Chapter 4 User Authentication
» Table of Contents |  | | » Glossary | | | » Index | | |
| | |
| ||
| ||
Table of Contents
- Managing the LDAP Module for System Authentication
- Configuring the LDAP Module for System Authentication
- Importing and Exporting Users from /etc/passwd
- Utilities for Maintaining User Information in the LDAP Directory Server
- Checking the LDAP Server Configuration
- Extracting Users from the /etc/passwd File
- Adding a User Entry
- Deleting a User Entry
- Retrieving a User Entry
- Synchronizing with a Password File
- Adding a Group Entry
- Maintaining Group Membership
- Deleting a Group Entry
- Retrieving a Group Entry
- Setting a User's Password in the LDAP Directory Server
- Starting the ldapcd Daemon
- Stopping the ldapcd Daemon
- Maintaining the LDAP Directory Server Using LDAP Commands
- Overview of the LDAP Client
The Internet Express Administration utility lets you set up and manage user authentication with the LDAP Module for System Authentication, which serves as a central repository of user information, for identifying and authenticating individual users
This chapter describes the following:
The LDAP Module for System Authentication is a loadable authentication mechanism based on the Tru64 UNIX Security Integration Architecture. It intercepts security-related system calls and extracts the information from an LDAP Directory server. This allows you to use LDAP authentication without making any changes to application source code or recompiling.
The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the information available to users and applications across the network. An LDAP server can be used as a central repository of user information to identify and authenticate individuals. When used in this way, an LDAP server is similar to Network Information Services (NIS), also known as yellow pages. When compared to NIS, an LDAP server offers the following advantages:
An LDAP directory is highly scalable
LDAP directories are dynamically updated, saving administrators time because it is not necessary to rebuild maps and push them onto the network. Also, changes are available virtually immediately.
An LDAP directory database can be used to centralize management of user related information
The ability to modify an attribute can be controlled at the attribute level. Users can be allowed to modify noncritical information (such as their preferred login shell or mail forwarding address) on their own. Modifications to more sensitive information (such as UID, GID, or a user's home directory) can be restricted to authorized directory managers only.
You can set up multiple LDAP servers to make the data in the directory highly available. Through a process called replication, you can ensure that all LDAP servers have identical copies of the directory. The LDAP servers bind to one another and through standard LDAP commands, propagate changes to the directory.
When you install and enable the LDAP Module for System Authentication subset, user and group authentication takes place through an LDAP server. For example, an LDAP server transparently provides authentication information for login (rlogin, ftp, telnet) and mail (POP and IMAP). For users not found in the LDAP directory, authentication will automatically fall back to using the local authentication mechanism (/etc/passwd) and/or NIS, if it is configured.
When the LDAP Module for System Authentication is installed on your system, the Administration utility for Internet Express provides the following capabilities:
You can configure the LDAP Module for System Authentication and test changes to the configuration (see Section : Configuring the LDAP Module for System Authentication)
When you create any user account (captive or noncaptive, named or generic), you can elect to have the account information stored in an LDAP database (if you are using an LDAP directory server in your environment)
You can enable and disable the LDAP Module for System Authentication to authenticate users through LDAP or through traditional UNIX methods, respectively
Chapter 11 describes how to administer Internet Express-provided Directory servers.
Internet Express configures the security matrix in the/etc/sia/matrix.conf file to use the LDAP Module for System Authentication. The security matrix consists of a list of security-related system calls and the library to be used for each call. As shown in Example 4-1, the siad_ses_authent and siad_ses_estab calls are configured to use the libsialdap.so library first. If that library is not available, or if the requested information is not found in the LDAP server's directory, then the libc.so library is used.
See the siacfg(8) and matrix.conf(4) reference pages for more information about configuring security methods.
Example 4-1 Security Matrix Enabled for LDAP
|
⋮ . . . siad_getgrgid=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so) siad_setpwent=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so) . . . |
|
When you install the LDAP Module for System Authentication, the installation procedure checks the validity of the configuration information you supplied, and tries to connect to the LDAP server you specified during the installation, then enables the LDAP Module for System Authentication. If the connection fails, or if the required schema attributes are not found, the LDAP Module for System Authentication is not enabled and you must use the LDAP Module for System Authentication Administration menu to enable it (after correcting the problems) or use the /usr/internet/ldap_tools/ldap_enable utility. Check the attribute values in the Distinguished Name, Password, System Name, Port Number, and the Search Base fields (see Section ).
