LDAP2PW(1) User Contributed Perl Documentation LDAP2PW(1)

ldap2pw - Synchronize local user database with LDAP directory

ldap2pw [-npv] [-b base] [-d domain] [-h host] [-P page size] [-s servers] [-u user[@domain]] [-G group filter] [-U user filter] [overrides]

The ldap2pw utility synchronizes the local user database with an LDAP directory. It is intended for systems where NSS modules cannot be used or access to the LDAP server is intermittent.

The ldap2pw utility starts by searching the LDAP directory for user objects that have a UIDNumber attribute and group objects that have a GIDNumber attribute. Next, it reads the local user and group database. The users and groups obtained from both the LDAP directory and the local database are filtered according to the following criteria:

  • Users with a UID below 1000 are ignored.
  • Any user named nobody is ignored.
  • If a user filter was specified, users whose names do not match the filter are ignored.
  • Groups with a GID below 1000 are ignored.
  • Any groups named nobody or nogroup are ignored.
  • If a group filter was specified, groups whose names do not match the filter are ignored.

Finally, the two lists are compared and the local database is updated as follows:

1. Groups which were found in the LDAP directory but not in the local database are created.
2. Users which were found in the LDAP directory but not in the local database are created.
3. Existing users whose attributes (UID, primary group, GECOS, home directory and shell) do not match those found in the LDAP directory are updated.
4. Existing groups whose attributes (GID and membership) do not match those found in the LDAP directory are updated.
5. Users and groups which were found in the local database but not in the LDAP directory are deleted, unless the -p option was specified, in which case they are simply ignored.
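The filtering and comparison procedure above, reimplemented as an added example (this is not ldap2pw's own Perl code): constructed user and group records stand in for the LDAP and local databases, and the function returns the pw(8) command lines in the same step order the utility follows. The usermod, userdel and groupdel invocations are assumed forms, not taken from the man page.

```python
import re
from dataclasses import dataclass

@dataclass
class User:  # constructed record with the passwd(5) fields ldap2pw compares
    name: str
    uid: int
    gid: int
    gecos: str = ""
    home: str = ""
    shell: str = ""

@dataclass
class Group:  # constructed record with the group(5) fields ldap2pw compares
    name: str
    gid: int
    members: tuple = ()

def keep_user(u, user_re=None):  # filter rules from the man page: UID < 1000, nobody, non-matching names
    return u.uid >= 1000 and u.name != "nobody" and (user_re is None or bool(re.search(user_re, u.name)))

def keep_group(g, group_re=None):  # GID < 1000, nobody/nogroup, non-matching names are ignored
    return g.gid >= 1000 and g.name not in ("nobody", "nogroup") and (group_re is None or bool(re.search(group_re, g.name)))

def plan(ldap_users, ldap_groups, local_users, local_groups,
         preserve=False, user_re=None, group_re=None, **overrides):
    """Return the pw(8) commands, in the man page's step order, that make the local database match LDAP."""
    lu = {u.name: u for u in ldap_users if keep_user(u, user_re)}
    lg = {g.name: g for g in ldap_groups if keep_group(g, group_re)}
    ou = {u.name: u for u in local_users if keep_user(u, user_re)}
    og = {g.name: g for g in local_groups if keep_group(g, group_re)}
    cmds = []
    for n, g in lg.items():  # 1. missing groups are created (with no members yet)
        if n not in og:
            cmds.append(f"/usr/sbin/pw groupadd {n} -g {g.gid}")
            og[n] = Group(n, g.gid)
    for n, u in lu.items():  # 2. missing users are created; 3. changed users are updated
        home, shell = overrides.get("home", u.home), overrides.get("shell", u.shell)  # key=value overrides
        attrs = f"-u {u.uid} -g {u.gid} -c '{u.gecos}' -d {home} -s {shell}"
        if n not in ou:
            cmds.append(f"/usr/sbin/pw useradd {n} {attrs}")
        elif (u.uid, u.gid, u.gecos, home, shell) != (ou[n].uid, ou[n].gid, ou[n].gecos, ou[n].home, ou[n].shell):
            cmds.append(f"/usr/sbin/pw usermod {n} {attrs}")  # assumed usermod form
    for n, g in lg.items():  # 4. GID or membership mismatches are corrected
        if (g.gid, set(g.members)) != (og[n].gid, set(og[n].members)):
            cmds.append(f"/usr/sbin/pw groupmod {n} -g {g.gid} -M {','.join(g.members)}")
    if not preserve:  # 5. stale local entries are deleted unless -p was given
        cmds += [f"/usr/sbin/pw userdel {n}" for n in ou if n not in lu]
        cmds += [f"/usr/sbin/pw groupdel {n}" for n in og if n not in lg]
    return cmds
```

Running it with -n semantics is just a matter of printing the returned list instead of executing it.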

The following options are available:

-b base
The search base for LDAP lookups. The default is derived from the LDAP domain.
-d domain
The LDAP domain. The default is derived from the host name.
-G group filter
Regular expression used to filter groups before comparing the local and remote databases.
-h host
The client's host name. The default is whatever uname(3) returns.
-n
Perform all LDAP and local lookups, compare the lists, and show what would be done, but do not actually create, modify or delete any users or groups.
-P page size
The page size to use for LDAP requests. The default is 250.
-p
Preserve existing users and groups even if they are no longer found in the LDAP directory.
-s servers
A comma-separated list of LDAP server names. The default is to perform an SRV lookup.
-U user filter
Regular expression used to filter users before comparing the local and remote databases.
-u user[@domain]
The user name used to bind to the LDAP server, with or without domain qualifier. The default is the name of the current user.
-v
Show progress and debugging information.

Any subsequent arguments are taken as key-value pairs which override the user attributes found in LDAP. Currently, only the home directory (home) and the login shell (shell) can be overridden.

The ldap2pw utility was designed for use with Microsoft Active Directory servers, and assumes that the server supports and requires GSSAPI authentication and that a valid Kerberos ticket is available.

Synchronize the local user and group database on a firewall that uses authpf(8):

    % sudo env KRB5CCNAME=/var/db/ro_user.cc ldap2pw -pv -u ro_user home=/var/empty shell=/usr/sbin/authpf
    # host: client.example.com
    # domain: example.com
    # user: ro_user@example.com
    # looking up SRV for _ldap._tcp.example.com
    # servers: dc01.example.com dc02.example.com
    # base: DC=example,DC=com
    # Attempting to connect to dc01.example.com
    # Retrieving users from LDAP
    # Looking for (&(objectclass=user)(uidnumber=*)) in DC=example,DC=com
    # last page (3)
    # Retrieving groups from LDAP
    # Looking for (&(objectclass=group)(gidnumber=*)) in DC=example,DC=com
    # last page (4)
    # Resolving group membership
    # bob member user bob
    # des member user des
    # kenneth member user kenneth
    # staff member user bob
    # staff member user des
    # staff member user kenneth
    # Retrieving users from local database
    # Retrieving groups from local database
    # group kenneth missing
    /usr/sbin/pw groupadd kenneth -g 1003
    # user kenneth missing
    /usr/sbin/pw useradd kenneth -u 1003 -g 1003 -c 'Kenneth 36' -d /var/empty -s /usr/sbin/authpf
    # group kenneth mismatch
    /usr/sbin/pw groupmod kenneth -g 1003 -M kenneth
    # group staff mismatch
    /usr/sbin/pw groupmod staff -g 1000 -M bob,des,kenneth
    # not deleting group guests

kinit(1), pw(8)

The ldap2pw utility was written by Dag-Erling Smørgrav <d.e.smorgrav@usit.uio.no> for the University of Oslo.
2017-09-22 perl v5.32.1
