--- ../tmp/ldaplist.1.txt	Fri Apr  4 13:39:01 2008
+++ ldaplist.1.txt.standalone	Wed Apr 16 09:59:56 2008
@@ -1,251 +1,377 @@
 User Commands                                         ldaplist(1)
 
 
 
 NAME
      ldaplist - search and list naming information from  an  LDAP
      directory using the configured profile
 
 SYNOPSIS
-     /usr/bin/ldaplist [-dlv] [database [key]...]
 
+     /usr/bin/ldaplist  [-dlv]  [-h LDAP_server[:serverPort]  [-M
+     domainName] [-N  profileName] [-a  authenticationMethod] [-P
+     certifPath]  [-D  bindDN] [-w  bindPassword]  [-j  filename]
+     [database [key]...]
 
      /usr/bin/ldaplist -h
 
+     /usr/bin/ldaplist -g
 
 DESCRIPTION
-     The ldaplist utility  searches  for  and  lists  the  naming
-     information  from  the LDAP directory service defined in the
-     LDAP configuration files generated by ldapclient(1M)  during
-     the  client  initialization  phase.  The Solaris LDAP client
-     must be set up in order to use this utility.
+     If   the  -h  LDAP_server[:serverPort] option is  specified,
+     ldaplist establishes  a connection to the  server pointed to
+     by the option in order to obtain a DUAProfile specified
+     by -N option.  Then ldaplist lists the  information from the
+     directory described by the configuration obtained.
 
+     By default (if the -h LDAP_server[:serverPort] option is not
+     specified), the  utility searches  for and lists  the naming
+     information from  the LDAP directory service  defined in the
+     LDAP configuration files  generated by ldapclient(1M) during
+     the client initialization phase. In order to use the utility
+     in the default mode, the Solaris  LDAP client must be set up
+     in advance.
 
      The database is either a container name or a  database  name
      as  defined  in  nsswitch.conf(4). A container is a non-leaf
      entry in the Directory Information Tree (DIT) that  contains
      naming  service  information. The container name is the LDAP
      Relative Distinguished Name (RDN) of the container  relative
      to  the  defaultSearchBase  as  defined in the configuration
      files. For example, for a  container  named  ou=people,  the
      database  name  is  the database specified in nsswitch.conf.
      This database is mapped to a container, for example,  passwd
      maps  to  ou=people. If an invalid database is specified, it
      is   mapped   to   a   generic   container,   for   example,
      nisMapName=name).
 
 
      The key is the attribute value to be searched in  the  data-
      base.  You  can  specify more than one key to be searched in
      the same database. The key can be specified in either of two
      forms:  attribute=value  or  value.  In the first case, lda-
      plist passes the search key to the  server.  In  the  latter
      case, an attribute is assigned depending on how the database
      is specified. If the database is a container name, then  the
      "cn"  attribute  type  is  used.  If the database is a valid
      database name as defined in the nsswitch.conf, then a prede-
      fined attribute type is used (see table below). If the data-
      base is an invalid database name, then cn  is  used  as  the
      attribute type.
 
 
      The ldaplist utility relies on the Schema defined in the RFC
      2307bis,  currently  an  IETF  draft. The data stored on the
      LDAP server must be stored based on this Schema, unless  the
      profile contains schema mapping definitions. For more infor-
      mation on schema mapping see ldapclient(1M).  The  following
      table  lists  the default mapping from the database names to
      the container, the LDAP object class, and the attribute type
      used if not defined in the key.
 
        Database     Object Class     Attribute Type    Container
 
        aliases      mailGroup        cn                ou=Aliases
        automount    nisObject        cn                automountMapName=auto_*
        bootparams   bootableDevice   cn                ou=Ethers
        ethers       ieee802Device    cn                ou=Ethers
        group        posixgroup       cn                ou=Group
        hosts        ipHost           cn                ou=Hosts
        ipnodes      ipHost           cn                ou=Hosts
        netgroup     ipNetgroup       cn                ou=Netgroup
        netmasks     ipNetwork        ipnetworknumber   ou=Networks
        networks     ipNetwork        ipnetworknumber   ou=Networks
        passwd       posixAccount     uid               ou=People
        protocols    ipProtocol       cn                ou=Protocols
        publickey    nisKeyObject     uidnumber         ou=People
-                                    cn                ou=Hosts
+                                     cn                ou=Hosts
        rpc          oncRpc           cn                ou=Rpc
        services     ipService        cn                ou=Services
        printers     printerService   printer-uri       ou=printers
        auth_attr    SolarisAuthAttr  nameT             ou=SolarisAuthAttr
        prof_attr    SolarisProfAttr  nameT             ou=SolarisProfAttr
        exec_attr    SolarisExecAttr  nameT             ou=SolarisProfAttr
        user_attr    SolarisUserAttr  uidT              ou=people
        audit_user   SolarisAuditUser uidT              ou=people
 
 
 
 
      The following databases are available only if the system  is
      configured with Trusted Extensions:
 
        tnrhtp      ipTnetTemplate   ipTnetTemplateName ou=ipTnet
        tnrhdb      ipTnetHost       ipTnetNumber       ou=ipTnet
 
 
 
          o    For the automount database,  auto_*,  in  the  con-
               tainer  column,  represents auto_home, auto_direct,
               ...
 
          o    For the publickey database, if the key starts  with
               a digit, it is interpreted as an uid number. If the
               key starts with a non-digit, it is interpreted as a
               host name.
 
 
      The ldaplist utility supports substring search by using  the
      wildcard  "*"  in  the  key.  For example, "my*" matches any
      strings that starts with "my". In some  shell  environments,
      keys containing the wildcard may need to be quoted.
 
 
      If the key is not  specified,  all  the  containers  in  the
      current search baseDN is listed.
 
 OPTIONS
      The following options are supported:
 
      -d    Lists  the  attributes  for  the  specified  database,
            rather  than  the entries. By default, the entries are
            listed.
 
 
-     -h    Lists the database mapping.
+     -g    Lists the database mapping.
 
 
+     -h    (Deprecated) Lists the database mapping.
+
+
      -l    Lists all the attributes for each entry  matching  the
            search  criteria.  By default, ldaplist lists only the
            Distinguished Name of the entries found.
 
 
      -v    Sets verbose mode. The ldaplist  utility  also  prints
            the filter used to search for the entry. The filter is
            prefixed with "+++".
 
+     -a authenticationMethod
 
+         Specify authentication method. The default value is what
+         has  been  configured  in  the  profile.  The  supported
+         authentication methods are:
+
+              simple
+              sasl/CRAM-MD5
+              sasl/DIGEST-MD5
+              tls:simple
+              tls:sasl/CRAM-MD5
+              tls:sasl/DIGEST-MD5
+
+         Selecting simple causes passwords to be  sent  over  the
+         network  in clear text. Its use is strongly discouraged.
+         Additionally, if the client is configured with a profile
+         which  uses  no  authentication,  that  is,  either  the
+         credentialLevel attribute is set to anonymous or authen-
+         ticationMethod  is  set  to none, the user must use this
+         option to provide an authentication method.
+
+
+
+     -D bindDN
+
+         Specifies an entry which  has  read  permission  to  the
+         requested database.
+
+
+     -h LDAP_server[:serverPort]
+
+         An address (or a name) and a port of  the LDAP server in
+         which  the entries   will be stored.  The current naming
+         service specified  in  the  nsswitch.conf  file is used.
+         The  default  value  for  the  port  is 389, unless when
+         TLS is specified in the authentication method.  In  this
+         case, the default LDAP server port number is 636.
+
+     -M  domainName
+
+         A  name  of  a domain served  by the specified  server.
+         If not specified, the default domain name will be used.
+
+     -N profileName
+
+         Specify  a  DUAProfile  name.  A  profile  with  such  a
+         name is supposed to exist  on the server specified by -H
+         option. The  default value is default.
+
+     -P certifPath
+
+         A certificate  path to  the location  of the certificate
+         database.  The value is the path where security database
+         files reside. This is used for  TLS  support,  which  is
+         specified in the authenticationMethod and serviceAuthen-
+         ticationMethod attributes. The default is /var/ldap.
+
+     -w bind_password		Password to be used for authenti-
+				cating the bindDN. If this param-
+				eter is missing, the command will
+				prompt for a password. NULL pass-
+				words are not supported in LDAP.
+
+				When you use -w bind_password  to
+				specify  the  password to be used
+				for authentication, the  password
+				is  visible to other users of the
+				system by means of  the  ps  com-
+				mand, in script files or in shell
+				history.
+
+				If the  value of "-"  is supplied
+				as a  password, the  command will
+				prompt for a password.
+
+
+     -j filename		Specify  a  file  containing  the
+				password for  the bind DN  or the
+				password for the SSL client's key
+				database.    To    protect    the
+				password,  use   this  option  in
+				scripts and place the password in
+				a  secure  file. This  option  is
+				mutually exclusive of the -w opt-
+				ion.
+
 EXAMPLES
      Example 1 Listing All Entries in the Hosts Database
 
 
      The following example lists all entries in the  hosts  data-
      base:
 
 
        example% ldaplist hosts
 
 
 
      Example 2 Listing All Entries  in  a  Non-Standard  Database
      ou=new
 
 
      The following example lists all entries  in  a  non-standard
      database:
 
 
        example% ldaplist ou=new
 
 
      Example 3 Finding user1 in the passwd Database
 
 
      The following example finds user1 in the passwd database:
 
 
        example% ldaplist passwd user1
 
 
 
      Example 4 Finding the Entry With Service Port of 4045 in the
      services Database
 
 
      The following example finds the entry with the service  port
      of 4045 in the services database:
 
 
        example% ldaplist services ipServicePort=4045
 
 
 
      Example 5 Finding All Users With Username Starting with  new
      in the passwd Database
 
 
      The following example finds  all  users  with  the  username
      starting with new in the passwd database:
 
 
        example% ldaplist passwd 'new*'
 
 
 
      Example 6 Listing the Attributes for the hosts Database
 
 
      The following example lists the  attributes  for  the  hosts
      database:
 
 
        example% ldaplist -d hosts
 
 
+     Example 7 Finding "user1"  in the passwd Database.  An LDAP
+     server is specified explicitly.
 
+       example% ldaplist -H 10.10.10.10:3890 \
+            -M another.domain.name -N special_duaprofile \
+            -D "cn=directory manager" -w secret \
+            user1
+
+ 
+
 EXIT STATUS
      The following exit values are returned:
 
      0    Successfully matched some entries.
 
 
      1    Successfully searched the table  and  no  matches  were
           found.
 
 
      2    An error occurred. An error message is output.
 
 
 FILES
      /var/ldap/ldap_client_file    Files that  contain  the  LDAP
      /var/ldap/ldap_client_cred    configuration  of  the client.
                                    Do not manually  modify  these
                                    files.  Their  content  is not
                                    guaranteed to be  human  read-
                                    able.  To  update these files,
                                    use ldapclient(1M)
 
 
+CAVEATS
+
+
+     Currently  StartTLS  is  not  supported   by   libldap.so.5,
+     therefore the  port  number  provided  refers  to  the  port
+     used during a  TLS  open,  versus  the  port  used  as  part
+     of a StartTLS sequence.
+
+     Example
+
+        -h foo:1000 -a tls:simple
+
+        Refers to a raw TLS open on host foo  port  1000,  not  a
+        open,  StartTLS  sequence  on  an  unsecured  port  1000.
+        If  port  1000  is  unsecured  the  connection  will  not
+        be made.
+
+
 ATTRIBUTES
      See attributes(5) for descriptions of the  following  attri-
      butes:
 
 
 
      ____________________________________________________________
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     |_____________________________|_____________________________|
     | Availability                | SUNWnisu                    |
     |_____________________________|_____________________________|
-    | Interface Stability         | Evolving                    |
+    | Interface Stability         | Committed                   |
     |_____________________________|_____________________________|
 
 
 SEE ALSO
      ldap(1),  ldapadd(1),  ldapdelete(1),  ldapmodify(1),  ldap-
      modrdn(1),  ldapsearch(1), idsconfig(1M), ldap_cachemgr(1M),
      ldapaddent(1M),       ldapclient(1M),        suninstall(1M),
      resolv.conf(4), attributes(5)
 
 NOTES
      RFC 2307bis is an IETF informational document in draft stage
      that defines an approach for using LDAP as a naming service.
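Review bot: the -h flag ends up with two conflicting meanings inside the same OPTIONS section of this hunk. The new entry `-h LDAP_server[:serverPort]` takes a server argument, while the retained line `-h    (Deprecated) Lists the database mapping.` and the unchanged SYNOPSIS form `/usr/bin/ldaplist -h` still treat a bare -h as the mapping-listing flag; an option parser cannot honour both, so either drop the deprecated -h entry and the bare -h synopsis line (the -g form now covers that use) or give the server option a different letter. Relatedly, the -N description refers to "the server specified by -H option" and Example 7 invokes `ldaplist -H 10.10.10.10:3890`, an uppercase -H that appears nowhere in SYNOPSIS or OPTIONS; settle on one case and use it throughout, and add the closing bracket missing after the `-h LDAP_server[:serverPort]` group in the new SYNOPSIS. Example 7 also passes the bind password on the command line (`-D "cn=directory manager" -w secret`) even though the -w text added in this same hunk warns that such a password is visible to other users via ps, script files and shell history and recommends -j for scripts; the example should use -j filename, or -w - to be prompted, so the worked example does not contradict the option's own guidance. Minor: the -w entry is labelled bind_password while SYNOPSIS says bindPassword, and the CAVEATS wording "not a open, StartTLS sequence" reads as a garbled "not an open followed by a StartTLS sequence".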