The LDAP Module for System Authentication gets its information from the LDAP server by way of the ldapcd caching daemon (see Figure 4-1). This daemon runs at all times and is started by the following entry in the /etc/inittab file:
|
ldapcd:34:respawn:/usr/sbin/ldapcd -D > /dev/console 2>&1 |
|
Configuration information, used by the LDAP caching daemon and the provided tools, use a the configuration file, /etc/ldapcd.conf. This file provides information on how to connect to the LDAP directory server, the attribute mappings for the password and group entries, and caching parameters. This file must contain a clear text password that allows the utilities to connect to the directory server, and should always be read-only by root. The configuration file is shown in Example 4-2. HP recommends that you use the Administration utility to modify the /etc/ldapcd.conf file. To validate the configuration file, use the /usr/internet/ldap_tools/ldap_check utility.
Example 4-2 LDAP Caching Daemon Configuration File
|
|
| 1 | Host name of the LDAP directory server to be used for user authentication. |
| 2 | The root of the branch in the directory server's database where user information is stored. |
| 3 | The default directory server port; this must match the port you are using for the directory server. |
| 4 | Maximum number of open connections to the directory server maintained by the ldapcd caching daemon. |
| 5 | Maximum number of threads maintained by the ldapcd caching daemon. Each thread handles one connection to a local program. Allowing a higher number of threads may enable better response from the LDAP caching daemon, but requires more memory. If you are running a service that requires a large number of connections (for example, a mail service), set the maximum number of threads to 64 or greater (if your system has sufficient memory). |
| 6 | The value of pw_cachesize determines how many individual passwd entries are allowed to be cached. The value of pw_expirecache determines the maximum length of time that the ldapcd caching daemon will check the cache for an individual passwd entry. When the value of pw_expirecache is exceeded, the ldapcd daemon returns to the server to look for the requested passwd entry. The values for gr_cachesize and gr_expirecache work similarly to pw_cachesize and pw_expirecache, but they work for group entries. |
| 7 | The value of machine_dn is the distinguished name by which the ldapcd caching daemon binds to the directory to do searches and retrievals of information from the directory. By requiring each system to use a particular DN, you can determine which machines are accessing the directory and for what purpose. Further, you can also control read and search access to the directory on a machine-account basis. |
| 8 | The name for the object class that defines the attributes for a UNIX account in the extended schema on your server (see Section : Extended LDAP Schema for UNIX Account Information). |
| 9 | LDAP attribute names (on the right) are mapped to fields (on the left) in the passwd structure returned by a call to getpwent. |
| 10 | Only the encrypted password is stored in the userPassword attribute. |
| 11 | The name for the object class that defines the attributes for a UNIX group in the extended schema defined on your server (see Section : Extended LDAP Schema for UNIX Account Information). |
| 12 | LDAP attribute names (on the right) are mapped to fields (on the left) in the group structure returned by a call to getgrent(3). |
| |
| |
| |
 | Note: HP recommends you use the Administration utility to modify the ldapcd.conf file. |
| |
| |
| |
By creating branches, you can organize an LDAP directory tree into meaningful categories of information, each with its own search base. The use of branches can improve the performance of an LDAP server by allowing queries to be confined to the branch that contains the information of interest. For example, you might create a separate branch to contain user information. To create a user information branch on the directory server, follow these steps:
Find the following information in the /etc/ldapcd.conf file:
Value of searchbase
Value of machine_dn
Value of machine_pass
Decide on a name for a new branch; for example, accounts.
Create a file containing the following, substituting the value you found in step 1 for searchbase:
dn: ou=accounts,o=searchbase objectclass: top objectclass: organizationalUnit ou: accounts description: description
Run the following command, substituting the values you found in step 1 for searchbase, machine_dn, and machine_pass, and specify the name of the file you created in step 3 with the -f option:
/usr/local/bin/ldapmodify -add \ -D "machine_dn" -w "machine_pass" \ -f fileVerify that the accounts branch works by entering the following command, substituting the values you found in step 1 for searchbase, machine_dn, and machine_pass:
/usr/local/bin/ldapsearch \ -D "machine_dn" -w "machine_pass" \ -b "searchbase" \ ou=accountsUse the Administration utility (or manually edit the /etc/ldapcd.conf file) to add the following entry, substituting the value you found in step 1 for searchbase:
userbranch: ou=accounts,searchbase
| |
| |
| |
| Note: After you add a default user or group branch to the /etc/ldapcd.conf file, the Administration utility and the LDAP utilities in /usr/internet/ldap_tools use this branch by default. As a result, other entries that were created before you added the group or user branch might be masked. |
| |
| |
| |
Internet Express depends on the existence of certain object classes and attributes being present in the directory server. These items are defined by RFC 2307 and are present when you use a directory server installed by Internet Express.
