ldapugmod(1M)

Prompt for the administrator's bind identity (typically LDAP DN or kerberos principal) and bind password.

Without -P ldapugmod will discover the bind identity and password from the environment variables LDAP_BINDDN and LDAP_BINDCRED. If either the LDAP_BINDDN or LDAP_BINDCRED environment variables have not been specified, ldapugmod will follow the bind configuration specified in the LDAP-UX configuration profile.

If LDAP-UX has specified "proxy" bind, the bind credential will be read from either the /etc/opt/ldapux/acred or /etc/opt/ldapux/pcred file. The acred file will only be used by users that have sufficient administrative privilege to read that file.

Refer to Binding to the Directory Server below for additional details.

Prompt for the password of the user or group being modified. If the -PP option is not specified, the password for the modified user or group will be retrieved from the LDAP_UGCRED environment variable if the -PW option is specified.

Use of -PP implies the use of -PW.

Change the user or group password attribute.

Also, if LDAP-UX attributed mapping for the userPassword attribute has not been defined or set to *NULL*, ldapugmod will create new passwords in the userPassword attribute.

If -PW is specified, either the LDAP_UGCRED environment variable or the -PP option must be specified.

With ldapugmod, it is possible to extend posixAccount and posixGroup attributes to a user or group entry that does not already contain the posixAccount or posixGroup object class. This ability requires use of the -D option. With -O, ldapugmod will add the posixAccount or posixGroup object class and respective attributes (depending on if the -t passwd or -t group option) to the entry being modified.

Note that when used with Active Directory service, if the user or group entry is built using the abstract "User" or "Group" class. ldapugmod will assume that the abstract class already includes the required MS SFU attributes, and thus will not add the posixAccount or posixGroup objectclass to the entry.

Requires an SSL connection to the directory server, even if the LDAP-UX configuration does not require the use of SSL. Use of -Z requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file.

An error will occur if the SSL connection could not be established. Refer to Binding to the Directory Serve below for additional details.

Attempt a TLS connection to the directory server, even if the LDAP-UX configuration does not require the use of TLS. If a TLS connection is unable to be established a non-TLS and non-SSL connection will be established.

Use of -ZZ is not recommended unless alternative methods are used to protect from network eavesdropping. Use of -ZZ requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file. Refer to Binding to the Directory Server below for additional details.

Requires a TLS connection to the directory server, even if the LDAP-UX configuration does not require the use of TLS.

Use of -ZZZ requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file. An error will occur if the TLS connection could not be established. Refer to Bindingg to the Directory Server below for additional details.

Allows renaming of the RDN (Relative Distinguished Name) of an LDAP directory entry. In some cases, when an attribute is modified, it may be the same attribute that is used in the RDN portion of the entry's distinguished name. Changing the attribute and value that is used in the RDN requires changing the RDN.

For example, suppose an entry in the directory server is named:

cn=Robert Smith,ou=Marketing,dc=acme,dc=com

If the cn attribute is changed to cn=Bob Smith then the DN would also need to change to:

cn=Bob Smith,ou=Marketing,dc=acme,dc=com

Modification of an RDN is generally discouraged since the DN is often used as a unique way to identify the entry in the directory server. Often the DN is used to define membership in a group. So to prevent accidental changing of the DN, the -N option must be specified to allow changing of the RDN. When the DN of an entry changes, the group membership information for this entry may become inconsistent.

However, most directory servers have the inherent ability to update all entries that refer to the updated DN of a changed entry. So ldapugmod will not attempt to perform modifications to other entries in the directory server that refer to this entry by its DN.

NOTE: ldapugmod will not allow renaming of multi-valued RDNs; for example, an RDN of cn=test1+cn=test2 is not supported.

Force modification of the user or group entry even if particular error conditions occur. The error conditions that can be overridden are:

Note that some directory servers perform their own attribute and RDN uniqueness checks. In this case, even if the -F option is specified, if the directory server detects a collision ldapugmod will be unable to modify the specified entry.

Upon successful completion, display the DN of the updated entry.

Specifies if the command-line arguments are applicable to modifying user or group. type is expected to be either passwd or group. If unspecified, ldapugmod defaults to passwd.

Note: to be consistent with the Name Service Switch (see switch(4)), the term passwd (instead of user) is used to represent LDAP user entries which contain POSIX account-related information.

Specifies the host name and optional port number (hostname:port) of the directory server. This option overrides the server list configured by LDAP-UX.

