ldapaddent(1M) System Administration Commands ldapaddent(1M)NAMEldapaddent - create LDAP entries from corresponding /etc files
SYNOPSISldapaddent [-cpv] [-a authenticationMethod] [-b baseDN]
-D bindDN [-w bind_password] [-j passwdFile] [-f filename]
database
ldapaddent [-cpv] -a sasl/GSSAPI [-b baseDN] [-f filename]
database
ldapaddent-d [-v] [-a authenticationMethod] [-D bindDN]
[-w bind_password] [-j passwdFile] database
ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
[-N profileName] [-P certifPath] [-a authenticationMethod]
[-b baseDN] -D bindDN [-w bind_password] [-f filename]
[-j passwdFile] database
ldapaddent [-cpv] -h LDAP_server[:serverPort] [-M domainName]
[-N profileName] [-P certifPath] [-a authenticationMethod]
[-b baseDN] [-f filename] database
ldapaddent-d [-v] -h LDAP_server[:serverPort] [-M domainName]
[-N profileName] [-P certifPath] [-a authenticationMethod]
[-b baseDN] -D bindDN [-w bind_password] [-j passwdFile]
database
DESCRIPTIONldapaddent creates entries in LDAP containers from their corresponding
/etc files. This operation is customized for each of the standard con‐
tainers that are used in the administration of Solaris systems. The
database argument specifies the type of the data being processed. Legal
values for this type are one of aliases, auto_*, bootparams, ethers,
group, hosts (including both IPv4 and IPv6 addresses), ipnodes (alias
for hosts), netgroup, netmasks, networks, passwd, shadow, protocols,
publickey, rpc, and services. In addition to the preceding, the data‐
base argument can be one of the RBAC-related files (see rbac(5)):
o /etc/user_attr
o /etc/security/auth_attr
o /etc/security/prof_attr
o /etc/security/exec_attr
By default, ldapaddent reads from the standard input and adds this data
to the LDAP container associated with the database specified on the
command line. An input file from which data can be read is specified
using the -f option.
If you specify the -h option, ldapaddent establishes a connection to
the server indicated by the option in order to obtain a DUAProfile
specified by the -N option. The entries will be stored in the directory
described by the configuration obtained.
By default (if the -h option is not specified), entries will be stored
in the directory based on the client's configuration. To use the util‐
ity in the default mode, the Solaris LDAP client must be set up in
advance.
The location where entries are to be written can be overridden by using
the -b option.
If the entry to be added exists in the directory, the command displays
an error and exits, unless the -c option is used.
Although, there is a shadow database type, there is no corresponding
shadow container. Both the shadow and the passwd data is stored in the
people container itself. Similarly, data from networks and netmasks
databases are stored in the networks container.
The user_attr and audit_user data is stored by default in the people
container. The prof_attr and exec_attr data is stored by default in the
SolarisProfAttr container.
You must add entries from the passwd database before you attempt to add
entries from the shadow database. The addition of a shadow entry that
does not have a corresponding passwd entry will fail.
The passwd database must precede both the user_attr and audit_user
databases.
For better performance, the recommended order in which the databases
should be loaded is as follows:
o passwd database followed by shadow database
o networks database followed by netmasks database
o bootparams database followed by ethers database
Only the first entry of a given type that is encountered will be added
to the LDAP server. The ldapaddent command skips any duplicate entries.
OPTIONS
The ldapaddent command supports the following options:
-a authenticationMethod
Specify authentication method. The default value is what has been
configured in the profile. The supported authentication methods
are:
o simple
o sasl/CRAM-MD5
o sasl/DIGEST-MD5
o sasl/GSSAPI
o tls:simple
o tls:sasl/CRAM-MD5
o tls:sasl/DIGEST-MD5
Selecting simple causes passwords to be sent over the network in
clear text. Its use is strongly discouraged. Additionally, if the
client is configured with a profile which uses no authentication,
that is, either the credentialLevel attribute is set to anonymous
or authenticationMethod is set to none, the user must use this
option to provide an authentication method. If the authentication
method is sasl/GSSAPI, bindDN and bindPassword is not required and
the hosts and ipnodes fields of /etc/nsswitch.conf must be config‐
ured as:
hosts: dns files
ipnodes: dns files
See nsswitch.conf(4).
-b baseDN
Create entries in the baseDN directory. baseDN is not relative to
the client's default search base, but rather. it is the actual
location where the entries will be created. If this parameter is
not specified, the first search descriptor defined for the service
or the default container will be used.
-c
Continue adding entries to the directory even after an error.