If you are planning on using a directory server not installed by Internet Express, you will need to verify that required schema elements are present. The required schema elements are documented in RFC 2307. This RFC can be found at:
|
http://www.faqs.org |
|
If you want to use schema objects other than those defined in RFC 2307, and are planning on using the Internet Express LDAP authentication module, you will have to change the default configuration to recognize your custom objects and attributes. The needed changes can be made using the Internet Express system administration user interface (see Section : Default Configuration for the LDAP Module for System Authentication).
The Internet Express kit includes LDAP utilities that work with the RFC 2307 schema objects supplied by Internet Express. See Section : Utilities for Maintaining User Information in the LDAP Directory Server for information on these utilities. Note that these LDAP tools are sensitive to the directory servers schema and so will not be able to support a schema that differs greatly from the RFC 2307 definition. A provided tool, /usr/internet/ldap_tools/ldap_check, can be used to verify the schema once the configuration changes have been made.
The LDAP utilities require the userPassword attribute that can store and return unchanged the supplied value which is in the form:
where {crypt} is a keyword or phrase used to indicate the type of password encryption for the passwd file and crypted-string is the encrypted password.
Directory servers provided by Internet Express properly handle this feature. Other directory servers, such as Oracle's Internet Directory will interpret the supplied string as a password to be encrypted and will return a value that is not compatible with the standard BSD crypt mechanism. When using such a directory server, it is necessary to create a schema object similar to the RFC 2307 unixAccount object, except with another attribute substituted for the standard attribute userPassword. This substitute attribute should be of the type case exact string. Be sure to use the substituted attribute name in the LDAP Caching Daemon Configuration File.
Example 4-3 shows sample user and group object class definitions.
Example 4-3 Sample RFC 2307 User and Group Object Class Definitions
|
#
# Partial RFC 2307 schema.
#
# The OIDs are derived from iso(1) org(3) dod(6)
# internet(1) directory(1) nisSchema(1).
#
# Attribute types from RFC 2307
#
attribute uidNumber 1.3.6.1.1.1.1.0 int single
attribute gidNumber 1.3.6.1.1.1.1.1 int single
attribute gecos 1.3.6.1.1.1.1.2 cis single
attribute homeDirectory 1.3.6.1.1.1.1.3 ces single
attribute loginShell 1.3.6.1.1.1.1.4 ces single
attribute memberUid 1.3.6.1.1.1.1.12 ces
#
# ojectclass from rfc2307
#
# posixAccount is an auxiliary class. You may use account as a structural
# class.
objectclass posixAccount
oid
1.3.6.1.1.1.2.0
requires
objectClass,
cn,
uid,
uidNumber,
gidNumber,
homeDirectory
allows
userPassword,
loginShell,
gecos,
description
objectclass posixGroup
oid
1.3.6.1.1.1.2.2
superior
top
requires
objectClass,
cn,
gidNumber
allows
userPassword,
memberUid,
description
|
|
Directory servers use indexes to aid in searching the directory. Directory server indexes greatly improve the performance of searches in the directory databases, but they do so at the cost of potentially slower database modification and entry creation operations. Indexes will also cost more in terms of system resources, especially in disk-space use.
The directory server maintains five distinct types of indexes, as described in Table 4-1.
Table 4-1 LDAP Database Index Types
| Index Type | Description |
|---|---|
| pres | Presence index. Allows for searches that return every entry that contains the indexed attribute. |
| eq | Equality index. Allows for searches that return the entries containing an attribute that is set to a specific value. |
| approx | Approximate index. Used only for string values such as commonName or givenName. Allows for phonetic searching. |
| sub | Substring index. Allows for searches that return entries containing a specified substring. |
| matching rule | International index. Allows for searches that return entries that are sorted according to a specified collation order. |
To index attributes for your directory server using OpenLDAP, follow these steps:
For more information about adding indexing with OpenLDAP, see:
|
http://www.openldap.org |
|
When you install the LDAP Module for System Authentication subset, you can use the Administration utility to perform the following tasks:
Modify the configuration of the LDAP Module for System Authentication (see Section : Modifying the LDAP Module Configuration)
Test the configuration of the LDAP Module for System Authentication (see Section : Testing the LDAP Module Configuration)
Enable or disable the LDAP Module for System Authentication (see Section : Enabling and Disabling the LDAP Module)
| ||||
| | |||
| ||||
| Notes: After you configure the LDAP Module for System Authentication, you must import users (unless you are using an existing LDAP server). For instructions on importing or exporting users and groups to and from the LDAP directory server, see Section : Importing and Exporting Users from /etc/passwd. Statically linked clients and executables (which do not use shared libraries) cannot take advantage of the LDAP Module for System Authentication loadable architecture. For example, the /sbin/ls command (which is typically the default for root) is statically linked. On a system using the LDAP Module for System Authentication to authenticate user names, the output from the /sbin/ls -l command resembles the following:
Note that the owner is shown as a number instead of a name. (If groups were defined in the LDAP database rather than the /etc/group file, the output would have shown a number in place of group name, as well.) In general, use the system tools in /usr/bin when the LDAP Module for System Authentication is enabled. | |||
| ||||
| | |||
| ||||
You can use the Administration utility to configure the following attributes of the LDAP Module for System Authentication:
System parameters (see Section : Defining LDAP System Parameters)
Password attributes (see Section : Configuring LDAP Password Attributes)
Group attributes (see Section : Configuring LDAP Group Attributes
The default configuration parameters for the Group attributes are correct for most LDAP servers. Do not modify these fields unless you are very familiar with LDAP schemas and the schemas used by your server. The Internet Express installation and configuration utilities correctly configure the Internet Express-supplied LDAP servers to work with ldapcd. HP strongly recommends that you do not change these values.
