useradm - manage users and roles interactively
/usr/sbin/useradm add [-u uid] [-g group] [-d dir] [-s shell] [-c comment] [-f inactive] [-e expire] [-S [files | ldap]] [-P] [-K key[+|-]=value] [-R uri] username
/usr/sbin/useradm modify [-u uid] [-g group] [-d dir] [-s shell] [-c comment] [-f inactive] [-e expire] [-S [files | ldap]] [-P] [-K key[+|-]=value] [-P -D | -L | -F] [-R uri] username
/usr/sbin/useradm delete [-S [files | ldap]] [-q qualifier] [-R uri] username
/usr/sbin/useradm list [-S [files | ldap]] [-q qualifier] [-m] [-r] [-R uri] username
The useradm command provides four subcommands that can be used to add, modify, delete or list the attributes of users and roles. It provides both traditional command line interfaces and a menu-driven interface based on curses(3CURSES). The program is a client of the Remote Access Daemon, see the rad(8) man page for more details. All data processing and policy checking is handled by the RAD server. By default, the local RAD service instance is used. However, a remote RAD service instance can be specified by using the –R option.
The username default@ is used to specify the default attributes for both local and LDAP accounts. The defaults for local accounts are equivalent to those specified by the –D option of useradd or roleadd command. They are applied when new accounts are created depending on the account type attribute. For more information, see useradd(8) and roleadd(8) man pages.
For LDAP accounts, multiple sets of default user attributes can be maintained in an LDAP account named default@ which should be created with the add subcommand. These defaults can be qualified to apply to specific hosts or netgroups by using the –q option with the modify subcommand. Matching attributes are applied at runtime to LDAP accounts which do not have explicit settings for any of the attributes listed in user_attr. For more information, see the user_attr(5) man page.
The following options apply to both the interactive and command line modes. Unless otherwise stated they apply to all the subcommands.
Specifies the naming service repository to use. If not specified, the account is looked up using the order specified in the name switch. When adding a new account, the default name service is files.
By default, user attributes for LDAP accounts are maintained in the LDAP container for user_attr. User attribute setting can be overridden for the local host by specifying files with the –S option.
Entries stored in LDAP are read-only unless the shadow password option is enabled on the LDAP server.
Specifies the hostname or netgroup to use for the attributes maintained in the LDAP container for user_attr. Netgroup names must be preposed with a plus sign. This option applies only to previously existing accounts that are maintained using the LDAP name service.
Specifies the URI to use when connecting to a remote RAD service. For example:
ssh://jdoe@foobar
If the URI is not specified, then the client's user ID and localhost are used.
The following options apply to both the add and modify subcommands when used in command line mode. Their behavior is identical to the corresponding options described in the useradd, roleadd, usermod, and rolemod commands. These descriptions are concise. For more information, see the useradd(8), roleadd(8), usermod(8), and rolemod(8) man pages.
Specifies a short description of the username.
Specifies the home directory of the user. If specified in the form server:dir then an auto_home entry is created for the account.
Specifies the expiration date for the account.
Specifies the maximum number of days allowed between uses of a login ID before it becomes invalid.
Specifies the numeric group ID or character-string group name of the primary group.
Species the account's supplementary groups.
Replace, add, or remove items from the key=attribute pairs of an account. These are described in the user_attr(5) man page.
Specifies the full pathname of the account's shell.
Specifies the uid of the account.
Specifies that a new password should be applied. If standard input is from a terminal, the user is prompted to enter the new password, and then prompted to confirm that value by re-entering it. If the entries match the new password is accepted.
The new password can also be supplied by redirecting standard input or by using a pipe. In those cases no prompts are issued. Instead, a single line is read from standard input and applied as the new password.
The following options apply to the modify subcommand when used in command line mode. Their behavior is equivalent to the corresponding passwd options. However, except for the –N option, the equivalent passwd options are specified in lowercase. For more information, see the passwd(1) man page for a complete description of the corresponding options.
Deletes the password for the account and unlocks it.
Locks the account.
Makes the password for the account unusable for UNIX authentication.
Unlocks the account.
Forces the user to user to change the password at next login.
The following options apply to the list subcommand.
Lists multiple accounts. The username field is used as a search filter and the attributes of all matching accounts are listed.
Specifies that the role context should be used. Only matching role accounts are listed, when used with the –m option. The local defaults for roles can be listed with the –r option and the username default@. This is similar to using the –D option of roleadd command.
The add and modify subcommands operate in an interactive menu-driven mode, when the only options specified are the name service, qualifier, or remote RAD service. There are menu-based equivalents for all the of the command line options for adding and modifying accounts. Most properties provide submenus of valid choices. Context-based editors are provided for the remaining properties. In addition, passwords can be assigned or updated.
The primary menu contains the following items:
Help Access Times Account Type Audit Flags Authorizations Full Name Groups Home Directory Idle Session Labels PAM Policy Password Privileges Profiles Project Role Access Session Annotation Shell User ID Commit Exit
When operating in interactive mode the following keys are used to manage the menus:
If the currently highlighted item has a submenu, indicated by >, it opens the submenu. If the currently highlighted item is a value, it selects the value and activates the previous menu.
Selects the currently highlighted item. If the item has a submenu indicated by >, it opens the submenu.
If the item is in a menu with Assigned and Available list, it moves the item to the opposite list. Items in the Assigned list can be reordered by double clicking the space bar, which moves the current item to the top of the Assigned list.
If the item is in a menu of mutually exclusive choices, the item is selected and the previous menu is activated.
Opens a new submenu of the currently highlighted item.
If the item is in the Assigned list of items in a menu with Assigned and Available list, the item is made editable so that it can be customized.
Closes the current menu and activates the previous menu.
Highlights the item above the current item. The menu will automatically scroll to ensure that the highlighted item is always visible.
Highlights the item below the current item. The menu will automatically scroll to ensure that the highlighted item is always visible.
Most lists are arranged alphabetically. Typing the first letter of an item highlights the first unique item in the list beginning with that letter.
For fields that are editable, the following special characters apply:
Moves the cursor to the beginning of the text.
Moves the cursor to the end of the text.
Completes the editing mode.
Completes the editing mode if the cursor is already at the beginning of the text.
When editing text, input is rejected if it is inconsistent with the type of the field. For example, spaces are generally rejected except in the Full Name field. Integer fields only accept integers. Audit classes can only be prepended with the characters ^, + and -, which specify positive and negative exceptions. Privileges can only be prepended with ! which specifies negation.
There are two account types: Normal and Role. A normal account can only be switched to a role account if it has no roles assigned to it. If the account type is normal then the Role Access menu shows the currently assigned and available roles. Otherwise, the menu shows the authentication credential that is required to assume the role.
The last two items of the primary menu are Commit and Exit. Nothing is saved unless Commit is selected. However, you can continue to make changes after committing current changes. The Exit command will prompt you if there are outstanding changes that have not been committed. You may then request that the changes are committed or discarded before exiting.
The interactive mode uses curses(3CURSES) and the setting TERM=xterm-256color if the terminal supports color. Otherwise, the current foreground and background colors are used.
Success
Failure
See attributes(7) for descriptions of the following attributes:
|
rad(8), passwd(1), roleadd(8), rolemod(8), user_attr(5), useradd(8), userdel(8), usermod(8), clearance(7), privileges(7), rbac(7), nsswitch.conf(5), attributes(7)