Maintenance Commands ldif2sam(1M)
NAME
ldif2sam - add LDAP user accounts to an NT Domain Security
Accounts Manager (SAM) database via LDIF
SYNOPSIS
ldif2sam [-e] [-I instance] [-g group] [-h] [-i file] -l
logon [-p password] [-m connect] [-n local path] [-s
logon script] [-u user profile] [-y password] [-z file]
DESCRIPTION
The ldif2sam utility reads an LDAP Data Interchange Format
(LDIF) template file from its default location,
/etc/opt/lanman/{instance_number}/ldif.tmpl, or from the file
specified with the -z flag. It then reads the LDIF input file
(-i file), which was presumably generated from an LDAP data-
base. By pattern matching the input file against the tem-
plate, fields are extracted and added to the PC NetLink SAM
database accordingly.
The ldif2sam command can be run only by authenticating to the
PC NetLink machine as a Domain Administrator (see -l and -p)
and running the command as superuser.
The ldif2sam application bridges Windows NT Domain services
with LDAP. Although the passwd2sam(1M) utility will syn-
chronize user accounts from LDAP to PC NetLink if LDAP is
the native Solaris name service, not all information can be
synchronized. This utility allows all information from the
NT USER_INFO_3 record to be synchronized. It is also not a
requirement that LDAP be the native Solaris name service.
The PC NetLink Server HKEY_LOCAL_MACHINE registry contains a
default value for the variable token used in the LDIF template
file. This key-value pair is located under
/SYSTEM/CurrentControlSet/Services/AdvancedServer/UserServiceParameters.
The value name is LDIFvariableToken and its default value is
the percent sign ('%').
The LDIF template file should contain fields indicated by
the variable token before and after the field name. Below
is a chart of all field names supported by this utility.
For example, placing %uid% in the LDIF template file, will
cause the actual user ID to be extracted from the LDIF input
file whenever the pattern matches the template file.
Field name Field Type Description
___________________________________________________________
uid Ascii NT username
nthomedir Ascii NT home directory
comment Ascii NT comment
ntflags Base64 NT flags
ntscriptpath Ascii NT script path
ntfullname Ascii NT full name
ntusrcomment Ascii NT user comment
ntparms Base64 NT parameters
ntworkstations Ascii NT workstations
ntacctexpires Date NT account expires date stamp
ntlogonhours Base64 NT logon hours bit array
ntprofile Ascii NT profile path
nthomedirdrive Ascii NT home directory drive
unixhomedir Ascii Unix home directory path
Fields may have one of several types. Ascii fields are plain,
human-readable Ascii strings. Base64 fields carry binary data,
base64-encoded, and must be written with a double colon (::)
after the attribute name in LDIF (see RFC 2849). Date fields
are Ascii strings containing an ASN.1 GeneralizedTime value,
as specified by X.208.
All input files to ldif2sam must be formatted in LDAP Data
Interchange Format (LDIF). See RFC 2849 for details.
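The template-matching mechanism described above, as an added example that is not PC NetLink code: a small Python checker that parses an LDIF template carrying %field% tokens, parses an LDIF input file per RFC 2849 (line folding, '#' comments, '::' base64 values), extracts the fields listed in the table and type-checks them (Base64 fields decoded, Date fields parsed as GeneralizedTime), so an LDAP export can be validated offline before ldif2sam writes it into the SAM. The sample template and input are constructed, and the matching rule used here (an entry matches when every templated attribute is present) is an assumption; ldif2sam's own matching rules are not documented on this page.

```python
import base64
import re
from datetime import datetime, timezone

TOKEN = "%"  # default LDIFvariableToken value (the registry key described above)

# Field names and types from the table above.
BASE64_FIELDS = {"ntflags", "ntparms", "ntlogonhours"}
DATE_FIELDS = {"ntacctexpires"}
ASCII_FIELDS = {"uid", "nthomedir", "comment", "ntscriptpath", "ntfullname", "ntusrcomment",
                "ntworkstations", "ntprofile", "nthomedirdrive", "unixhomedir"}
FIELDS = BASE64_FIELDS | DATE_FIELDS | ASCII_FIELDS

def parse_ldif(text):
    """Entries as {attr: (is_base64, raw value)}: unfolds RFC 2849 continuation
    lines (they start with a space), skips '#' comments, notes the '::' marker."""
    entries, cur = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            is_b64 = rest.startswith(":")
            cur[attr.strip().lower()] = (is_b64, (rest[1:] if is_b64 else rest).strip())
    return entries

def parse_template(text):
    """Map each LDIF attribute whose template value is exactly %field% to that
    ldif2sam field; attributes without a token are not extracted."""
    pat = re.compile(re.escape(TOKEN) + r"(\w+)" + re.escape(TOKEN))
    mapping = {}
    for entry in parse_ldif(text):
        for attr, (_, value) in entry.items():
            m = pat.fullmatch(value)
            if m and m.group(1) not in FIELDS:
                raise ValueError(f"template: unsupported field {value}")
            if m:
                mapping[attr] = m.group(1)
    return mapping

def parse_generalized_time(s):
    """ASN.1 GeneralizedTime in the usual LDAP form YYYYMMDDHHMMSS[.fff]Z (UTC)."""
    m = re.fullmatch(r"(\d{14})(?:\.\d+)?Z", s)
    if not m:
        raise ValueError(f"not a UTC GeneralizedTime: {s!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def extract_fields(entry, mapping):
    """Typed values for one entry, or None when it does not match the template.
    Assumption (ldif2sam's own matching rule is not documented on this page):
    an entry matches only if every templated attribute is present."""
    out = {}
    for attr, field in mapping.items():
        if attr not in entry:
            return None
        is_b64, raw = entry[attr]
        if field in BASE64_FIELDS:
            if not is_b64:
                raise ValueError(f"{attr}: Base64 field must be written with '::'")
            out[field] = base64.b64decode(raw, validate=True)
        elif field in DATE_FIELDS:
            out[field] = parse_generalized_time(raw)
        else:  # Ascii; LDIF may still base64-wrap a value with unsafe characters
            out[field] = base64.b64decode(raw).decode() if is_b64 else raw
    return out

def match_entries(template_text, ldif_text):
    """Apply the template to every input entry: (matched field dicts, skipped uids)."""
    mapping = parse_template(template_text)
    matched, skipped = [], []
    for entry in parse_ldif(ldif_text):
        fields = extract_fields(entry, mapping)
        if fields is None:
            skipped.append(entry.get("uid", (False, "<no uid>"))[1])
        else:
            matched.append(fields)
    return matched, skipped

# Constructed sample template and input; neither is from the page or a real site.
TEMPLATE = """\
uid: %uid%
cn: %ntfullname%
ntlogonhours:: %ntlogonhours%
ntacctexpires: %ntacctexpires%
"""
INPUT_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
cn: Alice Example
ntlogonhours:: ////////////////////////////
ntacctexpires: 20261231235959Z

dn: uid=svc-backup,ou=Services,dc=example,dc=com
uid: svc-backup
cn: Backup service (no NT attributes, so it must not be migrated)
"""
```

Calling match_entries(TEMPLATE, INPUT_LDIF) yields one migrated record for alice (21 bytes of logon hours, all hours permitted, and an expiry of 2026-12-31 23:59:59 UTC) and lists svc-backup as skipped because it lacks the templated NT attributes; a Base64 field written with a single colon raises instead of being silently imported.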
The PC NetLink software must be running and configured as
either a Primary Domain Controller (PDC) or Backup Domain
Controller (BDC). The ldif2sam application will not run if
PC NetLink is configured as a Member Server.
By default, ldif2sam produces randomly generated
alphanumeric passwords for each user account and writes them
to the transaction log
/var/opt/lanman/{instance_number}/dirsync/ldif2sam.log. You
can override this default behavior by using the -y password
option to assign a specific password, or no password, to all
user accounts.
All transactions, errors, and datafiles (except user-
specified output files) are written to
/var/opt/lanman/{instance_number}/dirsync and each entry is
prefixed with the string ldif2sam.
OPTIONS
The ldif2sam user account migration application supports the
following options:
-I instance
Specifies the PC NetLink instance number.
-e Checks if each non-privileged LDAP user account is
defined in the Domain Security Accounts Manager (SAM)
database. Each account not defined in SAM is written to
the output file
/var/opt/lanman/{instance_number}/dirsync/ldif2sam.enumeration.
-g group
Assigns an NT Domain secondary group to each user
account added into the NT Domain. By default, NT
assigns each user account to the primary group "Domain
Users". Specifying the -g group option (for instance, -g
"Domain Guests") will also assign each user account
to the specified secondary group.
-h Displays a help message for ldif2sam.
-i file
Adds to the Domain Security Accounts Manager (SAM)
database user accounts specified by the LDIF input
file.
-l logon
Lets you log on to the domain by specifying the logon
name for a Domain Administrative account, which you
must supply for all ldif2sam operations.
-m connect
Creates a global NT Domain home directory for each user
account ldif2sam adds.
The connect argument is a global home directory path,
which is a Universal Naming Convention (UNC) path pre-
fixed by a drive letter and colon. The drive letter
and colon must be specified (for instance, H:). The
UNC path can be a local or remote LAN Manager path to
an existing network shared directory.
Each user's logon name is automatically appended to the
end of the Home Directory Connect path if not speci-
fied. Alternatively, using the %USERNAME% wildcard
appends each user's logon name to the end of the UNC
path. This option applies to all accounts in the add
operation.
NOTE: When specifying UNC paths, you must substitute
two backslashes for each backslash, to support Solaris
command line shells (for instance, -m
H:\\\\SERVER\\USERS\\%USERNAME%).
-n local_path
Specifies a user's local home directory on the Windows
workstation where the user logs on. This local direc-
tory path must be prefixed by a drive letter and colon
(for instance, -n C:\\USERS\\%USERNAME%).
Each user's logon name is automatically appended to the
end of the local directory if not specified. Alterna-
tively, using the %USERNAME% wildcard appends each
user's logon name to the end of the local path. This
option applies to all accounts being added.
-p password
Specifies an NT Domain Administrative account pass-
word, which you must supply for all ldif2sam opera-
tions. If -p password is omitted, then ldif2sam prompts
you for an Administrative password. A password given on
the command line is visible to other users of the
machine in process listings (ps), so prefer the prompt.
-s logon_script
Sets up a network logon script that runs each time a
user logs on to Domain.
The logon_script argument is a file name (for instance,
-s NETLOGON.CMD) that contains commands to execute upon
user logon. A network logon script is defined using
relative pathing and pertains only to the authenticat-
ing Primary Domain Controller (PDC) Server. When a user
logs on, the authenticating PDC computer finds the
specified logon script by following the PDC logon
script path \\SERVER\NETLOGON. This option applies to
all user accounts being added.
-u user_profile
Specifies the User Profile Path, which is a Universal
Naming Convention (UNC) path, that points to a roaming
or mandatory user profile. The UNC path can be a local
or remote LAN Manager path.
Each user's logon name is automatically appended to the
end of the User path if no other name is specified.
Alternatively, use the %USERNAME% wildcard to append
each user's logon name to the end of the UNC path (for
instance, -u \\\\SERVER\\PROFILES\\%USERNAME%).
-y password
Overrides the randomly generated default alphanumeric
password and assigns a password you specify to all NT
Domain user accounts added by ldif2sam. Specifying NULL
(for instance, -y NULL) creates accounts without pass-
words. The password you specify is applied to all user
accounts being added, so every account created in one
run shares it until its owner changes it; NULL pass-
words leave those accounts open to anyone. You can
manage password lengths using Microsoft Windows NT
Server's User Manager for Domains tool: look for the
Policies, Account panel. NULL passwords are allowed only
if you enable the radio button Permit Blank Password.
All user account passwords are written to the ldif2sam
transaction log
/var/opt/lanman/{instance_number}/dirsync/ldif2sam.log.
These passwords are readable only by the superuser.
Windows NT Domain users will be prompted to change
their password upon initial Domain logon. This option
applies to all accounts being added.
-z file
Specifies alternate location for LDIF template file.
If this flag is not specified, the following file is
used as the template file:
/etc/opt/lanman/{instance_number}/ldif.tmpl
EXAMPLES
See passwd2sam(1M) for related examples.
FILES
/var/opt/lanman/{instance_number}/dirsync/ldif2sam.log
ldif2sam transaction log (includes the generated
passwords; readable only by the superuser).
/var/opt/lanman/{instance_number}/dirsync/ldif2sam.errors
ldif2sam error log.
/var/opt/lanman/{instance_number}/dirsync/ldif2sam.enumeration
LDAP user accounts from the LDIF input that are not
defined in the NT Domain (see -e).
SEE ALSO
mapuname(1), sam2passwd(1M), passwd2sam(1M), sam2ldif(1M),
ldapmodify(1M), ldaplist(1)
NOTES
When using ldif2sam arguments containing backslashes, you
must substitute two backslashes for each backslash, to sup-
port Solaris command line shells.
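The backslash rule above and the -m, -n and -u path handling, as an added example (not PC NetLink code): a Python helper that doubles backslashes the way the NOTES require, reproduces what the Solaris shell then hands to ldif2sam (shlex.split applies the same POSIX unquoted-backslash rules), expands %USERNAME% or appends the logon name as the option descriptions state, and assembles a full command line. The administrator name, the LDIF file name and the server and share names are assumptions chosen for the illustration; -p is left off on purpose so that ldif2sam prompts for the password instead of exposing it on the command line.

```python
import shlex

USERNAME = "%USERNAME%"

def shell_arg(path):
    """Double every backslash so an unquoted Solaris shell argument reaches
    ldif2sam intact (the rule in NOTES)."""
    return path.replace("\\", "\\\\")

def as_seen_by_ldif2sam(typed):
    """What ldif2sam receives after the shell applies POSIX unquoted-backslash
    rules to what was typed; shlex.split implements those rules."""
    return shlex.split(typed)[0]

def per_user_path(path, logon):
    """The -m/-n/-u rule: %USERNAME% is replaced by the logon name; a path
    without the wildcard gets the logon name appended."""
    if USERNAME in path:
        return path.replace(USERNAME, logon)
    return path.rstrip("\\") + "\\" + logon

def build_command(admin, ldif_file, home_connect, local_path, profile):
    """Command line for one migration run, backslashes doubled where needed.
    No -p: ldif2sam prompts, so the password never appears in ps output."""
    return " ".join(["ldif2sam", "-l", admin, "-i", ldif_file,
                     "-m", shell_arg(home_connect), "-n", shell_arg(local_path),
                     "-u", shell_arg(profile)])

if __name__ == "__main__":
    # Assumed names: Administrator, /tmp/users.ldif, SERVER, USERS, PROFILES.
    home = r"H:\\SERVER\USERS\%USERNAME%"
    print(build_command("Administrator", "/tmp/users.ldif", home,
                        r"C:\USERS\%USERNAME%", r"\\SERVER\PROFILES\%USERNAME%"))
    typed = shell_arg(home)
    print(typed, "->", as_seen_by_ldif2sam(typed))       # round-trips intact
    print(home, "->", as_seen_by_ldif2sam(home))          # undoubled: mangled
    for logon in ("alice", "bob"):
        print(logon, per_user_path(home, logon), per_user_path(r"H:\\SERVER\USERS", logon))
```

Running it shows why the doubling matters: the doubled form round-trips to H:\\SERVER\USERS\%USERNAME%, while the undoubled form comes out of the shell as H:\SERVERUSERS%USERNAME%, a path no server will resolve.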