To define system parameters for the LDAP Module for System Authentication, follow these steps:
From the Administration utility Main menu, choose Manage Components.
From the Manage Components menu, under Users, choose LDAP Module for System Authentication.
From the LDAP Module for System Authentication Administration menu, choose Modify Configuration.
From the Modify Configuration menu, choose Define System Parameters.
When the Define System Parameters form is displayed, the default values shown are those stored in the /etc/ldapcd.conf file.
Specify a Distinguished Name and Password. The Distinguished Name and Password are what you will use to bind to the directory server. These values are set when you initially configure the directory server during installation. Typically, you use the root distinguished name and password as specified in the directory server's configuration file (sladpd.conf). For the OpenLDAP Directory Server, the installation procedure initially sets the Root Distinguished Name to cn=root,o=<hostname>. The OpenLDAP Directory Server uses the password specified to access the iass login account and the administration servers for the initial Root DN Password.
The System Name is the name of the system on which the LDAP directory server is running or a comma-separated list of names of systems on which replicated directory servers are running.
Search Base is the top level of the branch in the LDAP database containing user information (see Section : Creating Branches).
The Port Number value must match the port you are using for the directory server. The default port for the directory server is 389.
The Active Connections value specifies the maximum number of open connections maintained by ldapcd caching daemon (see Figure 4-1).
The Thread Maximum value specifies the maximum number of threads maintained by ldapcd caching daemon (see Figure 4-1). Each thread handles one connection to a local program. Allowing a higher number of threads enables better response from the LDAP caching daemon, but requires more memory. If you are running a service that requires a large number of connections (for example, a mail service), set the maximum number of threads to 64 or greater (if your system has sufficient memory).
The value of Password Entries in Cache determines how many individual passwd entries are allowed to be cached. The value of Password Expire Cache determines the maximum length of time that the ldapcd caching daemon will check the cache for an individual passwd entry. When the value of Password Expire Cache is exceeded, the ldapcd daemon returns to the server to look for the requested passwd entry.
The values for Group Entries in Cache and Group Expire Cache work similarly to Password Entries in Cache and Password Expire Cache, respectively, but apply to group entries.
Click on Submit.
If the ldapcd.conf file was successfully updated, the Define System Parameters form is redisplayed with the Success icon at the top.
To configure LDAP password attributes, follow these steps:
From the Administration utility Main menu, choose Manage System.
From the Manage System menu, choose Configure LDAP Module for System Authentication.
From the LDAP Module for System Authentication Administration menu, choose Modify Configuration.
From the Modify Configuration menu, choose Configure Password Attributes.
When the Configure Password Attributes form is displayed, the default values shown are those stored in the /etc/ldapcd.conf file.
Using the Configure Password Attributes form, you can modify the mapping between LDAP attributes and the fields in the passwd structure returned by a call to getpwent. By default, the getpwent fields are mapped to the attribute names defined by the Internet Express extended schema (see Section : Extended LDAP Schema for UNIX Account Information).
The Object Class Name field represents the object class for the password structure in the LDAP schema. Only change this field if you are using an object class other than the default (posixPassword). The object class chosen must contain attributes for all of the components of a passwd entry. See the passwd(4) reference page for more information about passwd entries.
The Password Branch Name field is used as the starting point in the LDAP directory for password entries. Branches are used to partition a directory into smaller, easier to manage sections and are not required.
The remaining fields allow you to change the name of the LDAP attribute within the Object Class selected for the Password structure. The name of each attribute must be a member of the object class specified in the Object Class Name field.
The Login Name field represents the name of the LDAP attribute to be used within the Password Object Class to store the name of a UNIX login (user) name. The default value is uid.
