ldapugmod man page on HP-UX

ldapugmod(1M)							 ldapugmod(1M)

NAME
       ldapugmod  - modify existing POSIX accounts or groups in an LDAP direc‐
       tory server

SYNOPSIS
       [options]  hostname]  port]  full_name]	name]  uidNumber]   group/gid]
	      login_shell]  home_directory  gecos]  comment]  attrval]	[...]]
	      attrval] [...]]

       [options] hostname] port] new_name] gidNumber] comment] attrval] [...]]

DESCRIPTION
       allows HP-UX administrators to modify existing POSIX accounts or groups
       in an LDAP directory server.

       When  using  extended  options,	can  also  be used to modify arbitrary
       attributes for user or group entries.

       Users of are required to provide LDAP  administrator  credentials  that
       have  sufficient	 privilege  to perform the user or group modify opera‐
       tions in the LDAP directory server.

   Options
       Prompt for the administrator's bind identity (typically LDAP DN or
	       kerberos principal) and bind password.

	       Without , will discover the bind identity and password from the
	       and environment variables.  If either of those environment vari‐
	       ables has not been specified, will follow the bind  configura‐
	       tion specified in the ldapux(5) configuration profile.

	       If  ldapux(5)  has  specified "proxy" bind, the bind credential
	       will be read from either the or file.  The file	will  only  be
	       used  by users that have sufficient administrative privilege to
	       read that file.

	       Refer to below for additional details.

       Prompt for the password of the user or group being modified.
	       If the option is not specified, the password for	 the  modified
	       user  or	 group will be retrieved from the environment variable
	       if the option is specified.

	       Use of implies the use of

       Change the user or group password attribute.

	       Also, if ldapux(5)  attribute  mapping  for  the  userPassword
	       attribute  has not been defined or set to will create new pass‐
	       words in the userPassword attribute.

	       If is specified, either the environment variable or the	option
	       must be specified.

       With    it is possible to extend posixAccount and posixGroup attributes
	       to a user or group entry that  does  not	 already  contain  the
	       posixAccount or posixGroup object class.	 This ability requires
	       use of the option.  With will add the  posixAccount  or	posix‐
	       Group  object  class and respective attributes (depending on if
	       the or option) to the entry being modified.

	       Note that when used with Active Directory service, if the  user
	       or  group  entry	 is built using the abstract "User" or "Group"
	       class, will assume that the abstract  class  already  includes
	       the  required  MS  SFU  attributes,  and	 thus will not add the
	       posixAccount or posixGroup objectclass to the entry.

       Requires an SSL connection to the directory server, even if the
	       ldapux(5) configuration does not require the use of  SSL.   Use
	       of  requires either a valid server or CA certificate be defined
	       in the file.

	       An error will occur if the SSL connection could not  be	estab‐
	       lished.	Refer to below for additional details.

       Attempt a TLS connection to the directory server, even if the
	       ldapux(5)  configuration does not require the use of TLS.  If a
	       TLS connection cannot be established, a plaintext (non-TLS  and
	       non-SSL)  connection  is established instead, and the bind cre‐
	       dentials and all modifications are then sent unprotected.

	       Because of this fallback, an attacker who can interfere with the
	       TLS negotiation can downgrade the session to plaintext.	Use  of
	       is not recommended unless alternative methods are used to  pro‐
	       tect against network eavesdropping.  Use of  requires  either  a
	       valid  server  or CA certificate be defined in the file.	 Refer
	       to below for additional details.

       Requires a TLS connection to the directory server, even if the
	       ldapux(5) configuration does not require the use of TLS.

	       Use of requires either a valid  server  or  CA  certificate  be
	       defined in the file.  An error will occur if the TLS connection
	       could not  be  established.   Refer  to	below  for  additional
	       details.

       Allows renaming of the RDN (Relative Distinguished Name) of an LDAP
	       directory entry.	 In some cases, when an attribute is modified,
	       it may be the same attribute that is used in the RDN portion of
	       the  entry's  distinguished  name.   Changing the attribute and
	       value that is used in the RDN requires changing the RDN.

	       For example, suppose an entry in the directory server is named:

	       If the cn attribute is changed to then the DN would  also  need
	       to change to:

	       Modification of an RDN is generally discouraged since the DN is
	       often used as a unique way to identify the entry in the	direc‐
	       tory  server.   Often  the DN is used to define membership in a
	       group.  So to prevent accidental changing of the DN, the option
	       must be specified to allow changing of the RDN.	When the DN of
	       an entry changes, the group  membership	information  for  this
	       entry may become inconsistent.

	       However,	 most  directory  servers have the inherent ability to
	       update all entries that refer to the updated DN	of  a  changed
	       entry.	So  will not attempt to perform modifications to other
	       entries in the directory server that refer to this entry by its
	       DN.

	       NOTE:  will  not allow renaming of multi-valued RDNs; for exam‐
	       ple, an RDN of is not supported.
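
	       A worked illustration of the RDN rule described above.  This is
	       an added example, not code from LDAP-UX or ldapugmod: it splits
	       off the first RDN of a DN (honouring backslash-escaped commas),
	       refuses multi-valued RDNs, and only rewrites the DN when the
	       changed attribute is the RDN attribute and the caller has opted
	       in to renaming.  The DNs used below, such as
	       cn=Manny Wolters,ou=people,dc=example,dc=com, are constructed
	       for the example.

```python
# Added example: RDN handling as described for the rename option.
# Not code from LDAP-UX; all DNs here are constructed for illustration.


class RdnChangeRefused(Exception):
    """Raised when a modification would change the RDN without permission."""


def split_first_rdn(dn):
    """Return (rdn, rest) for a DN, honouring backslash-escaped commas.

    Raises ValueError for a multi-valued RDN (an unescaped '+'), which the
    rename option does not support.
    """
    i, escaped = 0, False
    while i < len(dn):
        ch = dn[i]
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "+":
            raise ValueError("multi-valued RDN not supported: %r" % dn)
        elif ch == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""  # single-component DN


def escape_rdn_value(value):
    """Escape the characters RFC 4514 requires escaping inside an RDN value."""
    out = []
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;' or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def rename_dn(dn, attr, new_value, allow_rdn_change=False):
    """Return the DN that `dn` must take after replacing `attr` with `new_value`.

    If `attr` is not the RDN attribute the DN is unchanged.  If it is, the
    rename is refused unless allow_rdn_change is True, mirroring the
    "prevent accidental changing of the DN" behaviour of the man page.
    """
    rdn, rest = split_first_rdn(dn)
    rdn_attr, _sep, _old = rdn.partition("=")
    if rdn_attr.strip().lower() != attr.lower():
        return dn
    if not allow_rdn_change:
        raise RdnChangeRefused(
            "changing %s would change the RDN of %s; rename not allowed" % (attr, dn))
    new_rdn = "%s=%s" % (rdn_attr.strip(), escape_rdn_value(new_value))
    return new_rdn if not rest else new_rdn + "," + rest


if __name__ == "__main__":
    print(rename_dn("cn=Manny Wolters,ou=people,dc=example,dc=com",
                    "cn", "Manuel Wolters", allow_rdn_change=True))
```

	       Group entries that refer to the old DN in member or uniqueMember
	       are not touched by this function, just as the man page says the
	       tool leaves them to the directory server's referential integrity
	       feature.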

       Force modification of the user or group entry even if particular error
	       conditions occur.  The error conditions that can be  overridden
	       are:

	       ·  The  changed	user  name or group name already exists in the
		  directory server.

	       ·  The changed user id or group id number already exists in the
		  directory server.

	       ·  Adding  a  member to a group when that member is not defined
		  in the LDAP directory.  In this case, membership will always
		  be  defined  using  the  memberUid  attribute, regardless of
		  attribute mapping defined for group membership.

	       ·  When modifying the group of a user with a group ID that  can
		  not  be found in any name service repository.	 In this case,
		  the group ID number must be specified.

	       Note that some directory servers perform	 their	own  attribute
	       and RDN uniqueness checks.  In this case, even if the option is
	       specified, if the directory server detects a collision, will be
	       unable to modify the specified entry.

       Upon successful completion, display the DN of the updated entry.

   Arguments
       Specifies  if  the  command-line	 arguments are applicable to modifying
       user
		      or group.	 type is expected to be either or If  unspeci‐
		      fied, defaults to

		      Note: to be consistent with the Name Service Switch (see
		      switch(4)), the term (instead of user) is used to repre‐
		      sent  LDAP  user	entries	 which	contain POSIX account-
		      related information.

       Specifies the host name and optional port number
		      of the directory	server.	  This	option	overrides  the
		      server list configured by ldapux(5).

		      The  hostname  field also supports specification of IPv4
		      and IPv6 addresses.  Note that when a port is  specified
		      for  an IPv6 address, the IPv6 address must be specified
		      in square-bracketed form.

		      If the optional port is unspecified, the port number  is
		      assumed to be 389, or 636 for SSL connections.  Refer to
		      below for additional details.

       Specifies the port number of the directory server to contact.
		      This option is ignored if the port number	 is  specified
		      in  the  hostname as part of the option.	Refer to below
		      for additional details.
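
		      The host and port rules above, as an added example that is
		      not code from LDAP-UX: a parser that accepts a host name or
		      IPv4 address with an optional port, a bracketed IPv6
		      address with a port, or a bare IPv6 address without one,
		      lets a port inside the host specification override a
		      separate port option, and falls back to 389 or 636.  Host
		      names such as ldap.example.com are constructed for the
		      example.

```python
# Added example: parsing the hostname[:port] argument as the man page
# describes it.  Not part of LDAP-UX; host names below are constructed.
import ipaddress

PORT_LDAP = 389    # plain LDAP; TLS (STARTTLS) also uses this port
PORT_LDAPS = 636   # LDAP over SSL


def _check_port(text):
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError("invalid port %r" % text)
    return int(text)


def parse_directory_host(spec, port_option=None, require_ssl=False):
    """Return (host, port) for a directory server specification.

    Rules implemented:
      * "name", "name:port", "v4addr", "v4addr:port"
      * an IPv6 address carrying a port must be bracketed: "[2001:db8::1]:636"
      * an unbracketed IPv6 address is the whole spec and has no port
      * a port inside spec overrides the separate port option
      * otherwise 389, or 636 when an SSL connection is required
    """
    spec = spec.strip()
    host, port_text = spec, None
    if spec.startswith("["):
        close = spec.find("]")
        if close < 0:
            raise ValueError("unterminated '[' in %r" % spec)
        host = spec[1:close]
        ipaddress.IPv6Address(host)           # ValueError if not IPv6
        tail = spec[close + 1:]
        if tail:
            if not tail.startswith(":"):
                raise ValueError("unexpected text after ']' in %r" % spec)
            port_text = tail[1:]
    elif spec.count(":") > 1:
        ipaddress.IPv6Address(spec)           # bare IPv6; no port component
    elif ":" in spec:
        host, port_text = spec.split(":", 1)
    if not host:
        raise ValueError("empty host in %r" % spec)
    if port_text is not None:
        port = _check_port(port_text)
    elif port_option is not None:
        port = _check_port(str(port_option))
    else:
        port = PORT_LDAPS if require_ssl else PORT_LDAP
    return host, port


if __name__ == "__main__":
    for s in ("ldap.example.com", "10.1.2.3:1389", "[2001:db8::1]:636", "2001:db8::1"):
        print(s, "->", parse_directory_host(s))
```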

       Specifies the new name of the user or group.
		      This option will replace	the  uid  attribute  for  user
		      entries  and  the cn attribute for group entries, or the
		      mapped attribute if attribute mapping has been specified
		      for that attribute.

		      Use  of  is  the	same  as  replacing  the corresponding
		      attribute.  For example, assuming no attribute mapping:

		      is the same as:

       Specifies an attribute and value to be added to an entry.
		      The format  of  where  attribute	is  the	 name  of  the
		      attribute	 to add, and value is the specific instance of
		      that attribute.

		      The  option  is  used  when  working  with  multi-valued
		      attributes,  to  add  a  new  value  for	a multi-valued
		      attribute, without removing already existing values  for
		      that attribute.

		      Note  that use of the option interacts with the optional
		      parameters.  See below.  The  option  may	 be  specified
		      more  than  once per command line.  The value portion of
		      attrval may be an empty string.

       Specifies an attribute or specific values of an attribute to be removed
		      from the entry.  The format of where  attribute  is  the
		      name  of	the attribute to remove, and value is the spe‐
		      cific instance of that attribute, if  the	 attribute  is
		      multi-valued.

		      Note  that use of the option interacts with the optional
		      parameters.  See below.  The  option  may	 be  specified
		      more than once per command line.

       Normally	      will search for the named user or group using the search
		      rules described by the service search descriptor in  the
		      ldapux(5)	 configuration	profile.  With the exact DN of
		      the entry being modified may be specified.

		      If the option is specified, the uid_name	or  group_name
		      parameter should not be specified.

   Options Applicable to '-t passwd'
       Replaces the user's full name.
		      If  full_name  is	 an  empty  string  (a	pair of double
		      quotes: ""), will remove the cn (or mapped) attribute.

		      Note, refer to the section below for impacts when	 using
		      this option.

       Replaces the user's numeric id number
		      If  uidNumber  is	 an  empty  string  (a	pair of double
		      quotes: ""),  will  remove  the  uidNumber  (or  mapped)
		      attribute.  If the specified uidNumber already exists in
		      the directory server, will  not  modify  the  entry  and
		      return an error exit status, unless the option is speci‐
		      fied.

		      Note, refer to the section below for impacts when	 using
		      this option.

       Replace the user's primary login group id number.
		      If group/gid is an empty string, will remove the gidNum‐
		      ber (or mapped) attribute.

		      In order to support  numeric  group  names,  treats  the
		      argument	to  as	a group name.  If a numeric group name
		      can not be found that matches  the  argument  specified,
		      checks to see if the value is numeric and then checks to
		      see if the group ID number specified  exists.   If  not,
		      will  exit  with	an  error,  unless the option has been
		      specified.

		      Note, does not modify the user's group  membership  when
		      changing	the  primary  group  ID.  Adding the user as a
		      member of the new group, and possibly removing the  mem‐
		      ber  from the previous group, must be done with separate
		      operations.

		      Refer to the section below for additional	 impacts  when
		      using this option.

       Replaces the full path name to the executable that will be used to han‐
       dle
		      login sessions for this  user.   If  login_shell	is  an
		      empty  string,  will  remove  the loginShell (or mapped)
		      attribute.  will issue a WARNING if the specified	 login
		      shell does not exist on the local system.

		      Note,  refer to the section below for impacts when using
		      this option.

       Replaces the full path name (including the user	name)  of  the	user's
       home
		      directory.   If  home_directory is an empty string, will
		      remove the homeDirectory (or mapped) attribute.

		      Note, refer to the section below for impacts when	 using
		      this option.

       Move the user's home directory to the location specified with the
		      option.  requires the option be specified.  If the spec‐
		      ified home_directory already exists, the user's  current
		      home  directory  does not exist or the user running does
		      not have sufficient permissions to move  the  directory,
		      will return an error.

       Replaces the GECOS field(s) for the user.
		      If  gecos	 is an empty string, will remove the gecos (or
		      mapped) attribute(s).  Typically the GECOS contains four
		      fields which represent (in order):

		      ·	 The user's full name
		      ·	 The user's work location
		      ·	 The user's work telephone number
		      ·	 The user's home telephone number (often omitted)

		      Each  field  in  the gecos must be separated by a comma.
		      Although each field value specified within the gecos can
		      contain	white  space  (such  as	 "Bill	Smith,Building
		      6,555-1234"), white space should not be used between the
		      each  field  and	the  separating	 commas (such as "Bill
		      Smith, Building 6, 555-1234").

		      Note that LDAP-UX supports mapping of the gecos field to
		      multiple	attributes.   If  attribute  mapping  has been
		      specified in the	LDAP-UX	 configuration	profile,  each
		      field will be mapped to its representative attribute, in
		      the order specified.

		      WARNING: If the option is specified and  attribute  map‐
		      ping  has been defined for the gecos attribute, be care‐
		      ful not to specify the same attributes and values in the
		      command  line  that are also used in the gecos map.  For
		      example, suppose the gecos has been mapped to cn, l  and
		      telephoneNumber.	 The  following	 command might produce
		      unpredictable results:

		      In the above example, because  of	 the  gecos  attribute
		      mapping, the cn and telephoneNumber values are specified
		      twice and will result in an error when the same attri‐
		      bute and value are added to the directory server.	 can be
		      used to determine the gecos attribute mapping configura‐
		      tion.

		      If gecos is an empty string, will remove	the  gecos  or
		      implied  mapped,	attributes.  Note that this use of the
		      option is discouraged,  since  the  gecos	 attribute  is
		      often mapped to required attributes.

		      Since  the  gecos attribute may be mapped to one or sev‐
		      eral attributes, the number  of  values  specified  with
		      (between	the  commas)  should,  but is not required to,
		      match the number of mapped  attributes.	If  there  are
		      more  mapped  attributes	than  specified values in then
		      trailing mapped attributes  will	be  removed  from  the
		      directory	 server.  If there are more values than mapped
		      attributes, extra values will be combined	 in  the  last
		      mapped attribute.

		      Note,  refer to the section below for impacts when using
		      this option.
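
		      The gecos mapping rules above, as an added example that is
		      not code from LDAP-UX: a function that turns a gecos
		      string into per-attribute replace or delete operations
		      under a gecos attribute map, handling the empty string,
		      the fewer-fields and more-fields cases, and a check that
		      rejects an attribute/value pair supplied twice on the same
		      command line.  The mapping cn, l, telephoneNumber is the
		      one used in the text; the gecos strings are constructed.

```python
# Added example: applying a comma-separated gecos value to the attributes
# named in an LDAP-UX gecos attribute map.  Illustrative code, not LDAP-UX's.


def gecos_to_modifications(gecos, mapped_attrs):
    """Translate a gecos string into (op, attribute, value) triples.

    op is "replace" or "delete".  Fields are split on commas exactly as
    given (no whitespace trimming, matching the documented syntax).
      * empty gecos             -> every mapped attribute is deleted
      * fewer fields than attrs -> trailing attributes are deleted
      * more fields than attrs  -> extra fields are joined into the last attr
    With no mapping defined, pass ["gecos"] and the whole string is kept.
    """
    if not mapped_attrs:
        raise ValueError("gecos must map to at least one attribute")
    if gecos == "":
        return [("delete", attr, None) for attr in mapped_attrs]
    fields = gecos.split(",")
    last = len(mapped_attrs) - 1
    mods = []
    for i, attr in enumerate(mapped_attrs):
        if i > len(fields) - 1:
            mods.append(("delete", attr, None))
        elif i == last:
            mods.append(("replace", attr, ",".join(fields[i:])))
        else:
            mods.append(("replace", attr, fields[i]))
    return mods


def check_no_duplicate_attrvals(mods, explicit_attrvals):
    """Refuse a command line that names an attribute/value pair twice.

    `explicit_attrvals` are (attribute, value) pairs from the generic
    attribute options; a pair the gecos map already produces is an error
    before anything is sent to the server.  Attribute names compare
    case-insensitively, as LDAP attribute types do.
    """
    seen = {(attr.lower(), value) for op, attr, value in mods if op == "replace"}
    for attr, value in explicit_attrvals:
        key = (attr.lower(), value)
        if key in seen:
            raise ValueError("attribute %s with value %r given twice" % (attr, value))
        seen.add(key)
    return True


if __name__ == "__main__":
    gecos_map = ["cn", "l", "telephoneNumber"]
    for g in ("Manuel Wolters,San Francisco,+1 505-555-5072", "Manuel Wolters", ""):
        print(repr(g), "->", gecos_to_modifications(g, gecos_map))
```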

       Replaces the comment that will be stored in the description attribute,
		      as defined by RFC2307.  Attribute mapping is not defined
		      for the description attribute.

		      Note,  refer to the section below for impacts when using
		      this option.

       uid_name	      Contains the POSIX-style textual login name of the  user
		      entry to modify.	This user name should conform to HP-UX
		      login name requirements.	Please refer to passwd(4)  for
		      login  name  requirements.   The	uid_name is a required
		      parameter unless the option is specified.

       Allows modification of arbitrary LDAP attributes and values.
		      value may be an empty string.  However this  usage  will
		      not  remove  attributes and their values from the direc‐
		      tory server.  Instead, use the option  to	 remove	 arbi‐
		      trary attributes.

		      Note,  refer to the section below for impacts when using
		      this option.

   Options Applicable to '-t group'
       Replaces the group's numeric id number.
		      If the specified gidNumber already exists in the	direc‐
		      tory  server,  will  not	modify the entry and return an
		      error exit status, unless the option is specified.

		      Note, refer to the section below for impacts when	 using
		      this option.

       Adds one or more members to the specified group.
		      will  follow  the	 same  membership syntax as defined by
		      ldapux(5) attribute mapping.  Specifically, if ldapux(5)
		      has  mapped the RFC2307 group membership attribute (mem‐
		      berUid) to a DN-based membership attribute such as  mem‐
		      ber  or  uniqueMember, then will define membership using
		      the DN of the specified user.

		      When specifying a list of	 members,  the	list  must  be
		      comma  separated	with no white-space.  Even though lda‐
		      pux(5) supports mapping of the  memberUid	 attribute  to
		      multiple	attributes  simultaneously, will only use the
		      first mapped attribute when defining membership  in  the
		      group.   If  the	specified member does not exist in the
		      LDAP directory, must be used to define the  member,  and
		      only the memberUid attribute syntax will be used.

		      only supports membership defined using static group mem‐
		      bership structures, such as memberUid,  member,  unique‐
		      Member.	Dynamic	 group membership, such as represented
		      by memberUrl, is not supported by

       Removes one or more members from the specified group.
		      will search for membership in the	 group	defined	 using
		      the     memberUid,     member,	 uniqueMember,	   and
		      msSFU30posixMember attributes and remove all values that
		      represent the specified user (either DN or uid name).

		      consults	 the   ldapux(5)   configuration  profile  for
		      attribute mapping to determine which  attributes	should
		      be modified to remove the user's membership.  When spec‐
		      ifying a list of members, the list must be  comma	 sepa‐
		      rated with no white-space.

       Replaces the comment that will be stored in the description attribute,
		      as defined by RFC2307.  Attribute mapping is not defined
		      for the description attribute.  If comment is  an	 empty
		      string,	will   remove	the  description  (or  mapped)
		      attribute.

		      Note, refer to the section below for impacts when	 using
		      this option.

       group_name     Contains	the  POSIX-style  textual  group  name for the
		      group entry to modify.  This name should conform to  HP-
		      UX  group	 name  requirements.  Please refer to group(4)
		      for group name requirements.  group_name is  a  required
		      parameter	  when	 used  with  the  group	 option.   The
		      group_name should not be	specified  if  the  option  is
		      specified.

       Allows modification of arbitrary LDAP attributes and values.
		      Refer  to	 in  the section above for additional informa‐
		      tion.

		      Note, refer to the section below for impacts when	 using
		      this option.

   Binding to the Directory Server
       has  been designed to take advantage of the existing ldapux(5) configu‐
       ration for determining to which directory server to  bind  and  how  to
       perform	the  bind operation.  will consult the ldapux(5) configuration
       profile for the following information:

       ·  The list of LDAP directory server hosts.

       ·  The authentication method (simple password, SASL DIGEST-MD5, etc.)

       If either of the environment variables or have not been specified, will
       also consult the ldapux(5) configuration for additional information:

       ·  The type of credential (user, proxy or anonymous) to use.

       ·  The credential used for binding as a proxy user (either for adminis‐
	  trative users or for non-privileged users.)

       As with ldapux(5), will attempt to contact the first  available	direc‐
       tory  server  as defined in the ldapux(5) host list.  As soon as a con‐
       nection is established, further directory servers on the host list will
       not be contacted.

       Once  connected,	 will first determine if the environment variables and
       have been specified.  If so, then will attempt to bind to the directory
       server using the specified credentials and configured LDAP-UX authenti‐
       cation method.  If the above mentioned environment variables  have  not
       been  specified,	 then will determine if the configured credential type
       is "proxy" and if so, attempt to bind to the directory server using the
       configured LDAP-UX proxy credential.

       If  configured, the acred proxy credential will be used for administra‐
       tive users (determined if the user running has enough privilege to read
       the file).  Otherwise the credential configured in will be used.

       Note, to prevent discovery of the LDAP administrator's credentials, the
       LDAP user DN and password may not be specified as command-line  options
       to the utility.

   Security Considerations
       ·  Use  of  requires  permissions of an LDAP administrator when it per‐
	  forms its operations on the directory server.	 The rights to	modify
	  existing  LDAP  directory entries under the requested subtree, along
	  with creation, modification and removal of the  required  attributes
	  in  that entry must be granted to the administrator identity that is
	  specified when executing

       ·  Note that as with any POSIX-type identity, the  user	and  group  ID
	  number  specified is used by the HP-UX operating system to determine
	  rights and capabilities in the OS as well as in the file system.

	  For example, the root user ID, 0, typically has unlimited OS  admin‐
	  istration  and  file	access	rights.	 Before modifying an entry, be
	  aware of the selected user and group ID number and any  policy  that
	  may be associated with that ID.

       ·  Modification	(renaming)  of	a POSIX account will not automatically
	  modify that account's membership in groups, unless  that  capability
	  is intrinsically provided by the directory server.

	  Note	some  directory	 servers  have a feature known as "referential
	  integrity,"  which  does  perform  modification/removal  of  DN-type
	  attributes if the specified DN is either changed or removed.

       ·  As  would  occur  in	any  identity repository, modification of this
	  repository will likely have impacts as defined by the organization's
	  security policy.

	  For  example,	 giving	 a  user a user ID number shared with that of
	  a secured application may impact the security of that  application.
	  Users  of  are  expected to have full knowledge of the organization's
	  security policy and the impact of modifying identity information  in
	  that identity repository.

       ·  In  order  to support non-interactive use of the command, specifica‐
	  tion of the LDAP administrator's credentials is required through use
	  of  the  and	environment  variables.	  To prevent exposure of these
	  environment variables, they should be unset after use.

	  Note also that a shell's command history file may contain copies  of
	  the  executed commands that show setting of these variables.	Access
	  to a shell's history file must be protected.	Specification  of  the
	  LDAP	administrator's credentials on the command line is not allowed
	  since the arguments of running processes are visible to other  users
	  on the system (for example, through ps(1)).

	  Use  of  the	eliminates  the	 need to set the mentioned environment
	  variables by interactively prompting for the required credentials.

LDAP-UX PROFILE
       makes use of the LDAP-UX configuration profile to determine the	infor‐
       mation  model  used  in the directory server to store POSIX attributes.
       Please refer to the for additional information about the	 configuration
       profile.

EXTERNAL INFLUENCES
   Environment Variables
       When  used  in combination with the option, specifies the password of
       the user or group that needs to be modified.

	      Note, use of passwords for groups is not recommended.

	      Also, if	ldapux(5)  attribute  mapping  for  the  userPassword
	      attribute	 has  not been defined or set to will modify passwords
	      in the userPassword attribute.

       Specifies the DN of a user with sufficient directory server privilege
	      to modify existing users and/or groups in the LDAP  directory
	      server.  While this variable is optional, if is specified,  must
	      also be specified.

       A password or other type of credential used for the user	 specified  by
       the
	      While  this  variable is optional, if is specified, must also be
	      specified.

       Refer to for important security impacts when  these  environment	 vari‐
       ables are used.

RETURN VALUE
       Upon exit, returns the following:

	 0     Success.	 exits with no errors or with one or more warnings.

       <>0     returns	with a non-zero exit status if it encounters an error,
	       and messages will be logged to stderr.

	       Messages will follow the below format:

	       code
			      message

	       or

	       code
			      message

	       Leading extra white space may be inserted to improve  readabil‐
	       ity and follow 80 column screen formatting.

	       code	 will be a programmatically parsable error key-string,
			 while

	       message	 will be human-readable.  Refer to the for a  list  of
			 possible  error  codes generated by the LDAP user and
			 group management tools.

WARNINGS
       Under common usage, uses the LDAP replace operation when changing  val‐
       ues  of	an  attribute in an entry.  This feature can impact attributes
       that have multiple values, by removing all occurrences of an  attribute
       value and replacing it with the one specified on the command line.

       For example, if the argument is used to specify a new name for a posix‐
       Group, all occurrences of the cn attribute will  be  replaced  by  the
       value  specified	 for  the argument.  This mode of operation applies to
       all command argument specified values, including and

       When the parameter is used to modify an existing attribute, the command
       will  also  use the LDAP replace operation.  The replace operation will
       remove all occurrences of the specified	attribute  for	an  entry  and
       replace	it with the value specified.  If there are multiple values for
       a single attribute in an entry, the use	of  a  single  parameter  will
       replace all values with the single value specified on the command line.

       Note  that  it  is  possible to specify more than one occurrence of the
       same attribute on the command line, if that attribute is	 multi-valued,
       in which case both values will be created in the entry.

       Use  of	or  changes  this  behavior (for both the above-listed command
       arguments and the parameters).

       Any attribute specified as an argument to the or option will  cause  to
       perform	an  LDAP  add  operation instead of an LDAP replace operation.
       Example:	 Suppose an entry in an LDAP directory appears as follows:

	      dn: uid=mwolters,ou=people,ou=IT,dc=FutureWidget,dc=com
	      cn: Manuel Wolters
	      cn: Manny Wolters
	      uid: mwolters
	      uidNumber: 2284
	      gidNumber: 212
	      homeDirectory: /home/mwolters
	      loginShell: /usr/bin/ksh
	      gecos: Manuel Wolters,San Francisco,+1 505-555-5072

       Performing the following

       replaces all instances of cn:

	      dn: uid=mwolters,ou=people,ou=IT,dc=FutureWidget,dc=com
	      cn: M. Wolters
	      uid: mwolters
	      uidNumber: 2284
	      gidNumber: 212
	      homeDirectory: /home/mwolters
	      loginShell: /usr/bin/ksh
	      gecos: Manuel Wolters,San Francisco,+1 505-555-5072

       Assuming the entry as originally specified, if the following command is
       issued:

       The resulting entry would be:

	      dn: uid=mwolters,ou=people,ou=IT,dc=FutureWidget,dc=com
	      cn: Manuel Wolters
	      cn: M. Wolters
	      uid: mwolters
	      uidNumber: 2284
	      gidNumber: 212
	      homeDirectory: /home/mwolters
	      loginShell: /usr/bin/ksh
	      gecos: Manuel Wolters,San Francisco,+1 505-555-5072

       As  a  general  rule,  be  cautious before using to change multi-valued
       attributes.

       Also note, use of the same attribute and value  pair  more  than	 once,
       either  specified as part of or or from other command line options (for
       example where gecos is mapped to some other attributes) is not allowed.
       will  exit  with	 error status before sending any conflicting modifica‐
       tion request to the directory server.
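
       The replace, add and delete semantics described in this section, as an
       added example that is not code from LDAP-UX: a small in-memory model of
       an LDAP entry, a function applying (op, attribute, value) changes to it
       with the replace-discards-all-values behaviour shown above, the client-
       side duplicate attribute/value check, and a renderer for the equivalent
       LDIF "changetype: modify" record.  The entry is the mwolters entry from
       this section; the attribute names are compared case-insensitively as
       LDAP attribute types are.

```python
# Added example: LDAP replace vs. add vs. delete on a multi-valued attribute,
# plus the matching LDIF change record.  Illustrative code, not LDAP-UX's.

DN = "uid=mwolters,ou=people,ou=IT,dc=FutureWidget,dc=com"
ENTRY = {  # the entry shown in this section of the man page
    "cn": ["Manuel Wolters", "Manny Wolters"],
    "uid": ["mwolters"],
    "uidNumber": ["2284"],
    "gidNumber": ["212"],
    "homeDirectory": ["/home/mwolters"],
    "loginShell": ["/usr/bin/ksh"],
    "gecos": ["Manuel Wolters,San Francisco,+1 505-555-5072"],
}


def _find_key(entry, attr):
    """Attribute types are case-insensitive; return the stored spelling."""
    for key in entry:
        if key.lower() == attr.lower():
            return key
    return attr


def validate_changes(changes):
    """Reject the same attribute/value pair appearing more than once."""
    seen = set()
    for op, attr, value in changes:
        if value is None:
            continue
        key = (attr.lower(), value)
        if key in seen:
            raise ValueError("duplicate attribute/value pair %s=%r" % (attr, value))
        seen.add(key)
    return True


def apply_modify(entry, changes):
    """Apply (op, attr, value) triples to a copy of entry and return the copy.

    replace: every existing value of attr is discarded; value becomes the
             only one (what a plain command argument does)
    add:     value is appended and existing values stay
    delete:  one value is removed, or the whole attribute when value is None
    """
    validate_changes(changes)
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, value in changes:
        key = _find_key(new, attr)
        if op == "replace":
            new[key] = [value]
        elif op == "add":
            new.setdefault(key, []).append(value)
        elif op == "delete":
            if value is None:
                new.pop(key, None)
            elif key in new and value in new[key]:
                new[key].remove(value)
                if not new[key]:
                    del new[key]
            else:
                raise LookupError("no such value to delete: %s=%r" % (attr, value))
        else:
            raise ValueError("unknown operation %r" % op)
    return new


def to_ldif_modify(dn, changes):
    """Render changes as an LDIF 'changetype: modify' record.

    Values that LDIF would require to be base64-encoded (leading space,
    non-ASCII, etc.) are not handled here.
    """
    lines = ["dn: %s" % dn, "changetype: modify"]
    for op, attr, value in changes:
        lines.append("%s: %s" % (op, attr))
        if value is not None:
            lines.append("%s: %s" % (attr, value))
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(apply_modify(ENTRY, [("replace", "cn", "M. Wolters")])["cn"])
    print(apply_modify(ENTRY, [("add", "cn", "M. Wolters")])["cn"])
    print(to_ldif_modify(DN, [("add", "cn", "M. Wolters")]))
```

       Feeding the LDIF text to a standard ldapmodify client performs the same
       change against a real server; the replace record is the one that
       silently removes "Manny Wolters".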

LIMITATIONS
       Since LDAP directories require data be stored according	to  the	 UTF-8
       (RFC3629)  character  encoding method, all characters displayed by will
       be UTF-8, and assumed to be part of the ISO-10646 character set.	  will
       not  perform  conversion	 of the locale character set to/from the UTF-8
       character set.

SEE ALSO
       ldapcfinfo(1M),	ldapugadd(1M),	ldapugdel(1M),	ldapuglist(1M),	  lda‐
       pux(5).

								 ldapugmod(1M)