Entries will not be added if the directory server is not responding
or if there is an authentication problem.
-D bindDN
Create an entry which has write permission to the baseDN. When used
with -d option, this entry only needs read permission.
-d
Dump the LDAP container to the standard output in the appropriate
format for the given database.
-f filename
Indicates input file to read in an /etc/ file format.
-h LDAP_server[:serverPort]
Specify an address (or a name) and an optional port of the LDAP
server in which the entries will be stored. The current naming ser‐
vice specified in the nsswitch.conf file is used. The default value
for the port is 389, except when TLS is specified as the authenti‐
cation method. In this case, the default LDAP server port number is
636.
The format to specify the address and port number for an IPv6
address is:
[ipv6_addr]:port
To specify the address and port number for an IPv4 address, use the
following format:
ipv4_addr:port
If the host name is specified, use the format:
host_name:port
-j passwdFile
Specify a file containing the password for the bind DN or the pass‐
word for the SSL client's key database. To protect the password,
use this option in scripts and place the password in a secure file.
This option is mutually exclusive of the -w option.
-M domainName
The name of a domain served by the specified server. If not speci‐
fied, the default domain name will be used.
-N profileName
Specify the DUAProfile name. A profile with such a name is supposed
to exist on the server specified by -h option. Otherwise, a default
DUAProfile will be used. The default value is default.
-P certifPath
The certificate path for the location of the certificate database.
The value is the path where security database files reside. This is
used for TLS support, which is specified in the authentication‐
Method and serviceAuthenticationMethod attributes. The default is
/var/ldap.
-p
Process the password field when loading password information from a
file. By default, the password field is ignored because it is usu‐
ally not valid, as the actual password appears in a shadow file.
-w bindPassword
Password to be used for authenticating the bindDN. If this parame‐
ter is missing, the command will prompt for a password. NULL pass‐
words are not supported in LDAP.
When you use -w bindPassword to specify the password to be used for
authentication, the password is visible to other users of the sys‐
tem by means of the ps command, in script files or in shell his‐
tory.
If you supply "-" (hyphen) as a password, you will be prompted to
enter a password.
-v
Verbose.
OPERANDS
The following operands are supported:
database
The name of the database or service name. Supported values are:
aliases, auto_*, bootparams, ethers, group, hosts (including IPv6
addresses), netgroup, netmasks, networks, passwd, shadow, proto‐
cols, publickey, rpc, and services. Also supported are auth_attr,
prof_attr, exec_attr, and user_attr.
EXAMPLES
Example 1 Adding Password Entries to the Directory Server
The following example shows how to add password entries to the direc‐
tory server:
example# ldapaddent-D "cn=directory manager" -w secret \
-f /etc/passwd passwd
Example 2 Adding Group Entries
The following example shows how to add group entries to the directory
server using sasl/CRAM-MD5 as the authentication method:
example# ldapaddent-D "cn=directory manager" -w secret \
-a "sasl/CRAM-MD5" -f /etc/group group
Example 3 Adding auto_master Entries
The following example shows how to add auto_master entries to the
directory server:
example# ldapaddent-D "cn=directory manager" -w secret \
-f /etc/auto_master auto_master
Example 4 Dumping passwd Entries from the Directory to File
The following example shows how to dump password entries from the
directory to a file foo:
example# ldapaddent-d passwd > foo
Example 5 Adding Password Entries to a Specific Directory Server
The following example shows how to add password entries to a directory
server that you specify:
example# ldapaddent-h 10.10.10.10:3890 \
-M another.domain.name -N special_duaprofile \
-D "cn=directory manager" -w secret \
-f /etc/passwd passwd
EXIT STATUS
The following exit values are returned:
0
Successful completion.
>0
An error occurred.
FILES
/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred
Files containing the LDAP configuration of the client. These files
are not to be modified manually. Their content is not guaranteed to
be human readable. Use ldapclient(1M) to update these files.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWnisu │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Committed │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOldap(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1),
idsconfig(1M), ldapclient(1M), suninstall(1M), nsswitch.conf(4),
attributes(5)CAUTION
Currently StartTLS is not supported by libldap.so.5, therefore the port
number provided refers to the port used during a TLS open, rather than
the port used as part of a StartTLS sequence. For example:
-h foo:1000 -a tls:simple
The preceding refers to a raw TLS open on host foo port 1000, not an
open, StartTLS sequence on an unsecured port 1000. If port 1000 is
unsecured the connection will not be made.
SunOS 5.10 8 Apr 2011 ldapaddent(1M)