Comment Field represents the name of the attribute used to store an optional comment for each user. The default value is description.
The User Password Name field represents the name of the attribute used to store the user's password. The default value is userpassword.
The Gecos field represents the name of the attribute used to store user gecos information (full name, phone number, and so on). The default value is gecos.
The User ID field represents the name of the attribute used to store the UID number. The default value is uidNumber.
The Home Directory Name field represent the attribute used to store the users home directory information. The default value is homedirectory.
The Group ID field represents the name of the attribute used to store the GID number of a users default group. The default value is uidNumber.
The Login Shell field represents the name of the attribute used to store the users default login shell. The default value is loginshell.
Click on Submit.
If the ldapcd.conf file was successfully updated, the Configure Password Attributes form is redisplayed with the Success icon at the top.
To configure LDAP group attributes, follow these steps:
From the Administration utility Main menu, choose Manage Components.
From the Manage Components menu, under Users, choose LDAP Module for System Authentication.
From the LDAP Module for System Authentication Administration menu, choose Modify Configuration.
From the Modify Configuration menu, choose Configure Group Attributes.
When the Configure Group Attributes form is displayed, the default values shown are those stored in the /etc/ldapcd.conf file.
Using the Configure Group Attributes form, you can modify the mapping between LDAP attributes and the fields in the group structure returned by a call to getgrent(3). By default, the getgrent fields are mapped to the attribute names defined by the Internet Express extended schema (see Section : Extended LDAP Schema for UNIX Account Information).
The Object Class Name field represents the object class for the group structure in the LDAP schema. Only change this field if you are using an object class other than the default (posixGroup). The object class chosen must contain attributes for all of the components of a group(4) entry. Refer to the group(4) reference page for more information about group components.
The Group Branch Name field is used as the starting point in the LDAP directory for Group entries. Branches are used to partition a directory into smaller, easier to manage sections and are not required.
The remaining fields allow you to change the name of the LDAP attribute within the Object Class selected for the Group structure. The name of each attribute must be a member of the object class specified in the Object Class Name field.
The Group Name field represents the name of the LDAP attribute to be used within the Group Object Class to store the name of a UNIX user group. The default value is cn.
The Group ID Name field represents the name of the LDAP attribute to be used within the Group Object Class to store the Group ID (gid) number. The default value is gidNumber.
The Password Name field is the name of the attribute to be used for storing Group Password entries. The default value is userPassword.
The Group Members Name field represents the name of the attribute to be used to store the member IDs belonging to groups. The default value is MemberUID.
Click on Submit.
If the ldapcd.conf file was successfully updated, the Configure Group Attributes form is redisplayed with the Success icon at the top.
When you choose Test Configuration from the LDAP Module for System Authentication Module Administration menu, the Administration utility performs the following tasks:
Reads the ldapcd.conf file and verifies its contents
Connects to the directory server specified in ldapcd.conf
Verifies that you can use the distinguished name and password in the ldapcd.conf file to bind to the directory server
Checks that the attributes that are mapped to the passwd and group structures are in the schema
You can enable or disable the LDAP Module for System Authentication as follows:
From the Administration utility Main menu, choose Manage Components.
From the Manage Components menu, under Users, choose LDAP Module for System Authentication.
From the LDAP Module for System Authentication Administration menu, choose Enable/Disable Module.
The current status of the LDAP Module for System Authentication is displayed at the top of the form.
If the module is currently enabled, you can disable or restart the module.
If the module is currently disabled, you can enable it by clicking on Start.
| |
| |
| |
| Note: Whenever you enable or disable the LDAP Module for System Authentication, you must reboot the system. Otherwise, some applications (such as cron and Advanced Server for UNIX) will not detect the change in authentication method. |
| |
| |
| |
The following sections describe how to import users into, and export users from, the directory server.
To import users from the /etc/passwd file and store them in the LDAP database, follow these steps:
Configure the LDAP server to use extended LDAP schema for UNIX account information (see Section : Extended LDAP Schema for UNIX Account Information).
Verify through either of the following methods that the server is running and that you can connect to it:
Use the Test the LDAP Configuration function in the Administration utility (see Section : Testing the LDAP Module Configuration).
Edit the /etc/ldapcd.conf file and run the /usr/internet/ldap_tools/ldap_check utility.
Identify the users that you want to put into the LDAP directory and extract user information from the /etc/passwd file. Use the passwd_extract utility (see Section ) with the -f option to extract users from /etc/passwd and store the records (formatted as passwd entries) in a file. For example,
# usr/internet/ldap_tools/passwd_extract -f /tmp/ldapusers user1 user2 ...Note: Processing a large number of users may take a while.
