ldapugadd(1M)

Prompt for the administrators bind identity (typically LDAP DN or kerberos principal) and bind password.

Without -P, ldapugadd will discover the bind identity and password from the environment variables LDAP_BINDDN and LDAP_BINDCRED. If either the LDAP_BINDDN or LDAP_BINDCRED environment variable has not been specified, ldapugadd will follow the bind configuration specified in the ldapux configuration profile (see ldapux(5)).

If ldapux has specified "proxy" bind, the bind credential will be read from either the /etc/opt/ldapux/acred or /etc/opt/ldapux/pcred file. The acred file will only be used by users that have sufficient administrative privileges to read that file. Refer to Binding to the Directory Server below for additional details.

Prompt for the password of the user or group being created. Also, if LDAP-UX attributed mapping for the userPassword attribute has not been defined or set to *NULL*, ldapugadd will create new passwords in the userPassword attribute. To assure accuracy, the user will be prompted twice for the password. ldapugadd relies on the directory server for setting of password policy, such as user-must-change-password-at-first-login.

Set the user or group password attribute. Also, if LDAP-UX attributed mapping for the userPassword attribute has not been defined or set to *NULL*, ldapugadd will create new passwords in the userPassword attribute. If -PW is specified, either the LDAP_UGCRED environment variable or the -PP option must be specified.

Requires an SSL connection to the directory server, even if the LDAP-UX configuration does not require the use of SSL. Use of -Z requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file. An error will occur if the SSL connection could not be established. Refer to Binding to the Directory Server below for additional details.

Attempt a TLS connection to the directory server, even if the LDAP-UX configuration does not require the use of TLS. If a TLS connection is unable to be established a non-TLS and non-SSL connection will be established. Use of -ZZ is not recommended unless alternative methods are used to protect from network eavesdropping. Use of -ZZ requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file. Refer to Binding to the Directory Server below for additional details.

Requires a TLS connection to the directory server, even if the LDAP-UX configuration does not require the use of TLS. Use of -ZZZ requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file. An error will occur if the TLS connection could not be established. Refer to Binding to the Directory Server below for additional details.

Force creation of new user or group entries even if particular error conditions occur. These are:

Note that some directory servers perform their own attribute uniqueness checks. In this case, even if the -F option is specified; ldapugadd will be unable to add the new entry.

Display the DN of the newly created entry.

Specifies the host name and optional port number (hostname:port) of the directory server. This option overrides the server list configured by LDAP-UX. The hostname field also supports specification of IPv4 and IPv6 addresses.

Note that when a port is specified for an IPv6 address, the IPv6 address must be specified in square-bracketed form. If the optional port is unspecified, the port number is assumed to be 389 or 636 for SSL connections (-Z). Refer to Binding to the Directory Server below for additional details.

Specifies the port number of the directory server to contact. This option is ignored if the port number is specified in the hostname as part of the -h option. Refer to Binding to the Directory Server below for additional details.

This option overrides value of the ${basedn} substitution construct used in the respective template file. Instead of discovering the ${basedn} value from the LDAP-UX configuration profile, the value defined in base will be used. Please refer to Template Files below for additional information. base is expected to be an LDAP distinguished name.

Specifies on which service type ldapugadd will operate. The service type can be either passwd or group, where

The command-line arguments that are applicable will depend on the service specified. If unspecified, ldapugadd defaults to passwd.

Note: to be consistent with the Name Service Switch (see switch(4)), the term passwd is used to represent LDAP user entries which contain POSIX account-related information.

Used to permanently alter local host defaults which are used by ldapugadd when creating new user or group entries in the LDAP directory. Configuration changes made using the -D options will appear in the /etc/opt/ldapux/ldapug.conf file. Please refer to the LDAP-UX Client Services Administrator's Guide for an example of the ldapug.conf file.

Specifies the parent directory that will be used when creating new user home directories.

Specifies the default login shell that will be used when creating user entries.

Specifies the default group ID number used when creating new user entries. To avoid warning messages displayed by ldapugadd, this group ID should represent a POSIX-style group stored in the LDAP directory.

If this group ID is not defined in the LDAP directory, ldapugadd will display a warning message every time a new user is added using this default group, since ldapugadd will be unable to add the user as a member of that group.

Sets new default minimum and maximum ranges that ldapugadd will use when provisioning a group ID number for newly created group entries. The gid range is inclusive of the specified end values. The colon character (:) will be used to indicate a range has been specified, instead of the default_gid specified above.

Sets new default minimum and maximum ranges that ldapugadd will use when provisioning an uid number for newly created user entries. The uid range is inclusive of the specified end values.

Specifies the user's numeric ID number. If the specified uidNumber already exists in the directory server, ldapugadd will not add the new entry and return an error exit status, unless the -F option is specified.

