7.2 Using Command Line Utilities to Manage Users and Groups

Command line utilities let you create, modify, delete, and list both user and group accounts. This section describes these utilities and explains their usage.

NOTE: The command line utilities read the necessary input parameters from the /var/nam/namutilities.inp configuration file if the parameters are not specified on the command line. If this file is not present, the utilities (except namuserlist and namgrouplist) create it with system default values such as the account expiry time, the admin FDN, and the default Group object to which users are associated. The context under which User and Group objects are added is also set when any of the commands listed in this section is executed.

7.2.1 Security Considerations

The nambulkadd command involves authentication to eDirectory as the Admin user. If your interaction with the server can be viewed by others, you must set an environment variable with the Admin password rather than specifying the password on the command line.

To set the required environment variable, as root, enter the following at the shell prompt:

export LUM_PWD=AdminPassword

Replace AdminPassword with the password of the eDirectory Admin user.
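The export shown above keeps the password off the nambulkadd command line, but typing it at an interactive prompt still records the literal value in the shell history file. The following sh script is an added example and not part of the Novell documentation: it reads the Admin password without echo and exports it as LUM_PWD, and it audits a history file for lines that pass a LUM password on argv (a nam* utility followed by -w or -p, which the namdiagtool examples later on this page do, or an inline LUM_PWD=literal assignment). The history lines at the end are constructed for the example; that the utilities honour LUM_PWD is taken from the page.

```shell
#!/bin/sh
# Added example (not from the Novell documentation): keep the eDirectory Admin
# password out of argv and the shell history when running the nam* utilities,
# and audit a history file for past leaks. Assumption: the utilities read
# LUM_PWD as stated above. The history lines built at the end are constructed.

# Prompt for the Admin password without echo and export it as LUM_PWD.
# Nothing is placed on a command line, so neither `ps` nor the history file
# records it (typing `export LUM_PWD=...` at the prompt would do both).
lum_load_password() {
    [ -n "${LUM_PWD:-}" ] && return 0      # already provided by the caller
    printf 'eDirectory Admin password: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r LUM_PWD
    stty echo 2>/dev/null
    printf '\n' >&2
    export LUM_PWD
    [ -n "$LUM_PWD" ]
}

# Return 0 if a command line passes a LUM password on argv: a nam* utility
# followed by "-w <value>" or "-p <value>", or an inline LUM_PWD=<literal>
# assignment (a value containing "$" is an expansion, not a literal).
lum_cmdline_leaks_password() {
    printf '%s\n' "$1" | grep -Eq \
        '(^|[[:space:]])nam[a-z]+[[:space:]]+(.*[[:space:]])?(-w|-p)[[:space:]]+[^[:space:]-]|LUM_PWD=[^$[:space:]]+([[:space:]]|$)'
}

# Replace the password value in a command line so findings can be reported
# without copying the secret into yet another log.
lum_redact() {
    printf '%s\n' "$1" | sed -E 's/((-w|-p)[[:space:]]+|LUM_PWD=)[^[:space:]]+/\1<redacted>/g'
}

# Print the number of lines in a history file that leak a password; each
# finding is echoed, redacted, to stderr. Always returns 0 so it can be
# used inside $(...) under set -e.
lum_count_history_leaks() {
    n=0
    while IFS= read -r line; do
        if lum_cmdline_leaks_password "$line"; then
            printf 'password on command line: %s\n' "$(lum_redact "$line")" >&2
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# Constructed sample history (two of the four lines leak a password).
lum_make_sample_history() {
    h=$(mktemp)
    printf '%s\n' \
        'export LUM_PWD=AdminPassword' \
        'nambulkadd -a cn=admin,o=novell -u /tmp/u.txt -g /tmp/g.txt' \
        'namdiagtool -Q -a cn=admin,o=novell -p novell -r' \
        'namuserlist usr1' > "$h"
    echo "$h"
}

# Stand-alone run: audit the constructed history.
sample=$(lum_make_sample_history)
echo "leaking lines: $(lum_count_history_leaks "$sample")"
```

In practice the audit is run as `lum_count_history_leaks ~/.bash_history` on the admin workstation; any non-zero count means the Admin password should be treated as exposed and rotated.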

7.2.2 nambulkadd

The nambulkadd utility is used to do the following:

  • Create new users and groups that are enabled for Linux User Management.

  • Enable existing eDirectory users and groups for Linux User Management.

The nambulkadd utility was primarily designed to be used when copying data to an NSS volume on an OES for Linux server by using the Server Consolidation and Migration Toolkit. The utility helps you create the configuration files used by nambulkadd based on input from administrators at the time they run the utility.

For more information, see the Novell Server Consolidation and Migration Toolkit Administration Guide.

Syntax

The syntax of the nambulkadd command is as follows:

nambulkadd [-a adminFDN] -w admin_password <-g groupListFile | -u userListFile | -g groupListFile -u userListFile> [-o] [-n]

Parameters

Table 7-1 nambulkadd Parameters

Parameter

Description

-a adminFDN

The fully distinguished name of the eDirectory administrator in LDAP format.

-w admin-password

Specifies bindpasswd as the password for simple authentication. Also, you can pass the password to nambulkadd by using the environment variable export LUM_PWD=<password> before running the utility.

-u userListFile

The full path to the file that contains the list of users to be enabled for Linux.

-g groupListFile

The full path to the file that contains the list of groups to be enabled for Linux.

-o

If this option is specified, the output from nambulkadd goes to the standard output. Otherwise, the output goes to the /var/log/messages file.

-n

If this option is specified, nambulkadd does not refresh the Novell Storage Services cache for user IDs. Otherwise, nambulkadd triggers a background refresh for the Novell Storage Services cache.

Defaults

There are no default values associated with this utility.

Example

nambulkadd -a cn=admin,o=novell -u /sys/scu/lum/job1-userlist.txt -g /sys/scu/lum/job1-grouplist.txt

This enables Linux User Management for all the Group objects listed in job1-grouplist.txt and all the User objects listed in job1-userlist.txt.

Creating Customized Text Files for nambulkadd

Normally, the nambulkadd command processes text files created by the Novell Server Consolidation utility. However, you can create customized files to bulk-enable system users and groups.

  1. Using any Linux text editor, create a text file for the eDirectory groups you want to enable for Linux User Management.

    These can be either new groups you want to create or existing groups that have not been enabled for Linux User Management.

    IMPORTANT: Do not use Windows editors to modify the list.

    If your custom list or the list generated by the Server Consolidation utility is edited with a Windows editor such as Notepad, Wordpad, or OpenOffice, it adds an ^M or x0D at the end of every line. If you run nambulkadd with a list edited and saved with one of these editors, it creates a new Linux User Management user with x0D in the username. Most utilities, such as ConsoleOne, do not recognize the x0D at the end of the username, so it appears as a duplicate user object.

    If Windows editors were previously used to edit the list, you need to run the DOS to UNIX cleanup utility to remove the ^M or x0D character in the userlist.

  2. On the first line in the file, include all the parameters you would normally use in connection with one instance of the namgroupadd command to create a group enabled for Linux User Management.

    For example, assume that your system doesn't currently contain the eDirectory object Group1.sales.example, and the first line contains the following:

    -x ou=sales,o=example -W LinuxSrvr1 Group1

    When you run nambulkadd, the following occurs:

    • Group1 is created as a group enabled for Linux User Management in sales.example.

    • Group1.sales.example is added to the members list of the LinuxSrvr1 UNIX Workstation object that already exists in the tree.

    • LinuxSrvr1 is added to the workstation list of the newly created Group1.sales.example group.

  3. After creating a line in the file for each group you want to enable for Linux User Management, create a second file to contain information for the users you want to enable for Linux User Management.

    As with the group text file, the users in this file can be either new users that you want to create or existing users that have not been enabled for Linux User Management.

  4. On the first line in the file, include all the parameters you would normally use in connection with one instance of the namgroupadd command to create a Linux User Management-enabled user.

    For example, assume that your system doesn't currently contain the eDirectory object John.sales.example, and the first line contains

    -x ou=sales,o=example -g cn=Group1,ou=sales,o=example John

    When you run nambulkadd, the following occurs:

    • John is created as a Linux User Management-enabled user in sales.example.

    • John is added to the members list of the Linux User Management-enabled group Group1.sales.example.

  5. After creating a line in the userlist file for each user you want to enable for Linux User Management, save the file and run the utility by using the syntax specified in Syntax.

Considerations

The nambulkadd utility is designed specifically for enabling User and Group objects for Linux User Management. Keep the following points in mind as you plan to use the utility.

  • If a Group or User object already exists, the object is enabled for Linux User Management and is added to the appropriate member lists.

  • If the Group or User objects are already enabled for Linux User Management, the operation fails.

    The nambulkadd utility is only designed to enable groups and users for Linux User Management. It cannot be used to make other modifications after the enabling task is completed.

  • The groups specified in the userlist text file must have been previously enabled for Linux User Management, or they must be included in the grouplist text file processed during the same nambulkadd session.
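A pre-flight check for hand-written list files, covering the two failure modes described above: carriage returns left by Windows editors, and a userlist that references a group that is neither in the grouplist nor (as far as can be told offline) already enabled. This sh script is an added example, not part of the Novell documentation; it assumes one namgroupadd/namuseradd parameter line per file line, exactly as the procedure describes, and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example (not part of the Novell documentation): pre-flight checks for
# hand-written nambulkadd list files. Assumption: each line holds the
# parameters of one namgroupadd / namuseradd call as the procedure describes.

# Return 0 if the file contains a carriage return (the ^M / 0x0D that Windows
# editors append), else 1.
lum_has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# Rewrite the file without carriage returns (the "DOS to UNIX" cleanup).
lum_strip_cr() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print each group FDN referenced by -g in the userlist that is not defined in
# the grouplist (a grouplist line "-x CONTEXT ... NAME" defines cn=NAME,CONTEXT).
# Such a group must already be LUM-enabled in eDirectory, which cannot be
# verified offline, so it is reported for the administrator to confirm.
lum_unresolved_groups() {
    awk '
        FILENAME == ARGV[1] {
            ctx = ""
            for (i = 1; i < NF; i++) if ($i == "-x") ctx = $(i + 1)
            defined[tolower("cn=" $NF "," ctx)] = 1   # DNs compare case-insensitively
            next
        }
        {
            for (i = 1; i < NF; i++)
                if ($i == "-g" && !(tolower($(i + 1)) in defined)) print $(i + 1)
        }' "$1" "$2"
}

# Full pre-flight: clean both files, then list unresolved groups.
# Returns 0 when every referenced group is defined in the grouplist.
lum_preflight() {
    for f in "$1" "$2"; do
        if lum_has_cr "$f"; then
            echo "stripping CR characters from $f" >&2
            lum_strip_cr "$f"
        fi
    done
    missing=$(lum_unresolved_groups "$1" "$2")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | sed 's/^/not in grouplist, confirm it is LUM-enabled: /' >&2
    return 1
}

# Constructed sample input: the grouplist defines Group1; the userlist
# references Group1 and Group2, and one line carries a Windows CRLF ending.
lum_make_sample() {
    dir=$(mktemp -d)
    printf '%s\n'   '-x ou=sales,o=example -W LinuxSrvr1 Group1' > "$dir/grouplist.txt"
    printf '%s\r\n' '-x ou=sales,o=example -g cn=Group1,ou=sales,o=example John' > "$dir/userlist.txt"
    printf '%s\n'   '-x ou=sales,o=example -g cn=Group2,ou=sales,o=example Jane' >> "$dir/userlist.txt"
    echo "$dir"
}

# Stand-alone run against the constructed sample.
sample=$(lum_make_sample)
if lum_preflight "$sample/grouplist.txt" "$sample/userlist.txt"; then
    echo "lists are ready for nambulkadd"
else
    echo "fix the lists before running nambulkadd"
fi
```

Run `lum_preflight grouplist.txt userlist.txt` on the real files immediately before the nambulkadd invocation; because nambulkadd fails on objects that are already enabled, the unresolved-group report is the point at which to decide whether a group belongs in the grouplist or was enabled in an earlier session.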

7.2.3 namdiagtool

The namdiagtool is a command line utility that diagnoses the following errors in LUM deployments:

  • Ambiguity in usernames and group names, which results in users having incorrect rights.

  • Range conflicts between Unix Config objects.

  • Users who have a UID from the wrong Unix Config object, if there are multiple Unix Config objects in the tree.

  • Errors in the configuration of UNIX Config objects (UCO). The namdiagtool lists all the Unix Config objects in the tree to help you identify redundant Unix Config objects in the same hierarchy.

Syntax

namdiagtool [-a adminFDN] [-p bindpasswd] {-F [-i] [-g] [-l] [-b <base-name>] | -Q [-i] [-g] {-r | -w} | -D [-i] [-g] {-u <user-name> | -d <uidnumber>}}

Parameters

Table 7-2 namdiagtool parameters

Parameter

Description

-a <admin FDN>

The fully distinguished name of the administrator.

-p <password>

The password of the administrator. This is a mandatory option.

-r

Checks all of the users/groups associated with the Unix Config object. The Unix Config object is automatically identified from the nam.conf file.

-w

Checks all of the users associated with the workstation.

-i

Determines whether each user under the base context has the correct UID. It checks that the UID number is within the range of the Unix Config object, which shows whether the user was earlier assigned a UID from the wrong Unix Config object.

-g

Logs all of the statistics to a file that contains information about the users, groups, and workstations. This information can also be used for debugging.

-b

Gives the base context to search the Unix Config objects in the tree at a specific location. If the option is not used, the entire tree is searched for the Unix Config objects.

-d

Specifies the UID number.

-l

Lists all of the Unix Config objects in the tree. This option helps you identify any redundancies that are caused by the hierarchy of the Unix Config object placement.

-u

Specifies the username.

namdiagtool Usage Options

namdiagtool works in three modes:

  • Quick Mode: This option runs the namdiagtool in Quick mode, which checks a single UCO (UNIX config object) to see if there are multiple users and groups with the same name associated with the workstation.

    To run the tool in Quick mode, use the following parameters as described in Table 7-2: -a, -p, -r, -w, -i, -g.

    For example: namdiagtool -Q -a cn=admin,o=novell -p novell -r

  • Full Mode: This option runs the namdiagtool in Full mode, which checks all the Unix Config objects in the tree. This option is used if the administrator is not aware of the placement of the multiple Unix Config objects in the tree. It determines if there are multiple users and groups with the same name associated with the workstation.

    To run the tool in full mode, use the following parameters as described in Table 7-2: -a, -p, -i, -l, -g, -b.

    For example: namdiagtool -F -a cn=admin,o=novell -p novell -l

  • Direct Mode: This option runs the namdiagtool in the Direct mode, which diagnoses any ambiguity in the tree for the specified username or UID number.

    • If a username is specified, a check is run for duplicate names belonging to any of the groups associated with the workstation.

    • If a UID is specified, a check is run to see if there are any duplicate UID assignments.

    • Additionally, this option gives the details of group memberships and workstation associations. It also checks if the UID allocated is within the range of the Unix Config object.

    To run the tool in Direct mode, use the following parameters as described in Table 7-2: -a, -p, -u, -d, -g, -i.

    For example: namdiagtool -D -a cn=admin,o=novell -p novell -d 601
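The three conditions namdiagtool looks for (duplicate names, duplicate UIDs, and UIDs outside the Unix Config object's range) can also be checked offline over namuserlist output, which this page later describes as /etc/passwd format. The sh script below is an added example and not the namdiagtool's own logic; it takes the UID range as two arguments because it cannot read the Unix Config object the way namdiagtool does, and the passwd-format lines it builds are constructed, including one login name with the trailing 0x0D that a Windows-edited list produces (the "duplicate user" symptom described earlier).

```shell
#!/bin/sh
# Added example (not the namdiagtool's own code): run the duplicate-name,
# duplicate-UID and UID-range checks over /etc/passwd-format lines such as
# namuserlist prints. Assumption: the UID range is supplied as <low> <high>.

# Usage: lum_check_users <passwd-format-file> <uid-low> <uid-high>
# Prints one finding per line, tagged DUP-NAME, DUP-UID or OUT-OF-RANGE,
# and returns 0 only when there is nothing to report.
lum_check_users() {
    out=$(awk -F: -v lo="$2" -v hi="$3" '
        BEGIN { lo += 0; hi += 0 }
        {
            # LDAP names compare case-insensitively, and a trailing CR is the
            # classic reason two "different" users collapse into one.
            name = tolower($1); sub(/\r$/, "", name)
            uid = $3 + 0
            names[name]++; uids[uid]++
            if (uid < lo || uid > hi)
                printf "OUT-OF-RANGE %s uid=%d not in [%d,%d]\n", name, uid, lo, hi
        }
        END {
            for (n in names) if (names[n] > 1) printf "DUP-NAME %s x%d\n", n, names[n]
            for (u in uids)  if (uids[u]  > 1) printf "DUP-UID %d x%d\n", u, uids[u]
        }' "$1" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Number of findings; always returns 0 so it is safe inside $(...) with set -e.
lum_finding_count() {
    { lum_check_users "$@" || true; } | awk 'END { print NR }'
}

# Constructed sample: jane shares UID 601 with john, "john<CR>" is the
# Windows-editor duplicate of john, and bob's UID is outside 600-699.
lum_make_sample_passwd() {
    f=$(mktemp)
    printf '%s\n' 'john:x:601:601:John Smith:/home/john:/bin/bash' > "$f"
    printf '%s\n' 'jane:x:601:601:Jane Doe:/home/jane:/bin/bash' >> "$f"
    printf 'john\r%s\n' ':x:602:601:John Smith:/home/john:/bin/bash' >> "$f"
    printf '%s\n' 'bob:x:70000:601:Bob:/home/bob:/bin/bash' >> "$f"
    echo "$f"
}

# Stand-alone run against the constructed sample with range 600-699.
sample=$(lum_make_sample_passwd)
lum_check_users "$sample" 600 699 || echo "findings: $(lum_finding_count "$sample" 600 699)"
```

On a live system the input is `namuserlist -x <context>` redirected to a file, and the range is the one configured on the Unix Config object; a DUP-NAME finding whose two entries differ only by a trailing CR points straight back to a list file edited on Windows.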

7.2.4 namuseradd

The namuseradd utility is used to create a Linux User object in eDirectory with the attributes you specify on the command line. If a User object with the same name already exists under the specified eDirectory context, namuseradd checks whether the user is a Linux user or an eDirectory user. If the user is a Linux user, a message indicates that a Linux user with the same name already exists.

Syntax

The syntax of the namuseradd utility is as follows:

namuseradd [-a adminFDN] -w bindpasswd -x user_context [-c comment] [-d directory] [-e expiry_date] -g primary_groupFDN [-G groupFDN [-G groupFDN]...] [-m [-k skeldir]] [-n] [-s shell] [-D] [-P] [-p passwd] [-u uid [-o] [-f]] [-E pamServiceExclude [-E pamServiceExclude]...] login_name

Parameters

Table 7-3 namuseradd Parameters

Parameter

Description

-a adminFDN

The fully distinguished name of the eDirectory administrator.

-w bindpasswd

Specifies the bindpasswd as the password for simple authentication.

-x user_context

The fully distinguished eDirectory context in which the User object will be added.

-A

Enables all non-LUM users in the specified context. This option cannot be used with the -u, -o, -f, -d, and -P options. You must not specify the login_name with the -A option.

-c comment

Any text string; generally a short description of the user login.

-d directory

The home directory for the user. If this parameter is used with the -D option, this directory is used as the default home directory prefix while creating logins.

-e expiry_date

The expiration date for a login in mm/dd/yyyy format. After the specified date, no user can access this login.

-g primary_groupFDN

The full eDirectory context of the primary group of the user.

-G groupFDN

The full eDirectory context of the secondary group to which the user belongs. Multiple secondary groups can be specified by using the -G parameter multiple times.

-m

Creates the home directory on the local machine.

-k skeldir

A directory that contains skeleton information, such as user profile information, that can be copied into a new user's home directory. This directory must already exist.

-s shell

The full pathname of the program used as the login shell for the user.

-u uid

A unique User ID for the user.

-o

Allows the specified User ID to be duplicated (non-unique).

-f

Forces the User ID specified. This overrides the User ID range specified in the Unix Config object.

login_name

The login name of the user, which is also the CommonName for the user in eDirectory. This is a mandatory parameter.

-n

Disallows upgrading a NetWare user if a NetWare user with the same name already exists.

-P

Checks for the uniqueness of the specified name at the domain root before adding the User object.

-p passwd

Assigns the specified password to the user while adding the User object.

-D

Sets the default values in the /var/lib/novell-lum/namutils.inp file.

-E pamServiceExclude

The name of a service that uses PAM; the user is denied access to this service via PAM. The names should match the names of the services in the /etc/pam.d/ directory. Multiple services can be specified by using the -E option multiple times.

Defaults

The following default values are taken from the /var/lib/novell-lum/namutils.inp file, if they are not specified at the command line:

  • adminFDN: Fully distinguished name of the eDirectory administrator to be used while creating users. Set from the value provided with the -a option.

  • expiry_date: Default date when the login expires. Set from the value provided with the -e option.

  • directory: Default prefix for the user home directories. Set from the value provided with the -d option.

  • shell: Default shell. Set from the value provided with the -s option.

Format

The names of eDirectory objects can be specified in the following format:

cn=a,ou=b,ou=c,ou=d,ou=a,o=b,o=a and so on.

Examples

namuseradd -a cn=admin,o=novell -x ou=nam,o=novell -g cn=sale,o=novell -E sshd Dave

This adds a user, Dave, to the eDirectory context ou=nam,o=novell. Dave will not have SSH access to the Linux server/workstation.
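Because a -E name only takes effect if it matches a file in /etc/pam.d/, a misspelled service (ssh instead of sshd) silently excludes nothing. The sh functions below are an added example, not part of the Novell utilities: they check the -E names against a PAM directory passed as an argument (the real one is /etc/pam.d; a constructed directory is used when the script runs stand-alone) and check that an -e value has the mm/dd/yyyy shape the parameter table documents, before anything is handed to namuseradd.

```shell
#!/bin/sh
# Added example (not part of the Novell utilities): validate -E service names
# and the -e expiry date before calling namuseradd. Assumption: the PAM
# directory is passed in, so the checks can run against a constructed copy.

# Return 0 if every service name exists as a file in the PAM directory;
# otherwise print the unknown names to stderr and return 1.
lum_pam_services_exist() {
    pamdir=$1; shift
    bad=
    for svc in "$@"; do
        [ -f "$pamdir/$svc" ] || bad="$bad $svc"
    done
    [ -z "$bad" ] || { echo "unknown PAM service(s):$bad" >&2; return 1; }
}

# Return 0 if the argument has the mm/dd/yyyy shape namuseradd expects.
lum_valid_expiry() {
    printf '%s\n' "$1" | grep -Eq '^(0[1-9]|1[0-2])/(0[1-9]|[12][0-9]|3[01])/[0-9]{4}$'
}

# Check both inputs and print the namuseradd options that would be emitted.
# Usage: lum_check_useradd_args <pamdir> <expiry_date> <service>...
lum_check_useradd_args() {
    pamdir=$1 expiry=$2; shift 2
    lum_valid_expiry "$expiry" || { echo "bad expiry date: $expiry" >&2; return 1; }
    lum_pam_services_exist "$pamdir" "$@" || return 1
    opts="-e $expiry"
    for svc in "$@"; do opts="$opts -E $svc"; done
    printf '%s\n' "$opts"
}

# Constructed PAM directory with the two services used in this page's examples.
lum_make_sample_pamdir() {
    d=$(mktemp -d)
    : > "$d/sshd"
    : > "$d/ftp"
    echo "$d"
}

# Stand-alone run: one good and one misspelled exclusion list.
pam=$(lum_make_sample_pamdir)
lum_check_useradd_args "$pam" 12/31/2025 sshd ftp || echo "rejected"
lum_check_useradd_args "$pam" 12/31/2025 ssh || echo "rejected: fix the -E name before running namuseradd"
```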

7.2.5 namgroupadd

The namgroupadd utility is used to create a Linux Group object in eDirectory, with the attributes you specify on the command line. If a Group object with the same name already exists under the specified eDirectory context, namgroupadd checks whether the group is a Linux group or a NetWare group. By default, if the group is a NetWare group, namgroupadd upgrades the group to a Linux group, unless otherwise specified in the -n parameter. If the group is a Linux group, a message indicates that a Linux group with the same name already exists.

Syntax

The syntax of the namgroupadd utility is as follows:

namgroupadd [-a adminFDN] -w bindpasswd -x group_context {-A | -W workstation_name[,workstation_name]...} [-g gid [-o] [-f]] [-P] [-n] [-E pamServiceExclude [-E pamServiceExclude]...] group_name

Parameters

Table 7-4 namgroupadd Parameters

Parameter

Description

-a adminFDN

The fully distinguished name of the eDirectory administrator.

-w bindpasswd

Specifies bindpasswd as the password for simple authentication.

-x group_context

The fully distinguished eDirectory context under which the UNIX Group object will be added.

-W workstation_name

A comma-separated list of UNIX Workstation names (host names) to be added to the workstation list of the group. The group is also added to the members list of the UNIX Workstation object.

-g gid

The Group ID for the group.

-o

Allows the specified Group ID to be duplicated (non-unique).

-f

Forces the User ID specified. This will override the User ID range specified in Unix Config.

-P

Checks for the uniqueness of the specified name at the domain root before adding the Group object.

-A

Includes all workstations in the workstation list of the group.

-n

Disallows upgrading a NetWare group if a NetWare group with the same name already exists.

-E pamServiceExclude

The name of the services that use PAM to disallow access via PAM to this service. Names should match the names of the services in the /etc/pam.d/ directory. Multiple services can be specified by using the -E option multiple times.

group_name

The name of the group. This is a mandatory parameter.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

adminFDN

Examples

namgroupadd -W garfield -g 110 grp1 -E ftp

This adds a group named grp1 to a workstation named garfield and assigns it the group ID 110. The users of this group cannot access the FTP service on the Linux server via PAM.

namgroupadd -A -P -x ou=nam,o=novell grp2

This adds a group named grp2 to the specified eDirectory context, after first checking that the group does not already exist under the partition root.

7.2.6 namusermod

The namusermod utility is used to modify a Linux user's login in eDirectory. It changes the definition of the specified login and updates all the login-related system files.

Syntax

The syntax of the namusermod utility is as follows:

namusermod [-a adminFDN] -w bindpasswd [-c comment] [-d directory] [-m] [-e expiry_date] [-p passwd] [-g primary_groupFDN] [-G groupFDN [-G groupFDN]...] [-D groupFDN [-D groupFDN]...] [-u uid [-o] [-f]] [-s shell] [-l login_name] [-E pamServiceExclude [-E pamServiceExclude]...] [-R pamServiceExclude [-R pamServiceExclude]...] userFDN

Parameters

Table 7-5 namusermod Parameters

Parameter

Description

-a adminFDN

The fully distinguished name of the eDirectory administrator.

-w bindpasswd

Specifies bindpasswd as the password for simple authentication.

-c comment

Any text string, generally a short description of the user’s login.

-d directory

The user's home directory. If this parameter is used with the -m option, the existing home directory on the system is moved into the new home directory.

-m

Moves the user's home directory to the new directory specified with the -d option.

-e expiry_date

The expiration date for the login in mm/dd/yyyy format. After the specified date, no user can access the login.

-p passwd

Assigns the specified password to the user while modifying the User object.

-g primary_groupFDN

The full eDirectory context of the user’s primary group.

-G groupFDN

The full eDirectory context of the secondary group to which the user belongs. Multiple secondary groups can be specified by using the -G option multiple times.

-D groupFDN

Specify the full eDirectory context of a secondary group from which the User object is to be deleted. Multiple secondary groups can be specified by using the -D option multiple times.

-s shell

The full pathname of the program that is used as the user’s login shell.

-u uid

A new User ID for the user.

-o

Allows the specified User ID to be duplicated (non-unique).

-f

Forces the User ID specified. This overrides the User ID range specified in Unix Config.

-l login_name

Changes the user's login name by changing the CommonName and UniqueID for the user in eDirectory.

-E pamServiceExclude

The name of the services that use PAM to disallow user access via PAM to this service. The names should match the names of the services in the /etc/pam.d/ directory. Multiple services can be specified by using the -E option multiple times.

-R pamServiceExclude

The name of the services that use PAM to allow (remove from exclude list) user access via PAM to this service. The names should match the names of the services in the /etc/pam.d/ directory. Multiple services can be specified by using the -R option multiple times.

userFDN

The fully distinguished name of the User object to be modified. This is a mandatory value. Ensure that the user exists with the fully distinguished name as specified.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

adminFDN

Examples

namusermod -g cn=hrd,ou=unix_groups,o=novell -G cn=grp2,ou=nam,o=novell cn=John,ou=unix-users,o=novell

This replaces the existing primary group of a user named John with a group named hrd whose fully distinguished eDirectory context is provided; it also adds John to another group named grp2.

7.2.7 namgroupmod

The namgroupmod utility is used to modify the attributes of a Linux Group object in eDirectory.

Syntax

The syntax of the namgroupmod utility is as follows:

namgroupmod [-a adminFDN] -w bindpasswd [-W workstation_name[,workstation_name]...] [-d workstation_name[,workstation_name]...] [-P] [-g gid [-o] [-f]] [-n name] [-E pamServiceExclude [-E pamServiceExclude]...] [-R pamServiceExclude [-R pamServiceExclude]...] groupFDN

Parameters

Table 7-6 namgroupmod Parameters

Parameter

Description

-a adminFDN

The fully distinguished name of the eDirectory administrator.

-w bindpasswd

Specifies bindpasswd as the password for simple authentication.

-W workstation_name

A comma-separated list of UNIX Workstation names (host names) to be added to the workstation list of the group. The group is also added to the members list of the UNIX Workstation object.

-d workstation_name

A comma-separated list of UNIX Workstation names (host names) to be deleted from the workstation list of the group. The group is also deleted from the members list of the UNIX workstation object.

-P

Checks for the uniqueness of the specified name at the domain root before modifying the Group object.

-g gid

Specifies the Group ID for the group.

-o

Allows the specified Group ID to be duplicated (non-unique).

-f

Forces the Group ID specified. This overrides the Group ID range specified in Unix Config.

-n name

Changes the CommonName of the Linux Group object in eDirectory.

-E pamServiceExclude

The name of the services that use PAM to disallow access via PAM to this service. The names should match the names of the services in the /etc/pam.d/ directory. Multiple services can be specified by using the -E option multiple times.

-R pamServiceExclude

The name of the services that use PAM to allow (remove from exclude list) access via PAM to this service. The names should match the names of the services in the /etc/pam.d/ directory. Multiple services can be specified by using the -R option multiple times.

groupFDN

The fully distinguished name of the UNIX Group object. This is a mandatory parameter.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

-a

Examples

namgroupmod -W server1 -d server2 cn=grp1,ou=nam,o=novell -E sshd -R su

This adds a group named grp1 to a workstation named server1 and also removes it from the workstation named server2. The users of this group have access to the su service via PAM, but not to the SSH service via PAM on server1.

7.2.8 namuserdel

The namuserdel utility deletes a Linux user's login from eDirectory and updates all the login-related system files.

Syntax

The syntax of the namuserdel utility is as follows:

namuserdel [-a adminFDN][-w bindpasswd][-r] userFDN

Parameters

Table 7-7 namuserdel Parameters

Parameter

Description

-a adminFDN

Specify the fully distinguished name of the eDirectory administrator.

-w bindpasswd

Specify bindpasswd as the password for simple authentication.

-r

Remove the user's home directory from the system. This directory must exist; otherwise, an error is returned.

userFDN

Specify the fully distinguished name of the User object. You must provide this value.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

-a

Examples

namuserdel cn=usr1,ou=nam,o=novell

This deletes the user named usr1 from eDirectory.

7.2.9 namgroupdel

The namgroupdel utility deletes a Linux Group object from eDirectory and updates all the login-related system files appropriately.

Syntax

The syntax of the namgroupdel utility is as follows:

namgroupdel [-a adminFDN] -w bindpasswd groupFDN

Parameters

Table 7-8 namgroupdel Parameters

Parameter

Description

-a adminFDN

Specify the fully distinguished name of the eDirectory administrator.

-w bindpasswd

Specify bindpasswd as the password for simple authentication.

groupFDN

Specify the fully distinguished name of the UNIX Group Object being deleted. This is a mandatory parameter.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

-a

Examples

namgroupdel cn=grp1,ou=nam,o=novell

This removes the group named grp1.

7.2.10 namuserlist

The namuserlist utility lists the attributes of Linux User objects in eDirectory in /etc/passwd format. If you do not specify the user context, the attributes of all users in the current workstation are listed.

Syntax

The syntax of the namuserlist utility is as follows:

namuserlist {-x user_context | login_name}

Parameters

Table 7-9 namuserlist Parameters

Parameter

Description

-x user_context

Specify the user's fully distinguished eDirectory context.

login_name

Specify the user's login name, which is also the user's UniqueID (UID) in eDirectory.

Examples

namuserlist usr1

This displays the attributes of the user named usr1.

7.2.11 namgrouplist

The namgrouplist utility lists some of the attributes of Linux Group objects in eDirectory. Use iManager to see all of the attributes, including the UNIX Workstation objects associated with the Group.

Syntax

The syntax of the namgrouplist utility is as follows:

namgrouplist {-x group_context | group_name}

Parameters

Table 7-10 namgrouplist Parameters

Parameter

Description

-x group_context

Specify the fully distinguished eDirectory context of the group.

group_name

Specify the name of the group, and the CommonName for the group in eDirectory.

Examples

namgrouplist grp1

This lists the attributes of a group named grp1.