Oracle® Authentication Services for Operating Systems Administrator's Guide
10g (10.1.4.0.1-OAS4OS)
E12023-01
6 Managing Oracle Authentication Services for Operating Systems

This chapter contains the following topics:

6.1 Creating Home Directories

On Linux systems, you do not have to create each user's home directory when you migrate or add that user to Oracle Internet Directory. The client configuration script that you ran on each client computer enabled the creation of each user's home directory on first login. On operating systems other than Linux, however, you must manually create user home directories.

6.2 Managing Users and Groups With libuser Tools

If your client has the libuser library and you have configured it to use Oracle Internet Directory, you can use system-config-users or luseradd to add users. When you invoke one of the libuser commands, it will prompt you for the password for logging into Oracle Internet Directory. See your operating system documentation for more information about system-config-users.


Note:

  • If you use system-config-users or other tools in the libuser package to add passwords or entries containing passwords, Oracle Internet Directory cannot enforce its password policies on those passwords. The reason is that the libuser tools generate a hashed password before sending it to Oracle Internet Directory, so Oracle Internet Directory cannot determine whether the password meets policy criteria or not.

  • The system-config-users tool requires that you configure your client and server for SSL.

  • Before using system-config-users, ensure that the user entries have all the required attributes shown in "Migrating from NIS to Oracle Internet Directory". The tool may report errors if fields are missing.

  • You cannot use the non-libuser commands useradd, userdel, groupadd, or groupdel for user or group administrative tasks.


If you do not have libuser, or you have not configured it to use Oracle Internet Directory, you can use ODM, LDAP commands, or bulk tools. See the Oracle Internet Directory Administrator's Guide for more information.

6.3 Managing Oracle Internet Directory With Oracle Directory Manager and Command-Line Utilities

The Oracle Internet Directory Administrator's Guide contains information about managing Oracle Internet Directory. See the "Directory Administration and Monitoring Tools" chapter for information on Oracle Directory Manager. See the "Process Management" chapter for information on starting and stopping Oracle Internet Directory. See the "Using Bulk Tools" chapter for information on the bulk tools.

The Oracle Identity Management User Reference provides the syntax for Oracle Internet Directory command-line tools, including the bulk tools and LDAP tools.

Please see the Oracle Internet Directory Administrator's Guide for information about modifying or deleting users and groups.

6.3.1 Testing Whether a User Has Been Added

You can test whether a user has been added by using the following command:

ldapsearch -D cn=orcladmin -w password -b 'searchbase' -s sub '(uid=username)'

where searchbase is the realm, for example dc=us,dc=oracle,dc=com. You can also test the account by logging in as the user, for example by using ssh to log in to one client from another:

ssh -l username hostname

Once you are logged in, type:

id

to confirm that you are logged in as the correct user.

6.3.2 Changing a User's Password by Using ldapmodify

To change a user's password, you use the command:

ldapmodify -p port -h host -D binddn -w old_password -v -f passwd_file

where passwd_file looks like this:

dn: userDN
changetype: modify
replace: userpassword
userpassword: new_password

Note:

  • After you have used passwd_file, delete it or remove the cleartext password.

  • Users can change their own passwords by using the passwd command.


6.3.3 Adding a User by Using ldapadd

To add users and groups from the command line, use a command such as:

ldapadd -p port -h host -D binddn -w bindpwd -v -f ldif_file

where ldif_file contains the information about the entry you are adding in LDIF format.

In the following ldif_file example, we create a user called jueno. The user is created in the user container ou=People,dc=us,dc=oracle,dc=com under the realm dc=us,dc=oracle,dc=com. To create a user, you must provide the following attributes: uid, homedirectory, loginshell, uidnumber, gidnumber, cn, objectclass, and userpassword (in cleartext). For compatibility with a variety of clients and with the system-config-users management tool, use all the object classes shown in the example.

dn: uid=jueno,ou=People,dc=us,dc=oracle,dc=com
uid: jueno
homedirectory: /home/jueno
loginshell: /bin/tcsh
uidnumber: 506
gidnumber: 506
cn: juri ueno
objectclass: posixAccount
objectclass: shadowAccount
objectclass: account
objectclass: top
userpassword: password
shadowwarning: -1
shadowmax: 99999
shadowlastchange: 13916
shadowexpire: -1
shadowmin: 0
shadowinactive: -1
gecos: jueno

After you have used the LDIF file, delete it or remove the cleartext password.
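As an added example that is not part of the Oracle guide, the shell functions below generate a user entry in the LDIF shape shown in this section, check it for the attributes the section lists as required before you run ldapadd (so that system-config-users does not later report missing fields, as the note in section 6.2 warns), and overwrite the cleartext userpassword once the file has been loaded. The realm dc=us,dc=oracle,dc=com, the ou=People container and /bin/bash as the login shell are assumed values taken from or chosen to match the example above.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide. Assumed values: the realm
# dc=us,dc=oracle,dc=com, the ou=People container, and /bin/bash as the shell.

# Attributes section 6.3.3 lists as mandatory for a new user entry.
REQUIRED_ATTRS="uid homedirectory loginshell uidnumber gidnumber cn objectclass userpassword"

# make_user_ldif UID UIDNUMBER GIDNUMBER "FULL NAME" PASSWORD  (writes LDIF to stdout)
make_user_ldif() {
    uid=$1; uidnum=$2; gidnum=$3; cn=$4; pw=$5
    days=$(( $(date +%s) / 86400 ))   # shadowlastchange counts days since the epoch
    printf 'dn: uid=%s,ou=People,dc=us,dc=oracle,dc=com\n' "$uid"
    printf 'uid: %s\nhomedirectory: /home/%s\nloginshell: /bin/bash\n' "$uid" "$uid"
    printf 'uidnumber: %s\ngidnumber: %s\ncn: %s\n' "$uidnum" "$gidnum" "$cn"
    printf 'objectclass: posixAccount\nobjectclass: shadowAccount\n'
    printf 'objectclass: account\nobjectclass: top\n'
    printf 'userpassword: %s\n' "$pw"
    printf 'shadowwarning: -1\nshadowmax: 99999\nshadowlastchange: %s\n' "$days"
    printf 'shadowexpire: -1\nshadowmin: 0\nshadowinactive: -1\ngecos: %s\n' "$uid"
}

# check_user_ldif FILE: exit status 0 if every required attribute is present,
# otherwise 1 with one "missing attribute" line per gap on stderr.
check_user_ldif() {
    rc=0
    for attr in $REQUIRED_ATTRS; do
        grep -qi "^$attr: " "$1" || { echo "missing attribute: $attr" >&2; rc=1; }
    done
    return $rc
}

# scrub_password FILE: after ldapadd has consumed the file, replace the cleartext
# value so the password does not linger on disk (deleting the file is the alternative).
scrub_password() {
    sed 's/^\([uU]ser[pP]assword: \).*/\1[REDACTED]/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Typical use (constructed values): build, verify, load, then scrub.
#   make_user_ldif jueno 506 506 "juri ueno" 'changeme' > jueno.ldif
#   check_user_ldif jueno.ldif && ldapadd -p port -h host -D binddn -w bindpwd -v -f jueno.ldif
#   scrub_password jueno.ldif
```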

6.3.4 Adding a Group by Using ldapadd

To add groups from the command line, you use the same command line you use to add users. That is:

ldapadd -p port -h host -D binddn -w bindpwd -v -f ldif_file

In the following example, we create a group called kobukuro with group ID 505. The group is created in the group container ou=Group,dc=us,dc=oracle,dc=com in the realm dc=us,dc=oracle,dc=com. We also add a member, jueno, at the same time, by specifying the memberuid attribute and its value. The LDIF file looks like this:

dn: cn=kobukuro,ou=Group,dc=us,dc=oracle,dc=com
cn: kobukuro
gidnumber: 505
objectclass: posixGroup
objectclass: groupOfUniqueNames
objectclass: top
memberuid: jueno

Adding a member to the group at the same time is optional.

6.4 Managing Password Policies

See the "Managing Password Policies" chapter in the Oracle Internet Directory Administrator's Guide.


Note:

If you use system-config-users or other tools in the libuser package to add passwords or entries containing passwords, Oracle Internet Directory cannot enforce its password policies on those passwords. The reason is that the libuser tools generate a hashed password before sending it to Oracle Internet Directory, so Oracle Internet Directory cannot determine whether the password meets policy criteria or not.