If this argument is not specified, a new user ID number will be provisioned by randomly selecting a value from the uidNumber range specified by ldapugadd -D -u. If ldapugadd randomly selects a uidNumber that is already in use on the directory server, ldapugadd will randomly select another uidNumber and try again until it finds an unused uidNumber or exhausts retry attempts. Retry attempts will be limited to 90% of the range of available uidNumbers (specified with -D -u min_uid:max_uid and described above).

Specifies the user's primary login group name or id number. After creating the user entry ldapugadd will also attempt to add the user as a member of the specified group using the ldapugmod -t group command.

Note: to support numeric group names, ldapugadd will always attempt to resolve the specified argument as a group name (even if it is a numeric string). If the specified argument is not found as a group name, ldapugadd will check to see if the argument is a numeric string and if so, use that as the group ID number. If that numeric group can not be found in any active name service repository, ldapugadd will issue an ERROR message. If the specific argument is not numeric and can not be found in an active name service repository, ldapugadd will exit with an ERROR and not create the new entry.

If this argument is not specified, the user will become a member of default login group, as specified by the ldapugadd -D -g default_gid command.

This option is only required for the passwd service and is used to specify the user's full name. If undefined, the user's full name will default to the account name.

Specifies the user's domain name. This variable is used to specify the ${domain} value that can be used in the template file. If this value is not specified, the domain name will be created by using the first "dc" component of the new user's distinguished name. If the distinguished name does not contain any "dc" components, and the ${domain} variable is specified in the template file, ldapugadd will generate an error.

Specifies the user's alternate group memberships. group/gid is expected to be the POSIX textual name of the group or the group ID number. That group must exist in the directory server (not the /etc/group file).

If the specified group name is invalid or does not exist in the directory server, ldapugadd will issue a warning message for each invalid group. To support numeric group names, ldapugadd will always attempt to resolve the specified argument as a group name (even if it is a numeric string). If the specified argument is not found as a group name, ldapugadd will check to see if the argument is a numeric string and if so, use that as the group ID number.

After the user's entry is successfully created (and only if), ldapugadd will call ldapugmod -t group (see ldapugmod(1M)) for each group specified, to add the user to listed groups.

If more than one group is specified, each group name must be separated by a comma. No whitespace is allowed between or within group names. If ldapugadd fails to add the user as a member of a particular group, ldapugadd will issue a warning message and continue to add the user to the other remaining groups specified.

If this argument is not specified, the user will not be added to alternate groups.

Specifies the full path name to the executable that will be used to handle login sessions for this user. If this argument is not specified, the default, as configured by ldapugadd -D -s default_shell, will be used.

Specifies the full path name (including the user name) of the user's home directory. If this argument is not specified, the combination of the default base directory, as configured by ldapugadd -D -d default_home, and the user's account name, will be used. If you wish to also create the home directory on this system, the -m option must specified.

Specifies GECOS fields for the user. Typically the GECOS contains four fields which represent (in order):

Each field in the gecos should be separated by a comma. If the data within the gecos field contains any white space or other characters that might be parsed by the shell, the entire string must be protected by enclosing quotes. White space should not be used between each field and the separating commas.

Note that LDAP-UX supports mapping of the gecos field to multiple attributes. If attribute mapping has been specified in the LDAP-UX configuration profile, each field will be mapped to its representative attribute, in the order specified.

If -I is not specified, the gecos attribute(s) will not be added to the user's entry.

WARNING: If the -I option is specified and attribute mapping has been defined for the gecos attribute, be careful not to specify the same attributes in the command line that are also used in the gecos map. For example, suppose the gecos has been mapped to cn, l and telephoneNumber. Because -f below represents the cn attribute when creating new user account entries, the following command might produce unpredictable results since cn is specified by both -f and by the gecos mapping:

ldapugadd -f "Jim Smith" \

-I "Jim Smith,Boston,555-12354" \

jsmith "sn=Smith" "telePhoneNumber=555-1234"

In the above example, because of the gecos attribute mapping, the cn and telephoneNumbers are specified twice and will result an error when the same attribute and value are added to the directory server ldapcfinfo can be used to determine gecos attribute mapping configuration.

NOTE: Since the gecos attribute may be mapped to one or several attributes, the number of values specified with -I (between the commas) should, but is not required to, match the number of mapped attributes. If there are more mapped attributes than specified values in -I, then trailing mapped attributes will not be added to the directory server. If there are more values than mapped attributes, extra values will be combined in the last mapped attribute.

Specifies a comment that will be stored in the description attribute, as defined by RFC2307. Attribute mapping is not defined for the description attribute. If unspecified, the description attribute will not be added to the user's entry. Since the comment field often contains white-space, be sure to protect it from shell parsing with enclosing quote characters.

Specifies the LDIF template file that will be used to create new user entries. The template_file parameter may either be a full or relative path name or a "short" name. Refer to Template File Naming below for additional information.

Required Argument. Contains the POSIX-style textual login name for the new user entry. This user name should conform to HP-UX login name requirements. Please refer to passwd(4) for login name requirements.

uid_name is a required parameter, and it must follow all command-line options and must precede the attr=value parameters (if provided).

