
ldapugdel(1M)

HP-UX 11i Version 2: December 2007 Update

NAME

ldapugdel — remove existing accounts or groups from an LDAP directory server

SYNOPSIS

ldapugdel [options] [-t type] [-h hostname] [-p port] [-O [protAttr[,...]]] {-D DN | uid_name | group_name}

DESCRIPTION

ldapugdel is used to remove POSIX-related user or group entries from the directory server. With the -O option, ldapugdel can instead remove only the POSIX-related attributes and objectclasses from a user or group entry, leaving the entry itself in place.

Options

-P

Prompt for the administrator's bind identity (typically an LDAP DN or Kerberos principal) and bind password. Without -P, ldapugdel will take the bind identity and password from the LDAP_BINDDN and LDAP_BINDCRED environment variables. If the LDAP_BINDDN and LDAP_BINDCRED environment variables have not been set, ldapugdel will follow the bind configuration specified in the LDAP-UX configuration profile.

If LDAP-UX has specified "proxy" bind, the bind credential will be read from either the /etc/opt/ldapux/acred or /etc/opt/ldapux/pcred file. The acred file will only be used by users that have sufficient administrative privilege to read that file. Refer to Binding to the Directory Server below for additional details.

-S

Upon successful completion, displays the DN of the deleted or updated entry.

-x

Used only with the -O option. Forces ldapugdel to also remove the uid, cn, and description attributes from a user entry, or the cn and description attributes from a group entry.

Because -x removes common attributes typically used by other LDAP-enabled applications, its use is rarely recommended when removing posixAccount or posixGroup related attributes. If removal of uid, cn, or description would cause an objectclass violation, a warning message is generated; -x removes as many of those attributes as the directory server allows.

-y

Used only in combination with the -O and -t passwd options. Forces ldapugdel to remove the userPassword attribute from the user entry.

Use of -y is rarely recommended when removing posixAccount related attributes.

-Z

Requires an SSL connection to the directory server, even if the LDAP-UX configuration does not require the use of SSL.

Use of -Z requires that a valid server or CA certificate be present in the /etc/opt/ldapux/cert8.db file. An error occurs if the SSL connection cannot be established.

-ZZ

Attempts a TLS connection to the directory server, even if the LDAP-UX configuration does not require the use of TLS. If a TLS connection cannot be established, ldapugdel falls back to a connection that is protected by neither TLS nor SSL, and the bind credentials and directory modifications are then sent in the clear.

Use of -ZZ is not recommended unless alternative methods are used to protect against network eavesdropping. Use of -ZZ requires that a valid server or CA certificate be present in the /etc/opt/ldapux/cert8.db file. Refer to Binding to the Directory Server below for additional details.

-ZZZ

Requires a TLS connection to the directory server, even if the LDAP-UX configuration does not require the use of TLS. Use of -ZZZ requires that a valid server or CA certificate be present in the /etc/opt/ldapux/cert8.db file. An error occurs if the TLS connection cannot be established; unlike -ZZ, there is no fallback to an unprotected connection. Refer to Binding to the Directory Server below for additional details.

Arguments

-h hostname

Specifies the host name and optional port number (hostname:port) of the directory server. This option overrides the server list configured by LDAP-UX.

The hostname field also accepts IPv4 and IPv6 addresses. When a port is specified together with an IPv6 address, the address must be enclosed in square brackets. If the optional port is unspecified, port 389 is assumed, or port 636 for SSL connections (-Z). Refer to Binding to the Directory Server below for additional details.

-p port

Specifies the port number of the directory server to contact. This option is ignored if the port number is specified in the hostname as part of the -h option. Refer to Binding to the Directory Server below for additional details.

-t type

Specifies the service type of entry to be deleted. The service type can be either passwd or group, where:

passwd

implies posixAccount-type entries and,

group

implies posixGroup-type entries.

If unspecified, ldapugdel defaults to passwd.

Note: to be consistent with the Name Service Switch (see switch(4)), the term passwd is used to represent LDAP user entries which contain POSIX account-related information.

-O[protAttr[,...]]

Do not delete the entire user or group entry. Instead delete only the posixAccount or posixGroup objectclass and associated attributes.

With the -t passwd option, ldapugdel will remove the posixAccount objectclass and the following attributes:

  • uidNumber

  • gidNumber

  • homeDirectory

  • loginShell

  • gecos

With the -t group option, ldapugdel will remove the posixGroup objectclass and the following attributes:

  • gidNumber

  • memberUid

  • userPassword

The protAttr list is one or more of the above attribute names, separated by commas with no white space. If specified, ldapugdel will not remove the listed attribute(s).

Special notes for using the -O option:

  • Since mapped attributes are often attributes that are shared with other LDAP-enabled applications, attribute mapping is not supported with ldapugdel.

    For example, if uidNumber has been mapped to employeeNumber, ldapugdel will still attempt to remove the uidNumber attribute and not the employeeNumber attribute.

  • Since the uid, cn, and description attributes, for user entries, and the cn and description attributes, for group entries, are commonly used by other objectclasses or as naming attributes, ldapugdel will not attempt to remove the uid, cn, or description attributes, unless failure to remove those attributes would cause an objectclass violation (because the remaining object classes for that entry would not be able to contain those attributes).

    Use of -x will force removal of those attributes if allowed by the remaining object classes for that entry.

  • Since the userPassword attribute is often used by other user-related objectclasses, ldapugdel will not attempt to remove the userPassword attribute when removing user entries.

    Use of -y will override this option, if allowed by the remaining object classes in that entry.

  • ldapugdel will attempt to remove the posixAccount and posixGroup objectclasses only if they are present. In some cases, when a user or group entry is built using an abstract class, the posixAccount or posixGroup objectclass may not be present in the entry.

  • Since Active Directory schema and RFC2307 schema conflict in the shared definition of the homeDirectory attribute, ldapugdel will never remove the homeDirectory attribute if ldapugdel determines the entry being modified is stored on an Active Directory server.

  • Since the Microsoft Services for Unix schema does not use the standard RFC2307 attribute names, -O will not function against it, because attribute mapping is not allowed in ldapugdel. -O will function properly with Windows 2003 R2, which uses the standard RFC2307 attributes, with the exception of homeDirectory as described above.

-D DN

Normally ldapugdel will search for the named user or group using the search rules described by the service search descriptor in the LDAP-UX configuration profile. With -D, the exact DN of the entry being modified may be specified.

Only one of -D, uid_name or group_name may be specified on the command line.

uid_name

Specifies the name of the user entry to remove. Note that ldapugdel uses the configured LDAP search filter to discover the entry to be removed, such as:

(&(objectclass=posixAccount)(uid=name))

If more than one entry matches this search filter, only the first entry discovered will be removed. When a name could be ambiguous, use -D with the exact DN instead.

Only one of -D, uid_name, or group_name may be specified on the command line.

group_name

Specifies the name of the group entry to remove. Note that ldapugdel uses the configured LDAP search filter to discover the entry to be removed, such as:

(&(objectclass=posixgroup)(cn=name))

If more than one entry matches this search filter, only the first entry discovered will be removed. When a name could be ambiguous, use -D with the exact DN instead.

Only one of -D, uid_name, or group_name may be specified on the command line.
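The following script is an added example and is not part of the ldapugdel(1M) page or of the LDAP-UX product. It shows one way to act on the caveat above: resolve a uid_name or group_name to exactly one DN before deleting, and hand that DN to ldapugdel -D rather than letting a name that matches several entries delete the first one found. The name is also escaped before it is placed in the filter, so a name containing * or parentheses cannot widen the search. It assumes (not stated by the page) that the LDAP-UX ldapsearch client is installed as /opt/ldapux/bin/ldapsearch and accepts Netscape-style options (-h host, -b base, then filter and attribute list), and that the caller supplies the host and search base; the site's own ldapsearch bind options must be added where an anonymous search is not permitted.

```shell
#!/bin/sh
# Added example; not part of ldapugdel(1M) or LDAP-UX.
# Resolve a POSIX user/group name to exactly one DN, then delete by -D.
#
# Assumptions (not from the page): ldapsearch is the LDAP-UX client at the
# path below with Netscape-style options; the caller passes host and base.

LDAPSEARCH=${LDAPSEARCH:-/opt/ldapux/bin/ldapsearch}

# Escape the RFC 4515 filter metacharacters so a name such as "a*" cannot
# match other entries. The backslash must be handled before the others.
filter_escape() {           # filter_escape name
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the filter shape the page shows for each service type.
posix_filter() {            # posix_filter passwd|group name
    esc=$(filter_escape "$2")
    case $1 in
        passwd) printf '(&(objectclass=posixAccount)(uid=%s))' "$esc" ;;
        group)  printf '(&(objectclass=posixGroup)(cn=%s))' "$esc" ;;
        *)      echo "unknown service type: $1" >&2; return 2 ;;
    esac
}

# Read LDIF on stdin; print the DN only if exactly one entry matched.
# Exit status: 0 one match, 1 no match, 3 more than one match (ambiguous).
unique_dn() {
    awk '
        /^dn:/ { n++; sub(/^dn:+ */, ""); dn[n] = $0 }
        END {
            if (n == 1) { print dn[1]; exit 0 }
            if (n == 0) exit 1
            exit 3
        }'
}

# Search for the name, insist on a unique match, then delete by exact DN.
# Returns ldapugdel's exit status, or unique_dn's status without deleting.
delete_by_unique_dn() {     # delete_by_unique_dn passwd|group name host base
    filter=$(posix_filter "$1" "$2") || return 2
    dn=$("$LDAPSEARCH" -h "$3" -b "$4" "$filter" dn | unique_dn) || {
        rc=$?
        echo "refusing to delete '$2': no unique match (status $rc)" >&2
        return $rc
    }
    # -P prompts for the administrator credential; -S echoes the DN removed.
    ldapugdel -P -S -t "$1" -D "$dn"
}
```

unique_dn counts every dn: line in the LDIF returned, so the status distinguishes "not found" (1) from "ambiguous" (3); only the single-match case reaches ldapugdel, and it does so with -D, which bypasses the configured search filter entirely.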

Binding to the Directory Server

ldapugdel has been designed to take advantage of the existing LDAP-UX configuration for determining to which directory server to bind and how to perform the bind operation. ldapugdel will consult the LDAP-UX configuration profile for the following information:

  • The list of LDAP directory server hosts.

  • The authentication method (simple passwords, SASL Digest MD5, etc.).

If the LDAP_BINDDN and LDAP_BINDCRED environment variables have not been specified, ldapugdel will consult the LDAP-UX configuration for additional information:

  • The type of credential (user, proxy or anonymous) to use.

  • The credential used for binding as a proxy user (either /etc/opt/ldapux/acred for administrative users or /etc/opt/ldapux/pcred for non-privileged users).

As with LDAP-UX, ldapugdel will attempt to contact the first available directory server as defined in the LDAP-UX host list. As soon as a connection is established, further directory servers on the host list will not be contacted.

Once connected, ldapugdel will first determine whether the LDAP_BINDDN and LDAP_BINDCRED environment variables have been specified. If so, ldapugdel will attempt to bind to the directory server using those credentials and the configured LDAP-UX authentication method.

If the above mentioned environment variables have not been specified, then ldapugdel will determine if the configured credential type is "proxy" and if so, attempt to bind to the directory server using the configured LDAP-UX proxy credential.

If configured, the acred proxy credential will be used for administrative users (determined if the user running ldapugdel has enough privilege to read the /etc/opt/ldapux/acred file). Otherwise the credential configured in /etc/opt/ldapux/pcred will be used.

Note: to prevent discovery of the LDAP administrator's credentials, the LDAP user DN and password may not be specified as command-line options to the ldapugdel utility.

Security Considerations

  • Use of ldapugdel requires the permissions of an LDAP administrator for the operations it performs on the directory server. The rights to delete or modify existing LDAP directory entries under the requested subtree, along with the right to remove the required attributes from those entries, must be granted to the administrator identity used when executing ldapugdel.

  • As with any identity repository, modification of this repository will likely have impacts as defined by the organization's security policy. Users of ldapugdel are expected to have full knowledge of the organization's security policy and of the impact of deleting identity information from that identity repository.

  • Removal of a POSIX account will not automatically remove that account's membership in groups, unless that capability is intrinsically provided by the directory server.

    Note some directory servers have a feature called "referential integrity" which does perform modification/removal of DN-type attributes if the specified DN is either changed or removed.

  • Never use ldapugdel as part of a modification process on a user or group entry (deleting and re-adding the entry as a method used to modify that entry.) User and group entries in an LDAP directory will often contain information about the user or group that is outside the POSIX information model. Deleting and re-adding an entry will delete all information about the user or group. When the entry is re-added, recovery of the non-POSIX information may not be possible.

  • In order to support non-interactive use of the ldapugdel command, specification of the LDAP administrator's credentials is required through use of the LDAP_BINDDN and LDAP_BINDCRED environment variables. To prevent exposure of these environment variables, they should be unset after use.

    Note also that a shell's command history may contain copies of the executed commands, including those that set these variables, so access to the shell's history file must be protected. Specification of the LDAP administrator's credentials on the command line is not allowed, since information about the currently running processes, including their arguments, can be read from outside the session.

    Use of -P eliminates the need to set these environment variables by interactively prompting for the required credentials.

LDAP-UX PROFILE

ldapugdel makes use of the LDAP-UX configuration profile to determine the information model used in the directory server to store POSIX attributes. Please refer to the LDAP-UX Client Services Administrator's Guide for additional information about the configuration profile.

RETURN VALUE

Upon exit, ldapugdel returns the following:

0

Success. ldapugdel exits with no errors or with one or more warnings.

<>0

ldapugdel returns with a non-zero exit status if it encounters an error, and messages will be logged to stderr.

Messages will follow the format below:

ERROR: code message

or

WARNING: code message

Leading extra white space may be inserted to improve readability and to fit 80-column screen formatting. code will be a programmatically parsable error key-string, while message will be human-readable. Refer to the LDAP-UX Client Services Administrator's Guide for a list of possible error codes generated by the LDAP user and group management tools.
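The following script is an added example and is not part of the ldapugdel(1M) page or of the LDAP-UX product. It puts the non-interactive pattern from Security Considerations and the message format above into one wrapper: the administrator's credentials are read from a file that only its owner can read (never placed on the command line or in the shell history), exported only for the single ldapugdel run, and unset afterwards whether or not the run succeeds; the run requires TLS (-ZZZ) and reports the affected DN (-S); and stderr is folded into one "LEVEL CODE message" line per message so a batch job can act on the parsable code. It assumes (not stated by the page) that the credential file holds two lines, the bind DN followed by the password; that each ldapugdel message begins with a line reading ERROR: code or WARNING: code, possibly indented, with the human-readable text on indented continuation lines; and that ldapugdel is found on PATH. The credential file path and the message codes in the comments are hypothetical.

```shell
#!/bin/sh
# Added example; not part of ldapugdel(1M) or LDAP-UX.
# Non-interactive ldapugdel wrapper: owner-only credential file, credentials
# exported for one run and unset afterwards, TLS required, stderr parsed.
#
# Assumptions (not from the page): credential file = DN on line 1, password
# on line 2; messages look like "ERROR: code" / "WARNING: code" with indented
# continuation lines; ldapugdel is on PATH (override with LDAPUGDEL_CMD).

LDAPUGDEL_CMD=${LDAPUGDEL_CMD:-ldapugdel}

# Load LDAP_BINDDN / LDAP_BINDCRED from a file that only its owner can read.
load_bind_cred() {          # load_bind_cred /path/to/credfile
    [ -f "$1" ] || { echo "no such credential file: $1" >&2; return 1; }
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "refusing $1: readable by group or others" >&2
        return 1
    fi
    LDAP_BINDDN=$(sed -n 1p "$1")
    LDAP_BINDCRED=$(sed -n 2p "$1")
    if [ -z "$LDAP_BINDDN" ] || [ -z "$LDAP_BINDCRED" ]; then
        echo "malformed credential file: $1" >&2
        unset LDAP_BINDDN LDAP_BINDCRED
        return 1
    fi
    export LDAP_BINDDN LDAP_BINDCRED
}

# Fold ldapugdel's messages into "LEVEL CODE human-readable text" lines,
# joining the indented continuation lines back onto their message.
parse_ldapugdel_msgs() {
    awk '
        /^[ \t]*(ERROR|WARNING):/ {
            if (cur != "") print cur
            sub(/^[ \t]+/, ""); sub(/:[ \t]*/, " ")
            cur = $0; next
        }
        /^[ \t]+/ && cur != "" {
            sub(/^[ \t]+/, ""); cur = cur " " $0; next
        }
        END { if (cur != "") print cur }'
}

# Count normalised messages of one level (ERROR or WARNING).
count_msgs() {              # count_msgs LEVEL < normalised-output
    awk -v lvl="$1" '$1 == lvl { n++ } END { print n + 0 }'
}

# Run ldapugdel requiring TLS (-ZZZ) and reporting the affected DN (-S).
# The credentials are unset again whether or not the run succeeds.
run_ldapugdel() {           # run_ldapugdel credfile [ldapugdel options] name
    cred=$1; shift
    load_bind_cred "$cred" || return 1
    err=$(mktemp) || { unset LDAP_BINDDN LDAP_BINDCRED; return 1; }
    rc=0
    "$LDAPUGDEL_CMD" -ZZZ -S "$@" 2>"$err" || rc=$?
    unset LDAP_BINDDN LDAP_BINDCRED
    parse_ldapugdel_msgs <"$err" >&2
    rm -f "$err"
    return $rc
}

# Typical use from a root-owned batch job (hypothetical file path):
#   run_ldapugdel /etc/opt/ldapux/ugadmin.cred -t passwd jdoe
```

Because the credentials are exported from within the wrapper and removed before it returns, they never appear in the job's command line or history, and a process listing taken during the run shows only the ldapugdel options. The exit status passed back is ldapugdel's own, so the page's 0 / non-zero contract is preserved for the caller.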

EXTERNAL INFLUENCES

Environment Variables

LDAP_BINDDN

Specifies the DN of a user with sufficient directory server privilege to delete users and/or groups in the LDAP directory server. While this variable is optional, if LDAP_BINDDN is specified, LDAP_BINDCRED must also be specified.

LDAP_BINDCRED

A password or other type of credential used for the user specified by the LDAP_BINDDN. While this variable is optional, if LDAP_BINDCRED is specified, LDAP_BINDDN must also be specified.

Refer to Security Considerations for important security impacts when these environment variables are used.

LIMITATIONS

  • Since LDAP directories require data be stored according to the UTF-8 (RFC3629) character encoding method, all characters provided to ldapugdel are assumed to be UTF-8 and part of the ISO-10646 character set. ldapugdel will not perform conversion of the locale character set to/from the UTF-8 character set.

  • Refer to limitations described under -O above in reference to interoperability with Microsoft Services for Unix.