The hostname field also supports specification of IPv4 and IPv6 addresses. Note that when a port is specified for an IPv6 address, the IPv6 address must be specified in square-bracketed form.

If the optional port is unspecified, the port number is assumed to be 389 or 636 for SSL connections (-Z). Refer to Binding to the Directory Server below for additional details.

Specifies the port number of the directory server to contact. This option is ignored if the port number is specified in the hostname as part of the -h option. Refer to Binding to the Directory Server below for additional details.

Specifies the new name of the user or group. This option will replace the uid attribute for user entries and the cn attribute for group entries, or the mapped attribute if attribute mapping has been specified for that attribute.

Use of -n is the same as replacing the corresponding attribute. For example, assuming no attribute mapping:

ldapugmod -t passwd -n newuid olduid

is the same as:

ldapugmod -t passwd olduid uid=newuid

Specifies an attribute and value to be added to an entry. The format of attribute=value, where attribute is the name of the attribute to add, and value is the specific instance of that attribute.

The -A option is used when working with multi-valued attributes, to add a new value for a multi-valued attribute, without removing already existing values for that attribute.

Note that use of the -A option interacts with the optional attr=value parameters. See attr=value below. The -A option may be specified more than once per command line. The value portion of attrval may be an empty string.

Specifies an attribute or specific values of an attribute to be removed from the entry. The format of attribute[=value], where attribute is the name of the attribute to remove, and value is the specific instance of that attribute, if the attribute is multi-valued.

Note that use of the -R option interacts with the optional attr=value parameters. See attr=value below. The -R option may be specified more than once per command line.

Normally ldapugmod will search for the named user or group using the search rules described by the service search descriptor in the LDAP-UX configuration profile. With -D the exact DN of the entry being modified may be specified.

If the -D option is specified, the uid_name or group_name parameter should not be specified.

Replaces the user's full name. If full_name is an empty string (a pair of double quotes: ""), ldapugmod will remove the cn (or mapped) attribute.

Note, refer to the WARNING section below for impacts when using this option.

Replaces the user's numeric id number If uidNumber is an empty string (a pair of double quotes: ""), ldapugmod will remove the uidNumber (or mapped) attribute. If the specified uidNumber already exists in the directory server, ldapugmod will not modify the entry and return an error exit status, unless the -F option is specified.

Note, refer to the WARNING section below for impacts when using this option.

Replace the user's primary login group id number. If group/gid is an empty string, ldapugmod will remove the gidNumber (or mapped) attribute.

In order to support numeric group names, ldapugmod treats the argument to -g as a group name. If a numeric group name can not be found that matches the argument specified, ldapugmod checks to see if the value is numeric and then checks to see if the group ID number specified exists. If not, ldapugmod will exit with an error, unless the -F option has been specified.

Note, ldapugmod does not modify the user's group membership when chaining the primary group ID. Adding the user as a member of the new group, and possibly removing the member from the previous group, must be done with separate ldapudmod operations.

Refer to the WARNING section below for additional impacts when using this option.

Replaces the full path name to the executable that will be used to handle login sessions for this user. If login_shell is an empty string, ldapugmod will remove the loginShell (or mapped) attribute. ldapudmod will issue a WARNING if the specified login shell does not exist on the local system.

Note, refer to the WARNING section below for impacts when using this option.

Replaces the full path name (including the user name) of the user's home directory. If home_directory is an empty string, ldapugmod will remove the homeDirectory (or mapped) attribute.

Note, refer to the WARNING section below for impacts when using this option.

Move the user's home directory to the location specified with the -d option. -m requires the -d option be specified. If the specified home_directory already exists, the user's current home directory does not exist or the user running ldapugmod does not have sufficient permissions to move the directory, ldapugmod will return an error.

Replaces the GECOS field(s) for the user. If gecos is an empty string, ldapugmod will remove the gecos (or mapped) attribute(s). Typically the GECOS contains four fields which represent (in order):

Each field in the gecos must be separated by a comma. Although each field value specified within the gecos can contain white space (such as "Bill Smith,Building 6,555-1234"), white space should not be used between the each field and the separating commas (such as "Bill Smith, Building 6, 555-1234").

Note that LDAP-UX supports mapping of the gecos field to multiple attributes. If attribute mapping has been specified in the LDAP-UX configuration profile, each field will be mapped to its representative attribute, in the order specified.

