Manual Reference Pages  -  LDAP2PW (1)


NAME

ldap2pw - Synchronize local user database with LDAP directory


SYNOPSIS

ldap2pw [-npv] [-b base] [-d domain] [-h host] [-P page size] [-s servers] [-u user[@domain]] [-G group filter] [-U user filter] [overrides]

DESCRIPTION

The ldap2pw utility synchronizes the local user database with an LDAP directory. It is intended for systems where NSS modules cannot be used or access to the LDAP server is intermittent.

The ldap2pw utility starts by searching the LDAP directory for user objects that have a UIDNumber attribute and group objects that have a GIDNumber attribute. Next, it reads the local user and group database. The users and groups obtained from both the LDAP directory and the local database are filtered according to the following criteria:

     o   Users with a UID below 1000 are ignored.
     o   Any user named nobody is ignored.
     o   If a user filter was specified, users whose names do not match the filter are ignored.
     o   Groups with a GID below 1000 are ignored.
     o   Any group named nobody or nogroup is ignored.
     o   If a group filter was specified, groups whose names do not match the filter are ignored.

Finally, the two lists are compared and the local database is updated as follows:

     1.  Groups which were found in the LDAP directory but not in the local database are created.
     2.  Users which were found in the LDAP directory but not in the local database are created.
     3.  Existing users whose attributes (UID, primary group, GECOS, home directory and shell) do not match those found in the LDAP directory are updated.
     4.  Existing groups whose attributes (GID and membership) do not match those found in the LDAP directory are updated.
     5.  Users and groups which were found in the local database but not in the LDAP directory are deleted, unless the -p option was specified, in which case they are simply ignored.
The following options are available:

     -b base
             The search base for LDAP lookups. The default is derived from the LDAP domain.

     -d domain
             The LDAP domain. The default is derived from the host name.

     -G group filter
             Regular expression used to filter groups before comparing the local and remote databases.

     -h host
             The client's host name. The default is whatever uname(3) returns.

     -n      Perform all LDAP and local lookups, compare the lists, and show what would be done, but do not actually create, modify or delete any users or groups.

     -P page size
             The page size to use for LDAP requests. The default is 250.

     -p      Preserve existing users and groups even if they are no longer found in the LDAP directory.

     -s servers
             A comma-separated list of LDAP server names. The default is to perform an SRV lookup.

     -U user filter
             Regular expression used to filter users before comparing the local and remote databases.

     -u user[@domain]
             The user name used to bind to the LDAP server, with or without domain qualifier. The default is the name of the current user.

     -v      Show progress and debugging information.

Any subsequent arguments are taken as key-value pairs which override the user attributes found in LDAP. Currently, only the home directory (home) and the login shell (shell) can be overridden.
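The filtering rules and the five update steps above can be expressed as a dry-run planner that emits the pw(8) commands the sync would run. This is an added illustration, not code from ldap2pw itself; the user and group tables are constructed sample data, and the -p, -U, -G and home=/shell= semantics are modelled as function arguments.

```python
import re

# Constructed sample data (not from the page): name -> (uid, gid, gecos, home, shell)
LDAP_USERS = {
    "bob": (1001, 1001, "Bob", "/home/bob", "/bin/sh"),
    "kenneth": (1003, 1003, "Kenneth 36", "/home/kenneth", "/bin/sh"),
    "svc_backup": (999, 999, "service", "/nonexistent", "/usr/sbin/nologin"),  # UID < 1000: ignored
}
LDAP_GROUPS = {"bob": (1001, ["bob"]), "kenneth": (1003, ["kenneth"]), "staff": (1000, ["bob", "kenneth"])}
LOCAL_USERS = {
    "bob": (1001, 1001, "Bob", "/home/bob", "/bin/sh"),
    "nobody": (65534, 65534, "Unprivileged", "/nonexistent", "/usr/sbin/nologin"),  # always ignored
    "olduser": (1002, 1002, "Old", "/home/olduser", "/bin/sh"),  # no longer in LDAP
}
LOCAL_GROUPS = {"bob": (1001, ["bob"]), "staff": (1000, ["bob"]), "guests": (1005, [])}

def filter_users(users, user_filter=None):
    """Drop UID < 1000, 'nobody', and names not matching the -U regex."""
    pat = re.compile(user_filter) if user_filter else None
    return {n: a for n, a in users.items()
            if a[0] >= 1000 and n != "nobody" and (pat is None or pat.search(n))}

def filter_groups(groups, group_filter=None):
    """Drop GID < 1000, 'nobody'/'nogroup', and names not matching the -G regex."""
    pat = re.compile(group_filter) if group_filter else None
    return {n: a for n, a in groups.items()
            if a[0] >= 1000 and n not in ("nobody", "nogroup") and (pat is None or pat.search(n))}

def plan(ldap_users, ldap_groups, local_users, local_groups, preserve=False,
         user_filter=None, group_filter=None, overrides=None):
    """Return the pw(8) commands steps 1-5 would run; preserve mirrors -p, overrides the home=/shell= args."""
    ov = overrides or {}
    lu = {n: (u, g, c, ov.get("home", h), ov.get("shell", s))
          for n, (u, g, c, h, s) in filter_users(ldap_users, user_filter).items()}
    lg = filter_groups(ldap_groups, group_filter)
    xu, xg = filter_users(local_users, user_filter), filter_groups(local_groups, group_filter)
    cmds = [f"pw groupadd {n} -g {g[0]}" for n, g in lg.items() if n not in xg]        # 1
    for n, (uid, gid, gecos, home, shell) in lu.items():                                   # 2, 3
        if n not in xu:
            cmds.append(f"pw useradd {n} -u {uid} -g {gid} -c '{gecos}' -d {home} -s {shell}")
        elif xu[n] != lu[n]:
            cmds.append(f"pw usermod {n} -u {uid} -g {gid} -c '{gecos}' -d {home} -s {shell}")
    for n, (gid, members) in lg.items():                          # 4 (a freshly created group has no members yet)
        if n not in xg or xg[n] != (gid, members):
            cmds.append(f"pw groupmod {n} -g {gid} -M {','.join(members)}")
    for n in [u for u in xu if u not in lu]:                                               # 5 (users)
        cmds.append(f"pw userdel {n}" if not preserve else f"# not deleting user {n}")
    for n in [g for g in xg if g not in lg]:                                               # 5 (groups)
        cmds.append(f"pw groupdel {n}" if not preserve else f"# not deleting group {n}")
    return cmds
```

Running `plan(LDAP_USERS, LDAP_GROUPS, LOCAL_USERS, LOCAL_GROUPS, preserve=True, overrides={"home": "/var/empty", "shell": "/usr/sbin/authpf"})` reproduces the shape of the EXAMPLES session: the missing group and user are created, the new group and staff are re-membered, and the stale local entries are reported but kept.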

IMPLEMENTATION NOTES

The ldap2pw utility was designed for use with Microsoft Active Directory servers, and assumes that the server supports and requires GSSAPI authentication and that a valid Kerberos ticket is available.

EXAMPLES

Synchronize the local user and group database on a firewall that uses authpf(8):



    % sudo env KRB5CCNAME=/var/db/ro_user.cc ldap2pw -pv -u ro_user home=/var/empty shell=/usr/sbin/authpf
    # host: client.example.com
    # domain: example.com
    # user: ro_user@example.com
    # looking up SRV for _ldap._tcp.example.com
    # servers: dc01.example.com dc02.example.com
    # base: DC=example,DC=com
    # Attempting to connect to dc01.example.com
    # Retrieving users from LDAP
    # Looking for (&(objectclass=user)(uidnumber=*)) in DC=example,DC=com
    # last page (3)
    # Retrieving groups from LDAP
    # Looking for (&(objectclass=group)(gidnumber=*)) in DC=example,DC=com
    # last page (4)
    # Resolving group membership
    # bob member user bob
    # des member user des
    # kenneth member user kenneth
    # staff member user bob
    # staff member user des
    # staff member user kenneth
    # Retrieving users from local database
    # Retrieving groups from local database
    # group kenneth missing
    /usr/sbin/pw groupadd kenneth -g 1003
    # user kenneth missing
    /usr/sbin/pw useradd kenneth -u 1003 -g 1003 -c Kenneth 36 -d /var/empty -s /usr/sbin/authpf
    # group kenneth mismatch
    /usr/sbin/pw groupmod kenneth -g 1003 -M kenneth
    # group staff mismatch
    /usr/sbin/pw groupmod staff -g 1000 -M bob,des,kenneth
    # not deleting group guests



SEE ALSO

kinit(1), pw(8)

AUTHOR

The ldap2pw utility was written by Dag-Erling Smørgrav <d.e.smorgrav@usit.uio.no> for the University of Oslo.
perl v5.20.3 LDAP2PW (1) 2015-11-06