Use the passwd_extract utility again, this time, replace -f with -r.
Use the ldap_add_user utility (see Section ) to populate the LDAP directory with the extracted user records in the file created in step 3.
Move the remainder file created in step 4 to /etc/passwd and run the mkpasswd utility, or, manually remove the users with the vipw utility (see vipw(8)).
To import users from NIS, follow these steps:
Use ypcat to fetch the user information from the NIS server, and then use the passwd_extract utility. For example:
# ypcat passwd | /usr/internet/ldap_tools/passwd_extract -f /tmp/ldapusers [user1 user2 ...]Use the ldap_add_user utility (see Section : Adding a User Entry) to populate the LDAP directory with the extracted user records in the file created in step1.
To export users from the directory server, follow these steps:
Use the ldap_get_users -f output-file command to extract user records from the LDAP database.
Merge the file created in step 1 with the /etc/passwd file. See the vipw(8) reference page.
There is an additional step required when you have C2 security enabled. For each system into which you wish the user to be able to login, you must add an edauth entry. The entry should be of the form:
|
echo "<username>:u_name=<username>:u_id#<uid>:u_oldcrypt#3:u_lock@:chkent:"\ | /usr/tcb/bin/eduath -s |
|
By default, users defined in the LDAP database are able to log into every system which uses that database in conjunction with the LDAP Module for System Authentication. If you want to limit user access to specific systems, use the access control files /etc/ldapusers.deny and /etc/ldapusers.allow.
A default /etc/ldapusers.deny file is provided at installation time. Included are all of the standard system users: root, bin, daemon, and so on. If you want to deny access to a user, add that user's name to the /etc/ldapusers.deny file.
If you want to disallow access to all but a few users, use the /etc/ldapusers.allow file. If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty — its very existence invokes the stricter access control rules.
The Internet Express software kit includes several utilities that you can use to maintain the extended LDAP directory server shipped with Internet Express. The following utilities, summarized in Table 4-2, are installed in the /usr/internet/ldap_tools directory:
passwd_extract—Section : Extracting Users from the /etc/passwd File
ldap_add_user—Section : Adding a User Entry
ldap_del_user—Section : Deleting a User Entry
ldap_get_user—Section : Retrieving a User Entry
ldap_sync_user—Section : Synchronizing with a Password File
ldap_add_group—Section : Adding a Group Entry
ldap_mod_group—Section : Maintaining Group Membership
ldap_del_group—Section : Deleting a Group Entry
ldap_get_group—Section : Retrieving a Group Entry
ldap_enable—Section : Starting the ldapcd Daemon
ldap_disable—Section : Stopping the ldapcd Daemon
Table 4-2 LDAP Database Utilities
| Program Name | Options | Description |
|---|---|---|
| ldap_check | None | Checks either ./ldapcd.conf or /etc/ldapcd.conf against the listing of directory servers in the conf file. Validates all entries related to the directory server. Diagnostics are printed to stdout; when the exit code is greater than 0, a problem was encountered. |
| ldap_add_user | -b branch—Branch to add users to; should be a full distinguished name, including the search base. -f input-file – Specifies the name of the file containing user records to add to the directory server. -m – Modify existing record. -n – Do not submit. -v – Verbose output. | Adds a user to the LDAP directory server. Users can be specified on the command line, in a file, or from stdin (with -f -). |
| ldap_del_user | -b branch – Branch to delete users from. -f input-file – Specifies an input file containing login names. -n – Do not submit. -v – Verbose output. | Deletes a user from the LDAP directory server. You can specify users on the command line, in a file, or from stdin (with -f -). |
| ldap_get_user | -b branch – Branch to get users from. -s searchfilter – Specifies an optional LDAP search filter to select the password entries to output. -S searchfilter – Specifies an optional LDAP search filter to select the password entries to output. Differs from the -s option in that the provided filter is wrapped within a filter that adds an object class restriction on the query. -R start[-end] – Specifies a range of user IDs to be retrieved, including the endpoints. If you do not specify the -end portion of the range, then all users greater than or equal to the start value are retrieved. -f output-file – Specifies the name of the output file in which to store search results (default is stdout). | Retrieves entries selected from the LDAP directory server for specified users. By default, this program selects all users on the default user branch or search base. |
| ldap_sync_user | -b branch – Branch to add users to; should be a full distinguished name, including the search base -n – Do not submit -v – Verbose output. -C – Do not create/modify the CN attribute | Synchronizes the users in the directory server with the provided input which is in passwd format. |
| ldap_add_group | -b branch – Branch to which to add group. -n – Do not submit. -m – Modify existing entry. -v – Verbose output. | Adds a group to the LDAP directory server. Can be used on the command line, from a file, or from stdin. |
