efskstoldif Command

Purpose

Prints the keystores of the specified locally defined EFS users or groups to stdout in LDIF format.

Syntax

efskstoldif -d baseDN [-u | -g] {ALL | Name [Name] ...}

Description

The efskstoldif command reads the keystore files of locally defined EFS users or groups and prints the result to stdout in LDIF format. If the output is redirected to a file, it can be added to an LDAP server with the ldapadd command (with the -b flag) or with the ldif2db command.

The efskstoldif command reads the /etc/security/ldap/sectoldif.cfg file to determine the names of the user, group and cookie sub-trees that the data will be exported to. The efskstoldif command only exports data to the USERKEYSTORE, GROUPKEYSTORE, EFSCOOKIES and ADMINKEYSTORE types defined in that file. The names specified in the file are used to create sub-trees under the base distinguished name (DN) specified with the -d flag. For more information, see the /etc/security/ldap/sectoldif.cfg file in AIX® Version 6.1 TL 4.

LDIF output generation does not consult the efs_keystore_access or efs_adminks_access attribute of the users or groups: the LDIF is generated regardless of whether that value is "file" or "ldap". For every user or group keystore that is exported, any cookies that exist for that keystore are exported as well.

Note: Any cookies present in the file keystores are also exported to LDIF. The system administrator is responsible for keeping the keystore entries on the LDAP server and in the files consistent, if required.

Flags

Item Description
-d baseDN Specifies the base distinguished name (DN) under which to place the EFS keystore data.
-g {ALL | Name ...} Directs the command to generate the output for the groups specified in the succeeding arguments.
    ALL Specifies that all the groups must be considered.
    Name Specifies a single group name or a list of group names separated by blanks.
-u {ALL | Name ...} Directs the command to generate the output for the users specified in the succeeding arguments.
    ALL Specifies that all the users must be considered.
    Name Specifies a single user name or a list of user names separated by blanks.

Exit status

Item Description
0 Successful completion.
>0 An error occurred.

Security

Access Control: This command should grant execute (x) access only to the root user.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files

Item Description
/etc/security/user Contains the EFS attributes for the creation and management of user keystores.
/etc/security/group Contains the EFS attributes for the creation and management of user keystores.
/var/efs Contains all keystores.

Examples

  1. To export the keystore content of all users and groups to LDIF format with the base DN cn=aixdata, type the following command:
    efskstoldif -d cn=aixdata
  2. To export the keystore content of all users to LDIF format with the base DN cn=aixdata, type the following command:
    efskstoldif -d cn=aixdata -u ALL
  3. To export the keystore content of all groups to LDIF format with the base DN cn=aixdata, type the following command:
    efskstoldif -d cn=aixdata -g ALL
  4. To export the keystore content of selected users only to LDIF format with the base DN cn=aixdata, type the following command:
    efskstoldif -d cn=aixdata -u davis smith
  5. To export the keystore content of selected groups only to LDIF format with the base DN cn=aixdata, type the following command:
    efskstoldif -d cn=aixdata -g finance managers
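The export-then-load workflow from the Description, as an added shell example that is not part of the AIX documentation: the LDIF file carries keystore material, so it is created owner-only and sanity-checked before it is handed to ldapadd -b. It assumes efskstoldif is on PATH; the EFSKSTOLDIF override variable and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the AIX documentation. Assumes efskstoldif is on
# PATH; EFSKSTOLDIF may be pointed at a stand-in for testing (assumption).
EFSKSTOLDIF="${EFSKSTOLDIF:-efskstoldif}"

# export_keystores BASE_DN OUT_FILE [efskstoldif args...]
# Runs efskstoldif -d BASE_DN with the remaining arguments (for example
# "-u ALL" or "-g finance managers") and writes its stdout to OUT_FILE.
# umask 077 in the subshell makes a newly created file mode 0600, so the
# exported keystore data is never readable by group or other.
export_keystores() {
    base_dn="$1"; out="$2"; shift 2
    ( umask 077; "$EFSKSTOLDIF" -d "$base_dn" "$@" > "$out" )
}

# ldif_entry_count FILE
# Counts "dn:" lines, i.e. the number of entries ldapadd would add.
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# check_export FILE
# Refuses an export that is empty, contains no entries, or is readable by
# anyone other than its owner (columns 5-10 of ls -l are the group/other bits).
check_export() {
    f="$1"
    [ -s "$f" ] || { echo "empty export: $f" >&2; return 1; }
    case "$(ls -l "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "export is not owner-only: $f" >&2; return 1 ;;
    esac
    [ "$(ldif_entry_count "$f")" -gt 0 ] || { echo "no entries: $f" >&2; return 1; }
}

# Typical use (as root): export selected users, verify, then load with ldapadd -b.
#   export_keystores cn=aixdata /root/efsks.ldif -u davis smith &&
#   check_export /root/efsks.ldif &&
#   ldapadd -b ... -f /root/efsks.ldif
```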