NAME¶
cpu - a user administration tool for LDAP backends
SYNOPSIS¶
cpu user{add,del,mod} [options] login
cpu group{add,del,mod} [options] group
cpu cat
DESCRIPTION¶
The ldap module for cpu provides a means for administering groups and users
being stored on an LDAP backend. Complete compatibility with the GNU/Linux
versions of the shadow utils has tried to be maintained in terms of command
line options. This module also supports several options that traditional user
utilities do not such as; selecting which hash to use for the user, generating
random or linear uid's and gid's and pulling information for a user from
existing password and shadow files.
LDAP OPTIONS¶
The LDAP options are options that are used specifically for the LDAP server.
They may be combined with any of the cpu functions.
- -2, --2
- Use LDAPv2 instead of LDAPv3
- -a file, --addfile=file
- If a filename is given, it will be parsed and any additional ldap
attributes specified in this file will be added along with the user or
group. This file should not contain any attributes that CPU requires or
that you have already specified in the configuration file. If you do this
the modification/addition will fail or create multivalued attributes. The
format of the file should be:
<attrdesc>: <attrvalue>
<attrdesc>: <attrvalue>
<attrdesc>:: <base64-encoded-value>
...
- -A cn, --cn=cn
- This options specifies for a user what the dn should look like. If you
specify -A foo for some user, their dn will look like
foo=username,... This can be specified in the configuration file with
USER_CN_STRING
- -B base, --groupbase=base
- This is the base to search for groups in. This is required for useradd and
for any group functions. This should be a fully qualified base such as
ou=groups,o=company,c=us. This corresponds to the GROUP_BASE configuration
option.
- -D bind_dn, --binddn=bind_dn
- The bind_dn should be a DN with adequate credentials for the operation
that you are requesting. This corresponds to the BIND_DN configuration
file option.
- -F[file], --passfile[=file]
- If an argument is provided, that file should be of a Unix style password
format. If no argument is provided, the configuration file variable
PASSWORD_FILE will be used. Please be sure that the switch ( -F or
--passfile) has no trailing whitespace, it should be immediately
followed by the argument. The information associated with the user will be
used for populating their LDAP entry (uid, gid, gecos, home directory,
shell).
- -H hash, --hash=hash
- Hash should be one of sha1, md5, ssha1, smd5, crypt, md5crypt or clear.
This corresponds to the HASH configuration file variable. Select the hash
that is being used at your site.
- -N hostname, --hostname=hostname
- Hostname should be the hostname that is running the LDAP service. This may
be an IP address or hostname. This corresponds to the LDAP_HOST variable
in the configuration file.
- -o, --nonposix
- Violate POSIX naming standards and allow characters in user and group
names not in the character set [A-Za-z0-9._-]. This is useful for things
like adding Samba machine accounts.
- -P port, --port=port
- Port should be the port that the LDAP server is listening on. This
corresponds to the LDAP_PORT option in the configuration file.
- -R length, --random=random
- length should be the length that you would like a randomly
generated password to be. This password will be displayed to the
user.
- -S[file], --shadfile[=file]
- If an argument is provided, that file should be of a Unix style shadow
format. If no argument is provided, the configuration file variable
SHADOW_FILE will be used. Please be sure that the switch ( -S or
--shadfile) has no trailing whitespace, it should be immediately
followed by the argument. The information associated with the user will be
used for populating their LDAP entry (password, sp_lstchg, sp_min, sp_max,
sp_warn, sp_inact, sp_expire).
- -t timeout, --timeout=timeout
- This value is used to specify how long (in seconds) before LDAP operations
should time out. The corresponding configuration file is TIMEOUT.
- -U base, --userbase=base
- This is the base to search for users in. This is required for any user
functions. This should be a fully qualified base such as
ou=users,o=company,c=us. This corresponds to the USER_BASE configuration
option.
- -w[pass], --bindpass[=pass]
- If an argument is provided, that value will be used for the bind password.
If no argument is provided, the user will be prompted for a password. This
option can be omitted by specifying the password in the configuration file
with the option BIND_PASS. If a value is specified at the command line,
the switch should have no whitespace following it.
- -x, --tls
- Try to starttls before talking with the ldap server.
- The following options can be used for populating LDAP attributes.
-
- -f name, --firstname=name
- Name is used in possible combination with lastname in order to have a more
complete CN. This value is also used for the givenName (gn) attribute.
This value is not required by RFC2307.
- -E name, --lastname=name
- Name is used in possible combination with firstname in order to have a
more complete CN. This value is also used for the surname (sn) attribute.
This value is not required by RFC2307.
- -e address, --email=address
- The value address is used to populate the mail attribute. This attribute
is not required by RFC2307 for posixAccount but many people's LDAP schemas
do require it. inetOrgPerson is one object that contains it.
- The following options are not LDAP specific.
-
- -h, --help
- Display help.
- -v, --verbose
- Turn the verbose level up.
- -V, --version
- Display the version of the module.
cpu cat¶
The
cat command will cause any users and groups stored in the LDAP
directory to be displayed in a Unix style format.
cat requires no
options.
cpu useradd [options] login¶
The
useradd function is used to add new users to an LDAP directory. The
options are similar to those used by traditional GNU/Linux user administration
utilities.