| ldap_mod_group | -b branch – Branch in which groups to be modified reside. -r – Remove login names from specified group. -R – Remove login names from all groups. | Assigns the listed login names to the specified group. Use the -r option to remove the specified login names from the group or the -R option to remove login names from all groups. |
| ldap_del_group | -b branch – Branch from which to delete groups. -n – Do not submit. -v – Verbose output. | Deletes a group from the LDAP directory server. Can be used on the command line, from a file, or from stdin. |
| ldap_get_group | -b branch – Branch to get groups from. -f output-file – Specifies the name of the output file in which to store search results (the default is stdout). -s searchfilter – Specifies an optional LDAP search filter to select the group entries to output. -S searchfilter – Specifies an optional LDAP search filter to select the group entries to output. Differs from the -s option in that the provided filter is wrapped within a filter that adds an object class restriction on the query. -R start[-end] – Specifies a range of group IDs to be retrieved, including the endpoints. If you do not specify the -end portion of the range, then all groups greater than or equal to the start value are retrieved. | Gets group entries from the LDAP directory server. By default, selects all groups on the default group branch or search base. Use the -s option to select a subset of group. |
| ldap_enable | None. | Starts the ldapcd daemon and configures SIA to use the LDAP authentication mechanism. |
| ldap_disable | None. | Stops the ldapcd daemon and configures SIA to not use the LDAP authentication mechanism. |
| passwd_extract [username ...] | -f output-file – Specifies the output file in which to store passwd entries that match the selection criteria (the default is stdout). -g range – Extracts passwd entries that match the specified range of GIDs. Use commas and/or hyphens to separate the range values (for example, 23, 40-49). -i input-file – Specifies the file from which to extract users (the default is /etc/passwd). -r output-file – Specifies the output file in which to store passwd entries that do not match the selection criteria (that is, the remaining passwdentries after extracting matching entries). -u range – Extracts passwd entries that match the specified range of UIDs. Use commas and/or hyphens to separate the range values (for example, 350, 400-1000). -v – Verbose output. | Extracts users from the specified input file (/etc/passwd is the default). Specify users to be extracted by name (as parameters to the passwd_extract command) or by using one or more options in any combination. |
The ldap_check utility validates the contents of the ./ldapcd.conf or /etc/ldapcd.conf file as follows:
Verifies that the specified directory servers are running and that connections to the servers can be made
Note: If any of the LDAP servers specified in the ldapcd.conf file fail the verification, the remaining servers are not checked and the entire verification fails.
Verifies that the search base (the top-level directory for searches) exists
If specified, verifies that user and group branches exist (see Section : Creating Branches)
Verifies that user and group object classes exist
Validates all object classes and attributes
If a problem is encountered during either of these checks, the ldap_check utility returns an exit code greater than 0.
Use the passwd_extract utility to extract users from the specified input file (/etc/passwd is the default) and store the extracted records in the specified output file (with the -f option). Optionally, you can use the -r option (with the -f option) to extract entries that do not match the selection criteria to a remainder file. The records in the output file and remainder file (if any) are formatted as passwd(4) entries.
You can extract users based on:
User name, specified by a space-separated parameter list:
passwd_extract hill susan mike cliff austin powers
Note that if no output file is specified, the default is stdout.
Any combination of individual UIDs or range of UIDs:
passwd_extract -u 500,624,700-800 -f output-file
Any combination of individual GIDs or range of GIDs:
passwd_extract -g 23,29-35,50 -f output-file
Any combination of names, UIDs and GIDs:
passwd_extract -e james bond -u 500,624,700-800 -g 23,29-35,50 -f output-file
To extract records from a file other than /etc/passwd, specify the input file name with the -i option. For example:
|
# passwd_extract larry curly moe -i myusers -f stooges |
|
The records in the input file must be formatted as passwd entries.
The ldap_add_user utility adds one or more user entries to the LDAP database. To use this utility on the command line, provide the following arguments:
|
ldap_add_user logname passwd uid gid gecos homedir shell |
|
The ldap_add_user utility adds users to the first directory server specified in the ldapcd.conf file. If multiple servers are listed, only the first is used, even if it is not operational. The distinguished name (DN) is constructed as follows:
|
logname_attribute=logname,branch |
|
The logname_attribute is replaced by the attribute name specified by the pw_username entry in the ldapcd.conf file. The logname is the user's login name. The branch is one of three possible values, taken in this order:
Value specified on the command line using the -b option
Value of the userbranch attribute in the ldapcd.conf file
Value of the searchbase attribute in the ldapcd.conf file
If a problem is encountered when adding a user to the LDAP database, the ldap_add_user utility returns an exit code greater than 0.
