
man pages section 8: System Administration Commands


Updated: Wednesday, July 27, 2022

useradm (8)

Name

useradm - manage users and roles interactively

Synopsis

/usr/sbin/useradm add [-u uid] [-g group] [-G group[,group...]] [-d dir]
    [-s shell] [-c comment] [-f inactive] [-e expire] [-S [files | ldap]]
    [-P] [-K key[+|-]=value] [-R uri] username
/usr/sbin/useradm modify [-u uid] [-g group] [-G group[,group...]] [-d dir]
    [-s shell] [-c comment] [-f inactive] [-e expire]
    [-S [files | ldap]] [-P] [-K key[+|-]=value] [-D | -L | -N | -U | -F]
    [-q qualifier] [-R uri] username
/usr/sbin/useradm delete [-S [files | ldap]] [-q qualifier]
    [-R uri] username
/usr/sbin/useradm list [-S [files | ldap]] [-q qualifier] [-m] [-r]
    [-R uri] username

Description

The useradm command provides four subcommands that can be used to add, modify, delete or list the attributes of users and roles. It provides both traditional command line interfaces and a menu-driven interface based on curses(3CURSES). The program is a client of the Remote Access Daemon, see the rad(8) man page for more details. All data processing and policy checking is handled by the RAD server. By default, the local RAD service instance is used. However, a remote RAD service instance can be specified by using the –R option.

The username default@ is used to specify the default attributes for both local and LDAP accounts. The defaults for local accounts are equivalent to those specified by the –D option of useradd or roleadd command. They are applied when new accounts are created depending on the account type attribute. For more information, see useradd(8) and roleadd(8) man pages.

For LDAP accounts, multiple sets of default user attributes can be maintained in an LDAP account named default@ which should be created with the add subcommand. These defaults can be qualified to apply to specific hosts or netgroups by using the –q option with the modify subcommand. Matching attributes are applied at runtime to LDAP accounts which do not have explicit settings for any of the attributes listed in user_attr. For more information, see the user_attr(5) man page.

Options

The following options apply to both the interactive and command line modes. Unless otherwise stated they apply to all the subcommands.

–S files | ldap

Specifies the naming service repository to use. If not specified, the account is looked up in the order given by the name service switch; see nsswitch.conf(5). When adding a new account, the default name service is files.

By default, user attributes for LDAP accounts are maintained in the LDAP container for user_attr. User attribute settings can be overridden for the local host by specifying files with the –S option.

Entries stored in LDAP are read-only unless the shadow password option is enabled on the LDAP server.

–q qualifier

Specifies the hostname or netgroup to use for the attributes maintained in the LDAP container for user_attr. Netgroup names must be prefixed with a plus sign. This option applies only to previously existing accounts that are maintained using the LDAP name service.

–R uri

Specifies the URI to use when connecting to a remote RAD service. For example:

ssh://jdoe@foobar

If the URI is not specified, then the client's user ID and localhost are used.

Command Line Mode

The following options apply to both the add and modify subcommands when used in command line mode. Their behavior is identical to the corresponding options described in the useradd, roleadd, usermod, and rolemod commands. These descriptions are concise. For more information, see the useradd(8), roleadd(8), usermod(8), and rolemod(8) man pages.

–c comment

Specifies a short description of the username.

–d dir

Specifies the home directory of the user. If it is given in the form server:dir, an auto_home entry is created for the account.

–e expire

Specifies the expiration date for the account.

–f inactive

Specifies the maximum number of days allowed between uses of a login ID before it becomes invalid.

–g group

Specifies the numeric group ID or character-string group name of the primary group.

–G group[,group...]

Specifies the account's supplementary groups.

–K key[+|-]=value

Replaces (key=value), adds to (key+=value), or removes from (key-=value) the key=value attribute pairs of an account. The keys and their values are described in the user_attr(5) man page.

–s shell

Specifies the full pathname of the account's shell.

–u uid

Specifies the uid of the account.

–P

Specifies that a new password should be applied. If standard input is from a terminal, the user is prompted to enter the new password, and then prompted to confirm that value by re-entering it. If the entries match the new password is accepted.

The new password can also be supplied by redirecting standard input or by using a pipe. In those cases no prompts are issued; a single line is read from standard input and applied as the new password. Because the password arrives on standard input rather than as a command line argument, it is not exposed in the process argument list, but take care that whatever produces it does not leave the password in shell history or in a readable file.
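The following POSIX sh wrapper is an added example; it is not code from this man page or from Solaris. It shows the two points above in practice: the –K key[+|-]=value arguments are syntax-checked before they reach the RAD server (for the privilege keys it also applies the rule that a privilege may only be prefixed with ! for negation, the same rule the interactive editor enforces), and the new password is written to useradm's standard input with –P so it never appears on the command line. The account, profile and privilege names, the DRY_RUN and USERADM variables, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the useradm man page or the Solaris sources):
# a wrapper that validates -K key[+|-]=value arguments before calling
# useradm, and passes the new password on stdin rather than as an argument.
# Assumed: account/profile/privilege names are illustrative; DRY_RUN and
# USERADM are knobs of this wrapper, not of useradm itself.

USERADM=${USERADM:-/usr/sbin/useradm}
DRY_RUN=${DRY_RUN:-0}

# check_priv_list VALUE
# VALUE is a comma-separated list of privilege names; each may carry a
# leading '!' for negation, the only prefix useradm accepts for privileges.
check_priv_list() {
    [ -n "$1" ] || return 1
    _rest=$1,
    while [ -n "$_rest" ]; do
        _item=${_rest%%,*}
        _rest=${_rest#*,}
        _item=${_item#!}
        case $_item in
            ""|*[!a-z0-9_]*) return 1 ;;
        esac
    done
    return 0
}

# check_kv KEY[+|-]=VALUE
# Accepts the shape useradm -K takes: a key made of word characters, an
# optional + (add) or - (remove) modifier, '=' and a non-empty value.
# The privilege keys additionally get their value list checked.
check_kv() {
    case $1 in
        *=*) ;;
        *) return 1 ;;
    esac
    _key=${1%%=*}
    _val=${1#*=}
    [ -n "$_val" ] || return 1
    case $_key in
        *+|*-) _key=${_key%?} ;;
    esac
    case $_key in
        ""|*[!A-Za-z0-9_]*) return 1 ;;
        defaultpriv|limitpriv) check_priv_list "$_val" || return 1 ;;
    esac
    return 0
}

# run_useradm ARGS...
# With DRY_RUN=1 the command line is printed instead of executed.
run_useradm() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$USERADM"
        for _a; do printf ' %s' "$_a"; done
        printf '\n'
    else
        "$USERADM" "$@"
    fi
}

# add_role NAME PASSWORD KV...
# Creates a role (type=role) with the given attributes. The password is
# written to useradm's stdin, which is what -P reads when stdin is not a
# terminal; it is never placed on the command line.
add_role() {
    _name=$1; _pw=$2; shift 2
    for _kv; do
        check_kv "$_kv" || { echo "add_role: bad -K argument: $_kv" >&2; return 2; }
    done
    # Rebuild the positional parameters as "-K kv" pairs.
    set -- "$@" --END--
    while [ "$1" != --END-- ]; do
        set -- "$@" -K "$1"
        shift
    done
    shift
    printf '%s\n' "$_pw" | run_useradm add -K type=role "$@" -P "$_name"
}

# Example call (with DRY_RUN=1 it prints the command line instead):
#   add_role netadm "$NEWPW" 'profiles=Network Management' 'limitpriv=all,!sys_mount'
```

Run it with DRY_RUN=1 first to see the exact argument vector that will be sent to the RAD server; the password line goes through the pipe and is absent from that output. Keep the value with spaces ('Network Management') in one shell word, as shown, so it reaches useradm as a single –K argument.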

Options for modify Subcommand

The following options apply to the modify subcommand when used in command line mode. Their behavior is equivalent to the corresponding passwd options; with the exception of –N, the corresponding passwd option is the same letter in lowercase (–d, –l, –u, –f). See the passwd(1) man page for a complete description of the corresponding options.

–D

Deletes the password for the account and unlocks it.

–L

Locks the account.

–N

Makes the password for the account unusable for UNIX authentication.

–U

Unlocks the account.

–F

Forces the user to change the password at next login.

Options for list Subcommand

The following options apply to the list subcommand.

–m

Lists multiple accounts. The username field is used as a search filter and the attributes of all matching accounts are listed.

–r

Specifies that the role context should be used. Only matching role accounts are listed, when used with the –m option. The local defaults for roles can be listed with the –r option and the username default@. This is similar to using the –D option of roleadd command.

Interactive Mode

The add and modify subcommands operate in an interactive menu-driven mode when the only options specified are the name service, qualifier, or remote RAD service. There are menu-based equivalents for all of the command line options for adding and modifying accounts. Most properties provide submenus of valid choices. Context-based editors are provided for the remaining properties. In addition, passwords can be assigned or updated.

The primary menu contains the following items:

Help
Access Times
Account Type
Audit Flags
Authorizations
Full Name
Groups
Home Directory
Idle Session
Labels
PAM Policy
Password
Privileges
Profiles
Project
Role Access
Session Annotation
Shell
User ID
Commit
Exit

When operating in interactive mode the following keys are used to manage the menus:

RETURN

If the currently highlighted item has a submenu, indicated by >, it opens the submenu. If the currently highlighted item is a value, it selects the value and activates the previous menu.

SPACEBAR

Selects the currently highlighted item. If the item has a submenu indicated by >, it opens the submenu.

If the item is in a menu with Assigned and Available lists, it moves the item to the opposite list. Items in the Assigned list can be reordered by pressing SPACEBAR twice in quick succession, which moves the current item to the top of the Assigned list.

If the item is in a menu of mutually exclusive choices, the item is selected and the previous menu is activated.

RIGHT ARROW

Opens a new submenu of the currently highlighted item.

If the item is in the Assigned list of a menu with Assigned and Available lists, the item is made editable so that it can be customized.

LEFT ARROW

Closes the current menu and activates the previous menu.

UP ARROW

Highlights the item above the current item. The menu will automatically scroll to ensure that the highlighted item is always visible.

DOWN ARROW

Highlights the item below the current item. The menu will automatically scroll to ensure that the highlighted item is always visible.

Most lists are arranged alphabetically. Typing the first letter of an item highlights the first unique item in the list beginning with that letter.

For fields that are editable, the following special characters apply:

HOME

Moves the cursor to the beginning of the text.

END

Moves the cursor to the end of the text.

RETURN

Completes the editing mode.

LEFT ARROW

Completes the editing mode if the cursor is already at the beginning of the text.

When editing text, input that is inconsistent with the type of the field is rejected. For example, spaces are rejected except in the Full Name field, and integer fields accept only integers. Audit classes can only be prefixed with the characters ^, + and -, which specify exceptions (^) and success-only (+) or failure-only (-) auditing. Privileges can only be prefixed with !, which negates the privilege. See the user_attr(5) man page for the value syntax.

There are two account types: Normal and Role. A normal account can only be switched to a role account if it has no roles assigned to it. If the account type is normal then the Role Access menu shows the currently assigned and available roles. Otherwise, the menu shows the authentication credential that is required to assume the role.

The last two items of the primary menu are Commit and Exit. Nothing is saved unless Commit is selected. However, you can continue to make changes after committing current changes. The Exit command will prompt you if there are outstanding changes that have not been committed. You may then request that the changes are committed or discarded before exiting.

Environment Variables

The interactive mode uses curses(3CURSES) and the setting TERM=xterm-256color if the terminal supports color. Otherwise, the current foreground and background colors are used.

Exit Status

0

Success

>0

Failure

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            system/management/useradm
Interface Stability     Committed

See Also

rad(8), passwd(1), roleadd(8), rolemod(8), user_attr(5), useradd(8), userdel(8), usermod(8), clearance(7), privileges(7), rbac(7), nsswitch.conf(5), attributes(7)