Provided by: cpu_1.4.3-11.3ubuntu1_i386

NAME

       cpu - a user administration tool for LDAP backends

SYNOPSIS

       cpu user{add,del,mod} [options] login

       cpu group{add,del,mod} [options] group

       cpu cat

DESCRIPTION

       The ldap module for cpu provides a means for administering groups and
       users stored on an LDAP backend. An effort has been made to maintain
       complete compatibility with the GNU/Linux versions of the shadow utils
       in terms of command line options. This module also supports several
       options that traditional user utilities do not, such as selecting
       which hash to use for the user, generating random or linear UIDs and
       GIDs, and pulling information for a user from existing password and
       shadow files.

LDAP OPTIONS

       The LDAP options are options that are used specifically  for  the  LDAP
       server.  They may be combined with any of the cpu functions.

       -2, --2
              Use LDAPv2 instead of LDAPv3

       -a file, --addfile=file
              If  a  filename  is  given, it will be parsed and any additional
              ldap attributes specified in this file will be added along  with
              the  user  or group. This file should not contain any attributes
              that CPU requires or that you  have  already  specified  in  the
              configuration  file.  If  you  do this the modification/addition
              will fail or create multivalued attributes. The  format  of  the
              file should be:

               <attrdesc>: <attrvalue>
               <attrdesc>: <attrvalue>
               <attrdesc>:: <base64-encoded-value>
               ...

       -A cn, --cn=cn
              This option specifies what the dn should look like for a user.
              If you specify -A foo for some user, their dn will look like
              foo=username,... This can be specified in the configuration file
              with USER_CN_STRING.

       -B base, --groupbase=base
              This is the base to search for groups in. This is  required  for
              useradd  and  for  any  group  functions. This should be a fully
              qualified   base   such   as   ou=groups,o=company,c=us.    This
              corresponds to the GROUP_BASE configuration option.

       -D bind_dn, --binddn=bind_dn
              The  bind_dn  should  be  a DN with adequate credentials for the
              operation that you  are  requesting.  This  corresponds  to  the
              BIND_DN configuration file option.

       -F[file], --passfile[=file]
              If  an argument is provided, that file should be of a Unix style
              password format. If no argument is provided,  the  configuration
              file variable PASSWORD_FILE will be used. Please be sure that
              the switch (-F or --passfile) has no trailing whitespace; it
              should be immediately followed by the argument. The information
              associated with the user will be used for populating their  LDAP
              entry (uid, gid, gecos, home directory, shell).

       -H hash, --hash=hash
              Hash  should  be one of sha1, md5, ssha1, smd5, crypt, or clear.
              This corresponds to the HASH configuration file variable. Select
              the hash that is being used at your site.

       -N hostname, --hostname=hostname
              Hostname  should  be  the  hostname  that  is  running  the LDAP
              service. This may be an IP address or hostname. This corresponds
              to the LDAP_HOST variable in the configuration file.

       -o, --nonposix
              Violate  POSIX naming standards and allow characters in user and
              group names not in the character  set  [A-Za-z0-9._-].  This  is
              useful for things like adding Samba machine accounts.

       -P port, --port=port
              Port  should  be  the port that the LDAP server is listening on.
              This corresponds to the LDAP_PORT option  in  the  configuration
              file.

       -R length, --random=random
              length  should  be  the  length  that  you would like a randomly
              generated password to be. This password will be displayed to the
              user.

       -S[file], --shadfile[=file]
              If  an argument is provided, that file should be of a Unix style
              shadow format. If no argument  is  provided,  the  configuration
              file variable SHADOW_FILE will be used. Please be sure that the
              switch (-S or --shadfile) has no trailing whitespace; it should
              be immediately followed by the argument. The information
              associated with the user will be used for populating their  LDAP
              entry  (password,  sp_lstchg, sp_min, sp_max, sp_warn, sp_inact,
              sp_expire).

       -t timeout, --timeout=timeout
              This value specifies how long (in seconds) to wait before LDAP
              operations time out. The corresponding configuration file
              option is TIMEOUT.

       -U base, --userbase=base
              This is the base to search for users in. This  is  required  for
              any  user  functions. This should be a fully qualified base such
              as ou=users,o=company,c=us. This corresponds  to  the  USER_BASE
              configuration option.

       -w[pass], --bindpass[=pass]
              If an argument is provided, that value will be used for the bind
              password. If no argument is provided, the user will be  prompted
              for  a  password.  This  option can be omitted by specifying the
              password in the configuration file with the option BIND_PASS. If
              a value is specified at the command line, the switch should have
              no whitespace following it.

       -x, --tls
              Try to starttls before talking with the ldap server.
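
       A pre-flight check for the file passed to -a/--addfile, as an added
       example that is not part of cpu or this manual. The RESERVED set is an
       assumption about which attributes cpu populates itself, the function
       name is hypothetical, and the sample file contents are constructed.

```python
import base64
import re

# Assumption: attributes cpu populates itself (RFC 2307 posixAccount plus the
# names this page mentions); extend with whatever your cpu.conf already sets.
RESERVED = {"uid", "cn", "uidnumber", "gidnumber", "homedirectory",
            "loginshell", "gecos", "userpassword", "givenname", "sn", "mail"}
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)\s*(.*)$")

# Constructed sample of an -a file, including lines that should be rejected.
SAMPLE = """\
description: build account
mail: ci@example.com
jpegPhoto:: QUJD
employeeType:: not*base64
description: second value
this line has no separator
"""

def lint_addfile(text, reserved=RESERVED):
    """Return (attributes, problems) for the contents of an -a file."""
    attrs, problems, seen = [], [], set()
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((num, "not '<attrdesc>: <attrvalue>'"))
            continue
        name, sep, value = m.groups()
        if sep == "::":  # double colon marks a base64-encoded value
            try:
                value = base64.b64decode(value, validate=True)
            except ValueError:
                problems.append((num, f"{name}: invalid base64"))
                continue
        key = name.split(";")[0].lower()
        if key in reserved:
            problems.append((num, f"{name}: already set by cpu"))
        elif key in seen:
            problems.append((num, f"{name}: repeated, will be multivalued"))
        seen.add(key)
        attrs.append((name, value))
    return attrs, problems

if __name__ == "__main__":
    for num, msg in lint_addfile(SAMPLE)[1]:
        print(f"line {num}: {msg}")
```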

       The following options can be used for populating LDAP attributes.

       -f name, --firstname=name
              Name is used in possible combination with lastname in  order  to
              have  a  more  complete  CN.  This  value  is  also used for the
              givenName (gn) attribute. This value is not required by RFC2307.

       -E name, --lastname=name
              Name is used in possible combination with firstname in order  to
              have a more complete CN. This value is also used for the surname
              (sn) attribute. This value is not required by RFC2307.

       -e address, --email=address
              The value address is used to populate the mail  attribute.  This
              attribute  is  not required by RFC2307 for posixAccount but many
              people's LDAP schemas do require it. inetOrgPerson is one object
              that contains it.

       The following options are not LDAP specific.

       -y, --yes
              Reply yes to any questions (such as whether it is ok to remove a
              directory)

       -h, --help
              Display help.

       -v, --verbose
              Turn the verbose level up.

       -V, --version
              Display the version of the module.

cpu cat

       The cat command will cause any users and  groups  stored  in  the  LDAP
       directory  to  be  displayed  in  a  Unix style format. cat requires no
       options.

cpu useradd [options] login

       The useradd function is used to add new users to an LDAP directory. The
       options  are  similar  to  those  used  by  traditional  GNU/Linux user
       administration utilities.

       -c comment, --gecos=comment
              The value specified is used to populate the gecos attribute. You
              can  specify a default value in the configuration file using the
              GECOS variable. This is not required by RFC2307. This  can  also
              be populated using the -F option (see above).

       -d home_dir, --directory=home_dir
              The new user will be created using home_dir as the value for the
              user's login directory.  The  default  is  to  append  login  to
              HOME_DIRECTORY (from the configuration file) and use that as the
              login directory name. This is required by RFC2307.

       -g initial_group, --gid=initial_group
              The group id or name of the user's initial login group. The
              group should exist but does not have to. CPU will search the
              LDAP directory and warn you if that group does not exist. If the
              group does exist, the user's gidNumber will be set to the
              gidNumber of that group. This is required by RFC2307. If
              unspecified, CPU will search for the next unused GID. This
              behavior can be adjusted by MAX_GIDNUMBER, MIN_GIDNUMBER,
              ID_MAX_PASSES, and RANDOM in the configuration file.

       -G group,[...] --sgroup=group,[...]
              A  list  of supplementary groups which the user is also a member
              of. Each group is separated from the next by a  comma,  with  no
              intervening  whitespace. CPU will search the directory for these
              groups, and if found, add the user to those groups. The  default
              is for the user to belong only to the initial group.

       -k[skeleton_dir] --skel[=skeleton_dir]
              This option is only useful if specified along with the -m
              option. If both are specified, the contents of skeleton_dir
              will be copied to the user's new home directory. If skeleton_dir
              is specified, there should be no whitespace between it and the
              command line switch. If skeleton_dir is not specified, the value
              of SKEL_DIR as specified in the configuration file will be used.

       -m, --makehome
              The user's home directory will be created if it does not  exist.
              The  files  contained in skeleton_dir will be copied to the home
              directory if the -k option is used. The -k option is only valid
              in conjunction with the -m option. The default is to not create
              the directory and to not copy any files.

       -p[passwd] --password[=password]
              The encrypted or unencrypted password. If no argument is given,
              the user is prompted to enter a password. If CPU was compiled
              with libcrack, the password will be checked for weakness. If the
              password is encrypted, hash (see -H) should be the hash type
              that was used. If no password is specified at the command line
              or found in the shadow file (if -S was used), * is used, which
              should lock the account.

       -s shell, --shell=shell
              The name of the user's login shell.  If  not  specified  at  the
              command   line   one  can  specify  it  with  the  DEFAULT_SHELL
              configuration file option. This is not required by RFC2307.

       -u uid, --uid=uid
              The numerical value of the user's ID. This value must be unique
              and non-negative. If unspecified, CPU will search
              for  an  unused  UID.  This  behavior   can   be   adjusted   by
              MAX_UIDNUMBER,  MIN_UIDNUMBER,  ID_MAX_PASSES, and RANDOM in the
              configuration file.

       -X script, --exec=script
              After the user has successfully been  added  to  the  directory,
              execute  this  script.  The  script is passed the login name. If
              this option is not supplied,  the  configuration  file  will  be
              checked for ADD_SCRIPT.
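
       How the digest choices for -H (and a pre-hashed value given to -p)
       differ once stored, as an added example that is not part of cpu or
       this manual. It assumes the names sha1, md5, ssha1 and smd5 correspond
       to the common LDAP userPassword prefixes {SHA}, {MD5}, {SSHA} and
       {SMD5}; the function names are hypothetical and the sample entries are
       constructed.

```python
import base64
import hashlib
import os

# Assumption: cpu's sha1/md5/ssha1/smd5 map to these userPassword prefixes.
# Each entry is (hashlib name, digest size in bytes, salted?).
DIGESTS = {"{SHA}": ("sha1", 20, False), "{MD5}": ("md5", 16, False),
           "{SSHA}": ("sha1", 20, True), "{SMD5}": ("md5", 16, True)}


def make_value(scheme, password, salt=None):
    """Build a userPassword value; salted schemes append the salt."""
    algo, _, salted = DIGESTS[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode()


def classify(value):
    """Label a stored value by the protection its scheme gives."""
    if value == "*":
        return "locked"
    scheme = value[:value.find("}") + 1].upper()
    if scheme == "{CRYPT}":
        return "crypt"
    if scheme not in DIGESTS:
        return "cleartext-or-unknown"
    _, size, salted = DIGESTS[scheme]
    blob = base64.b64decode(value[len(scheme):])
    return "salted" if salted and len(blob) > size else "unsalted"


# Constructed sample: three users share one password, one is locked.
SAMPLE = {
    "alice": make_value("{SSHA}", "correct horse"),
    "bob": make_value("{SHA}", "correct horse"),
    "carol": make_value("{SHA}", "correct horse"),
    "dave": "*",
    "erin": "hunter2",
}


def audit(entries):
    """Map each login to the classification of its stored value."""
    return {login: classify(v) for login, v in entries.items()}
```

       In the sample, bob and carol end up with identical stored values
       because the unsalted schemes map one password to one string, while
       alice's salted value matches neither.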

cpu usermod [options] login

       All options that apply to useradd also apply to usermod except for -k.

       -l login_name, --newusername=login_name
              The name of the user will be changed from login to login_name.
              The LDAP attributes cn and uid are changed to login_name, and
              the user's rdn is also modified. If specified in conjunction
              with the -m switch, the user's old home directory will be copied
              to the appropriate new location (see the -d switch for behavior).

       -L, --lock
              Lock the given user account

       -U, --unlock
              Unlock the given user account

cpu userdel [options] login

       The  userdel  command modifies the LDAP directory, deleting all entries
       that refer to login. The named user must exist. The options which apply
       to the userdel command are:

       -r, --removehome
              Files  in  the  user's home directory will be removed along with
              the home directory itself. The user's mail spool is not deleted.
              Files located in other file systems will have to be searched for
              and deleted manually.

       -X script, --exec=script
              After the user has successfully been removed from the directory,
              execute  this  script.  The  script is passed the login name. If
              this option is not supplied,  the  configuration  file  will  be
              checked for DEL_SCRIPT.

cpu groupadd [options] group

       The  groupadd  command  creates  a  new  group account using the values
       specified  on  the  command  line  and  the  default  values  from  the
       configuration  file.  The  new  group  will  be  entered  into the LDAP
       directory as needed. The options which apply to the groupadd command
       are:

       -g gid, --gid=gid
              The  numerical  value  of  the  group's ID. This value should be
              unique. The value  must  be  non-negative.  A  new  gid  can  be
              generated  by not specifying this option. This generation can be
              modified by changing the configuration file.

cpu groupmod [options] group

       The groupmod command modifies the group specified at the command  line.
       The options which apply to the groupmod command are:

       -g gid, --gid=gid
              The  numerical  value  of  the  group's ID. This value should be
              unique. The value must be non-negative.

       -n group_name, --newgroupname=group_name
              The name of the group will be changed from group to  group_name.
              The cn and rdn will also be modified.

cpu groupdel [options] group

       The  groupdel  command  removes the group specified at the command line
       from the LDAP directory.

SEE ALSO

       cpu.conf(5) cpu(8)

AUTHORS

       Blake Matheny <bmatheny@purdue.edu>

       The  current  version  of  this  software  is   always   available   at
       http://cpu.sourceforge.net

BUGS

       To report a bug or problem, please e-mail:

       cpu-users@lists.sourceforge.net

TODO

       See the TODO file that accompanied the software. Please e-mail us with
       any additional suggestions.

                               17 February 2003                    CPU-LDAP(8)