This chapter contains the following topics:
Managing Oracle Internet Directory with Oracle Directory Services Manager and Command-Line Utilities
On Linux systems, you do not have to create each user's home directory when you migrate or add that user to Oracle Internet Directory. The client configuration script that you ran on each client computer enabled the creation of each user's home directory on first login. On operating systems other than Linux, however, you must manually create user home directories.
In addition to the Oracle Internet Directory tools ODSM, LDAP commands, and bulk tools, you can use some platform-specific tools to manage users and groups after you have configured Oracle Authentication Services for Operating Systems.
If your client has the libuser library and you have configured it to use Oracle Internet Directory, you can use system-config-users or luseradd to add users. When you invoke one of the libuser commands, it prompts you for the password for logging in to Oracle Internet Directory. See your operating system documentation for more information about system-config-users.
Note:
If you use system-config-users or other tools in the libuser package to add passwords or entries containing passwords, Oracle Internet Directory cannot enforce its password policies on those passwords. The libuser tools hash the password before sending it to Oracle Internet Directory, so the server never sees the cleartext value and cannot determine whether it meets the policy criteria. If password policy must apply, set or reset those passwords with ldapmodify, which sends the cleartext value to the directory.
The system-config-users tool requires that you configure your client and server for SSL.
Before using system-config-users, ensure that the user entries have all the required attributes shown in "Migrating from NIS to Oracle Internet Directory". The tool may report errors if attributes are missing.
You cannot use the non-libuser commands useradd, userdel, groupadd, or groupdel for user or group administrative tasks; they operate only on the local /etc/passwd and /etc/group files, not on the directory.
The Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory contains information about managing Oracle Internet Directory. See the "Directory Administration and Monitoring Tools" chapter for information on Oracle Directory Services Manager, the "Process Management" chapter for information on starting and stopping Oracle Internet Directory, and the "Using Bulk Tools" chapter for information on the bulk tools.
The Oracle Fusion Middleware Reference for Oracle Identity Management provides the syntax for Oracle Internet Directory command-line tools, including the bulk tools and LDAP tools.
See the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about modifying or deleting users and groups.
You can test whether a user has been added by using the following command:
ldapsearch -D cn=orcladmin -q -b 'searchbase' -s sub '(uid=username)'
where searchbase is the realm, for example, dc=us,dc=example,dc=com. The -q option prompts for the bind password instead of taking it on the command line, so it does not appear in the shell history or process list. You can also test the account by logging in as the user. For example, you can log in to one client from another by using ssh:
ssh -l username hostname
Once you are logged in, type:
id
to confirm that you are logged in as the correct user; the uid and gid it reports should match the uidnumber and gidnumber of the directory entry.
To change a user's password, you use the command:
ldapmodify -p port -h host -D binddn -q -v -f passwd_file
where passwd_file looks like this:
dn: userDN
changetype: modify
replace: userpassword
userpassword: new_password
Note:
After you have used passwd_file, delete it or remove the cleartext password. Because the new password is supplied in cleartext rather than pre-hashed, Oracle Internet Directory can evaluate it against its password policy.
Users can change their own passwords by using the passwd command.
To add users and groups from the command line you use a command line such as:
ldapadd -p port -h host -D binddn -q -v -f ldif_file
where ldif_file contains the information about the entry you are adding in LDIF format.
In the following ldif_file example, we create a user called jueno. The user is created in the user container ou=People,dc=us,dc=example,dc=com under the realm dc=us,dc=example,dc=com. To create a user, you must provide the following attributes: uid, homedirectory, loginshell, uidnumber, gidnumber, cn, objectclass, and userpassword (in cleartext). For compatibility with a variety of clients and with the system-config-users management tool, use all the object classes shown in the example.
dn: uid=jueno,ou=People,dc=us,dc=example,dc=com
uid: jueno
homedirectory: /home/jueno
loginshell: /bin/tcsh
uidnumber: 506
gidnumber: 506
cn: juri ueno
objectclass: posixAccount
objectclass: shadowAccount
objectclass: account
objectclass: top
userpassword: password
shadowwarning: -1
shadowmax: 99999
shadowlastchange: 13916
shadowexpire: -1
shadowmin: 0
shadowinactive: -1
gecos: jueno
After you have used the LDIF file, delete it or remove the cleartext password.
To add groups from the command line, you use the same command line you use to add users. That is:
ldapadd -p port -h host -D binddn -q -v -f ldif_file
In the following example, we create a group called kobukuro with group ID 505. The group is created in the group container ou=Group,dc=us,dc=example,dc=com in the realm dc=us,dc=example,dc=com. We also add a member, jueno, at the same time, by specifying the memberuid attribute and its value. The LDIF file looks like this:
dn: cn=kobukuro,ou=Group,dc=us,dc=example,dc=com
cn: kobukuro
gidnumber: 505
objectclass: posixGroup
objectclass: groupOfUniqueNames
objectclass: top
memberuid: jueno
Adding a member to the group at the same time is optional.
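The following Python helper is an added example for this section; it is not Oracle's code and is not part of this guide. It builds the three LDIF documents shown above (the user entry, the group entry, and the userpassword replacement used with ldapmodify), checks an entry, whether from an LDIF file or from ldapsearch output, for the attributes and object classes this section lists as required, and stages the file for the -f option with mode 0600, overwriting and deleting it afterwards so the cleartext password does not linger on disk. The realm, host, port, the MIN_USER_ID threshold, the assumed OID 11g option syntax and all sample values are assumptions.

```python
"""Build, check and safely stage LDIF for ldapadd/ldapmodify against OID.
Added example for this section; not Oracle's code. Realm, host, port,
MIN_USER_ID and the sample values are assumptions."""
import os
import stat
import tempfile
from datetime import date

USER_CLASSES = ("posixAccount", "shadowAccount", "account", "top")
GROUP_CLASSES = ("posixGroup", "groupOfUniqueNames", "top")
# Attributes the section lists as mandatory for a user entry.
REQUIRED_USER_ATTRS = ("uid", "homedirectory", "loginshell", "uidnumber",
                       "gidnumber", "cn", "objectclass", "userpassword")
MIN_USER_ID = 500  # assumption: lower ids are reserved for local system accounts

def days_since_epoch(y, m, d):
    """shadowlastchange is expressed in days since 1970-01-01."""
    return (date(y, m, d) - date(1970, 1, 1)).days

def user_ldif(realm, uid, uidnumber, gidnumber, cn, password,
              home=None, shell="/bin/bash", last_change_days=None):
    """LDIF for a new posixAccount under ou=People,<realm>."""
    if not (MIN_USER_ID <= uidnumber < 2 ** 32 and 0 < gidnumber < 2 ** 32):
        raise ValueError("uidnumber/gidnumber outside the allowed range")
    home = home or f"/home/{uid}"
    if last_change_days is None:
        t = date.today()
        last_change_days = days_since_epoch(t.year, t.month, t.day)
    lines = [f"dn: uid={uid},ou=People,{realm}", f"uid: {uid}",
             f"homedirectory: {home}", f"loginshell: {shell}",
             f"uidnumber: {uidnumber}", f"gidnumber: {gidnumber}", f"cn: {cn}"]
    lines += [f"objectclass: {oc}" for oc in USER_CLASSES]
    lines += [f"userpassword: {password}",   # cleartext, so OID can apply policy
              "shadowwarning: -1", "shadowmax: 99999",
              f"shadowlastchange: {last_change_days}", "shadowexpire: -1",
              "shadowmin: 0", "shadowinactive: -1", f"gecos: {uid}"]
    return "\n".join(lines) + "\n"

def group_ldif(realm, name, gidnumber, members=()):
    """LDIF for a new posixGroup under ou=Group,<realm>; members are optional."""
    lines = [f"dn: cn={name},ou=Group,{realm}", f"cn: {name}",
             f"gidnumber: {gidnumber}"]
    lines += [f"objectclass: {oc}" for oc in GROUP_CLASSES]
    lines += [f"memberuid: {m}" for m in members]
    return "\n".join(lines) + "\n"

def password_ldif(user_dn, new_password):
    """changetype: modify that replaces userpassword with a cleartext value."""
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"replace: userpassword\nuserpassword: {new_password}\n")

def parse_ldif(text):
    """Minimal single-entry LDIF parser (also fits ldapsearch output):
    returns {attribute_name_lowercased: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def missing_user_attrs(text):
    """Required attributes and object classes the entry lacks; [] when complete."""
    attrs = parse_ldif(text)
    missing = [a for a in REQUIRED_USER_ATTRS if a not in attrs]
    missing += [f"objectclass={oc}" for oc in USER_CLASSES
                if oc not in attrs.get("objectclass", [])]
    return missing

class StagedLdif:
    """Write LDIF to a mode-0600 temp file for the -f option, then overwrite
    and delete it so the cleartext password does not linger on disk."""
    def __init__(self, text):
        self.text, self.path = text, None

    def __enter__(self):
        fd, self.path = tempfile.mkstemp(suffix=".ldif")  # created 0600
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
        with os.fdopen(fd, "w") as f:
            f.write(self.text)
        return self.path

    def __exit__(self, *exc):
        with open(self.path, "r+b") as f:                 # best-effort scrub
            f.write(b"\0" * len(self.text.encode()))
        os.unlink(self.path)

def stage_demo(text):
    """Stage a file; return (permission bits while staged, exists afterwards)."""
    with StagedLdif(text) as path:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode, os.path.exists(path)

def ldapadd_argv(host, port, binddn, ldif_path):
    """argv for the section's ldapadd line; -q prompts for the bind password
    rather than exposing it on the command line (assumed OID 11g syntax)."""
    return ["ldapadd", "-p", str(port), "-h", host, "-D", binddn,
            "-q", "-v", "-f", ldif_path]
```

Typical use is `with StagedLdif(user_ldif(...)) as path:` followed by running `ldapadd_argv(host, port, binddn, path)` with subprocess; the file is scrubbed and removed when the block exits, which is the "delete it or remove the cleartext password" step done automatically. The same `missing_user_attrs` check can be run over the LDIF that ldapsearch prints for an existing entry before handing it to system-config-users.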
See the "Managing Password Policies" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
On AIX, the passwd utility does not display password policy errors. Instead, it displays:
3004-604 Your entry does not match the old password.