WARNING: If the -I option is specified and attribute mapping has been defined for the gecos attribute, be careful not to specify the same attributes and values in the command line that are also used in the gecos map. For example, suppose the gecos has been mapped to cn, l and telephoneNumber. The following command might produce unpredictable results:

ldapugmod -I "Jim Smith,Boston,55-5-1234" jsmith \

"cn=Jim Smith" "sn=Smith" \

"telePhoneNumber=555=1234"

In the above example, because of the gecos attribute mapping, the cn and telePhoneNumbers are specified twice and will result an error when the same attribute and value are added to the directory server. ldapcfinfo can be used to determine gecos attribute mapping configuration.

If gecos is an empty string, ldapugmod will remove the gecos or implied mapped, attributes. Note that this use of the -I option is discouraged, since the gecos attribute is often mapped to required attributes.

Since the gecos attribute may be mapped to one or several attributes, the number of values specified with -I (between the commas) should, but is not required to, match the number of mapped attributes. If there are more mapped attributes than specified values in -I, then trailing mapped attributes will be removed from the directory server. If there are more values that mapped attributes, extra values will be combined in the last mapped attribute.

Note, refer to the WARNING section below for impacts when using this option.

Replaces the comment that will be stored in the description attribute, as defined by RFC2307. Attribute mapping is not defined for the description attribute.

Note, refer to the WARNING section below for impacts when using this option.

Contains the POSIX-style textual login name of the user entry to modify. This user name should conform to HP-UX login name requirements. Please refer to passwd(4) for login name requirements. The uid_name is a required parameter unless the -D option is specified.

Allows modification of arbitrary LDAP attributes and values. value may be an empty string. However this usage will not remove attributes and their values from the directory server. Instead, use the -R option to remove arbitrary attributes.

Note, refer to the WARNING section below for impacts when using this option.

Replaces the group's numberic id number. If the specified gidNumber already exists in the directory server, ldapugmod will not modify the entry and return an error exit status, unless the -F option is specified.

Note, refer to the WARNING section below for impacts when using this option.

Adds one or more members to the specified group. ldapugmod will follow the same membership syntax as defined by LDAP-UX attribute mapping. Specifically, if LDAP-UX has mapped the RFC2307 group membership attribute (memberUid) to a DN-based membership attribute such as member or uniqueMember, then ldapugmod will define membership using the DN of the specified user.

When specifying a list of members, the list must be comma separated with no white-space. Even though LDAP-UX supports mapping of the memberUid attribute to multiple attributes simultaneously. ldapugmod will only use the first mapped attribute when defining membership in the group. If the specified member does not exist in the LDAP directory, -F must be used to define the member, and only the memberUid attribute syntax will be used.

-a only supports membership defined using static group membership structures, such as memberUid, member, uniqueMember. Dynamic group membership, such as represented by memberUrl, is not supported by ldapugmod.

Removes one or more members from the specified group. ldapugmod will search for membership in the group defined using the memberUid, member, uniqueMember, and msSFU30posixMember attributes and remove all values that represent the specified user (either DN or uid name).

ldapugmod consults the LDAP-UX configuration profile for attribute mapping to determine which attributes should be modified to remove the user's membership. When specifying a list of members, the list must be comma separated with no white-space.

Replaces the comment that will be stored in the description attribute, as defined by RFC2307. Attribute mapping is not defined for the description attribute. If comment is an empty string, ldapugmod will remove the description (or mapped) attribute.

Note, refer to the WARNING section below for impacts when using this option.

Contains the POSIX-style textual group name for the group entry to modify. This name should conform to HP-UX group name requirements. Please refer to group(4) for group name requirements. group_name is a required parameter when used with the -t group option. The group_name should not be specified if the -D option is specified.

Allows modification of arbitrary LDAP attributes and values. Refer to attr=value in the section above for additional information.

Note, refer to the WARNING section below for impacts when using this option.

When used in combination with the -PW option, LDAP_UGCRED specifies the password of a user or group which need to be modified.

Note, use of passwords for groups is not recommended.

Also, if LDAP-UX attributed mapping for the userPassword attribute has not been defined or set to *NULL*, ldapugmod will modify passwords in the userPassword attribute.

Specified the DN of a user with sufficient directory server privilege to create new users and/or groups in the LDAP directory server. While this variable is optional, if LDAP_BINDDN is specified, LDAP_BINDCRED must also be specified.

A password or other type of credential used for the user specified by the LDAP_BINDDN. While this variable is optional, if LDAP_BINDCRED is specified, LDAP_BINDDN must also be specified.