- -c comment, --gecos=comment
- The value specified is used to populate the gecos attribute. You can
specify a default value in the configuration file using the GECOS
variable. This is not required by RFC2307. This can also be populated
using the -F option (see above).
- -d home_dir, --directory=home_dir
- The new user will be created using home_dir as the value for the
user's login directory. The default is to append login to
HOME_DIRECTORY (from the configuration file) and use that as the login
directory name. This is required by RFC2307.
- -g initial_group, --gid=initial_group
- The group id or name of the user's initial login group. The group should
exist but does not have to. CPU will search the LDAP directory and warn
you if that group does not exist. If the group does exist, the users
gidNumber will be set to the gidNumber of that group. This is required by
RFC2307. If unspecified CPU will search for the next unused GID. This
behavior can be adjusted by MAX_GIDNUMBER, MIN_GIDNUMBER, ID_MAX_PASSES,
and RANDOM in the configuration file.
- -G group,[...] --sgroup=group,[...]
- A list of supplementary groups which the user is also a member of. Each
group is separated from the next by a comma, with no intervening
whitespace. CPU will search the directory for these groups, and if found,
add the user to those groups. The default is for the user to belong only
to the initial group.
- -k[skeleton_dir] --skel[=skeleton_dir]
- This option is only useful is specified along with the -m option.
If both are specified, the contents of skeleton_dir will be copied
to the users new home directory. If skeleton_dir is specified it
should have no whitespace between the command line switch. If
skeleton_dir is not specified, the value of SKEL_DIR as specified
in the configuration file will be used.
- -m, --makehome
- The user's home directory will be created if it does not exist. The files
contained in skeleton_dir will be copied to the home directory if
the -k option is used. The -k option is only valid in
conjunction with the -m options. The default is to not create the
directory and to not copy any files.
- -p[passwd] --password[=password]
- The encrypted or unencrypted password. If no argument is given, the user
is prompted to enter a password. If CPU was compiled with libcrack, the
password will be checked for weakness. If the password is encrypted, hash
should be the value of the hash type that was used. If not specified at
the command line or found in the shadow file (if -S was used) * is
used which should lock the account.
- -s shell, --shell=shell
- The name of the user's login shell. If not specified at the command line
one can specify it with the DEFAULT_SHELL configuration file option. This
is not required by RFC2307.
- -u uid, --uid=uid
- The numerical value of the user's ID. This value must be unique, the value
must be non-negative. If unspecified CPU will search for an unused UID.
This behavior can be adjusted by MAX_UIDNUMBER, MIN_UIDNUMBER,
ID_MAX_PASSES, and RANDOM in the configuration file.
- -X script, --exec=script
- After the user has successfully been added to the directory, execute this
script. The script is passed the login name. If this option is not
supplied, the configuration file will be checked for ADD_SCRIPT.
cpu usermod [options] login¶
All options that apply to
useradd also apply to
usermod except for
-k.
- -l login_name, --newusername=login_name
- The name of the user will be changed from login to
login_name. The LDAP attributes cn and uid are changed to
login_name, the users rdn is also modified. If specified in
conjunction with the -m switch, the users old home directory will
be copied the the appropriate new location (see -d switch for
behavior).
- -L, --lock
- Lock the given user account
- -U, --unlock
- Unlock the given user account
cpu userdel [options] login¶
The
userdel command modifies the LDAP directory, deleting all entries
that refer to
login. The named user must exist. The options which apply
to the
userdel command are:
- -r, --removehome
- Files in the user's home directory will be removed along with the home
directory itself. The users mail spool is not deleted. Files located in
other file systems will have to be searched for and deleted manually.
- -X script, --exec=script
- After the user has successfully been removed from the directory, execute
this script. The script is passed the login name. If this option is not
supplied, the configuration file will be checked for DEL_SCRIPT.
cpu groupadd [options] group¶
The
groupadd command creates a new group account using the values
specified on the command line and the default values from the configuration
file. The new group will be entered into the LDAP directory as needed. The
options which apply to the
groupadd command are
- -g gid, --gid=gid
- The numerical value of the group's ID. This value should be unique. The
value must be non-negative. A new gid can be generated by not specifying
this option. This generation can be modified by changing the configuration
file.
cpu groupmod [options] group¶
The
groupmod command modifies the
group specified at the command
line. The options which apply to the
groupmod command are
- -g gid, --gid=gid
- The numerical value of the group's ID. This value should be unique. The
value must be non-negative.
- -n group_name, --newgroupname=group_name
- The name of the group will be changed from group to
group_name. The cn and rdn will also be modified.
cpu groupdel [options] group¶
The
groupdel command removes the
group specified at the command
line from the LDAP directory.
SEE ALSO¶
cpu.conf(5) cpu(8)
AUTHORS¶
Blake Matheny <bmatheny@purdue.edu>
The current version of this software is always available at
http://cpu.sourceforge.net
BUGS¶
To report a bug or problem, please e-mail:
cpu-users@lists.sourceforge.net
TODO¶
See TODO file that accompanied software. Please e-mail us with any additional
suggestions.