idadmin(1M) idadmin(1M)
NAME
idadmin - ID map data base administration
SYNOPSIS
idadmin [-S scheme [-l logname]]
idadmin -S scheme -a -r g_name -l logname
idadmin -S scheme -d [-r g_name] -l logname
idadmin -S scheme -I descr
idadmin -S scheme [-Duscf]
DESCRIPTION
The idadmin command displays and updates entries in the system
ID mapping data base. All update operations are logged
(whether successful or not) in the file
/var/adm/log/idmap.log.
Files
/etc/idmap/scheme_name/idata
system map file for scheme scheme_name
/etc/idmap/scheme_name/uidata
user map file for scheme scheme_name
/var/adm/log/idmap.log
log file
/etc/passwd
password file
USAGE
The system ID mapping data base consists of one or more system
map files, where each map has a different record descriptor.
Maps with different record descriptors support different
authentication schemes. idadmin also provides an
administrator with a mechanism to enable and disable
user-controlled mapping [see uidadmin].
ID mapping data bases are used by namemap to map remote
lognames to local ones. If an ID mapping scheme is enabled
for user-controlled mapping (USER mode), namemap looks at the
scheme's user ID map before its system ID map, so a user's own
entries take precedence over the administrator's for that
scheme.
Only a privileged user can execute this command.
Options
The options to idadmin have the following meanings:
Copyright 1994 Novell, Inc. Page 1
-S scheme
Specify the name of the ID mapping scheme.
-l logname
Specify a local name (logname) into which the remote
name maps. logname must be a valid logname on the local
server; to be valid, it must appear in /etc/passwd. The
logname may also take the form %n or %i: %n, where n is a
field number from the scheme's descriptor, returns that
field of the matching remote name as the local name
(transparent mapping), and %i rejects every remote name
that matches the entry.
-a Add a map entry. The local and remote names must be
specified.
-r g_name
Specify the remote (global) name. The format of g_name
is scheme-dependent; generally, it includes a login name
and a machine name.
-d Delete a map entry. The scheme name and the local name
must be specified. Specifying the remote name is
optional. If only the local name is specified, all
entries mapping to that local name are deleted. If a
remote name is also specified, only that particular map
entry is deleted.
-I descr
Install a new scheme. A remote name format descriptor
descr must be specified for the new scheme. The remote
name format descriptor is a string that indicates the
format of the remote name; it includes field numbers,
the letter M to indicate that a field is mandatory, and
field separators.
-D Delete a scheme. The scheme name must be specified.
-u Enable user-controlled ID mapping (USER mode). The
scheme name must be specified. In USER mode namemap
consults the scheme's user map [see uidadmin] before
the system map.
-s Disable user-controlled ID mapping (SECURE mode). The
scheme name must be specified. In SECURE mode only the
system map is consulted.
-c Check the consistency of a map file. The scheme name
must be specified. Map entries containing syntax errors
and unknown users are displayed. Users are unknown if
they do not exist in /etc/passwd.
-f Fix an inconsistent mapping file. Entries that are out
of order are sorted; mapping entries containing syntax
errors and unknown users are displayed, and the system
administrator is given the opportunity to change or
delete them.
When no options are specified, idadmin lists all installed
schemes and the mode of each, USER or SECURE. If only a
scheme is specified, idadmin displays the contents of the
system map file. When a scheme and a logname are entered,
idadmin lists all entries in the scheme's system map file that
map into the logname.
Transparent mapping may be achieved by specifying the
metacharacter * in the remote name and %n for the local
logname, where n is the number of the field that namemap will
extract from the remote name and return as the local name. An
asterisk may appear in any field in g_name and matches any
string of characters in the corresponding field of a remote
name. If %i is used for logname, namemap will reject all
remote names that match the g_name.
When namemap searches for a remote name in the system map
file, it sequentially scans the file and uses the first entry
whose g_name matches. Therefore, the ordering of remote names
in this file is critical.
Remote names are sorted on the highest numbered field first.
Entries with explicit values in this field appear first in the
file. Entries whose value in this field is a pattern are
sorted from the most specific to the least specific, based on
the position of the metacharacter in the pattern: the further
left the metacharacter appears, the less specific the pattern
is. For example, s* is less specific than sf*.
If two or more entries have patterns which are equally
specific, the specificity of the next lower numbered field is
examined. Fields are examined from highest to lowest until
the remote names can be differentiated.
Examples
The following command line installs a new scheme, called
myscheme:
idadmin -S myscheme -I M2!M1
In the remote name format descriptor M2!M1, M indicates that
the field is mandatory. The numbers indicate the order of
significance of the fields, where higher numbered fields are
more significant; in this example, the first field (M2) is
meant to contain a system name, and the second field (M1) is
meant to contain a user name. Because the first field
indicates the entity of greater significance, it is assigned
the higher field number. The character ! is used as the field
separator.
Given the ID Mapping scheme myscheme, the following command
line creates an entry in the data base that maps user foo on
machine comunix into user foo on the local host.
idadmin -S myscheme -a -r comunix!foo -l foo
The following command line creates an entry in the data base
that provides transparent mapping from any logname on any
remote machine to a local user identity with the same logname:
idadmin -S myscheme -a -r "*!*" -l %1
Because both fields of this g_name are *, it is the least
specific entry possible and sorts after every other entry in
the map; it therefore acts as a catch-all. It also means that
any remote machine can claim any local logname that exists in
/etc/passwd, including privileged ones, unless a more specific
entry placed before it rejects the name (for example, a g_name
of *!root mapped to the logname %i).
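To see how the ordering rules above decide which entry a remote name hits, the following Python script is an added example that models the sort order, the sequential lookup and the -c consistency check described on this page. It is not the idadmin or namemap source and does not read /etc/idmap. It assumes that a descriptor alternates field tokens (M plus a number, or a bare number) with single-character separators, that * is the only metacharacter, that a mandatory field must be non-empty in a remote name, and that a missing separator or an empty mandatory field is what -c reports as a syntax error. The map entries for myscheme, the *!root rejection entry and the PASSWD set standing in for /etc/passwd are constructed for the example.

```python
"""Added example: a model of a scheme's system map applying the ordering
and lookup rules from the idadmin(1M) page. Not the UnixWare code."""
import re


def parse_descriptor(descr):
    """'M2!M1' -> ([(2, True), (1, True)], ['!'])  (field, mandatory), seps."""
    fields, seps = [], []
    for m in re.finditer(r'(M?)(\d+)|(.)', descr):
        if m.group(2):
            fields.append((int(m.group(2)), m.group(1) == 'M'))
        else:
            seps.append(m.group(3))
    if not fields or len(seps) != len(fields) - 1:
        raise ValueError(f"bad descriptor {descr!r}")
    return fields, seps


def split_name(name, fields, seps):
    """Split a g_name or remote name into positional fields. ValueError on a
    missing separator or an empty mandatory field (assumed 'syntax error')."""
    parts, rest = [], name
    for sep in seps:
        head, found, rest = rest.partition(sep)
        if not found:
            raise ValueError(f"{name!r}: missing separator {sep!r}")
        parts.append(head)
    parts.append(rest)
    for (num, mandatory), part in zip(fields, parts):
        if mandatory and part == '':
            raise ValueError(f"{name!r}: field {num} is mandatory")
    return parts


def field_matches(pattern, value):
    """'*' matches any string within one field; everything else is literal."""
    regex = '.*'.join(re.escape(piece) for piece in pattern.split('*'))
    return re.fullmatch(regex, value) is not None


def specificity_key(g_name, fields, seps):
    """Sort key per the page: highest-numbered field first; explicit values
    before patterns; among patterns, a '*' further left is less specific."""
    parts = split_name(g_name, fields, seps)
    by_number = {num: part for (num, _), part in zip(fields, parts)}
    key = []
    for num in sorted(by_number, reverse=True):
        star = by_number[num].find('*')
        key.append((0, 0) if star < 0 else (1, -star))
    return tuple(key)


def order_entries(descr, entries):
    """(g_name, logname) pairs in the order namemap must scan them."""
    fields, seps = parse_descriptor(descr)
    return sorted(entries, key=lambda e: specificity_key(e[0], fields, seps))


def match_entry(descr, entries, remote):
    """First entry whose g_name matches remote field by field, or None."""
    fields, seps = parse_descriptor(descr)
    remote_parts = split_name(remote, fields, seps)
    for g_name, logname in order_entries(descr, entries):
        pattern_parts = split_name(g_name, fields, seps)
        if all(field_matches(p, v) for p, v in zip(pattern_parts, remote_parts)):
            return g_name, logname
    return None


def resolve(descr, entries, remote):
    """Local logname for remote; None if nothing matches or the match is %i."""
    hit = match_entry(descr, entries, remote)
    if hit is None or hit[1] == '%i':
        return None
    m = re.fullmatch(r'%(\d+)', hit[1])
    if not m:
        return hit[1]                      # explicit local logname
    fields, seps = parse_descriptor(descr)
    wanted = int(m.group(1))               # %n: return field n of the remote name
    for (num, _), part in zip(fields, split_name(remote, fields, seps)):
        if num == wanted:
            return part
    raise ValueError(f"{hit[1]}: no field {wanted} in descriptor {descr!r}")


def check_map(descr, entries, known_users):
    """What 'idadmin -S scheme -c' reports: syntax errors and unknown users."""
    fields, seps = parse_descriptor(descr)
    problems = []
    for g_name, logname in entries:
        try:
            split_name(g_name, fields, seps)
        except ValueError as err:
            problems.append((g_name, logname, str(err)))
            continue
        if not logname.startswith('%') and logname not in known_users:
            problems.append((g_name, logname, 'unknown user'))
    return problems


# Constructed map for the page's myscheme (descriptor M2!M1), listed in the
# order an administrator might have added the entries, not in sorted order.
MYSCHEME = 'M2!M1'
MAP = [
    ('*!*', '%1'),            # transparent: any user on any host, same name
    ('*!root', '%i'),         # reject remote root from anywhere (constructed)
    ('comunix!foo', 'foo'),   # the page's explicit example entry
    ('comunix!*', 'guest'),   # everyone else on comunix becomes guest
]
PASSWD = {'root', 'foo', 'guest'}   # constructed stand-in for /etc/passwd

if __name__ == '__main__':
    print([g for g, _ in order_entries(MYSCHEME, MAP)])
    for remote in ('comunix!foo', 'comunix!root', 'other!root', 'other!alice'):
        print(remote, '->', resolve(MYSCHEME, MAP, remote))
    print(check_map(MYSCHEME, MAP + [('comunix!', 'foo'),
                                     ('comunix!bob', 'bobby')], PASSWD))
```

The scan order comes out as comunix!foo, comunix!*, *!root, *!*, regardless of the order the entries were added. Note that root on comunix lands on guest rather than being rejected: the machine field is the higher-numbered field, so the explicit host in comunix!* outranks the explicit user in *!root, which is the kind of consequence of the sort rules worth checking before enabling transparent mapping. The check_map call flags comunix! (empty mandatory user field) and bobby (not in the constructed passwd set), mirroring what -c is documented to display.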
REFERENCES
attradmin(1M), attrmap(3I), namemap(3I), uidadmin(1)