Create a new home directory for the defined user. User and group ownership of the newly created directory will be assigned to the user and his/her primary login group.

If -k is specified, the files and sub-directories found in skel_dir will be copied to the user's home directory, and user and group ownership permissions altered as specified above. If -k is not specified, skeleton files will be copied from /etc/skel.

The -m option requires the user has sufficient privilege to create the new home directory, copy skeleton files and change ownership of those files and directories. ldapugadd will create a user's home directory only after successfully adding the user's entry in the directory server.

If ldapugadd is unable to properly create the user's home directory, per the above process, the newly created changes in the directory server will not be removed. See Security Consideration below for more information.

-k is ignored unless the -m option is specified. skel_dir specifies a directory which contains skeleton files and directories that should be copied into newly created user home directories. See -m above.

Allows specification of arbitrary LDAP attributes and values. Because of potential objectclass requirements, additional information beyond the basic POSIX account and group data may be need to be specified in order to create new entries in the directory server.

For example, if the "InetOrgPerson" objectclass is used as a structural class for posixAccounts, then the sn (surname) attribute must be specified in order to properly create a new entry. This value would need to be defined in the template file (see Template Files), and would need to be specified at the end of the ldapugadd command line.

The attr=value parameter is generally used to specify attributes required by the template file. However, if an attribute is specified which is not defined in the defined template file, that attribute/value pair will be considered as an optional attribute/value which will be added to the entry exactly as specified.

attr=value parameters are optional, but must be specified as the last parameters on the command line.

Specifies the group's numeric id number. If the specified gidNumber already exists in the directory server, ldapugadd will not add the new entry and return an error exit status, unless the -F option is specified.

If this argument is not specified, a new group ID number will be provisioned by randomly selecting a value from the gidNumber range specified by ldapugadd -d -g min_gid:max_gid. If ldapugadd randomly selects a gidNumber that is already in use on the directory server, ldapugadd will randomly select another gidNumber and try again until it finds an unused gidNumber or exhausts retry attempts. Retry attempts will be limited to 90% of the range of available gidNumbers (specified with -D -g min_gid:max_gid and described above).

Specifies the group's domain name. This variable is used to specify the ${domain} value that can be used in the template file. If this value is not specified, the domain name will be created by using the first "dc" component of the new group's distinguished name. If the distinguished name does not contain any "dc" components, and the ${domain} variable is specified in the template file, ldapugadd will generate an error.

Defines initial group membership by adding the specified user accounts as members. The members must be defined as a comma-separated list of account names, similar to the -G requirements defined above. Use of -M requires that the specified user's account already be defined in the directory server, unless the -F option is specified.

When the -F option is used, the users group membership will be defined using the memberUid attribute, regardless of the attribute mapping configuration defined by LDAP-UX. Use of -F is not recommended, and will not succeed if the directory server does not support the memberUid attribute.

ldapugadd will follow the same membership syntax as defined by LDAP-UX attribute mapping. Specifically, if LDAP-UX has mapped the RFC2307 group membership attribute (memberUid) to a DN-based membership attribute such as member or uniqueMember, then ldapugadd will define membership using the DN of the specified user. If memberUid has been mapped to more than one attribute type, ldapugadd will use the first attribute defined by the mapping.

Note that ldapugadd can only add members to a group that follow a static membership syntax (like memberUid, member, and uniqueMember). ldapugadd will fail if the only mapping defined uses a dynamic group membership syntax (like memberUrl).

Specifies a comment that will be stored in the description attribute, as defined by RFC2307. Attribute mapping is not defined for the description attribute. If unspecified, the description attribute will not be added to the user's entry.

Specifies the LDIF template file that will be used to create new group entries. The template_file parameter may either be a full or relative path name or a "short" name. Refer to Template File Naming below for additional information.

Required Argument. Contains the POSIX-style textual group name for the new group entry. This name should conform to HP-UX group name requirements. Please refer to group(4) for group name requirements. gid_name is a required parameter, must follow all command-line options and must precede the attr=value parameters (if provided).

Allows specification of arbitrary LDAP attributes and values. Refer to attr=value in the section above for additional information. attr=value parameters are optional, but must be specified as the last parameters on the command line.

When used in combination with the -PW option, LDAP_UGCRED specifies the password of a newly created user or group.

Note, use of passwords for groups is not recommended.

Also, if LDAP-UX attributed mapping for the userPassword attribute has not been defined or set to *NULL*, ldapugadd will create new passwords in the userPassword attribute.

Specifies the DN of a user with sufficient directory server privilege to create new users and/or groups in the LDAP directory server.

While this variable is optional, if LDAP_BINDDN is specified, LDAP_BINDCRED must also be specified.

A password or other type of credential used for the user specified by the LDAP_BINDDN.

While this variable is optional, if LDAP_BINDCRED is specified, LDAP_BINDDN must also be specified.