man pages section 1M: System Administration Commands, Oracle Solaris 11 Information Library
NAME
ldapaddent - create LDAP entries from corresponding /etc files
SYNOPSIS
ldapaddent [-cpv] [-a authenticationMethod] [-b baseDN] -D bindDN [-w bind_password] [-j passwdFile] [-f filename] database
ldapaddent [-cpv] -a sasl/GSSAPI [-b baseDN] [-f filename] database
ldapaddent -d [-v] [-a authenticationMethod] [-D bindDN] [-w bind_password] [-j passwdFile] database
ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName] [-N profileName] [-P certifPath] [-a authenticationMethod] [-b baseDN] -D bindDN [-w bind_password] [-f filename] [-j passwdFile] database
ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName] [-N profileName] [-P certifPath] [-a authenticationMethod] [-b baseDN] [-f filename] database
ldapaddent -d [-v] -h LDAP_server[:serverPort] [-M domainName] [-N profileName] [-P certifPath] [-a authenticationMethod] [-b baseDN] -D bindDN [-w bind_password] [-j passwdFile] database
DESCRIPTION
ldapaddent creates entries in LDAP containers from their corresponding /etc files. This operation is customized for each of the standard containers that are used in the administration of Solaris systems. The database argument specifies the type of the data being processed. Legal values for this type are one of aliases, auto_*, bootparams, ethers, group, hosts (including both IPv4 and IPv6 addresses), ipnodes (alias for hosts), netgroup, netmasks, networks, passwd, shadow, protocols, publickey, rpc, and services. In addition to the preceding, the database argument can be one of the RBAC-related files (see rbac(5)):
/etc/user_attr
/etc/security/auth_attr
/etc/security/prof_attr
/etc/security/exec_attr
By default, ldapaddent reads from the standard input and adds this data to the LDAP container associated with the database specified on the command line. An input file from which data can be read is specified using the -f option.
If you specify the -h option, ldapaddent establishes a connection to the server indicated by the option in order to obtain a DUAProfile specified by the -N option. The entries will be stored in the directory described by the configuration obtained.
By default (if the -h option is not specified), entries will be stored in the directory based on the client's configuration. To use the utility in the default mode, the Solaris LDAP client must be set up in advance.
The location where entries are to be written can be overridden by using the -b option.
If the entry to be added exists in the directory, the command displays an error and exits, unless the -c option is used.
Although there is a shadow database type, there is no corresponding shadow container. Both the shadow and the passwd data are stored in the people container itself. Similarly, data from the networks and netmasks databases are stored in the networks container.
The user_attr data is stored by default in the people container. The prof_attr and exec_attr data is stored by default in the SolarisProfAttr container.
You must add entries from the passwd database before you attempt to add entries from the shadow database. The addition of a shadow entry that does not have a corresponding passwd entry will fail.
The passwd database must precede the user_attr database.
For better performance, the recommended order in which the databases should be loaded is as follows:
passwd database followed by shadow database
networks database followed by netmasks database
bootparams database followed by ethers database
Only the first entry of a given type that is encountered will be added to the LDAP server. The ldapaddent command skips any duplicate entries.
OPTIONS
The ldapaddent command supports the following options:
-a authenticationMethod
Specify the authentication method. The default value is what has been configured in the profile. The supported authentication methods are:
simple
sasl/CRAM-MD5
sasl/DIGEST-MD5
sasl/GSSAPI
tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5
Selecting simple causes passwords to be sent over the network in clear text. Its use is strongly discouraged. Additionally, if the client is configured with a profile which uses no authentication, that is, either the credentialLevel attribute is set to anonymous or authenticationMethod is set to none, the user must use this option to provide an authentication method. If the authentication method is sasl/GSSAPI, bindDN and bindPassword are not required, and the hosts and ipnodes fields of /etc/nsswitch.conf must be configured as:
hosts: dns files
ipnodes: dns files
See nsswitch.conf(4).
-b baseDN
Create entries in the baseDN directory. baseDN is not relative to the client's default search base; rather, it is the actual location where the entries will be created. If this parameter is not specified, the first search descriptor defined for the service or the default container will be used.
-c
Continue adding entries to the directory even after an error. Entries will not be added if the directory server is not responding or if there is an authentication problem.
-D bindDN
The distinguished name of an entry which has write permission to the baseDN. When used with the -d option, this entry only needs read permission.
-d
Dump the LDAP container to the standard output in the appropriate format for the given database.
-f filename
Indicates the input file to read, in /etc/ file format.
-h LDAP_server[:serverPort]
Specify an address (or a name) and an optional port of the LDAP server in which the entries will be stored. The current naming service specified in the nsswitch.conf file is used. The default value for the port is 389, except when TLS is specified as the authentication method. In this case, the default LDAP server port number is 636.
The format to specify the address and port number for an IPv6 address is:
[ipv6_addr]:port
To specify the address and port number for an IPv4 address, use the following format:
ipv4_addr:port
If the host name is specified, use the format:
host_name:port
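The three -h address forms above, together with the 389/636 default-port rule, are easy to get wrong in wrapper scripts, so here is a POSIX sh helper written for this page (it is an added example, not part of the ldapaddent(1M) man page or of Solaris). It splits an -h argument into host and port, accepting [ipv6_addr]:port, ipv4_addr:port and host_name:port, fills in 389 or 636 depending on whether the -a method is a tls: variant, and rejects a port that is not a number in 1..65535. The function name, and the choice to treat an unbracketed IPv6 literal as an address with no port, are this example's own.

```shell
#!/bin/sh
# Added example, not from the ldapaddent(1M) man page.
# ldap_server_addr SPEC [METHOD]
#   SPEC   = value that would be given to -h
#   METHOD = value that would be given to -a (defaults to "simple")
# Prints "host port" on success; returns 1 on a malformed port.
ldap_server_addr() {
    spec=$1; method=${2:-simple}

    # The page documents port 389 by default and 636 when TLS is the
    # authentication method (tls:simple, tls:sasl/CRAM-MD5, ...).
    case "$method" in
        tls:*) default_port=636 ;;
        *)     default_port=389 ;;
    esac

    case "$spec" in
        '['*']:'*)                  # [ipv6_addr]:port
            host=${spec#\[}; host=${host%%\]*}
            port=${spec##*\]:} ;;
        '['*']')                    # [ipv6_addr] with no port given
            host=${spec#\[}; host=${host%\]}
            port=$default_port ;;
        *:*:*)                      # bare IPv6 literal: treated as address only
            host=$spec; port=$default_port ;;  # (this example's assumption)
        *:*)                        # ipv4_addr:port or host_name:port
            host=${spec%:*}; port=${spec##*:} ;;
        *)                          # address or name with no port given
            host=$spec; port=$default_port ;;
    esac

    # Reject anything that is not a decimal number in the TCP port range.
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        return 1
    fi
    printf '%s %s\n' "$host" "$port"
}

# Usage: ldap_server_addr '[2001:db8::10]' tls:simple   -> "2001:db8::10 636"
```

Because the helper only prints, a wrapper can do `set -- $(ldap_server_addr "$h" "$a") || exit 1` and then pass `"$1:$2"` straight to -h, knowing the port it will use.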
-j passwdFile
Specify a file containing the password for the bind DN or the password for the SSL client's key database. To protect the password, use this option in scripts and place the password in a secure file. This option is mutually exclusive of the -w option.
-M domainName
The name of a domain served by the specified server. If not specified, the default domain name will be used.
-N profileName
Specify the DUAProfile name. A profile with such a name is supposed to exist on the server specified by the -h option. Otherwise, a default DUAProfile will be used. The default value is default.
-P certifPath
The certificate path for the location of the certificate database. The value is the path where security database files reside. This is used for TLS support, which is specified in the authenticationMethod and serviceAuthenticationMethod attributes. The default is /var/ldap.
-p
Process the password field when loading password information from a file. By default, the password field is ignored because it is usually not valid, as the actual password appears in a shadow file.
-w bind_password
Password to be used for authenticating the bindDN. If this parameter is missing, the command will prompt for a password. NULL passwords are not supported in LDAP.
When you use -w bindPassword to specify the password to be used for authentication, the password is visible to other users of the system by means of the ps command, in script files or in shell history.
If you supply "-" (hyphen) as a password, you will be prompted to enter a password.
-v
Verbose.
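Two points on this page matter most when ldapaddent is driven from a script: the load order the DESCRIPTION recommends (passwd before shadow and user_attr, networks before netmasks, bootparams before ethers) and the advice to pass the bind password through -j rather than -w, because -w exposes it via ps, script files and shell history. The following POSIX sh script is an added example illustrating both; it is not code from the man page or from Solaris. The bind DN, the password-file location, the -c flag and the dry-run switch are this example's own assumptions, and the script only prints the command lines unless DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example, not from the ldapaddent(1M) man page.
# Loads /etc databases into LDAP in the page's recommended order, reading the
# bind password from a mode-0600 file (-j) instead of the command line (-w).

BIND_DN='cn=directory manager'                      # assumed bind DN
PASS_FILE="${PASS_FILE:-/var/tmp/ldapaddent.pw}"    # assumed location
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands only

# Map a database name to the /etc file it is loaded from.  The RBAC files
# auth_attr, prof_attr and exec_attr live under /etc/security (see the
# DESCRIPTION list); everything else is /etc/<database>.
etc_file_for() {
    case "$1" in
        auth_attr|prof_attr|exec_attr) printf '/etc/security/%s\n' "$1" ;;
        *)                             printf '/etc/%s\n' "$1" ;;
    esac
}

# Print the requested databases one per line, with the dependent ones forced
# into the order the page recommends; anything else follows in given order.
load_order() {
    for first in passwd shadow user_attr networks netmasks bootparams ethers; do
        for db in "$@"; do
            if [ "$db" = "$first" ]; then printf '%s\n' "$db"; fi
        done
    done
    for db in "$@"; do
        case "$db" in
            passwd|shadow|user_attr|networks|netmasks|bootparams|ethers) ;;
            *) printf '%s\n' "$db" ;;
        esac
    done
}

# Build the command line for one database.  -c continues past entries that
# already exist; -j keeps the password out of ps output and shell history.
ldapaddent_cmd() {
    printf "ldapaddent -c -D '%s' -j %s -f %s %s\n" \
        "$BIND_DN" "$PASS_FILE" "$(etc_file_for "$1")" "$1"
}

# True only if the password file exists and is readable by its owner alone
# (group and other permission bits all clear, i.e. mode 0600 or stricter).
pass_file_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Check the password file, then run (or print) one ldapaddent per database.
load_all() {
    if ! pass_file_ok "$PASS_FILE"; then
        echo "refusing to run: $PASS_FILE is missing or not mode 0600" >&2
        return 1
    fi
    load_order "$@" | while read -r db; do
        cmd=$(ldapaddent_cmd "$db")
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Usage: (umask 077; printf '%s' "$PW" > /var/tmp/ldapaddent.pw)
#        DRY_RUN=0 sh load.sh shadow passwd user_attr networks netmasks
if [ "$#" -gt 0 ]; then load_all "$@"; fi
```

Creating the password file under umask 077 before the first run is what makes the pass_file_ok check pass; if the file is ever created with the default umask the script refuses to run rather than binding with a password other local users could read.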
OPERANDS
The following operands are supported:
database
The name of the database or service name. Supported values are: aliases, auto_*, bootparams, ethers, group, hosts (including IPv6 addresses), netgroup, netmasks, networks, passwd, shadow, protocols, publickey, rpc, and services. Also supported are auth_attr, prof_attr, exec_attr, user_attr, and projects.
EXAMPLES
Example 1 Adding Password Entries to the Directory Server
The following example shows how to add password entries to the directory server:
example# ldapaddent -D "cn=directory manager" -w secret \
    -f /etc/passwd passwd
Example 2 Adding Group Entries
The following example shows how to add group entries to the directory server using sasl/CRAM-MD5 as the authentication method:
example# ldapaddent -D "cn=directory manager" -w secret \
    -a "sasl/CRAM-MD5" -f /etc/group group
Example 3 Adding auto_master Entries
The following example shows how to add auto_master entries to the directory server:
example# ldapaddent -D "cn=directory manager" -w secret \
    -f /etc/auto_master auto_master
Example 4 Dumping passwd Entries from the Directory to a File
The following example shows how to dump password entries from the directory to a file foo:
example# ldapaddent -d passwd > foo
Example 5 Adding Password Entries to a Specific Directory Server
The following example shows how to add password entries to a directory server that you specify:
example# ldapaddent -h 10.10.10.10:3890 \
    -M another.domain.name -N special_duaprofile \
    -D "cn=directory manager" -w secret \
    -f /etc/passwd passwd
EXIT STATUS
The following exit values are returned:
0
Successful completion.
1
An error occurred.
FILES
Files containing the LDAP configuration of the client. These files are not to be modified manually. Their content is not guaranteed to be human readable. Use ldapclient(1M) to update these files.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
SEE ALSO
ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1), idsconfig(1M), ldapclient(1M), nsswitch.conf(4), attributes(5)
Oracle Solaris Administration: Security Services
NOTES
Currently StartTLS is not supported by libldap.so.5; therefore the port number provided refers to the port used during a TLS open, rather than the port used as part of a StartTLS sequence. For example:
-h foo:1000 -a tls:simple
The preceding refers to a raw TLS open on host foo port 1000, not an open StartTLS sequence on an unsecured port 1000. If port 1000 is unsecured, the connection will not be made.
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.