idadmin(1Mbnu)
idadmin -- ID map database administration
Synopsis
idadmin [-S scheme [-l logname]]
idadmin -S scheme -a -r g_name -l logname
idadmin -S scheme -d [-r g_name] -l logname
idadmin -S scheme -I descr
idadmin -S scheme [-Duscf]
Description
The idadmin command displays and updates entries in the system ID mapping database. All update operations are logged (whether successful or not) in the file /var/adm/log/idmap.log.
Options
The options to idadmin are:
-S scheme
    Specify the name of the ID mapping scheme.

-l logname
    Specify a local name (logname) into which the remote name maps. logname must be a valid logname on the local server. To be valid, logname must appear in /etc/passwd. The logname may take the form %n or %i, where %n is used for transparent mapping and %i forces remote names to be rejected.

-a
    Add a map entry. The local and remote names must be specified.

-r g_name
    Specify the remote (global) name. The format of g_name is scheme-dependent; generally, it includes a login name and a machine name.

-d
    Delete a map entry. The scheme name and the local name must be specified. Specifying the remote name is optional. If only the local name is specified, all entries mapping to that local name are deleted. If a remote name is also specified, only that particular map entry is deleted.

-I descr
    Install a new scheme. A remote name format descriptor (descr) must be specified for the new scheme. The remote name format descriptor is a string that indicates the format of the remote name; it includes field numbers, the letter "M" to indicate that a field is mandatory, and field separators.

-D
    Delete a scheme. The scheme name must be specified.

-u
    Enable user-controlled ID mapping (USER mode). The scheme name must be specified.

-s
    Disable user-controlled ID mapping (SECURE mode). The scheme name must be specified.

-c
    Check the consistency of a map file. The scheme name must be specified. Map entries containing syntax errors and unknown users are displayed. Users are unknown if they do not exist in /etc/passwd.

-f
    Fix an inconsistent mapping file. Entries that are out of order are sorted; mapping entries containing syntax errors and unknown users are displayed, and the system administrator is given the opportunity to change or delete them.
When no options are specified, idadmin lists all installed schemes and the mode of each (USER or SECURE). If only scheme is specified, idadmin displays the contents of the system map file. When scheme and logname are entered, idadmin lists all entries in the scheme's system map file that map into logname.
Transparent mapping may be achieved by specifying the metacharacter (an asterisk) in the remote name and %n for the local logname, where n is the number of the field that namemap will extract from the remote name and return as the local name. An asterisk may appear in any field in g_name to match any string of characters in the corresponding field of a remote name. If %i is used for logname, namemap will reject all remote names that match the g_name.

When namemap searches for a remote name in the system map file, it sequentially scans the file, so the first matching entry wins. Therefore, the ordering of remote names in this file is critical. Remote names are sorted on the highest numbered field first. Entries with explicit values in this field appear first in the file. Entries which include regular expressions in this field are sorted from the most specific to the least specific based on the position of metacharacters in the pattern. The further a metacharacter is to the left in the pattern, the less specific the pattern is. For example, s* is less specific than sf*. If two or more entries have patterns which are equally specific, the specificity of the next lower numbered field is examined. Fields are examined from highest to lowest until the remote names can be differentiated.
Files
/etc/idmap/scheme_name/idata
    system map file for scheme scheme_name

/etc/idmap/scheme_name/uidata
    user map file for scheme scheme_name

/var/adm/log/idmap.log
    log file

/etc/passwd
    password file
Usage
The system ID mapping database consists of one or more system map files, where each map has a different record descriptor. Maps with different record descriptors support different authentication schemes. idadmin also provides an administrator with a mechanism to enable and disable user-controlled mapping (see uidadmin(1bnu)).

ID mapping databases are used by namemap(3iac) to map remote lognames to local ones. If an ID mapping scheme is enabled for user-controlled mapping, namemap looks at the user ID map before the system ID map.

Only a privileged user can execute this command.
Examples
The following command line installs a new scheme, called myscheme:

    idadmin -S myscheme -I M2!M1

In the remote name format descriptor M2!M1, M indicates that the field is mandatory. The numbers indicate the order of significance of the fields, where higher numbered fields are more significant. In this example, the first field (M2) is meant to contain a system name, and the second field (M1) is meant to contain a user name. Because the first field indicates the entity of greater significance, it is assigned the higher field number. The character ! is used as the field separator.

Given the ID mapping scheme myscheme, the following command line creates an entry in the database that maps user foo on machine comunix into user foo on the local host:

    idadmin -S myscheme -a -r comunix!foo -l foo

The following command line creates an entry in the database that provides transparent mapping from any logname on any remote machine to a local user identity with the same logname:

    idadmin -S myscheme -a -r "!" -l %1
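The following Python model is an added example, not code from the UnixWare idmap subsystem: it applies the sort order and sequential-scan rules described under Description (highest numbered field first, explicit values before patterns, sf* before s*) to a constructed map for the page's myscheme (descriptor M2!M1), including %n extraction and %i rejection, so an administrator can see which entry wins for a given remote name before trusting a map file. The hostnames and the entries other than comunix!foo are assumptions made up for the demonstration.

```python
import re

def parse_descr(descr):
    # "M2!M1" -> separator "!" and positional fields [(2, True), (1, True)]
    sep = next(c for c in descr if not (c.isdigit() or c == "M"))
    return sep, [(int(f.lstrip("M")), f.startswith("M")) for f in descr.split(sep)]

def field_matches(pattern, value):
    # an asterisk in a g_name field matches any string in that field of the remote name
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def specificity_key(g_name, sep, fields):
    # highest-numbered field first; explicit values before patterns; a metacharacter
    # further to the right is more specific (sf* sorts before s*, which sorts before *)
    parts = g_name.split(sep)
    key = []
    for i in sorted(range(len(fields)), key=lambda j: -fields[j][0]):
        star = parts[i].find("*")
        key.append((0, 0) if star < 0 else (1, -star))
    return tuple(key)

def resolve(remote, entries, descr):
    # scan the sorted map sequentially (first match wins); return the local logname,
    # or None when nothing matches, a mandatory field is empty, or the entry is %i
    sep, fields = parse_descr(descr)
    values = remote.split(sep)
    if len(values) != len(fields) or any(m and not v for v, (_, m) in zip(values, fields)):
        return None
    by_number = {n: v for v, (n, _) in zip(values, fields)}
    for g_name, logname in sorted(entries, key=lambda e: specificity_key(e[0], sep, fields)):
        if all(field_matches(p, v) for p, v in zip(g_name.split(sep), values)):
            if logname == "%i":
                return None
            if logname[:1] == "%" and logname[1:].isdigit():
                return by_number[int(logname[1:])]
            return logname
    return None

# Constructed map for the page's myscheme (descriptor M2!M1), deliberately unsorted.
MYSCHEME = "M2!M1"
MAP = [
    ("*!*", "%1"),           # transparent mapping: least specific, scanned last
    ("s*!*", "guest"),       # assumed: every other user on an s* host becomes guest
    ("comunix!foo", "foo"),  # the page's own explicit entry
    ("sf*!root", "%i"),      # assumed: reject remote root from any sf* host
    ("comunix!*", "%i"),     # assumed: reject every other user from comunix
]

if __name__ == "__main__":
    for name in ("comunix!foo", "comunix!bar", "sfhost!root", "sfhost!alice", "other!alice"):
        print(name, "->", resolve(name, MAP, MYSCHEME))
```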
References
attradmin(1Mbnu), attrmap(3iac), namemap(3iac), uidadmin(1bnu)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004