7.2 Using Command Line Utilities to Manage Users and Groups

Command line utilities let you create, modify, delete, and list both user and group accounts. This section describes these utilities and explains their usage. It also describes how you can use Novell iManager to assign Linux attributes to objects.

NOTE: The command line utilities read the input parameters they need from the /var/nam/namutilities.inp configuration file when those parameters are not specified on the command line. If the file is not present, the utilities (except namuserlist and namgrouplist) create it using system default values such as the account expiry time, the admin FDN, and the default Group object with which users are associated. The context under which User and Group objects are added is also set when any of the commands listed in this section is executed.

7.2.1 Security Considerations

The nambulkadd command involves authentication to eDirectory as the Admin user. If your interaction with the server can be viewed by others, you must set an environment variable with the Admin password rather than specifying the password on a command line.

To set the required environment variable,

  1. As root, enter the following at the shell prompt:

    export LUM_PWD=AdminPassword
    

    where AdminPassword is the password of the eDirectory Admin user.
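A plain `export` leaves the Admin password in the calling shell's environment for every later command. The following added shell function (not part of the Novell documentation or the LUM utilities) reads the password from the terminal or a pipe and exposes LUM_PWD to one child process only, so the secret is on neither the command line nor in the exported environment. It assumes the utility reads LUM_PWD when -w is omitted, as Table 7-1 states.

```shell
#!/bin/sh
# Added example: run one LUM command with LUM_PWD set for that command only.
# Not part of the Novell LUM utilities; assumes the utility reads LUM_PWD
# when -w is omitted (Table 7-1).
with_lum_pwd() {
    if [ -t 0 ]; then
        # interactive: prompt without echoing ("read -s" is bash-only, stty is POSIX)
        printf 'eDirectory Admin password: ' >&2
        stty -echo
        read -r pw
        stty echo
        printf '\n' >&2
    else
        # non-interactive (pipe or file): the first line of stdin is the password
        read -r pw
    fi
    # env(1) sets LUM_PWD in the environment of "$@" only; nothing is exported here
    env LUM_PWD="$pw" "$@"
    rc=$?
    unset pw
    return $rc
}

# Usage, typed at the shell prompt as root:
#   with_lum_pwd nambulkadd -a cn=admin,o=novell -u userlist.txt -g grouplist.txt
```

Note that a process's environment is still readable by root and by the same user through /proc, so this only removes the password from the command line (visible to every user via ps) and from the shell's own environment; it does not protect it from someone who already has root on the server.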

7.2.2 nambulkadd

The nambulkadd utility is used to do the following:

  • Create new users and groups that are enabled for Linux User Management.

  • Enable existing eDirectory users and groups for Linux User Management.

The nambulkadd utility was primarily designed to be used when copying data to an NSS volume on an OES for Linux server by using the Server Consolidation and Migration Toolkit. The utility helps you create the configuration files used by nambulkadd based on input from administrators at the time they run the utility.

For more information, see the Novell Server Consolidation and Migration Toolkit Administration Guide.

Syntax

The syntax of the nambulkadd command is as follows:

nambulkadd -a adminFDN [-w bindpasswd] -g groupListFile -u userListFile [-o] [-n]

Parameters

Table 7-1 nambulkadd Parameters

Parameter

Description

-a adminFDN

Specify the fully distinguished name of the eDirectory administrator in LDAP format.

-w bindpasswd

Specify bindpasswd as the password of the eDirectory Admin user. Alternatively, pass the password to nambulkadd through the environment variable LUM_PWD (export LUM_PWD=<password>) before running the utility. See Security Considerations.

-g groupListFile

Specify the full path to the file that contains the list of groups to be Linux-enabled.

-u userListFile

Specify the full path to the file that contains the list of users to be Linux-enabled.

-o

If this option is specified, the output from nambulkadd goes to standard output; otherwise the output goes to the /var/log/messages file.

-n

If this option is specified, nambulkadd does not refresh the Novell Storage Services cache for user IDs; otherwise nambulkadd triggers a background refresh of the Novell Storage Services cache.

Defaults

There are no default values associated with this utility.

Example

nambulkadd -a cn=admin,o=novell -u /sys/scu/lum/job1-userlist.txt -g /sys/scu/lum/job1-grouplist.txt

This enables Linux User Management for all the Group objects listed in job1-grouplist.txt and all the User objects listed in job1-userlist.txt.

Creating Customized Text Files for nambulkadd

Normally, the nambulkadd command processes text files created by the Novell Server Consolidation utility. However, you can create customized files to bulk-enable system users and groups.

  1. Using your favorite Linux text editor, create a text file for the eDirectory groups you want to enable for Linux User Management.

    These can be either new groups you want to create or existing groups that have not been enabled for Linux User Management.

    IMPORTANT: Do not use Windows editors to modify the list.

    If your custom list or the list generated by the Server Consolidation utility is edited with a Windows editor such as Notepad, Wordpad, or OpenOffice, the editor adds a ^M (x0D) character at the end of every line. If you run nambulkadd with a list edited and saved with one of these editors, it creates a new Linux User Management user with x0D in the username. Most utilities, such as ConsoleOne, do not display the x0D at the end of the username, so the object appears to be a duplicate User object.

    If Windows editors were previously used to edit the list, run the DOS-to-UNIX cleanup utility to remove the ^M (x0D) character from the user list.

  2. On the first line in the file, include all the parameters you would normally use in connection with one instance of the namgroupadd command to create a group enabled for Linux User Management.

    For example, if your system doesn't currently contain the eDirectory object Group1.sales.example, and the first line contains

    -x ou=sales,o=example -W LinuxSrvr1 Group1

    then when you run nambulkadd, the following occurs:

    • Group1 is created as a group enabled for Linux User Management in sales.example.

    • Group1.sales.example is added to the members list of the LinuxSrvr1 UNIX Workstation object that already exists in the tree.

    • LinuxSrvr1 is added to the workstation list of the newly created Group1.sales.example group.

  3. After creating a line in the file for each group you want to enable for Linux User Management, create a second file to contain information for the users you want to enable for Linux User Management.

    As with the group text file, the users in this file can be either new users that you want to create or existing users that have not been enabled for Linux User Management.

  4. On the first line in the file, include all the parameters you would normally use with one instance of the namuseradd command to create a Linux User Management-enabled user.

    For example, if your system doesn't currently contain the eDirectory object John.sales.example, and the first line contains

    -x ou=sales,o=example -g cn=Group1,ou=sales,o=example John

    then when you run nambulkadd, the following occurs:

    • John is created as a Linux User Management-enabled user in sales.example.

    • John is added to the members list of the Linux User Management-enabled group Group1.sales.example.

  5. After creating a line in the userlist file for each user you want to enable for Linux User Management, save the file and run the utility by using the syntax specified in Syntax.

Considerations to Keep in Mind

The nambulkadd utility is designed specifically for enabling User and Group objects for Linux User Management. Keep the following points in mind as you plan to use the utility.

  • If a Group or User object already exists, then the object is enabled for Linux User Management and added to the appropriate member lists.

  • If the Group or User objects are already enabled for Linux User Management the operation fails.

    The nambulkadd utility is only designed to enable groups and users for Linux User Management and cannot be used to make other modifications after that enabling task is completed.

  • The groups specified in the userlist text file must have been previously enabled for Linux User Management, or they must be included in the grouplist text file processed during the same nambulkadd session.
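The procedure above and the considerations that follow it give three things that are easy to get wrong in a hand-made list: CR characters left by a Windows editor, a user listed twice, and a user whose -g group is neither already enabled nor created in the same session. The following preflight script is an added example, not part of the Novell LUM utilities; it assumes the line format shown in steps 2 and 4 (namgroupadd/namuseradd style parameters with the object name as the last field) and only checks the "created in the same session" case for groups, since checking for already-enabled groups would require querying eDirectory.

```shell
#!/bin/sh
# Added preflight checks for nambulkadd list files (example code, not part of
# the Novell LUM utilities). Assumes one object per line, parameters first,
# object name last, as in the steps above.

# Write a copy of the file with CR (^M, 0x0D) terminators removed and print
# the copy's path; the original is left untouched for comparison.
strip_cr() {
    src="$1"
    dst="$1.unix"
    tr -d '\r' < "$src" > "$dst"
    printf '%s\n' "$dst"
}

# Succeed (exit 0) only if no line in the file still carries a CR.
has_no_cr() {
    ! grep -q "$(printf '\r')" "$1"
}

# Print object names (last field of each line) that occur more than once.
duplicate_names() {
    awk '{ print $NF }' "$1" | sort | uniq -d
}

# Every group given with -g in the user list must already be LUM-enabled or be
# created in the same session. This covers the second case only: the group's cn
# and its context (the -x value) must appear on one line of the group list.
# Prints each missing group FDN and returns 1 if any is missing.
missing_groups() {
    userlist="$1"
    grouplist="$2"
    rc=0
    for fdn in $(awk '{ for (i = 1; i < NF; i++) if ($i == "-g") print $(i+1) }' "$userlist"); do
        name=${fdn#cn=}; name=${name%%,*}   # cn=Group1,ou=sales,o=example -> Group1
        ctx=${fdn#*,}                       #                              -> ou=sales,o=example
        if ! awk -v n="$name" -v c="$ctx" '
                { ok = 0
                  for (i = 1; i < NF; i++) if ($i == "-x" && $(i+1) == c) ok = 1
                  if (ok && $NF == n) found = 1 }
                END { exit found ? 0 : 1 }' "$grouplist"; then
            printf '%s\n' "$fdn"
            rc=1
        fi
    done
    return $rc
}

# Run all checks on a user list and a group list; non-zero means "do not feed
# these files to nambulkadd yet".
preflight() {
    ul=$(strip_cr "$1")
    gl=$(strip_cr "$2")
    has_no_cr "$ul" && has_no_cr "$gl" || return 1
    dups=$(duplicate_names "$ul")
    if [ -n "$dups" ]; then
        printf 'duplicate user names: %s\n' "$dups"
        return 1
    fi
    missing_groups "$ul" "$gl" || return 1
}

# Constructed sample lists (not from a real migration), written with CRLF line
# endings as a Windows editor would leave them. Group2 is deliberately absent
# from the group list and John is deliberately listed twice.
work=$(mktemp -d)
printf '%s\r\n' '-x ou=sales,o=example -W LinuxSrvr1 Group1' > "$work/grouplist.txt"
printf '%s\r\n' \
    '-x ou=sales,o=example -g cn=Group1,ou=sales,o=example John' \
    '-x ou=sales,o=example -g cn=Group2,ou=sales,o=example Ann' \
    '-x ou=sales,o=example -g cn=Group1,ou=sales,o=example John' > "$work/userlist.txt"

preflight "$work/userlist.txt" "$work/grouplist.txt" \
    || echo "fix the lists before running nambulkadd"
```

Run the cleaned copies (the .unix files) through nambulkadd only once preflight succeeds; the checks cost nothing compared with cleaning up a tree in which users were created with x0D in their names.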

7.2.3 namdiagtool

The namdiagtool is a command line utility that lets you diagnose errors in LUM deployments.

The tool enables you to diagnose the following errors in LUM deployments:

  1. Ambiguous usernames and group names, which result in users having incorrect rights.

  2. UNIX config object (UCO) range conflicts.

  3. Users who have a UID from the wrong UCO, if there are multiple UCOs in the tree.

  4. Errors in the configuration of UCOs. namdiagtool lists all the UCOs present in the tree to help you identify redundant UCOs in the same hierarchy.

The tool works in three modes: Quick mode, Full mode, and Direct mode.

Syntax

namdiagtool <options [parameters]>

Parameters

Table 7-2 namdiagtool parameters

Parameter

Description

-a <admin FDN>

Specifies the fully distinguished name of the administrator. This is a mandatory option.

-p <password>

Specifies the password of the administrator. This is a mandatory option.

-r

Use this option to check all the users/groups associated with the UCO. The UCO is automatically identified from the nam.conf file.

-w

Use this option to check all the users associated with the workstation.

-i

Use this option to determine whether each user under the base context has the correct UID. It checks whether the UID number lies within the range of the UCO, which shows whether the user was earlier assigned a UID from the wrong UCO.

-g

Use this option to log all the statistics to a file that contains information about the users, groups, and workstations. This information can also be used for debugging.

-l

Use this option to list all the UCOs in the tree. This option helps you identify any redundancies that are caused by the hierarchy of the UCO placement.

-b

Use this option to give the base context under which to search for UCOs, so that only that part of the tree is examined. If the option is not used, the entire tree is searched for UCOs.

-d

Use this option to specify the UID number.

-u

Use this option to specify the username.

namdiagtool Usage Options

namdiagtool works in three modes: Quick mode, Full mode, and Direct mode.

  • Quick Mode: This option runs namdiagtool in Quick mode. This mode checks a single UCO (UNIX config object) to see whether there are multiple users and groups with the same name associated with the workstation.

    Use the following parameters as described in Table 7-2 to run the tool in Quick Mode: -a, -p, -r, -w, -i, -g.

    For example: namdiagtool -Q -a cn=admin,o=novell -p novell -r

  • Full Mode: This option runs namdiagtool in Full mode, which checks all the UCOs in the tree. Use this mode if you are not aware of the placement of the multiple UCOs in the tree. It determines whether there are multiple users and groups with the same name associated with the workstation.

    Use the following parameters as described in Table 7-2 to run the tool in Full Mode: -a, -p, -i, -l, -g, -b.

    For example: namdiagtool -F -a cn=admin,o=novell -p novell -l

  • Direct Mode: This option runs the namdiagtool in the Direct mode which diagnoses any ambiguity in the tree for the specified username or UID number.

    1. If a username is specified, a check is run for duplicate names belonging to any of the groups associated with the workstation.

    2. If a UID is specified, a check is run to see if there are any duplicate UID assignments.

    3. Additionally, this option gives the details of group memberships and workstation associations. It also checks if the UID allocated is within the range of the UCO.

    Use the following parameters as described in Table 7-2 to run the tool in Direct Mode: -a, -p, -u, -d, -g, -i.

    For example: namdiagtool -D -a cn=admin,o=novell -p novell -d 601
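The three conditions namdiagtool reports, duplicate names, duplicate UIDs and UIDs outside the UCO range, can also be checked offline on the /etc/passwd-format output that namuserlist produces (Section 7.2.10), which is useful when comparing what the tree holds against what a workstation actually resolves. The script below is an added example and is not part of namdiagtool or namuserlist; the records, UIDs and the range 600-700 are constructed.

```shell
#!/bin/sh
# Added example (not part of namdiagtool): the duplicate-name, duplicate-UID and
# UID-out-of-range conditions that namdiagtool reports, checked over
# /etc/passwd-format lines such as namuserlist prints.

# Constructed sample records; names, UIDs and the UCO range are made up.
sample_passwd='john:x:601:601:John Doe:/home/john:/bin/bash
ann:x:602:601:Ann Lee:/home/ann:/bin/bash
john:x:650:601:John Smith:/home/john2:/bin/bash
bob:x:602:601:Bob Ray:/home/bob:/bin/bash
eve:x:9001:601:Eve Moss:/home/eve:/bin/bash'

# Usernames that occur more than once: two directory objects resolve to one
# Linux login name, so whichever object is found first gets the rights.
dup_names() {
    printf '%s\n' "$1" | cut -d: -f1 | sort | uniq -d
}

# UIDs assigned to more than one user: two logins share one set of file rights.
dup_uids() {
    printf '%s\n' "$1" | cut -d: -f3 | sort -n | uniq -d
}

# Users whose UID lies outside the UCO range [lo, hi]; such a user was most
# likely given its UID by a different UCO (the -i check in Table 7-2).
uid_out_of_range() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" \
        '$3 + 0 < lo || $3 + 0 > hi { print $1 ":" $3 }'
}

# Run all three checks; returns 1 if any problem was found.
diag_report() {
    records="$1"; lo="$2"; hi="$3"; rc=0
    for check in dup_names dup_uids uid_out_of_range; do
        hits=$("$check" "$records" "$lo" "$hi")
        if [ -n "$hits" ]; then
            printf '%s: %s\n' "$check" "$(printf '%s' "$hits" | tr '\n' ' ')"
            rc=1
        fi
    done
    return $rc
}

diag_report "$sample_passwd" 600 700
```

Feed it real data with `diag_report "$(namuserlist -x ou=lum,o=novell)" lo hi`, where lo and hi are the UID range configured on the workstation's UCO; the duplicate-name check is the one that matters most for rights, because it is the condition a plain /etc/passwd lookup silently resolves in favour of the first match.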

7.2.4 namuseradd

The namuseradd utility is used to create a Linux User object in eDirectory with the attributes you specify on the command line. If a User object with the same name already exists under the specified eDirectory context, namuseradd checks whether the user is a Linux user or an eDirectory user. If the user is a Linux user, a message indicates that a Linux user with the same name already exists.

Syntax

The syntax of the namuseradd utility is as follows:

namuseradd [-a adminFDN] [-w bindpasswd] -x user_context [-c comment] [-d directory] [-e expiry_date] -g primary_groupFDN [-G groupFDN [-G groupFDN]...] [-m [-k skeldir]] [-n] [-s shell] [-D] [-P] [-p passwd] [-u uid [-o] [-f]] [-E pamServiceExclude [-E pamServiceExclude]...] login_name

Parameters

Table 7-3 namuseradd Parameters

Parameter

Description

-a adminFDN

Specify the fully distinguished name of the eDirectory administrator.

-w bindpasswd

Specify bindpasswd as the password for simple authentication.

-x user_context

Specify the fully distinguished eDirectory context in which the User object is to be added.

-c comment

Any text string; generally a short description of the user login.

-d directory

Specify the home directory for the user. If used with the -D option, this is used as the default home directory prefix while creating logins.

-e expiry_date

Specify the expiration date for a login in mm/dd/yyyy format. After the specified date no user will be able to access this login.

-g primary_groupFDN

Specify the full eDirectory context of the primary group of the user.

-G groupFDN

Specify the full eDirectory context of the secondary group to which the user belongs. Multiple secondary groups can be specified by using the -G option multiple times.

-m

Create the home directory on the local machine.

-k skeldir

A directory that contains skeleton information, such as user profile information, that can be copied into a new user's home directory. This directory must already exist.

-s shell

Specify the full pathname of the program used as the login shell for the user.

-u uid

Specify a unique User ID for the user.

-o

Allow the specified User ID to be duplicated (non-unique).

-f

Force the specified User ID. This overrides the User ID range specified in the UNIX Config object.

login name

Specify the login name of the user, which is also the CommonName for the user in eDirectory. You must provide this value.

-n

Disallow upgrading a NetWare user if a NetWare user with the specified name already exists.

-P

Check for the uniqueness of the specified name at the domain root before adding the User object.

-p passwd

Assign the specified password to the user while adding the User object.

-D

Set the default values in the /var/lib/novell-lum/namutils.inp file.

-E pamServiceExclude

Specify the name of a service that uses PAM, to disallow this user access to that service via PAM. The name must match the name of the service in the /etc/pam.d/ directory. Multiple services can be specified by using the -E option multiple times.

Defaults

The following default values are taken from the /var/lib/novell-lum/namutils.inp file, if they are not specified at the command line:

  • adminFDN: Taken from the value provided with the -a option.

  • expiry_date: Default date when the login expires. Taken from the value provided with the -e option.

  • directory: Default prefix for the user home directories. Taken from the value provided with the -d option.

  • shell: Default shell. Taken from the value provided with the -s option.

Examples

namuseradd -a cn=admin,o=novell -x ou=lum,o=novell -g cn=other,ou=linux_groups,o=novell Dave

This adds a user, Dave, to the eDirectory context ou=lum,o=novell that has the primary group of other.

7.2.5 namgroupadd

The namgroupadd utility is used to create a Linux Group object in eDirectory with the attributes you specify on the command line. If a Group object with the same name already exists under the specified eDirectory context, namgroupadd checks whether the group is a Linux group or a NetWare group. By default, if the group is a NetWare group, namgroupadd upgrades it to a Linux group unless you specify the -n parameter. If the group is a Linux group, a message indicates that a Linux group with the same name already exists.

Syntax

The syntax of the namgroupadd utility is as follows:

namgroupadd [-a adminFDN] [-w bindpasswd] -x group_context [-A | -W workstation_name[,workstation_name...]] [-g gid [-o]] [-P] [-n] group_name

Parameters

Table 7-4 namgroupadd Parameters

Parameter

Description

-a

Specify the fully distinguished name of the eDirectory administrator.

-w

Specify the password for simple authentication.

-x

Specify the fully distinguished eDirectory context in which the Group object is to be added.

-A

Include all workstations in the workstation list of the group.

-W

Specify a comma-separated list of Workstation objects to be added to the workstation list of the group. The group is also added to the members list of the Workstation object.

-g

Specify the Group ID for the group.

-o

Allow the specified Group ID to be duplicated (non-unique).

-P

Check for the uniqueness of the specified name at the domain root before adding the Group object.

-n

Disallow upgrading a NetWare group if a NetWare group with the same name already exists.

group_name

Specify the fully distinguished name of the group. This is a mandatory parameter.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

adminFDN

Examples

namgroupadd -W garfield -g 110 grp1

This adds a group named grp1 to a workstation named garfield and assigns it the group ID 110.

namgroupadd -P -x ou=nam,o=novell -A grp2

This adds a group named grp2 to the specified eDirectory context, after first checking that the group does not already exist under the partition root.

7.2.6 namusermod

The namusermod utility is used to modify a Linux user's login in eDirectory. It changes the definition of the specified login and updates all the login-related system files appropriately.

Syntax

The syntax of the namusermod utility is as follows:

namusermod [-a adminFDN] [-w bindpasswd] [-c comment] [-d directory] [-e expiry_date] [-p passwd] [-g primary_groupFDN] [-G groupFDN [-G groupFDN]...] [-D groupFDN [-D groupFDN]...] [-u uid [-o]] [-s shell] userFDN

Parameters

Table 7-5 namusermod Parameters

Parameter

Description

-a

Specify the fully distinguished name of the eDirectory administrator.

-w

Specify the password for simple authentication.

-c

Any text string, generally a short description of the user login.

-d

Specify the home directory for the user. If used with the parameter -D, this is taken as the default home directory prefix while creating logins.

-e

Specify the expiration date after which no user can access this account. Use the mm/dd/yy format.

-p

Assign the specified password to the user while adding the User object.

-g

Specify the full eDirectory context of the primary group of the user.

-G

Specify the full eDirectory context of the secondary group to which the user belongs. Multiple groups can be specified by using the -G option multiple times.

-D

Specify the full eDirectory context of the secondary group to which the user belongs. Multiple groups can be specified by using the -D option multiple times.

-u

Specify a unique User ID for the user.

-o

Allow the specified User ID to be duplicated (non-unique).

-s

Specify the full pathname of the program used as the login shell for the user.

userFDN

Specify the user's fully distinguished name (FDN) in eDirectory. This is a mandatory parameter.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

adminFDN

Examples

namusermod -g cn=hrd,ou=Linux_groups,o=novell -G cn=grp2,ou=nam,o=novell cn=John,ou=unixuser,o=novell

This replaces the existing primary group of a user named John with a group named hrd whose fully distinguished eDirectory context is provided; it also adds John to another group named grp2.

7.2.7 namgroupmod

The namgroupmod utility is used to modify the attributes of a Linux Group object in eDirectory.

Syntax

The syntax of the namgroupmod utility is as follows:

namgroupmod [-a adminFDN] [-w bindpasswd] [-W workstation_name [-W workstation_name]...] [-d workstation_name] [-P] [-g gid] [-o] [-n name] groupFDN

Parameters

Table 7-6 namgroupmod Parameters

Parameter

Description

-a

Specify the fully distinguished name of the eDirectory administrator.

-w

Specify the password for simple authentication.

-W

Specify the name of the Workstation object to be added to the workstation list of the group. The group is also added to the members list of the Workstation object. Multiple workstations can be specified by using the -W option multiple times.

-d

Specify the fully distinguished eDirectory context of the Workstation object to be deleted from the workstation list of the group. The group is also deleted from the members list of the Workstation object. Multiple workstations can be specified by using the -d option multiple times.

-P

Check for the uniqueness of the specified name at the domain root before modifying the Group object.

-g

Specify the Group ID for the group.

-o

Allow the specified Group ID to be duplicated (non-unique).

-n

Change the CommonName of the Linux Group object in eDirectory.

groupFDN

Specify the fully distinguished name of the group. This is a mandatory parameter.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

adminFDN

Examples

namgroupmod -W linux10 -d garfield cn=grp1,ou=nam,o=novell

This adds a group named grp1 to a workstation named linux10 and also removes it from the workstation named garfield.

7.2.8 namuserdel

The namuserdel utility deletes a Linux user's login from eDirectory and updates all the login-related system files appropriately.

Syntax

The syntax of the namuserdel utility is as follows:

namuserdel [-a adminFDN][-w bindpasswd][-r] userFDN

Parameters

Table 7-7 namuserdel Parameters

Parameter

Description

-a

Specify the fully distinguished name of the eDirectory administrator.

-w

Specify the password for simple authentication.

-r

Remove the user's home directory from the system.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

adminFDN

Examples

namuserdel cn=usr1,ou=nam,o=novell

This deletes the user named usr1 from eDirectory.

7.2.9 namgroupdel

The namgroupdel utility deletes a Linux Group object from eDirectory and updates all the login-related system files appropriately.

Syntax

The syntax of the namgroupdel utility is as follows:

namgroupdel [-a adminFDN] [-w bindpasswd] groupFDN

Parameters

Table 7-8 namgroupdel Parameters

Parameter

Description

-a

Specify the fully distinguished name of the eDirectory administrator.

-w

Specify the password for simple authentication.

 

groupFDN

Specify the fully distinguished name of the group to be deleted. This is a mandatory parameter.

Defaults

The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not specified at the command line:

adminFDN

Examples

namgroupdel cn=grp1,ou=nam,o=novell

This removes the group named grp1.

7.2.10 namuserlist

The namuserlist utility lists the attributes of Linux User objects in eDirectory in /etc/passwd format. If you do not specify the user context, the attributes of all users in the current workstation are listed.

Syntax

The syntax of the namuserlist utility is as follows:

namuserlist {-x user_context : user_name}

Parameters

Table 7-9 namuserlist Parameters

Parameter

Description

-x user_context

Specify the fully distinguished eDirectory context of the user.

user_name

Specify the user's login name, which is also the user's CommonName in eDirectory.

Examples

namuserlist usr1

This displays the attributes of the user named usr1.

7.2.11 namgrouplist

The namgrouplist utility lists some of the attributes of Linux Group objects in eDirectory. Use iManager to see all of the attributes, including the UNIX Workstation objects associated with the Group.

Syntax

The syntax of the namgrouplist utility is as follows:

namgrouplist {-x group_context : group_name}

Parameters

Table 7-10 namgrouplist Parameters

Parameter

Description

-x group_context

Specify the fully distinguished eDirectory context of the group.

group_name

Specify the fully distinguished name of the group.

Examples

namgrouplist grp1

This lists the attributes of a group named grp1.