dseditgroup

group record manipulation tool.

dseditgroup [options] [parameters] groupname
             -o operation   perform (read, create, delete, edit, checkmember) operation with given groupname
             -p             prompt for authentication password
             -q             disables interactive verification
             -v             verbose logging to stdout

       parameters:
             -m member      username to use for checkmember option
             -n nodename    directory node location of group record
             -u username    authenticate with admin username
             -P password    authentication password
             -a recordname  name of the record to add
             -d recordname  name of the record to delete
             -t recordtype  type of the record to add or delete
             -T grouptype   type of group to create or modify
             -L             maintain ComputerLists in parallel with ComputerGroups
             -i gid         gid to add/replace
             -g guid        GUID to add/replace
             -S sid         SID to add/replace
             -r realname    realname to add/replace
             -k keyword     keyword to add
             -c comment     comment to add/replace
             -s timetolive  seconds to live to add/replace
             -f n | l       change the group's format - 'n' for the new group format and 'l' for the legacy group format

dseditgroup allows manipulation of a single named group record on either the default local node or the specified
     DirectoryService node. For the "read" operation the authentication search policy (/Search node) is consulted. Default
     behaviour is presented below after a discussion of each operation and the possible parameters.

     -o operation
              "read" then the parameters of the specified groupname will be displayed. This is the default option. The
              authentication search policy (/Search node) will be used.

              "create" then create a group with the specified groupname on either the default local node or the specified
              DirectoryService node.

              "delete" then delete a group with the specified groupname on either the default local node or the specified
              DirectoryService node.

              "edit" then edit a group with the specified groupname on either the default local node or the specified
              DirectoryService node.

              "checkmember" then check if the user specified with -m or current logged in user is a member of the specified
              groupname. The authentication search policy (/Search node) is used to find the member. The specified node
              (defaults to the authentication search policy) is used to find the group. If the specified node is not on the
              authentication search policy the behaviour is undefined.

     -p       prompt for password to use in conjunction with the specified username.

     -q        disables interactive verification of replace or delete operations.

     -v       enables the logging of the DirectoryService API calls and their return codes.

     Parameters and their descriptions:

     -m member The username of the account to verify group membership when using -o checkmember

     -n nodename Directory Service node name such as /LDAPv3/ldap.company.com and whose default value is the local node. "." can
              also be used to specify the local node.

     -u username the administrator username to authenticate as.

     -P password the password to use in conjunction with the specified username. Supplying it on the command line exposes
              it to every local user via the process list (ps) and to shell history; prefer -p, which prompts for it.

     -a recordname name of the record to be added to the group specified by groupname. This name is resolved to the first
              record found on the authentication search policy when a search is made with this recordname and the given
              recordtype.

     -d recordname name of the record to be deleted from the group specified by groupname. This name is resolved to the
              first record found on the authentication search policy when a search is made with this recordname and the
              given recordtype.

     -t recordtype user, computer, group, or computergroup.

     -T grouptype group or computergroup.

     -L       with computergroup will also maintain the computerlist if it exists or create it if a computergroup is created.

     -i gid   numeric group id to add or replace. A gid is generated if not specified for a create.

     -g guid  text representation of a 128-bit id to add or replace.

     -S sid   SID to add or replace.

     -r realname the group's display name (realname) to add or replace.

     -k keyword keyword to add.

     -c comment comment to add or replace.

     -s timetolive seconds this record is deemed valid as a cached value. A default value is used if not specified for a
              create.

DEFAULT BEHAVIOUR
     dseditgroup mygroup

     This simple version of the command will default to:

     dseditgroup -o read -n . -u $USER mygroup

     The output will be the parameters of the "mygroup" group record if the shell user has read access to the local node's
     group record of name "mygroup".

EXAMPLES
     dseditgroup extragroup

     dseditgroup -o read extragroup

              Display the attributes of the group extragroup from the local node (both forms are equivalent, since "read"
              is the default operation).

     dseditgroup -o create -n /LDAPv3/ldap.company.com -u myusername -P mypassword -r "Extra Group" -c "a nice comment" -s
              3600 -k "some keyword" extragroup

              The group extragroup is created on the node /LDAPv3/ldap.company.com with the realname, comment,
              timetolive (3600 instead of the default of 14400 = 4 hours) and keyword attribute values given, if the user
              myusername has supplied a correct password and has write access.

     dseditgroup -o delete -n /LDAPv3/ldap.company.com -u myusername -P mypassword extragroup

              The group extragroup is deleted from the node /LDAPv3/ldap.company.com if the user myusername has supplied
              a correct password and has write access.

     dseditgroup -o edit -n /LDAPv3/ldap.company.com -u myusername -p -a username -t user extragroup

              The user username is added to the group extragroup on the node /LDAPv3/ldap.company.com if username is
              found in a user record on the search policy and the correct password is presented interactively for the
              user myusername, who also needs write access.

     dseditgroup -o edit -n /LDAPv3/ldap.company.com -u myusername -P mypassword -a mysubgroup -t group extragroup

              The group mysubgroup is added as a nested group of extragroup on the node /LDAPv3/ldap.company.com if
              mysubgroup is found in a group record on the search policy and the user myusername has supplied a correct
              password and has write access.

     dseditgroup -o edit -n /LDAPv3/ldap.company.com -u myusername -p -d username -t user extragroup

              The user username is removed from the group extragroup on the node /LDAPv3/ldap.company.com if the correct
              password is presented interactively for the user myusername, who also needs write access.

     dseditgroup -o checkmember extragroup

              Writes out a message stating whether the current user is a member of extragroup on the authentication
              search policy.

     dseditgroup -o checkmember -n . extragroup

              Writes out a message stating whether the current user is a member of extragroup on the local node.

     dseditgroup -n /LDAPv3/ldap.company.com -o checkmember -m user extragroup

              Writes out a message stating whether the user user (found in /Search) is a member of extragroup on the
              specified node /LDAPv3/ldap.company.com. The node /LDAPv3/ldap.company.com needs to be on the
              authentication search policy for a valid answer.
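     The checkmember operation is what a script uses to audit group membership, for example to find accounts in the
     local admin group that are not on an allowlist. The shell functions below are an added example and are not part of
     this man page. They assume (as scripts commonly rely on, but this page does not state) that "dseditgroup -o
     checkmember" exits with status 0 when the account is a member and non-zero otherwise, and that "dscl . -list
     /Users" lists local account names; the group name admin and the allowlist are illustrative. They use -p rather than
     -P so the administrator password never appears in the process list.

```shell
#!/bin/sh
# Added example: membership audit and edit helpers around dseditgroup.
# Assumption (not stated in the man page): "dseditgroup -o checkmember"
# exits 0 when the account is a member and non-zero when it is not.

# is_member USER GROUP [NODE] -> exit status 0 if USER is in GROUP.
# NODE defaults to the authentication search policy; "." means the local node.
is_member() {
    user=$1; group=$2; node=${3:-}
    if [ -n "$node" ]; then
        dseditgroup -o checkmember -n "$node" -m "$user" "$group" >/dev/null 2>&1
    else
        dseditgroup -o checkmember -m "$user" "$group" >/dev/null 2>&1
    fi
}

# members_of GROUP USER... -> prints, one per line, the USERs that are in GROUP
# on the local node (where local admin rights are granted).
members_of() {
    group=$1; shift
    for u in "$@"; do
        if is_member "$u" "$group" .; then
            printf '%s\n' "$u"
        fi
    done
}

# unexpected_members GROUP ALLOWLIST USER... -> members of GROUP that are not
# in the space-separated ALLOWLIST. Any output is an audit finding.
unexpected_members() {
    group=$1; allow=" $2 "; shift 2
    for u in $(members_of "$group" "$@"); do
        case "$allow" in
            *" $u "*) ;;                 # expected member
            *) printf '%s\n' "$u" ;;     # not on the allowlist
        esac
    done
}

# remove_member USER GROUP NODE ADMIN -> remove USER from GROUP on NODE.
# -p prompts for ADMIN's password (never pass it with -P: it would be
# visible to every local user via ps); -q skips the interactive confirmation.
remove_member() {
    dseditgroup -o edit -q -n "$3" -u "$4" -p -d "$1" -t user "$2"
}

# Usage on a Mac (assumed invocation): audit the local admin group.
#   sh audit.sh --audit "root localadmin"
if [ "${1:-}" = "--audit" ]; then
    unexpected_members admin "$2" $(dscl . -list /Users)
fi
```

     The audit deliberately checks against the local node (-n .) rather than the search policy, so that a group of the
     same name on a network directory cannot mask or inflate local admin rights.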


dsconfigldap

LDAP server configuration/binding add/remove tool.

dsconfigldap [-fvixsgmeSN] -a servername [-n configname] [-c computerid] [-u username] [-p password] [-l username] [-q password]

dsconfigldap [-fviSN] -r servername [-u username] [-p password] [-l username] [-q password]
-f force authenticated binding/unbinding
-i prompt for passwords as required
-x choose SSL connection
-s enforce secure authentication only
-g enforce packet signing security policy
-m enforce man-in-middle security policy
-e enforce encryption security policy
-S do not update search policies
-N do not prompt about adding certificates
-a servername add config of servername
-r servername remove config of servername
-n configname name given to LDAP server config
-c computerid name used if binding to directory
-u username -p password privileged network user and password for authenticated binding
-l username -q password local administrator and password
-h display usage statement
-v verbose logging to stdout
dsconfigldap allows the addition or removal of LDAP server configurations.
-f Bindings will be established or dropped in conjunction with the addition or removal of the LDAP server configuration.
-v This enables the logging to stdout of the details of the operations. This can be redirected to a file.
-i prompt for a password to use in conjunction with a specified username.
-s ensures that no clear text passwords will be sent to the LDAP server during authentication. This will only be enabled if the server supports non-cleartext methods.
-e This ensures that if the server is capable of supporting encryption methods (i.e., SSL or Kerberos) that encryption will be enforced at all times via policy.
-m ensures that protection against man-in-the-middle attacks will be enforced via Kerberos, if the server supports the capability.
-g ensures that packet signing capabilities will be enforced via Kerberos, if the server supports the capability.
-x Connection to the LDAP server will only be made over SSL.
-S skip updating the search policies.
-N assume Yes for installing certificates
-h Display usage statement.
-a servername either the fully qualified domain name or correct IP address of the LDAP server to be added to the DirectoryService LDAPv3 configuration.
-r servername either the fully qualified domain name or correct IP address of the LDAP server to be removed from the DirectoryService LDAPv3 configuration.
-n configname the UI configuration label that is to be given the LDAP server configuration.
-c computerid the name to be used for directory binding to the LDAP server. If none is given the first substring, before a period, of the hostname (the defined environment variable "HOST") is used.
-u username of a privileged network user to be used in authenticated directory binding.
-p password for the privileged network user. This is a less secure method of providing a password, as it may be viewed via process list. For stronger security leave the option off and you will be prompted for a password.
-l username of a local administrator.
-q password for the local administrator. This is a less secure method of providing a password, as it may be viewed via process list. For stronger security leave the option off and you will be prompted for a password.
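The combination of -x, -s, -e, -g and -m is what turns a bind into one that never sends a cleartext password and cannot be quietly downgraded by the server, and -i keeps both passwords off the command line. The shell functions below are an added example, not part of this man page: ldap_bind_secure runs dsconfigldap with that hardened flag set, and ldap_node_in_search_path verifies afterwards that the resulting /LDAPv3/<servername> node is actually on the authentication search policy. The verification reads CSPSearchPath from the /Search node with dscl; that dscl invocation and its output format (a header line followed by one indented node path per line) are assumptions here, not taken from this page.

```shell
#!/bin/sh
# Added example: hardened LDAP bind wrapper and post-bind verification.
# Passwords are never accepted as arguments; -i makes dsconfigldap prompt.

# ldap_bind_secure SERVER CONFIGNAME NETUSER LOCALUSER
#   -f  establish the binding, not just the configuration
#   -i  prompt for both passwords (keeps them out of ps and shell history)
#   -x  SSL only            -s  no cleartext authentication
#   -e  enforce encryption  -g  packet signing   -m  MITM protection (Kerberos)
ldap_bind_secure() {
    server=$1; cfg=$2; netuser=$3; localuser=$4
    dsconfigldap -f -i -x -s -e -g -m -a "$server" -n "$cfg" -u "$netuser" -l "$localuser"
}

# ldap_node_in_search_path SERVER -> exit 0 if /LDAPv3/SERVER is listed in the
# authentication search policy. Assumes "dscl /Search -read / CSPSearchPath"
# prints "CSPSearchPath:" followed by one indented node path per line.
ldap_node_in_search_path() {
    want="/LDAPv3/$1"
    dscl /Search -read / CSPSearchPath |
        awk -v want="$want" '$1 == want { found = 1 } END { exit !found }'
}

# Assumed invocation on a Mac (server, config name and users are placeholders):
#   sudo sh bind.sh ldap.company.com "Corp LDAP" netadmin localadmin
if [ $# -eq 4 ] && command -v dsconfigldap >/dev/null 2>&1; then
    ldap_bind_secure "$1" "$2" "$3" "$4" &&
        ldap_node_in_search_path "$1" ||
        { echo "bind failed or node not on search policy" >&2; exit 1; }
fi
```

Without -S the tool updates the search policy itself; the check after the bind is still worthwhile, because a node that was configured but is not on the search policy silently makes every checkmember answer against it undefined (see dseditgroup above).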
EXAMPLES
     sudo dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

              (A dseditgroup example.) Adds the group everyone to the local group lpadmin, so that every user may
              administer printers.

     dsconfigldap -a ldap.company.com

              The LDAP server config for the LDAP server ldap.company.com will be added. If authenticated directory
              binding is required by the LDAP server, then this call will fail. Otherwise the parameters configname,
              computerid and local admin name will respectively pick up these defaults: the IP address of the LDAP
              server, the substring of the fully qualified hostname up to the first period, and the username of the user
              in the shell from which this tool was invoked.

     dsconfigldap -r ldap.company.com

              The LDAP server config for the LDAP server ldap.company.com will be removed, but not unbound, since no
              network user credentials were supplied. The local admin name will be the username of the user in the shell
              from which this tool was invoked.

SEE ALSO
     opendirectoryd(8), odutil(1)