client's key database. To protect the password, use this option in scripts
and place the password in a secure file. This option is mutually exclusive of
.TP
\fB-M\fR \fIdomainName\fR
The name of a domain served by the specified server. If not specified, the
default domain name will be used.
.TP
\fB-N\fR \fIprofileName\fR
Specify the \fBDUAProfile\fR name. A profile with this name is expected to
exist on the server specified by the \fB-h\fR option. Otherwise, a default
\fBDUAProfile\fR will be used. The default value is \fBdefault\fR.
.TP
\fB-P\fR \fIcertifPath\fR
The certificate path for the location of the certificate database. The value is
the path where security database files reside. This is used for TLS support,
which is specified in the \fBauthenticationMethod\fR and
\fBserviceAuthenticationMethod\fR attributes. The default is \fB/var/ldap\fR.
.TP
\fB-p\fR
Process the \fBpassword\fR field when loading password information from a file.
By default, the \fBpassword\fR field is ignored because it is usually not
valid, as the actual password appears in a \fBshadow\fR file.
.TP
\fB-w\fR \fIbindPassword\fR
Password to be used for authenticating the \fIbindDN\fR. If this parameter is
missing, the command will prompt for a password. \fBNULL\fR passwords are not
.IP
When you use \fB-w\fR \fIbindPassword\fR to specify the password to be used
for authentication, the password is visible to other users of the system by
means of the \fBps\fR command, in script files or in shell history.
.IP
If you supply "\fB-\fR" (hyphen) as a password, you will be prompted to enter a
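.LP
The \fB-j\fR description recommends putting the bind password in a secure file, and the \fB-w\fR notes explain why: anything on the command line is visible through \fBps\fR, scripts and shell history. The shell functions below are an added example, not part of this manual page and not shipped with ldapaddent. They write the bind password to a file created with mode 0600, refuse to use a password file that is readable by anyone but its owner, and invoke ldapaddent with \fB-j\fR so the password never appears in the argument list. The bind DN \fBcn=directory manager\fR and the password value are placeholders; the password file is assumed to hold the password on a single line.

```shell
# Added example (not from the ldapaddent manual page): keep the bind password
# out of argv by storing it in an owner-only file and passing it with -j.

# write_bind_pw_file FILE
# Reads one line from standard input (terminal echo is turned off when the
# input is a terminal) and writes it to FILE, created under umask 077 so the
# resulting mode is 0600. Any existing file is removed first so the umask
# applies to a fresh file.
write_bind_pw_file() {
    rm -f "$1"
    (
        umask 077
        if [ -t 0 ]; then
            stty -echo
            printf 'Bind password: ' >&2
            read -r pw
            stty echo
            echo >&2
        else
            read -r pw
        fi
        printf '%s\n' "$pw" > "$1"
    )
}

# pw_file_mode FILE
# Prints the ten-character permission field from ls -l, e.g. -rw-------.
pw_file_mode() {
    ls -ld "$1" | cut -c1-10
}

# load_with_pw_file PW_FILE DATABASE INPUT_FILE
# Refuses to run unless PW_FILE is readable by its owner only, then runs
# ldapaddent with -j instead of -w. The bind DN is a placeholder value.
load_with_pw_file() {
    mode=$(pw_file_mode "$1")
    case "$mode" in
        -rw-------|-r--------) ;;
        *)
            echo "refusing to use $1: mode is $mode, expected owner-only" >&2
            return 1
            ;;
    esac
    ldapaddent -D "cn=directory manager" -j "$1" -f "$3" "$2"
}

# Stand-alone demonstration with a constructed password (not a real credential).
# The ldapaddent call itself is only printed here, not executed.
demo=$(mktemp -d)
printf '%s\n' 'placeholder-password' | write_bind_pw_file "$demo/bindpw"
echo "bind password file mode: $(pw_file_mode "$demo/bindpw")"
echo "would run: ldapaddent -D \"cn=directory manager\" -j $demo/bindpw -f /etc/passwd passwd"
rm -rf "$demo"
```

In a real run, call write_bind_pw_file once interactively, keep the file in a directory that is itself owner-only, and let load_with_pw_file do the permission check on every invocation; a file that has been loosened to group- or world-readable is rejected before any bind is attempted.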
.SH OPERANDS
.LP
The following operands are supported:
.TP
\fIdatabase\fR
The name of the database or service name. Supported values are: \fBaliases\fR,
\fBauto_*\fR, \fBbootparams\fR, \fBethers\fR, \fBgroup\fR, \fBhosts\fR
(including IPv6 addresses), \fBnetgroup\fR, \fBnetmasks\fR, \fBnetworks\fR,
\fBpasswd\fR, \fBshadow\fR, \fBprotocols\fR, \fBpublickey\fR, \fBrpc\fR, and
\fBservices\fR. Also supported are \fBauth_attr\fR, \fBprof_attr\fR,
\fBexec_attr\fR, \fBuser_attr\fR, and \fBprojects\fR.
.SH EXAMPLES
.LP
\fBExample 1 \fRAdding Password Entries to the Directory Server
.sp
.LP
The following example shows how to add password entries to the directory
.sp
.in +2
.nf
example# \fBldapaddent -D "cn=directory manager" -w secret \e
-f /etc/passwd passwd\fR
.fi
.in -2
.sp
.LP
\fBExample 2 \fRAdding Group Entries
.sp
.LP
The following example shows how to add \fBgroup\fR entries to the directory
server using \fBsasl/CRAM-MD5\fR as the authentication method:
.sp
.in +2
.nf
example# \fBldapaddent -D "cn=directory manager" -w secret \e
-a "sasl/CRAM-MD5" -f /etc/group group\fR
.fi
.in -2
.sp
.LP
\fBExample 3 \fRAdding \fBauto_master\fR Entries
.sp
.LP
The following example shows how to add \fBauto_master\fR entries to the
.sp
.in +2
.nf
example# \fBldapaddent -D "cn=directory manager" -w secret \e
-f /etc/auto_master auto_master\fR
.fi
.in -2
.sp
.LP
\fBExample 4 \fRDumping \fBpasswd\fR Entries from the Directory to File
.sp
.LP
The following example shows how to dump \fBpasswd\fR entries from the
directory to a file \fBfoo\fR:
.sp
.in +2
.nf
example# \fBldapaddent -d passwd > foo\fR
.fi
.in -2
.sp
.LP
\fBExample 5 \fRAdding Password Entries to a Specific Directory Server
.sp
.LP
The following example shows how to add password entries to a directory server
.sp
.in +2
.nf
example# \fBldapaddent -h 10.10.10.10:3890 \e
-M another.domain.name -N special_duaprofile \e
-D "cn=directory manager" -w secret \e
-f /etc/passwd passwd\fR
.fi
.in -2
.sp
.SH EXIT STATUS
.LP
The following exit values are returned:
.TP
\fB0\fR
Successful completion.
.SH FILES
.TP
\fB/var/ldap/ldap_client_file\fR
.PD 0
.TP
\fB/var/ldap/ldap_client_cred\fR
.PD
Files containing the LDAP configuration of the client. These files are not to
be modified manually. Their content is not guaranteed to be human readable. Use
\fBldapclient\fR(8) to update these files.
.SH ATTRIBUTES
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Committed
.TE
.SH SEE ALSO
.LP
\fBldap\fR(1), \fBldaplist\fR(1), \fBldapmodify\fR(1), \fBldapmodrdn\fR(1),
\fBldapsearch\fR(1), \fBidsconfig\fR(8), \fBldapclient\fR(8),
\fBnsswitch.conf\fR(4), \fBattributes\fR(5)
.SH NOTES
.LP
Currently StartTLS is not supported by \fBlibldap.so.5\fR; therefore the port
number provided refers to the port used during a TLS open, rather than the port
used as part of a StartTLS sequence. For example:
.sp
.in +2
.nf
-h foo:1000 -a tls:simple
.fi
.in -2
.sp
.LP
The preceding refers to a raw TLS open on host \fBfoo\fR port 1000, not an
open followed by a StartTLS sequence on an unsecured port 1000. If port 1000 is
unsecured, the connection will not be made.