Inetuser utility

From Messaging Server Technical Reference Wiki

The inetuser utility is a very limited LDAP provisioning utility for Messaging Server.

Syntax

  inetuser --command-file=file
  inetuser --help
  inetuser --version
  inetuser create [switches] user
  inetuser show [switches] user
  inetuser checkpw [switches] user
  inetuser show-domain [switches] domain
  inetuser check-dssetup

Restrictions

This command uses the LDAP configuration settings by default. However, subcommands that update LDAP generally require Directory Manager credentials, and it is a best practice to limit the access rights of the administrative account specified by base.ugldapbinddn and base.ugldapbindcred. As a result, it is typically necessary to supply a Directory Manager account with the --bind-dn=binddn and --bind-pwfile=file switches when updating LDAP directly.

Parameters

The create, show, and checkpw subcommands take a user identity as a parameter. The user identity is typically the value of the uid LDAP attribute (possibly modified by the ldap_uid option) and may include @domain to refer to an LDAP domain.

The show-domain subcommand takes a domain provisioned in LDAP as a parameter.

No parameters are present when a top-level switch is used or other subcommands are used.

Description

The inetuser utility is a very limited LDAP provisioning utility for Messaging Server that supports LDAP schema 1 and LDAP schema 2. This tool has been present in Messaging Server for some time and is used by the init-config utility to provision an initial administrative user, group, and associated default domain.

The create subcommand is used to create users and domains.

The show subcommand is used to show a user's LDAP entry.

The checkpw subcommand is used to check a user's LDAP password against the directory. The inetuser utility will return a status of 0 if the password is correct.

The show-domain subcommand shows a domain's LDAP entry.

The check-dssetup subcommand shows the information that the comms_dssetup utility has recorded in the LDAP directory.

Examples

The following command creates a user with common name "John Smith" and user identity "jsmith". With this command, the email address defaults to "jsmith@defaultdomain" (this assumes the Directory Manager password is stored in the file pwfile in the current directory):

# inetuser create -D "cn=Directory Manager" -j pwfile -p "cn=John Smith" jsmith
password:

The following command creates a new domain with a new administrative user:

# inetuser create -D "cn=Directory Manager" -j pwfile -a all -c newadmin@newdomain.example.com
password:

Switches

--command-file=file, -f file

This top-level switch reads and executes inetuser subcommands from the specified file instead of executing one subcommand from the command line.

--help, -?

This top-level switch displays a command usage summary.

--version, -V

This top-level switch displays command version information.

--admin=type, -a type

This create subcommand switch specifies the type of admin user to create. Supported values are all (store administrator) and access (administrative account used by Messaging Server to authenticate). If not specified, the user account will not have administrative privilege.

--attrlist=attrs, -A attrs

This show subcommand switch specifies a comma-separated list of attributes to show from the user entry, instead of showing all known attributes.

--autocreate, -c

This create subcommand switch will cause the domain to be created when creating a user if it doesn't already exist. Note that the tool requires the first user in a domain to be a store administrator so it's generally necessary to include the --admin=all switch with this one.

--bind-dn=binddn, -D binddn

This subcommand switch specifies the bind DN to use for LDAP server authentication. If not specified, the value of the base.ugldapbinddn option is used instead. The credentials specified by that option typically do not have permission to write to the LDAP directory so this switch is usually necessary with the create subcommand (as is the --bind-pwfile switch).

--bind-pwfile=file, -j file

This subcommand switch specifies a file containing the bind password to use for LDAP server authentication. If not specified, the value of the base.ugldapbindcred option is used as the bind password instead.

--default-domain=domain, -d domain

This subcommand switch specifies the default domain to use if a domain is not explicitly specified. When this switch is not specified, the value of the base.defaultdomain option is used.

--dry-run, -n

This subcommand switch prevents the tool from modifying the LDAP directory. It may be useful to combine this with the --ldif switch.

--hostlist=host, -h host

This subcommand switch specifies one or more LDAP server host names to use when connecting to the LDAP server. If not provided, the value of the base.ugldaphost option is used. This may be needed with the create subcommand if that option specifies a slave LDAP server rather than a master LDAP server.

--ldapattrval=avl, -p avl

This create subcommand switch specifies an LDAP attribute value list of additional known attributes to include when creating a user. The syntax of the list is attr1=value1,attr2=value2. Special characters may be escaped with backslash (\). Alternatively, the value can be base64-encoded by specifying a $ symbol before the equals (=) symbol. The set of known attributes is limited, so if the attribute name is not known by the utility, an error will result.

--ldif=file, -l file

This create subcommand switch specifies a file that will record a copy of the LDIF generated internally by this tool to modify the LDAP directory. Combining this with the --dry-run switch is useful for reviewing the changes the tool would make to LDAP before they are applied. This may also be helpful to customers developing their own provisioning tools.
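The --ldapattrval list syntax above (backslash escapes, a $ before the = for a base64-encoded value, and rejection of attribute names the tool does not know) and the LDIF copy that --ldif records are both easy to get wrong when scripting around the tool. The following is an added example, not code from this page or from Messaging Server: a small parser for the attr1=value1,attr2=value2 list that applies those three rules, plus a renderer that writes the parsed attributes as LDIF using the standard RFC 2849 rule for when a value must be base64-encoded with "::". The KNOWN_ATTRS set is a constructed placeholder, since the page does not list the utility's real set of known attributes, and the exact escaping behaviour of the real tool is assumed from the page's description.

```python
import base64
import string

# Constructed, illustrative allow-list. The page says the utility accepts only
# a limited set of "known" attributes but does not list them, so this set is
# an assumption for the example, not the real utility's list.
KNOWN_ATTRS = {"cn", "sn", "givenName", "mail", "mailHost", "description"}


def parse_ldapattrval(avl, known=KNOWN_ATTRS):
    """Parse an attr1=value1,attr2=value2 list in the --ldapattrval syntax.

    Rules implemented (assumed reading of the page's description):
      * a backslash escapes the character after it, so ',' '=' '$' and '\\'
        can appear literally in a name or value;
      * 'attr$=<base64>' marks a base64-encoded value, which is decoded;
      * an attribute name outside the known set is an error.
    Returns {attribute: [value, ...]} so a repeated attribute keeps all values.
    """
    result = {}
    i, n = 0, len(avl)
    while i < n:
        # Attribute name: everything up to an unescaped '=' (or '$=').
        name_chars, b64 = [], False
        while i < n and avl[i] != "=":
            if avl[i] == "\\" and i + 1 < n:
                name_chars.append(avl[i + 1])
                i += 2
            elif avl[i] == "$" and i + 1 < n and avl[i + 1] == "=":
                b64 = True          # consume the '$'; the loop stops at '='
                i += 1
            else:
                name_chars.append(avl[i])
                i += 1
        if i >= n:
            raise ValueError("missing '=' after %r" % "".join(name_chars))
        i += 1                      # skip the '='
        name = "".join(name_chars)
        if not name:
            raise ValueError("empty attribute name")
        if name not in known:
            raise ValueError("unknown attribute %r" % name)
        # Value: everything up to an unescaped ','.
        value_chars = []
        while i < n and avl[i] != ",":
            if avl[i] == "\\" and i + 1 < n:
                value_chars.append(avl[i + 1])
                i += 2
            else:
                value_chars.append(avl[i])
                i += 1
        i += 1                      # skip the ',' (harmless at end of input)
        raw = "".join(value_chars)
        value = base64.b64decode(raw, validate=True).decode("utf-8") if b64 else raw
        result.setdefault(name, []).append(value)
    return result


def is_valid_ldapattrval(avl, known=KNOWN_ATTRS):
    """True if the list parses cleanly against the known-attribute set."""
    try:
        parse_ldapattrval(avl, known)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def to_ldif(dn, attrs):
    """Render parsed attributes as LDIF lines. A value is written base64
    with '::' when RFC 2849 says it is not a SAFE-STRING (empty, leading
    space/colon/'<', trailing space, or any non-ASCII/control character)."""
    safe = set(string.printable) - set("\r\n\x0b\x0c")

    def needs_b64(v):
        return (not v or v[0] in " :<" or v[-1] == " "
                or any(c not in safe for c in v))

    lines = ["dn: " + dn]
    for name, values in attrs.items():
        for v in values:
            if needs_b64(v):
                encoded = base64.b64encode(v.encode("utf-8")).decode("ascii")
                lines.append("%s:: %s" % (name, encoded))
            else:
                lines.append("%s: %s" % (name, v))
    return lines


if __name__ == "__main__":
    # Constructed sample list: an escaped comma and a base64 value ("Bob Jones").
    attrs = parse_ldapattrval("cn$=Qm9iIEpvbmVz,description=Sales\\, EMEA")
    print("\n".join(to_ldif("uid=bjones,ou=People,o=example.com", attrs)))
```

Rejecting an unknown attribute before anything is rendered mirrors the tool's own behaviour and keeps a typo in a scripted provisioning run from silently producing an entry with a misspelled attribute; the LDIF output is the kind of thing to diff against what --ldif records under --dry-run.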

--logfile=file, -L file

This subcommand switch requests that any diagnostics are appended to the specified file.

--myhost=host, -H host

This subcommand switch specifies the name of the host used to provision store-related attributes such as mailHost. If this is not provided, the value of the base.hostname option is used.

--novalidate

Normally the tool will prompt and abort if a mismatch or error is detected. This subcommand switch suppresses that behavior.

--orgdn=dn, -O dn

This create subcommand switch specifies the LDAP DN to use when provisioning a schema 1 organization group in LDAP when creating a domain. This switch is primarily for use by the init-config utility.

--postmaster=mailaddr, -M mailaddr

This create subcommand switch specifies the mail address of the user to include in the postmaster group when creating a domain with a postmaster group. This switch is primarily for use by the init-config utility.

--port=port, -P port

This subcommand switch specifies the LDAP server port to use. If not specified, the value of the base.ugldapport option is used.

--preserveCritical

Normally the tool will prompt, and default to overwriting, certain critical attributes when performing a create operation and the specified user and/or domain already exists. This subcommand switch prevents the tool from overwriting such attributes.

--pwfile=file, -J file

This create subcommand switch specifies a file containing the password to use when creating a user. If this is not provided, the tool will prompt for a password.

--quiet, -q

This subcommand switch suppresses some prompts and diagnostics.

--require-ssl, -Z

This subcommand switch requires the use of SSL when communicating with the LDAP server.

--verbose, -v

This subcommand switch requests additional diagnostics from the utility. It may be used more than once to increase the amount of diagnostic information.
