cpu-ldap man page on DragonFly

CPU-LDAP(8)							   CPU-LDAP(8)

NAME
       cpu - a user administration tool for LDAP backends

SYNOPSIS
       cpu user{add,del,mod} [options] login

       cpu group{add,del,mod} [options] group

       cpu cat

DESCRIPTION
       The ldap module for cpu provides a means for administering groups and
       users stored on an LDAP backend. An attempt has been made to maintain
       complete compatibility with the GNU/Linux versions of the shadow utils
       in terms of command line options. This module also supports several
       options that traditional user utilities do not, such as selecting which
       hash to use for the user, generating random or linear uids and gids,
       and pulling information for a user from existing password and shadow
       files.

LDAP OPTIONS
       The LDAP options are options that are used specifically	for  the  LDAP
       server.	They may be combined with any of the cpu functions.

       -2, --2
	      Use LDAPv2 instead of LDAPv3

       -a file, --addfile=file
              If a filename is given, it will be parsed and any additional
              LDAP attributes specified in this file will be added along with
              the user or group. This file should not contain any attributes
              that CPU requires or that you have already specified in the
              configuration file. If you do, the modification/addition will
              fail or create multivalued attributes. The format of the file
              should be:

	       <attrdesc>: <attrvalue>
	       <attrdesc>: <attrvalue>
	       <attrdesc>:: <base64-encoded-value>
	       ...

       -A cn, --cn=cn
              This option specifies what a user's DN should look like. If
              you specify -A foo for some user, their DN will look like
              foo=username,... This can be specified in the configuration file
              with USER_CN_STRING.

       -B base, --groupbase=base
	      This is the base to search for groups in. This is	 required  for
	      useradd  and  for	 any  group  functions. This should be a fully
	      qualified base such  as  ou=groups,o=company,c=us.  This	corre‐
	      sponds to the GROUP_BASE configuration option.

       -D bind_dn, --binddn=bind_dn
	      The  bind_dn  should  be	a DN with adequate credentials for the
	      operation that you  are  requesting.  This  corresponds  to  the
	      BIND_DN configuration file option.

       -F[file], --passfile[=file]
              If an argument is provided, that file should be in Unix-style
              password format. If no argument is provided, the configuration
              file variable PASSWORD_FILE will be used. Please be sure that
              the switch (-F or --passfile) has no trailing whitespace; it
              should be immediately followed by the argument. The information
              associated with the user will be used for populating their LDAP
              entry (uid, gid, gecos, home directory, shell).

       -H hash, --hash=hash
	      Hash  should  be one of sha1, md5, ssha1, smd5, crypt, or clear.
	      This corresponds to the HASH configuration file variable. Select
	      the hash that is being used at your site.

       -N hostname, --hostname=hostname
              Hostname should be the host that is running the LDAP service.
              This may be an IP address or hostname. This corresponds to
              the LDAP_HOST variable in the configuration file.

       -o, --nonposix
	      Violate  POSIX naming standards and allow characters in user and
	      group names not in the character	set  [A-Za-z0-9._-].  This  is
	      useful for things like adding Samba machine accounts.

       -P port, --port=port
	      Port  should  be	the port that the LDAP server is listening on.
	      This corresponds to the LDAP_PORT option	in  the	 configuration
	      file.

       -R length, --random=random
	      length  should be the length that you would like a randomly gen‐
	      erated password to be. This password will be  displayed  to  the
	      user.

       -S[file], --shadfile[=file]
              If an argument is provided, that file should be in Unix-style
              shadow format. If no argument is provided, the configuration
              file variable SHADOW_FILE will be used. Please be sure that the
              switch (-S or --shadfile) has no trailing whitespace; it should
              be immediately followed by the argument. The information
              associated with the user will be used for populating their LDAP
              entry (password, sp_lstchg, sp_min, sp_max, sp_warn, sp_inact,
              sp_expire).

       -t timeout, --timeout=timeout
              This value specifies how long (in seconds) to wait before LDAP
              operations time out. The corresponding configuration file
              option is TIMEOUT.

       -U base, --userbase=base
	      This is the base to search for users in. This  is	 required  for
	      any  user	 functions. This should be a fully qualified base such
	      as ou=users,o=company,c=us. This corresponds  to	the  USER_BASE
	      configuration option.

       -w[pass], --bindpass[=pass]
	      If an argument is provided, that value will be used for the bind
	      password. If no argument is provided, the user will be  prompted
	      for  a  password.	 This  option can be omitted by specifying the
	      password in the configuration file with the option BIND_PASS. If
	      a value is specified at the command line, the switch should have
	      no whitespace following it.
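
       A pre-flight check for a -a/--addfile file, as an added example that
       is not part of the cpu distribution or of this man page: it parses the
       two line forms shown under -a and flags attributes that cpu manages
       itself. The RESERVED set and the sample input are assumptions; the man
       page does not list the attributes CPU requires.

```python
import base64
import re

# Assumption: names cpu manages itself; the man page does not list them,
# so adjust this set to your schema and cpu.conf.
RESERVED = {"uid", "cn", "uidnumber", "gidnumber", "homedirectory",
            "userpassword", "objectclass"}
# "<attrdesc>: <attrvalue>" or "<attrdesc>:: <base64-encoded-value>"
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)[ \t]*(.*)$")


def check_addfile(text, reserved=RESERVED):
    """Return (attrs, problems) for the contents of a -a/--addfile file."""
    attrs, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            problems.append(f"line {lineno}: not '<attrdesc>: <attrvalue>'")
            continue
        name, sep, value = m.groups()
        if sep == "::":
            try:  # strict decoding: reject characters outside the alphabet
                value = base64.b64decode(value, validate=True)
            except ValueError:
                problems.append(f"line {lineno}: invalid base64 for {name}")
                continue
        key = name.lower()  # attribute descriptions are case-insensitive
        if key in reserved:
            problems.append(f"line {lineno}: {name} is managed by cpu")
        elif key in attrs:
            problems.append(f"line {lineno}: {name} repeated in file")
        attrs.setdefault(key, []).append(value)
    return attrs, problems


# Constructed sample input, not taken from the man page.
SAMPLE = """\
description:: Q29udHJhY3Rvcg==
uidNumber: 0
mail: a@example.org
mail: b@example.org
this line has no separator
"""

if __name__ == "__main__":
    print("\n".join(check_addfile(SAMPLE)[1]))
```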

       The following options can be used for populating LDAP attributes.

       -f name, --firstname=name
              Name may be combined with lastname to form a more complete
              CN. This value is also used for the givenName (gn) attribute.
              This value is not required by RFC2307.

       -E name, --lastname=name
              Name may be combined with firstname to form a more complete
              CN. This value is also used for the surname (sn) attribute.
              This value is not required by RFC2307.

       -e address, --email=address
	      The value address is used to populate the mail  attribute.  This
	      attribute	 is  not required by RFC2307 for posixAccount but many
	      people's LDAP schemas do require it. inetOrgPerson is one object
	      that contains it.

       The following options are not LDAP specific.

       -y, --yes
              Reply yes to any questions (such as whether it is ok to remove a
              directory).

       -h, --help
	      Display help.

       -v, --verbose
	      Turn the verbose level up.

       -V, --version
	      Display the version of the module.

cpu cat
       The cat command will cause any users and	 groups	 stored	 in  the  LDAP
       directory  to  be  displayed  in	 a  Unix style format. cat requires no
       options.

cpu useradd [options] login
       The useradd function is used to add new users to an LDAP directory. The
       options	are similar to those used by traditional GNU/Linux user admin‐
       istration utilities.

       -c comment, --gecos=comment
	      The value specified is used to populate the gecos attribute. You
	      can  specify a default value in the configuration file using the
	      GECOS variable. This is not required by RFC2307. This  can  also
	      be populated using the -F option (see above).

       -d home_dir, --directory=home_dir
	      The new user will be created using home_dir as the value for the
	      user's login directory.  The  default  is	 to  append  login  to
	      HOME_DIRECTORY (from the configuration file) and use that as the
	      login directory name. This is required by RFC2307.

       -g initial_group, --gid=initial_group
              The group id or name of the user's initial login group. The
              group should exist but does not have to. CPU will search the
              LDAP directory and warn you if that group does not exist. If the
              group does exist, the user's gidNumber will be set to the
              gidNumber of that group. This is required by RFC2307. If
              unspecified, CPU will search for the next unused GID. This
              behavior can be adjusted by MAX_GIDNUMBER, MIN_GIDNUMBER,
              ID_MAX_PASSES, and RANDOM in the configuration file.

       -G group,[...] --sgroup=group,[...]
	      A	 list  of supplementary groups which the user is also a member
	      of. Each group is separated from the next by a  comma,  with  no
	      intervening  whitespace. CPU will search the directory for these
	      groups, and if found, add the user to those groups. The  default
	      is for the user to belong only to the initial group.

       -k[skeleton_dir] --skel[=skeleton_dir]
              This option is only useful if specified along with the -m
              option. If both are specified, the contents of skeleton_dir
              will be copied to the user's new home directory. If skeleton_dir
              is specified, there should be no whitespace between it and the
              command line switch. If skeleton_dir is not specified, the value
              of SKEL_DIR as specified in the configuration file will be used.

       -m, --makehome
              The user's home directory will be created if it does not exist.
              The files contained in skeleton_dir will be copied to the home
              directory if the -k option is used. The -k option is only valid
              in conjunction with the -m option. The default is to not create
              the directory and to not copy any files.

       -p[passwd] --password[=password]
              The encrypted or unencrypted password. If no argument is given,
              the user is prompted to enter a password. If CPU was compiled
              with libcrack, the password will be checked for weakness. If the
              password is encrypted, hash should be the value of the hash type
              that was used. If not specified at the command line or found in
              the shadow file (if -S was used), * is used, which should lock
              the account.

       -s shell, --shell=shell
              The name of the user's login shell. If not specified at the
              command line, one can specify it with the DEFAULT_SHELL
              configuration file option. This is not required by RFC2307.

       -u uid, --uid=uid
              The numerical value of the user's ID. This value must be unique
              and non-negative. If unspecified, CPU will search for an unused
              UID. This behavior can be adjusted by MAX_UIDNUMBER,
              MIN_UIDNUMBER, ID_MAX_PASSES, and RANDOM in the configuration
              file.

       -X script, --exec=script
	      After the user has successfully been  added  to  the  directory,
	      execute  this  script.  The  script is passed the login name. If
	      this option is not supplied,  the	 configuration	file  will  be
	      checked for ADD_SCRIPT.

cpu usermod [options] login
       All options that apply to useradd also apply to usermod except for -k.

       -l login_name, --newusername=login_name
              The name of the user will be changed from login to login_name.
              The LDAP attributes cn and uid are changed to login_name; the
              user's rdn is also modified. If specified in conjunction with
              the -m switch, the user's old home directory will be copied to
              the appropriate new location (see the -d switch for behavior).

       -L, --lock
              Lock the given user account.

       -U, --unlock
              Unlock the given user account.

cpu userdel [options] login
       The  userdel  command modifies the LDAP directory, deleting all entries
       that refer to login. The named user must exist. The options which apply
       to the userdel command are:

       -r, --removehome
              Files in the user's home directory will be removed along with
              the home directory itself. The user's mail spool is not deleted.
              Files located in other file systems will have to be searched for
              and deleted manually.

       -X script, --exec=script
	      After the user has successfully been removed from the directory,
	      execute  this  script.  The  script is passed the login name. If
	      this option is not supplied,  the	 configuration	file  will  be
	      checked for DEL_SCRIPT.

cpu groupadd [options] group
       The groupadd command creates a new group account using the values
       specified on the command line and the default values from the
       configuration file. The new group will be entered into the LDAP
       directory as needed. The options which apply to the groupadd command
       are:

       -g gid, --gid=gid
	      The numerical value of the group's  ID.  This  value  should  be
	      unique.  The value must be non-negative. A new gid can be gener‐
	      ated by not specifying this option. This generation can be modi‐
	      fied by changing the configuration file.

cpu groupmod [options] group
       The groupmod command modifies the group specified at the command line.
       The options which apply to the groupmod command are:

       -g gid, --gid=gid
	      The numerical value of the group's  ID.  This  value  should  be
	      unique. The value must be non-negative.

       -n group_name, --newgroupname=group_name
	      The  name of the group will be changed from group to group_name.
	      The cn and rdn will also be modified.

cpu groupdel [options] group
       The groupdel command removes the group specified at  the	 command  line
       from the LDAP directory.

SEE ALSO
       cpu.conf(5) cpu(8)

AUTHORS
       Blake Matheny <bmatheny@purdue.edu>

       The   current   version	 of  this  software  is	 always	 available  at
       http://cpu.sourceforge.net

BUGS
       To report a bug or problem, please e-mail:

       cpu-users@lists.sourceforge.net

TODO
       See TODO file that accompanied software.	 Please	 e-mail	 us  with  any
       additional suggestions.

			       17 February 2003			   CPU-LDAP(8)