idadmin(1Mbnu)

idadmin -- ID map database administration

Synopsis

idadmin [-S scheme [-l logname]]
idadmin -S scheme -a -r g_name -l logname
idadmin -S scheme -d [-r g_name] -l logname
idadmin -S scheme -I descr
idadmin -S scheme [-Duscf]

Description

The idadmin command displays and updates entries in the system ID mapping database. All update operations are logged (whether successful or not) in the file /var/adm/log/idmap.log.

Options

The options to idadmin are:

-S scheme: Specify the name of the ID mapping scheme.
-l logname: Specify a local name (logname) into which the remote name maps. logname must be a valid logname on the local server. To be valid, logname must appear in /etc/passwd. The logname may take the form %n or %i, where %n is used for transparent mapping and %i forces remote names to be rejected.
-a: Add a map entry. The local and remote names must be specified.
-r g_name: Specify the remote (global) name. The format of g_name is scheme-dependent; generally, it includes a login name and a machine name.
-d: Delete a map entry. The scheme name and the local name must be specified. Specifying the remote name is optional. If only the local name is specified, all entries mapping to that local name are deleted. If a remote name is also specified, only that particular map entry is deleted.
-I descr: Install a new scheme. A remote name format descriptor (descr) must be specified for the new scheme. The remote name file descriptor is a string that indicates the format of the remote name; it includes field numbers, the letter ``M'' to indicate the field is mandatory, and field separators.
-D: Delete a scheme. The scheme name must be specified.
-u: Enable user-controlled ID mapping (USER mode). The scheme name must be specified.
-s: Disable user-controlled ID mapping (SECURE mode). The scheme name must be specified.
-c: Check the consistency of a map file. The scheme name must be specified. Map entries containing syntax errors and unknown users are displayed. Users are unknown if they do not exist in /etc/passwd.
-f: Fix an inconsistent mapping file. Entries that are out of order are sorted; mapping entries containing syntax errors and unknown users are displayed, and the system administrator is given the opportunity to change or delete them.

When no options are specified, idadmin lists all installed schemes and the mode of each (USER or SECURE). If only scheme is specified, idadmin displays the contents of the system map file. When scheme and logname are entered, idadmin lists all entries in the scheme's system map file that map into logname.

Transparent mapping may be achieved by specifying the metacharacter in the remote name and %n for the local logname, where n is the number of the field that namemap will extract from the remote name and return as the local name. An asterisk may appear in any field in g_name to match any string of characters in the corresponding field of a remote name. If %i is used for logname, namemap will reject all remote names that match the g_name.

When namemap searches for a remote name in the system map file, it sequentially scans the file. Therefore, the ordering of remote names in this file is critical.

Remote names are sorted on the highest numbered field first. Entries with explicit values in this field appear first in the file. Entries which include regular expressions in this field are sorted from the most specific to the least specific based on the position of metacharacters in the pattern. The more a metacharacter is to the left in the pattern the less specific the pattern is. For example, s* is less specific than sf*.

If two or more entries have patterns which are equally specific, the specificity of the next lower numbered field is examined. Fields are examined from highest to lowest until the remote names can be differentiated.

Files

/etc/idmap/scheme_name/idata: system map file for scheme scheme_name
/etc/idmap/scheme_name/uidata: user map file for scheme scheme_name
/var/adm/log/idmap.log: log file
/etc/passwd: password file

Usage

The system ID mapping database consists of one or more system map files, where each map has a different record descriptor. Maps with different record descriptors support different authentication schemes. idadmin also provides an administrator with a mechanism to enable and disable user-controlled mapping (see uidadmin(1bnu)).

ID mapping databases are used by namemap(3iac) to map remote lognames to local ones. If an ID mapping scheme is enabled for user-controlled mapping, namemap looks at the user ID map before the system ID map.

Only a privileged user can execute this command.

Examples

The following command line installs a new scheme, called myscheme:

idadmin -S myscheme -I M2!M1

In the remote name format descriptor M2!M1, M indicates that the field is mandatory. The numbers indicate the order of significance of the fields, where higher numbered fields are more significant. In this example, the first field (M2) is meant to contain a system name, and the second field (M1) is meant to contain a user name. Because the first field indicates the entity of greater significance, it is assigned the higher field number. The character ! is used as the field separator.

Given the ID Mapping scheme myscheme, the following command line creates an entry in the database that maps user foo on machine comunix into user foo on the local host:

idadmin -S myscheme -a -r comunix!foo -l foo

The following command line creates an entry in the database that provides transparent mapping from any logname on any remote machine to a local user identity with the same logname:

idadmin -S myscheme -a -r "!" -l %1

References

attradmin(1Mbnu), attrmap(3iac), namemap(3iac), uidadmin(1bnu)