
CPU-LDAP(8)                                                        CPU-LDAP(8)



NAME
       cpu - a user administration tool for LDAP backends

SYNOPSIS
       cpu user{add,del,mod} [options] login

       cpu group{add,del,mod} [options] group

       cpu cat


DESCRIPTION
       The ldap module for cpu provides a means for administering groups  and
       users stored on an LDAP backend. An effort has been made to  maintain
       complete compatibility with the GNU/Linux versions of the shadow utils
       in terms of command line options. This module also  supports  several
       options that traditional user utilities do not,  such  as:  selecting
       which hash to use for the user, generating random  or  linear  UIDs  and
       GIDs, and pulling information for a user from  existing  password  and
       shadow files.


LDAP OPTIONS
       The LDAP options are used specifically for the LDAP server.  They  may
       be combined with any of the cpu functions.

       -2, --2
              Use LDAPv2 instead of LDAPv3.

       -a file, --addfile=file
              If a filename is given, it will be parsed  and  any  additional
              LDAP attributes specified in this file will be added along with
              the user or group. This file should not contain any attributes
              that CPU requires or that you have already  specified  in  the
              configuration file; if it does, the modification/addition will
              fail or create multivalued attributes. The format of the  file
              should be:

               <attrdesc>: <attrvalue>
               <attrdesc>: <attrvalue>
               <attrdesc>:: <base64-encoded-value>
               ...
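       The following is an added example, not code from the cpu project: a
       parser for the -a/--addfile format above, together with a pre-flight
       check for the overlap the manual warns about (attributes CPU already
       sets, or that were given elsewhere, which would fail or turn into
       multivalued attributes). The CPU_MANAGED_ATTRS set and the sample
       file are assumptions constructed for the example.

```python
import base64

# Attributes that cpu populates itself for a user (taken from this manual's
# -F/-S descriptions and the RFC 2307 posixAccount class); this set is an
# assumption for the conflict check, not a list from the cpu source.
CPU_MANAGED_ATTRS = {
    "objectclass", "cn", "uid", "uidnumber", "gidnumber", "gecos",
    "homedirectory", "loginshell", "userpassword",
}


def parse_addfile(text):
    """Parse the -a/--addfile format into {attrdesc: [values]}.

    'attr: value' is a literal value; 'attr:: b64' is base64-decoded, as in
    LDIF. Blank lines are skipped. Attribute descriptions are lower-cased
    because LDAP compares them case-insensitively. Decoded base64 values are
    assumed to be UTF-8 text here; binary attributes would need bytes.
    """
    attrs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected '<attrdesc>: <attrvalue>'")
        name = name.strip().lower()
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def conflicting_attrs(attrs, already_specified=()):
    """Names in the addfile that cpu would also set (from its own logic or
    from attributes already given on the command line / in cpu.conf). The
    manual says such overlap fails or yields multivalued attributes, so this
    is the check to run before calling cpu with -a."""
    managed = CPU_MANAGED_ATTRS | {a.lower() for a in already_specified}
    return sorted(set(attrs) & managed)


# Constructed sample addfile (not from the manual); "aGVsbG8gd29ybGQ=" is
# "hello world" in base64.
SAMPLE_ADDFILE = """\
mail: jdoe@example.com
telephoneNumber: +1 555 0100
description:: aGVsbG8gd29ybGQ=
"""

if __name__ == "__main__":
    parsed = parse_addfile(SAMPLE_ADDFILE)
    print(parsed)
    print("conflicts:", conflicting_attrs(parsed, already_specified=["mail"]))
```

       Run the check with the attribute names you are also passing on the
       command line (for example mail when -e is used); a non-empty result
       means the addfile should be trimmed before the entry is submitted.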

       -A cn, --cn=cn
              This option specifies what the dn of a user should look  like.
              If you specify -A foo for some user, their dn  will  look  like
              foo=username,... This can be specified  in  the  configuration
              file with USER_CN_STRING.

       -B base, --groupbase=base
              The base to search for groups in. This is required for useradd
              and for any group functions. It should be  a  fully  qualified
              base such as ou=groups,o=company,c=us. This corresponds to the
              GROUP_BASE configuration option.

       -D bind_dn, --binddn=bind_dn
              The bind_dn should be a DN with adequate  credentials  for  the
              operation that you are requesting.  This  corresponds  to  the
              BIND_DN configuration file option.

       -F[file], --passfile[=file]
              If an argument is provided, that file should be of a Unix style
              password format. If no argument is provided, the configuration
              file variable PASSWORD_FILE will be used. Be sure  that  the
              switch (-F or --passfile) has no trailing whitespace; it should
              be immediately followed by the argument. The information asso-
              ciated with the user will be used for  populating  their  LDAP
              entry (uid, gid, gecos, home directory, shell).

       -H hash, --hash=hash
              Hash should be one of sha1, md5, ssha1, smd5, crypt, or  clear.
              This corresponds to the HASH configuration file variable.  Se-
              lect the hash that is being used at your site.
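       As an added example (not code from the cpu project), the following
       shows how a userPassword value is built and verified for the -H names
       other than crypt (which needs the platform crypt(3)). The stored-value
       prefixes {SHA}, {SSHA}, {MD5} and {SMD5} are an assumption taken from
       the common RFC 2307 / OpenLDAP conventions; the manual lists only the
       -H names. Salted schemes (ssha1, smd5) append a random salt to the
       digest, which is what makes identical passwords hash differently.

```python
import base64
import hashlib
import hmac
import os

# name -> (stored prefix, hashlib algorithm, salted?); the prefixes are an
# assumption based on common LDAP userPassword conventions.
SCHEMES = {
    "sha1": ("{SHA}", "sha1", False),
    "ssha1": ("{SSHA}", "sha1", True),
    "md5": ("{MD5}", "md5", False),
    "smd5": ("{SMD5}", "md5", True),
}
LABEL_TO_NAME = {label: name for name, (label, _, _) in SCHEMES.items()}


def hash_userpassword(password, hash_name, salt=None):
    """Build a userPassword value for one of the -H names (crypt excluded).
    Salted schemes store base64(digest(password + salt) + salt)."""
    if hash_name == "clear":
        return password
    if hash_name not in SCHEMES:
        raise ValueError(f"unsupported hash: {hash_name}")
    label, algo, salted = SCHEMES[hash_name]
    if salted:
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return label + base64.b64encode(digest + salt).decode("ascii")


def check_userpassword(password, stored):
    """Verify a candidate against a stored value. '*' (the value cpu uses to
    lock an account, see -p) never matches. Comparisons are constant-time."""
    if stored == "*":
        return False
    if not stored.startswith("{"):  # clear scheme: stored as given
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    label, _, b64 = stored.partition("}")
    name = LABEL_TO_NAME.get(label + "}")
    if name is None:
        raise ValueError(f"unknown scheme in {stored!r}")
    _, algo, salted = SCHEMES[name]
    raw = base64.b64decode(b64)
    # the salt is whatever follows the fixed-size digest
    salt = raw[hashlib.new(algo).digest_size:] if salted else b""
    recomputed = hash_userpassword(password, name, salt)
    return hmac.compare_digest(recomputed.encode("utf-8"), stored.encode("utf-8"))


if __name__ == "__main__":
    for name in ("clear", "sha1", "ssha1", "md5", "smd5"):
        print(name, hash_userpassword("secret", name))
```

       Of the listed choices, ssha1 is the one to prefer for a site that
       must pick one of them, since the unsalted sha1 and md5 forms let two
       users with the same password be spotted from the directory contents
       alone, and clear stores the password as typed.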

       -N hostname, --hostname=hostname
              Hostname should be the hostname of the machine running the LDAP
              service. This may be an IP address or a hostname. This  corre-
              sponds to the LDAP_HOST variable in the configuration file.

       -o, --nonposix
              Violate POSIX naming standards and allow characters in user and
              group names outside the character set [A-Za-z0-9._-]. This  is
              useful for things like adding Samba machine accounts.

       -P port, --port=port
              Port should be the port that the LDAP server is  listening  on.
              This corresponds to the LDAP_PORT option in  the  configuration
              file.

       -R length, --random=length
              length should be the length of the randomly generated password
              you would like. This password will be displayed to the user.

       -S[file], --shadfile[=file]
              If an argument is provided, that file should be of a Unix style
              shadow format. If no argument is  provided,  the  configuration
              file variable SHADOW_FILE will be used. Be sure that the switch
              (-S or --shadfile) has no trailing whitespace; it should be im-
              mediately followed by the argument. The information associated
              with the user will be used for populating  their  LDAP  entry
              (password, sp_lstchg, sp_min, sp_max, sp_warn, sp_inact,
              sp_expire).
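       The following is an added example, not code from the cpu project, of
       what -F and -S do with a passwd and shadow file: look up the login,
       and map the passwd fields and the sp_* shadow fields onto the RFC 2307
       posixAccount/shadowAccount attributes. It also includes the name check
       that -o/--nonposix relaxes. The attribute names are the standard RFC
       2307 ones; the {CRYPT} prefix on the shadow hash, the '*' default when
       no password is found (as described under -p), and the sample files are
       assumptions constructed for the example.

```python
import re

# RFC 2307 shadowAccount attributes, in shadow(5) field order after the
# password field: lastchg, min, max, warn, inact, expire (the sp_* fields).
SHADOW_ATTRS = ["shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire"]
POSIX_NAME = re.compile(r"[A-Za-z0-9._-]+")


def valid_login(name, nonposix=False):
    """Name check as described for -o: POSIX set only unless --nonposix is
    given (e.g. Samba machine accounts ending in '$'). Even with nonposix,
    characters that would break the passwd/shadow line format are refused."""
    if not name or ":" in name or "\n" in name:
        return False
    return nonposix or POSIX_NAME.fullmatch(name) is not None


def find_entry(text, login):
    """Return the colon-split fields of the line for login, or None."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if fields[0] == login:
                return fields
    return None


def ldap_entry_from_files(login, passwd_text, shadow_text=None):
    """Build the attribute dict that -F (and optionally -S) would supply."""
    pw = find_entry(passwd_text, login)
    if pw is None or len(pw) != 7:
        raise ValueError(f"{login}: no valid passwd line")
    _, _, uid, gid, gecos, home, shell = pw
    entry = {
        "uid": login, "uidNumber": int(uid), "gidNumber": int(gid),
        "gecos": gecos, "homeDirectory": home, "loginShell": shell,
        "userPassword": "*",  # no password found: '*' locks the account (see -p)
    }
    if shadow_text is None:
        return entry
    sp = find_entry(shadow_text, login)
    if sp is None or len(sp) != 9:
        raise ValueError(f"{login}: no valid shadow line")
    if sp[1] and sp[1] != "*":
        # shadow hashes are crypt(3) strings; the {CRYPT} label is assumed
        entry["userPassword"] = "{CRYPT}" + sp[1]
    for attr, field in zip(SHADOW_ATTRS, sp[2:8]):
        if field:  # empty shadow fields are simply absent from the entry
            entry[attr] = int(field)
    return entry


# Constructed sample files (not real accounts); the shadow hash is a dummy.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "jdoe:x:1001:100:John Doe:/home/jdoe:/bin/sh\n")
SHADOW = ("root:*:15000:0:99999:7:::\n"
          "jdoe:$6$dummysalt$dummyhash:15010:0:99999:7:30::\n")

if __name__ == "__main__":
    print(ldap_entry_from_files("jdoe", PASSWD, SHADOW))
```

       Note the two lock paths: a login that appears in passwd but has no
       usable shadow hash, or for which -S is not given at all, ends up with
       userPassword '*', so migrating without -S produces accounts that
       cannot bind until a password is set with -p.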

       -t timeout, --timeout=timeout
              How long (in seconds) before LDAP operations should time  out.
              The corresponding configuration file option is TIMEOUT.

       -U base, --userbase=base
              The base to search for users in. This is required for any user
              functions. It should be a fully qualified base such as
              ou=users,o=company,c=us. This corresponds to the USER_BASE con-
              figuration option.

       -w[pass], --bindpass[=pass]
              If an argument is provided, that value will be used for the bind
              password. If no argument is provided, the user will be prompted
              for a password. This option can be omitted by  specifying  the
              password in the configuration file with the option BIND_PASS. If
              a value is specified at the command line, the switch should have
              no whitespace following it.


       The following options can be used for populating LDAP attributes.


       -f name, --firstname=name
              Name is used, possibly in combination with lastname,  in  order
              to have a more complete CN. This value is also  used  for  the
              givenName (gn) attribute. This value is not required by RFC2307.

       -E name, --lastname=name
              Name is used, possibly in combination with firstname, in order
              to have a more complete CN. This value is also  used  for  the
              surname (sn) attribute. This value is not required by RFC2307.

       -e address, --email=address
              The value address is used to populate the mail attribute.  This
              attribute is not required by RFC2307 for posixAccount, but many
              people's LDAP schemas do require it. inetOrgPerson is one object
              class that contains it.


       The following options are not LDAP specific.


       -y, --yes
              Reply yes to any questions (such as whether it is ok to remove a
              directory).

       -h, --help
              Display help.

       -v, --verbose
              Turn the verbose level up.

       -V, --version
              Display the version of the module.


cpu cat
       The cat command will cause any users and groups stored  in  the  LDAP
       directory to be displayed in a Unix style format. cat requires no op-
       tions.


cpu useradd [options] login
       The useradd function is used to add new users to an LDAP directory. The
       options are similar to those used by traditional GNU/Linux user admin-
       istration utilities.

       -c comment, --gecos=comment
              The value specified is used to populate the gecos attribute. You
              can specify a default value in the configuration file using the
              GECOS variable. This is not required by RFC2307. This  can  also
              be populated using the -F option (see above).

       -d home_dir, --directory=home_dir
              The new user will be created using home_dir as the value for the
              user's login directory. The  default  is  to  append  login  to
              HOME_DIRECTORY (from the configuration file) and use that as the
              login directory name. This is required by RFC2307.

       -g initial_group, --gid=initial_group
              The group id or name of the user's initial login group. The group
              should exist, but this is not enforced: CPU will search the LDAP
              directory and warn you if the group does not exist. If the group
              does exist, the user's gidNumber will be set to the gidNumber of
              that group. This is required by RFC2307. If unspecified, CPU will
              search for the next unused GID. This behavior can be adjusted by
              MAX_GIDNUMBER, MIN_GIDNUMBER, ID_MAX_PASSES, and RANDOM in  the
              configuration file.

       -G group[,...], --sgroup=group[,...]
              A list of supplementary groups which the user is also a  member
              of. Each group is separated from the next by a  comma,  with  no
              intervening whitespace. CPU will search the directory for these
              groups and, if found, add the user to those groups. The default
              is for the user to belong only to the initial group.

       -k[skeleton_dir], --skel[=skeleton_dir]
              This option is only useful if specified along  with  the  -m
              option. If both are specified, the contents of skeleton_dir will
              be copied to the user's new home directory. If skeleton_dir is
              specified, there should be no whitespace between it and the com-
              mand line switch. If skeleton_dir is not specified, the value of
              SKEL_DIR as specified in the configuration file will be used.

       -m, --makehome
              The user's home directory will be created if it does not exist.
              The files contained in skeleton_dir will be copied to the  home
              directory if the -k option is used. The -k option is only valid
              in conjunction with the -m option. The default is to not create
              the directory and to not copy any files.

       -p[password], --password[=password]
              The encrypted or unencrypted password. If no argument is given,
              the user is prompted to enter a password. If CPU  was  compiled
              with libcrack, the password will be checked for weakness. If the
              password is already encrypted, the -H hash option should name
              the hash type that was used. If no password is specified at the
              command line or found in the shadow file (if -S was used), * is
              used, which should lock the account.

       -s shell, --shell=shell
              The name of the user's login shell. If not specified at the com-
              mand line, it can be set with the DEFAULT_SHELL  configuration
              file option. This is not required by RFC2307.

       -u uid, --uid=uid
              The numerical value of the user's ID. This value must be unique
              and non-negative. If unspecified, CPU will search for an unused
              UID. This behavior can be adjusted by MAX_UIDNUMBER, MIN_UIDNUM-
              BER, ID_MAX_PASSES, and RANDOM in the configuration file.
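       The following is an added example, not code from the cpu project, of
       the two ways an unused UID or GID can be chosen when -u/-g is omitted
       (linear search upward from the minimum, or random draws within the
       range), and of the checks applied to an explicitly given id. The
       parameter names mirror MIN_*/MAX_*NUMBER, RANDOM and ID_MAX_PASSES
       from cpu.conf; treating ID_MAX_PASSES as the cap on random attempts,
       and the sample set of ids already in use, are assumptions.

```python
import random


def allocate_id(used, min_id, max_id, use_random=False, max_passes=100, rng=None):
    """Pick a free uidNumber/gidNumber in [min_id, max_id].

    Linear mode returns the lowest free id; random mode draws up to max_passes
    candidates from the range. Giving up after max_passes is the assumed
    meaning of ID_MAX_PASSES.
    """
    if min_id < 0 or min_id > max_id:
        raise ValueError("bad id range")
    used = set(used)
    if not use_random:
        for candidate in range(min_id, max_id + 1):
            if candidate not in used:
                return candidate
        raise RuntimeError("no free id in range")
    rng = rng or random.SystemRandom()
    for _ in range(max_passes):
        candidate = rng.randint(min_id, max_id)
        if candidate not in used:
            return candidate
    raise RuntimeError(f"no free id found after {max_passes} random passes")


def check_explicit_id(value, used):
    """Validate an id given with -u/-g: non-negative and not already taken,
    since the manual requires the value to be unique."""
    if value < 0:
        raise ValueError("id must be non-negative")
    if value in used:
        raise ValueError(f"id {value} is already in use")
    return value


# Constructed set of ids already present in the directory.
USED_UIDS = {1000, 1001, 1003}

if __name__ == "__main__":
    print("linear:", allocate_id(USED_UIDS, 1000, 60000))
    print("random:", allocate_id(USED_UIDS, 1000, 60000, use_random=True))
```

       Either mode reads the set of ids in use from the directory first, so
       two administrators running useradd at the same moment can still race
       for the same number; a post-add search for duplicate uidNumber values
       is the cheap way to catch that.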

       -X script, --exec=script
              After the user has successfully been  added  to  the  directory,
              execute this script. The script is passed the  login  name.  If
              this option is not supplied, the  configuration  file  will  be
              checked for ADD_SCRIPT.


cpu usermod [options] login
       All options that apply to useradd also apply to usermod except for -k.

       -l login_name, --newusername=login_name
              The name of the user will be changed from login to  login_name.
              The LDAP attributes cn and uid are changed to  login_name;  the
              user's rdn is also modified. If specified in conjunction with the
              -m switch, the user's old home directory will be copied  to  the
              appropriate new location (see the -d switch for behavior).

       -L, --lock
              Lock the given user account.

       -U, --unlock
              Unlock the given user account.


cpu userdel [options] login
       The userdel command modifies the LDAP directory, deleting  all  entries
       that refer to login. The named user must exist. The options which apply
       to the userdel command are:

       -r, --removehome
              Files in the user's home directory will be  removed  along  with
              the home directory itself. The user's mail spool is not deleted.
              Files located in other file systems will have to be searched for
              and deleted manually.

       -X script, --exec=script
              After the user has successfully been removed from the directory,
              execute this script. The script is passed  the  login  name.  If
              this option is not supplied, the  configuration  file  will  be
              checked for DEL_SCRIPT.


cpu groupadd [options] group
       The groupadd command creates a new group account using the values spec-
       ified on the command line and the default values from the configuration
       file. The new group will be entered into the LDAP directory as  needed.
       The options which apply to the groupadd command are:

       -g gid, --gid=gid
              The numerical value of the group's ID. This value should be
              unique, and must be non-negative. A new gid can be generated by
              not specifying this option; this generation can be modified by
              changing the configuration file.


cpu groupmod [options] group
       The groupmod command modifies the group specified at the command  line.
       The options which apply to the groupmod command are:

       -g gid, --gid=gid
              The numerical value of the group's ID. This value should be
              unique, and must be non-negative.

       -n group_name, --newgroupname=group_name
              The name of the group will be changed from group to  group_name.
              The cn and rdn will also be modified.


cpu groupdel [options] group
       The groupdel command removes the group specified at the  command  line
       from the LDAP directory.


SEE ALSO
       cpu.conf(5), cpu(8)

AUTHORS
       Blake Matheny <bmatheny@purdue.edu>

       The current version of this software is always available at
       http://cpu.sourceforge.net

BUGS
       To report a bug or problem, please e-mail:

       cpu-users@lists.sourceforge.net


TODO
       See the TODO file that accompanied the software. Please e-mail us with
       any additional suggestions.



                               17 February 2003                    CPU-LDAP(8)
