sectoldif Command

Purpose

Prints users and groups defined locally to stdout in ldif format.

Syntax

sectoldif -d baseDN [ -S schematype ] [ -u username ]

Description

The sectoldif command reads the users and groups defined locally on the system and prints them to stdout in LDIF format. If the output is redirected to a file, that file can be loaded into an LDAP server with the ldapadd command or the ldif2db command.

The -S option specifies the schema type used for the ldif output. The sectoldif command accepts three schema types:
  • AIX® - AIX schema (aixaccount and aixaccessgroup objectclasses)
  • RFC2307 - RFC 2307 schema (posixaccount, shadowaccount, and posixgroup objectclasses)
  • RFC2307AIX - RFC 2307 schema with full AIX support (posixaccount, shadowaccount, and posixgroup objectclasses, plus the aixauxaccount and aixauxgroup objectclasses).

The sectoldif command is called by the mksecldap command to export users and groups during LDAP server setup. Be especially careful when using sectoldif output to add users and groups from other systems to an existing LDAP server. The ldapadd and ldif2db commands check only the entry name (user name or group name) when adding entries; they do not check the numeric id. Importing sectoldif output from several systems can therefore leave multiple accounts sharing one uid or gid, which is a security violation: the kernel identifies owners and permission holders by numeric id, so such accounts become indistinguishable for file ownership and access checks. Check the exported LDIF for duplicate ids before loading it.
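The following shell script is an added example for the caveat above; it is not part of the sectoldif documentation or AIX. It scans an LDIF export for uidNumber values shared by more than one user entry and gidNumber values shared by more than one group entry, so the collision that ldapadd and ldif2db would silently accept is caught before the import. It assumes RFC2307 or RFC2307AIX-style output (uidNumber on posixaccount entries, gidNumber on posixgroup entries), one attribute per line, entries separated by blank lines, and no LDIF line folding; the sample LDIF, the DN layout and the helper name ldif_dup_ids are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect numeric-id collisions in a sectoldif LDIF export before
# loading it with ldapadd/ldif2db (those tools only reject duplicate names).
# Assumptions: RFC2307/RFC2307AIX output, one attribute per line, entries
# separated by blank lines, no LDIF continuation lines.

# ldif_dup_ids: read LDIF on stdin; print one line per shared id as
# "<attr>=<value><TAB><dn> <dn> ..."; exit 1 if any collision exists, else 0.
ldif_dup_ids() {
    _dups=$(awk '
        function flush() {
            if (dn == "") return
            # gidNumber also appears on user entries (primary group), so only
            # count it on group entries; uidNumber only on user entries.
            if (oc ~ /posixaccount/ && uidn != "") rec("uidNumber", uidn)
            if (oc ~ /posixgroup/  && gidn != "") rec("gidNumber", gidn)
            dn = ""; oc = ""; uidn = ""; gidn = ""
        }
        function rec(attr, val,    key) {
            key = attr "=" val
            count[key]++
            dns[key] = (dns[key] == "") ? dn : dns[key] " " dn
        }
        tolower($1) == "dn:"          { dn = $0; sub(/^[^:]*: */, "", dn) }
        tolower($1) == "objectclass:" { oc = oc " " tolower($2) }
        tolower($1) == "uidnumber:"   { uidn = $2 }
        tolower($1) == "gidnumber:"   { gidn = $2 }
        NF == 0                       { flush() }
        END {
            flush()
            for (k in count) if (count[k] > 1) print k "\t" dns[k]
        }
    ' | sort)
    [ -z "$_dups" ] && return 0
    printf '%s\n' "$_dups"
    return 1
}

# Intended use on a real export (requires an AIX host; shown as a comment):
#   sectoldif -d cn=aixsecdb,cn=aixdata -S rfc2307aix > export.ldif
#   ldif_dup_ids < export.ldif && ldapadd -D "$BINDDN" -w "$BINDPW" -f export.ldif

# Constructed sample: alice and carol share uidNumber 501, staff and dev share
# gidNumber 200. The primary-group gidNumber on user entries is not a collision.
SAMPLE_LDIF='dn: uid=alice,ou=aixuser,cn=aixsecdb,cn=aixdata
objectclass: posixaccount
uid: alice
uidNumber: 501
gidNumber: 200

dn: uid=bob,ou=aixuser,cn=aixsecdb,cn=aixdata
objectclass: posixaccount
uid: bob
uidNumber: 502
gidNumber: 200

dn: uid=carol,ou=aixuser,cn=aixsecdb,cn=aixdata
objectclass: posixaccount
uid: carol
uidNumber: 501
gidNumber: 200

dn: cn=staff,ou=aixgroup,cn=aixsecdb,cn=aixdata
objectclass: posixgroup
cn: staff
gidNumber: 200

dn: cn=dev,ou=aixgroup,cn=aixsecdb,cn=aixdata
objectclass: posixgroup
cn: dev
gidNumber: 200
'

# Constructed sample with no collisions.
CLEAN_LDIF='dn: uid=alice,ou=aixuser,cn=aixsecdb,cn=aixdata
objectclass: posixaccount
uid: alice
uidNumber: 501
gidNumber: 200

dn: uid=bob,ou=aixuser,cn=aixsecdb,cn=aixdata
objectclass: posixaccount
uid: bob
uidNumber: 502
gidNumber: 200

dn: cn=staff,ou=aixgroup,cn=aixsecdb,cn=aixdata
objectclass: posixgroup
cn: staff
gidNumber: 200
'

# Stand-alone demonstration: report collisions in the sample instead of importing.
printf '%s' "$SAMPLE_LDIF" | ldif_dup_ids || echo "collisions found; do not import"
```

Run the check on the merged export from every source system, not on each system's export alone: an id that is unique on each host can still collide once the files are combined.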

The sectoldif command reads the /etc/security/ldap/sectoldif.cfg file to determine the names of the user, group and system sub-trees that the data is exported to. The sectoldif command exports data only for the USER, GROUP and SYSTEM types. The names given in the file are used to create sub-trees under the base DN specified with the -d flag. Refer to the /etc/security/ldap/sectoldif.cfg file documentation for more information.

Flags

Item Description
-d baseDN Specifies the base DN under which to place the user and group data.
-S schematype Specifies the LDAP schema used to represent user/group entries in the LDAP server. Valid values are AIX, RFC2307, and RFC2307AIX. Default is AIX.
-u username Prints only the entry for the named locally defined user.

Examples

  1. To print all users and groups defined locally, enter the following:
    sectoldif -d cn=aixsecdb,cn=aixdata -S rfc2307aix

    This prints all users and groups defined locally to stdout in ldif format. User entries and group entries are represented using the rfc2307aix schema type. The base DN is set to cn=aixsecdb,cn=aixdata.

  2. To print only locally defined user foo, enter the following:
    sectoldif -d cn=aixsecdb,cn=aixdata -u foo

    This prints the locally defined user foo to stdout in ldif format. Without the -S option, the default AIX schema type is used to represent foo's ldif output.

  3. To export data in a format that is compatible with AIX 4.3 and AIX 5.1 clients, perform the following:
    1. Edit the /etc/security/ldap/sectoldif.cfg file to include the following entries:
      USER            ou      organizationalUnit      aixuser
      GROUP           ou      organizationalUnit      aixgroup
      ID              ou      organizationalUnit      System
    2. Invoke the sectoldif command as follows:
      sectoldif -d cn=aixsecdb,cn=aixdata -S aix
      This prints all users and groups defined locally to stdout in ldif format. User entries and group entries are represented using the AIX schema type. The base DN is set to cn=aixsecdb,cn=aixdata, with user subtree ou=aixuser and group subtree ou=aixgroup.

Files

Mode File
r /etc/passwd
r /etc/group
r /etc/security/passwd
r /etc/security/limits
r /etc/security/user
r /etc/security/environ
r /etc/security/user.roles
r /etc/security/lastlog
r /etc/security/smitacl.user
r /etc/security/mac_user
r /etc/security/group
r /etc/security/smitacl.group
r /etc/security/login.cfg