
NAME

       cpu - a user administration tool for LDAP backends

SYNOPSIS

       cpu user{add,del,mod} [options] login

       cpu group{add,del,mod} [options] group

       cpu cat

DESCRIPTION

       The ldap module for cpu provides a means for administering groups  and
       users  stored  on  an  LDAP  backend.  An effort has been made to keep
       complete compatibility with the GNU/Linux  versions  of  the  shadow
       utilities  in  terms  of  command  line options. This module also
       supports several options that the traditional user utilities  do  not,
       such  as  selecting  which  hash  to  use  for  the  user's  password,
       generating random or sequential  (linear)  uids  and  gids,  and  pulling
       information for a user from existing passwd and shadow files.

LDAP OPTIONS

       The LDAP options control how cpu connects to the LDAP server and where
       in the directory it operates. They may be combined with any of the cpu
       functions.

       -2, --2
              Use LDAPv2 instead of LDAPv3

       -a file, --addfile=file
              If a filename is given, it will be parsed  and  any  additional
              LDAP  attributes specified in this file will be added along with
              the user or group. This file must not contain any attributes
              that CPU sets itself or that you have already specified in  the
              configuration file; if it does, the modification/addition will
              fail or create multivalued attributes. The format of  the  file
              is:

               <attrdesc>: <attrvalue>
               <attrdesc>: <attrvalue>
               <attrdesc>:: <base64-encoded-value>
               ...

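              The rules for when a value must use the "::" base64 form  are
              the LDIF rules (RFC 2849): a value that starts with a space,
              ':' or '<', ends with a space, or contains anything other than
              printable ASCII has to be base64-encoded. The following  shell
              script  is  an  added  example  that  is  not part of cpu; it
              builds an addfile from attribute/value pairs and  applies  those
              rules.  The  attribute  names  (description,  telephoneNumber,
              roomNumber, l) are inetOrgPerson attributes chosen for the
              example, and openssl is assumed to be installed for base64
              encoding.

```shell
#!/bin/sh
# Added example (not part of cpu): build a file in the -a/--addfile format
# from attribute/value pairs. Plain "attr: value" is used when the value is
# safe for that form; otherwise the value is emitted as "attr:: base64".
# Safety rules follow LDIF (RFC 2849): no leading space, ':' or '<',
# no trailing space, and only printable ASCII bytes.

# needs_base64 VALUE -> exit 0 if VALUE must be base64-encoded
needs_base64() {
    case "$1" in
        ' '*|':'*|'<'*|*' ') return 0 ;;
    esac
    # delete every printable ASCII byte; anything left over (newline,
    # control characters, non-ASCII UTF-8 bytes) forces the base64 form
    rest=$(printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c | tr -d ' ')
    [ "$rest" -gt 0 ]
}

# addfile_line ATTRDESC VALUE -> one line in addfile syntax
addfile_line() {
    if needs_base64 "$2"; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | openssl base64 -A | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# make_addfile FILE -> write the extra attributes for one user to FILE.
# Attribute names are assumed inetOrgPerson attributes for the example;
# they must not be attributes cpu sets itself or that cpu.conf supplies.
make_addfile() {
    {
        addfile_line description 'Contractor, badge #4412'
        addfile_line telephoneNumber '+1 765 555 0100'
        addfile_line roomNumber ' B-12'      # leading space -> base64
        addfile_line l 'Zürich'              # non-ASCII   -> base64
    } > "$1"
}
```

              Write the file with make_addfile and pass it  with  -a;  an
              attribute  that  cpu  already  populates (uid, uidNumber, mail
              via -e, and so on) belongs on the cpu command line, not in this
              file.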
       -A cn, --cn=cn
              This option specifies which attribute forms the RDN of a user's
              DN. If you specify -A foo for some user, their  DN  will  look
              like foo=username,... This can be specified in the
              configuration file with USER_CN_STRING.

       -B base, --groupbase=base
              This is the base to search for groups in. This is  required  for
              useradd  and  for  any  group  functions. This should be a fully
              qualified   base   such   as   ou=groups,o=company,c=us.    This
              corresponds to the GROUP_BASE configuration option.

       -D bind_dn, --binddn=bind_dn
              The  bind_dn  should  be  a DN with adequate credentials for the
              operation that you  are  requesting.  This  corresponds  to  the
              BIND_DN configuration file option.

       -F[file], --passfile[=file]
              If  an argument is provided, that file should be of a Unix style
              password format. If no argument is provided,  the  configuration
              file  variable  PASSWORD_FILE  will be used. Please be sure that
              the switch (-F or --passfile) has no trailing whitespace; it
              must be immediately followed by the argument. The  information
              associated with the user will be used for populating their  LDAP
              entry (uid, gid, gecos, home directory, shell).

       -H hash, --hash=hash
              Hash  should  be one of sha1, md5, ssha1, smd5, crypt, or clear.
              This corresponds to the HASH configuration file variable. Select
              the hash that is being used at your site.

       -N hostname, --hostname=hostname
              Hostname  should  be  the  hostname  that  is  running  the LDAP
              service. This may be an IP address or hostname. This corresponds
              to the LDAP_HOST variable in the configuration file.

       -o, --nonposix
              Violate  POSIX naming standards and allow characters in user and
              group names not in the character  set  [A-Za-z0-9._-].  This  is
              useful for things like adding Samba machine accounts.

       -P port, --port=port
              Port  should  be  the port that the LDAP server is listening on.
              This corresponds to the LDAP_PORT option  in  the  configuration
              file.

       -R length, --random=length
              length is the length of the randomly generated  password.  The
              generated password will be displayed to the user.

       -S[file], --shadfile[=file]
              If  an argument is provided, that file should be of a Unix style
              shadow format. If no argument  is  provided,  the  configuration
              file  variable SHADOW_FILE will be used. Please be sure that the
              switch (-S or --shadfile) has no trailing whitespace; it must
              be immediately followed  by  the  argument.  The  information
              associated with the user will be used for populating their  LDAP
              entry  (password,  sp_lstchg, sp_min, sp_max, sp_warn, sp_inact,
              sp_expire).

       -t timeout, --timeout=timeout
              How long (in seconds) to wait before LDAP operations time  out.
              The corresponding configuration file option is TIMEOUT.

       -U base, --userbase=base
              This is the base to search for users in. This  is  required  for
              any  user  functions. This should be a fully qualified base such
              as ou=users,o=company,c=us. This corresponds  to  the  USER_BASE
              configuration option.

       -w[pass], --bindpass[=pass]
              If an argument is provided, that value will be used for the bind
              password. If no argument is provided, the user will be  prompted
              for  a  password.  This  option can be omitted by specifying the
              password in the configuration file with the option BIND_PASS. If
              a value is specified at the command line, the switch should have
              no whitespace following it.

       -x, --tls
              Attempt a StartTLS negotiation before talking to the LDAP
              server. Without TLS, the bind password (-w or BIND_PASS) and any
              password material given with -p cross the network in clear text.

       The following options can be used for populating LDAP attributes.

       -f name, --firstname=name
              Name is used, possibly in combination with lastname, to build a
              more complete CN. This value is also  used  for  the  givenName
              (gn) attribute. This value is not required by RFC2307.

       -E name, --lastname=name
              Name is used, possibly in combination with firstname, to build a
              more complete CN. This value is also used for the surname (sn)
              attribute. This value is not required by RFC2307.

       -e address, --email=address
              The  value  address is used to populate the mail attribute. This
              attribute is not required by RFC2307 for posixAccount, but many
              sites' LDAP schemas do require it; inetOrgPerson is one object
              class that includes it.

       The following options are not LDAP specific.

       -y, --yes
              Reply yes to any questions (such as whether it is ok to remove a
              directory)

       -h, --help
              Display help.

       -v, --verbose
              Turn the verbose level up.

       -V, --version
              Display the version of the module.

cpu cat

       The  cat  command  will  cause  any users and groups stored in the LDAP
       directory to be displayed in a  Unix  style  format.  cat  requires  no
       options.

cpu useradd [options] login

       The useradd function is used to add new users to an LDAP directory. The
       options are  similar  to  those  used  by  traditional  GNU/Linux  user
       administration utilities.

       -c comment, --gecos=comment
              The value specified is used to populate the gecos attribute. You
              can specify a default value in the configuration file using  the
              GECOS  variable.  This is not required by RFC2307. This can also
              be populated using the -F option (see above).

       -d home_dir, --directory=home_dir
              The new user will be created using home_dir as the value for the
              user’s  login  directory.  The  default  is  to  append login to
              HOME_DIRECTORY (from the configuration file) and use that as the
              login directory name. This is required by RFC2307.

       -g initial_group, --gid=initial_group
              The  group  id  or  name  of the user's initial login group. The
              group should exist but need not; CPU will search the LDAP
              directory and warn you if that group does not exist. If  the
              group does exist, the user's gidNumber will be set to the
              gidNumber of that group. This is required by RFC2307. If
              unspecified, CPU will search for the next unused GID. This
              behavior can be adjusted with MAX_GIDNUMBER, MIN_GIDNUMBER,
              ID_MAX_PASSES, and RANDOM in the configuration file.

       -G group[,...], --sgroup=group[,...]
              A list of supplementary groups which the user is also  a  member
              of.  Each  group  is separated from the next by a comma, with no
              intervening whitespace. CPU will search the directory for  these
              groups,  and if found, add the user to those groups. The default
              is for the user to belong only to the initial group.

       -k[skeleton_dir], --skel[=skeleton_dir]
              This option is only useful if specified along  with  the  -m
              option.  If  both  are  specified,  the contents of skeleton_dir
              will be copied to the user's new home directory. If skeleton_dir
              is given, there must be no whitespace between the switch and
              the argument. If skeleton_dir is not specified, the  value  of
              SKEL_DIR as specified in the configuration file will be used.

       -m, --makehome
              The  user's home directory will be created if it does not exist.
              The files contained in skeleton_dir will be copied to  the  home
              directory  if the -k option is used. The -k option is only valid
              in conjunction with the -m option. The default is to not create
              the directory and to not copy any files.

       -p[password], --password[=password]
              The password, either already hashed or in clear text. If  no
              argument is given, the user is prompted to enter a password. If
              CPU was compiled with libcrack, the password will be checked for
              weakness. If the password is already hashed, -H (or HASH in the
              configuration file) must name the hash type that was  used.  If
              no password is specified at the command line or found in the
              shadow file (if -S was used), * is used, which should lock the
              account.
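              Supplying a pre-hashed value is the way to avoid handing cpu  a
              clear-text  password.  The  following  shell  script  is  an
              added example, not part of cpu, that produces and verifies  a
              salted  SHA-1  value  of  the kind used with -H ssha1. It uses
              the  {SSHA}  layout  that  OpenLDAP  stores  in  userPassword,
              base64(sha1(password||salt)||salt);  whether  cpu  expects the
              {SSHA} prefix on a -p value or the bare base64 is not stated in
              this page and is an assumption. openssl is assumed to be
              installed.

```shell
#!/bin/sh
# Added example (not from the cpu project): produce and verify a salted
# SHA-1 ("ssha1") userPassword value for use with cpu -H ssha1 -p<hash>.
# Layout is the OpenLDAP convention:
#   {SSHA} base64( sha1(password || salt) || salt )
# Assumption: cpu accepts the value with the {SSHA} prefix; strip it with
# sed 's/^{SSHA}//' if your site stores bare values.

hex_of_stdin() { od -An -v -tx1 | tr -d ' \n'; }

# ssha_hash PASSWORD [SALT] -> {SSHA}...  (SALT defaults to 8 random hex chars)
ssha_hash() {
    salt=${2:-$(openssl rand -hex 4)}
    enc=$( { printf '%s%s' "$1" "$salt" | openssl dgst -sha1 -binary
             printf '%s' "$salt"; } | openssl base64 -A | tr -d '\n')
    printf '{SSHA}%s\n' "$enc"
}

# ssha_check PASSWORD HASH -> exit 0 if PASSWORD matches HASH.
# The salt is whatever follows the 20-byte digest, so binary salts written
# by other tools are handled; it is streamed, never stored in a variable.
ssha_check() {
    b64=$(printf '%s' "$2" | sed 's/^{SSHA}//')
    stored=$(printf '%s' "$b64" | openssl base64 -d -A | hex_of_stdin)
    # 20-byte digest = 40 hex chars; anything not longer carries no salt
    [ "${#stored}" -gt 40 ] || return 1
    want=$(printf '%s' "$stored" | cut -c1-40)
    got=$( { printf '%s' "$1"
             printf '%s' "$b64" | openssl base64 -d -A | tail -c +21; } \
           | openssl dgst -sha1 -binary | hex_of_stdin)
    [ "$got" = "$want" ]
}

# Demo when run as "sh thisfile demo": hash, verify, reject a wrong guess
if [ "${1:-}" = demo ]; then
    h=$(ssha_hash 'correct horse')
    printf 'hash: %s\n' "$h"
    ssha_check 'correct horse' "$h" && echo 'match'
    ssha_check 'wrong guess'   "$h" || echo 'no match'
fi
```

              Used  with cpu, with no whitespace after -p as the page
              requires:  cpu  useradd  -H ssha1  -p"$(ssha_hash 'correct
              horse')" -m jdoe. Because the salt is random, hashing the same
              password twice yields different values; ssha_check recovers the
              salt from the stored value, which is what the directory  does  at
              bind time.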

       -s shell, --shell=shell
              The  name  of  the  user’s  login shell. If not specified at the
              command  line  one  can  specify  it  with   the   DEFAULT_SHELL
              configuration file option. This is not required by RFC2307.

       -u uid, --uid=uid
              The numerical value of the user's ID. This value must be unique
              and non-negative. If unspecified, CPU will search for an unused
              UID. This behavior can be adjusted with MAX_UIDNUMBER,
              MIN_UIDNUMBER, ID_MAX_PASSES, and RANDOM in  the  configuration
              file.

       -X script, --exec=script
              After  the  user  has  successfully been added to the directory,
              execute this script. The script is passed  the  login  name.  If
              this  option  is  not  supplied,  the configuration file will be
              checked for ADD_SCRIPT.

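              The script receives the login name as  its  only  argument.  If
              -o/--nonposix  is  in  use,  that  argument  may  contain  any
              character, so a hook should validate it and always quote  it.
              The  following  shell script is an added example of such a hook,
              not one shipped with cpu; HOOK_LOG is an assumed location for an
              audit trail.

```shell
#!/bin/sh
# Added example (not shipped with cpu): a script for -X/--exec or ADD_SCRIPT.
# cpu calls it with the login name as its only argument. Because -o/--nonposix
# allows names outside [A-Za-z0-9._-], the argument is treated as untrusted:
# it is validated before use and always quoted.
# HOOK_LOG is an assumed path for an audit trail.

HOOK_LOG=${HOOK_LOG:-/var/log/cpu-hooks.log}

# posix_name_ok NAME -> exit 0 if NAME uses only [A-Za-z0-9._-] and does not
# start with '-' (so no later tool can take it for an option)
posix_name_ok() {
    [ -n "$1" ] || return 1
    case "$1" in
        -*)                   return 1 ;;
        *[!A-Za-z0-9._-]*)    return 1 ;;
    esac
    return 0
}

# hook_main NAME -> validate, record, and return the status cpu will see
hook_main() {
    if ! posix_name_ok "$1"; then
        printf 'cpu hook: refusing login name %s\n' "'$1'" >&2
        return 2
    fi
    printf '%s useradd %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$HOOK_LOG"
    return 0
}

# Run the hook only when an argument was actually passed
if [ "${1+set}" = set ]; then hook_main "$1"; fi
```

              A  name  such  as  a  Samba machine account ending in '$' is
              refused by this hook; a site that relies on -o should widen the
              allow-list in posix_name_ok deliberately rather than drop the
              check.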
cpu usermod [options] login

       All options that apply to useradd also apply to usermod except for  -k.

       -l login_name, --newusername=login_name
              The  name  of the user will be changed from login to login_name.
              The LDAP attributes cn and uid are changed  to  login_name,  and
              the user's RDN is also modified. If specified in conjunction
              with the -m switch, the user's old home directory will be
              copied to the appropriate new location (see the -d switch for
              behavior).

       -L, --lock
              Lock the given user account

       -U, --unlock
              Unlock the given user account

cpu userdel [options] login

       The  userdel  command modifies the LDAP directory, deleting all entries
       that refer to login. The named user must exist. The options which apply
       to the userdel command are:

       -r, --removehome
              Files  in  the  user's home directory will be removed along with
              the home directory itself. The user's mail spool is not deleted.
              Files located in other file systems will have to be searched for
              and deleted manually.

       -X script, --exec=script
              After the user has successfully been removed from the directory,
              execute  this  script.  The  script is passed the login name. If
              this option is not supplied,  the  configuration  file  will  be
              checked for DEL_SCRIPT.

cpu groupadd [options] group

       The  groupadd  command  creates  a  new  group account using the values
       specified  on  the  command  line  and  the  default  values  from  the
       configuration  file.  The  new  group  will  be  entered  into the LDAP
       directory as needed. The options which apply to  the  groupadd  command
       are:

       -g gid, --gid=gid
              The  numerical  value  of  the  group's ID. This value should be
              unique. The value must be non-negative. A new gid is generated
              when this option is omitted; the generation can be adjusted with
              MAX_GIDNUMBER, MIN_GIDNUMBER, ID_MAX_PASSES, and RANDOM in the
              configuration file.

cpu groupmod [options] group

       The groupmod command modifies the group specified at the command  line.
       The options which apply to the groupmod command are:

       -g gid, --gid=gid
              The  numerical  value  of  the  group’s ID. This value should be
              unique. The value must be non-negative.

       -n group_name, --newgroupname=group_name
              The name of the group will be changed from group to  group_name.
              The cn and rdn will also be modified.

cpu groupdel [options] group

       The  groupdel  command  removes the group specified at the command line
       from the LDAP directory.

SEE ALSO

       cpu.conf(5) cpu(8)

AUTHORS

       Blake Matheny <bmatheny@purdue.edu>

       The  current  version  of  this  software  is   always   available   at
       http://cpu.sourceforge.net

BUGS

       To report a bug or problem, please e-mail:

       cpu-users@lists.sourceforge.net

TODO

       See  TODO  file  that  accompanied  software. Please e-mail us with any
       additional suggestions.

                               17 February 2003