freeipa/install/tools/man/ipa-ldap-updater.1

.\" A man page for ipa-ldap-updater
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ldap-updater" "1" "Sep 12 2008" "freeipa" ""
.SH "NAME"
ipa\-ldap\-updater \- Update the IPA LDAP configuration
.SH "SYNOPSIS"
ipa\-ldap\-updater [options] input_file(s)
ipa\-ldap\-updater [options]
.SH "DESCRIPTION"
Run with no file arguments, ipa\-ldap\-updater will process all files with the extension .update in /usr/share/ipa/updates.

An update file describes an LDAP entry and a set of operations to be performed on that entry. It can be used to add new entries or modify existing entries. It cannot remove entries, just specific values in a given attribute.

Blank lines and lines beginning with # are ignored.

There are 7 keywords:

    * default: the starting value
    * add: add a value (or values) to an attribute
    * remove: remove a value (or values) from an attribute
    * only: set an attribute to this
    * deleteentry: remove the entry
    * replace: replace an existing value, format is old: new
    * addifnew: add a new attribute and value only if the attribute doesn't already exist. Only works with single-value attributes.

Values is a comma\-separated field so multi\-values may be added at one time. Double or single quotes may be put around individual values that contain embedded commas.

The difference between the default and add keywords is if the DN of the entry exists then default is ignored. So for updating something like schema, which will be under cn=schema, you must always use add (because cn=schema is guaranteed to exist). It will not re\-add the same information again and again.

It alsos provide some things that can be templated such as architecture (for plugin paths), realm and domain name.

The available template variables are:

    * $REALM \- the kerberos realm (EXAMPLE.COM)
    * $FQDN \- the fully\-qualified domain name of the IPA server being updated (ipa.example.com)
    * $DOMAIN \- the domain name (example.com)
    * $SUFFIX \- the IPA LDAP suffix (dc=example,dc=com)
    * $ESCAPED_SUFFIX \- the ldap-escaped IPA LDAP suffix
    * $LIBARCH \- set to 64 on x86_64 systems to be used for plugin paths
    * $TIME \- an integer representation of current time

A few rules:

   1. Only one rule per line
   2. Each line stands alone (e.g. an only followed by an only results in the last only being used)
   3. adding a value that exists is ok. The request is ignored, duplicate values are not added
   4. removing a value that doesn't exist is ok. It is simply ignored.
   5. If a DN doesn't exist it is created from the 'default' entry and all updates are applied
   6. If a DN does exist the default values are skipped
   7. Only the first rule on a line is respected
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug
Enable debug logging when more verbose output is needed
.TP
\fB\-t\fR, \fB\-\-test\fR
Run through the update without changing anything. If changes are available then the command returns 2. If no updates are available it returns 0.
.TP
\fB\-y\fR
File containing the Directory Manager password
.TP
\fB\-l\fR, \fB\-\-ldapi\fR
Connect to the LDAP server using the ldapi socket
.TP
\fB\-u\fR, \fB\-\-\-upgrade\fR
Upgrade an installed server in offline mode (implies \-\-ldapi)
.TP
\fB\-W\fR, \fB\-\-\-password\fR
Prompt for the Directory Manager password
.SH "EXIT STATUS"
0 if the command was successful

1 if an error occurred

2 if run with in test mode (\-t) and updates are available
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`.\" A man page for ipa-ldap-updater`
			`.\" Copyright (C) 2008 Red Hat, Inc.`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.\"`
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239 2010-12-09 06:59:11 -06:00			`.\" This program is free software; you can redistribute it and/or modify`
			`.\" it under the terms of the GNU General Public License as published by`
			`.\" the Free Software Foundation, either version 3 of the License, or`
			`.\" (at your option) any later version.`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.\"`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`.\" This program is distributed in the hope that it will be useful, but`
			`.\" WITHOUT ANY WARRANTY; without even the implied warranty of`
			`.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`.\" General Public License for more details.`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.\"`
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239 2010-12-09 06:59:11 -06:00			`.\" You should have received a copy of the GNU General Public License`
			`.\" along with this program. If not, see <http://www.gnu.org/licenses/>.`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.\"`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`.\" Author: Rob Crittenden <rcritten@redhat.com>`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.\"`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`.TH "ipa-ldap-updater" "1" "Sep 12 2008" "freeipa" ""`
			`.SH "NAME"`
			`ipa\-ldap\-updater \- Update the IPA LDAP configuration`
			`.SH "SYNOPSIS"`
			`ipa\-ldap\-updater [options] input_file(s)`
			`ipa\-ldap\-updater [options]`
			`.SH "DESCRIPTION"`
			`Run with no file arguments, ipa\-ldap\-updater will process all files with the extension .update in /usr/share/ipa/updates.`