For a description of the options you can use with this utility, see Table 4-2.
To add one or more users from a file:
|
ldap_add_user -f input-file |
|
To add one or more users from stdin:
|
cat filename | ldap_add_user -f - |
|
| |
| |
| |
| Note: The input must be in passwd(4) format. |
| |
| |
| |
The ldap_del_user utility works in a similar fashion to ldap_add_user, except that users are removed, rather than added, to the directory server.
If a problem is encountered when deleting a user from the LDAP directory server, the ldap_del_user utility returns an exit code greater than 0.
For a description of the options you can use with this utility, see Table 4-2.
For example, to delete a user from the command line:
|
ldap_del_user logname [ logname ... ] |
|
To delete one or more user or users listed in a file:
|
ldap_del_user -f input-file |
|
To delete one or more users from stdin:
|
cat filename | ldap_del_user -f - |
|
| |
| |
| |
| Note: The input must be in passwd(4) format, but only the login name portion of each record is used. Anything beyond the first colon (:) in each input record is ignored. A list of names (one per line) is also acceptable as input. |
| |
| |
| |
Use the ldap_get_user utility to retrieve passwd entries for specified users in the LDAP directory server. Unless otherwise specified, the ldap_get_user utility selects all users on the default user branch or search base. Use the -s option to select a subset of users (see Table 4-2).
If a problem is encountered when retrieving a user from the LDAP directory server, the ldap_get_user utility returns an exit code greater than 0.
For a description of the options you can use with this utility, see Table 4-2.
|
ldap_get_user [ -b branch ] [ -f filename ] |
|
| |
| |
| |
| Note: In the following examples, the -b branch and -f output-file options (not shown) can also be used. |
| |
| |
| |
To use a search filter to find users:
|
ldap_get_user -s filter |
|
To use a search filter with object class restrictions added to the search:
|
ldap_get_user -S filter |
|
For example, a search filter might look like the following:
|
uid=bjensen (&(uidNumber>=10)(uidNumber<=20)) |
|
| |
| |
| |
| Note: You must quote the filter string according to your shell. |
| |
| |
| |
To retrieve a range of users (where start is the starting UID in the range and end is the optional ending UID in the range):
|
ldap_get_user -R start[-end] |
|
If you do not specify end, the search retrieves all users from the starting UID through the highest UID in the LDAP directory server.
|
ldap_get_user user [ user ...] |
|
Use the ldap_sync_user utility to synchronize the ldap directory entries for users with the contents of a passwd file. This utility adds, updates or deletes users as needed to ensure that the contents of the directory match the supplied entries. This utility is intended to provide easy synchronization of the directory server with an alternate source for login information (such as NIS), where the alternate source is considered the master source of the information.
If a problem is encountered , the ldap_sync_user utility returns an exit code greater than 0.
For a description of the options you can use with this utility, see Table 4-2.
Use the ldap_add_group utility to retrieve group(4) entries from the LDAP directory server. (Use the ldap_mod_group utility to add users to groups. See Section for more information.) The ldap_add_group utility adds groups to the first directory server specified in the ldapcd.conf file. If multiple servers are listed, only the first is used, even if it is not operational.
The ldap_add_group utility constructs the distinguished name (DN) as follows:
|
groupname_attribute=groupname,branch |
|
The groupname_attribute is replaced by the attribute name specified by the gr_name entry in the ldapcd.conf file. The groupname is the group name. The branch is one of three possible values, taken in this order:
Value specified on the command line using the -b option
Value of the userbranch attribute in the ldapcd.conf file
Value of the searchbase attribute in the ldapcd.conf file
If a problem is encountered when creating a group in the LDAP directory server, the ldap_add_group utility returns an exit code greater than 0.
For a description of the options you can use with this utility, see Table 4-2.
To add one or more groups from a file:
|
ldap_add_group -f input-file |
|
To add one or more groups from stdin:
|
cat filename | ldap_add_group -f - |
|
| |
| |
| |
| Note: The input must be in group(4) format. |
| |
| |
| |
Use the ldap_mod_group utility to add or remove users from groups in the LDAP database. The ldap_mod_group utility adds the specified login names to the specified group as group members. Use the -r option to remove the specified login names from the group member list.
If a problem is encountered when modifying group membership in the LDAP database, the ldap_mod_group utility returns an exit code greater than 0.
For a description of the options you can use with this utility, see Table 4-2.
For example, to add one or more users to a group:
|
ldap_mod_group group logname [ logname ...] |
|
To remove one or more users from a group:
|
ldap_mod_group -r group logname [ logname ...] |
|
To remove a user from all groups:
|
ldap_mod_group -R logname |