			`An update file describes an LDAP entry and a set of operations to be performed on that entry. It can be used to add new entries or modify existing entries. It cannot remove entries, just specific values in a given attribute.`

			`Blank lines and lines beginning with # are ignored.`

The default groups we create should have ipaUniqueId set This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177 2011-04-14 13:37:45 -05:00			`There are 7 keywords:`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00
			`* default: the starting value`
			`* add: add a value (or values) to an attribute`
			`* remove: remove a value (or values) from an attribute`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`* only: set an attribute to this`
			`* deleteentry: remove the entry`
			`* replace: replace an existing value, format is old: new`
The default groups we create should have ipaUniqueId set This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177 2011-04-14 13:37:45 -05:00			`* addifnew: add a new attribute and value only if the attribute doesn't already exist. Only works with single-value attributes.`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00
			`Values is a comma\-separated field so multi\-values may be added at one time. Double or single quotes may be put around individual values that contain embedded commas.`

			`The difference between the default and add keywords is if the DN of the entry exists then default is ignored. So for updating something like schema, which will be under cn=schema, you must always use add (because cn=schema is guaranteed to exist). It will not re\-add the same information again and again.`

			`It alsos provide some things that can be templated such as architecture (for plugin paths), realm and domain name.`

			`The available template variables are:`

			`* $REALM \- the kerberos realm (EXAMPLE.COM)`
			`* $FQDN \- the fully\-qualified domain name of the IPA server being updated (ipa.example.com)`
			`* $DOMAIN \- the domain name (example.com)`
			`* $SUFFIX \- the IPA LDAP suffix (dc=example,dc=com)`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`* $ESCAPED_SUFFIX \- the ldap-escaped IPA LDAP suffix`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`* $LIBARCH \- set to 64 on x86_64 systems to be used for plugin paths`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`* $TIME \- an integer representation of current time`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00
			`A few rules:`

			`1. Only one rule per line`
			`2. Each line stands alone (e.g. an only followed by an only results in the last only being used)`
			`3. adding a value that exists is ok. The request is ignored, duplicate values are not added`
			`4. removing a value that doesn't exist is ok. It is simply ignored.`
			`5. If a DN doesn't exist it is created from the 'default' entry and all updates are applied`
			`6. If a DN does exist the default values are skipped`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`7. Only the first rule on a line is respected`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`.SH "OPTIONS"`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.TP`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`\fB\-d\fR, \fB\-\-debug`
			`Enable debug logging when more verbose output is needed`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.TP`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`\fB\-t\fR, \fB\-\-test\fR`
Add detection to the update tool to detect when it would apply changes. Remove SUP name from RFC2307bis.update to match FDS 2008-09-17 22:18:09 -05:00			`Run through the update without changing anything. If changes are available then the command returns 2. If no updates are available it returns 0.`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.TP`
Run the LDAP updater at the end of the installation process. Running at the end ensures that /etc/ipa/ipa.conf is created and generally makes it more likely to succeed. Added a new argument to ipa-server-installl, -y <password_file>, so we don't have to pass it on the command-line. 2008-09-15 17:15:12 -05:00			`\fB\-y\fR`
			`File containing the Directory Manager password`
Automatically update IPA LDAP on rpm upgrades Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087 2011-03-18 10:19:53 -05:00			`.TP`
			`\fB\-l\fR, \fB\-\-ldapi\fR`
			`Connect to the LDAP server using the ldapi socket`
			`.TP`
			`\fB\-u\fR, \fB\-\-\-upgrade\fR`
			`Upgrade an installed server in offline mode (implies \-\-ldapi)`
Fix traceback in ipa-nis-manage. The root user cannot use ldapi because of the autobind configuration. Fall back to a standard GSSAPI sasl bind if the external bind fails. With --ldapi a regular user may be trying this as well, catch that and report a reasonable error message. This also gives priority to the DM password if it is passed in. Also require the user be root to run the ipa-nis-manage command. We enable/disable and start/stop services which need to be done as root. Add a new option to ipa-ldap-updater to prompt for the DM password. Remove restriction to be run as root except when doing an upgrade. Ticket 1157 2011-04-11 14:30:11 -05:00			`.TP`
			`\fB\-W\fR, \fB\-\-\-password\fR`
			`Prompt for the Directory Manager password`
Sort updates by DN length and by default process all files in the updates dir. The updates directory is currently hardcoded to /usr/share/ipa/updates. All of the files are read into memory and then sorted by the length of the DN. This is so we can be sure that parent entries are added before children. Also add a man page. 2008-09-12 17:40:26 -05:00			`.SH "EXIT STATUS"`
			`0 if the command was successful`

			`1 if an error occurred`
Add detection to the update tool to detect when it would apply changes. Remove SUP name from RFC2307bis.update to match FDS 2008-09-17 22:18:09 -05:00
			`2 if run with in test mode (\-t) and updates are available`