Centrify Adedit Guide
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a
license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or
non-disclosure agreement, Centrify Corporation provides this document and the software described in this
document "as is" without warranty of any kind, either express or implied, including, but not limited to, the
implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of
express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior
written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth
in such license agreement or non-disclosure agreement, no part of this document or the software described in this
document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some
companies, names, and data in this document are used for illustration purposes and may not represent real
companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the
information herein. These changes may be incorporated in new editions of this document. Centrify Corporation
may make improvements in or changes to the software described in this document at any time.
© 2004-2014 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from
third party or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the
U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48
C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for
non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use,
modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all
respects to the commercial license rights and restrictions provided in the license agreement.
Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and Centrify Server Suite,
Centrify User Suite, DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United
States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.
Centrify software is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.
The names of any other companies and products mentioned in this document may be the trademarks or registered
trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies,
organizations, domain names, people and events herein are fictitious. No association with any real company,
organization, domain name, person, or event is intended or should be inferred.
Contents
About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Intended audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Using this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Conventions used in this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Viewing command help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Finding information about Centrify products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Contacting Centrify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Getting customer support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Chapter 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
General-purpose commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Context commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Object-management commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Utility commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Security descriptor commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
add_command_to_role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
add_map_entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
add_map_entry_with_comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
add_object_value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
add_pamapp_to_role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
add_sd_ace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
bind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
clear_rs_env_from_role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
create_computer_role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
create_zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
delegate_zone_right . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
delete_dz_command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
delete_map_entry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
delete_nis_map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
delete_object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
delete_pam_app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
delete_role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
delete_role_assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
delete_rs_command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
delete_rs_env . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
delete_sub_tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
delete_zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
delete_zone_computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
delete_zone_group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
delete_zone_user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
dn_from_domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
dn_to_principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
domain_from_dn. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
explain_sd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
get_adinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
get_bind_info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
get_child_zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
get_dz_commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
get_dzc_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
get_group_members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
get_nis_map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
get_nis_map_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
get_nis_map_with_comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
get_nis_maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
get_object_field. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
get_object_field_names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
get_objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
get_pam_apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
get_pam_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
get_parent_dn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
get_pwnam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
get_rdn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
get_role_apps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
get_role_assignment_field. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
get_role_assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
get_role_commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
get_role_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
get_role_rs_commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
get_role_rs_env. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
get_roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
get_rs_commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
get_rs_envs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
get_rsc_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
get_rse_cmds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
get_rse_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
get_schema_guid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
get_zone_computer_field. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
get_zone_computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
get_zone_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
get_zone_group_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
get_zone_groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
get_zone_nss_vars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
get_zone_user_field. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
get_zone_users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
get_zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
getent_passwd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
guid_to_id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
is_dz_enabled. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
joined_get_user_membership. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
joined_name_to_principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
joined_user_in_group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
list_dz_commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
list_nis_map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
list_nis_map_with_comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
list_nis_maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
list_pam_apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
list_role_assignments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
list_role_rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
list_roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
list_rs_commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
list_rs_envs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
list_zone_computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
list_zone_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
list_zone_users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
manage_dz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
move_object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
new_dz_command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
new_nis_map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
new_object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
new_pam_app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
new_role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
new_role_assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
new_rs_command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
new_rs_env. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
new_zone_computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
new_zone_group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
new_zone_user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
pop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
principal_from_sid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
principal_to_dn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
principal_to_id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
push . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
quit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
remove_command_from_role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
remove_object_value. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
remove_pamapp_from_role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
remove_sd_ace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
rename_object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
save_dz_command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
save_nis_map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
save_object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
save_pam_app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
save_role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
save_role_assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
save_rs_command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
save_rs_env. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
save_zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
save_zone_computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
save_zone_group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
save_zone_user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
select_dz_command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
select_nis_map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
select_object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
select_pam_app. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
select_role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
select_role_assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
select_rs_command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
select_rs_env . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
select_zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
select_zone_computer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
select_zone_group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
select_zone_user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
set_dzc_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
set_ldap_timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
set_object_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
set_pam_field. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
set_role_assignment_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
set_role_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
set_rs_env_for_role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
set_rsc_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
set_rse_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
set_sd_owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
set_user_password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
set_zone_computer_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
set_zone_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
set_zone_group_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
set_zone_user_field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
sid_to_escaped_string. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
sid_to_uid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
validate_license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
add_user_to_group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
convert_msdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
create_adgroup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
create_aduser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
create_assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
create_dz_command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
create_group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
create_nis_map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
create_pam_app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
create_role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
create_rs_command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
create_rs_env . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
create_user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
decode_timebox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
encode_timebox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
explain_groupType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
explain_ptype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
explain_trustAttributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
explain_trustDirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
explain_userAccountControl. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
get_all_zone_users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
get_user_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
list_zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
lmerge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
modify_timebox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
precreate_computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
remove_user_from_group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Contents
Appendix A
349
Appendix B
352
Appendix C
356
Index
362
10
Intended audience
This guide describes ADEdit for UNIX administrators who want to manage Centrify and
Active Directory from a Linux, UNIX, or Mac computer through CLI commands or scripts.
It assumes that you are well-versed in Active Directory's architecture and management, and
that you're equally well-versed in Centrify access control and privilege management features.
For more complete information about Centrify software and management tasks, you should
read the Centrify Server Suite Administrator's Guide for Linux and UNIX.
Chapter 1, Introduction describes the basic features of ADEdit and the types of
commands it offers, including how it fits in with other components of Centrify software.
Chapter 2, Getting started with ADEdit describes the basics of ADEdit command syntax
and the logical flow of commands that you need to be familiar with before you begin
executing interactive ADEdit sessions or writing ADEdit scripts.
Chapter 3, ADEdit commands organized by type assembles the ADEdit commands into
logical groups, corresponding to their usage, and summarizes each command.
Chapter 4, Using the demonstration scripts provides script samples for a series of
common tasks that you can incorporate into your scripts.
Chapter 5, ADEdit command reference provides full command descriptions in
alphabetical order.
Chapter 6, ADEdit Tcl procedure library reference describes the Tcl procedures
available in the ade_lib Tcl library that use ADEdit commands to perform common
administrative tasks.
Appendix A, Timebox value format describes the format of the timebox value used to
set the hours of the week when a role is enabled and disabled.
Appendix B, Using ADEdit with classic zones summarizes the differences between
working with classic and hierarchical zones and lists the commands that are specifically for
managing authorization in classic zones.
Appendix C, Quick reference for commands and library procedures provides a summary
of all ADEdit commands and procedures, including the command syntax and
abbreviations.
Fixed-width font
Bold text emphasizes commands, buttons, or user interface text, and introduces new
terms.
Italics are used for book titles and to emphasize specific words or terms.
Hierarchical zones are supported in Centrify components with version 5.0 or later. In
some ADEdit options or arguments, the term tree is used when you want to specify a
hierarchical zone.
Classic zones are not hierarchical and don't support inheritance. However, there are two
types of classic zones: classic4 zones, which are supported in Centrify components with
version 4.x or later, and classic3 zones, which are compatible with older versions of
Centrify components.
You can also display the general help text for ADEdit by entering man adedit.
Contacting Centrify
You can contact Centrify by visiting our website, www.centrify.com. On the website, you can
find information about Centrify office locations worldwide, email and phone numbers for
contacting Centrify sales, and links for following Centrify on social media. If you have
questions or comments, we look forward to hearing from you.
Chapter 1
Introduction
Centrify ADEdit is a command-line interface (CLI) utility that enables UNIX administrators
to manage Centrify objects, such as zones, rights, and roles, in Microsoft Active
Directory. This chapter introduces you to ADEdit's main features and architecture.
Interactive mode. In interactive mode, ADEdit executes single CLI commands in real
time. You can enter a series of commands within a shell to perform simple
administrative tasks. ADEdit offers a command history that is persistent from session to
session. You can use the up arrow and Enter keys to review and re-enter commands
instead of retyping complete commands from scratch.
Script execution. ADEdit can accept and execute a Tcl script file that includes
ADEdit commands. The Tcl scripting language includes full programming logic with
variables, logical operators, branching, functions (called procedures in Tcl), and other
useful program-flow features. As the script executes, ADEdit keeps the Active
Directory objects that it is working on in internal memory. It does not require repeated
queries to Active Directory as it works on an object.
Executable file. You can set up any ADEdit Tcl script as an executable file that can run
by itself on a UNIX platform.
Scripting makes ADEdit a very flexible administration tool. You can use a single script to
handle hundreds or thousands of repetitive tasks that would take a very long time to
perform through the console. And you can write a set of scripts to quickly and easily check
on and respond to current conditions. A script could, for example, create a new zone, read
the /etc/passwd files on UNIX computers in that zone, and migrate all existing UNIX users it
finds there into new zone user accounts. Another script could find users in specified groups
and then assign a new role to all users in those groups.
With that power comes responsibility. It's quite possible for an ADEdit script, or even a
single ADEdit command, to completely erase Active Directory's contents if used
incorrectly. There are, for the most part, no warnings, and there is no undo feature if this
happens. Only knowledgeable users should use ADEdit, and it is important to test scripts in
sample environments before deploying them to the enterprise.
The Centrify Server Suite SDK for Windows provides application programming
interfaces (APIs) that you can use to control all of the same features provided by the
DirectManage Access Manager console.
It's important to realize when using any of these tools that an instance of one of these tools
has no knowledge of other tool instances and acts as if it's the only administrative tool at
work. For example, if one administrator uses the DirectManage Access Manager console to
modify a zone object at the same time as another administrator uses ADEdit to modify the
same zone object, their changes might clash: if the changes are first saved by the
administrator using DirectManage Access Manager, those changes might be overridden
by changes saved by ADEdit. The last tool to save object data has the final say.
This is true as well for different instances of ADEdit. If two administrators both use
different ADEdit instances simultaneously to work on the same object, the administrator
who last saves the object is the only one whose work will have an effect on the object.
It's important when using ADEdit in an environment with multiple administrators to
retrieve an object, make changes, and check it back in promptly to avoid conflicts. ADEdit
object changes are not atomic: a save writes back the whole copy of the object held in
memory, so anything another tool changed in Active Directory after you selected the object
is overwritten without warning.
It helps to bind all administration tools to the same domain controller within a domain to
further minimize conflicts. If tools work on different domain controllers, one tool's changes
may take time to replicate to the other domain controllers, so tools connected to
other domain controllers won't be able to see those changes immediately.
ADEdit components
ADEdit has two components: the ADEdit application and the ade_lib Tcl library. They are
both installed when the Centrify agent is installed on a Linux, UNIX, or Mac OS X
computer to be managed.
[Figure: ADEdit components. On the UNIX/Linux/Mac computer, a user works through Tcl
scripts or the CLI; the ADEdit Tcl interpreter runs ADEdit commands, ADEdit Tcl
commands, and the ade_lib Tcl library, and exchanges data with the Active Directory
domain controller directly or, in a few cases, through adclient.]
A user can access ADEdit through a CLI in a shell or through an executing Tcl script or Tcl
application. ADEdit's Tcl interpreter executes the commands it receives from the CLI using
the ADEdit commands and Tcl commands that are part of ADEdit. It may also use ade_lib
Tcl library commands if specified. Tcl scripts and applications use ADEdit's commands and
ade_lib Tcl library commands directly. ADEdit binds to an Active Directory domain
controller, with which it exchanges data. ADEdit may also (in a few cases) get data from
Active Directory through the adclient process.
ADEdit context
When ADEdit commands work on Active Directory objects, they don't specify a domain
and the object to work on as part of each command. ADEdit instead maintains a context in
memory that defines what commands work on.
ADEdit's context has two types of components:
A set of one or more bindings that connect ADEdit to domains in the forest.
Each binding uses an authentication to connect to an Active Directory domain
controller. The authentication must have enough rights to perform ADEdit's
administrative actions on the domain controller. Each binding binds ADEdit to a single
domain; multiple bindings bind ADEdit to multiple domains at one time.
A set of zero, one, or more selected Active Directory objects that ADEdit
works on. A selected object is typically a Centrify object such as a zone, zone user,
role, or NIS map, but can also be any generic Active Directory object. ADEdit stores
each selected object with all of its attributes (called fields within ADEdit). ADEdit
stores no more than one selected object of each type: one zone object, for example, one
PAM application object, one generic Active Directory object, and so on.
An ADEdit session or script typically starts by binding to one or more domains. If ADEdit
isn't bound to a domain, none of its commands that work with Active Directory (which is
most of them) have any effect. Once bound, ADEdit commands work within the scope of
all currently bound domains.
An ADEdit session or script then typically selects an object to work on: it specifies an object
such as a zone user object that ADEdit retrieves from Active Directory and stores in
memory as part of the context. All subsequent zone user commands then work on the zone
user object in memory, not the zone user object as it is stored in Active Directory.
When finished with a selected object, the session or script can simply ignore the object (if
nothing has changed in it) or it can save the object back to Active Directory (if the object has
been modified and the modifications need to go back to Active Directory, overwriting the
object there). The selected object remains stored in ADEdit's context until the session or
script selects a new object of the same type, which replaces the previous object.
By maintaining a context with selected objects, ADEdit avoids constant Active Directory
queries for successive object management commands: a selection command queries Active
Directory to retrieve an object. Reading or modifying object fields occurs internally and
doesn't require Active Directory queries. If the object is saved, a final Active Directory
query returns the modified object to Active Directory.
Context persistence
ADEdit's context persists for the duration of an ADEdit interactive session. The context in
an ADEdit script persists only until the end of the script's execution.
Context cautions
Working with ADEdit's context requires some thought. Commands that affect objects don't
explicitly specify an object, so you must be careful to ensure that the correct object is
selected before executing commands that affect the object. ADEdit has context reporting
commands that help by showing current domain bindings and selected objects.
It's important to realize that any modifications to a selected object have no effect until the
object is saved back to Active Directory. If you forget to save an object, you lose all
modifications.
If you keep an object in context a long time between selecting the object and saving the
object, be aware, as noted earlier, that another administration tool may alter the object
in Active Directory during that time and you won't know about those alterations.
Context commands that set up and control the ADEdit domain context.
For example, you use these commands to bind to a domain before subsequent object
management commands, view current bindings, and change the context.
Object management commands that enable you to perform all of the same tasks as
you can with Active Directory Users and Computers and DirectManage Access
Manager.
For example, you use these commands to create, select, and manage zones, users,
groups, computers, rights, roles, and role assignments.
Utility commands that perform useful data retrieval and data conversion tasks.
For example, you use these commands to convert domain names and security principal
names from one format to another.
Security descriptor commands that modify security descriptors and make them
readable.
For example, you use these commands to convert security descriptor strings from one
format to another.
For more information about the commands in each category, see ADEdit commands
organized by type on page 35. For details about specific commands, see ADEdit command
reference on page 69.
Chapter 2
Getting started with ADEdit
Anyone can launch ADEdit. However, only users who have sufficient privileges can modify
Active Directory objects and Centrify-specific data.
In addition to arguments, ADEdit commands may or may not have options. Options must
precede a command's arguments. Each option is a single word preceded by a hyphen (-),
such as -write. Options can also have their own arguments. If an option takes an argument,
the argument must immediately follow the option.
Options are used to control specific operations of ADEdit commands. For example:
>bind -gc acme.com administrator #3gEgh^&4
In this example, the bind command has an option -gc that specifies a global catalog domain
controller. Three arguments follow the option. The first argument is required and specifies
the domain to which to bind. The second and third arguments are optional and provide a
user name and password to be used for binding.
ADEdit retains its command history across sessions, so if you quit ADEdit and restart it,
you can still revisit commands entered in the previous session. The command history has a
50-command capacity. Once full, the history drops old commands as you enter new
commands.
As illustrated, the typical logic flow in an ADEdit script follows these steps:
1 Bind ADEdit to one or more domains within a forest.
The domains to which you bind define the logical boundaries within which all
subsequent commands work.
2 Select an existing Active Directory object or create a new object with which to work.
You can use select commands to retrieve existing objects from Active Directory and
store them in memory. You can use new commands to create new objects of a specified
type and store them in the ADEdit context as the currently selected object.
There are also create commands that create new objects in Active Directory without
putting the object in the ADEdit context. You must explicitly select objects that are
created with create commands.
3 Get or set values for a selected object.
After you select an object to work with and it is stored in memory (that is, the object is
in the ADEdit context), you can read field values to see their current settings or write
field values to change their current state.
4 Save the selected object and any settings you changed.
If you modify an object in memory or you have created a new object in memory, you
must save it back to Active Directory for your changes to have any effect.
As these steps suggest, ADEdit is very context-oriented. The bindings you set and the
objects you select determine the current ADEdit context. All commands work within that
context. If you select a zone, for example, subsequent commands use the selected zone as
the context in which to add new zone users, zone computers, and zone groups.
Outside of scripts that perform the most common administrative tasks, you might use
ADEdit commands differently and without following these steps. For example, you might
use ADEdit to convert data from one format to another, view help, or get information
about the local computer without following the typical logic flow, but those tasks would be
exceptions to the general rule.
If you specify a domain with no options, ADEdit automatically finds the domain's closest,
fastest domain controller. Options can narrow down the choice of domain controllers. The
-write option, for example, specifies that you want ADEdit to choose a writable domain
controller. The -gc option specifies that ADEdit use the global catalog (GC) domain
controller. You can use both options to choose a writable GC domain controller, for
example:
>bind -write -gc acme.com
Alternatively, you can name a specific domain controller as a part of the domain name:
>bind dcserv1@acme.com
Active Directory is a multi-master LDAP system. Changes made at any one domain
controller eventually propagate to all other domain controllers in the domain (if they're
universal changes). If all administration tools, such as Active Directory Users and
Computers, DirectManage Access Manager, or other instances of ADEdit, bind to the same
domain controller, changes made by any one of the tools are immediately available to the
other tools without waiting for propagation.
Authentication
If no credentials are provided with a bind command, ADEdit gets its authentication data
from the Kerberos credentials cache if one exists. Alternatively, you can provide a user
name or both a user name and password. For example:
>bind acme.com administrator {e$t86&CG}
Notice that the password is enclosed in braces ({}) to ensure that Tcl handles it correctly.
Without the braces, Tcl syntax will automatically substitute for some characters such as the
$ used in the password. For example, a dollar sign specifies the contents of a variable in Tcl.
Enclosing a string in braces guarantees that Tcl will not try to substitute for any of the
characters in the string. Tcl drops the braces when it passes the string on.
Because ADEdit keeps its command history across sessions, a password typed on an
interactive bind line is also kept in that history. For routine use, prefer binding with the
Kerberos credentials cache or with the -machine option, neither of which puts a password
on the command line.
You can also use the credentials of ADEdit's host computer by using the -machine
option:
>bind -machine acme.com
Whatever credentials you use, they must be for an account on the Active Directory
domain controller with enough authority to read from and make changes to Active Directory
objects in the domain. Without the proper authority, ADEdit commands that use Active
Directory won't work.
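The four-step flow (bind, select, get or set fields, save) and the credential-free bind described under Authentication, put together in one script. This is an added example, not a script from the Centrify guide or from Centrify: the domain, zone distinguished name, user principal name, and UID/GID values are placeholders; the names returned by get_zone_users are assumed to be in the same form that select_zone_user accepts; and standard Tcl commands (catch, lsearch, exit) are assumed to be available because ADEdit runs scripts in a Tcl interpreter.

```tcl
#!/bin/env adedit
# Added example, not from the Centrify guide. Placeholder domain, zone DN,
# UPN and UID/GID; adjust for your forest.
package require ade_lib

set domain pistolas.org
set zoneDN "cn=test6,cn=zones,ou=centrify,dc=pistolas,dc=org"
set upn    tim@pistolas.org

# Step 1: bind. No user name or password on the line, so ADEdit uses the
# Kerberos credentials cache of whoever ran kinit. Nothing is written to the
# script file or the ADEdit command history.
if {[catch {bind -write $domain} err]} {
    puts stderr "bind to $domain failed: $err"
    exit 1
}

# Step 2: select. Confirm the zone exists in this domain before selecting it,
# so a later save_* cannot act on whatever zone happened to be selected last.
if {[lsearch -exact [get_zones $domain] $zoneDN] < 0} {
    puts stderr "zone $zoneDN not found in $domain"
    exit 1
}
select_zone $zoneDN

# Step 3: get or set fields. Refuse to overwrite an existing zone user so a
# rerun of this script cannot silently replace someone else's UID/GID.
# (Assumption: get_zone_users returns names select_zone_user would accept.)
if {[lsearch -exact [get_zone_users] $upn] >= 0} {
    puts stderr "$upn already has a zone profile in $zoneDN; leaving it alone"
    exit 1
}
new_zone_user $upn
set_zone_user_field uname tim
set_zone_user_field uid   81000
set_zone_user_field gid   81000
set_zone_user_field gecos "Tim Jackson, Accounting"

# Read the fields back from the in-memory object before committing. Nothing
# has reached Active Directory yet.
foreach f {uname uid gid gecos} {
    puts "$f = [get_zone_user_field $f]"
}

# Step 4: save. Keep the select, modify, save window short: the object is
# held in memory, and a change another tool makes to it in Active Directory
# in the meantime is not detected and is overwritten by this save.
save_zone_user
puts "saved zone user $upn in $zoneDN"
quit
```

Run it as adedit my_script after kinit, or make it executable as described later in this chapter. The two guard checks are the point: because every set_* and save_* command acts on whatever object is currently selected, a script that does not verify its context first will happily write into the wrong zone.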
Selecting an object
ADEdit manages Centrify information by working with the objects in Active Directory. The
Centrify-specific object types are:
Zones
Zone users
Zone computers
Zone groups
Roles
Role assignments
NIS maps
However, you are not limited to using ADEdit only for managing Centrify-specific object
types. You can also use ADEdit commands to work with generic Active Directory objects,
including computers, users, groups, and other classes.
Selection commands
The ADEdit object select commands have the form select_xxx, where xxx is an object
type. When you select an object (select_zone, for example), ADEdit looks for the object
specified in Active Directory and retrieves it to store the object in the current context.
Each select command is tailored to the type of object it retrieves. As an example, after
binding to acme.com, you can use a get_zones command to list the zones in the bound
domain, then use a select_zone command to select the zone you want to work with:
>get_zones acme.com
{CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=acme,DC=com}
{CN=cz1,CN=Zones,CN=Centrify,CN=Program Data,DC=acme,DC=com}
{CN=cz2,CN=Zones,CN=Centrify,CN=Program Data,DC=acme,DC=com}
{CN=global,CN=Zones,CN=Centrify,CN=Program Data,DC=acme,DC=com}
>select_zone {CN=global,CN=Zones,CN=Centrify,CN=Program Data,DC=acme,DC=com}
As this example illustrates, each zone is listed by its distinguished name (DN), and you use the
distinguished name to identify the zone you want to use.
Persistence
A selected object stays selected until another object of the same type replaces it or until the
current interactive session or executing script ends. When an ADEdit session ends, all
selected objects are removed from ADEdit's memory. In most cases, you must explicitly
save changes to objects in memory to ensure the changes are stored in Active Directory.
In this example, ADEdit retrieves the value of the field uname (in this case, the UNIX user
name field) for the currently selected zone user adam.avery@acme.com.
You can use optional arguments to limit the information the show command returns.
The get_bind_info command returns information about a bound domain. When you use
this command, you specify the information you want to retrieve, such as the domain's
forest, the name of the current domain controller, the domain's security identifier (SID),
the functional level of the domain, or the functional level of the domain's forest. For
example:
>get_bind_info acme.com server
adserve02.acme.com
In this case, ADEdit returns the name of the bound server for the domain acme.com.
This example selects the zone user adam.avery@acme.com and sets the uname field for the
zone user (the UNIX user name) to buzz. The field is set to the new value only in
memory, however. You must save the object before the new field value is stored in Active
Directory and takes effect within the object's domain. For example:
>save_zone_user
This example saves the currently selected zone user object back to Active Directory along with
any field values that have been modified since the object was selected.
Saving an object does not deselect the object. It remains the selected object in memory so
that you can further read and modify it.
Deleting an object
You can delete a currently selected object using the ADEdit delete_xxx commands, where
xxx is the object type. When you delete an object, it is deleted from both memory and
Active Directory. For example:
>select_zone_user adam.avery@acme.com
>delete_zone_user
This example removes the currently selected zone user, adam.avery@acme.com, from the
ADEdit context, so there's no longer a selected zone user. The command also deletes the
zone user object associated with the user adam.avery@acme.com, so there's no longer a
zone user by that name in Active Directory.
There is no undo for a delete command. Once the object is deleted from Active
Directory, you must recreate it if you want it back. Be especially careful if you set up an
ADEdit script to delete multiple objects.
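One way to make a multi-object delete script safe to run, given the warning above that delete has no undo: list what would be deleted first, and delete nothing unless the script is explicitly told to commit. This is an added example, not a script from the Centrify guide or from Centrify. It assumes placeholder domain, zone DN, and UID range values; that the names returned by get_zone_users are accepted by select_zone_user; and that script arguments arrive in the standard Tcl $argv list.

```tcl
#!/bin/env adedit
# Added example, not from the Centrify guide. Deletes the zone users whose
# UID falls in a range, but only when run with the literal argument -commit.
# Placeholder domain, zone DN and UID range; adjust for your environment.
package require ade_lib

set domain pistolas.org
set zoneDN "cn=test6,cn=zones,ou=centrify,dc=pistolas,dc=org"
set uidMin 81000
set uidMax 81999
# Assumption: ADEdit passes script arguments in $argv like plain Tcl.
set commit [expr {[lsearch -exact $argv -commit] >= 0}]

bind -write $domain
select_zone $zoneDN

# Pass 1: decide what would be deleted, without deleting anything.
# Selecting a zone user only loads it into memory; it changes nothing in AD.
set victims {}
foreach name [get_zone_users] {
    select_zone_user $name
    set uid [get_zone_user_field uid]
    if {[string is integer -strict $uid] && $uid >= $uidMin && $uid <= $uidMax} {
        lappend victims $name
    }
}

puts "[llength $victims] zone user(s) in $zoneDN with uid $uidMin..$uidMax:"
foreach name $victims {
    puts "  $name"
}

if {!$commit} {
    puts "dry run only; rerun with -commit to delete the users listed above"
    quit
}

# Pass 2: delete. delete_zone_user acts on whatever zone user is currently
# selected and removes it from AD immediately (no save needed, no undo), so
# re-select each name right before deleting it rather than trusting that the
# context still points where the listing left it.
foreach name $victims {
    select_zone_user $name
    delete_zone_user
    puts "deleted $name"
}
quit
```

Run it once without arguments, read the list, then run it again with -commit. Keeping the review and the delete in separate runs is what turns the guide's "be especially careful" into something a second person can check before anything is removed.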
pop reads the context from the top of the stack and restores it to memory as the current
context. pop also removes the restored context from the stack. Subsequent pop commands
pop more contexts off the stack until the stack is empty, at which point pop returns an
error.
2 Begin the script with the following two lines, which run it under ADEdit and load the ade_lib
library:
#!/bin/env adedit
package require ade_lib
If your version of Linux or UNIX has the env command in a location other than the /bin
directory, modify the first line to specify that directory. For example, another common
location for the env command is /usr/bin. In this case, you would type:
#!/usr/bin/env adedit
3 Type an appropriate bind command to identify the Active Directory domain or domains
to use.
bind pistolas.org maya.garcia {$m1l3s88}
Depending on whether you are going to run this script interactively or as an executable
file, you might include or exclude authentication information. A password written into the
script file is readable by anyone who can read the file; for scripts that run unattended, omit
the credentials and rely on the Kerberos credentials cache, or bind with the -machine option.
4 Type the appropriate commands to create and select a new zone.
create_zone tree cn=sample,cn=zones,ou=centrify,dc=pistolas,dc=org std
select_zone cn=sample,cn=zones,ou=centrify,dc=pistolas,dc=org
5 Type the command to list the current zones to stdout to verify the new zone.
list_zones pistolas.org
7 Save the text file and execute it using ADEdit or as an executable file.
After you have tested the basic script, you can edit it to create new zones, make a zone a child
zone, or add new zone computers, groups, or users. For example, you might add lines
similar to these:
new_zone_user AD_user_UPN
set_zone_user_field field value
save_zone_user
list_zone_users
If your sample script creates and selects a zone successfully, delete or rename
the zone before each further run of the script, because create_zone cannot create a zone
that already exists.
The following is a sample of what the simple script might look like:
#! /bin/env adedit
package require ade_lib
bind pistolas.org maya.garcia {$m1l3s88}
create_zone tree "cn=test6,cn=zones,ou=centrify,dc=pistolas,dc=org" std
select_zone "cn=test6,cn=zones,ou=centrify,dc=pistolas,dc=org"
set_zone_field parent "cn=US-HQ,cn=zones,ou=centrify,dc=pistolas,dc=org"
list_zones pistolas.org
save_zone
new_zone_user tim@pistolas.org
set_zone_user_field uname tim
set_zone_user_field uid 81000
set_zone_user_field gid 81000
set_zone_user_field gecos "Tim Jackson, Accounting"
save_zone_user
list_zone_users
quit
For example, if the name of the script is my_adedit_script and it is in the current working
directory, type:
adedit my_adedit_script
If the script isn't in the current working directory, specify the path to the script and any
arguments if the script requires any.
The script reads it as a comment; however, UNIX or Linux will use it to find and execute
ADEdit and then execute the rest of the script.
2 Use chmod to make the file executable.
For example, if the name of the script is my_adedit_script and it is in the current working
directory, type:
chmod +x my_adedit_script
3 Make sure the file's directory is listed in your PATH environment variable if you want to
Once set up this way, you can simply enter the script's file name in a shell and have the
script execute as a command.
./my_adedit_script
Chapter 3
ADEdit commands organized by type
General-purpose commands
You can use the following general-purpose commands to control overall ADEdit operation
or return general information about ADEdit or its host computer.
help
    Displays help text for ADEdit commands.
get_adinfo
    Returns information about the joined domain, the joined zone, or the name the
    local computer is joined under.
quit
    Quits ADEdit.
set_ldap_timeout
    Sets the time-out value used by ADEdit's LDAP commands that perform read
    and write operations on Active Directory through a binding.
Context commands
You can use the following context commands to set the current domain bindings, report on
the current bindings and selected objects, and save and retrieve the ADEdit context (which
includes both bindings and currently selected objects).
bind
    Binds to one or more Active Directory domains to define the ADEdit context for
    subsequent commands.
get_bind_info
    Returns information about a bound domain, such as its forest, the current domain
    controller, its SID, or its functional level.
pop
    Restores the context from the top of the ADEdit context stack.
push
    Saves the current ADEdit context on the ADEdit context stack.
show
    Displays the current context of ADEdit, including its bound domains and
    currently selected objects.
validate_license
    Determines whether there is a valid license and stores an indicator in the ADEdit
    context.
Object-management commands
You can use object-management commands to retrieve, modify, create, and delete Active
Directory objects of any kind, including Centrify-specific objects such as zones, rights, and
roles. The command set for each object type is similar to the command sets for the other
object types.
Zone commands
create_zone
    Creates a new zone in Active Directory without selecting it.
delegate_zone_right
delete_zone
    Deletes the selected zone from Active Directory and from memory.
get_child_zones
get_zone_field
    Returns the value for a specified field from the currently selected zone.
get_zone_nss_vars
get_zones
    Returns a Tcl list of the distinguished names of the zones in a domain.
save_zone
    Saves the selected zone with its current settings to Active Directory.
select_zone
    Retrieves a zone from Active Directory and stores it in memory as the currently
    selected zone.
set_zone_field
    Sets the value for a specified field in the currently selected zone.
Zone user commands
delete_zone_user
    Deletes the zone user from Active Directory and from memory.
get_zone_user_field
    Returns the value for a specified field from the currently selected zone user.
get_zone_users
    Returns a Tcl list of the Active Directory names of zone users in the current zone.
list_zone_users
    Lists all zone users with NSS data for each user on stdout.
new_zone_user
    Creates a new zone user and stores it in memory as the currently selected zone
    user.
save_zone_user
    Saves the selected zone user with its current settings to Active Directory.
select_zone_user
    Retrieves a zone user from Active Directory and stores it in memory as the
    selected zone user.
set_zone_user_field
    Sets the value for a specified field in the currently selected zone user.
Description
delete_zone_group
Deletes the zone group from Active Directory and from memory.
get_zone_group_field
Returns the value for a specified field from the currently selected zone group.
get_zone_groups
Return a Tcl list of Active Directory names of all zone groups in the current zone.
list_zone_groups
Lists all zone groups with object data for each group in stdout.
new_zone_group
Creates a new zone group and stores it in memory as the currently selected zone
group.
save_zone_group
Saves the selected zone group with its current settings to Active Directory.
select_zone_group
Retrieves a zone group from Active Directory and stores it in memory as the
selected zone group.
set_zone_group_field
Sets the value for a specified field in the currently selected zone group.
Command: Description
delete_zone_computer: Deletes the zone computer from Active Directory and from memory.
get_zone_computer_field: Returns the value for a specified field from the currently selected zone computer.
get_zone_computers: Returns a Tcl list of the Active Directory names of all zone computers in the current zone.
list_zone_computers: Lists all zone computers along with object data for each computer in stdout.
new_zone_computer: Creates a new zone computer and stores it in memory as the currently selected zone computer.
save_zone_computer: Saves the selected zone computer with its current settings to Active Directory.
select_zone_computer: Retrieves a zone computer from Active Directory and stores it in memory as the selected zone computer.
set_zone_computer_field: Sets the value for a specified field in the currently selected zone computer.
Command: Description
create_computer_role
delete_computer_role: Deletes the selected computer role from Active Directory and from memory.
get_role_assignments: Returns a Tcl list of user role assignments associated with the selected computer role.
list_role_assignments: Lists user role assignments associated with the selected computer role.
new_role_assignment: Creates a new role assignment and associates it with the selected computer role.
save_computer_role: Saves the selected computer role with its current settings to Active Directory.
select_computer_role: Retrieves a computer role from Active Directory and stores it in memory as the selected computer role for subsequent commands.
(command name missing from this page): Sets the computer group which is associated with the computer role.
Command: Description
add_command_to_role: Adds an existing privileged UNIX command to the currently selected role.
add_pamapp_to_role: Adds an existing PAM application to the currently selected role.
delete_role: Deletes the selected role from Active Directory and from memory.
get_role_apps: Returns a Tcl list of the PAM applications associated with the currently selected role.
get_role_commands: Returns a Tcl list of the privileged commands associated with the currently selected role.
get_role_field: Returns the value for a specified field from the currently selected role.
get_roles: Returns a Tcl list of the roles in the currently selected zone.
list_role_rights: Lists all privileged commands and PAM applications associated with the currently selected role in stdout.
list_roles: Lists all roles in the currently selected zone along with object data for each role in stdout.
new_role: Creates a new role and stores it in memory as the currently selected role.
remove_command_from_role: Removes a privileged UNIX command from the currently selected role.
remove_pamapp_from_role: Removes a PAM application from the currently selected role.
save_role: Saves the selected role with its current settings to Active Directory.
select_role: Retrieves a role from Active Directory and stores it in memory as the selected role.
set_role_field: Sets the value for a specified field in the currently selected role.
Command: Description
delete_role_assignment: Deletes the selected role assignment from Active Directory and from memory.
get_role_assignment_field: Returns the value for a specified field from the currently selected role assignment.
get_role_assignments: Returns a Tcl list of all role assignments in the currently selected zone.
list_role_assignments: Lists all role assignments along with object data for each role assignment in stdout.
new_role_assignment: Creates a new role assignment and stores it in memory as the currently selected role assignment.
save_role_assignment: Saves the selected role assignment with its current settings to Active Directory.
select_role_assignment: Retrieves a role assignment from Active Directory and stores it in memory as the selected role assignment.
set_role_assignment_field: Sets the value for a specified field in the currently selected role assignment.
Command: Description
delete_pam_app: Deletes the selected PAM application from Active Directory and from memory.
get_pam_apps: Returns a Tcl list of the PAM applications in the currently selected zone.
get_pam_field: Returns the value for a specified field from the currently selected PAM application.
list_pam_apps: Lists all PAM applications along with object data for each PAM application in stdout.
new_pam_app: Creates a new PAM application and stores it in memory as the currently selected PAM application.
save_pam_app: Saves the selected PAM application with its current settings to Active Directory.
select_pam_app: Retrieves a PAM application from Active Directory and stores it in memory as the selected PAM application.
set_pam_field: Sets the value for a specified field in the currently selected PAM application.
Command: Description
delete_dz_command: Deletes the selected command from Active Directory and from memory.
get_dz_commands: Returns a Tcl list of the privileged commands in the currently selected zone.
get_dzc_field: Returns the value for a specified field from the currently selected command.
list_dz_commands: Lists all privileged commands along with object data for each command in stdout.
new_dz_command: Creates a new privileged command and stores it in memory as the currently selected command.
save_dz_command: Saves the selected command with its current settings to Active Directory.
select_dz_command: Retrieves a privileged command from Active Directory and stores it in memory as the selected command.
set_dzc_field: Sets the value for a specified field in the currently selected command.
Command: Description
add_map_entry: Adds an entry (key and value, no comment) to the currently selected NIS map.
add_map_entry_with_comment: Adds an entry with a comment to the currently selected NIS map.
delete_map_entry: Removes an entry from the currently selected NIS map.
delete_nis_map: Deletes the selected NIS map from Active Directory and from memory.
get_nis_map: Returns a Tcl list of the entries in the currently selected NIS map.
get_nis_map_field: Returns the value for a specified field from the currently selected NIS map.
get_nis_map_with_comment: Returns a Tcl list of the entries with their comments in the currently selected NIS map.
get_nis_maps: Returns a Tcl list of the NIS maps in the currently selected zone.
list_nis_map: Lists the NIS map entries from the currently selected NIS map in stdout.
list_nis_map_with_comment: Lists the NIS map entries and comments from the currently selected NIS map in stdout.
list_nis_maps: Lists all NIS maps in the currently selected zone in stdout.
new_nis_map: Creates a new NIS map and stores it in memory as the currently selected NIS map.
save_nis_map: Saves the selected NIS map with its current entries to Active Directory.
select_nis_map: Retrieves a NIS map from Active Directory and stores it in memory as the selected NIS map.
Command: Description
add_object_value
delete_object: Deletes the selected Active Directory object from Active Directory and from memory.
delete_sub_tree
get_object_field: Returns the value for a specified field from the currently selected Active Directory object.
get_object_field_names: Returns a Tcl list of the field names for each of the attributes associated with the currently selected Active Directory object.
get_objects: Performs an LDAP search of Active Directory and returns a Tcl list of the distinguished names of matching objects.
new_object: Creates a new Active Directory object and stores it in memory as the currently selected Active Directory object.
remove_object_value
save_object: Saves the selected Active Directory object with its current settings to Active Directory.
select_object: Retrieves an object with its attributes from Active Directory and stores it in memory as the selected Active Directory object.
set_object_field: Sets the value for a specified field in the currently selected Active Directory object.
Utility commands
You can use the following utility commands to retrieve and convert data from one format to another, manipulate distinguished names, and manage group membership and user passwords.

Command: Description
dn_from_domain: Returns the distinguished name of a domain (for example, dc=demo,dc=test for demo.test).
dn_to_principal: Searches Active Directory for a DN and, if found, returns the corresponding UPN.
domain_from_dn: Returns the domain name that a distinguished name belongs to; it raises an error if the DN is not valid.
get_group_members
get_parent_dn: Returns the parent of an LDAP path (a distinguished name): it removes the first element of the DN and returns the rest.
get_pwnam: Searches the /etc/passwd file for a UNIX user name and, if found, returns a Tcl list of the passwd profile values associated with the user.
get_rdn: Returns the relative DN of an LDAP path: it returns only the first element of the supplied DN.
get_schema_guid: Finds a class or attribute in Active Directory and returns its globally unique identifier (GUID).
getent_passwd
joined_get_user_membership: Uses adclient to query Active Directory and returns a Tcl list of groups that a user belongs to.
joined_name_to_principal: Uses adclient to search for a UNIX name and return the security principal associated with that UNIX name.
joined_user_in_group
move_object
principal_from_sid: Searches Active Directory for an SID and returns the security principal associated with the SID.
principal_to_dn: Searches Active Directory for a user principal name (UPN) and, if found, returns the corresponding DN.
rename_object
set_user_password
sid_to_escaped_string
sid_to_uid

Command: Description
add_sd_ace
explain_sd
remove_sd_ace
set_sd_owner
Chapter 4

Scripts: Purpose
MktDept.sh, getopt-example: Show two different methods for using the Tcl argv, argc and argv0 command line variables.
CreateParentZone, CreateChildZones
Simple tools
setenv, GetChildZones, GetGroups, GetUsers, GetZones: The next set shows you how to call a script (setenv) from a script and perform different queries based on the values entered.
Before you proceed, you need to know the location of the zone containers in Active Directory and the distinguished names you use to specify the zone container and its objects. This section illustrates some sample cases with different locations for the zone container and the distinguished names for commonly used variables in the scripts.
In this example, the installer defined a base organizational unit called Centrify. This architecture is often used because it puts all the UNIX-related information in a single branch. The container with the zone information is called Zones.
In addition to the Zones container location, the installation script requires the installer to specify a location for a container to store the Centrify software licenses. In this figure, the node Licenses is in the base organizational unit. However, it does not need to be there.
In this figure, the installer also created another organizational unit called UNIX Groups for the Active Directory groups used for the UNIX users. Keeping all of the groups created for the UNIX users in a single node simplifies managing them and the privileges assigned to each user. (With few exceptions, the UNIX users get their rights from the role assigned to the group in which they are a member.) Often, more organizational units are created for managing different classes of UNIX user and UNIX services.
There are two zones in this figure: the parent zone HQ and a child zone named Alpha. Each zone contains nodes labeled Computers, Groups, Users, and Authorization. When you specify a zone, computer, user, or group in an ADEdit command you must use the distinguished name. The following table illustrates the distinguished names.

Object type               Example        Distinguished name
Domain                    demo.test      dc=demo,dc=test
Base organizational unit  Centrify       ou=Centrify,dc=demo,dc=test
Zone container            Zones          cn=Zones,ou=Centrify,dc=demo,dc=test
Parent zone               HQ             cn=HQ,cn=Zones,ou=Centrify,dc=demo,dc=test
Child zone                Alpha          cn=Alpha,cn=HQ,cn=Zones,ou=Centrify,dc=demo,dc=test
Organizational unit       UNIX Groups    ou=UNIX Groups,ou=Centrify,dc=demo,dc=test
UNIX group                ApacheAdmins   cn=ApacheAdmins,ou=UNIX Groups,ou=Centrify,dc=demo,dc=test
Zone computer             RHEL           cn=RHEL,cn=Computers,cn=Alpha,cn=HQ,cn=Zones,ou=Centrify,dc=demo,dc=test

You should note that distinguished names can contain spaces, as illustrated by the UNIX Groups organizational unit. To prevent Tcl from interpreting a space as a new element in a list, enclose the distinguished name in double quotes (" ") or braces ({ }).
When specifying distinguished names, you should also be sure to use ou and cn correctly. Commands will fail if you refer to an organizational unit using cn.
argv: A Tcl list containing all of the arguments in the command line.
argc: The number of arguments in the command line.
argv0: The name of the script as it was invoked.
For example, the following script uses all three variables. It is run with a command of the form
/bin/sh MktDept.sh name name name
where name is a person's name, such as Mary or Joe. If you want to use a first and last name, surround the name with quotes, for example "Jane Smith".
Note: This code sample demonstrates starting ADEdit from a shell script. The subsequent examples use the executable file model.
MktDept.sh
#!/bin/sh
# This script takes a list of names and displays it
#
# The backslash at the end of the next comment line makes Tcl treat the exec
# line as part of the comment, while sh runs it and re-executes this file
# under adedit with the same arguments. \
exec adedit "$0" ${1+"$@"}
package require ade_lib
if { $argc == 0 } {
    puts "Command format: $argv0 name name ..."
    exit 1
}
set total $argc
puts "\nThe following people are in the marketing department"
set i 0
while { $i < $total } {
    # argv is a Tcl list, so each name is fetched by index
    puts [lindex $argv $i]
    incr i
}
The if command uses the count, argc, to determine whether any arguments have been entered. If the count is zero, the user did not enter any names and the script displays a message showing the command format, using argv0 for the script name. argc is used again to set the total count of names for the while loop. Inside the loop, the names are drawn from the argv list with lindex.
The getopt command looks for one option in the argument list. Its syntax is
getopt _argv name ?_var?
where:
_argv is the Tcl list that contains the command line arguments (normally argv).
name is the option to look for, such as -d.
_var, if supplied, is the name of the variable that receives the value that follows the option.
getopt returns a nonzero value if the option is present and 0 if it is not, which is what the scripts below test to decide whether to prompt for a missing value.
For example, the following script illustrates the use of getopt to define the domain, user and password variables that will be used later in the script.
This script also demonstrates how to use a procedure, usage, that prompts the user when she doesn't enter all of the arguments. usage first displays the full command syntax and then the missing argument.
The user and password arguments are optional. If the user enters a user name without the password, the bind command automatically prompts for the password. You do not need to include that prompt in the script. Prefer that prompt to -p: a password given on the command line is visible to other users of the host in the process list and may be recorded in the shell history.
getopt-example
#!/bin/env adedit
# This script takes a domain name and optionally user name and password
# and binds the user to the specified domain.
# If the user does not specify a user name or password, she is prompted.
#
package require ade_lib
proc usage {msg} {
    puts {usage: -d <domain> [-u <user>] [-p <password>]}
    puts $msg
    exit 1
}
if {[getopt argv -d domain] == 0} {
    usage "Missing domain, ex. demo.test"
}
if {[getopt argv -u user] != 0} {
    if {[getopt argv -p password]} {
        bind $domain $user $password
    } else {
        # bind prompts for the password itself
        bind $domain $user
    }
} else {
    # bind prompts for both the account name and the password
    bind $domain
}
puts "Bound to $domain"
CreateParentZone
Use this script to create a parent (tree) zone. The command line is
CreateParentZone -z parentZone -u adminName [-p password]
where:
parentZone is the name of the new zone.
adminName is the Active Directory account with administrator privileges used to bind to the domain.
password is the password for that account. It is optional; if you omit it, bind prompts for it.
#!/bin/env adedit
# This script creates a tree zone. Use this, for example, to create the
# parent zone for child zones created in another script
package require ade_lib
proc usage {msg} {
    puts {usage: -z <parentZone> -u <user> [-p <password>]}
    puts $msg
    exit 1
}
if {[getopt argv -z parentZone] == 0} {
    usage "Missing the name for the new zone"
}
puts "\nEnter the domain name for the bind command"
gets stdin domain
if {[getopt argv -u user] != 0} {
    if {[getopt argv -p password]} {
        bind $domain $user $password
    } else {
        bind $domain $user
    }
} else {
    puts "Enter administrator name"
    gets stdin user
    bind $domain $user
}
set domaindn [dn_from_domain $domain]
puts "\nEnter the name of the Active Directory container that holds the Centrify zone data"
gets stdin zonesNode
puts "\nEnter the organizational unit with the Centrify zone data container"
gets stdin baseOU
puts "Summary:"
puts "Domain is $domain. DN for the domain is $domaindn"
puts "The base OU is $baseOU."
puts "The container for the zone information is $zonesNode"
puts "The new zone is named $parentZone"
# Create the tree zone; same form as the create_zone calls in CreateChildZones
create_zone tree "cn=$parentZone,cn=$zonesNode,ou=$baseOU,$domaindn" std
puts "\nZone $parentZone created"
CreateChildZones
Use this script to create two child zones under an existing parent zone. The command line is
CreateChildZones -d domain -z parentZone [-u adminName] [-p password]
where:
domain is the domain name.
parentZone is the name of the existing parent zone.
adminName is the Active Directory account with administrator privileges used to bind to the domain.
password is the password for that account.
The password is optional. If you do not enter it in the command line, the script prompts you to enter it.
The script binds you to the domain based on the domain name, administrator, and password entered.
The script prompts you to enter the name of the organizational unit and container in which you store the zone information. After that, it prompts you to enter names for the two child zones.
To confirm that the script has completed properly, open Access Manager and expand the Child Zones node under the parent zone you entered to verify the new child zones are listed. You can then right-click the zone name to see the Active Directory and Centrify zone properties.
#!/bin/env adedit
# This script creates 2 child zones in the domain and parent zone
# specified in the command line
#
package require ade_lib
proc usage {msg} {
    puts {usage: -d <domain> -z <parentZone> [-u <user>] [-p <password>]}
    puts $msg
    exit 1
}
if {[getopt argv -d domain] == 0} {
    usage "Missing Domain, ex. demo.test"
}
if {[getopt argv -z parentZone] == 0} {
    usage "Missing parent zone, ex. HQ"
}
if {[getopt argv -u user] != 0} {
    if {[getopt argv -p password]} {
        bind $domain $user $password
    } else {
        bind $domain $user
    }
} else {
    puts "Enter administrator name"
    gets stdin user
    bind $domain $user
}
puts "\nEnter the name of the container for the Centrify zone data"
gets stdin zoneContainer
puts "\nEnter the organizational unit for the Centrify zone data"
gets stdin zoneContainerOU
# Define distinguished name for domain
set domaindn [dn_from_domain $domain]
puts "\nSummary:"
puts "Domain is $domain. DN for the domain is $domaindn"
puts "The base OU is $zoneContainerOU."
puts "The container for the zone information is $zoneContainer\n"
# Create child zones
puts "Enter child zone name"
gets stdin czone1
puts "\nEnter another child zone name"
gets stdin czone2
# Each ADEdit command must stay on one line: a newline ends a Tcl command
set parentDN "cn=$parentZone,cn=$zoneContainer,ou=$zoneContainerOU,$domaindn"
create_zone tree "cn=$czone1,$parentDN" std
create_zone tree "cn=$czone2,$parentDN" std
# link the children to parent
select_zone "cn=$czone1,$parentDN"
set_zone_field parent $parentDN
save_zone
select_zone "cn=$czone2,$parentDN"
set_zone_field parent $parentDN
save_zone
puts "\nChild zones $czone1 and $czone2 created in $parentZone"
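CreateChildZones creates its zones unconditionally, so running it twice against the same names fails or leaves a half-linked zone. The following added example (written for this edition, not a script from the Centrify guide) wraps the same create_zone, set_zone_field parent and save_zone sequence in a check that skips zones that already exist and re-reads the parent link from Active Directory after saving. It assumes that select_zone raises a Tcl error when the zone does not exist, and it uses the demo.test DN layout from the table above; run it inside adedit after bind.

```tcl
# Added example: idempotent child-zone creation with post-save verification.
# Not part of the Centrify guide. Assumes select_zone raises an error for a
# zone that does not exist (the same behaviour the guide's AddUnixUsers text
# relies on for select_object).
package require ade_lib

# Return 1 if a zone with this DN can be selected, 0 otherwise.
proc zone_exists {zoneDN} {
    return [expr {![catch {select_zone $zoneDN}]}]
}

# Create childName under parentDN if it is missing and link it to the parent.
# Returns "created", "exists" or "parent-missing". Never touches an existing
# zone, so it is safe to re-run.
proc ensure_child_zone {parentDN childName} {
    if {![zone_exists $parentDN]} {
        return "parent-missing"
    }
    # Child zone names go in the cn, so keep them free of list separators.
    if {[regexp {[,=\s]} $childName]} {
        error "zone name '$childName' contains a character not allowed in a cn"
    }
    set childDN "cn=$childName,$parentDN"
    if {[zone_exists $childDN]} {
        return "exists"
    }
    create_zone tree $childDN std
    select_zone $childDN
    set_zone_field parent $parentDN
    save_zone
    # Re-read from Active Directory and confirm the link actually landed;
    # a zone without a parent link would not inherit the parent's rights.
    select_zone $childDN
    if {![string equal -nocase [get_zone_field parent] $parentDN]} {
        error "parent link for $childDN was not saved"
    }
    return "created"
}

# Usage with the demo.test layout from the DN table above:
set parent {cn=HQ,cn=Zones,ou=Centrify,dc=demo,dc=test}
foreach z {Alpha Beta} {
    puts "$z: [ensure_child_zone $parent $z]"
}
```

Because the parent DN is built once and reused, a typo in the container name shows up as "parent-missing" before any zone is created instead of as an orphaned zone.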
Role_apacheAdmin.txt
ApacheAdminRole
vi /etc/httpd/conf/*
apachectl *
htpasswd *

MakeRole
#!/bin/env adedit
# This script creates a role consisting of a set of privileged commands
# The role and commands are specified in a file specified in the command line
# See the files Role_....txt
# The first line in the file should be the new role name.
# The subsequent lines are the names of the privileged commands to
# add to the role.
package require ade_lib
if { $argc != 1 } {
    puts "usage: $argv0 file"
    exit 1
}
if {[catch {set fp [open [lindex $argv 0] r]} errmsg]} {
    puts "Cannot open [lindex $argv 0]."
    exit 1
}
# The bind and zone-selection prompts and the way the command right is named
# are not on this page; the lines below are filled in from the variables the
# loop uses and follow the other scripts in this chapter.
puts "Enter domain name"
gets stdin domain
puts "Enter administrator name for bind command"
gets stdin admin
bind $domain $admin
puts "Enter the distinguished name of the zone for the role"
gets stdin zone
select_zone "$zone"
# First line of the file is the role name; new_role creates it in the
# selected zone and makes it the selected role
gets $fp role
new_role "$role"
# Each remaining line is a command pattern; the right is named after the
# program, e.g. "vi /etc/httpd/conf/*" becomes the right vi
while {[gets $fp line] >= 0} {
    if {[string trim $line] eq ""} { continue }
    set cmd_name [lindex $line 0]
    new_dz_command "$cmd_name"
    # set the command fields
    set cmd_path $line
    set_dzc_field cmd "$cmd_path"
    #set_dzc_field path "User"
    set_dzc_field dzdo_runas root
    set_dzc_field umask 077
    set_dzc_field flags 0
    # save the command
    save_dz_command
    # Add the command to the Role
    add_command_to_role "$cmd_name"
}
close $fp
save_role "$role"
The following script creates the same three Apache rights and the ApacheAdminRights role directly, in a zone that you pick from a numbered list of the zones in the domain.
#!/bin/env adedit
# Creates the Apache command rights and the ApacheAdminRights role in a zone
# chosen from a numbered list of the zones in the domain
package require ade_lib
puts "Enter domain name"
gets stdin domain
puts "Enter administrator account name for bind command"
gets stdin admin
bind $domain $admin
# Number the zones so the user can pick one. The page starts inside this
# loop; the lines before "incr row" are filled in from the variables it uses.
set zonelist [get_zones $domain]
set numberZones [llength $zonelist]
set row 1
while { $numberZones > 0 } {
    puts "$row [lindex $zonelist [expr {$row - 1}]]"
    incr row
    incr numberZones -1
}
puts "\nEnter the row number of the target zone"
gets stdin rowSelect
set zone [lindex $zonelist [incr rowSelect -1]]
select_zone "$zone"
puts "\nCreating command-level Apache admin rights in $zone"
puts "\nCreating web_edit_httpd_config"
new_dz_command web_edit_httpd_config
set_dzc_field cmd "vi /etc/httpd/conf/*"
set_dzc_field description "edit httpd config file"
set_dzc_field dzdo_runas root
set_dzc_field dzsh_runas root
set_dzc_field path /usr/local/apache2/bin
save_dz_command
puts "\nCreating web_apachectl"
new_dz_command web_apachectl
set_dzc_field cmd "apachectl *"
set_dzc_field description "Web Apache Server Control"
set_dzc_field dzdo_runas root
set_dzc_field dzsh_runas root
set_dzc_field path /usr/local/apache2/bin
save_dz_command
puts "\nCreating web_htpasswd"
new_dz_command web_htpasswd
set_dzc_field cmd "htpasswd *"
set_dzc_field description "Web Apache Manage user files"
set_dzc_field dzdo_runas root
set_dzc_field dzsh_runas root
set_dzc_field path /usr/local/apache2/bin
save_dz_command
#-------------------------------------------------------------------
# Create ApacheAdminRights role
# The new_role command creates the role in the currently selected zone.
puts "\nCreating the ApacheAdminRights role with these rights"
# In each role you need to set the sysrights with the set_role_field
# command to the OR of the following bit values:
# password_login = 01
# sso = 02
# ignore_disabled = 04
# full_shell = 08
new_role ApacheAdminRights
add_command_to_role web_edit_httpd_config
add_command_to_role web_apachectl
add_command_to_role web_htpasswd
# A trailing comment on a command line needs ";#"; a bare "#" would be passed
# to the command as arguments
set_role_field sysrights [expr 0x0000000b] ;# full_shell | sso | password_login
save_role
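Once rights like the three above exist, the question a reviewer asks is what each role in a zone actually grants. The following added example (written for this edition, not code from the Centrify guide) walks every role in the selected zone, decodes the sysrights bits listed in the comments above, and flags command rights whose pattern hands out more than it appears to: a program that can spawn a shell (vi opens one with :!), or a bare * that allows any arguments. It assumes get_role_field sysrights returns the integer bitmask, that get_role_commands returns names that select_dz_command accepts in the same zone, and that ADEdit's interpreter is Tcl 8.5 or later (lassign, in); run it inside adedit after bind and select_zone.

```tcl
# Added example: audit what each role in the selected zone grants.
# Not part of the Centrify guide; see the assumptions in the lead-in.
package require ade_lib

# sysrights bit values as listed in the script above
set SYSRIGHTS {1 password_login 2 sso 4 ignore_disabled 8 full_shell}

# Turn a sysrights bitmask into the list of right names it contains.
proc decode_sysrights {mask} {
    global SYSRIGHTS
    if {$mask eq ""} { set mask 0 }
    set names {}
    foreach {bit name} $SYSRIGHTS {
        if {$mask & $bit} { lappend names $name }
    }
    return $names
}

# Programs that can escape to a shell when run with elevated privileges.
set SHELL_ESCAPERS {sh bash ksh zsh vi vim less more man}

# Return a list of warnings for one command pattern and its run-as user.
proc command_warnings {pattern runas} {
    global SHELL_ESCAPERS
    set w {}
    set prog [file tail [lindex $pattern 0]]
    if {$prog in $SHELL_ESCAPERS} { lappend w "$prog can spawn a shell" }
    if {[lsearch -exact $pattern *] >= 0} { lappend w "unrestricted arguments" }
    if {$runas eq "root" && [llength $w]} { lappend w "runs as root" }
    return $w
}

# Build a report: one {role sysrights commands} entry per role, where each
# command entry is {name pattern runas warnings}.
proc audit_roles {} {
    set report {}
    foreach role [get_roles] {
        select_role $role
        set rights [decode_sysrights [get_role_field sysrights]]
        set cmds {}
        foreach cmd [get_role_commands] {
            # A command defined in another zone may not be selectable here
            if {[catch {select_dz_command $cmd}]} {
                lappend cmds [list $cmd ? ? {"not defined in this zone"}]
                continue
            }
            set pattern [get_dzc_field cmd]
            set runas [get_dzc_field dzdo_runas]
            lappend cmds [list $cmd $pattern $runas [command_warnings $pattern $runas]]
        }
        lappend report [list $role $rights $cmds]
    }
    return $report
}

foreach entry [audit_roles] {
    lassign $entry role rights cmds
    puts "$role: sysrights = [join $rights ,]"
    foreach c $cmds {
        lassign $c name pattern runas warn
        set flag [expr {[llength $warn] ? "  WARNING: [join $warn {; }]" : ""}]
        puts "  $name: '$pattern' as $runas$flag"
    }
}
```

Run against the zone set up by the script above, the report marks web_edit_httpd_config as "vi can spawn a shell; unrestricted arguments; runs as root", which is the honest description of that right: an editor running as root is a root shell one keystroke away, so a practitioner would replace it with a restricted editor such as sudoedit-style copy-in/copy-out or a narrower pattern.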
users.txt
You specify the names to be added in a text file in which each name is on a separate line. Be sure to use line feed only as the end-of-line; do not use CR-LF. The sample file in the distribution package contains the following names:
Amy.Adams
Brenda.Butler
Dennis.Day
Eric.Edwards
AddUnixUsers
In the following script, you specify the file name with the user names in the command line. The script then prompts you for the additional information required. The target Active Directory group, UNIX Users, is hard-coded into the script.
This script uses the Tcl catch command three times to control processing when an error occurs.
In the first case, it is used to exit gracefully if the specified file cannot be opened.
In the second case, catch is used to determine if the user already exists. An error here indicates that the user does not exist and, rather than exiting, the else statement creates the user. (If the user already existed, you would not want to create another Active Directory account.)
In the third case, catch is used to exit gracefully if the user is already a member of the UNIX Users group.
Note that both the administrator password and the shared initial password are read with gets stdin and therefore echo on the terminal.
#!/bin/env adedit
# This script creates an Active Directory account for each user in the
# specified file and adds the user to the UNIX Users group. This automatically
# fills in their UNIX profile.
# Command line input: file name w/ user names in format ffff.llll only
# Prompted input: domain, administrator name, default password
package require ade_lib
if { $argc != 1 } {
    puts "usage: $argv0 file"
    exit 1
}
# First catch: exit gracefully if the file cannot be opened
if {[catch {set users [open [lindex $argv 0] r]} errmsg]} {
    puts "Cannot open [lindex $argv 0]."
    exit 1
}
# Get domain and bind
puts "Enter domain name"
gets stdin domain
set domaindn [dn_from_domain $domain]
puts "Enter account name with administrator privileges"
gets stdin administrator
puts "Enter $administrator password"
gets stdin APWD
bind $domain $administrator "$APWD"
puts "\nDefine password to be used for all accounts"
gets stdin pwd
# Now start creating accounts from users
# example: "cn=Ellen Edwards,cn=Users,$domaindn" "Ellen.Edwards@$domain"
# ellen.edwards pwd
while {[gets $users sam] >= 0} {
    set name [split $sam .]
    set dn "cn=[lindex $name 0] [lindex $name 1],cn=Users,$domaindn"
    set upn $sam@$domain
    # Second catch: selecting the object fails when the account does not
    # exist, which is exactly the case in which it should be created
    if {[catch {select_object $dn}]} {
        # The creation call is not on this page: the argument order follows
        # the example comment above and the helper name is assumed.
        create_aduser $dn $upn $sam $pwd
    } else {
        puts "$sam already exists; not creating a second account"
    }
    # Third catch: exit gracefully if the user is already in the group.
    # The group DN is assumed; the page only gives the group name.
    if {[catch {add_user_to_group $dn "cn=UNIX Users,cn=Users,$domaindn"} errmsg]} {
        puts "$sam is already a member of UNIX Users: $errmsg"
        close $users
        exit 1
    }
}
close $users
Simple tools
The following scripts are simple utilities for getting information from Active Directory about the managed computers and users:
computer-report: Lists the managed computers in a zone.
useracc-report: Lists the Active Directory users in the domain and several account properties.
user-report: Lists the users in a zone.
Following these scripts are sample scripts that demonstrate how you can use a script that calls, for example, commonly-used commands in other scripts. For more information, see Run a script from a script on page 64.
computer-report
Use this command to list managed computers in the zone. The command line arguments are as follows:
Label: Required/Optional: Description
-domain: required: Domain name
-m: optional: Bind with the machine account of the joined computer instead of a user
-u: optional: User name to bind with
-p: optional: Password for that user; if omitted, bind prompts for it
-sep: optional: Output field separator: csv, tab, or a single character
#!/bin/env adedit
useracc-report
Use this command to list all users and their Active Directory account control values. The command line arguments are as follows:
Label: Required/Optional: Description
-domain: required: Domain name
-m: optional: Bind with the machine account of the joined computer instead of a user
-u: optional: User name to bind with
-p: optional: Password for that user; if omitted, bind prompts for it
-sep: optional: Output field separator: csv, tab, or a single character
#!/bin/env adedit
# This script lists all the users and their Active Directory account control
# values
package require ade_lib
# List users and the following field
proc usage {msg} {
    puts {usage: -domain <domain> [-m] [-u <user>] [-p <password>] [-sep csv|tab|<char>]}
    puts $msg
    exit 1
}
if {[getopt argv -domain domain] == 0} {
    usage "Missing domain"
}
set verbose 0
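The useracc-report listing stops above before it reaches Active Directory. The following added example (written for this edition, not the guide's useracc-report) carries the same command line through to a full report: it binds as user-report does, searches the domain for user objects with get_objects, and decodes each userAccountControl value into Microsoft's documented flag names plus a short list of findings a reviewer cares about (disabled, password never expires, no password required, Kerberos pre-authentication off, unconstrained delegation). It assumes the get_objects argument form "-depth sub baseDN ldapFilter" and that get_object_field returns userAccountControl as a decimal string; the getopt, bind and dn_from_domain usage is the guide's own.

```tcl
#!/bin/env adedit
# Added example: user report with userAccountControl decoded.
# Not the Centrify guide's script; get_objects option syntax is assumed.
package require ade_lib

# Microsoft's documented userAccountControl bit values
set UAC_FLAGS {
    0x0002    ACCOUNTDISABLE
    0x0010    LOCKOUT
    0x0020    PASSWD_NOTREQD
    0x0200    NORMAL_ACCOUNT
    0x10000   DONT_EXPIRE_PASSWORD
    0x40000   SMARTCARD_REQUIRED
    0x80000   TRUSTED_FOR_DELEGATION
    0x100000  NOT_DELEGATED
    0x400000  DONT_REQ_PREAUTH
    0x800000  PASSWORD_EXPIRED
    0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION
}

# Turn a userAccountControl value into the list of flag names set in it.
proc decode_uac {value} {
    global UAC_FLAGS
    if {$value eq ""} { set value 0 }
    set names {}
    foreach {bit name} $UAC_FLAGS {
        if {$value & $bit} { lappend names $name }
    }
    return $names
}

# The conditions a reviewer looks for first, as short tags.
proc uac_findings {value} {
    if {$value eq ""} { set value 0 }
    set f {}
    if {$value & 0x0002}   { lappend f disabled }
    if {$value & 0x0020}   { lappend f no-password-required }
    if {$value & 0x10000}  { lappend f password-never-expires }
    if {$value & 0x400000} { lappend f kerberos-preauth-off }
    if {$value & 0x80000}  { lappend f unconstrained-delegation }
    return $f
}

proc usage {msg} {
    puts {usage: -domain <domain> [-m] [-u <user>] [-p <password>] [-sep csv|tab|<char>]}
    puts $msg
    exit 1
}
if {[getopt argv -domain domain] == 0} { usage "Missing domain" }
set sep " "
if {[getopt argv -sep sepopt]} {
    switch -- $sepopt {
        csv     { set sep , }
        tab     { set sep \t }
        default { set sep $sepopt }
    }
}
if {[getopt argv -m]} {
    bind -machine $domain
} elseif {[getopt argv -u user]} {
    if {[getopt argv -p password]} { bind $domain $user $password } else { bind $domain $user }
} else {
    bind $domain
}
set domaindn [dn_from_domain $domain]
# objectCategory=person excludes computer accounts, which are also
# objectClass=user
set filter {(&(objectCategory=person)(objectClass=user))}
foreach dn [get_objects -depth sub $domaindn $filter] {
    select_object $dn
    set uac [get_object_field userAccountControl]
    set sam [get_object_field sAMAccountName]
    puts [join [list $sam $uac [join [decode_uac $uac] |] [join [uac_findings $uac] |]] $sep]
}
```

The decoding procs are plain Tcl, so they can be checked in tclsh without a domain: decode_uac 66048 (0x10200) returns NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD and uac_findings 66048 returns password-never-expires. Sorting the output on the findings column gives the list of accounts to review first.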
user-report
Use this command to list the users in the specified zone. The command line arguments are as follows:
Label: Required/Optional: Description
-z: required: Distinguished name of the zone
-m: optional: Bind with the machine account of the joined computer instead of a user
-u: optional: User name to bind with
-p: optional: Password for that user; if omitted, bind prompts for it
#!/bin/env adedit
# This script lists the users in the zone you specify in the command line.
# On the command line use either -m or -u
package require ade_lib
proc usage {msg} {
    puts {usage: -z <zoneDN> [-m] [-u <user>] [-p <password>]}
    puts $msg
    exit 1
}
if {[getopt argv -z zoneDN] == 0} {
    usage "Missing input zone. Enter full distinguished name"
}
# domain_from_dn raises an error for a malformed DN
if {[catch {domain_from_dn $zoneDN} domain]} {
    usage "Invalid input zone name. Enter full distinguished name"
}
set verbose 0
if {[getopt argv -v]} {
    set verbose 1
}
if {[getopt argv -m]} {
    bind -machine $domain
} else {
    if {[getopt argv -u user]} {
        if {[getopt argv -p password]} {
            bind $domain $user $password
        } else {
            bind $domain $user
        }
    } else {
        bind $domain
    }
}
select_zone $zoneDN
list_zone_users
GetComputers
Use this command to list all the Centrify-managed computers in the specified domain. Enter the domain name in the command line.
#!/bin/env adedit
# GetComputers
# Purpose: Retrieves a listing of all UNIX computers in all Centrify Zones.
package require ade_lib
puts "\nThis script retrieves a listing of all UNIX computers in the specified domain"
puts "and shows the zone to which it is joined"
if { $argc == 0 } {
    puts "\nCommand format: $argv0 domain"
    exit 1
}
# Use lindex because argv is a list and bind requires a string
set domain [lindex $argv 0]
puts "\nEnter administrator name for bind command"
gets stdin admin
bind $domain $admin
foreach ZONE [get_zones $domain] {
    select_zone $ZONE
    foreach COMPUTER [get_zone_computers] {
        puts "$COMPUTER:$ZONE"
    }
}
The subsequent scripts in this section call the setenv script and then run a short script that does simple queries, such as get the child zones, get the computers in the zone, and get the groups.
setenv
This script prompts you to enter data used in the calling script. This example is intended as a demonstration only. It prompts you to enter some information that is not relevant to every calling script. Feel free to edit this script to make it more purposeful.
# Setenv file contents
# Purpose: Sets up a common environment for the following Active Directory
# tools, selecting the Active Directory Domain, binding the user, and
# defining commonly used variables.
# Other Active Directory tools:
# GetZones
# GetUsers
# GetGroups
# GetChildZones
# GetComputers
puts "\nThis portion of the script prompts you to enter the domain and account name"
puts "for the bind command."
# If you are always using the same domain, comment out the puts and gets and
# use the set command instead
puts "\nEnter the domain name"
gets stdin domain
# get the distinguished name for the domain.
set domaindn [dn_from_domain $domain]
puts "\nEnter administrator account name for bind command"
gets stdin admin
bind $domain $admin
puts "\nbind to $domain complete"
puts "\nThe next two prompts ask you to enter the OU and container for your zone information"
puts "\nEnter the name of the Active Directory container that holds the Centrify zone-related data"
gets stdin zonesContainer
# If you are always using the same zone, comment out the puts and gets and use
# the set command instead
# set zonesContainer <Active Directory container with zones data>
puts "\nEnter the name of the organizational unit that has the zone container."
gets stdin zonesContainerOU
# GetZones, GetGroups and GetChildZones also expect parentZone from this file
puts "\nEnter the name of the parent zone"
gets stdin parentZone
GetZones
Use this script to get a list of all the zones in a domain.
#!/bin/env adedit
# GetZones
# Purpose: Performs a recursive listing of all Centrify zones in the specified
# domain
package require ade_lib
source setenv
puts "\nThis script retrieves a recursive listing of all Centrify zones in the $domain domain"
puts "\nThe Active Directory folder with the Centrify zone data is named $zonesContainer"
puts "\nThat container is in organizational unit $zonesContainerOU"
puts "\nThe parent zone is $parentZone"
foreach ZONE [get_zones $domain] {
    puts $ZONE
}
GetUsers
Use this script to get a list of all users in a zone.
#!/bin/env adedit
# GetUsers
# Purpose: Operates on a recursive listing of all UNIX users in all
# Centrify Zones, and retrieves the administered UNIX attribute values
# for each user object in each zone.
package require ade_lib
source setenv
# Walk every zone and list its users with their NSS data
foreach ZONE [get_zones $domain] {
    puts "\nUsers in zone $ZONE"
    select_zone $ZONE
    list_zone_users
}
GetGroups
Use this script to get the UNIX group attribute values for the groups in the managed computers.
#!/usr/bin/env adedit
# GetGroups
# Purpose: Retrieves the UNIX group attribute values for each UNIX
# group administered in the parent zone specified in setenv.
# To select a different zone, change the DN in the select_zone command
package require ade_lib
source setenv
select_zone "cn=$parentZone,cn=$zonesContainer,ou=$zonesContainerOU,$domaindn"
list_zone_groups
GetChildZones
Use this command to get a list of the child zones for the specified parent.
#!/bin/env adedit
# GetChildZones
# Purpose: Retrieves a recursive listing of all new hierarchical Centrify child
# zones administered underneath the parent zone specified in setenv
#
package require ade_lib
source setenv
puts "\nThis script retrieves a recursive listing of all child zones in $parentZone"
puts "\nThe Active Directory folder with the Centrify zone information is $zonesContainer"
# The DN must stay on the same line as select_zone
select_zone "CN=$parentZone,CN=$zonesContainer,OU=$zonesContainerOU,$domaindn"
foreach ZONE [get_child_zones -tree] {
    puts $ZONE
}
Chapter 5
Each command description in this chapter states the zone type the command requires:
Hierarchical only: You must have a hierarchical zone selected for the command to work.
Classic and hierarchical: You can use the command in both classic zones and hierarchical zones. Options in the command let you specify whether you are working with a classic or hierarchical zone. In most cases, commands that work in both classic and h ierarchical zones require the classic zone to be a classic4 zone. The classic3 zone type is intended for backward compatibility with older agents, and only commands where the zone type is not applicable are supported.
Classic only: You must have a classic4 zone selected for the command to work.
Not applicable: You can use the command because the zone type does not matter.
In addition to the zone type, syntax, and return values, each command description includes at least one usage example and a summary of related commands, if appropriate.
add_command_to_role
Use the add_command_to_role command to add a privileged UNIX command to the currently selected role that is stored in memory. The command must already exist. You can create privileged UNIX commands using new_dz_command.
The add_command_to_role command does not change the role as it is stored in Active Directory. Running the command changes the role only in memory. You must save the role before the added command takes effect in Active Directory. If you select another role or quit ADEdit before saving the role, any commands you've added since the last save won't take effect.
Zone type
Classic and hierarchical
Syntax
add_command_to_role command[/zonename]
Abbreviation
acr
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: command[/zonename]
Type: string
Description: Required. Specifies the name of an existing UNIX command to add to the currently selected role. If the UNIX command right that you want to add is defined in the current zone, the zonename argument is optional. If the UNIX command right is defined in a zone other than the currently selected zone, the zonename argument is required to identify the specific UNIX command right to add.
Return value
This command returns nothing if it runs successfully.
Examples
add_command_to_role basicshell/global
This example adds the command basicshell, defined in the global zone, to the currently selected role.
Related commands
Before you use this command, you must have a currently selected role stored in memory. The following commands enable you to view and select a role to work with:
get_roles returns a Tcl list of the roles in the currently selected zone.
list_roles lists all roles in the currently selected zone along with object data for each role in stdout.
select_role retrieves a role from Active Directory and stores it in memory as the selected role.
The following commands enable you to work with a currently selected role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM applications for the role.
get_role_commands returns a Tcl list of the UNIX commands for the role.
list_role_rights lists all privileged commands and PAM application rights for the role.
remove_command_from_role removes a UNIX command from the role.
save_role saves the selected role with its current settings to Active Directory.
add_map_entry
Use the add_map_entry command to add an entry to the currently selected NIS map stored
in memory. This command does not support a comment field. If you want to add a
comment along with the entry use add_map_entry_with_comment instead.
To change an existing entry in a NIS map, use delete_map_entry to remove the entry, then
add the revised version using add_map_entry.
The add_map_entry command changes the NIS map in memory and in Active Directory.
You do not need to save the NIS map for the added entry to take effect in Active Directory.
Zone type
Not applicable
Syntax
add_map_entry key value
Abbreviation
ame
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument: key (string)
Required. Specifies the key of the new map entry.
Argument: value (string)
Required. Specifies the value to store for the key.
Return value
This command returns nothing if it runs successfully.
Example
add_map_entry Finance Hank@acme.com,Sue@acme.com
This example adds the NIS map entry Finance with the value
Hank@acme.com,Sue@acme.com to the currently selected NIS map.
Related commands
The following commands enable you to view and select the NIS map you want to work
with:
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout all NIS maps in the currently selected zone.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use additional commands to work
with that map's entries or use the following commands to delete or save the currently
selected NIS map:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
save_nis_map saves the selected NIS map with its current entries to Active Directory.
add_map_entry_with_comment
Use the add_map_entry_with_comment command to add an entry to the currently selected
NIS map stored in memory, together with a comment. The comment can be up to 2048
characters and cannot contain newline characters.
To change an existing entry in a NIS map, use delete_map_entry to remove the entry, then
add the revised version using add_map_entry_with_comment.
The add_map_entry_with_comment command changes the NIS map in memory and in
Active Directory. You do not need to save the NIS map for the added entry to take effect in
Active Directory.
Zone type
Not applicable
Syntax
add_map_entry_with_comment key value comment
Abbreviation
amewc
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument: key (string)
Required. Specifies the key of the new map entry.
Argument: value (string)
Required. Specifies the value to store for the key.
Argument: comment (string)
Required. Specifies the comment to store with the entry (up to 2048 characters, no
newlines). Enclose a comment that contains spaces in braces so that the Tcl interpreter
passes it as a single argument.
Return value
This command returns nothing if it runs successfully.
Example
add_map_entry_with_comment Finance Hank@acme.com,Sue@acme.com {new Finance staff}
This example adds the NIS map entry Finance, with the value
Hank@acme.com,Sue@acme.com and the comment new Finance staff, to the currently
selected NIS map. The braces around the comment are required because it contains
spaces; without them the Tcl interpreter would pass three extra arguments instead of
one comment and the command would fail.
Related commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and select a NIS map to work with:
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout all NIS maps in the currently selected zone.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
The following commands enable you to work with a currently selected NIS map:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
save_nis_map saves the selected NIS map with its current entries to Active Directory.
add_object_value
Use the add_object_value command to add a value to a multi-valued field (attribute) of a
specified Active Directory object. This command works directly on the object in Active
Directory, not on the currently selected Active Directory object in memory (if there is
one), so there is no separate save step.
If the added value isn't valid, Active Directory reports an error and add_object_value
doesn't save the value.
This command is useful for fields that may be very large, such as the members of a
group.
Zone type
Not applicable
Syntax
add_object_value dn field value
Abbreviation
aov
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument: dn (string)
Required. Specifies the distinguished name (DN) of the Active Directory object
in which to add a value.
Argument: field (string)
Required. Specifies the name of the multi-valued attribute to which the value is added.
Argument: value (string)
Required. Specifies the value to add to the field. The type of value depends on
the field specified by the field argument.
Return value
This command returns nothing if it runs successfully.
Examples
add_object_value cn=groups,dc=acme,dc=com users adam.avery
This example adds the value adam.avery to the users field of the groups object specified by
the DN.
Related commands
The following commands enable you to work with Active Directory objects:
delete_sub_tree deletes the Active Directory object and all of its children.
select_object retrieves an Active Directory object and stores it in memory.
save_object saves the selected Active Directory object with its current settings to
Active Directory.
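The following ADEdit script is an added example, not part of the Centrify guide. It uses add_object_value to add a member to an Active Directory group, catches the error Active Directory returns if the value is rejected, and reads the attribute back with select_object and get_object_field (documented elsewhere in this guide) to confirm the write. The domain acme.com and the group and user DNs are assumptions for illustration.

```tcl
#!/bin/env adedit
# Added example, not part of the Centrify guide. Domain, group and user DNs
# are assumptions for illustration.
bind -write acme.com

# In Active Directory, group membership is the multi-valued "member"
# attribute; each value is the DN of a member object.
set group {CN=unix-admins,OU=Groups,DC=acme,DC=com}
set user  {CN=Adam Avery,OU=Users,DC=acme,DC=com}

# add_object_value writes to Active Directory immediately and ignores any
# object selected in memory: there is no save step and no undo short of
# removing the value again. A value Active Directory rejects (for example
# a DN that does not exist) raises a Tcl error, which is caught here.
if {[catch {add_object_value $group member $user} err]} {
    puts stderr "Active Directory rejected the value: $err"
    exit 1
}

# Read the attribute back from the directory to confirm the write landed.
select_object $group
set members [get_object_field member]
if {[string first $user $members] < 0} {
    puts stderr "member attribute does not contain $user after add"
    exit 1
}
puts "added $user to $group"
```

Because the command bypasses the in-memory copy, any object you had selected with select_object is unaffected; re-select it (as the script does) if you want to inspect or save it afterwards.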
add_pamapp_to_role
Use the add_pamapp_to_role command to add a PAM application right to the currently
selected role stored in memory. The PAM application right must already exist. You can
create PAM application rights using new_pam_app.
The add_pamapp_to_role command does not change the role as it is stored in Active
Directory. The command only changes the role stored in memory. You must save the role
using save_role before the added PAM application right takes effect in Active Directory.
If you select another role or quit ADEdit before saving the role, any PAM application
rights you've added since the last save won't take effect.
You can use add_pamapp_to_role only if the currently selected zone is a classic4 or
hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
add_pamapp_to_role app[/zonename]
Abbreviation
apr
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: app[/zonename] (string)
Required. Specifies the name of an existing PAM application right to add to the
currently selected role.
If the PAM application right that you want to add is defined in the currently selected
zone, the zonename part is optional. If the PAM application right is defined in a zone
other than the currently selected zone, zonename is required to identify the specific
PAM application right to add.
Return value
This command returns nothing if it runs successfully.
Examples
The following example adds the PAM application login-all, which is defined in the
currently selected zone, to the currently selected role:
add_pamapp_to_role login-all
The following example adds the PAM application access right oracle-admin from the emea
zone to the currently selected role:
add_pamapp_to_role oracle-admin/emea
Related commands
The following commands enable you to view and select the role you want to work with:
list_roles displays a list to stdout of all roles in the currently selected zone.
select_role retrieves a role from Active Directory and stores it in memory.
After you have a role stored in memory, you can use additional commands to work with that
roles fields, commands, and applications or use the following commands to delete or save
the currently selected role:
save_role saves the selected role with its current settings to Active Directory.
delete_role deletes the selected role from Active Directory and from memory.
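The following ADEdit script is an added example, not part of the Centrify guide, covering both add_command_to_role and add_pamapp_to_role. It composes a role from existing rights, reviews the pending (in-memory) definition against an allowlist, and only then runs save_role, so a typo in a right name or an unexpected command right never reaches Active Directory. The domain acme.com, the zone global, the role webadmin, the rights basicshell, login-all and oracle-admin, and the zone emea are assumptions for illustration.

```tcl
#!/bin/env adedit
# Added example, not part of the Centrify guide. Names below are assumptions.
# Bind with the Kerberos ticket cache (run kinit first); -write selects a
# writable domain controller so save_role does not fail on a read-only DC.
bind -write acme.com
select_zone {CN=global,CN=Zones,CN=Centrify,DC=acme,DC=com}
select_role webadmin

# Every add_* call below changes the role in memory only. If one of them
# fails (for example because the right does not exist), the script aborts
# before save_role and the role in Active Directory is left untouched.
add_command_to_role basicshell            ;# UNIX command right in this zone
add_pamapp_to_role  login-all             ;# PAM right in this zone
add_pamapp_to_role  oracle-admin/emea     ;# PAM right defined in zone emea

# Read the pending definition back and review it before committing.
set cmds [get_role_commands]
set apps [get_role_apps]
puts "pending UNIX command rights: $cmds"
puts "pending PAM application rights: $apps"

# Refuse to save a role that would grant a command right outside the
# allowlist; the split tolerates names returned as either name or name/zone.
set allowed {basicshell}
foreach c $cmds {
    set name [lindex [split $c /] 0]
    if {[lsearch -exact $allowed $name] < 0} {
        puts stderr "unexpected command right $c in role webadmin; not saving"
        exit 1
    }
}

save_role
puts "role webadmin saved"
```

Run the script with adedit on a host that can reach the domain. Quitting before save_role, or selecting another role, discards the pending changes, which is exactly the property the allowlist check relies on.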
add_sd_ace
Use the add_sd_ace command to add an access control entry (ACE) in ACE string form to
a security descriptor (SD) in SDDL (Security Descriptor Definition Language) form.
The command takes an SDDL string and an ACE string, adds the ACE to the descriptor,
and returns a new SDDL string that includes the added ACE. The string you passed in is
not changed; use the returned value.
Zone type
Not applicable
Syntax
add_sd_ace sddl_string ace_string
Abbreviation
ase
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
sddl_string
string
ace_string
string
Required. Specifies an access control entry in ACE string form (which is always
enclosed in parentheses)
Return value
This command returns a security descriptor string in SDDL format if it runs successfully.
Examples
This example adds an ACE string to an SDDL string. The first argument is the SDDL string
of the descriptor; the second, (A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY), is the ACE string to
add. Both arguments are enclosed in braces because SDDL strings contain semicolons,
which the Tcl interpreter would otherwise treat as command separators:
add_sd_ace {O:DAG:DAD:AI(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RCLCRPLO;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RCLCRPLO;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RCLCRPLO;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RCLCRPLO;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;EA)(A;CIID;LC;;;RU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA)} {(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)}
Related commands
The following commands enable you to work with security descriptor strings:
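The following ADEdit script is an added example, not part of the Centrify guide. It adds a read-only ACE to a descriptor with add_sd_ace and, before and after, walks the ACE strings of the SDDL with plain Tcl to flag any Allow ACE that grants full control (GA), write DAC (WD) or write owner (WO), since those rights let the trustee rewrite the descriptor itself. The SDDL string is a constructed minimal descriptor and the group SID is an assumption; nothing here is read from or written to Active Directory.

```tcl
#!/bin/env adedit
# Added example, not part of the Centrify guide. The descriptor below is a
# constructed minimal SDDL string and the trustee SID is an assumption.

# Split an SDDL string into its ACE strings, warn about Allow ACEs that
# grant GA, WD or WO, and return the list of ACE strings.
proc audit_aces {sddl} {
    set aces [regexp -all -inline {\([^()]*\)} $sddl]
    foreach ace $aces {
        # ACE string fields: type;flags;rights;object_guid;inherit_guid;sid
        foreach {type flags rights objguid inhguid sid} \
                [split [string trim $ace "()"] ";"] break
        set toks [regexp -all -inline {..} $rights]   ;# two-letter right codes
        foreach danger {GA WD WO} {
            if {$type eq "A" && [lsearch -exact $toks $danger] >= 0} {
                puts "warning: $sid is allowed $danger"
            }
        }
    }
    return $aces
}

# Owner and group Domain Admins; DACL with full control for Domain Admins and
# read-only for Authenticated Users (constructed, not taken from a real object).
set sddl {O:DAG:DAD:(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)}

# Read-only ACE (read property, list children, list object, read control)
# for an assumed group SID. Braces keep the semicolons away from Tcl.
set newace {(A;;RPLCLORC;;;S-1-5-21-1004336348-1177238915-682003330-1108)}

set before [audit_aces $sddl]
set sddl   [add_sd_ace $sddl $newace]
set after  [audit_aces $sddl]

puts "ACE count: [llength $before] -> [llength $after]"
puts "resulting descriptor: $sddl"
```

The warning for DA fires in both passes, as it should: the point of the audit is to see what an ACE change does to the set of principals that can alter the descriptor, not merely that an ACE was appended. Apply the returned string to an object only after that review.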
bind
Use the bind command to bind ADEdit to a domain. Multiple bind commands can bind
ADEdit to multiple domains in multiple forests. ADEdit must be bound to at least one
domain before its commands have any effect on Active Directory or Centrify objects. When
ADEdit is bound to multiple domains, its commands can work on any of those domains.
You can use bind to bind to any domain for which DNS can resolve the name and for which
you have log-in permission. ADEdit's host computer does not need to be joined to a
domain for ADEdit to bind to and work on that domain.
You can optionally specify a server in the domain to bind to, in which case ADEdit binds to
that domain controller. If you don't specify a server, ADEdit automatically binds to the
closest, fastest domain controller. You can use options to request automatic binding to a
global catalog (GC) domain controller or to a writable domain controller.
You can authorize the bind connection to a domain controller in the following ways:
If you provide no user or password arguments, bind uses the user name and password
stored in the current Kerberos credential cache on the ADEdit host computer.
If you provide a user argument without the password argument, bind in interactive
mode prompts you for a password, then uses the user argument along with your entered
password for authorization.
If you provide a user argument and password argument, bind uses the user and
password arguments for authorization.
If you specify the -machine option, ADEdit authenticates using the credentials for the
ADEdit host computer. You cannot provide user or password arguments if you specify
the -machine option. You must have read permission on the host's credential files to
use this option, so you typically must be root to use it.
Zone type
Not applicable
Syntax
bind [-gc] [-write] [-machine] [server@]domain [user [password]]
Abbreviation
None
Options
This command takes the following options:
Option: -gc
Requests an automatic binding to a global catalog (GC) domain controller. This option has
no effect if there's a domain controller specified using the server argument.
Option: -write
Requests an automatic binding to a writable domain controller. This option has no effect if
there's a domain controller specified using the server argument.
Option: -machine
Authenticates using the credentials of the ADEdit host computer instead of a user
account. Cannot be combined with the user or password arguments, and typically
requires root privileges on the host.
Arguments
This command takes the following arguments:
Argument: [server@]domain (string)
Required. Specifies the DNS name of the domain to bind to, optionally preceded by the
name of a domain controller in that domain and an at sign (@). If server is given,
ADEdit binds to that domain controller and the -gc and -write options have no effect.
Argument: [user] (string)
Optional. Specifies the user name for logging on to the domain controller.
If you don't specify this argument and the -machine option is also not present,
ADEdit attempts to log on using your current account credentials (the Kerberos
credential cache).
If you specify the -machine option, you cannot use this argument.
Argument: [password] (string)
Optional. Requires the user argument. Specifies the password to use when
logging on to the domain controller as user.
Return value
This command returns no value.
Examples
The following example binds ADEdit to the domain acme.com, logging in as administrator
with the password #3gEgh^&4:
bind acme.com administrator #3gEgh^&4
Note that a password that includes Tcl-special characters such as $ might trigger character
substitution that modifies the password. To ensure that a password isn't altered by the Tcl
interpreter, enclose the password in braces ({}). For example:
bind acme.com maya,garcia {$m1l3s88}
A password given as an argument is visible to anyone who can read the script file or the
shell history. For scripts, prefer the Kerberos credential cache (no user or password
arguments) or, for jobs that run as root, the -machine option.
Related commands
The following commands perform actions related to the bind command:
pop restores the context from the top of ADEdit's context stack to ADEdit.
show returns the current context of ADEdit: its bound domains and its currently
selected objects.
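The following ADEdit script is an added example, not part of the Centrify guide. It shows the two credential sources that keep secrets out of scripts: the Kerberos credential cache for interactive runs and the -machine option for unattended runs as root, plus a read-only global catalog binding to a second forest, verified with show. The domain names are assumptions, as is the use of the Tcl variable argv for the script's command-line arguments.

```tcl
#!/bin/env adedit
# Added example, not part of the Centrify guide. Domain names are assumptions,
# and so is reading the script's arguments from the Tcl variable argv.

# Unattended runs as root pass --as-machine and authenticate with the host
# computer's own credentials; interactive runs rely on the operator's
# Kerberos ticket (kinit before starting adedit). Neither path puts a
# password in the script or the shell history. -write makes sure that later
# save_* commands reach a writable domain controller.
if {[lsearch -exact $argv --as-machine] >= 0} {
    bind -write -machine acme.com
} else {
    bind -write acme.com
}

# A second forest used only for lookups: a global catalog is enough, and
# -gc lets ADEdit choose one rather than pinning a server by name.
bind -gc partner.example

# Confirm which domains are bound before any command touches the directory.
show
```

If a change must be observed on one particular controller (for example a read immediately after a write), name it as server@domain instead; remember that -gc and -write are then ignored.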
clear_rs_env_from_role
Use the clear_rs_env_from_role command to remove the restricted shell environment
from the currently selected role that is stored in memory.
The clear_rs_env_from_role command does not modify the information stored in Active
Directory for the role. If you run this command using ADEdit without saving the role to
Active Directory, the change will have no effect on the restricted shell environment stored
in Active Directory.
You can only use the clear_rs_env_from_role command if the currently selected zone is a
classic4 zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
clear_rs_env_from_role
Abbreviation
crse
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
clear_rs_env_from_role
This example removes the restricted shell environment from the current role.
Related commands
The following commands perform actions related to this command:
select_rs_env retrieves a restricted shell environment from Active Directory and stores
it in memory.
set_rs_env_for_role assigns a restricted shell environment to the current role.
After you have a restricted shell environment stored in memory, you can use the following
commands to work with that restricted shell environment:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_rse_field reads a field value from the current restricted shell environment.
create_computer_role
Use the create_computer_role command to create a new computer role in Active
Directory. The command does not store the new computer role in memory nor set it as the
currently selected ADEdit computer role. To manage the computer role, you must select it
using select_zone and then use zone commands to work with the computer roles fields.
ADEdit requires a valid license before the computer role is created. The
create_computer_role command does an implicit search. The first place it looks is the
ADEdit context for a valid license indicator (see the validate_license command) for the
forest. If an indicator is not in the context, the command checks for a valid license as
follows:
Bind to the global catalog (GC) domain controller, search the forest for the license
container and validate the license.
Bind to the current domain, search for the license container and validate the license.
If it finds a valid license, it stores an indicator in the current context and creates the new
computer role. If it does not find a valid license, create_computer_role reports No valid
license found and exits. If the command fails, use validate_license to validate the license
container explicitly.
To associate role assignments with the new computer role, you must select the computer
role, then use new_role_assignment.
Zone type
Hierarchical only
Syntax
create_computer_role computer_role_path group_upn
Abbreviation
ccr
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
Argument: computer_role_path (string)
Required. Specifies a path to the new computer role. The path consists of the
hosting zone's distinguished name followed by a slash and the name of the new
computer role.
Argument: group_upn (string)
Required. Specifies the user principal name (UPN) of a computer group in Active
Directory to associate with this computer role. This computer group defines the
set of computers in which this computer role functions. The computer group
must be available within the computer role's host domain.
Return value
This command returns no value if it runs successfully.
Examples
The following example creates a new computer role named LinuxComputers in the global
zone of acme.com:
create_computer_role {CN=global,CN=Zones,CN=Centrify,DC=acme,DC=com/
LinuxComputers} linux_computers@acme.com
The scope of the computer role is defined by the group named linux_computers, which is
an Active Directory group defined in acme.com. To work with the new computer role, you
must select it as a zone:
select_zone CN=global,CN=Zones,CN=Centrify,DC=acme,DC=com/LinuxComputers
Related commands
The following command retrieves the computer role from Active Directory and stores it in
memory so you can use other commands to work with it:
select_zone retrieves a zone or computer role from Active Directory and stores it in
memory.
After you have a computer role stored in memory, you can use the following commands to
work with it:
new_role_assignment creates a new role assignment for the selected computer role.
list_role_assignments lists user role assignments for the selected computer role.
get_role_assignments returns a Tcl list of user role assignments for the selected
computer role.
get_zone_field retrieves the computer group associated with the computer role.
set_zone_field sets the computer group associated with the computer role.
delete_zone deletes the selected computer role from Active Directory and memory.
create_zone
Use the create_zone command to create a new zone in Active Directory. The command
does not store the new zone in memory nor set it as the currently selected ADEdit zone. To
manage the zone, you must select it using select_zone and then use zone commands.
This command can create different types of zones and the zones can use different types of
schemas, depending on the schema you are using for Active Directory. Before the zone is
created, however, ADEdit checks for a valid license.
The create_zone command first checks the ADEdit context for a valid license indicator for
the forest. If an indicator is not found in the context, the command checks for a valid license
as follows:
Bind to the global catalog (GC) domain controller, search the forest for the license
container and validate the license.
Bind to the current domain, search for the license container and validate the license.
If the command finds a valid license, it stores an indicator in the current context and creates
the new zone. If it does not find a valid license, create_zone reports No valid license
found and exits. If the command fails, use the validate_license command to validate the
license container explicitly.
Note When this command creates a zone, the zone contains predefined roles such as sftp
and UNIX Login. The zone does not, however, contain the role Windows Login because
ADEdit does not support Windows rights.
Zone type
Classic and hierarchical
Syntax
create_zone [-ou] zone_type path [schema_type]
Abbreviation
cz
Options
This command takes the following option:
Option
Description
-ou
Creates the new zone as an organizational unit object. If not present, the new zone is
created as a container object.
Note that the parent container determines what type of object the zone can be. If the
parent container is a generic container object, the zone must be a container object. If the
parent container is an organizational unit object, the zone can be either an organizational
unit object or a container object.
Arguments
This command takes the following arguments:
Argument
Type
Description
Argument: zone_type (string)
Required. Specifies the type of zone to create. The zone types used in this guide are
tree (a hierarchical zone), classic3 and classic4 (classic zones), and computer (a
computer-specific zone that holds one computer's overrides within a hierarchical zone).
Argument: path (string)
Required. Specifies a path to the new zone. For tree and classic zones the path is the
new zone's distinguished name (DN). For a computer zone it is the computer name, an
at sign (@), and the DN of the hierarchical zone the computer zone belongs to, as in
the examples below.
schema_type
string
Optional. Specifies the type of schema to use for the new zone. The possible
values are:
sfu specifies the Microsoft Services For UNIX schema. This setting can be used
for tree, classic3, and classic4 zone types. If its used for a hierarchical zone, it
can only be the root of the zone hierarchy.
std specifies the dynamic schema. This setting can be used for all zone types.
This is the default schema unless ADEdit detects the RFC2307 schema.
rfc specifies the RFC2307 schema.This setting can be used for all zone types.
This is the default schema if ADEdit detects that RFC2307 is installed and the
domain is at Windows Server 2003 functional level.
If none of these values is present, the default is either std or rfc as described
above.
Return value
This command returns no value if it runs successfully.
Examples
The following examples illustrate how to create a classic zone, a hierarchical zone, and a
computer-specific zone in Centrify Suite 2012 and later.
Classic zone: The following command creates a classic zone named finance in the Centrify
organizational unit in the acme.com domain that uses the dynamic schema (std):
create_zone classic4 CN=finance,OU=Centrify,DC=acme,DC=com std
Hierarchical zone: The following command creates a hierarchical zone named finance in
the Zones container of the Centrify organizational unit in the acme.com domain, using
the dynamic schema (std):
create_zone tree CN=finance,CN=Zones,OU=Centrify,DC=acme,DC=com std
To make the finance zone a child zone of a global zone already created in the same
container, OU, and domain, you would next select finance to make it the currently
selected zone, then use set_zone_field (szf) to specify the global zone as its parent, and
then save finance. For example:
select_zone CN=finance,CN=Zones,OU=Centrify,DC=acme,DC=com
szf parent CN=global,CN=Zones,OU=Centrify,DC=acme,DC=com
save_zone
Computer-specific zone: The following command creates a computer zone for the
computer svr1.acme.com within the hierarchical zone apache (itself nested under global):
create_zone computer svr1.acme.com@CN=apache,CN=global,CN=Zones,OU=Centrify,DC=acme,DC=com
Related commands
Before you use this command, you must bind to one or more Active Directory domains.
The following command enables you to store a newly created zone in memory:
select_zone retrieves a zone from Active Directory and stores it in memory.
After you have a zone stored in memory, you can use the following commands to work
with it:
delete_zone deletes the selected zone from Active Directory and memory.
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone saves the selected zone with its current settings to Active Directory.
delegate_zone_right
Use the delegate_zone_right command to delegate an administrative right for the
currently selected zone to a security principal (user or group). Zone rights allow a user or
group to use and manage zone properties.
Zone type
Classic and hierarchical
Syntax
delegate_zone_right right principal_upn
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument: right (string)
Required. Specifies the zone right to delegate, for example add_user (the right to add
users to the zone), as shown in the example below.
Argument: principal_upn (string)
Required. Specifies the user principal name (UPN) of a user or group in Active
Directory to delegate the specified right to.
Return value
This command returns no value if it runs successfully.
Examples
delegate_zone_right add_user adam.avery@acme.com
This example delegates the right to add users to the currently selected zone to the Active
Directory user Adam Avery.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following command enables you to select a zone to work with:
select_zone retrieves a zone from Active Directory and stores it in memory.
After you have a zone stored in memory, you can use the following commands to work with
that zone:
delete_zone deletes the selected zone from Active Directory and memory.
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone saves the selected zone with its current settings to Active Directory.
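The following ADEdit script is an added example, not part of the Centrify guide, covering create_zone, create_computer_role and delegate_zone_right together. It creates a hierarchical zone, links it under an existing global zone and verifies the link by re-reading the zone, attaches a computer role scoped by a computer group, and delegates a single zone right to a group. The domain acme.com, the OU, the zones global and finance, the computer role WebServers, the computer group web_servers and the group finance-unix-admins are assumptions for illustration.

```tcl
#!/bin/env adedit
# Added example, not part of the Centrify guide. Domain, OU, zone, computer
# group and administrator group names are assumptions for illustration.
bind -write acme.com

set zones  {CN=Zones,OU=Centrify,DC=acme,DC=com}
set parent "CN=global,$zones"
set child  "CN=finance,$zones"

# create_zone validates the license itself and errors out if none is found;
# catch the error so the failure is reported instead of half-building a tree.
if {[catch {create_zone tree $child std} err]} {
    puts stderr "create_zone failed: $err"
    exit 1
}

# create_zone does not select the new zone. Select it, point its parent
# field at global, and save; the parent link is stored on the zone object.
select_zone $child
set_zone_field parent $parent
save_zone

# Re-read the zone from Active Directory and confirm the parent link.
select_zone $child
if {![string equal -nocase [get_zone_field parent] $parent]} {
    puts stderr "parent of $child is not $parent"
    exit 1
}

# A computer role scoped by an existing AD computer group. Like a zone, the
# computer role is selected with select_zone when adding role assignments.
create_computer_role "$child/WebServers" web_servers@acme.com

# Delegate the narrowest right needed (add_user) and delegate it to a group,
# not a person, so staff changes are handled by group membership.
select_zone $child
delegate_zone_right add_user finance-unix-admins@acme.com
puts "zone $child created, linked under global, and delegated"
```

The re-read after save_zone is deliberate: set_zone_field changes only the copy in memory, so checking the value before save_zone would prove nothing about what is in the directory.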
delete_dz_command
Use the delete_dz_command command to delete the currently selected privileged
command from Active Directory and from memory. You cannot use other commands to
manage privileged commands after deletion because there will be no currently selected
command in memory.
Zone type
Classic and hierarchical
Syntax
delete_dz_command
Abbreviation
dldzc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_dz_command
This example deletes the currently selected command from Active Directory and from
memory.
Related commands
Before you use this command, you must have a currently selected UNIX command right
stored in memory. The following command enables you to select a UNIX command to
work with:
select_dz_command retrieves a UNIX command right from Active Directory and stores it
in memory.
After you have a UNIX command stored in memory, you can use the following commands
to work with that command:
save_dz_command saves the selected command with its current settings to Active
Directory.
set_dzc_field sets a field value in the currently selected command.
delete_map_entry
Use the delete_map_entry command to delete an entry from the currently selected NIS
map stored in memory. The delete_map_entry command changes the NIS map in memory
and in Active Directory. You do not need to save the NIS map for the deleted entry to take
effect in Active Directory.
Zone type
Not applicable
Syntax
delete_map_entry key:index
Abbreviation
dlme
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
Argument: key:index (string)
Required. Specifies the key of the NIS map entry to delete, followed by a colon (:)
and the index number of the entry with that key.
Return value
This command returns nothing if it runs successfully.
Examples
delete_map_entry calla:1
This example deletes the NIS map entry with the key value calla and index number 1 from
the currently selected NIS map.
Related commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and select the NIS map to work
with:
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout all of the NIS maps in the currently selected zone.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that maps entries:
get_nis_map_field reads a field value from the currently selected NIS map.
list_nis_map or list_nis_map_with_comment lists to stdout the map entries in the
currently selected NIS map.
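The following ADEdit script is an added example, not part of the Centrify guide, covering add_map_entry, add_map_entry_with_comment and delete_map_entry together. Because there is no command to modify an entry in place, it deletes the old entry by key:index and re-adds the new value with a comment, and because both commands write to Active Directory immediately it reports loudly if the re-add fails and the map is left without the entry. The domain, the zone global, the map name mail_aliases, the key Finance and the index 0 are assumptions for illustration.

```tcl
#!/bin/env adedit
# Added example, not part of the Centrify guide. The domain, zone, map name,
# key and index are assumptions for illustration.
bind -write acme.com
select_zone {CN=global,CN=Zones,CN=Centrify,DC=acme,DC=com}
select_nis_map mail_aliases

# Replace one map entry. delete_map_entry and add_map_entry_with_comment
# each write to Active Directory at once (no save_nis_map needed), so between
# the two calls the map has no entry for the key, and a failed add leaves it
# that way; report that so the operator can restore the entry by hand.
proc replace_entry {key index value comment} {
    delete_map_entry ${key}:${index}
    if {[catch {add_map_entry_with_comment $key $value $comment} err]} {
        puts stderr "entry $key:$index was removed but re-adding it failed: $err"
        puts stderr "restore it with add_map_entry_with_comment before continuing"
        exit 1
    }
}

# Inspect the current entries (key, index, value, comment) first so the
# key:index passed to delete_map_entry is the one you mean.
list_nis_map_with_comment

# The comment is braced so its spaces do not split it into extra arguments.
replace_entry Finance 0 Hank@acme.com,Sue@acme.com,Li@acme.com {Finance staff, added Li}
```

If the map is served to clients, run the replacement in a maintenance window or at a quiet time: the entry is absent for the interval between the delete and the add.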
delete_nis_map
Use the delete_nis_map command to delete the currently selected NIS map from Active
Directory and from memory. You cannot use other commands to manage the NIS map after
deletion because there will be no currently selected map in memory.
Zone type
Not applicable
Syntax
delete_nis_map
Abbreviation
dlnm
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_nis_map
This example deletes the currently selected NIS map from Active Directory and from
memory.
Related commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and select the NIS map to work
with:
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout all NIS maps in the currently selected zone.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map's entries:
add_map_entry or add_map_entry_with_comment adds an entry to the currently selected
NIS map.
delete_map_entry deletes an entry from the currently selected NIS map.
get_nis_map_field reads a field value from the currently selected NIS map.
list_nis_map or list_nis_map_with_comment lists to stdout the map entries in the
currently selected NIS map.
delete_object
Use the delete_object command to delete the currently selected Active Directory object
from Active Directory and from memory. You cannot use other commands to manage the
object after deletion because there will be no currently selected Active Directory object in
memory.
Note: Do NOT use the delete_object command to delete an Active Directory user or
group that has been provisioned. If you use delete_object to delete a provisioned user or
group, you create orphan user or group UNIX data objects. Instead, use the
delete_zone_user or delete_zone_group command, and use select_zone_user or
select_zone_group rather than select_object to select the user or group. For
information about displaying orphan accounts, see list_zone_users and
list_zone_groups.
Zone type
Not applicable
Syntax
delete_object
Abbreviation
dlo
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_object
This example deletes the currently selected Active Directory object from Active Directory
and from memory.
Related commands
Before you use this command, you must have a currently selected Active Directory object
stored in memory. The following commands enable you to view and select the object to
work with:
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of matching objects.
select_object retrieves an Active Directory object and stores it in memory.
After you have an Active Directory object stored in memory, you can use other commands
to work with that objects attributes, or the following commands to delete or save
information for the object:
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
delete_pam_app
Use the delete_pam_app command to delete the currently selected PAM application from
Active Directory and from memory. You cannot use other commands to manage the PAM
application after deletion because there will be no currently selected PAM application in
memory.
Zone type
Classic and hierarchical
Syntax
delete_pam_app
Abbreviation
dlpam
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_pam_app
This example deletes the currently selected PAM application from Active Directory and
from memory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
After you have a zone stored in memory, you can use the following commands to view and
select the PAM application to work with:
get_pam_apps returns a Tcl list of PAM application rights in the current zone.
list_pam_apps lists to stdout all PAM application rights in the current zone.
select_pam_app retrieves a PAM application right from Active Directory and stores it in
memory
After you have a PAM application stored in memory, you can use the following commands
to work with that PAM applications attributes, delete the PAM application, or save
information for the PAM application:
delete_pam_app deletes the selected PAM application right from Active Directory and
from memory.
get_pam_field reads a field value from the currently selected PAM application right.
save_pam_app saves the selected PAM application right with its current settings to
Active Directory.
set_pam_field sets a field value in the currently selected PAM application right.
delete_role
Use the delete_role command to delete the currently selected role from Active Directory
and from memory. You cannot use other commands to manage the role after deletion
because there will be no currently selected role in memory.
Zone type
Classic and hierarchical
Syntax
delete_role
Abbreviation
dlr
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_role
This example deletes the currently selected role from Active Directory and from memory.
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with:
After you have a role stored in memory, you can use the following commands to work with
that role:
get_role_apps returns a Tcl list of the PAM applications associated with the role.
get_role_commands returns a Tcl list of the UNIX commands associated with the role.
list_role_rights lists to stdout all UNIX commands and PAM applications associated
with the role.
remove_command_from_role removes a UNIX command from the currently selected
role.
remove_pamapp_from_role removes a PAM application from the currently selected
role.
save_role saves the selected role with its current settings to Active Directory.
delete_role_assignment
Use the delete_role_assignment command to delete the currently selected role
assignment from Active Directory and from memory. You cannot use other commands to
manage the role assignment after deletion because there will be no currently selected role
assignment in memory.
Zone type
Classic and hierarchical
Syntax
delete_role_assignment
Abbreviation
dlra
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_role_assignment
This example deletes the currently selected role assignment from Active Directory and
from memory.
Related commands
Before you use this command, you must have a currently selected role assignment stored in
memory. The following commands enable you to view and select the role assignment to
work with:
list_role_assignments lists to stdout all role assignments in the currently selected zone.
After you have a role assignment stored in memory, you can use other commands to work
with that role assignment's fields, or the following command to save information for the
role assignment:
save_role_assignment saves the selected role assignment with its current settings to
Active Directory.
delete_rs_command
Use the delete_rs_command command to delete the currently selected restricted shell
command from Active Directory and from memory. After you run this command, you
cannot run subsequent ADEdit commands for restricted shell commands because there will
be no currently selected restricted shell command available in memory.
Zone type
Classic only
Syntax
delete_rs_command
Abbreviation
dlrsc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_rs_command
This example deletes the currently selected restricted shell command from
Active Directory and from memory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the restricted shell command to
work with:
get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
list_rs_commands lists to stdout the restricted shell commands in the current zone.
After you have a restricted shell command stored in memory, you can use the following
commands to work with that restricted shell:
save_rs_command saves the selected command with its current settings to Active
Directory.
set_rsc_field sets a field value in the currently selected command.
delete_rs_env
Use the delete_rs_env command to delete the currently selected restricted environment
from Active Directory and from memory. After you run this command, you cannot run
subsequent ADEdit commands for a restricted shell environment because there will be no
currently selected restricted shell environment available in memory.
Zone type
Classic only
Syntax
delete_rs_env
Abbreviation
dlrse
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_rs_env
This example deletes the currently selected restricted shell environment (RSE) from
Active Directory and from memory.
Related commands
Before you use this command, you must have a currently selected restricted shell
environment stored in memory. The following command enables you to view and select the
restricted shell environment to work with:
select_rs_env retrieves a restricted shell environment from Active Directory and stores
it in memory.
After you have a restricted shell environment stored in memory, you can use the following
commands to work with its fields:
get_rse_field reads a field value from the current restricted shell environment.
delete_sub_tree
Use the delete_sub_tree command to delete an object and all of its child objects from
Active Directory. Only child objects that are in the same container as the specified parent
object are deleted. Child objects in other containers are not deleted.
WARNING: This is a very powerful command, and can cause a lot of damage if used
incorrectly. It's similar to running rm -rf * in UNIX.
In interactive mode, ADEdit prompts you for confirmation before executing this command.
If you use this command in a script, ADEdit does not prompt for confirmation. You should
use caution before using this command in a script.
This command can be used on any Active Directory object, including a container, OU,
computer object, group or user. However, it is especially useful for deleting a corrupted
zone. You'd normally use select_zone and then delete_zone to delete a zone. If the zone
is damaged, though, select_zone might not work. In that case, delete_sub_tree will do
the job.
If the zone is a hierarchical zone, this command deletes only the child zones in the same
container as the parent zone. If there are any child zones in other containers, they are not
deleted.
Zone type
Classic and hierarchical
Syntax
delete_sub_tree dn
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument   Type   Description
dn         DN     Required. Specifies the distinguished name of the object (with all of its
                  children) to remove from Active Directory.
Return value
This command returns nothing if it runs successfully.
Examples
delete_sub_tree CN=marketing,CN=Zones,CN=Centrify,DC=acme,DC=com
This example deletes the marketing zone identified by the given DN, with all of its child
objects, from Active Directory.
Related commands
The following commands enable you to view and manage the Active Directory object to
work with:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of matching objects.
new_object creates a new Active Directory object and stores it in memory.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
select_object retrieves an object with its attributes from Active Directory and stores it
in memory.
The following commands enable you to view and manage Active Directory object
attributes:
get_object_field reads a field value from the currently selected Active Directory object.
remove_object_value removes a value from a multi-valued field attribute of the
currently selected Active Directory object.
set_object_field sets a field (attribute) value in the currently selected Active Directory
object.
delete_zone
Use the delete_zone command to delete the currently selected zone from Active
Directory and from memory. After you run this command, you cannot run subsequent
ADEdit commands for zones because there will be no currently selected zone available in
memory.
This command performs an LDAP sub-tree deletion operation. Only child zones that are in
the same container as the specified parent zone are deleted. Child zones that are located in
other containers are not deleted. Child zones that are based on pointers defined in the child
zone are not deleted. For more information about deleting sub-tree objects, see
delete_sub_tree.
In interactive mode, ADEdit prompts you for confirmation before executing this command.
If you use this command in a script, ADEdit does not prompt for confirmation. You should
use caution before using this command in a script.
Zone type
Classic and hierarchical
Syntax
delete_zone
Abbreviation
dlz
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_zone
This example deletes the currently selected zone or computer role from Active Directory
and from memory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the zone to work with:
select_zone retrieves a zone from Active Directory and stores it in memory as the
currently selected zone.
After you have a zone stored in memory, you can use the following commands to work with
that zone:
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones for
the current zone.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone saves the selected zone with its current settings to Active Directory.
delete_zone_computer
Use the delete_zone_computer command to delete the currently selected zone computer
from Active Directory and from memory. After you run this command, you cannot run
subsequent ADEdit commands for zone computers because there will be no currently
selected zone computer available in memory.
Zone type
Classic and hierarchical
Syntax
delete_zone_computer [-all]
Abbreviation
dlzc
Options
This command takes the following option:
Option
Description
-all
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_zone_computer
This example deletes the currently selected zone computer from Active Directory and from
memory.
Related commands
Before you use this command, you must have a currently selected zone computer stored in
memory. The following commands enable you to view and select the zone computer to
work with:
get_zone_computers returns a Tcl list of the Active Directory names of all zone
computers in the current zone.
After you have a zone computer stored in memory, you can use the following commands to
work with that zone computer:
delete_zone_group
Use the delete_zone_group command to delete the currently selected zone group from
Active Directory and from memory. After you run this command, you cannot run
subsequent ADEdit commands for zone groups because there will be no currently selected
zone group available in memory.
Zone type
Classic and hierarchical
Syntax
delete_zone_group
Abbreviation
dlzg
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_zone_group
This example deletes the currently selected zone group from Active Directory and from
memory.
Related commands
Before you use this command, you must have a currently selected zone group stored in
memory. The following commands enable you to view and select the zone group to work
with:
get_zone_groups returns a Tcl list of the Active Directory names of all zone groups in
the current zone.
After you have a zone group stored in memory, you can use the following commands to
work with that zone group:
get_zone_group_field reads a field value from the currently selected zone group.
save_zone_group saves the selected zone group with its current settings to Active
Directory.
set_zone_group_field sets a field value in the currently selected zone group.
delete_zone_user
Use the delete_zone_user command to delete the currently selected zone user from
Active Directory and from memory. After you run this command, you cannot run
subsequent ADEdit commands for zone users because there will be no currently selected
zone user available in memory.
Zone type
Classic and hierarchical
Syntax
delete_zone_user
Abbreviation
dlzu
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
delete_zone_user
This example deletes the currently selected zone user from Active Directory and from
memory.
Related commands
Before you use this command, you must have a currently selected zone user stored in
memory. The following commands enable you to view and select the zone user to work
with:
get_zone_users returns a Tcl list of the Active Directory names of all zone users in the
current zone.
select_zone_user retrieves a zone user from Active Directory and stores it in memory.
After you have a zone user stored in memory, you can use the following commands to work
with that zone user:
get_zone_user_field reads a field value from the currently selected zone user.
save_zone_user saves the selected zone user with its current settings to Active
Directory.
set_zone_user_field sets a field value in the currently selected zone user.
dn_from_domain
Use the dn_from_domain command to convert a specified domain name in dotted form
(acme.com, for example) to a distinguished name (DN). This conversion doesn't require a
lookup in Active Directory. The command performs a simple text conversion.
Zone type
Not applicable
Syntax
dn_from_domain domain_name
Abbreviation
dnfd
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument      Type     Description
domain_name   string
Return value
This command returns a domain name as a distinguished name.
Examples
dn_from_domain acme.com
Related commands
The following commands convert information from one format to another:
dn_to_principal
Use the dn_to_principal command to look up a security principal (user, computer, or
group) by its distinguished name (DN). The command searches Active Directory for the
principal, and if the principal is found, the command returns the sAMAccount@domain name
of the principal. Optionally, you can also use this command to return the user principal
name (UPN) for the principal.
Zone type
Not applicable
Syntax
dn_to_principal [-upn] principal_dn
Abbreviation
dntp
Options
This command takes the following option:
Option   Description
-upn     Returns the principal name in user principal name (UPN) format, not the default
         sAMAccount@domain format.
Arguments
This command takes the following argument:
Argument       Type     Description
principal_dn   string
Return value
This command returns the sAMAccount@domain name or (optionally) the user principal
name (UPN) of a security principal. If the command doesn't find the specified security
principal in Active Directory, it presents a message that it didn't find the principal.
Examples
dn_to_principal cn=brenda butler,cn=users,dc=acme,dc=com
Related commands
The following commands search for security principals in Active Directory:
principal_to_dn searches Active Directory for a user principal name (UPN) and, if
found, returns the corresponding distinguished name (DN).
principal_from_sid searches Active Directory for an SID and returns the security
principal associated with the SID.
domain_from_dn
The domain_from_dn command takes a distinguished name (DN) that contains a domain
and returns the domain name in dotted form (acme.com, for example). This conversion
doesn't require a lookup in Active Directory. The command performs a simple text
conversion.
Zone type
Not applicable
Syntax
domain_from_dn dn
Abbreviation
dfdn
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument   Type     Description
dn         string
Return value
This command returns a domain name in dotted form such as acme.com. If the distinguished
name doesn't contain any domain component (DC) values, the command returns a notice that
the DC values are missing.
Examples
dfdn cn=johndoe,cn=users,dc=acme,dc=com
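Both dn_from_domain and domain_from_dn are pure text conversions, and the same DN structure decides which objects a delete_sub_tree call reaches (only objects whose DN sits beneath the given parent, not children stored in other containers). The following is an added example in Python, not ADEdit or Centrify code: it re-implements the two conversions as stand-alone functions, raises the missing-DC condition as an exception rather than printing a notice, and adds a subtree filter that shows which DNs a sub-tree deletion would cover. The sample DNs are constructed for the example and the function names are the example's own.

```python
"""DN text helpers: an added, stand-alone example of the conversions this guide
describes (dn_from_domain, domain_from_dn) and of LDAP sub-tree scope.
Not ADEdit code; ADEdit performs these as Tcl commands."""
import re
from typing import List, Tuple

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute_type, value), ...], leaf first, as the DN is written.
    Attribute types are lower-cased; values keep their case."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN (no '='): {rdn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dn_from_domain(domain: str) -> str:
    """'acme.com' -> 'DC=acme,DC=com'. Text only, no directory lookup."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def domain_from_dn(dn: str) -> str:
    """'cn=johndoe,cn=users,dc=acme,dc=com' -> 'acme.com'.
    Raises ValueError when the DN carries no DC components, the case for which
    the guide says the command returns a 'DC values are missing' notice."""
    dcs = [value for attr, value in parse_dn(dn) if attr == "dc"]
    if not dcs:
        raise ValueError("DN contains no domain component (DC) values")
    return ".".join(dcs)


def is_under(dn: str, parent_dn: str) -> bool:
    """True if dn is parent_dn itself or lies anywhere beneath it.
    Comparison is case-insensitive, as Active Directory matches DNs."""
    child = [(a, v.lower()) for a, v in parse_dn(dn)]
    parent = [(a, v.lower()) for a, v in parse_dn(parent_dn)]
    return len(child) >= len(parent) and child[len(child) - len(parent):] == parent


def subtree(parent_dn: str, dns: List[str]) -> List[str]:
    """The objects a sub-tree deletion of parent_dn covers: the object and every
    descendant under it. Objects held in other containers are untouched, which
    is the behaviour the guide describes for delete_sub_tree and delete_zone."""
    return [d for d in dns if is_under(d, parent_dn)]


# Constructed sample: a zone with one child zone, a sibling zone in the same
# container, and a "child" zone stored in a different container.
SAMPLE_DNS = [
    "CN=marketing,CN=Zones,CN=Centrify,DC=acme,DC=com",
    "CN=eu,CN=marketing,CN=Zones,CN=Centrify,DC=acme,DC=com",
    "CN=finance,CN=Zones,CN=Centrify,DC=acme,DC=com",
    "CN=marketing-child,OU=OtherZones,DC=acme,DC=com",
]

if __name__ == "__main__":
    print(dn_from_domain("acme.com"))
    print(domain_from_dn("cn=johndoe,cn=users,dc=acme,dc=com"))
    for d in subtree("CN=marketing,CN=Zones,CN=Centrify,DC=acme,DC=com", SAMPLE_DNS):
        print("would delete:", d)
```

Running it lists only the marketing zone and its eu child; the finance sibling and the zone stored under OU=OtherZones are left alone, which is the "same container" rule the guide gives for delete_sub_tree.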
Related commands
The following command converts information from one format to another:
explain_sd
Use the explain_sd command to supply a security descriptor (SD) in security descriptor
definition language (SDDL) form. The command returns a human-readable form of the
security descriptor.
Zone type
Not applicable
Syntax
explain_sd sddl_string
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument      Type     Description
sddl_string   string
Return value
This command returns text that describes the supplied security descriptor in
human-readable form.
Examples
explain_sd
O:DAG:DAD:AI(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RCLCRPLO;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RCLCRPLO;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RCLCRPLO;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RCLCRPLO;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;EA)(A;CIID;LC;;;RU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA)
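A descriptor like the one above is hard to read by eye, which is the problem explain_sd solves. The following is an added example in Python, stand-alone and not ADEdit's explain_sd or any Centrify code: it parses SDDL into owner, group, DACL flags and ACEs, renders the result using the well-known trustee aliases and two-letter rights codes, and adds an audit helper that picks out the trustees able to rewrite the DACL or take ownership. The sample string is the first four ACEs of the page's own example; the function names and the English renderings are the example's own, and the SACL section is deliberately skipped.

```python
"""SDDL decoder: an added, stand-alone example of the translation explain_sd performs.
Not ADEdit code; the wording of rights and trustees is the example's own."""
import re
from collections import namedtuple
from typing import List

# Well-known trustee aliases (subset of the SDDL SID-string table).
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators", "DA": "Domain Admins",
            "EA": "Enterprise Admins", "AO": "Account Operators", "PO": "Printer Operators",
            "AU": "Authenticated Users", "RU": "Pre-Windows 2000 Compatible Access",
            "ED": "Enterprise Domain Controllers", "PS": "Principal Self", "WD": "Everyone"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "Allow (object)", "OD": "Deny (object)"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit", "NP": "no propagate",
             "IO": "inherit only", "ID": "inherited"}
ACL_FLAGS = {"P": "protected", "AR": "auto-inherit required", "AI": "auto-inherited"}
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "GX": "generic execute", "RC": "read control", "SD": "delete", "WD": "write DAC",
          "WO": "write owner", "CC": "create child", "DC": "delete child",
          "LC": "list children", "SW": "self write", "RP": "read property",
          "WP": "write property", "DT": "delete tree", "LO": "list object",
          "CR": "control access"}
TAKEOVER_RIGHTS = {"WD", "WO", "GA"}  # rights that let the holder rewrite the protection

# Constructed sample: the first four ACEs of the descriptor shown above.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)"
               "(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)"
               "(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;"
               "4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(A;CIID;LC;;;RU)")

Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_guid trustee")
SecurityDescriptor = namedtuple("SecurityDescriptor", "owner group dacl_flags dacl")


def _pairs(s: str) -> List[str]:
    """'CIIOID' -> ['CI', 'IO', 'ID']: rights and ACE flags are two-letter codes."""
    if len(s) % 2:
        raise ValueError(f"odd-length code string: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def _acl_flags(s: str) -> List[str]:
    """ACL flags mix the one-letter 'P' with two-letter codes, so walk them."""
    out = []
    while s:
        n = 1 if s[0] == "P" else 2
        out.append(s[:n])
        s = s[n:]
    return out


def _parse_ace(raw: str) -> Ace:
    parts = raw.split(";")
    if len(parts) < 6:
        raise ValueError(f"an ACE needs six ';'-separated fields: {raw!r}")
    ace_type, flags, rights, obj, inh, trustee = parts[:6]
    rights_list = [rights] if rights.startswith("0x") else _pairs(rights)
    return Ace(ace_type, _pairs(flags), rights_list, obj, inh, trustee)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split the O:/G:/D:/S: sections. Nothing else in SDDL puts a colon after
    one of those letters, so a look-ahead split is safe. The SACL is skipped."""
    sections = {}
    for part in re.split(r"(?=[OGDS]:)", sddl.replace(" ", "")):
        if part:
            sections[part[0]] = part[2:]
    dacl = sections.get("D", "")
    return SecurityDescriptor(
        owner=sections.get("O", ""), group=sections.get("G", ""),
        dacl_flags=_acl_flags(dacl.split("(", 1)[0]),
        dacl=[_parse_ace(a) for a in re.findall(r"\(([^)]*)\)", dacl)])


def _name(trustee: str) -> str:
    return TRUSTEES.get(trustee, trustee)


def explain(sd: SecurityDescriptor) -> str:
    """Human-readable rendering of owner, group and every DACL entry."""
    lines = [f"Owner: {_name(sd.owner)}", f"Group: {_name(sd.group)}",
             "DACL flags: " + (", ".join(ACL_FLAGS.get(f, f) for f in sd.dacl_flags) or "none")]
    for ace in sd.dacl:
        rights = ", ".join(RIGHTS.get(r, r) for r in ace.rights)
        flags = ", ".join(ACE_FLAGS.get(f, f) for f in ace.flags) or "no flags"
        scope = f" on {ace.object_guid}" if ace.object_guid else ""
        scope += f" for {ace.inherit_guid} children" if ace.inherit_guid else ""
        lines.append(f"  {ACE_TYPES.get(ace.ace_type, ace.ace_type)} {_name(ace.trustee)}: "
                     f"{rights}{scope} [{flags}]")
    return "\n".join(lines)


def takeover_trustees(sd: SecurityDescriptor) -> List[str]:
    """Trustees holding an Allow ACE that can rewrite the DACL or take ownership:
    the entries to review first when auditing an object's protection."""
    return sorted({a.trustee for a in sd.dacl
                   if a.ace_type in ("A", "OA") and TAKEOVER_RIGHTS & set(a.rights)})
```

On the sample, takeover_trustees returns Domain Admins and Local System only; the Pre-Windows 2000 Compatible Access entries carry read property and list children, which is what a reviewer expects to see on a default Users container.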
Related commands
The following commands enable you to work with security descriptor strings:
get_adinfo
Use the get_adinfo command to return information about the current join state for the
ADEdit host computer. The command returns information about the joined domain, the
joined zone, or the name the host computer is joined under.
Zone type
Not applicable
Syntax
get_adinfo domain|zone|host
Abbreviation
adinfo
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument           Type     Description
domain|zone|host   string
Return value
This command returns a domain name, zone name, or computer name depending on the
provided argument.
Examples
get_adinfo domain
This example returns the path to the joined zone. For example:
CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=acme,DC=com
Related commands
None.
get_bind_info
Use the get_bind_info command to return information about one of ADEdit's currently
bound domains. The command can return the name of the domain's forest, the name of the
server bound within the domain, the security identifier (SID) of the domain, and the
functional level of the domain or the domain's forest.
Zone type
Not applicable
Syntax
get_bind_info domain forest|server|sid|domain_level|forest_level
Abbreviation
gbi
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument                                      Type     Description
domain                                        string   Required. Specifies the name of the domain for
                                                       which to get information.
forest|server|sid|domain_level|forest_level   string
Return value
This command returns a forest name, server name, security identifier, or functional level
depending on the provided argument.
Examples
get_bind_info acme.com server
Related commands
The following commands perform actions related to this command:
pop restores the context from the top of ADEdit's context stack to ADEdit.
show returns the current context of ADEdit, including its bound domains and its
currently selected objects.
get_child_zones
Use the get_child_zones command to return a Tcl list of the child zones, computer roles,
and computer zones for the currently selected zone stored in memory. The options to
return child zones and computer roles are only applicable when you are working with
hierarchical zones.
In classic zones, you can use this command to return a Tcl list of classic-computer zones
under the currently selected classic zone. A classic-computer zone is a special zone type that
contains a single computer to enable computer-level role assignments. The classic zone
must have the corresponding computer object and that computer must be identified as a
classic-computer zone to support computer-specific role assignments.
Because classic zones do not have child zones or computer roles, executing
get_child_zones with the -crole or -tree option without the -computer option returns
an empty list.
Zone type
Classic and hierarchical
Syntax
get_child_zones [-tree] [-crole] [-computer]
Abbreviation
gcz
Options
This command takes any of the following options:
Option      Description
-tree       Returns a Tcl list of the current zone's child zones. If the currently selected
            zone is a classic zone, this option is ignored.
-crole      Returns a Tcl list of the current zone's hosted computer roles. If the currently
            selected zone is a classic zone, this option is ignored.
-computer
If you don't specify an option and the currently selected zone is a hierarchical zone,
get_child_zones returns the complete list of child zones, including computer roles and
computer-specific zones that enable computer-specific overrides. If you don't specify an
option and the currently selected zone is a classic zone, get_child_zones returns the list of
classic-computer zones.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of child zones, computer roles, or computer-specific zones
depending on the options used.
Examples
get_child_zones
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the zone to work with:
After you have a zone stored in memory, you can use the following commands to work with
that zone:
delete_zone deletes the selected zone from Active Directory and memory.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone saves the selected zone with its current settings to Active Directory.
get_dz_commands
Use the get_dz_commands command to check Active Directory and return a Tcl list of
UNIX command objects defined within the currently selected zone. If executed in a script,
this command does not output its list to stdout, and no output appears in the shell where
the script is executed. Use the list_dz_commands command to output to stdout.
You can only use the get_dz_commands command if the currently selected zone is a classic4
or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_dz_commands
Abbreviation
gdzc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of UNIX commands defined in the currently selected zone.
Examples
get_dz_commands
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a UNIX command to work with:
After you have a UNIX command stored in memory, you can use the following commands
to work with that command:
delete_dz_command deletes the selected command from Active Directory and from
memory.
get_dzc_field
Use the get_dzc_field command to return the value for a specified field from the
currently selected command object that is stored in memory.
The get_dzc_field command does not query Active Directory for the command. If you
change field values using ADEdit without saving the command to Active Directory, the field
value you retrieve using get_dzc_field won't match the same field value for the command
stored in Active Directory.
You can only use the get_dzc_field command if the currently selected zone is a classic4 or
hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_dzc_field field
Abbreviation
gdzcf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument   Type     Description
field      string   Required. Specifies the case-sensitive name of the field whose value to
                    retrieve. The possible values are:
description: Returns text describing the UNIX command.
cmd: Returns the restricted shell command string or strings.
path: Returns the path to the command's location.
form: Returns an integer that indicates whether the cmd and path strings
use wild cards (0) or a regular expression (1).
dzdo_runas: Returns a list of users and groups that can run this command
under dzdo, the Centrify version of sudo. Users may be listed by user name or user ID
(UID).
dzsh_runas: Returns a list of users and groups that can run this command in a
restricted shell environment (dzsh). Users can be listed by user name or UID.
You cannot get this field value if the selected zone is a classic4 zone.
keep: Returns a comma-separated list of environment variables from the
current user's environment to keep.
del: Returns a comma-separated list of environment variables from the
current user's environment to delete.
add: Returns a comma-separated list of environment variables to add to the
final set of environment variables.
pri: Returns an integer that specifies the command priority for the restricted
shell command object.
umask: Returns an integer that defines who can execute the command.
flags: Returns an integer from 0 to 31 that specifies a combination of different
properties for the command.
createTime: Returns the time and date this command was created, returned
in generalized time format.
modifyTime: Returns the time and date this command was last modified,
returned in generalized time format.
dn: Returns the command's distinguished name.
If you specify the cmd and path fields, the return value can be a string that uses wild cards
(*, ?, and !), or a regular expression. If the cmd and path strings use wild cards, an asterisk
(*) matches zero or more characters, a question mark (?) matches exactly one character,
and the exclamation mark (!) negates matching of the specified string.
For both the cmd and path fields, the form field indicates whether the specified string is
interpreted as a regular expression or as a string that includes wild cards.
If you specify the keep, del, or add field, the return value is a comma-separated list of
environment variables. The keep, del, and add fields control the environment variables
used by the commands specified by the cmd string. The keep and del settings are mutually
exclusive:
The keep field only takes effect if flag 16 is included in the setting for the flags field.
The del field only takes effect if flag 16 is not included in the setting for the flags
field.
Any environment variables kept or deleted are in addition to the default set of the user's
environment variables that are either retained or deleted. The default set of environment
variables to keep is defined in the dzdo.env_keep configuration parameter in the
centrifydc.conf file. The default set of environment variables to delete is defined in the
dzdo.env_delete configuration parameter in the centrifydc.conf file.
The add field returns the environment variables added to the final set of environment
variables resulting from the keep or del fields.
Getting the command priority field value
If you specify the pri field, the return value indicates the command priority when there are
multiple matches for command strings in a command object. If there are multiple
commands specified by this command object, the pri field specifies their relative priority.
The higher the value returned by this field, the higher the command's priority.
Getting the umask field value
If you specify the umask field, the return value is a 3-digit octal value that defines who can
read, write, and execute the selected command object. The three digits of the umask field
specify the read, write, and execute permissions for the file owner, group, and other users,
respectively: the left digit defines the owner's rights, the middle digit defines the group's
rights, and the right digit defines the rights for other users. Each digit is a combination of
binary flags, one flag for each right, as follows:
4 is read
2 is write
1 is execute
These values are added together to define the rights available for each entity. For example, a
umask value of 600 indicates read and write permission (4+2) for the owner, but no
permissions for the group or other users. Similarly, a umask value of 740 indicates read,
write, execute permissions (4+2+1) for the owner, read permissions for the group, but no
permissions for other users.
If you specify the flags field, the return value is an integer from 0 to 31 that defines a
combination of binary flags, with one flag for each of the following properties:
1: Prevents nested command execution. If this flag value is not set, nested command
execution is allowed.
2: Requires authentication with the user's password.
4: Requires authentication with the run-as user's password.
8: Preserves group membership. If this flag value is not set, group membership is not
preserved.
16: Resets environment variables for the command, deleting the variables specified in the
dzdo.env_delete parameter and keeping the variables specified in the keep field. If this flag
is not set, the command removes the unsafe environment variables specified in the
dzdo.env_delete parameter along with any additional environment variables specified by
the del field.
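The umask and flags fields are both packed integers, and reading them by hand is error-prone. The following is an added example in Python, not ADEdit or Centrify code: it decodes a 3-digit umask string into the rights of owner, group and other users, decodes the flags integer into the properties listed above, and applies the rule that flag 16 decides whether the keep list or the del list is in force. The bit meanings are taken from the description above; the function names are the example's own, and the inputs are constructed values of the kind get_dzc_field returns.

```python
"""Decoders for the umask and flags values get_dzc_field returns for a UNIX
command object: an added, stand-alone example. Not ADEdit code; bit meanings
follow the guide's description of the two fields."""
from typing import Dict, List, Tuple

PERM_BITS = [(4, "read"), (2, "write"), (1, "execute")]
FLAG_BITS = [
    (1, "prevent nested command execution"),
    (2, "require authentication with the user's password"),
    (4, "require authentication with the run-as user's password"),
    (8, "preserve group membership"),
    (16, "reset environment variables (keep list applies)"),
]


def decode_umask(umask: str) -> Dict[str, List[str]]:
    """'740' -> {'owner': [read, write, execute], 'group': [read], 'other': []}.
    The guide describes this field as three octal digits for owner, group, other."""
    if len(umask) != 3 or any(c not in "01234567" for c in umask):
        raise ValueError(f"umask must be three octal digits: {umask!r}")
    out: Dict[str, List[str]] = {}
    for who, digit in zip(("owner", "group", "other"), umask):
        bits = int(digit)
        out[who] = [name for bit, name in PERM_BITS if bits & bit]
    return out


def decode_flags(flags: int) -> List[str]:
    """Integer 0..31 -> the properties whose bits are set, lowest bit first."""
    if not 0 <= flags <= 31:
        raise ValueError(f"flags must be in 0..31: {flags}")
    return [name for bit, name in FLAG_BITS if flags & bit]


def env_policy(flags: int, keep: str, delete: str) -> Tuple[str, List[str]]:
    """Which of the keep/del lists is in force for a command object.
    Flag 16 set: the environment is reset and the keep list (on top of the
    dzdo.env_keep defaults) names what survives. Flag 16 clear: the unsafe set
    from dzdo.env_delete plus the del list is removed."""
    def split(csv: str) -> List[str]:
        return [v.strip() for v in csv.split(",") if v.strip()]
    if flags & 16:
        return "keep", split(keep)
    return "delete", split(delete)


if __name__ == "__main__":
    # Constructed sample values of the kind get_dzc_field returns.
    print(decode_umask("740"))
    print(decode_flags(17))
    print(env_policy(17, "HOME, LANG", "LD_PRELOAD,PATH"))
```

A quick check worth building into any audit script: a command object whose flags leave bit 16 clear but whose keep field is populated has a keep list that does nothing, which env_policy makes visible by returning the delete list instead.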
Return value
This command returns a field value, which varies in type depending on the data type stored
by the field.
Examples
get_dzc_field dzdo_runas
returns: root
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a UNIX command to work with:
After you have a UNIX command stored in memory, you can use the following commands
to work with that command:
delete_dz_command deletes the selected command from Active Directory and from
memory.
save_dz_command saves the selected command with its current settings to Active
Directory.
set_dzc_field sets a field value in the currently selected command.
get_group_members
Use the get_group_members command to check the Active Directory group membership
for a specified group. The command recursively expands the specified group by opening
groups that are members of groups, and returns a Tcl list of the users in the specified group.
Zone type
Not applicable
Syntax
get_group_members [-upn] group_UPN
Abbreviation
ggm
Options
This command takes the following option:
Option   Description
-upn     Returns user names in user principal name (UPN) format, not the default
         sAMAccount@domain format.
Arguments
This command takes the following argument:
Argument    Type     Description
group_UPN   string   Required. Specifies the user principal name (UPN) of the group to check
                     for user membership.
Return value
This command returns a Tcl list of group members.
Examples
get_group_members poweradmins@acme.com
This example returns the list of users who are members of the poweradmins@acme.com
group. For example:
martin.moore@acme.com rachel.roberts@acme.com
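The recursive expansion described above is what makes nested group membership tractable in an access review, and it has one classic pitfall: groups that contain each other. The following is an added example in Python, not ADEdit or Centrify code and not a real Active Directory lookup: it expands a group over a constructed in-memory directory, skips any group it has already opened so a membership loop cannot recurse forever, and adds the inverse query (which groups give a given user their membership). The group and user names other than those in the example above are constructed.

```python
"""Recursive group expansion with loop protection: an added, stand-alone example
of what get_group_members does when it opens groups that are members of groups.
Not ADEdit code; the directory below is a constructed in-memory sample."""
from typing import Dict, List, Set

# Constructed sample directory: group -> direct members (users or other groups).
# poweradmins and unixadmins contain each other, a loop a naive walk never leaves.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "poweradmins@acme.com": ["martin.moore@acme.com", "unixadmins@acme.com"],
    "unixadmins@acme.com": ["rachel.roberts@acme.com", "poweradmins@acme.com"],
    "helpdesk@acme.com": ["sam.shah@acme.com", "unixadmins@acme.com"],
}


def expand_group(group: str, groups: Dict[str, List[str]]) -> List[str]:
    """Sorted, de-duplicated list of users reachable through group.
    Members that are themselves groups are opened in turn; a group seen before
    is skipped, which keeps the walk finite even with circular membership."""
    if group not in groups:
        raise KeyError(f"group not found: {group}")
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in groups[current]:
            if member in groups:       # nested group: open it
                stack.append(member)
            else:                      # leaf: a user
                users.add(member)
    return sorted(users)


def groups_granting(user: str, groups: Dict[str, List[str]]) -> List[str]:
    """Every group whose effective membership includes user, direct or nested.
    This is the question an access review asks in reverse: through which
    groups does this account hold a right that a group carries?"""
    return sorted(g for g in groups if user in expand_group(g, groups))


if __name__ == "__main__":
    print(expand_group("poweradmins@acme.com", SAMPLE_GROUPS))
    print(groups_granting("rachel.roberts@acme.com", SAMPLE_GROUPS))
```

When reviewing role assignments made to groups, the second function is the one to run per account: a user who appears under a privileged group only through several levels of nesting is easy to miss when reading direct membership alone.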
Related commands
The following commands perform actions related to this command:
get_nis_map
Use the get_nis_map command to return a Tcl list containing the entries for the currently
selected NIS map stored in memory. This command does not return the contents of the
comment field. If you want to retrieve the comment, use get_nis_map_with_comment
instead.
The get_nis_map command does not query Active Directory for this NIS map. However,
changing map entries with add_map_entry and delete_map_entry changes both the selected
NIS map in memory and the corresponding NIS map in Active Directory, so their contents
should match.
Zone type
Not applicable
Syntax
get_nis_map
Abbreviation
gnm
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of NIS map entries. Each entry contains:
The key
The instance number of the key (there may be multiple entries with the same key)
The value
Examples
get_nis_map
Related commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and manage NIS maps:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout all NIS maps in the currently selected zone.
save_nis_map saves the selected NIS map with its current entries to Active Directory.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map's entries:
get_nis_map_field
Use the get_nis_map_field command to return the value for a specified field from the
currently selected NIS map stored in memory. The get_nis_map_field command does not
query Active Directory for the NIS map. If you've changed field values using ADEdit
without saving the NIS map to Active Directory, the field value you retrieve using
get_nis_map_field won't match the same field value for the NIS map stored in Active
Directory.
Zone type
Not applicable
Syntax
get_nis_map_field field
Abbreviation
gnmf
Options
This command takes no options.
Arguments
This command takes the following argument, which is case-sensitive:
field (string): Required. Specifies the case-sensitive name of the field whose value to
retrieve. The possible values are:
createTime: Specifies the time and date this NIS map was created, returned in
generalized time format
modifyTime: Specifies the time and date this NIS map was last modified,
returned in generalized time format
dn: Specifies the NIS map's distinguished name
Return value
This command returns a field value, which varies in type depending on the data type stored
by the field.
Examples
get_nis_map_field createTime
This example returns the value of the createTime field. For example: 20110525163718.0Z
Related Commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and manage NIS maps:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout all NIS maps in the currently selected zone.
save_nis_map saves the selected NIS map with its current entries to Active Directory.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map's entries:
get_nis_map_with_comment
Use the get_nis_map_with_comment command to return a Tcl list containing the entries
for the currently selected NIS map stored in memory, including the comment field for
each map entry. The get_nis_map_with_comment command does not query Active Directory
for this NIS map. However, changing map entries with add_map_entry and
delete_map_entry changes both the selected NIS map in memory and the corresponding
NIS map in Active Directory, so their contents should match.
Zone type
Not applicable
Syntax
get_nis_map_with_comment
Abbreviation
gnmwc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of NIS map entries. Each entry contains:
The key
The instance number of the key (there may be multiple entries with the same key)
The value
The comment
Examples
get_nis_map_with_comment
Related commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and manage NIS maps:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout all NIS maps in the currently selected zone.
save_nis_map saves the selected NIS map with its current entries to Active Directory.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map's entries:
get_nis_map_field reads a field value from the currently selected NIS map.
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
get_nis_maps
Use the get_nis_maps command to check Active Directory and return a Tcl list of NIS
maps defined within the currently selected zone. If executed in a script, this command does
not output its list to stdout, and no output appears in the shell where the script is
executed. Use list_nis_maps to output the list of NIS maps to stdout.
Zone type
Not applicable
Syntax
get_nis_maps
Abbreviation
gnms
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of NIS maps defined in the currently selected zone.
Examples
get_nis_maps
Printers Services
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and manage NIS maps:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
list_nis_maps lists to stdout all NIS maps in the currently selected zone.
save_nis_map saves the selected NIS map with its current entries to Active Directory.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the other commands to work with
that map's entries.
get_object_field
Use the get_object_field command to return the value of a specified field from the
currently selected Active Directory object stored in memory. The get_object_field
command does not query Active Directory for the object. If you change field values using
ADEdit without saving the object to Active Directory, the field value you retrieve using
get_object_field won't match the same field value for the object stored in Active
Directory.
Zone type
Not applicable
Syntax
get_object_field field
Abbreviation
gof
Options
This command takes no options.
Arguments
This command takes the following argument:
field (string): Required. Specifies the case-sensitive name of the field whose value to
retrieve. The possible values include any attribute that can be defined for the type of
object currently selected. Special values are:
sid: The object's security identifier.
guid: The object's globally unique identifier.
sd: The object's security descriptor.
createTime: The time and date this object was created, returned in
generalized time format.
modifyTime: The time and date this object was last modified, returned in
generalized time format.
dn: The object's distinguished name.
Return value
This command returns a field value, which varies in type depending on the data type stored
by the field.
Examples
get_object_field guid
This example returns the globally unique identifier for an object. For example:
44918ee7-80bc-4741-95d3-dd189e235ab8
Related commands
Before you use this command, you must have a currently selected Active Directory object
stored in memory. The following commands enable you to view and select the object to
work with:
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of matching objects.
After you have an Active Directory object stored in memory, you can use the following
commands to work with that object's attributes, delete the object, or save information for
the object:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
get_object_field_names returns a Tcl list of the field names (attributes) for the
currently selected Active Directory object.
remove_object_value removes a value from a multi-valued field attribute of the
currently selected Active Directory object.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
set_object_field sets a field value in the currently selected Active Directory object.
get_object_field_names
Use the get_object_field_names command to return a Tcl list of the field names for each
of the fields (the object attributes) of the currently selected Active Directory object. The
get_object_field_names command does not query Active Directory for the object's field
names but looks at the selected object as it is stored in ADEdit memory.
Zone type
Not applicable
Syntax
get_object_field_names
Abbreviation
gofn
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of field names.
Examples
select_object cn=amy adams,cn=users,dc=ajax,dc=com
get_object_field_names
This example returns the field names associated with the selected user Amy Adams:
_SID _dn _objectCategory _server accountExpires cn codePage countryCode
distinguishedName gidNumber instanceType lastLogonTimestamp loginShell
msDS-MembersForAzRoleBL msSFU30NisDomain nTSecurityDescriptor name
objectCategory objectClass objectGUID objectSid primaryGroupID pwdLastSet
sAMAccountName sAMAccountType uSNChanged uSNCreated uid uidNumber
unixHomeDirectory userAccountControl userPrincipalName whenChanged
whenCreated
Related commands
Before you use this command, you must have a currently selected Active Directory object
stored in memory. The following commands enable you to view and select the object to
work with:
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of objects that match the search criteria.
After you have an Active Directory object stored in memory, you can use the following
commands to work with that object's attributes, delete the object, or save information for
the object:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
get_object_field reads a field value from the currently selected Active Directory object.
remove_object_value removes a value from a multi-valued field attribute of the
currently selected Active Directory object.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
set_object_field sets a field value in the currently selected Active Directory object.
get_objects
Use the get_objects command to perform an LDAP search of Active Directory and return
a Tcl list of the distinguished names (DNs) of the objects that match the search criteria. You
specify a container in Active Directory where the search begins and a standard LDAP filter
that defines the objects you're searching for.
You can control the nature of the search through options that specify whether to use the
global catalog (GC) for a forest-wide search, the number of levels deep for the search to go
below the beginning container of the search, and the maximum number of objects for the
get_objects command to return.
Zone type
Not applicable
Syntax
get_objects [-gc] [-depth one|sub] [-limit limit] base filter
Abbreviation
go
Options
This command takes the following options:
-gc: Requests a forest-wide search using a global catalog. For this option to work, ADEdit
must be bound to a GC using the bind command with the -gc option. If you don't specify
this option, the search is only within the currently bound domain.
-depth one|sub: Specifies how deep to search. This option must be followed by one of two
values:
one: Specifies that the search will search only through objects immediately below the
container specified by the argument base.
sub: Specifies that the search will be full-depth, starting at the container specified by
base and continuing through all sub-containers below that level.
If you don't specify this option, the search defaults to the value one.
-limit limit: Limits the number of objects returned by the search to the positive integer
specified by limit. If you don't specify this option, the search returns all matching objects
without limit.
Arguments
This command takes the following arguments:
base (DN): Required. Specifies the distinguished name of the container in Active Directory
where the search begins.
filter (LDAP filter): Required. A string that uses standard LDAP filter syntax to specify
criteria for the search.
Return value
This command returns a Tcl list of the distinguished names of the objects matching the
search criteria.
Examples
get_objects dc=acme,dc=com (objectclass=*)
This example returns a list of the distinguished names matching the objectclass filter one
level below the base container (the default depth). Tcl braces enclose any element that
contains a space:
CN=Builtin,DC=acme,DC=com CN=Computers,DC=acme,DC=com
{OU=Domain Controllers,DC=acme,DC=com}
CN=ForeignSecurityPrincipals,DC=acme,DC=com CN=Infrastructure,DC=acme,DC=com
CN=LostAndFound,DC=acme,DC=com {CN=NTDS Quotas,DC=acme,DC=com}
{CN=Program Data,DC=acme,DC=com} CN=System,DC=acme,DC=com
CN=Users,DC=acme,DC=com
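The filter argument is passed to the LDAP search as written, so a value that comes from user input or another data source must be escaped before it is placed in the filter; otherwise characters such as * and ) change the meaning of the query. The following added example (not code from the ADEdit guide) shows a plain-Tcl RFC 4515 escaper and a lookup proc built on get_objects. It assumes an adedit session already bound with bind; the base DN and account names are illustrative.

```tcl
# Added example, not from the ADEdit guide. RFC 4515 requires the characters
# \ * ( ) and NUL inside a filter assertion value to be written as
# \5c \2a \28 \29 \00 so they match literally instead of acting as filter
# syntax. Backslash is mapped first; string map makes a single pass over the
# input, so freshly produced escapes are not escaped again.
proc ldap_filter_escape {value} {
    return [string map [list "\\" "\\5c" "*" "\\2a" "(" "\\28" ")" "\\29" "\u0000" "\\00"] $value]
}

# Find user objects by sAMAccountName below the given base (assumed DN).
# -depth sub walks the whole subtree; without it get_objects looks only one
# level below base.
proc find_user_dns {base sam} {
    set filter "(&(objectClass=user)(sAMAccountName=[ldap_filter_escape $sam]))"
    return [get_objects -depth sub $base $filter]
}

# In adedit, after `bind acme.com` (constructed domain):
#   find_user_dns dc=acme,dc=com amy.adams
# Hostile input that would otherwise widen the search to every user is
# neutralised:
#   ldap_filter_escape {*)(objectClass=*}   -> \2a\29\28objectClass=\2a
#   giving the filter (&(objectClass=user)(sAMAccountName=\2a\29\28objectClass=\2a))
```

The same escaping applies to any attribute value you interpolate, not only sAMAccountName; DN-valued attributes such as memberOf additionally need RFC 4514 DN escaping before they are placed in a filter.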
Related commands
The following commands enable you to view and select the object to work with:
select_object retrieves an object and its attributes from Active Directory and stores it in
memory.
After you have an Active Directory object stored in memory, you can use the following
commands to work with that object's attributes, delete the object, or save information for
the object:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
get_object_field reads a field value from the currently selected Active Directory object.
remove_object_value removes a value from a multi-valued field attribute of the
currently selected Active Directory object.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
set_object_field sets a field value in the currently selected Active Directory object.
get_pam_apps
Use the get_pam_apps command to check Active Directory and return a Tcl list of
pluggable authentication module (PAM) applications defined within the currently selected
zone. If executed in a script, this command does not output its list to stdout, and no output
appears in the shell where the script is executed. Use list_pam_apps to output the list of
PAM applications to stdout.
You can only use the get_pam_apps command to return information about PAM
applications if the currently selected zone is a classic4 or hierarchical zone. The command
does not work for other types of zones.
Zone type
Classic and hierarchical
Syntax
get_pam_apps
Abbreviation
gpam
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of PAM applications defined in the currently selected zone.
Each element in the list is the name of a PAM application.
Examples
get_pam_apps
This example returns all of the PAM application rights for the selected zone:
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
After you have a zone stored in memory, you can use the following commands to view and
select the PAM application to work with:
list_pam_apps lists to stdout the PAM application rights in the current zone.
After you have a PAM application stored in memory, you can use the following commands
to work with that PAM application's attributes, delete the PAM application, or save
information for the PAM application:
delete_pam_app deletes the selected PAM application from Active Directory and from
memory.
get_pam_field reads a field value from the currently selected PAM application.
save_pam_app saves the selected PAM application with its current settings to Active
Directory.
set_pam_field sets a field value in the currently selected PAM application.
get_pam_field
Use the get_pam_field command to return the value of a specified field for the currently
selected pluggable authentication module (PAM) application object stored in memory. The
get_pam_field command does not query Active Directory for the PAM application. If you
change field values using ADEdit without saving the PAM application to Active Directory,
the field value you retrieve using get_pam_field won't match the same field value for the
PAM application stored in Active Directory.
You can only use the get_pam_field command if the currently selected zone is a classic4 or
hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_pam_field field
Abbreviation
gpf
Options
This command takes no options.
Arguments
This command takes the following argument:
field (string): Required. Specifies the case-sensitive name of the field whose value to
retrieve. The possible values are:
application: The name of the application allowed to use adclient's PAM
authentication service. The name can be literal, or it can contain ? or *
wildcard characters to specify multiple applications.
description: Text describing the PAM application.
createTime: The time and date this PAM application was created, returned in
generalized time format.
modifyTime: The time and date this PAM application was last modified,
returned in generalized time format.
dn: The PAM application's distinguished name.
Return value
This command returns a field value. The data type for this value depends on the field
specified.
Examples
get_pam_field application
This example returns the application name stored in the selected PAM application right, for
example ftp, meaning the ftp application is allowed to authenticate through adclient.
Related commands
Before you use this command, you must have a currently selected PAM application object
stored in memory. The following commands enable you to view and select the PAM
application to work with:
get_pam_apps returns a Tcl list of PAM application rights in the current zone.
list_pam_apps lists to stdout the PAM application rights in the current zone.
select_pam_app retrieves a PAM application right from Active Directory and stores it in
memory.
After you have a PAM application stored in memory, you can use the following commands
to work with that PAM application's attributes, delete the PAM application, or save
information for the PAM application:
delete_pam_app deletes the selected PAM application right from Active Directory and
from memory.
get_pam_field reads a field value from the currently selected PAM application right.
save_pam_app saves the selected PAM application right with its current settings to
Active Directory.
set_pam_field sets a field value in the currently selected PAM application right.
get_parent_dn
Use the get_parent_dn command to specify an LDAP path using a distinguished name
(DN) and return the parent of the path. This command removes the first element from the
distinguished name and returns the rest of the DN.
Zone type
Not applicable
Syntax
get_parent_dn DN
Abbreviation
gpd
Options
This command takes no options.
Arguments
This command takes the following argument:
DN (string): Required. Specifies the distinguished name whose parent to return.
Return value
This command returns a distinguished name that is the parent of the supplied distinguished
name.
Examples
get_parent_dn CN=global,CN=Zones,CN=Centrify,DC=acme,DC=com
returns: CN=Zones,CN=Centrify,DC=acme,DC=com
Related commands
The following command performs actions related to this command:
get_pwnam
Use the get_pwnam command to look up a UNIX user name on the ADEdit host computer.
If there's an entry for the specified user name, the command returns the profile values of
that entry as a Tcl list. The get_pwnam command performs the lookup through the NSS
layer (the same path as the getpwnam library call), so the answer comes from whatever
passwd sources are configured on the host: the local /etc/passwd file and, where adclient is
configured as an NSS source, Active Directory users. It is not a direct read of /etc/passwd.
You can use the command to look up information for any user the host can resolve,
including root.
Zone type
Not applicable
Syntax
get_pwnam unix_name
Abbreviation
gpn
Options
This command takes no options.
Arguments
This command takes the following argument:
unix_name (string): Required. Specifies the UNIX user name to look up.
Return value
This command returns a Tcl list of user profile attributes for the specified user if the
user name is found. If the command doesn't find the specified user, it returns a User not
found message.
Examples
get_pwnam adam
This example returns the profile for the UNIX user adam:
adam x 500 500 {Adam Andrews} /home/adam /bin/bash
Related commands
The following command performs actions related to this command:
getent_passwd returns a Tcl list of all entries in the local /etc/passwd file.
get_rdn
Use the get_rdn command to specify an LDAP path using a distinguished name (DN) and
return the relative distinguished name. This command returns only the first element of the
supplied distinguished name.
Zone type
Not applicable
Syntax
get_rdn DN
Abbreviation
grdn
Options
This command takes no options.
Arguments
This command takes the following argument:
DN (string): Required. Specifies the distinguished name whose first element (the relative
distinguished name) to return.
Return value
This command returns the first element of the supplied distinguished name.
Examples
get_rdn CN=global,CN=Zones,CN=Centrify,DC=acme,DC=com
returns: CN=global
Related commands
The following command performs actions related to this command:
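get_parent_dn and get_rdn both split a DN at its first element. Written out in plain Tcl, as in the following added example (not ADEdit's own implementation), the same split makes two edge cases visible: a comma escaped with a backslash inside an RDN value (CN=Smith\, John) is part of the value, not a separator, and Active Directory compares DNs without regard to case. The dn_is_under proc uses that split to confirm that a DN returned by a search really lies under the container you intend to act on, which is a useful guard before delete_object or delete_sub_tree. The sample DNs are constructed.

```tcl
# Added example, not from the ADEdit guide. Splits a DN into its RDNs,
# honouring backslash escapes (RFC 4514) so "CN=Smith\, John" stays one RDN.
proc dn_split {dn} {
    set parts {}
    set cur ""
    set n [string length $dn]
    for {set i 0} {$i < $n} {incr i} {
        set c [string index $dn $i]
        if {$c eq "\\" && $i + 1 < $n} {
            # keep the escape and the escaped character together
            append cur $c [string index $dn [incr i]]
        } elseif {$c eq ","} {
            lappend parts [string trim $cur]
            set cur ""
        } else {
            append cur $c
        }
    }
    lappend parts [string trim $cur]
    return $parts
}

# Same results as get_rdn and get_parent_dn for the guide's example DN.
proc dn_rdn {dn}    { return [lindex [dn_split $dn] 0] }
proc dn_parent {dn} { return [join [lrange [dn_split $dn] 1 end] ","] }

# True when dn is base itself or lies somewhere beneath it (case-insensitive).
proc dn_is_under {dn base} {
    set d [dn_split $dn]
    set b [dn_split $base]
    set nb [llength $b]
    if {[llength $d] < $nb} { return 0 }
    set tail [lrange $d end-[expr {$nb - 1}] end]
    return [string equal -nocase [join $tail ","] [join $b ","]]
}

# Constructed checks:
#   dn_rdn    CN=global,CN=Zones,CN=Centrify,DC=acme,DC=com -> CN=global
#   dn_parent CN=global,CN=Zones,CN=Centrify,DC=acme,DC=com -> CN=Zones,CN=Centrify,DC=acme,DC=com
#   dn_split  {CN=Smith\, John,OU=Staff,DC=acme,DC=com}      -> {CN=Smith\, John} OU=Staff DC=acme DC=com
#   dn_is_under cn=amy,cn=users,dc=acme,dc=com {OU=Servers,DC=acme,DC=com} -> 0
#   dn_is_under cn=amy,cn=users,dc=acme,dc=com {CN=Users,DC=acme,DC=com}   -> 1
```

A typical use is to run get_objects with a broad filter, then pass each returned DN through dn_is_under against the OU your script is allowed to change, and skip anything outside it rather than trusting the search base alone.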
get_role_apps
Use the get_role_apps command to return a Tcl list of PAM application rights associated
with the currently selected role.
The get_role_apps command does not query Active Directory for the role. If you change
the PAM applications associated with the current role using ADEdit without saving the role
to Active Directory, the PAM applications you retrieve using get_role_apps wont match
the same PAM applications for the role as stored in Active Directory.
You can only use the get_role_apps command if the currently selected zone is a classic4 or
hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_role_apps
Abbreviation
grap
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of PAM applications associated with the currently selected
role. Each PAM application in the list shows the application name followed by a slash (/) and
the zone in which the PAM application is defined.
Examples
get_role_apps
This example returns the list of PAM applications for the currently selected role: ftp/cz1
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with:
After you have a role stored in memory, you can use the following commands to work with
that role's attributes, delete the role, or save information for the role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_commands returns a Tcl list of the UNIX commands associated with the
currently selected role.
get_role_field reads a field value from the currently selected role.
list_role_rights returns a list of all UNIX commands and PAM applications associated
with the currently selected role.
remove_command_from_role removes a UNIX command from the currently selected
role.
remove_pamapp_from_role removes a PAM application from the currently selected
role.
save_role saves the selected role with its current settings to Active Directory.
get_role_assignment_field
Use the get_role_assignment_field command to return the value for a specified field
from the currently selected role assignment stored in memory. The
get_role_assignment_field command does not query Active Directory for the role
assignment. If you change field values using ADEdit without saving the role assignment to
Active Directory, the field value you retrieve using get_role_assignment_field wont
match the same field value for the role assignment stored in Active Directory.
You can only use the get_role_assignment_field command if the currently selected zone
is a classic4 or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_role_assignment_field field
Abbreviation
graf
Options
This command takes no options.
Arguments
This command takes the following argument:
field (string): Required. Specifies the case-sensitive name of the field whose value to
retrieve. The possible values are:
role: Returns the name of the role and the zone in which the role is defined.
from: Returns the starting date and time for the role assignment.
to: Returns the ending date and time for the role assignment.
The start and end dates and times are expressed in standard UNIX time (seconds since
the epoch). You can use the Tcl clock command to manipulate these values. A value of 0
indicates no date or time is set for the role assignment.
dn: Returns the role assignment's distinguished name.
createTime: Returns the time and date this role assignment was created,
returned in generalized time format.
modifyTime: Returns the time and date this role assignment was last
modified, returned in generalized time format.
ptype: Returns a letter or symbol that indicates the account type associated
with a role assignment. You can use the explain_ptype command to translate
the returned value into a text string that describes the account type.
Return value
This command returns a field value. The data type depends on the field specified.
Examples
get_role_assignment_field role
This example returns the role name (root) and the zone where the role is defined (global):
root/global
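The from and to values are UNIX epoch seconds with 0 meaning "not set", so deciding whether an assignment is currently in force is a small piece of arithmetic once those two special cases are handled. The following added example (not code from the ADEdit guide) classifies the selected role assignment as permanent, pending, active or expired. The pure-Tcl classifier is kept apart from the ADEdit call so it can be checked with constructed timestamps. It assumes a role assignment has already been selected into memory (for instance with select_role_assignment, whose syntax is not shown on this page).

```tcl
# Added example, not from the ADEdit guide. from/to are UNIX epoch seconds;
# 0 means the bound is not set. The end time is treated as exclusive.
proc assignment_status {from to {now ""}} {
    if {$now eq ""} { set now [clock seconds] }
    if {$to != 0 && $now >= $to}    { return expired }
    if {$from != 0 && $now < $from} { return pending }
    if {$from == 0 && $to == 0}     { return permanent }
    return active
}

proc fmt_epoch {t} {
    if {$t == 0} { return "(not set)" }
    return [clock format $t -format "%Y-%m-%d %H:%M:%S UTC" -gmt 1]
}

# Requires a role assignment selected in memory.
proc report_selected_assignment {} {
    set role [get_role_assignment_field role]
    set from [get_role_assignment_field from]
    set to   [get_role_assignment_field to]
    set status [assignment_status $from $to]
    puts "$role: $status (from [fmt_epoch $from] to [fmt_epoch $to])"
    return $status
}

# Constructed checks: window 2014-01-01 .. 2014-02-01 UTC evaluated on
# 2014-03-01, and an assignment with neither bound set.
#   assignment_status 1388534400 1391212800 1393632000 -> expired
#   assignment_status 1388534400 1391212800 1388620800 -> active
#   assignment_status 0 0                               -> permanent
```

Expired assignments are worth reporting rather than silently skipping: the object still exists in Active Directory and still grants the role if its to value is later edited back to 0.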
Related commands
Before you use this command, you must have a currently selected role assignment stored in
memory. The following commands enable you to view and select the role assignment to work
with:
After you have a role assignment stored in memory, you can use the following commands to
work with that role assignment's attributes, delete the role assignment, or save information
for the role assignment:
delete_role_assignment deletes the selected role assignment from Active Directory and
from memory.
save_role_assignment saves the selected role assignment with its current settings to
Active Directory.
set_role_assignment_field sets a field value in the currently selected role assignment.
get_role_assignments
Use the get_role_assignments command to check Active Directory and return a Tcl list
of role assignments defined within the currently selected zone. If executed in a script, this
command does not output its list to stdout, and no output appears in the shell where the
script is executed. Use list_role_assignments to output the list to stdout.
If you do not specify an option, the command returns the current users and groups in the
zone with a role assignment.
You can only use the get_role_assignments command if the currently selected zone is a
classic4 or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_role_assignments [-upn] [-user] [-group] [-invalid]
Abbreviation
gra
Options
This command takes any one of the following options:
-upn: Returns user names in user principal name (UPN) format rather than the default
sAMAccount@domain format.
-user: Returns a Tcl list of the current users in the zone with a role assignment.
-group: Returns a Tcl list of the current groups in the zone with a role assignment.
-invalid
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of role assignments defined in the currently selected zone.
Each role assignment includes the sAMAccount@domain name or the user principal name of
the user or group to whom the role is assigned, the name of the role assigned, and the zone
in which the role is defined. These three pieces of data are separated from each other by a
slash (/).
Examples
get_role_assignments
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
After you have a zone stored in memory, you can use the following commands to view and
select the role assignment to work with:
After you have a role assignment stored in memory, you can use the following commands to
work with that role assignment's attributes, delete the role assignment, or save information
for the role assignment:
delete_role_assignment deletes the selected role assignment from Active Directory and
from memory.
get_role_commands
Use the get_role_commands command to return a Tcl list of UNIX commands associated
with the currently selected role. The get_role_commands command does not query Active
Directory for the role. If you change commands associated with the current role using
ADEdit without saving the role to Active Directory, the commands you retrieve using
get_role_commands wont match the same commands for the role stored in Active
Directory.
You can only use the get_role_commands command if the currently selected zone is a
classic4 or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_role_commands
Abbreviation
grc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of commands associated with the currently selected role.
Each command in the list shows the command name followed by a slash (/) and the zone in
which the command is defined.
Examples
get_role_commands
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with:
After you have a role stored in memory, you can use the following commands to work with
that role's attributes, delete the role, or save information for the role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM applications associated with the currently
selected role.
get_role_field reads a field value from the currently selected role.
list_role_rights returns a list of all UNIX commands and PAM applications associated
with the currently selected role.
remove_command_from_role removes a UNIX command from the currently selected
role.
remove_pamapp_from_role removes a PAM application from the currently selected
role.
save_role saves the selected role with its current settings to Active Directory.
get_role_field
Use the get_role_field command to return the value for a specified field from the
currently selected role stored in memory. The get_role_field command does not query
Active Directory for the role. If you change field values using ADEdit without saving the
role to Active Directory, the field value you retrieve using get_role_field wont match
the same field value for the role stored in Active Directory.
You can only use the get_role_field command if the currently selected zone is a classic4
or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_role_field field
Abbreviation
grf
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
field
string
Required. Specifies the case-sensitive name of the field whose value to retrieve.
The possible values are:
auditLevel: Returns the auditing level configured for the role. Roles can be
configured without auditing (not requested), to audit if possible, or to have
auditing required. You cannot get this field value if the selected zone is a
classic4 zone.
allowLocalUser: Returns true or false depending on whether local users can
be assigned to the role. You cannot get this field value if the selected zone is a
classic4 zone.
AlwaysPermitLogin: Returns true or false depending on whether rescue
rights are configured for the role. You cannot get this field value if the
selected zone is a classic4 zone.
createTime: Returns the time and date this role was created in generalized
time format.
description: Returns the text string that describes the role.
dn: Returns the role's distinguished name.
modifyTime: Returns the time and date this role was last modified in
generalized time format.
sysrights: Returns the system rights granted to the role. This value is an
integer from 0 to 15 that represents a combination of binary flags, one for
each system right. You cannot get this field value if the selected zone is a
classic4 zone.
For more information about the value returned for system rights, see
Getting the system rights field for a role on page 151.
timebox: Returns the hours and days in the week when the role is enabled.
This value is a 42-digit hexadecimal number.
When represented in binary, each bit represents an hour of the week as
described in the Appendix A, Timebox value format..
Getting the system rights field for a role
You can specify the sysrights field to return information about the UNIX system rights that
have been granted to the currently selected role. This field value is an integer from 0 to 15
that represents a combination of binary flags, with one flag for each of the following UNIX
system rights:
1: Password login and non-password (SSO) login are allowed.
2: Non-password (SSO) login is allowed.
4: An account that is disabled in Active Directory can still be used by sudo, cron, etc.
Return value
This command returns a field value, which varies in type depending on the data type stored
by the field.
Examples
get_role_field timebox
This return value indicates that the role is enabled during all hours of the weekdays, but
none of the weekends.
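The following ADEdit script is an added example, not code from the Centrify guide. It shows how get_role_field is used in practice: it walks every role in a hierarchical zone (get_roles is documented later on this page), reads the sysrights bitmask described above together with the AlwaysPermitLogin and allowLocalUser fields, and prints the roles whose settings weaken normal login controls, which is the first thing a reviewer of a zone's role model wants to see. The domain and zone DN are placeholders. bind, select_zone and select_role are ADEdit commands documented elsewhere in this guide; it is assumed here that bind without a user argument uses the caller's existing Kerberos credentials and that the zone is hierarchical, since sysrights, AlwaysPermitLogin and allowLocalUser cannot be read in a classic4 zone.

```tcl
#!/usr/bin/env adedit
# Added example, not taken from the Centrify guide. Reports the roles in a
# hierarchical zone whose settings weaken login controls. Placeholders: the
# domain and zone DN. bind, select_zone and select_role are ADEdit commands
# documented elsewhere in the guide; bind without a user argument is assumed
# to use the caller's existing Kerberos credentials.

set domain  acme.com
set zone_dn "CN=corp,CN=Zones,OU=Centrify,DC=acme,DC=com"

bind $domain
select_zone $zone_dn

# sysrights is a bitmask. The guide documents these three bits; because the
# value ranges from 0 to 15 a fourth bit exists, but it is not described here.
set RIGHT_PW_LOGIN  1   ;# password login and SSO login allowed
set RIGHT_SSO_LOGIN 2   ;# SSO (non-password) login allowed
set RIGHT_DISABLED  4   ;# AD-disabled account still usable by sudo, cron, etc.

set roles   [get_roles]
set flagged 0
foreach role $roles {
    select_role $role
    set rights [get_role_field sysrights]
    set rescue [get_role_field AlwaysPermitLogin]
    set local  [get_role_field allowLocalUser]
    set audit  [get_role_field auditLevel]

    set why {}
    if {$rights & $RIGHT_DISABLED} {
        lappend why "disabled-AD-account-usable"
    }
    if {[string equal -nocase $rescue true]} {
        lappend why "rescue-rights"
    }
    if {[string equal -nocase $local true]} {
        lappend why "local-users-assignable"
    }
    if {[llength $why]} {
        incr flagged
        # rights and audit level are printed for context on every finding
        puts [format "%-28s sysrights=%-2d audit=%-12s %s" \
              $role $rights $audit [join $why ", "]]
    }
}
puts "$flagged of [llength $roles] roles flagged"
```

Because get_role_field reads the copy of the role held in memory, the script reads each role straight after select_role and never calls a set command, so the values it reports are exactly what is stored in Active Directory at the time of the run.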
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with:
After you have a role stored in memory, you can use the following commands to work with
that role's attributes, delete the role, or save information for the role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM applications associated with the currently
selected role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
currently selected role.
list_role_rights returns a list of all UNIX commands and PAM applications associated
with the currently selected role.
save_role saves the selected role with its current settings to Active Directory.
get_role_rs_commands
Use the get_role_rs_commands command to return a Tcl list of the restricted shell
commands associated with the currently selected role.
The get_role_rs_commands command does not query Active Directory for the restricted
shell commands. If you change the restricted shell commands associated with the current
role using ADEdit without saving the role to Active Directory, the commands you retrieve
using get_role_rs_commands won't match the restricted shell commands that are stored in
Active Directory.
You can only use get_role_rs_commands if the currently selected zone is a classic4 zone.
This command does not work in other types of zones.
Zone type
Classic only
Syntax
get_role_rs_commands
Abbreviation
grrsc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of restricted shell commands associated with the currently
selected role. Each restricted shell command in the list shows the restricted shell command
name followed by a slash (/) and the zone in which the restricted shell command is defined.
Examples
get_role_rs_commands
rse1-id2/c123 rse1-id1/c123
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with:
After you have a role stored in memory, you can use the following commands to work with
restricted shells:
get_role_rs_env returns the restricted shell environment from the currently selected
role.
get_role_rs_env
Use the get_role_rs_env command to return the restricted shell environment from the
currently selected role that is stored in memory.
The get_role_rs_env command does not query the data stored in Active Directory for the
role. If you change the restricted shell environment in ADEdit without saving the role to
Active Directory, the value you retrieve using get_role_rs_env won't match the same
value for the role that is stored in Active Directory.
You can only use the get_role_rs_env command if the currently selected zone is a classic4
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
get_role_rs_env
Abbreviation
grrse
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns the restricted shell environment of the currently selected role if it
runs successfully. If the currently selected role does not require a restricted shell
environment, the command returns nothing.
Examples
get_role_rs_env
This example returns the restricted shell environment if it exists for the selected role:
rse1
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with:
After you have a role stored in memory, you can use the following commands to work with
restricted shells:
select_rs_env retrieves a restricted shell environment from Active Directory and stores
it in memory.
get_roles
Use the get_roles command to check Active Directory and return a Tcl list of roles
defined within the currently selected zone. If executed in a script, this command does not
output its list to stdout, and no output appears in the shell where the script is executed.
Use list_roles to output the list to stdout.
You can only use the get_roles command if the currently selected zone is a classic4 or
hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
get_roles
Abbreviation
getr
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of roles defined in the currently selected zone.
Examples
get_roles
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the zone to work with:
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM applications associated with the currently
selected role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
currently selected role.
list_role_rights returns a list of all UNIX commands and PAM applications associated
with the currently selected role.
remove_command_from_role removes a UNIX command from the currently selected
role.
remove_pamapp_from_role removes a PAM application from the currently selected
role.
save_role saves the selected role with its current settings to Active Directory.
get_rs_commands
Use the get_rs_commands command to return a Tcl list of restricted shell commands that
are defined for the currently selected zone. If you want to return a list of restricted shell
commands to stdout, use the list_rs_commands command.
Zone type
Classic only
Syntax
get_rs_commands
Abbreviation
grsc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of restricted shell commands for the currently selected
zone.
Examples
get_rs_commands
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the restricted shell command to
work with:
list_rs_commands lists to stdout the restricted shell commands in the current zone.
After you have a restricted shell command stored in memory, you can use the following
commands to work with that restricted shell:
delete_rs_command deletes the selected command from Active Directory and from
memory.
get_rs_envs
Use the get_rs_envs command to check Active Directory and return a list of restricted
environments that are defined within the currently selected zone. If you want to return a
list of restricted shell environment to stdout, use the list_rs_envs command.
Zone type
Classic only
Syntax
get_rs_envs
Abbreviation
grse
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of restricted environments in the currently selected zone.
Examples
get_rs_envs
rse1 rse2
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select restricted shell environments:
After you have a restricted shell environment stored in memory, you can use the following
commands to work with its fields:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_rse_field reads a field value from the current restricted shell environment.
get_rsc_field
Use the get_rsc_field command to return the value of a specified field from the
currently selected restricted shell command that is stored in memory. Centrify-specific
fields are similar to Active Directory attributes but are stored within the Active Directory
schema.
The get_rsc_field command does not query Active Directory for the restricted shell
command. If you change field values using ADEdit without saving the restricted shell
command to Active Directory, the field value you retrieve using get_rsc_field won't
match the value stored in Active Directory.
You can only use the get_rsc_field command if the currently selected zone is a classic4
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
get_rsc_field field
Abbreviation
grscf
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
field
string
Required. Specifies the name of the field whose value you want to
retrieve. The possible values are:
description: Returns text describing the restricted shell command.
cmd: Returns the restricted shell command string or strings.
path: Returns the path to the command's location.
form: Returns an integer that indicates whether the cmd and path
strings use wild cards (0) or a regular expression (1).
dzsh_runas: Returns a list of users and groups that can run this
command in a restricted shell environment (dzsh). Users can be
listed by user name or UID.
keep: Returns a comma-separated list of environment variables from
the current user's environment to keep.
del: Returns a comma-separated list of environment variables from
the current user's environment to delete.
add: Returns a comma-separated list of environment variables to add
to the final set of environment variables.
pri: Returns an integer that specifies the command priority for the
restricted shell command object.
umask: Returns the integer file-creation mask (umask) that is applied to the
command when it runs.
flags: Returns an integer from 0 to 31 that specifies a combination of
different properties for the command.
createTime: The time and date this command was created, returned in
generalized time format.
modifyTime: The time and date this command was last modified,
returned in generalized time format.
dn: The command's distinguished name.
Return value
This command returns a field value. The data type depends on the field specified. For more
information about the field values returned by different fields, see get_dzc_field on
page 120.
Examples
get_rsc_field description
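The following ADEdit script is an added example, not code from the Centrify guide. It uses get_rs_commands (documented above) together with get_rsc_field to review the restricted shell commands of a classic4 zone and print the ones a security reviewer should look at first: commands that can be run as root through dzsh_runas, commands matched by regular expression (form 1), and patterns broad enough to match any command line. The domain and zone DN are placeholders. select_rs_command is assumed to exist alongside the save_rs_command and delete_rs_command commands the guide refers to, and dzsh_runas is accepted either as a Tcl list or as a comma-separated string, since the guide only says it is a list of users and groups by name or UID.

```tcl
#!/usr/bin/env adedit
# Added example, not taken from the Centrify guide. Prints the restricted
# shell commands of a classic4 zone that run as root, match by regular
# expression, or use a pattern that matches any command. Placeholders: the
# domain and zone DN. select_rs_command is assumed to exist beside the
# save_rs_command and delete_rs_command commands mentioned in the guide.

set domain  acme.com
set zone_dn "CN=legacy,CN=Zones,OU=Centrify,DC=acme,DC=com"

bind $domain
select_zone $zone_dn

foreach name [get_rs_commands] {
    select_rs_command $name
    set cmd  [get_rsc_field cmd]
    set path [get_rsc_field path]
    set form [get_rsc_field form]     ;# 0 = wildcards, 1 = regular expression
    # dzsh_runas names users and groups by name or by UID; split on commas or
    # spaces so either a Tcl list or a comma-separated string is handled
    set runas {}
    foreach item [split [get_rsc_field dzsh_runas] ", "] {
        if {$item ne ""} { lappend runas $item }
    }

    set notes {}
    if {$form == 1} {
        lappend notes "regex-match"
    }
    # root may appear by name or as UID 0
    if {[lsearch -exact $runas root] >= 0 || [lsearch -exact $runas 0] >= 0} {
        lappend notes "runs-as-root"
    }
    # "*" as a wildcard matches everything; a regex that is not anchored at the
    # start matches anywhere inside the command line
    if {($form == 0 && $cmd eq "*") || ($form == 1 && ![string match {^*} $cmd])} {
        lappend notes "broad-pattern"
    }
    if {[llength $notes]} {
        puts [format "%-20s cmd=%-20s path=%-20s (%s)" \
              $name $cmd $path [join $notes ", "]]
    }
}
```

A command that carries both runs-as-root and broad-pattern is effectively an unrestricted root shell for whoever holds the role, so those lines deserve review before any of the others.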
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the restricted shell command to
work with:
get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
list_rs_commands lists to stdout the restricted shell commands in the current zone.
After you have a restricted shell command stored in memory, you can use the following
commands to work with that restricted shell:
delete_rs_command deletes the selected command from Active Directory and from
memory.
save_rs_command saves the selected command with its current settings to Active
Directory.
set_rsc_field sets a field value in the currently selected command.
get_rse_cmds
Use the get_rse_cmds command to return a Tcl list of restricted shell commands associated
with the currently selected restricted shell environment.
The get_rse_cmds command does not query Active Directory for the restricted shell
environment. If you change the restricted shell commands associated with the current
restricted shell environment using ADEdit without saving the restricted shell environment
to Active Directory, the commands you retrieve using get_rse_cmds won't match those
stored in Active Directory.
You can only use the get_rse_cmds command if the currently selected zone is a classic4
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
get_rse_cmds
Abbreviation
grsec
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of restricted shell commands associated with the currently
selected restricted shell environment. Each restricted shell command in the list shows the
command name followed by a slash (/) and the zone in which the command is defined.
Examples
get_rse_cmds
Related commands
Before you use this command, you must have a currently selected restricted shell
environment stored in memory. The following commands enable you to view and select the
restricted shell environments:
select_rs_env retrieves a restricted shell environment from Active Directory and stores
it in memory.
After you have a restricted shell environment stored in memory, you can use the following
command to work with its fields:
get_rse_field
Use the get_rse_field command to return a field value from the currently selected
restricted shell environment stored in memory.
The get_rse_field command does not query Active Directory for the restricted shell
environment. If you have changed field values using ADEdit without saving the restricted
shell environment to Active Directory, the field value you retrieve using get_rse_field
won't match the field value for the restricted shell environment that is stored in Active
Directory.
You can only use the get_rse_field command if the currently selected zone is a classic4
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
get_rse_field field
Abbreviation
grsef
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
field
string
Required. Specifies the name of the field whose value to get. The only
possible value is:
description: Returns a text string describing the restricted shell
environment.
Return value
This command returns a field value, which varies in type depending on the data type stored
by the field.
Examples
get_rse_field description
This command returns the content of the description field. For example:
This is the restricted shell environment description
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select restricted shell environments:
After you have a restricted shell environment stored in memory, you can use the following
commands to work with its fields:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_schema_guid
Use the get_schema_guid command to look up a specified class or attribute in Active
Directory. If the specified object is found, the command returns the globally unique
identifier (GUID) of the class or attribute.
This command is useful for setting a security descriptor (SD) at a class or attribute level.
Zone type
Not applicable
Syntax
get_schema_guid schema_name
Abbreviation
gsg
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
schema_name
string
Required. Specifies the name of the schema class or attribute to look up.
Return value
This command returns the globally unique identifier (GUID) of the provided schema object
(class or attribute).
Examples
get_schema_guid MS-DS-Az-Role
Related commands
None.
get_zone_computer_field
Use the get_zone_computer_field command to return the value of a specified field from
the currently selected zone computer stored in memory. The get_zone_computer_field
command does not query Active Directory for the zone computer. If you change field values
using ADEdit without saving the zone computer to Active Directory, the field value you
retrieve using get_zone_computer_field won't match the same field value for the zone
computer stored in Active Directory.
Zone type
Classic and hierarchical
Syntax
get_zone_computer_field field
Abbreviation
gzcf
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
field
string
Required. Specifies the case-sensitive name of the field whose value to retrieve.
The possible values are:
cpus: Returns the number of CPUs in the computer.
enabled: Returns 1 if the zone computer is enabled in its zone or 0 if it is not.
agentversion: Returns the version of agent currently installed on the zone
computer.
dnsname: Returns the domain name service (DNS) name of the zone
computer.
createTime: Returns the time and date this zone computer was created (in
generalized time format).
modifyTime: Returns the time and date this zone computer was last modified
(in generalized time format).
dn: Returns the zone computer's distinguished name. If the computer is in a
Services for UNIX (SFU) zone, no value is returned for this field.
Return value
This command returns a field value. The data type depends on the field specified.
Examples
get_zone_computer_field dnsname
This example returns the name of the zone computer as listed in DNS:
printserver.acme.com
Related commands
Before you use this command, you must have a currently selected zone computer stored in
memory. The following commands enable you to view and manage the zone computers:
get_zone_computers returns a Tcl list of the Active Directory names of all zone
computers in the current zone.
After you have a zone computer stored in memory, you can use the following commands to
work with that zone computer:
delete_zone_computer deletes the zone computer from Active Directory and from
memory.
save_zone_computer saves the zone computer with its current settings to Active
Directory.
set_zone_computer_field sets a field value in the currently selected zone computer.
get_zone_computers
Use the get_zone_computers command to check Active Directory and return a Tcl list of
zone computers defined within the currently selected zone. If executed in a script, this
command does not output its list to stdout, and no output appears in the shell where the
script is executed. Use list_zone_computers to output the list to stdout.
Zone type
Classic and hierarchical
Syntax
get_zone_computers
Abbreviation
gzc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of zone computers defined in the currently selected zone.
Each entry in the list is the security identifier (SID) of a computer that you can use to look
up that computer.
Examples
get_zone_computers
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and manage the zone computers:
After you have a zone computer stored in memory, you can use the following commands to
work with that zone computer:
delete_zone_computer deletes the zone computer from Active Directory and from
memory.
get_zone_field
Use the get_zone_field command to return the value for a specified field from the
currently selected zone stored in memory. The get_zone_field command does not query
Active Directory for this zone. If you change field values using ADEdit without saving the
zone to Active Directory, the field value you retrieve using get_zone_field won't match
the same field value for the zone stored in Active Directory.
Zone type
Classic and hierarchical
Syntax
get_zone_field field
Abbreviation
gzf
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
field
string
Required. Specifies the case-sensitive name of the field whose value to retrieve.
The possible values are:
type: Returns the type of the zone, for example, classic4 or tree.
schema: Returns the schema used in this zone, for example, std.
parent: Returns the distinguished name (DN) of the zone's parent zone. Only use
this argument if the currently selected zone is a hierarchical (tree) zone.
computers: Returns the computer group UPN that is assigned to the
computer role selected as a zone.
nisdomain: Returns the name of the NIS domain if it has been set. The default
value is the zone name.
sfudomain: Returns the Windows domain name for the SFU zone. Only use
this argument if the currently selected zone is a Service for UNIX (sfu) zone.
uidnext: Returns the next UID to use when auto-assigning UID numbers to
new users created in the zone.
uidreserved: Returns the UID number or range of numbers (1-100) that are
reserved.
defaultgid: Returns the default primary group to assign when a new user is
created. The value can be a GID value or include variables.
defaultgecos: Returns the default GECOS data to assign when a new user is
created. The value can be a string or include variables.
defaulthome: Returns the default home directory to assign when a new user
is created. The value can be a string that defines the path or include variables.
defaultshell: Returns the default shell to assign when a new user is created.
The value can be a string that defines the shell or include variables.
availableshells: Returns the shells available to choose from when adding a
new user to the zone. The value is a list of shell commands, separated by
colons (:). For example, /bin/bash:/bin/csh:/bin/ksh
gidnext: Returns the next GID to use when auto-assigning GID numbers to
new groups created in the zone.
gidreserved: Returns the GID number or range of numbers (1-100) that are
reserved.
createTime: Returns the time and date this zone was created (in generalized
time format).
modifyTime: Returns the time and date this zone was last modified (in
generalized time format).
dn: Returns the zone's distinguished name.
Return value
This command returns a field value. The data type depends on the field specified.
Examples
get_zone_field type
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the zone:
After you have a zone stored in memory, you can use the following commands to work with
that zone:
delete_zone deletes the selected zone from Active Directory and memory.
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone saves the selected zone with its current settings to Active Directory.
get_zone_group_field
Use the get_zone_group_field command to return the value for a specified field from the
currently selected zone group stored in memory. The get_zone_group_field command
does not query Active Directory for the zone group. If you change field values using ADEdit
without saving the zone group to Active Directory, the field value you retrieve using
get_zone_group_field won't match the same field value for the zone group stored in
Active Directory.
Zone type
Classic and hierarchical
Syntax
get_zone_group_field field
Abbreviation
gzgf
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
field
string
Required. Specifies the case-sensitive name of the field whose value to retrieve.
The possible values are:
name: Returns the group name.
gid: Returns the numeric identifier for the group.
required: Returns 1 if the zone group is required for members in this zone, or
0 if the group is not required. Users assigned to a required group cannot
remove the group from their active set of groups.
createTime: Returns the time and date this zone group was created (in
generalized time format).
modifyTime: Returns the time and date this zone group was last modified (in
generalized time format).
dn: Returns the zone group's distinguished name.
Return value
This command returns a field value. The data type depends on the field specified.
Examples
get_zone_group_field name
Related commands
Before you use this command, you must have a currently selected zone group stored in
memory. The following commands enable you to view and manage the zone groups:
After you have a zone group stored in memory, you can use the following commands to
work with that zone group:
delete_zone_group deletes the selected zone group from Active Directory and from
memory.
save_zone_group saves the selected zone group with its current settings to Active
Directory.
set_zone_group_field sets a field value in the currently selected zone group.
get_zone_groups
Use the get_zone_groups command to check Active Directory and return a Tcl list of zone
groups defined within the currently selected zone. If executed in a script, this command
does not output its list to stdout, and no output appears in the shell where the script is
executed. Use list_zone_groups to output the list to stdout.
Zone type
Classic and hierarchical
Syntax
get_zone_groups
Abbreviation
gzg
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of zone groups defined in the currently selected zone. Each
entry in the list is the user principal name (UPN) of a group that you can use to look up that
group.
Examples
get_zone_groups
auditors@acme.com
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select zone groups:
After you have a zone group stored in memory, you can use the following commands to
work with that zone group:
delete_zone_group deletes the selected zone group from Active Directory and from
memory.
get_zone_group_field reads a field value from the currently selected zone group.
save_zone_group saves the selected zone group with its current settings to Active
Directory.
set_zone_group_field sets a field value in the currently selected zone group.
get_zone_nss_vars
Use the get_zone_nss_vars command to return a Tcl list containing the NSS substitution
variables for the currently selected zone stored in memory. This command only works on
hierarchical zones and won't return a value for other zone types.
The get_zone_nss_vars command does not query Active Directory for this zone. If you
change the variables using set_zone_field without saving the zone to Active Directory, the
variables you retrieve using get_zone_nss_vars won't match the values for the zone stored
in Active Directory.
Zone type
Hierarchical only
Syntax
get_zone_nss_vars
Abbreviation
gznv
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of strings in the form A=B.
Examples
get_zone_nss_vars
NSRANDFILE=/params/nssrand.seed
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone:
After you have a zone stored in memory, you can use the following commands to work with
that zone:
delete_zone deletes the selected zone from Active Directory and memory.
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
save_zone saves the selected zone with its current settings to Active Directory.
get_zone_user_field
Use the get_zone_user_field command to return the value for a specified field from the
currently selected zone user stored in memory. The get_zone_user_field command does
not query Active Directory for the zone user. If you change field values using ADEdit
without saving the zone user to Active Directory, the field value you retrieve using
get_zone_user_field won't match the same field value for the zone user stored in Active
Directory.
Zone type
Classic and hierarchical
Syntax
get_zone_user_field field
Abbreviation
gzuf
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
field
string
Required. Specifies the case-sensitive name of the field whose value to retrieve.
The possible values are:
uname: Returns the user name.
uid: Returns the numeric identifier for the user.
gid: Returns the primary group identifier (GID) for the user.
gecos: Returns information from the GECOS field.
home: Returns the user's home directory.
shell: Returns the user's shell.
enabled: Returns 1 if the user is enabled, or 0 if the user is disabled. This field
is only applicable for users in classic zones. All other zone types use roles.
createTime: Returns the time and date this zone user was created.
modifyTime: Returns the time and date this zone user was last modified.
dn: Returns the zone user's distinguished name.
If the zone is a Services for UNIX (sfu) zone, no value is returned for this field.
Return value
This command returns a field value. The data type depends on the field specified.
Examples
get_zone_user_field uname
Related commands
Before you use this command, you must have a currently selected zone user stored in
memory. The following commands enable you to view and select a zone user:
get_zone_users returns a Tcl list of the Active Directory names of all zone users in the
current zone.
list_zone_users lists to stdout the zone users and their NSS data in the current zone.
select_zone_user retrieves a zone user from Active Directory and stores it in memory.
After you have a zone user stored in memory, you can use the following commands to work
with that zone user:
delete_zone_user deletes the selected zone user from Active Directory and from
memory.
save_zone_user saves the selected zone user with its current settings to Active
Directory.
set_zone_user_field sets a field value in the currently selected zone user.
get_zone_users
Use the get_zone_users command to check Active Directory and return a Tcl list of zone
users defined within the currently selected zone. If executed in a script, this command does
not output its list to stdout, and no output appears in the shell where the script is
executed. Use list_zone_users to output the list to stdout.
Zone type
Classic and hierarchical
Syntax
get_zone_users [-upn]
Abbreviation
gzu
Options
This command takes the following option:
Option
-upn
Description
Optional. Returns user names in user principal name (UPN) format rather than the default
sAMAccountName@domain format.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of zone users defined in the currently selected zone. By
default, users are listed by sAMAccountName@domain. You can use the -upn option to return
users listed by user principal name (UPN). If a zone user is an orphan user, that is, its
corresponding Active Directory user no longer exists, the user is listed by its security
identifier (SID) instead of the sAMAccountName or user principal name.
Examples
get_zone_users
brenda.butler chris.carter
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone user:
list_zone_users lists to stdout the zone users and their NSS data in the current zone.
select_zone_user retrieves a zone user from Active Directory and stores it in memory.
After you have a zone user stored in memory, you can use the following commands to work
with that zone user:
delete_zone_user deletes the selected zone user from Active Directory and from
memory.
get_zone_user_field reads a field value from the currently selected zone user.
save_zone_user saves the selected zone user with its current settings to Active
Directory.
set_zone_user_field sets a field value in the currently selected zone user.
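Orphaned zone users are a common source of stale access: the UNIX profile survives after the Active Directory account is deleted, and in a large zone it is easy to overlook. The following ADEdit script is added here as an example and is not part of the Centrify guide. It uses get_zones, select_zone and get_zone_users to report every zone user in a domain that get_zone_users lists by SID rather than by name. The domain name acme.com is an assumption, as is the test for the S-1-5- prefix (Active Directory account SIDs are issued under the S-1-5 authority); the script runs under the adedit interpreter with your current Kerberos credentials.

```tcl
#!/bin/env adedit
# Added example (not from the Centrify guide): list orphaned zone users,
# i.e. zone user profiles whose Active Directory account no longer exists.
# get_zone_users returns such entries as a SID instead of sam@domain or a UPN.
# Assumptions: the domain below, and that a name beginning "S-1-5-" is a SID.

set domain "acme.com"          ;# assumed domain; change to yours
bind $domain

set orphans {}
set scanned 0
foreach zonedn [get_zones $domain] {
    # get_zones excludes computer zones and computer roles, so those
    # are not covered by this report.
    if {[catch {select_zone $zonedn} err]} {
        puts stderr "skipping $zonedn: $err"
        continue
    }
    incr scanned
    foreach user [get_zone_users] {
        # Valid users come back as sam@domain (or a UPN with -upn);
        # a SID-shaped name means the AD account is gone.
        if {[regexp {^S-1-5-} $user]} {
            lappend orphans [list $zonedn $user]
        }
    }
}

puts "Scanned $scanned zone(s) in $domain"
if {[llength $orphans] == 0} {
    puts "No orphaned zone users found"
} else {
    puts "Orphaned zone users (UNIX profile kept, AD account gone):"
    foreach entry $orphans {
        puts "  [lindex $entry 0] : [lindex $entry 1]"
    }
}
```

Each reported entry identifies the zone DN and the SID of the missing account. Review the entries and remove the stale profiles with delete_zone_user once you have confirmed the account is not coming back; the SID alone tells you nothing about who the user was, so check the zone's change history or Active Directory audit logs if you need that.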
get_zones
Use the get_zones command to check Active Directory and return a Tcl list of zones
within a specified domain. Note that this does not include computer-specific override zones
or computer roles.
Zone type
Classic and hierarchical
Syntax
get_zones domain
Abbreviation
gz
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
domain
string
Required. Specifies the name of the domain for which to return zones.
Return value
This command returns a Tcl list with the distinguished name for each zone in the specified
domain.
Examples
get_zones acme.com
Related commands
After you have selected one of the returned zones and stored it in memory, you can use the
following commands to work with that zone:
delete_zone deletes the selected zone from Active Directory and memory.
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone saves the selected zone with its current settings to Active Directory.
getent_passwd
Use the getent_passwd command to return a Tcl list of local UNIX users that are defined
in the /etc/passwd file on the ADEdit host computer.
Zone type
Not applicable
Syntax
getent_passwd
Abbreviation
gep
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a Tcl list of /etc/passwd file entries with all user profile attributes.
Examples
getent_passwd
Related commands
The following command performs actions related to this command:
get_pwnam searches the /etc/passwd file for a UNIX user name and, if found, returns a
Tcl list of the profile attributes associated with the user.
guid_to_id
Use the guid_to_id command to convert the globally unique identifier (GUID) of a user or
group into the UID or GID that the Apple methodology for automatically generated unique
identifiers derives from that GUID.
Zone type
Not applicable
Syntax
guid_to_id guid
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
guid
string
Required. Specifies the globally unique identifier (GUID) of the user or group for which
to generate a UID or GID.
Return value
This command returns UID or GID for the user or group generated using the Apple
mechanism for automatically generating identifiers.
Examples
guid_to_id 763ddbc8-44cc-4a79-83aa-abc899b46aba
This example returns the UID for the user associated with the specified globally unique
identifier:
1983765448
Related commands
The following command performs actions related to this command:
principal_to_id returns a unique UID or GID based on either the Apple methodology or
the Centrify Auto Zone methodology for generating numeric identifiers.
help
Use the help command to return information about one or more ADEdit commands. It is
followed by a command pattern that is either the name of a single ADEdit command or a
string with wild cards that matches multiple commands. The command pattern can
also be a command abbreviation.
The command pattern wild cards are:
? matches any single character.
* matches any sequence of characters, including none.
Zone type
Not applicable
Syntax
help command_pattern
Abbreviation
h
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
command_pattern
string
Required. Specifies the name of one or more ADEdit commands for which to
return information.
You can specify a command name, command shortcut or use the ? and *
wild cards to specify a single character or multiple characters respectively.
Return value
This command returns information for the specified command or commands. If there is no
match for the command_pattern you specify, the command returns nothing.
Examples
help explain_sd
This example returns information for the explain_sd command.
help ?et*
This example returns information for the ADEdit commands that start with get or set,
such as get_zones, get_zone_field, set_zone_field, and set_role_field.
Related commands
None.
is_dz_enabled
Use this command to check whether authorization is enabled in a currently selected classic
zone.
Zone type
Classic only
Syntax
is_dz_enabled
Abbreviation
idze
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns 1 if authorization is enabled in the selected classic zone, or 0 if
authorization is not enabled.
Examples
create_zone classic4 cn=c125,cn=zones,dc=test,dc=net
select_zone cn=c125,cn=zones,dc=test,dc=net
is_dz_enabled
0
manage_dz -on
is_dz_enabled
1
This code example creates a new classic zone, checks that authorization is disabled by
default, then enables authorization for the zone.
Related commands
The following command performs actions related to this command:
manage_dz enables or disables authorization in the currently selected classic zone.
joined_get_user_membership
Use the joined_get_user_membership command to have adclient query Active Directory
for a list of groups that a specified user belongs to in the domain to which ADEdit's host
computer is joined. If the adclient query returns groups, this command returns those
groups in a Tcl list.
Because this command queries Active Directory through adclient, the query might use the
adclient cache instead of connecting directly to Active Directory. The adclient cache
isn't guaranteed to reflect ADEdit activity. Therefore, you might need to execute
the Centrify UNIX command adflush before using joined_get_user_membership to
ensure you get the most up-to-date results.
Zone type
Not applicable
Syntax
joined_get_user_membership user_UPN
Abbreviation
jgum
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
user_UPN
string
Required. Specifies the user principal name (UPN) of the user to check for group
membership.
Return value
This command returns a Tcl list of groups.
Examples
joined_get_user_membership liz.lemon@acme.com
This example returns group membership for liz.lemon in the joined domain:
acme.com/Users/Domain Users
Related commands
The following commands perform actions related to this command:
joined_user_in_group has adclient query Active Directory to check whether a specified
user belongs to a specified group.
get_user_groups checks Active Directory directly and returns a Tcl list of groups a user
belongs to.
joined_name_to_principal
Use the joined_name_to_principal command to have adclient query Active Directory for
the UNIX name of a specified user. If the specified user is found, the command returns the
associated Active Directory user name in the format sAMAccountName@domain. The
command can also optionally return the user principal name (UPN) of the user. This
command works only for users within the domain to which ADEdit's host computer is
joined through adclient.
Zone type
Not applicable
Syntax
joined_name_to_principal [-upn] UNIX_name
Abbreviation
jntp
Options
This command takes the following option:
Option
Description
-upn
Optional. Returns the user's Active Directory name in user principal name (UPN) format.
Arguments
This command takes the following argument:
Argument
Type
Description
UNIX_name
string
Required. Specifies the UNIX name of a user to look for in Active Directory.
Return value
This command returns the sAMAccountName@domain form of the user name if the user is
found in Active Directory. If you specify the -upn option, this command returns the UPN
form of user name.
Examples
joined_name_to_principal -upn adam
This example returns the user principal name (UPN) for the UNIX user adam:
adam.avery@acme.com
Without the -upn option, the same command returns the sAMAccountName@domain form of
the name.
Related commands
The following command performs actions related to this command:
principal_to_dn searches Active Directory for a user principal name (UPN) and, if
found, returns the corresponding DN.
joined_user_in_group
Use the joined_user_in_group command to have adclient query Active Directory to see
if a specified user belongs to a specified group. This command works only for users and
groups within the domain to which ADEdit's host computer is joined through adclient.
Because this command queries Active Directory through adclient, the query might use
adclient's cache rather than connect directly to Active Directory. The adclient cache isn't
guaranteed to reflect ADEdit activity. Therefore, you might need to execute the
Centrify UNIX command adflush before using joined_user_in_group to ensure you get
the most up-to-date results.
Zone type
Not applicable
Syntax
joined_user_in_group user_UPN group_UPN
Abbreviation
jug
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
user_UPN
string
Required. Specifies the user principal name (UPN) of the user for which you
want to check group membership.
group_UPN
string
Required. Specifies the UPN of the group for which you want to check user
membership.
Return value
This command returns 1 if the user is a member of the group, or 0 if the user is not a
member of the group.
Examples
joined_user_in_group martin.moore@acme.com poweradmins@acme.com
Related commands
The following commands perform actions related to this command:
get_user_groups checks Active Directory directly and returns a Tcl list of groups a user
belongs to.
get_group_members checks Active Directory and returns a Tcl list of members in a
group.
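The joined_* commands answer through adclient, so a membership check made right after a change in Active Directory can come back from a stale cache. The following ADEdit script is added here as an example and is not part of the Centrify guide; it shows the pattern a practitioner would use for a privileged-group check with joined_get_user_membership and joined_user_in_group: flush the adclient cache first, list what adclient believes the user belongs to, then ask the direct yes/no question for each group you care about. The user name, the watched group names, and the assumption that adflush is on PATH (it normally has to run as root) are all assumptions; no bind is issued because, as described above, the query goes through adclient rather than a direct ADEdit connection.

```tcl
#!/bin/env adedit
# Added example (not from the Centrify guide): report whether a user holds
# any of a set of sensitive group memberships in the joined domain, using
# the adclient-backed joined_* commands. adclient may answer from its cache,
# so the cache is flushed with adflush before asking.
# Assumptions: the user and group names below; adflush on PATH (needs root).

set user "martin.moore@acme.com"                         ;# assumed user UPN
set watched {poweradmins@acme.com unixadmins@acme.com}   ;# assumed group UPNs

# Flush the adclient cache so the answers reflect current AD state rather
# than whatever adclient cached before recent ADEdit changes. If the flush
# fails (for example, not running as root) the check still runs, but the
# result is flagged as possibly stale.
set stale 0
if {[catch {exec adflush} err]} {
    puts stderr "warning: adflush failed ($err); results may be stale"
    set stale 1
}

# Full membership list as adclient sees it, one canonical-name entry per group
# (for example acme.com/Users/Domain Users).
set groups [joined_get_user_membership $user]
puts "$user is a member of [llength $groups] group(s):"
foreach g $groups {
    puts "  $g"
}

# Direct yes/no checks against the groups we care about; joined_user_in_group
# returns 1 for a member and 0 otherwise.
set hits {}
foreach g $watched {
    if {[joined_user_in_group $user $g]} {
        lappend hits $g
    }
}

if {[llength $hits] > 0} {
    puts "ALERT: $user holds privileged membership: [join $hits {, }]"
} else {
    puts "$user holds none of the watched groups"
}
if {$stale} {
    puts "(cache not flushed; re-run as root or after adflush to confirm)"
}
```

Note the two name formats in play: joined_get_user_membership returns canonical names (domain/container/group), while joined_user_in_group takes the group's UPN-style name, so the membership list printed first is for a human to read, not something to compare against the watched list as strings.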
list_dz_commands
Use the list_dz_commands command to check Active Directory and return a list of UNIX
command objects defined within the currently selected zone. If executed in a script, this
command outputs its list to stdout so that the output appears in the shell where the script is
executed. The command does not return a Tcl list back to the executing script. Use
get_dz_commands to return a Tcl list.
You can only use the list_dz_commands command to return UNIX command data for
classic4 and hierarchical zones.
Zone type
Classic and hierarchical
Syntax
list_dz_commands
Abbreviation
lsdzc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of UNIX commands defined in the currently selected
zone. Each entry in the list contains the following fields, separated by colons (:):
The name of the UNIX command followed by a slash (/) and the name of the zone
where the command is defined.
Examples
list_dz_commands
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following command enables you to view the UNIX commands in that zone:
get_dz_commands returns a Tcl list of the UNIX command objects defined in the currently
selected zone.
After you have a UNIX command stored in memory, you can use the following command
to work with that command:
delete_dz_command deletes the selected command from Active Directory and from
memory.
list_nis_map
Use the list_nis_map command to return a list of all map entries within the currently
selected NIS map. If executed in a script, this command outputs its list to stdout so that the
output appears in the shell where the script is executed. The command does not return a
Tcl list back to the executing script. Use get_nis_map to return a Tcl list of NIS map
entries.
Zone type
Not applicable
Syntax
list_nis_map
Abbreviation
lsnm
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of the map entries for the currently selected NIS
map. Each map entry in the list contains the following fields separated by colons (:):
The key
The value
Examples
list_nis_map
Mktg:1:Mike@acme.com,Sue@acme.com
Related commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and select a NIS map:
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps returns a list to stdout of all NIS maps in the currently selected zone.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
list_nis_map_with_comment
Use the list_nis_map_with_comment command to return a list of all map entries for the
currently selected NIS map, including each entry's comment. If executed in a script, this
command outputs its list to stdout so that the output appears in the shell where the script is
executed.
The command does not return a Tcl list back to the executing script. Use get_nis_map or
get_nis_map_with_comment to return a Tcl list of NIS map entries for parsing or further
processing within the script.
Zone type
Not applicable
Syntax
list_nis_map_with_comment
Abbreviation
lsnmwc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of the map entries for the currently selected NIS
map. Each map entry in the list contains the following fields separated by colons (:):
The key
The value
The comment
Examples
list_nis_map_with_comment
Related commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and select a NIS map:
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout the NIS maps in the currently selected zone.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
get_nis_map_field reads a field value from the currently selected NIS map.
list_nis_map lists to stdout the map entries in the currently selected NIS map.
save_nis_map saves the selected NIS map with its current entries to Active Directory.
list_nis_maps
Use the list_nis_maps command to check Active Directory and return a list of NIS maps
defined in the currently selected zone. If executed in a script, this command outputs its list
to stdout so that the output appears in the shell where the script is executed. The
command does not return a Tcl list back to the executing script. Use get_nis_maps to
return a Tcl list.
Zone type
Not applicable
Syntax
list_nis_maps
Abbreviation
lsnms
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of NIS maps defined in the currently selected zone.
Examples
list_nis_maps
Related commands
Before you use this command, you must have a currently selected zone stored in
memory. The following commands enable you to view and select a NIS map:
get_nis_maps returns a Tcl list of NIS maps in the currently selected zone.
list_nis_maps lists to stdout the NIS maps in the currently selected zone.
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
list_pam_apps
Use the list_pam_apps command to check Active Directory and return a list of PAM
application rights defined in the currently selected zone. If executed in a script, this
command outputs its list to stdout so that the output appears in the shell where the script is
executed. The command does not return a Tcl list back to the executing script. Use
get_pam_apps to return a Tcl list.
You can only use the list_pam_apps command to return PAM application rights for classic4
and hierarchical zones.
Zone type
Classic and hierarchical
Syntax
list_pam_apps
Abbreviation
lspa
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of PAM application rights defined in the currently
selected zone. Each entry contains the following fields, separated by colons (:):
The name of the PAM access right followed by a slash (/) and the zone in which the PAM
access right is defined.
The name of one or more PAM applications to which the right applies.
The description of the right, if one is set.
Examples
list_pam_apps
This example returns a list of PAM application access rights for the selected zone (the
following is a subset of the default predefined rights):
dzssh-all/global : dzssh-* : All of ssh services
dzssh-exec/global : dzssh-exec : Command execution
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following command enables you to view the PAM application rights in that zone:
get_pam_apps returns a Tcl list of the PAM application rights defined in the currently
selected zone.
After you have a PAM application object stored in memory, you can use the following
commands to work with that PAM application:
delete_pam_app deletes the selected PAM application from Active Directory and from
memory.
get_pam_field reads a field value from the currently selected PAM application.
save_pam_app saves the selected PAM application with its current settings to Active
Directory.
set_pam_field sets a field value in the currently selected PAM application.
list_role_assignments
Use the list_role_assignments command to check Active Directory and return a list of
role assignments defined within the currently selected zone. If executed in a script, this
command outputs its list to stdout so that the output appears in the shell where the script is
executed. The command does not return a Tcl list back to the executing script. Use
get_role_assignments to return a Tcl list.
If you do not specify an option, the command returns the current users and groups in the
zone with a role assignment using the default sAMAccount@domain format.
You can only use the list_role_assignments command to return role assignments for
classic4 and hierarchical zones.
Zone type
Classic and hierarchical
Syntax
list_role_assignments [-upn] [-user] [-group] [-invalid]
Abbreviation
lsra
Options
This command takes the following options:
Option
-upn
Description
Optional. Returns user names in user principal name (UPN) format rather than the default
sAMAccount@domain format.
-user
Returns a list to stdout of the current users in the zone with a role assignment. Use this
option if you only want to return valid users with a role assignment.
-group
Returns a list to stdout of the current groups in the zone with a role assignment. Use this
option if you only want to return valid groups with a role assignment.
-invalid
Returns a list to stdout of any invalid role assignments in the zone. A role assignment is
invalid if it specifies a group or user that no longer exists. Use this option if you only want
to return invalid role assignments.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of role assignments defined in the currently selected
zone. Each entry in the list provides the following information:
The user or group to whom the role assignment applies by sAMAccount@domain name or
user principal name.
The name of the role assigned followed by a slash (/) and the zone where the role is
defined.
Examples
>bind pistolas.org
>select_zone cn=northamerica,cn=zones,ou=centrify,dc=pistolas,dc=org
>list_role_assignments
This example returns the role assignments for the northamerica zone:
Domain Users@pistolas.org: Window Login/northamerica
adm-sf@pistolas.org: UNIX Login/northamerica
rey@pistolas.org: UNIX Login/northamerica
maya@pistolas.org: SQLAdmin/northamerica
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following command enables you to view the role assignments in that zone:
get_role_assignments returns a Tcl list of the role assignments defined in the currently
selected zone.
After you have a role assignment stored in memory, you can use the following commands to
work with that role assignment:
delete_role_assignment deletes the selected role assignment from Active Directory and
from memory.
list_role_rights
Use the list_role_rights command to return a list of all UNIX commands and PAM
application rights set within the currently selected role. If executed in a script, this
command outputs its list to stdout so that the output appears in the shell where the script is
executed. The command does not return a Tcl list back to the executing script.
The list_role_rights command does not query Active Directory for the role; it reports
the role as it is currently stored in memory. If you change commands or PAM applications
using ADEdit without saving the role to Active Directory, the commands and PAM
applications you retrieve using list_role_rights won't match those stored in Active
Directory.
You can only use list_role_rights to return role rights for classic4 and hierarchical zones.
Zone type
Classic and hierarchical
Syntax
list_role_rights
Abbreviation
lsrr
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of the PAM application and UNIX command rights
that are defined for the currently selected role.
Each entry lists the name of the application or command right, the attributes of the
application or command, and any descriptive text.
Examples
list_role_rights
This example returns the list of PAM application and UNIX command rights:
dzssh-all/northamerica : dzssh-exec : Command execution
login-all/seattle : * : Predefined global PAM permission. Do not delete.
cron-exec/seattle : cron form(0) dzdo_runas(admin) flags(16) ;
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select a role:
new_role creates a new role and stores it in memory as the currently selected role.
select_role retrieves a role from Active Directory and stores it in memory as the
selected role.
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM application rights associated with the
current role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
current role.
save_role saves the selected role with its current settings to Active Directory.
list_roles
Use the list_roles command to check Active Directory and return a list of roles defined
in the currently selected zone. If executed in a script, this command outputs its list to
stdout so that the output appears in the shell where the script is executed. The command
does not return a Tcl list back to the executing script. Use get_roles to return a Tcl list.
You can only use list_roles to return role information for classic4 and hierarchical zones.
Zone type
Classic and hierarchical
Syntax
list_roles
Abbreviation
lsr
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of roles defined in the currently selected zone.
Examples
list_roles
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a role:
new_role creates a new role and stores it in memory as the currently selected role.
select_role retrieves a role from Active Directory and stores it in memory as the
selected role.
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM application rights associated with the
current role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
current role.
get_role_field reads a field value from the current role.
list_role_rights returns a list of all UNIX command and PAM application rights
associated with the current role.
save_role saves the selected role with its current settings to Active Directory.
list_rs_commands
Use the list_rs_commands command to print a list of the restricted shell commands that
are defined for the currently selected zone. This command retrieves information from
Active Directory and writes the list of restricted shell commands to stdout. If you want
to return a Tcl list of restricted shell commands, use get_rs_commands.
Zone type
Classic only
Syntax
list_rs_commands
Abbreviation
lsrsc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list of restricted shell commands for the currently selected zone.
Examples
list_rs_commands
This command returns the list of restricted shell commands and attributes similar to this:
rseid1/c123 : id form(0) dzsh_runas($) umask(77) path(USERPATH) flags(0) :
rseid2/c123 : id2 form(0) dzsh_runas($) pri(1) umask(77) path(USERPATH) flags(0) : id2
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view, select and manage the restricted shell
commands in that zone:
get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
new_rs_command creates a new restricted shell command and stores it in memory.
select_rs_command retrieves a restricted shell command from Active Directory and
stores it in memory.
After you have a restricted shell command stored in memory, you can use the following
commands to work with it:
delete_rs_command deletes the selected command from Active Directory and from
memory.
get_rsc_field reads a field value from the current restricted shell command.
save_rs_command saves the selected restricted shell command with its current settings
to Active Directory.
list_rs_envs
Use the list_rs_envs command to check Active Directory and print a list of restricted
shell environments defined within the currently selected zone to stdout. Use the
get_rs_envs command to return a Tcl list.
Zone type
Classic only
Syntax
list_rs_envs
Abbreviation
lsrse
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command prints the list of restricted shell environments to stdout. It has no return
value.
Examples
list_rs_envs
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following command enables you to view the restricted shell environments in that
zone:
get_rs_envs returns a Tcl list of restricted shell environments in the current zone.
After you have a restricted shell environment stored in memory, you can use the following
commands to work with its fields:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_rse_field reads a field value from the current restricted shell environment.
list_zone_computers
Use the list_zone_computers command to check Active Directory and return a list of
zone computers defined within the currently selected zone. If executed in a script, this
command outputs its list to stdout so that the output appears in the shell where the script is
executed. The command does not return a Tcl list back to the executing script. Use
get_zone_computers to return a Tcl list.
Zone type
Classic and hierarchical
Syntax
list_zone_computers
Abbreviation
lszc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of zone computers defined in the currently selected
zone. Each zone computer entry includes the following fields, separated by colons (:):
Number of CPUs in the computer and the version of Centrify software installed on the
computer.
Name of the computer in DNS.
Examples
list_zone_computers
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone computer:
get_zone_computers returns a Tcl list of the Active Directory names of all zone
computers in the current zone.
After you have a zone computer stored in memory, you can use the following commands to
work with that zone computer:
delete_zone_computer deletes the zone computer from Active Directory and from
memory.
list_zone_groups
Use the list_zone_groups command to check Active Directory and return a list of zone
groups defined in the currently selected zone. If executed in a script, this command outputs
its list to stdout so that the output appears in the shell where the script is executed. The
command does not return a Tcl list back to the executing script. Use get_zone_groups to
return a Tcl list.
Zone type
Classic and hierarchical
Syntax
list_zone_groups
Abbreviation
lszg
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of zone groups defined in the currently selected
zone. Each entry in the list contains the following fields, separated by colons (:):
The string Required if the Users are required to be members of this group option is
set for the group.
Examples
list_zone_groups
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select zone groups:
get_zone_groups returns a Tcl list of the Active Directory names of the zone groups in
the current zone.
After you have a zone group stored in memory, you can use the following commands to
work with that zone group:
delete_zone_group deletes the selected zone group from Active Directory and from
memory.
get_zone_group_field reads a field value from the currently selected zone group.
save_zone_group saves the selected zone group with its current settings to Active
Directory.
set_zone_group_field sets a field value in the currently selected zone group.
list_zone_users
Use the list_zone_users command to check Active Directory and return a list of zone
users defined in the currently selected zone. If executed in a script, this command outputs
its list to stdout so that the output appears in the shell where the script is executed. The
command does not return a Tcl list back to the executing script. Use get_zone_users to
return a Tcl list.
Zone type
Classic and hierarchical
Syntax
list_zone_users [-upn]
Abbreviation
lszu
Options
This command takes the following option:
Option
-upn
Description
Optional. Returns user names in user principal name (UPN) format rather than the default
sAMAccount@domain format.
Arguments
This command takes no arguments.
Return value
This command returns a list to stdout of zone users for the currently selected zone. Each
entry in the list contains the following user profile fields separated by colons (:):
Examples
list_zone_users
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select zone users:
get_zone_users returns a Tcl list of the Active Directory names of zone users in the
current zone.
select_zone_user retrieves a zone user from Active Directory and stores it in memory.
After you have a zone user stored in memory, you can use the following commands to work
with that zone user:
delete_zone_user deletes the selected zone user from Active Directory and from
memory.
get_zone_user_field reads a field value from the currently selected zone user.
save_zone_user saves the selected zone user with its current settings to Active
Directory.
set_zone_user_field sets a field value in the currently selected zone user.
manage_dz
Use the manage_dz command to enable or disable authorization in classic zones. In classic
zones, authorization-related features are disabled by default, and the authorization store
that is required for managing rights, roles, and restricted environment is not available in
Active Directory.
To enable authorization in classic zones using ADEdit, you can run the manage_dz -on
command. This command creates the authorization store if it does not exist, and sets the
zone property that enables DirectAuthorize features.
To disable authorization in a classic zone, you can run the manage_dz -off command.
Running this command disables authorization services. The command does not remove any
existing authorization data from Active Directory.
Zone type
Classic only
Syntax
manage_dz [-on|-off]
Abbreviation
mnz
Options
This command takes the following options:
-on: Enables authorization for the currently selected zone and creates the authorization data store if it is not currently defined in Active Directory.
-off: Disables authorization for the currently selected zone. This option does not remove any data from the authorization data store if it currently exists.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
create_zone classic4 cn=c125,cn=zones,dc=ross,dc=net
select_zone cn=c125,cn=zones,dc=ross,dc=net
is_dz_enable
0
manage_dz -on
is_dz_enable
1
This code example creates a zone, checks that authorization is disabled by default, then
enables authorization for the zone.
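The following ADEdit script is an added example and is not code from the guide. It wraps the sequence shown above in a procedure that only runs manage_dz -on when is_dz_enable reports that authorization is still disabled, and re-checks the zone state afterwards, so the script can be re-run safely. It assumes the session is already bound to the domain with bind; the zone DN is the one from the guide's example and stands in for your own.

```tcl
# Added example, not from the Centrify guide: enable DirectAuthorize in a
# classic zone only if it is not already enabled, so the script is safe to
# re-run. Assumes the ADEdit session is already bound to the domain (bind)
# and that the zone DN below is a placeholder taken from the guide's example.
proc ensure_dz_enabled {zoneDn} {
    select_zone $zoneDn
    if {[is_dz_enable] == 1} {
        puts "authorization already enabled in $zoneDn"
        return 0
    }
    # manage_dz -on creates the authorization store if it is missing and sets
    # the zone property that turns on DirectAuthorize features.
    if {[catch {manage_dz -on} err]} {
        puts stderr "manage_dz -on failed for $zoneDn: $err"
        return 1
    }
    # Re-read the zone state instead of trusting the command's silence.
    if {[is_dz_enable] != 1} {
        puts stderr "zone still reports authorization disabled: $zoneDn"
        return 1
    }
    puts "authorization enabled in $zoneDn"
    return 0
}

# Returns 0 on success, 1 on failure, so a calling shell can test the result.
set status [ensure_dz_enabled "cn=c125,cn=zones,dc=ross,dc=net"]
quit
```

Because manage_dz -on creates the authorization store when it is absent, checking is_dz_enable first keeps the script from touching zones that are already configured, and the second check catches the case where the command returned quietly without the zone property changing.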
Related commands
The following command performs actions related to this command:
move_object
Use the move_object command to move the selected object to the specified location. The
new location must be in the same domain. You cannot use this command to move an object
to another domain. You do not need to save the object after moving it.
Zone type
Not applicable
Syntax
move_object destination
Abbreviation
mvo
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: destination (string)
Return value
This command returns nothing if it runs successfully.
Example
The following commands move the ApacheAdmins group from the Groups container in the
Global zone to the Groups container in the US zone.
select_object cn=ApacheAdmins@demo.test,cn=Groups,cn=Global,cn=Zones,cn=Centrify,dc=demo,dc=test
mvo cn=Groups,cn=US,cn=Zones,ou=Centrify,dc=demo,dc=test
Related commands
The following command performs actions related to this command:
new_dz_command
Use the new_dz_command command to create a new UNIX command object for the current
zone and set the new command as the currently selected command in memory. The new
command has no field values set. The new_dz_command does not save the new command to
Active Directory. To save the UNIX command, you must first set at least the command
field using set_dzc_field, then use save_dz_command. If you don't save a new UNIX
command, it will disappear when you select a new command or when the ADEdit session
ends.
You can only use the new_dz_command command if the currently selected zone is a classic4
or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
new_dz_command name
Abbreviation
newdzc
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: name (string)
Return value
This command returns nothing if it runs successfully.
Examples
new_dz_command account_manager
This example creates a new UNIX command named account_manager in the current zone.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select UNIX commands:
list_dz_commands returns a list of all UNIX commands in the currently selected zone.
select_dz_command retrieves a UNIX command from Active Directory and stores it in
memory.
After you have a UNIX command stored in memory, you can use the following commands
to work with that command:
delete_dz_command deletes the selected command from Active Directory and from
memory.
get_dzc_field reads a field value from the currently selected command.
save_dz_command saves the selected command with its current settings to Active
Directory.
set_dzc_field sets a field value in the currently selected command.
new_nis_map
Use the new_nis_map command to create a new NIS map for the current zone and set the
new NIS map as the currently selected NIS map in memory. The new NIS map has no map
entries.
The new_nis_map does not save the new NIS map to Active Directory. To save the new map,
you must use save_nis_map. If you don't save a new NIS map, it will disappear when you
select a new NIS map or when the ADEdit session ends.
Zone type
Not applicable
Syntax
new_nis_map map
Abbreviation
newnm
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: map (string)
Return value
This command returns nothing if it runs successfully.
Examples
The following command creates the NIS map Printers in the current zone.
new_nis_map Printers
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select NIS maps:
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
new_object
Use the new_object command to create a new Active Directory object and set the new
object as the currently selected Active Directory object in memory. The new object has no
field values set. The new_object command does not save the new object to Active
Directory. To save the new object, you must use save_object. If you don't save a new
object, it will disappear when you select a new object or when the ADEdit session ends.
The new_object command does not check whether the new object conforms to Active
Directory's expectations for the new object in the location you specify. Active Directory
will report any errors when you try to save the object.
Zone type
Not applicable
Syntax
new_object dn
Abbreviation
newo
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: dn (DN)
Return value
This command returns nothing if it runs successfully.
Examples
new_object ou=Centrify,cn=Program Data,dc=acme,dc=com
This example creates a new organizational unit Centrify in the container Program Data in
the domain acme.com and stores it in memory as the currently selected Active Directory
object.
Related commands
The following commands enable you to view and select Active Directory objects:
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of objects matching the specified search criteria.
select_object retrieves an object with its attributes from Active Directory and stores it
in memory.
After you have an object stored in memory, you can use the following commands to work
with that object:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
get_object_field reads a field value from the currently selected Active Directory object.
remove_object_value removes a value from a multi-valued field attribute of the
currently selected Active Directory object.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
set_object_field sets a field value in the currently selected Active Directory object.
new_pam_app
Use the new_pam_app command to create a new PAM application right for the current zone
and set the new PAM application as the currently selected PAM application in memory. The
new PAM application has no field values set.
The new_pam_app does not save the new PAM application to Active Directory. To save the
PAM application right, you must first set at least the application field using
set_pam_field, then use save_pam_app. If you don't save a new PAM application, it will
disappear when you select a new PAM application or when the ADEdit session ends.
You can only use the new_pam_app to create PAM application rights if the currently selected
zone is a classic4 or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
new_pam_app name
Abbreviation
newpam
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: name (string). Required. Specifies the name to assign to the new PAM application access right.
Return value
This command returns nothing if it runs successfully.
Examples
new_pam_app basic
This example creates a new PAM application access right named basic in the current zone.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select PAM application rights:
get_pam_apps returns a Tcl list of PAM application rights in the current zone.
list_pam_apps lists to stdout the PAM application rights in the currently selected zone.
select_pam_app retrieves a PAM application right from Active Directory and stores it in
memory.
After you have a PAM application right stored in memory, you can use the following
commands to work with that PAM application right:
delete_pam_app deletes the selected PAM application right from Active Directory and
from memory.
get_pam_field reads a field value from the currently selected PAM application right.
save_pam_app saves the selected PAM application right with its current settings to
Active Directory.
set_pam_field sets a field value in the currently selected PAM application right.
new_role
Use the new_role command to create a new role for the current zone and set the new role
as the currently selected role in memory. The new role has no field values set. The
new_role command does not save the new role to Active Directory. To save the new role,
you must use save_role. If you don't save a new role, it will disappear when you select
another role or when the ADEdit session ends.
You can only use the new_role to create a role if the currently selected zone is a classic4 or
hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
new_role name
Abbreviation
newr
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: name (string)
Return value
This command returns nothing if it runs successfully.
Examples
new_role customerservice
This example creates a new role named customerservice in the current zone.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select roles:
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM applications associated with the currently
selected role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
current role.
save_role saves the selected role with its current settings to Active Directory.
new_role_assignment
Use the new_role_assignment command to create a new role assignment for the current
zone and set the new role assignment as the currently selected role assignment in memory.
The new role assignment has no field values set.
The new_role_assignment command does not save the new role assignment to Active
Directory. To save the role assignment, you must first set at least the role field using
set_role_assignment_field, then use save_role_assignment. If you don't save a new
role assignment, it will disappear when you select another role assignment or when the
ADEdit session ends.
You can only use the new_role_assignment to create a role assignment if the currently
selected zone is a classic4 or hierarchical zone. The command does not work in other types
of zones.
Zone type
Classic and hierarchical
Syntax
new_role_assignment user|All AD users|All Unix users
Abbreviation
newra
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: user | All AD users | All Unix users
Required. Specifies the user or group to assign the role to.
This argument can be a user principal name (UPN) or a sAMAccountName if you
are assigning a role to an Active Directory user or group, a UNIX user name or
UID if you are assigning the role to a local UNIX user, or the UNIX group name if
you are assigning the role to a local UNIX group.
To assign a role to a local UNIX account, use the following format:
oracle@localhost
You can also specify All AD users to assign a selected role to all Active Directory
users or All Unix users to assign the selected role to all local UNIX users.
This argument is not supported if the selected zone is a classic4 zone.
Return value
This command returns nothing if it runs successfully.
Examples
new_role_assignment adam.avery@acme.com
This example creates a new role assignment for adam.avery@acme.com in the current zone.
You must set at least one role assignment field and an available time for the role to be
effective.
The following example creates a new role assignment for the local UNIX user oracle in the
current zone.
new_role_assignment oracle@localhost
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select role assignment to work with:
After you have a role assignment stored in memory, you can use the following commands to
work with that role assignment's attributes, delete the role assignment, or save information
for the role assignment:
delete_role_assignment deletes the selected role assignment from Active Directory and
from memory.
get_role_assignment_field reads a field value from the currently selected role
assignment.
save_role_assignment saves the selected role assignment with its current settings to
Active Directory.
set_role_assignment_field sets a field value in the currently selected role assignment.
new_rs_command
Use the new_rs_command command to create a new restricted shell command under the
currently selected restricted shell environment and set the new restricted shell command as
the currently selected restricted shell command in memory. The umask field for the new
restricted shell command is set to a default value of 077 and default priority field (pri) is set
to 0. For more information about restricted shell command fields, see the command
description for get_rsc_field.
The new_rs_command command does not save the new restricted shell command to
Active Directory. To store the new restricted shell command in Active Directory, you must
use save_rs_command. If you don't save a new restricted shell command, it will disappear
when you select another restricted shell command or when the ADEdit session ends.
You can only use the new_rs_command command if the currently selected zone is a classic4
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
new_rs_command name
Abbreviation
newrsc
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: name (string)
Return value
This command returns nothing if it runs successfully.
Examples
new_rs_command rsc1
This example creates a new restricted shell command named rsc1 in the current zone.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the restricted shell command to
work with:
get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
list_rs_commands lists to stdout the restricted shell commands in the current zone.
select_rs_command retrieves a restricted shell command from Active Directory and
stores it in memory.
After you have a restricted shell command stored in memory, you can use the following
commands to work with that restricted shell:
delete_rs_command deletes the selected command from Active Directory and from
memory.
new_rs_env
Use the new_rs_env command to create a new restricted shell environment for the current
zone and set the new restricted shell environment as the currently selected restricted shell
environment stored in memory. The new restricted shell environment has no field values
set.
The new_rs_env command does not save the new restricted shell environment to
Active Directory. To save the new restricted shell environment to Active Directory, you
must use the save_rs_env command. If you don't save a new restricted shell environment,
it will disappear when you select another restricted shell environment or when the ADEdit
session ends.
You can only use the new_rs_env command if the currently selected zone is a classic4 zone.
The command does not work in other types of zones.
Zone type
Classic only
Syntax
new_rs_env name
Abbreviation
newrse
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: name (string)
Return value
This command creates a new restricted shell environment in the currently selected zone.
Examples
new_rs_env rse3
This example creates a new restricted environment named rse3 in the current zone.
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with restricted
shell environments:
After you have a restricted shell environment stored in memory, you can use the following
commands to work with its fields:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_rse_field reads a field value from the current restricted shell environment.
new_zone_computer
Use the new_zone_computer command to create a new zone computer in the current zone
and set the new zone computer as the currently selected zone computer in memory. The
new zone computer has no field values set.
The new_zone_computer command does not save the new zone computer to Active
Directory. To save the new zone computer, you must use save_zone_computer. If you don't
save a new zone computer, it will disappear when you select another zone computer or
when the ADEdit session ends.
The new_zone_computer command requires you to specify an Active Directory computer
account name. If the computer name you specify is not found in Active Directory, the
command does not create the zone computer.
Zone type
Classic and hierarchical
Syntax
new_zone_computer sAMAccountName@domain
Abbreviation
newzc
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: sAMAccountName@domain (string)
Return value
This command returns nothing if it runs successfully.
Examples
new_zone_computer sales2$@acme.com
This example creates a new zone computer sales2@acme.com in the current zone. Note
that Tcl syntax requires $@ to represent a literal @. You could also enclose the argument
in braces: {sales2@acme.com}.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and manage the zone computers:
get_zone_computers returns a Tcl list of the Active Directory names of all zone
computers in the current zone.
After you have a zone computer stored in memory, you can use the following commands to
work with that zone computer:
delete_zone_computer deletes the zone computer from Active Directory and from
memory.
new_zone_group
Use the new_zone_group command to create a new group in the current zone that is based
on an existing Active Directory group. If the command is successful, the new zone group
becomes the currently selected zone group stored in memory.
The new_zone_group command does not set any field values or save the new zone group to
Active Directory. Before you can save the new zone group, you must first set at least one
field for the new zone group using the set_zone_group_field command. You can then
save the zone group profile using the save_zone_group command.
If the currently selected zone is a classic zone, you must set all fields for the new zone
group before saving the group profile.
Note
If you don't save a new zone group, it will disappear when you select another zone group or
end the ADEdit session.
The new_zone_group command requires you to specify an Active Directory group name.
The command will search for the group first by the supplied UPN in the specified domain,
then by the sAMAccountname in the specified domain, then by the supplied UPN in any
bound domain. If the group name cannot be found, the new zone group is not created.
Zone type
Classic and hierarchical
Syntax
new_zone_group AD_group_UPN
Abbreviation
newzg
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: AD_group_UPN (string). Required. Specifies the user principal name (UPN) of an Active Directory group.
Return value
This command returns nothing if it runs successfully.
Examples
new_zone_group poweradmins@acme.com
This example creates a new zone group named poweradmins@acme.com in the current zone.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select zone groups:
get_zone_groups returns a Tcl list of the Active Directory names of all zone groups in
the current zone.
After you have a zone group stored in memory, you can use the following commands to
work with that zone group:
delete_zone_group deletes the selected zone group from Active Directory and from
memory.
new_zone_user
Use the new_zone_user command to create a new zone user in the current zone based on
an existing Active Directory user. If the command is successful, the new zone user becomes
the currently selected zone user stored in memory.
The new_zone_user command does not set any field values or save the new zone user to
Active Directory. Before you can save the new zone user, you must first set at least one field
value using the set_zone_user_field command. You can then save the zone user profile
using the save_zone_user command.
If the currently selected zone is a classic zone, you must set all fields for the new zone
user before saving the user profile.
Note
If you don't save a new zone user, it will disappear when you select another zone user or end
the ADEdit session.
You can create more than one zone user within a zone based on a single Active Directory
user. The first zone user you create uses the Active Directory user's user principal name
(UPN), for example, martin.moore@acme.com. Any other zone users you create for the
same Active Directory user must use aliases. An alias is the Active Directory user's UPN
with +n appended, where n is a positive integer that is unique for this Active Directory user
in this zone. For example, martin.moore@acme.com+1 is an alias, as is
martin.moore@acme.com+5. Alias integers need not be consecutive or in order. (Note that
SFU zones do not support user aliases.)
The new_zone_user command requires you to specify an Active Directory user name. The
command will search for the user first by the supplied UPN in the specified domain, then by
the sAMAccountname in the specified domain, then by the supplied UPN in any bound
domain. If the user name cannot be found, the new zone user is not created.
Zone type
Classic and hierarchical
Syntax
new_zone_user AD_user_UPN
Abbreviation
newzu
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: AD_user_UPN (string). Required. Specifies the user principal name (UPN) of an Active Directory user. If you are specifying an alias, append the UPN with + followed by a positive integer that is unique for this user and the zone.
Return value
This command returns nothing if it runs successfully.
Examples
new_zone_user adam.avery@acme.com
This example creates a new zone user based on the Active Directory user
adam.avery@acme.com in the current zone.
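The following ADEdit script is an added example and is not code from the guide. It shows how a script can pick an alias name in the UPN+n form described above without colliding with profiles that already exist: it reads the zone's user list with get_zone_users, collects the alias numbers already used for that Active Directory user, and passes the first free one to new_zone_user. It assumes a bound domain, a selected classic or hierarchical (not SFU) zone, and that get_zone_users returns names in the same UPN or UPN+n form that new_zone_user accepts; the UPN is a constructed sample value.

```tcl
# Added example, not from the Centrify guide: create an additional zone user
# profile for an AD user that already has one in the selected zone, using the
# UPN+n alias form. Assumes a bound domain and a selected non-SFU zone, and
# that get_zone_users returns names in UPN / UPN+n form (an assumption).

# Return the name to pass to new_zone_user: the bare UPN if this AD user has
# no profile in the zone yet, otherwise the UPN with the lowest unused +n.
proc next_alias {upn existing} {
    set used {}
    foreach name $existing {
        if {$name eq $upn} {
            lappend used 0          ;# the primary (unaliased) profile
        } elseif {[regexp {^(.+)\+(\d+)$} $name -> base n]
                  && $base eq $upn && $n > 0} {
            lappend used $n         ;# an existing alias for this user
        }
    }
    if {[llength $used] == 0} {
        return $upn
    }
    set n 1
    while {[lsearch -exact $used $n] >= 0} { incr n }
    return "$upn+$n"
}

# Create the profile object in memory and report the name that was used.
# The caller must still set the profile fields with set_zone_user_field and
# call save_zone_user; an unsaved profile is discarded when another zone
# user is selected or the session ends.
proc add_zone_user_profile {upn} {
    set name [next_alias $upn [get_zone_users]]
    new_zone_user $name
    puts "created zone user profile $name (unsaved)"
    return $name
}

# Constructed sample value; replace with a real AD user.
add_zone_user_profile martin.moore@acme.com
```

Computing the alias from the zone's current user list rather than hard-coding +1 matters in scripts that run repeatedly or in parallel: the guide only requires the integer to be unique for that user in that zone, so the lowest free number is chosen and the primary profile counts as slot 0.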
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone user:
get_zone_users returns a Tcl list of the Active Directory names of all zone users in the
current zone.
list_zone_users lists to stdout the zone users and their NSS data in the current zone.
select_zone_user retrieves a zone user from Active Directory and stores it in memory.
After you have a zone user stored in memory, you can use the following commands to work
with that zone user:
delete_zone_user deletes the selected zone user from Active Directory and from
memory.
get_zone_user_field reads a field value from the currently selected zone user.
save_zone_user saves the selected zone user with its current settings to Active
Directory.
set_zone_user_field sets a field value in the currently selected zone user.
pop
Use the pop command to retrieve a previously-stored context of bindings and selected
objects from the top of the context stack. This command replaces the current ADEdit
context with the retrieved context. Popping a context from the context stack removes the
context from the stack.
This command is useful for Tcl scripts that use subroutines. A push can save the context
before it's altered in the subroutine; a pop can return the saved context when the
subroutine returns.
Zone type
Not applicable
Syntax
pop
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully. If the stack is empty, it returns a
message stating so.
Examples
pop
This example retrieves the context from the top of the context stack and uses it as the
current ADEdit context.
Related commands
The following commands perform actions related to this command:
show returns the current context of ADEdit, including its bound domains and its
currently selected objects.
push saves the current ADEdit context to the ADEdit context stack.
principal_from_sid
Use the principal_from_sid command to look up the security principal for a specified
security identifier (SID) in Active Directory. If the security identifier is found, the
command returns the Active Directory name of the principal.
Zone type
Not applicable
Syntax
principal_from_sid [-upn] sid
Abbreviation
pfs
Options
This command takes the following option:
-upn: Returns the user names in user principal name (UPN) format, not the default sAMAccount@domain format.
Arguments
This command takes the following argument:
Argument: sid (string)
Return value
This command returns the Active Directory name of the principal if it finds a principal. If it
does not find a principal, it returns a message stating so.
Examples
principal_from_sid S-1-5-21-2076040321-3326545908-468068287-1159
Related commands
The following commands perform actions related to this command:
principal_to_dn searches Active Directory for a user principal name (UPN) and, if
found, returns the corresponding distinguished name (DN).
dn_to_principal searches Active Directory for a distinguished name (DN) and, if found,
returns the corresponding user principal name (UPN).
principal_to_dn
Use the principal_to_dn command to search Active Directory for the specified user
principal name (UPN) of a security principal (user, machine, or group). If a security
principal is found for the specified UPN, the command returns the distinguished name
(DN) of the principal.
Zone type
Not applicable
Syntax
principal_to_dn principal_upn
Abbreviation
ptd
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: principal_upn (string)
Return value
This command returns a distinguished name. If the command doesn't find the specified
security principal in Active Directory, it presents a message that it didn't find the principal.
Examples
principal_to_dn brenda.butler@acme.com
This example returns the distinguished name for the specified UPN:
cn=brenda butler,cn=users,dc=acme,dc=com
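The following ADEdit script is an added example and is not code from the guide; it combines principal_from_sid (described above) with principal_to_dn to turn a SID into a principal name and then into a DN. Both commands return a message rather than raising an error when nothing is found, so the script validates the SID syntax before the lookup and checks that each result has the shape it expects (name@domain, then a DN containing dc=) before using it. It assumes a bound domain and that the not-found messages do not themselves look like a UPN or a DN; the SID is the one from the guide's example.

```tcl
# Added example, not from the Centrify guide: resolve a SID to its AD
# principal and then to a distinguished name, validating the SID first and
# treating a "not found" reply as a failure rather than as a name. Assumes a
# bound domain and that not-found messages never look like a UPN or DN.

# Syntactic check only: S-1-<authority>-<subauthority>[-<subauthority>...].
proc valid_sid {sid} {
    return [regexp {^S-1-\d+(-\d+)+$} $sid]
}

# Returns a two-element list {upn dn}; raises an error on any failure so a
# caller cannot accidentally use a diagnostic message as a principal name.
proc resolve_sid {sid} {
    if {![valid_sid $sid]} {
        error "malformed SID: $sid"
    }
    set principal [principal_from_sid -upn $sid]
    if {![regexp {^[^@\s]+@[^@\s]+$} $principal]} {
        error "SID $sid not resolved: $principal"
    }
    set dn [principal_to_dn $principal]
    if {![string match -nocase "*dc=*" $dn]} {
        error "no DN for $principal: $dn"
    }
    return [list $principal $dn]
}

# SID value taken from the guide's own principal_from_sid example.
set result [resolve_sid S-1-5-21-2076040321-3326545908-468068287-1159]
puts "[lindex $result 0] -> [lindex $result 1]"
```

The shape checks are deliberately strict: a script that feeds an unverified result from one lookup into the next, or into a role assignment, would otherwise carry a "not found" message forward as if it were an account name.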
Related commands
The following commands perform actions related to this command:
principal_to_id
Use the principal_to_id command to search Active Directory for the specified user
principal name (UPN) of a user or group security principal. If a security principal is found
for the specified UPN, the command returns the numeric identifier for the principal.
Zone type
Not applicable
Syntax
principal_to_id [-apple] upn
Abbreviation
pti
Options
This command takes the following option:
-apple: Specifies that you want to use the Apple scheme for generating the UID or GID for the specified user or group principal. If you don't specify this option, the UID or GID returned is based on the Centrify Auto Zone scheme.
Arguments
This command takes the following argument:
Argument: upn (string). Required. Specifies the user principal name (UPN) of a user or group security principal.
Return value
This command returns a unique UID or GID based on either the Apple methodology or the
Centrify Auto Zone methodology for generating numeric identifiers. If the user or group
principal is not found in Active Directory, the command returns an error message
indicating that it didn't find the principal.
Examples
principal_to_id -apple brenda.butler@acme.com
This example returns the UID for the specified user generated using the Apple scheme:
1983765448
Related commands
The following commands perform actions related to this command:
guid_to_id accepts a globally unique identifier (GUID) for a user or group and returns a
UID or GID generated using the Apple scheme.
principal_from_sid searches Active Directory for a security identifier and returns the
security principal associated with the security identifier.
push
Use the push command to save the current ADEdit context (its bindings and selected
objects in memory) to a context stack. This command leaves the current context in place,
so all current bindings and selected objects remain in effect in ADEdit after the push.
This command is useful for Tcl scripts that use subroutines. You can use the push command
to save the context before it's altered in the subroutine. You can then use the pop command
to retrieve the saved context when the subroutine returns.
Zone type
Not applicable
Syntax
push
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing.
Examples
push
Related commands
The following commands perform actions related to this command:
show returns the current context of ADEdit, including its bound domains and currently
selected objects.
pop restores the context from the top of the ADEdit context stack to ADEdit.
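The following ADEdit script is an added example and is not code from the guide. It serves two passages: the push and pop descriptions (a subroutine that alters the context is bracketed by push and pop so the caller's bindings and selected objects come back intact, even when the subroutine fails), and the new_role_assignment description earlier (the subroutine selects a zone, creates a role assignment, sets its role field and saves it). It assumes a bound domain. The field name "role" passed to set_role_assignment_field is an assumption taken from the guide's wording ("the role field"); the zone DN, principals and role name are placeholders, the zone DN being the one from the guide's move_object example.

```tcl
# Added example, not from the Centrify guide. Runs a script with the ADEdit
# context saved on the stack, so whatever zone or object the caller had
# selected is restored afterwards, whether or not the script succeeds.
proc with_saved_context {script} {
    push
    set rc [catch {uplevel 1 $script} result]
    pop
    if {$rc} {
        return -code error $result   ;# re-raise after restoring the context
    }
    return $result
}

# Subroutine that changes the selected zone and creates a role assignment.
# Assumptions: bound domain; "role" is the field name for the assigned role.
proc assign_role_in_zone {zoneDn principal roleName} {
    with_saved_context {
        select_zone $zoneDn
        new_role_assignment $principal
        # The new assignment has no fields; the role must be set before
        # save_role_assignment will write it to Active Directory.
        set_role_assignment_field role $roleName
        save_role_assignment
    }
    return "assigned $roleName to $principal in $zoneDn"
}

# Placeholder values. The caller's previously selected zone, if any, is
# still selected after each call returns.
set zone "cn=US,cn=Zones,ou=Centrify,dc=demo,dc=test"
puts [assign_role_in_zone $zone adam.avery@acme.com customerservice]
puts [assign_role_in_zone $zone oracle@localhost customerservice]
```

Calling pop before re-raising the error is the point of the wrapper: if the subroutine fails after select_zone, a plain proc would leave the caller working in the wrong zone for every command that follows.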
quit
Use the quit command to quit ADEdit and return to the shell from which ADEdit was
launched. You can also end an interactive ADEdit session by pressing CTRL-D or entering
exit.
Zone type
Not applicable
Syntax
quit
Abbreviation
q
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing.
Examples
quit
Related commands
None.
remove_command_from_role
Use the remove_command_from_role command to remove a UNIX command from the
currently selected role stored in memory.
The remove_command_from_role command does not change the role as it is stored in Active
Directory. You must save the role before the removed command takes effect in Active
Directory. If you select another role or quit ADEdit before saving the role, any UNIX
commands you have removed since the last save won't take effect.
You can only use the remove_command_from_role command if the currently selected zone is
a classic4 or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
remove_command_from_role command[/zonename]
Abbreviation
rcfr
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: command[/zonename]
Type: string
Description: Required. Specifies the name of a UNIX command to remove from the currently
selected role. If the UNIX command that you want to remove is defined in the current zone,
the zonename argument is optional. If the UNIX command right is defined in a zone other than
the currently selected zone, the zonename argument is required to identify the specific
command to remove.
Return value
This command returns nothing if it runs successfully.
Examples
remove_command_from_role basicshell/global
This example removes the UNIX command named basicshell, which is defined in the
global zone, from the currently selected role.
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with:
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM applications associated with the current
role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
current role.
list_role_rights returns a list of all UNIX commands and PAM applications associated
with the current role.
save_role saves the selected role with its current settings to Active Directory.
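An added example (not the guide's own code) that carries the remove-then-save sequence through end to end in a Tcl script for ADEdit: it checks that the role actually holds the command right, removes it, saves the role, and then re-reads the role from Active Directory to confirm the change took effect rather than only in memory. It assumes a bound ADEdit session, that select_zone takes the zone's distinguished name and select_role the role name, and that get_role_commands returns the command names in the same form that remove_command_from_role accepts; the zone DN, role name and command name are constructed, and drop_command_from_role is a name chosen here.

```tcl
# Added example, not from the Centrify guide: remove a UNIX command right from
# a role and make the removal persistent in Active Directory.
proc drop_command_from_role {zone_dn role cmd} {
    select_zone $zone_dn
    select_role $role
    if {[lsearch -exact [get_role_commands] $cmd] < 0} {
        error "role '$role' does not hold command right '$cmd'"
    }
    remove_command_from_role $cmd
    # Up to here only the in-memory copy of the role has changed; selecting
    # another role or quitting now would silently discard the removal.
    save_role
    # Re-read the role from Active Directory and confirm the right is gone.
    select_role $role
    if {[lsearch -exact [get_role_commands] $cmd] >= 0} {
        error "'$cmd' is still in role '$role' after save_role"
    }
    return "removed $cmd from $role"
}

# Usage with constructed names (the basicshell command right is the one used
# in the guide's own example).
puts [drop_command_from_role "cn=global,cn=Zones,ou=Centrify,dc=acme,dc=com" \
    "unix-operators" "basicshell"]
```

The second select_role is the part worth copying: it reads back what Active Directory now holds, which is the only state that affects what users can run on the managed hosts.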
remove_object_value
Use the remove_object_value command to remove a value from a multi-valued attribute of
a specified Active Directory object. This command only affects the specified attribute for
the specified object in Active Directory. The command does not change the currently selected
Active Directory object in memory, if there is one.
If the field or value to be removed isn't valid, Active Directory will report an error and
remove_object_value won't remove the value.
This command is useful for fields that may be very large, such as the members of a group.
Zone type
Not applicable
Syntax
remove_object_value dn field value
Abbreviation
rov
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument: dn
Type: string
Description: Required. Specifies the distinguished name (DN) of the Active Directory object
from which to remove a value.
Argument: field
Type: string
Argument: value
Description: Required. Specifies the value to remove from the field. The data type of the
value depends on the field you specify.
Return value
This command returns nothing if it runs successfully.
Examples
remove_object_value cn=groups,dc=acme,dc=com users adam.avery
This example removes the value adam.avery from the users field of the groups object in
Active Directory.
Related commands
The following commands enable you to view and select the object to work with:
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of objects matching the search criteria.
After you have an Active Directory object stored in memory, you can use the following
commands to work with that object's attributes, delete the object, or save information for
the object:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
get_object_field reads a field value from the currently selected Active Directory object.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
set_object_field sets a field value in the currently selected Active Directory object.
remove_pamapp_from_role
Use the remove_pamapp_from_role command to remove a PAM application access right
from the currently selected role stored in memory.
The remove_pamapp_from_role command does not change the role as it is stored in Active
Directory. To remove the PAM application right from the role stored in Active Directory,
you must save your changes using the save_role command. If you select another role or quit
ADEdit before saving the role, any PAM applications you've removed since the last save
won't take effect.
You can only use the remove_pamapp_from_role command if the currently selected zone is
a classic4 or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
remove_pamapp_from_role app[/zonename]
Abbreviation
rpamfr
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: app[/zonename]
Type: string
Description: Required. Specifies the name of a PAM application right to remove from the
currently selected role. If the PAM application right that you want to remove is defined
in the current zone, the zonename argument is optional. If the PAM application right is
defined in a zone other than the currently selected zone, the zonename argument is required
to identify the specific PAM application right to remove.
Return value
This command returns nothing if it runs successfully.
Examples
remove_pamapp_from_role ftp-all
This example removes the PAM application right named ftp-all defined in the currently
selected zone from the currently selected role.
To remove the PAM application right when it is defined in the seattle zone, you would
include the zone name:
remove_pamapp_from_role ftp-all/seattle
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with:
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM applications associated with the current
role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
current role.
list_role_rights returns a list of all UNIX commands and PAM applications associated
with the current role.
save_role saves the selected role with its current settings to Active Directory.
remove_sd_ace
Use the remove_sd_ace command to remove an access control entry (ACE) in ACE string
form from a security descriptor (SD) in SDDL (Security Descriptor Definition Language)
form.
The command looks for the supplied ACE string within the supplied SDDL string. If the
command finds the ACE string, it removes it from the SDDL string and returns the SDDL
string.
Zone type
Not applicable
Syntax
remove_sd_ace sddl_string ace_string
Abbreviation
rsa
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument: sddl_string
Type: string
Argument: ace_string
Type: string
Description: Required. Specifies an access control entry in ACE string form, which is always
enclosed in parentheses.
Return value
This command returns a modified security descriptor in SDDL format if it runs
successfully.
Examples
This example removes the first ACE string from an SDDL string. The ACE string to remove is
the last argument of the command, (A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY):
remove_sd_ace
O:DAG:DAD:AI(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RCLCRPLO;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RCLCRPLO;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RCLCRPLO;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RCLCRPLO;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;EA)(A;CIID;LC;;;RU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA) (A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)
The command returns the SDDL string without the first ACE string:
O:DAG:DAD:AI(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RCLCRPLO;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RCLCRPLO;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RCLCRPLO;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RCLCRPLO;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;EA)(A;CIID;LC;;;RU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA) (A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)
Related commands
The following commands enable you to work with security descriptor strings:
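To make visible what remove_sd_ace is matching against, here is an added example that is not part of the Centrify guide or of ADEdit: plain-Tcl helpers that split the DACL of an SDDL string into its ACE strings, break one ACE into its fields for review, check that an ACE string is present before attempting a removal, and reproduce the command's effect (remove the first exact occurrence and return the modified SDDL). They run in an ordinary tclsh; inside ADEdit the built-in remove_sd_ace is the command to use, and strip_ace only illustrates the same string-level semantics. The names dacl_aces, ace_fields, ace_present and strip_ace are chosen here, and the sample SDDL is a constructed input made from the first three ACEs of the guide's own example.

```tcl
# Added example, not from the Centrify guide or ADEdit: helpers that show what
# remove_sd_ace matches against. Inside ADEdit use remove_sd_ace, not strip_ace.

# Return the ACE strings of the DACL (the D: section) of an SDDL string. Any
# S: (SACL) section is ignored.
proc dacl_aces {sddl} {
    if {![regexp {D:[A-Z]*((?:\([^)]*\))*)} $sddl -> aces]} {
        error "no DACL (D:) section in SDDL string"
    }
    return [regexp -all -inline {\([^)]*\)} $aces]
}

# Split "(type;flags;rights;object_guid;inherit_guid;sid)" into a dict so a
# reviewer can see what each entry grants and to whom before removing it.
proc ace_fields {ace} {
    if {![regexp {^\(([^()]*)\)$} $ace -> body]} {
        error "ACE string must be one parenthesized entry: $ace"
    }
    set f [split $body ";"]
    if {[llength $f] != 6} {
        error "ACE string must have six ';'-separated fields: $ace"
    }
    return [dict create type [lindex $f 0] flags [lindex $f 1] \
        rights [lindex $f 2] object_guid [lindex $f 3] \
        inherit_guid [lindex $f 4] sid [lindex $f 5]]
}

# remove_sd_ace matches the ACE string exactly, so a trustee or rights list
# that differs by one character is simply not found: check before removing.
proc ace_present {sddl ace} {
    expr {[lsearch -exact [dacl_aces $sddl] $ace] >= 0}
}

# Same effect as remove_sd_ace on the DACL: drop the first exact occurrence of
# ace from the D: section and return the modified SDDL string.
proc strip_ace {sddl ace} {
    ace_fields $ace                        ;# rejects malformed ACE strings
    if {![ace_present $sddl $ace]} {
        error "ACE not found in DACL: $ace"
    }
    # Search from the start of the D: section so an identical string in a
    # SACL that happens to precede it is never the one removed.
    regexp -indices {D:[A-Z]*(?:\([^)]*\))*} $sddl dacl_range
    set start [string first $ace $sddl [lindex $dacl_range 0]]
    set end [expr {$start + [string length $ace] - 1}]
    return [string replace $sddl $start $end]
}

# Constructed input: the first three ACEs of the guide's remove_sd_ace example.
set sddl "O:DAG:DAD:AI(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)(A;;RCLCRPLO;;;AU)"
set ace "(A;;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;SY)"

# List the DACL one ACE per line (type, rights, trustee) for review.
foreach a [dacl_aces $sddl] {
    set f [ace_fields $a]
    puts [format "%-4s %-30s %s" [dict get $f type] [dict get $f rights] [dict get $f sid]]
}
# Remove the SY entry and print the resulting SDDL string.
puts [strip_ace $sddl $ace]
```

Listing the DACL before editing it is the step worth keeping: the removal is a plain string match, so reviewing type, rights and trustee of each entry first is the only way to be sure the ACE you name is the one you intend to drop and not a near-identical neighbour.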
rename_object
Use the rename_object command to rename the selected object. You can replace only the
first relative distinguished name in the selected object. You do not need to save the object
after you change the name.
Zone type
Not applicable
Syntax
rename_object name
Abbreviation
rno
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: name
Type: string
Description: Required. Specifies the replacement relative distinguished name for the first
relative distinguished name in the selected object.
Return value
This command returns nothing if it runs successfully.
Examples
The following example selects the user object Lois Lane and renames it to LoisLane:
The following example selects the organizational unit UnixServers and renames it to UNIX
Servers:
select_object ou=UnixServers,ou=Centrify,dc=demo,dc=test
rno "UNIX Servers"
Related commands
The following command performs actions related to this command:
save_dz_command
Use the save_dz_command command to save the currently selected UNIX command stored
in memory to Active Directory. You must save a UNIX command for any changes you make
using ADEdit to take effect in Active Directory. If you select another UNIX command or
end the ADEdit session before saving the currently selected UNIX command, your changes
will be lost.
Zone type
Classic and hierarchical
Syntax
save_dz_command
Abbreviation
svdzc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_dz_command
This example saves the currently selected UNIX command to Active Directory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a UNIX command:
After you have a UNIX command stored in memory, you can use the following commands
to work with that command:
delete_dz_command deletes the selected command from Active Directory and from
memory.
save_nis_map
Use the save_nis_map command to save the currently selected NIS map stored in memory
to Active Directory. You must save the NIS map for any changes you make using ADEdit to
take effect in Active Directory. If you select another NIS map or end the ADEdit session
before saving the currently selected NIS map, your changes will be lost.
Zone type
Not applicable
Syntax
save_nis_map
Abbreviation
svnm
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_nis_map
This example saves the currently selected NIS map to Active Directory.
Related commands
Before you use this command, you must have a currently selected NIS map stored in
memory. The following commands enable you to view and select a NIS map:
select_nis_map retrieves a NIS map from Active Directory and stores it in memory.
After you have a NIS map stored in memory, you can use the following commands to work
with that map:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
save_object
Use the save_object command to save the currently selected Active Directory object
stored in memory to Active Directory. You must save the Active Directory object for any
changes you make using ADEdit to take effect in Active Directory. If you select another
Active Directory object or end the ADEdit session before saving the currently selected
object, your changes will be lost.
If an object has invalid attributes or values or is the wrong class for the container where it's
being saved, Active Directory will report an error and the object will not be saved.
Zone type
Not applicable
Syntax
save_object
Abbreviation
svo
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_object
This example saves the currently selected Active Directory object to Active Directory.
Related commands
The following commands enable you to view and select the object to work with:
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of objects matching the specified search criteria.
After you have an Active Directory object stored in memory, you can use the following
commands to work with that object's attributes, delete the object, or save information for
the object:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
get_object_field reads a field value from the currently selected Active Directory object.
remove_object_value removes a value from a multi-valued field attribute of the
currently selected Active Directory object.
set_object_field sets a field value in the currently selected Active Directory object.
save_pam_app
Use the save_pam_app command to save the currently selected PAM application access
right stored in memory to Active Directory. You must save the PAM application right for
any changes you make using ADEdit to take effect in Active Directory. If you select another
PAM application right or end the ADEdit session before saving the currently selected PAM
application right, your changes will be lost.
Zone type
Classic and hierarchical
Syntax
save_pam_app
Abbreviation
svpam
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_pam_app
This example saves the currently selected PAM application to Active Directory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a PAM application object:
list_pam_apps lists to stdout the PAM application rights in the current zone.
select_pam_app retrieves a PAM application right from Active Directory and stores it in
memory.
After you have a PAM application right stored in memory, you can use the following
commands to work with that PAM application:
delete_pam_app deletes the selected PAM application from Active Directory and from
memory.
get_pam_field reads a field value from the currently selected PAM application.
save_role
Use the save_role command to save the currently selected role stored in memory to
Active Directory. You must save the role for any changes you make using ADEdit to take
effect in Active Directory. If you select another role or end the ADEdit session before saving
the currently selected role, your changes will be lost.
Zone type
Classic and hierarchical
Syntax
save_role
Abbreviation
svr
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_role
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select roles:
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM application rights associated with the
current role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
current role.
get_role_field reads a field value from the current role.
list_role_rights returns a list of all UNIX commands and PAM application rights
associated with the current role.
save_role_assignment
Use the save_role_assignment command to save the currently selected role assignment
stored in memory to Active Directory. You must save the role assignment for any changes
you make using ADEdit to take effect in Active Directory. If you select another role
assignment or end the ADEdit session before saving the currently selected role assignment,
your changes will be lost.
Zone type
Classic and hierarchical
Syntax
save_role_assignment
Abbreviation
svra
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_role_assignment
This example saves the currently selected role assignment to Active Directory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a role assignment to work with:
After you have a role assignment stored in memory, you can use the following commands to
work with that role assignment's attributes, delete the role assignment, or save information
for the role assignment:
delete_role_assignment deletes the selected role assignment from Active Directory and
from memory.
save_rs_command
Use the save_rs_command command to save the currently selected restricted shell
command that is stored in memory to Active Directory. You must save the restricted shell
command for any changes you make using ADEdit to take effect in Active Directory. If you
select another restricted shell command or end the ADEdit session before saving the
currently selected restricted shell command, your changes will be lost.
Zone type
Classic only
Syntax
save_rs_command
Abbreviation
svrsc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_rs_command
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the restricted shell command to
work with:
get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
list_rs_commands lists to stdout the restricted shell commands in the current zone.
After you have a restricted shell command stored in memory, you can use the following
commands to work with that restricted shell command:
delete_rs_command deletes the selected command from Active Directory and from
memory.
save_rs_env
Use the save_rs_env command to save the currently selected restricted shell environment
that is stored in memory to Active Directory. You must save the selected restricted shell
environment for any changes you make using ADEdit to take effect in Active Directory. If
you select another restricted shell environment or end the ADEdit session before saving the
currently selected restricted shell environment, your changes will be lost.
Zone type
Classic only
Syntax
save_rs_env
Abbreviation
svrse
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_rs_env
This command saves the currently selected restricted shell environment to Active
Directory.
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select a restricted shell environment to
work with:
select_rs_env retrieves a restricted shell environment from Active Directory and stores
it in memory.
After you have a restricted shell environment stored in memory, you can use the following
commands to work with its fields:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_rse_field reads a field value from the current restricted shell environment.
save_zone
Use the save_zone command to save the currently selected zone stored in memory to
Active Directory. You must save the selected zone for any changes you make using ADEdit
to take effect in Active Directory. If you select another zone or end the ADEdit session
before saving the currently selected zone, your changes will be lost.
This command only saves fields that are properties in the currently selected zone. The
command does not save any users or groups added to a zone. You must save users and
groups individually using the save_zone_user and save_zone_group commands.
Zone type
Classic and hierarchical
Syntax
save_zone
Abbreviation
svz
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_zone
This example saves the currently selected zone or computer role to Active Directory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone to work with:
After you have a zone stored in memory, you can use the following commands to work with
that zone:
delete_zone deletes the selected zone from Active Directory and memory.
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone_computer
Use the save_zone_computer command to save the currently selected zone computer
stored in memory to Active Directory. You must set at least one field value before you can
save a zone computer. In classic zones, you must set all field values before you can save a
zone computer.
You must save the selected zone computer for any changes you make using ADEdit to take
effect in Active Directory. If you select another zone computer or end the ADEdit session
before saving the currently selected zone computer, your changes will be lost.
Zone type
Classic and hierarchical
Syntax
save_zone_computer
Abbreviation
svzc
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_zone_computer
This example saves the currently selected zone computer to Active Directory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and manage the zone computers:
get_zone_computers returns a Tcl list of the Active Directory names of all zone
computers in the current zone.
After you have a zone computer stored in memory, you can use the following commands to
work with that zone computer:
delete_zone_computer deletes the zone computer from Active Directory and from
memory.
save_zone_group
Use the save_zone_group command to save the currently selected zone group stored in
memory to Active Directory. You must set at least one field value before you can save a zone
group. In classic zones, you must set all field values before you can save a zone group.
You must save the selected zone group for any changes you make using ADEdit to take
effect in Active Directory. If you select another zone group or end the ADEdit session
before saving the currently selected zone group, your changes will be lost.
Zone type
Classic and hierarchical
Syntax
save_zone_group
Abbreviation
svzg
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_zone_group
This example saves the currently selected zone group to Active Directory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select zone groups:
get_zone_groups returns a Tcl list of the Active Directory names of all zone groups in
the current zone.
After you have a zone group stored in memory, you can use the following commands to
work with that zone group:
delete_zone_group deletes the selected zone group from Active Directory and from
memory.
get_zone_group_field reads a field value from the currently selected zone group.
save_zone_group saves the selected zone group with its current settings to Active
Directory.
set_zone_group_field sets a field value in the currently selected zone group.
save_zone_user
Use the save_zone_user command to save the currently selected zone user stored in
memory to Active Directory. You must set at least one field value before you can save a zone
user. In classic zones, you must set all field values before you can save a zone user.
You must save the selected zone user for any changes you make using ADEdit to take effect
in Active Directory. If you select another zone user or end the ADEdit session before saving
the currently selected zone user, your changes will be lost.
Zone type
Classic and hierarchical
Syntax
save_zone_user
Abbreviation
svzu
Options
This command takes no options.
Arguments
This command takes no arguments.
Return value
This command returns nothing if it runs successfully.
Examples
save_zone_user
This example saves the currently selected zone user to Active Directory.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone user:
get_zone_users returns a Tcl list of the Active Directory names of all zone users in the
current zone.
list_zone_users lists to stdout the zone users and their NSS data in the current zone.
select_zone_user retrieves a zone user from Active Directory and stores it in memory.
After you have a zone user stored in memory, you can use the following commands to work
with that zone user:
delete_zone_user deletes the selected zone user from Active Directory and from
memory.
get_zone_user_field reads a field value from the currently selected zone user.
save_zone_user saves the selected zone user with its current settings to Active
Directory.
set_zone_user_field sets a field value in the currently selected zone user.
select_dz_command
Use the select_dz_command command to retrieve a UNIX command in the currently
selected zone from Active Directory. This command stores the selected UNIX command in
memory, and makes it the currently selected UNIX command for subsequent ADEdit
commands. The UNIX command remains selected until you select another UNIX command
or zone, delete the UNIX command, or end the ADEdit session.
If you use ADEdit commands such as set_dzc_field to change settings for the selected
UNIX command, you must save the selected UNIX command using the save_dz_command
command for your changes to take effect in Active Directory. If you select another UNIX
command or end the ADEdit session before saving the currently selected UNIX command,
your changes will be lost.
You can only use the select_dz_command command to select UNIX commands if the
currently selected zone is a classic4 or hierarchical zone. The command does not work for
other types of zones.
Zone type
Classic and hierarchical
Syntax
select_dz_command command
Abbreviation
sldzc
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: command
Type: string
Return value
This command returns nothing if it runs successfully.
Examples
select_dz_command account_manager
This example looks for the UNIX command named account_manager in the current zone
and, if found, selects it as the current UNIX command.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a UNIX command to work with:
After you have a UNIX command stored in memory, you can use the following commands
to work with that command:
delete_dz_command deletes the selected command from Active Directory and from
memory.
select_nis_map
Use the select_nis_map command to retrieve a NIS map in the currently selected zone
from Active Directory. This command stores the NIS map in memory, and makes it the
currently selected NIS map for subsequent ADEdit commands. The NIS map remains
selected until you select another NIS map or zone, delete the NIS map, or end the ADEdit
session.
If you use ADEdit commands such as add_map_entry to change settings for the selected NIS
map, you must save the selected NIS map using the save_nis_map command for your
changes to take effect in Active Directory. If you select another NIS map or end the ADEdit
session before saving the currently selected NIS map, your changes will be lost.
Zone type
Not applicable
Syntax
select_nis_map map
Abbreviation
slnm
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: map
Type: string
Description: Required. Specifies the name of the NIS map to retrieve from Active Directory.
Return value
This command returns nothing if it runs successfully.
Examples
select_nis_map Printers
This example looks for the NIS map named Printers in the current zone and, if found,
selects it as the current NIS map.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select NIS maps:
list_nis_maps returns a list to stdout of all NIS maps in the current zone.
After you have a NIS map stored in memory, you can use the following commands to work
with that map:
delete_nis_map deletes the selected NIS map from Active Directory and from memory.
select_object
Use the select_object command to retrieve the specified Active Directory object and its
attributes from Active Directory. This command stores the object in memory and makes it
the currently selected Active Directory object. You can use options to retrieve the rootDSE
of the object or to list specific attributes to retrieve for the object.
Zone type
Not applicable
Syntax
select_object [-rootdse] [-attrs a1[,a2,...]] dn
Abbreviation
slo
Options
This command takes the following options:
Option
Description
-rootdse
-attrs a1[,a2,...]
Arguments
This command takes the following argument:
Argument
Type
Description
dn
DN
Return value
This command returns nothing if it runs successfully.
Examples
select_object cn=users,dc=acme,dc=com
This example returns the container object cn=users,dc=acme,dc=com and its attributes,
and stores it in memory as the currently selected Active Directory object.
Related commands
The following commands enable you to view and select the object to work with:
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of objects matching the specified search criteria.
After you have an Active Directory object stored in memory, you can use the following
commands to work with that object's attributes, delete the object, or save information for
the object:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
get_object_field reads a field value from the currently selected Active Directory object.
remove_object_value removes a value from a multi-valued field attribute of the
currently selected Active Directory object.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
set_object_field sets a field value in the currently selected Active Directory object.
select_pam_app
Use the select_pam_app command to retrieve a PAM application access right in the
currently selected zone from Active Directory. This command stores the PAM application
right in memory, and makes it the currently selected PAM application right for subsequent
ADEdit commands. The PAM application right remains selected until you select another
PAM application right or zone, delete the PAM application right, or end the ADEdit
session.
If you use ADEdit commands such as set_pam_field to change settings for the selected
PAM application right, you must save the selected PAM application right using the
save_pam_app command for your changes to take effect in Active Directory. If you select
another PAM application right or end the ADEdit session before saving the currently
selected PAM application right, your changes will be lost.
You can only use the select_pam_app command to select PAM applications if the currently
selected zone is a classic4 or hierarchical zone. The command does not work for other types
of zones.
Zone type
Classic and hierarchical
Syntax
select_pam_app name[/zonename]
Abbreviation
slpam
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
name[/zonename]
string
Return value
This command returns nothing if it runs successfully.
Examples
The following example retrieves the PAM application right named sftp in the current zone
and makes it the currently selected PAM application right:
select_pam_app sftp
The following example retrieves the PAM application right named sftp defined in the
chicago zone and makes it the currently selected PAM application right:
select_pam_app sftp/chicago
The definition for the PAM application right named sftp might be the same in both zones,
but it is not required to be. Specifying the zone ensures you get the definition you expect.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
After you have a zone stored in memory, you can use the following commands to view and
select the PAM application to work with:
get_pam_apps returns a Tcl list of PAM application rights in the current zone.
list_pam_apps lists to stdout the PAM application rights in the current zone.
select_pam_app retrieves a PAM application right from Active Directory and stores it in
memory
After you have a PAM application stored in memory, you can use the following commands
to work with that PAM application's attributes, delete the PAM application, or save
information for the PAM application:
delete_pam_app deletes the selected PAM application right from Active Directory and
from memory.
get_pam_field reads a field value from the currently selected PAM application right.
save_pam_app saves the selected PAM application right with its current settings to
Active Directory.
set_pam_field sets a field value in the currently selected PAM application right.
select_role
Use the select_role command to retrieve a role in the currently selected zone from Active
Directory. This command stores the role in memory, and makes it the currently selected
role for subsequent ADEdit commands. The role remains selected until you select another
role or zone, delete the role, or end the ADEdit session.
If you use ADEdit commands such as set_role_field to change settings for the selected
role, you must save the selected role using the save_role command for your changes to
take effect in Active Directory. If you select another role or end the ADEdit session before
saving the currently selected role, your changes will be lost.
You can only use the select_role command to select roles if the currently selected zone is
a classic4 or hierarchical zone. The command does not work for other types of zones.
Zone type
Classic and hierarchical
Syntax
select_role role
Abbreviation
slr
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
role
string
Return value
This command returns nothing if it runs successfully.
Examples
select_role servicerep
This example retrieves the role definition named servicerep in the current zone and makes
it the currently selected role.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a role:
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM application rights associated with the
current role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
current role.
get_role_field reads a field value from the current role.
list_role_rights returns a list of all UNIX command and PAM application rights
associated with the current role.
save_role saves the selected role with its current settings to Active Directory.
select_role_assignment
Use the select_role_assignment command to retrieve a role assignment in the currently
selected zone from Active Directory. This command stores the role assignment in memory,
and makes it the currently selected role assignment for subsequent ADEdit commands. The
role assignment remains selected until you select another role assignment or zone, delete
the role assignment, or end the ADEdit session.
Zone type
Classic and hierarchical
Syntax
select_role_assignment principal/role[/zone]
Abbreviation
slra
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: principal/role[/zone]
Type: string
Description: Required. Specifies the user principal name (UPN) of the user or group to whom
the role is assigned, followed by a slash (/) and the name of the role to assign to
the principal.
The zone argument is optional if the role is defined in the currently selected
zone. If the role is defined in a zone other than the currently selected zone, the
/zone argument is required.
Return value
This command returns nothing if it runs successfully.
Examples
select_role_assignment poweradmins@acme.com/root/global
This example retrieves the role assignment that assigns the role named root, as defined in
the global zone, to the principal named poweradmins@acme.com. The principal is a group.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a role assignment:
After you have a role assignment stored in memory, you can use the following commands to
work with that role assignment:
delete_role_assignment deletes the selected role assignment from Active Directory and
from memory.
select_rs_command
Use the select_rs_command command to retrieve a restricted shell command in the
currently selected zone from Active Directory, store it in memory, and set it as the
currently selected restricted shell command for other ADEdit commands. After you select
the restricted shell command to work with, it remains selected until you select a different
restricted shell command, change the currently selected zone, delete the restricted shell
command, or end the ADEdit session.
If you use ADEdit commands such as set_rsc_field to change settings for the selected
restricted shell command, you must save the restricted shell command using the
save_rs_command command for your changes to take effect in Active Directory. If you
select another restricted shell command or end the ADEdit session before saving the
currently selected restricted shell command, your changes will be lost.
You can only use the select_rs_command command if the currently selected zone is a classic
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
select_rs_command rs_cmd
Abbreviation
slrsc
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
rs_cmd
string
Return value
This command returns nothing if it runs successfully.
Examples
select_rs_command rsc1
This command looks for the restricted shell command named rsc1 in the current zone. If
rsc1 is found in the current zone, it becomes the currently selected context for subsequent
commands.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the restricted shell command to
work with:
get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
list_rs_commands lists to stdout the restricted shell commands in the current zone.
After you have a restricted shell command stored in memory, you can use the following
commands to work with that restricted shell command:
delete_rs_command deletes the selected command from Active Directory and from
memory.
select_rs_env
Use the select_rs_env command to retrieve a restricted shell environment in the
currently selected zone from Active Directory, store it in memory, and make it the
currently selected restricted shell environment for other ADEdit commands. The restricted
shell environment remains selected until you select another restricted shell environment,
change the currently selected zone, delete the restricted shell environment, or end the
ADEdit session.
If you use ADEdit commands such as set_rse_field to change settings for the restricted shell
environment, you must save the restricted shell environment using the save_rs_env
command for your changes to take effect in Active Directory. If you select another
restricted shell environment or end the ADEdit session before saving the currently selected
restricted shell environment, your changes will be lost.
You can only use the select_rs_env command if the currently selected zone is a classic4
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
select_rs_env rse_name
Abbreviation
slrse
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
rse_name
string
Return value
This command returns nothing if it runs successfully.
Examples
select_rs_env rse1
This command looks for the restricted shell environment named rse1 in the current zone.
If rse1 is found in the current zone, it becomes the currently selected context for
subsequent commands.
Related commands
Before you use this command, you must have a currently selected role stored in memory.
The following commands enable you to view and select the role to work with restricted
shell environments:
After you have a restricted shell environment stored in memory, you can use the following
commands to work with its fields:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_rse_field reads a field value from the current restricted shell environment.
select_zone
Use the select_zone command to retrieve a zone from Active Directory, store the zone in
memory, and make that zone the currently selected zone for subsequent ADEdit
commands. The zone remains selected until you select another zone, delete the zone, or
end the ADEdit session.
If you use ADEdit commands such as set_zone_field to change settings for the zone, you
must save the zone using the save_zone command for your changes to take effect in Active
Directory. If you select another zone or end the ADEdit session before saving the currently
selected zone, your changes will be lost.
You should note that ADEdit treats computer roles and computer-specific overrides as
special use-case zones. You can, therefore, use the select_zone command to retrieve a
computer role zone or a computer-specific zone to work with as the currently selected
zone. If you specify a zone that is a computer role zone or a computer-specific zone,
subsequent ADEdit commands will treat the zone as a computer role or a computer-specific
zone instead of a standard zone. You can only work with one zone at a time, regardless of
type. Because some ADEdit commands behave differently in different types of zones, you
should verify the type of zone you are working with when you select a zone.
Zone type
Classic and hierarchical
Syntax
select_zone [-nc] path
Abbreviation
slz
Options
This command takes the following option:
Option
Description
-nc
Arguments
This command takes the following argument:
Argument: path
Type: string
Description: Required. Specifies the path to the selected zone or computer role. The path
format depends on the type of zone selected:
A tree, classic3, classic4, or SFU zone path consists of the zone's distinguished
name. Enclose the path in braces or quotes to allow spaces in the
distinguished name.
A computer role path consists of the host zone's distinguished name followed
by a slash (/) and the name of the computer zone. Enclose the path in braces
or quotes to allow spaces in the distinguished name.
A computer override path consists of the computer name followed by an
at sign (@) and the distinguished name of the host zone.
Return value
This command returns nothing if it runs successfully.
Examples
The following example selects a standard zone named cz1 in the Zones container in the
UNIX organizational unit in the acme.com domain:
select_zone "CN=cz1,CN=Zones,OU=UNIX,DC=acme,DC=com"
The following example selects the computer role named LinuxComputers in the global
zone in the Zones container in the UNIX organizational unit in the acme.com domain:
select_zone CN=global,CN=Zones,OU=UNIX,DC=acme,DC=com/LinuxComputers
The following example selects the computer-specific override zone named server1 in the
global zone in the acme.com domain:
select_zone server1@CN=global,CN=Zones,OU=Centrify,DC=acme,DC=com
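A script that builds select_zone paths from variables can put the separator in the wrong place and silently select a different zone than intended, so it pays to classify the path before calling select_zone. The following Python parser is an added example; it is not part of ADEdit or the Centrify software. It assumes that a computer role name contains no slash and that a computer name contains no at sign or equals sign, strips the braces or quotes ADEdit accepts around a path, and uses class and function names of its own.

```python
"""Classify a select_zone path as a zone DN, a computer role, or a computer override.

Added example, not part of ADEdit or the Centrify software. Assumptions: a
computer role name contains no "/", a computer name contains no "@" or "=",
and the class and function names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ZonePath:
    kind: str                   # "zone", "computer_role" or "computer_override"
    zone_dn: str                # distinguished name of the zone (or host zone)
    name: Optional[str] = None  # computer role name or computer name, if any


def parse_zone_path(path: str) -> ZonePath:
    """Split a select_zone path into its zone DN and optional qualifier.

    Forms handled, as described in the argument table:
      DN                    standard (tree, classic3, classic4 or SFU) zone
      DN/computer_role      computer role in the host zone DN
      computer@DN           computer-specific override in the host zone DN
    The braces or quotes ADEdit accepts around a path are stripped first.
    """
    p = path.strip()
    if len(p) >= 2 and (p[0], p[-1]) in (("{", "}"), ('"', '"')):
        p = p[1:-1]
    if not p:
        raise ValueError("empty zone path")

    # Computer override: the text before "@" is a host name, so it carries no "=".
    head, sep, rest = p.partition("@")
    if sep and "=" not in head:
        if "=" not in rest:
            raise ValueError(f"no zone DN after '@' in {path!r}")
        return ZonePath("computer_override", zone_dn=rest, name=head)

    # Computer role: host zone DN, a "/", then the role name (no "=" in it).
    dn, sep, role = p.rpartition("/")
    if sep and role and "=" not in role:
        if "=" not in dn:
            raise ValueError(f"no host zone DN before '/' in {path!r}")
        return ZonePath("computer_role", zone_dn=dn, name=role)

    # Anything else must be a plain distinguished name with at least one RDN.
    if "=" not in p:
        raise ValueError(f"not a distinguished name: {path!r}")
    return ZonePath("zone", zone_dn=p)
```

Run against the three example paths above, the parser returns kind "zone", "computer_role" and "computer_override" respectively; a bare name with no relative distinguished name is rejected rather than passed through to select_zone.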
Related commands
The following commands perform actions related to this command:
After you have a zone stored in memory, you can use the following commands to work with
that zone:
delete_zone deletes the selected zone from Active Directory and memory.
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone saves the selected zone with its current settings to Active Directory.
select_zone_computer
Use the select_zone_computer command to retrieve a zone computer in the currently
selected zone from Active Directory, store it in memory, and make it the currently selected
zone computer for subsequent ADEdit commands. The zone computer remains selected
until you select another zone computer, delete the zone computer, or end the ADEdit
session.
If you use ADEdit commands such as set_zone_computer_field to change settings for the
zone computer, you must save the zone computer using the save_zone_computer command
for your changes to take effect in Active Directory. If you select another zone computer or
end the ADEdit session before saving the currently selected zone computer, your changes
will be lost.
Zone type
Classic and hierarchical
Syntax
select_zone_computer sAMAccountName$@domain
Abbreviation
slzc
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
sAMAccountName
string
Return value
This command returns nothing if it runs successfully.
Examples
select_zone_computer sales2$@acme.com
This example looks for the zone computer named sales2 in the current zone and, if found,
selects it as the current zone computer.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and manage the zone computers:
get_zone_computers returns a Tcl list of the Active Directory names of all zone
computers in the current zone.
After you have a zone computer stored in memory, you can use the following commands to
work with that zone computer:
delete_zone_computer deletes the zone computer from Active Directory and from
memory.
select_zone_group
Use the select_zone_group command to retrieve a zone group in the currently selected
zone from Active Directory. The command stores the zone group in memory and makes it
the currently selected zone group for subsequent ADEdit commands. The zone group
remains selected until you select another zone group, delete the zone group, or end the
ADEdit session.
If you use ADEdit commands such as set_zone_group_field to change settings for the
zone group, you must save the zone group using the save_zone_group command for your
changes to take effect in Active Directory. If you select another zone group or end the
ADEdit session before saving the currently selected zone group, your changes will be lost.
Zone type
Classic and hierarchical
Syntax
select_zone_group AD_group_UPN
Abbreviation
slzg
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: AD_group_UPN
Type: string
Description: Required. Specifies the user principal name (UPN) of a zone group in the
currently selected zone.
Return value
This command returns nothing if it runs successfully.
Examples
select_zone_group poweradmins@acme.com
This example looks for the group named poweradmins in the current zone and, if found,
selects it as the current zone group.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select zone groups:
get_zone_groups returns a Tcl list of the Active Directory names of all zone groups in
the current zone.
After you have a zone group stored in memory, you can use the following commands to
work with that zone group:
delete_zone_group deletes the selected zone group from Active Directory and from
memory.
get_zone_group_field reads a field value from the currently selected zone group.
save_zone_group saves the selected zone group with its current settings to Active
Directory.
set_zone_group_field sets a field value in the currently selected zone group.
select_zone_user
Use the select_zone_user command to retrieve a zone user in the currently selected zone
from Active Directory. This command stores the zone user in memory, and makes it the
currently selected zone user for subsequent ADEdit commands. The zone user remains
selected until you select another zone user, delete the zone user, or end the ADEdit session.
If you use ADEdit commands such as set_zone_user_field to change settings for the zone
user, you must save the zone user using the save_zone_user command for your changes to
take effect in Active Directory. If you select another zone user or end the ADEdit session
before saving the currently selected zone user, your changes will be lost.
Zone type
Classic and hierarchical
Syntax
select_zone_user user
Abbreviation
slzu
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
user
string
Return value
This command returns nothing if it runs successfully.
Examples
select_zone_user adam.avery@acme.com
This example looks for the Active Directory user adam.avery in the current zone and, if
found, selects that user as the current zone user.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone user:
get_zone_users returns a Tcl list of the Active Directory names of all zone users in the
current zone.
list_zone_users lists to stdout the zone users and their NSS data in the current zone.
select_zone_user retrieves a zone user from Active Directory and stores it in memory.
After you have a zone user stored in memory, you can use the following commands to work
with that zone user:
delete_zone_user deletes the selected zone user from Active Directory and from
memory.
get_zone_user_field reads a field value from the currently selected zone user.
save_zone_user saves the selected zone user with its current settings to Active
Directory.
set_zone_user_field sets a field value in the currently selected zone user.
set_dzc_field
Use the set_dzc_field command to set the value for a specified field in the currently
selected UNIX command stored in memory. The set_dzc_field command does not set a
field value stored in Active Directory for the selected UNIX command.
If you change any fields, you must save the UNIX command using the save_dz_command
command for your changes to take effect in Active Directory. If you select another UNIX
command or end the ADEdit session before saving the currently selected UNIX command,
your changes will be lost.
You can only use the set_dzc_field command to set UNIX command fields if the currently
selected zone is a classic4 or hierarchical zone. The command does not work in other types
of zones.
Zone type
Classic and hierarchical
Syntax
set_dzc_field field value
Abbreviation
sdzcf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument: field
Type: string
Description: Required. Specifies the name of the field you want to set. The possible values
are:
description: Text describing the UNIX command.
cmd: The UNIX command string or strings. You can use wild cards or a regular
expression.
path: The path to the command's location. You can use wild cards or a regular
expression.
form: An integer that indicates whether the cmd and path strings use wild
cards (0) or a regular expression (1).
dzdo_runas: A list of users and groups that can run this command under
dzdo (similar to sudo). Users can be listed by user name or UID.
dzsh_runas: A list of users and groups that can run this command in a
restricted shell environment (dzsh). Users can be listed by user name or UID.
You cannot set this field value if the selected zone is a classic4 zone.
keep: A comma-separated list of environment variables from the current
user's environment to keep.
del: A comma-separated list of environment variables from the current user's
environment to delete.
add: A comma-separated list of environment variables to add to the final set
of environment variables.
pri: An integer that specifies the command priority for the restricted shell
command object.
umask: An integer that defines who can execute the command.
flags: An integer from 0 to 31 that specifies a combination of different
properties for the command.
Argument: value
Description: Required. Specifies the value to assign to the specified field. The data type
depends on the field specified.
Assign a dash (-) to a field to unset the field value.
You can specify the cmd and path strings using wild cards (*, ?, and !), or as a regular
expression. If you specify the cmd and path strings using wild cards, use an asterisk (*) to
match zero or more characters, the question mark (?) to match exactly one character, or the
exclamation mark (!) to negate matching of the specified string.
To set the command path to the equivalent of the Standard user path option, set the
value of the path field to USERPATH. To set the path to the equivalent of the Standard
system path option, set the value of the path field to SYSTEMPATH. To set the path to the
equivalent of the System search path option, set the value of the path field to
SYSTEMSEARCHPATH.
For both the cmd and path fields, the form field controls whether the specified string is
interpreted as a regular expression or as a string that includes wild cards.
Specifying the environment variables to use
You can use the keep, del, and add settings to control the environment variables used by the
commands specified by the cmd string. The keep and del settings are mutually exclusive.
The keep field only takes effect if the flag 16 is included in the setting for the flags field.
The del field only takes effect if the flag 16 is not included in the setting for the flags field.
Any environment variables kept or deleted are in addition to the default set of the user's
environment variables that are either retained or deleted. The default set of environment
variables to keep is defined in the dzdo.env_keep configuration parameter in the
centrifydc.conf file. The default set of environment variables to delete is defined in the
dzdo.env_delete configuration parameter in the centrifydc.conf file. You can also add
environment variables to the final set of environment variables resulting from the keep or
del fields.
Specifying the command priority
You can use the pri field to specify the command priority when there are multiple matches
for the UNIX commands specified by wild cards. If commands specified by this UNIX
command object match commands specified by another UNIX command object, the UNIX
command object with the higher command priority prevails. This field takes an integer
value; the higher the number, the higher the priority.
Specifying the umask value
You can use the umask field to define who can execute the command. The umask field
specifies a 3-digit octal value that defines read, write, or execute permission for owner,
group, and other users. The left digit defines the owner execution rights, the middle digit
defines the group execution rights, and the right digit defines other execution rights. Each
digit is a combination of binary flags, one flag for each right as follows:
4 is read
2 is write
1 is execute
You add these values together to define the rights available for each entity. For example,
a umask value of 600 indicates read and write permission (4+2) for the owner, but no
permissions for the group or other users. Similarly, a umask value of 740 indicates read,
write, execute permissions (4+2+1) for the owner, read permissions for the group, but no
permissions for other users.
Specifying command properties using the flags field
You can use the flags field to define a combination of binary flags, with one flag for each of
the following properties:
1: Prevents nested command execution. If this flag value is not set, nested command
execution is allowed.
2: Requires authentication with the login user's password. You cannot set the 2 flag and
the 4 flag simultaneously. If you do not set either flag value, authentication is not required.
4: Requires authentication with the run-as user's password.
8: Preserves group membership. If this flag value is not set, group membership is not
preserved.
16: Resets environment variables for the command, deleting the variables specified in the
dzdo.env_delete parameter and keeping the variables specified in the keep field. If this flag
is not set, the command removes the unsafe environment variables specified in the
dzdo.env_delete parameter along with any additional environment variables specified by
the del field.
You add these values together to define the setting for the flags field. For example, a flags
field value of 5 prevents nested command execution and requires authentication using the
run-as user's password (1+4).
Return value
This command returns nothing if it runs successfully.
Examples
The following example sets the current UNIX command dzdo_runas field to root:
set_dzc_field dzdo_runas root
The following example sets the UNIX command properties so that nested command
execution is not allowed and authentication is required with the user's password:
sdzcf flags 3
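Because the flags and umask fields are packed integers and the keep and del fields depend on whether flag 16 is set, it is easy to save a UNIX command object whose properties are not the ones intended, for example a flags value of 6, which sets the mutually exclusive 2 and 4 bits. The following Python helpers are an added example and not part of ADEdit or the Centrify software: they decode a flags value into the properties listed above, reject the 2/4 combination and values outside 0 to 31, expand a umask value into owner, group and other rights, and report which of the keep or del lists applies for a given flags value. The function names are the example's own.

```python
"""Decode and validate the packed fields of an ADEdit UNIX command object.

Added example, not part of ADEdit or the Centrify software. It encodes the
rules stated in this section for the flags, umask, keep and del fields; the
function names are this example's own.
"""
from typing import Dict, List, Tuple

# Bit values of the flags field and the property each bit enables.
FLAG_PROPERTIES: Dict[int, str] = {
    1: "nested command execution prevented",
    2: "authentication with the login user's password required",
    4: "authentication with the run-as user's password required",
    8: "group membership preserved",
    16: "environment reset (dzdo.env_delete variables removed, keep field retained)",
}
MAX_FLAGS = sum(FLAG_PROPERTIES)  # 1+2+4+8+16 = 31, the documented upper bound


def decode_flags(flags: int) -> List[str]:
    """Return the properties enabled by a flags value, rejecting invalid values."""
    if not 0 <= flags <= MAX_FLAGS:
        raise ValueError(f"flags must be an integer from 0 to {MAX_FLAGS}, got {flags}")
    if flags & 2 and flags & 4:
        raise ValueError("flags 2 and 4 (login vs. run-as password) cannot both be set")
    return [desc for bit, desc in FLAG_PROPERTIES.items() if flags & bit]


def encode_flags(*bits: int) -> int:
    """Combine individual flag bits (e.g. 1 and 4) into one validated flags value."""
    value = 0
    for bit in bits:
        if bit not in FLAG_PROPERTIES:
            raise ValueError(f"unknown flag bit {bit}")
        value |= bit
    decode_flags(value)  # reuses the range and exclusivity checks
    return value


def decode_umask(umask: int) -> Dict[str, List[str]]:
    """Expand a 3-digit octal umask field into owner, group and other rights."""
    text = f"{umask:03d}"
    if len(text) != 3 or any(c not in "01234567" for c in text):
        raise ValueError(f"umask must be a 3-digit octal value, got {umask}")
    rights = {4: "read", 2: "write", 1: "execute"}
    return {
        who: [name for bit, name in rights.items() if int(digit) & bit]
        for who, digit in zip(("owner", "group", "other"), text)
    }


def _split_field(value: str) -> List[str]:
    """Turn a comma-separated field value into a list; a dash (-) means unset."""
    if value in ("", "-"):
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def effective_env_rule(flags: int, keep: str = "-", delete: str = "-") -> Tuple[str, List[str]]:
    """Report which environment list applies: keep needs flag 16, del needs it absent."""
    keep_vars, del_vars = _split_field(keep), _split_field(delete)
    if keep_vars and del_vars:
        raise ValueError("the keep and del fields are mutually exclusive")
    decode_flags(flags)  # validate before interpreting bit 16
    if flags & 16:
        # Environment is reset: dzdo.env_delete applies, plus the keep list; del is ignored.
        return ("reset", keep_vars)
    # Unsafe variables from dzdo.env_delete are removed, plus the del list; keep is ignored.
    return ("remove_unsafe", del_vars)
```

With these helpers, decode_flags(3) reports the two properties set by the sdzcf flags 3 example above, decode_umask(740) reproduces the owner/group/other breakdown from the umask discussion, and a keep list given together with a flags value that lacks bit 16 is reported as ignored rather than silently assumed to apply.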
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a UNIX command to work with:
After you have a UNIX command stored in memory, you can use the following commands
to work with that command:
delete_dz_command deletes the selected command from Active Directory and from
memory.
set_ldap_timeout
Use the set_ldap_timeout command to set the time-out interval used by LDAP
commands. LDAP commands are ADEdit commands such as select_zone that perform
read/write operations on Active Directory through a binding. The time-out value controls
how long these commands will wait for a response before declaring a time-out and ceasing
operation.
The default value is five minutes.
Zone type
Not applicable
Syntax
set_ldap_timeout timeout_in_seconds
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument: timeout_in_seconds
Type: integer
Description: Required. Specifies the number of seconds to wait for a response from Active
Directory before ending an operation.
The default value is 300 seconds (5 minutes).
Return value
This command returns nothing if it runs successfully.
Examples
set_ldap_timeout 120
This example sets the LDAP time-out interval to 120 seconds (2 minutes).
Related commands
None.
set_object_field
Use the set_object_field command to set the value for a specified field in the currently
selected Active Directory object stored in memory. The set_object_field command does
not set a field value stored in Active Directory for this object.
If you change any fields, you must save the object using the save_object command for your
changes to take effect in Active Directory. If you select another object or end the ADEdit
session before saving the currently selected object, your changes will be lost.
The set_object_field command does not check to see if fields and values are valid. When
you save an object, Active Directory will check fields and values at that time and report an
error if they aren't valid.
Zone type
Not applicable
Syntax
set_object_field field value
Abbreviation
sof
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field that you want to set.
value
depends on field
Required. Specifies the value to assign to the specified field. The data type
depends on the specified field.
The set_object_field command does not check whether the value is valid.
Active Directory will check for valid values when ADEdit saves the object.
Return value
This command returns nothing if it runs successfully.
Examples
set_object_field sd $sdvalue
This example sets the current object's security descriptor field to the string contained in the
Tcl variable sdvalue (an SDDL string).
Related commands
The following commands enable you to view and select Active Directory objects:
get_objects performs an LDAP search of Active Directory and returns a Tcl list of the
distinguished names of objects matching the specified search criteria.
After you have an object stored in memory, you can use the following commands to work
with that object:
delete_object deletes the selected Active Directory object from Active Directory and
from memory.
delete_sub_tree deletes an Active Directory object and all of its children from Active
Directory.
get_object_field reads a field value from the currently selected Active Directory object.
remove_object_value removes a value from a multi-valued field attribute of the
currently selected Active Directory object.
save_object saves the selected Active Directory object with its current settings to Active
Directory.
set_pam_field
Use the set_pam_field command to set the value for a specified field in the currently
selected PAM application right stored in memory. The set_pam_field command does not
set a field value stored in Active Directory for this PAM application right.
If you change any fields, you must save the PAM application right using the save_pam_app
command for your changes to take effect in Active Directory. If you select another PAM
application right or end the ADEdit session before saving the currently selected PAM
application right, your changes will be lost.
You can only use the set_pam_field command if the currently selected zone is a classic4 or
hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
set_pam_field field value
Abbreviation
spf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field that you want to set. The possible
values are:
application: The name of the PAM application that is allowed to use the
adclient PAM authentication service. The name can be literal, or it can
contain ? or * wildcard characters to specify multiple applications.
description: Text describing the PAM application.
Note that in a classic zone, setting the application field changes the name of the
PAM application right. For example, assume you create a new PAM application
right in a classic zone using a command like this:
new_pam_app myftp
If you then use this command to set the application field like this:
set_pam_field application newftp
The PAM application right itself will be renamed. If you were to use the
list_pam_apps command after running the set_pam_field command,
the right would be returned as newftp:
list_pam_apps
newftp : Renamed application right
value
depends on field
Required. Specifies the value to assign to the specified field. The data type
depends on the field specified.
Return value
This command returns nothing if it runs successfully.
Examples
set_pam_field application *
This example sets the application field for the current PAM application right to allow
PAM access rights to all applications (* is the wildcard for all possible strings).
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select PAM application rights:
get_pam_apps returns a Tcl list of PAM application rights in the current zone.
list_pam_apps lists to stdout the PAM application rights in the currently selected zone.
select_pam_app retrieves a PAM application right from Active Directory and stores it in
memory.
After you have a PAM application right stored in memory, you can use the following
commands to work with that PAM application right:
delete_pam_app deletes the selected PAM application right from Active Directory and
from memory.
get_pam_field reads a field value from the currently selected PAM application right.
save_pam_app saves the selected PAM application right with its current settings to
Active Directory.
set_role_assignment_field
Use the set_role_assignment_field command to set the value for a specified field in the
currently selected role assignment stored in memory. The set_role_assignment_field
command does not set a field value stored in Active Directory for this role assignment.
If you change any fields, you must save the role assignment using the save_role_assignment
command for your changes to take effect in Active Directory. If you select another role
assignment or end the ADEdit session before saving the currently selected role assignment,
your changes will be lost.
You can only use the set_role_assignment_field command if the currently selected zone
is a classic4 or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
set_role_assignment_field field value
Abbreviation
sraf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field that you want to set. The possible
values are:
role: Sets the name of the role to assign and the zone in which the role was
defined.
The zone value is optional if the role is defined in the currently selected zone.
The zone is required if the role is defined in another zone.
from: Sets the starting date and time for the role assignment. The date and
time is expressed in standard UNIX time. The Tcl clock command manipulates
these time values. A value of 0 means no starting date and time for the role
assignment.
to: Sets the ending date and time for the role assignment.
The start and end dates and times are expressed in standard UNIX time. You
can use the Tcl clock command to manipulate these values. A value of 0
indicates no date or time is set for the role assignment.
value
depends on field
Required. Specifies the value to assign to the specified field. The data type
depends on the field specified.
Return value
This command returns nothing if it runs successfully.
Examples
set_role_assignment_field role su-root/global
This example assigns the role named su-root that is defined in the global zone.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a role assignment:
After you have a role assignment stored in memory, you can use the following commands to
work with that role assignment:
delete_role_assignment deletes the selected role assignment from Active Directory and
from memory.
set_role_field
Use the set_role_field command to set the value for a specified field in the currently
selected role stored in memory. The set_role_field command does not set a field value
stored in Active Directory for this role.
If you change any fields, you must save the role using the save_role command for your
changes to take effect in Active Directory. If you select another role or end the ADEdit
session before saving the currently selected role, your changes will be lost.
You can only use the set_role_field command if the currently selected zone is a classic4
or hierarchical zone. The command does not work in other types of zones.
Zone type
Classic and hierarchical
Syntax
set_role_field field value
Abbreviation
srf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field that you want to set. The possible
values are:
allowLocalUser: Set the value to true to allow local users to be assigned to the
role, or false if local users should not be assigned to the role. This field is not
applicable in classic zones.
AlwaysPermitLogin: Set the value to true to enable rescue rights for users
assigned to the role, or false if rescue rights should not be applied to the
role. This field is not applicable in classic zones.
auditLevel: Set the value to one of the following to specify whether auditing
is not requested, requested but not required, or required:
AuditIfPossible
AuditNotRequested
AuditRequired
This field is not applicable in classic zones.
description: Set the value to a text string that describes the role.
sysrights: Set the value to specify the system rights granted to the role. This
value is an integer from 0 to 15 that represents a combination of binary flags,
one for each right. This field is not applicable in classic zones.
timebox: Set the value to indicate the hours in the week when the role is
enabled. This value is a 42-digit hexadecimal number. When represented in
binary, each bit represents an hour of the week as described in Appendix A,
Timebox value format.
value
Required. Specifies the value to assign to the specified field. The data type and
valid values depend on the field.
Assign a dash (-) to a field to unset the field value.
You can specify the sysrights field to define the UNIX system rights that you want to grant
to the currently selected role. This field value is an integer from 0 to 15 that represents a
combination of binary flags, with one flag for each of the following UNIX system rights:
1: Password login and non-password (SSO) login are allowed.
2: Non-password (SSO) login is allowed.
4: An account disabled in Active Directory can be used by sudo, cron, etc.
8: Log in with a non-restricted shell.
These values are added together to define the sysrights field value. For example, a
sysrights value of 6 indicates that the role is configured to allow single sign-on login and to
ignore disabled accounts (2+4). A value of 15 indicates that all UNIX system rights are
enabled (1+2+4+8). If the value is greater than 15, the role has Windows system rights
assigned instead.
Return value
This command returns nothing if it runs successfully.
Examples
The following example sets the system rights for the current role to allow SSO login (2) and
to provide a full shell (8):
set_role_field sysrights 10
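The following Python script, added here as an illustration and not part of the ADEdit guide or of ADEdit itself, encodes and decodes the sysrights bit field described above. It rejects values outside 0-15 (the guide states that a value above 15 means the role carries Windows system rights instead) and produces the set_role_field command line for a chosen set of rights. The bit values and meanings are the documented ones; the short labels used for them are this example's own.

```python
"""Encode and decode the 'sysrights' bit field set with set_role_field.

Added example, not code from the Centrify ADEdit Guide. The bit values and
their meanings are those documented for set_role_field; the short labels
used as dictionary keys are this example's own (an assumption), not ADEdit
identifiers.
"""
from __future__ import annotations

# bit value -> (label, meaning from the set_role_field description)
SYSRIGHTS = {
    1: ("password_login", "Password login and non-password (SSO) login are allowed"),
    2: ("sso_login", "Non-password (SSO) login is allowed"),
    4: ("ignore_disabled", "Account disabled in Active Directory can be used by sudo, cron, etc."),
    8: ("full_shell", "Log in with non-restricted shell"),
}
MAX_UNIX_SYSRIGHTS = sum(SYSRIGHTS)  # 15: every UNIX system right set


def encode_sysrights(labels) -> int:
    """Combine right labels into the integer that set_role_field sysrights expects."""
    by_label = {label: bit for bit, (label, _) in SYSRIGHTS.items()}
    value = 0
    for label in labels:
        if label not in by_label:
            raise ValueError(f"unknown UNIX system right {label!r}; choose from {sorted(by_label)}")
        value |= by_label[label]
    return value


def decode_sysrights(value: int) -> list[str]:
    """Return the labels of the rights present in a sysrights value, lowest bit first.

    Values above 15 are not UNIX rights at all: the guide says such a role
    carries Windows system rights instead, so they are rejected here rather
    than silently masked down to four bits.
    """
    if not 0 <= value <= MAX_UNIX_SYSRIGHTS:
        raise ValueError(
            f"sysrights {value} is outside 0-{MAX_UNIX_SYSRIGHTS}; "
            "above 15 the role has Windows system rights, not UNIX ones"
        )
    return [label for bit, (label, _) in sorted(SYSRIGHTS.items()) if value & bit]


def describe_sysrights(value: int) -> list[str]:
    """Human-readable meanings, e.g. for reviewing the output of get_role_field sysrights."""
    by_label = {label: meaning for _, (label, meaning) in SYSRIGHTS.items()}
    return [by_label[label] for label in decode_sysrights(value)]


def adedit_set_sysrights(labels) -> str:
    """The ADEdit command line that grants exactly these rights to the selected role."""
    return f"set_role_field sysrights {encode_sysrights(labels)}"


if __name__ == "__main__":
    # 6 = SSO login + ignore disabled accounts, 10 = SSO login + full shell (values from the guide)
    for v in (6, 10, 15):
        print(v, decode_sysrights(v))
    print(adedit_set_sysrights(["sso_login", "full_shell"]))
```

Run the script on the value returned by get_role_field sysrights to see which rights a role actually grants before changing it; decode_sysrights raises rather than guessing when the value is not a UNIX sysrights value.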
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select roles:
After you have a role stored in memory, you can use the following commands to work with
that role:
delete_role deletes the selected role from Active Directory and from memory.
get_role_apps returns a Tcl list of the PAM applications associated with the currently
selected role.
get_role_commands returns a Tcl list of the UNIX commands associated with the
current role.
get_role_field reads a field value from the currently selected role.
list_role_rights returns a list of all UNIX commands and PAM application rights
associated with the current role.
save_role saves the selected role with its current settings to Active Directory.
set_rs_env_for_role
Use the set_rs_env_for_role command to assign a restricted shell environment to the
currently selected role that is stored in memory. Note that a role can only have one
restricted shell environment assigned to it. If you assign a new restricted shell
environment to a role, the current restricted shell environment, if one exists, will be
removed. In addition, a role cannot be defined with both privileged commands and a
restricted shell environment at the same time. If you assign a restricted shell environment to
the currently selected role, all privileged commands previously defined for the role, if
any, will be removed from the role.
The set_rs_env_for_role command does not modify the data stored in Active Directory
for the restricted shell environment. If you run this command using ADEdit without saving
the role to Active Directory, your changes do not take effect.
You can only use the set_rs_env_for_role command if the currently selected zone is a
classic4 zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
set_rs_env_for_role environment
Abbreviation
srse
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
environment
string
Required. Specifies the name of the restricted shell environment to assign to
the currently selected role.
Return value
This command returns nothing if it runs successfully.
Examples
set_rs_env_for_role rse1
This example sets the currently selected role's restricted shell environment to rse1, and
removes any existing restricted shell environment or privileged commands from the role.
Related commands
The following commands perform actions related to this command:
select_rs_env retrieves a restricted shell environment from Active Directory and stores
it in memory.
After you have a restricted shell environment stored in memory, you can use the following
commands to work with that restricted shell environment:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_rse_field reads a field value from the current restricted shell environment.
set_rsc_field
Use the set_rsc_field command to set the value for a specified field for the currently
selected restricted shell command that is stored in memory. The set_rsc_field command
does not set the field value stored in Active Directory for the selected restricted command
field.
If you change any fields, you must save the restricted shell command using the
save_rs_command command for your changes to take effect in Active Directory. If you
select another restricted shell command or end the ADEdit session before saving the
currently selected restricted shell command, your changes will be lost.
You can only use the set_rsc_field command if the currently selected zone is a classic4
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
set_rsc_field field value
Abbreviation
srscf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field whose value you want to set.
The possible values are:
description: Text describing the restricted shell command.
cmd: The restricted shell command string or strings. You can use wild
cards or a regular expression.
path: The path to the commands location. You can use wild cards or a
regular expression.
form: An integer that indicates whether the cmd and path strings use
wild cards (0) or a regular expression (1).
dzsh_runas: A list of users and groups that can run this command in a
restricted shell environment (dzsh). Users can be listed by user name
or UID.
keep: A comma-separated list of environment variables from the
current user's environment to keep.
del: A comma-separated list of environment variables from the
current user's environment to delete.
add: A comma-separated list of environment variables to add to the
final set of environment variables.
pri: An integer that specifies the command priority for the restricted
shell command object.
umask: An integer that defines who can execute the command.
flags: An integer from 0 to 31 that specifies a combination of different
properties for the command.
createTime: The time and date this command was created, returned in
generalized time format.
modifyTime: The time and date this command was last modified,
returned in generalized time format.
dn: The commands distinguished name.
value
Required. Specifies the value you want to assign to the specified field.
The data type depends on the field specified.
Assign a dash (-) to a field to unset the field value.
Setting the cmd and path field values for a restricted command
You can specify the cmd and path strings using wild cards (*, ?, and !), or as a regular
expression. If you specify the cmd and path strings using wild cards, use an asterisk (*) to
match zero or more characters, the question mark (?) to match exactly one character, or the
exclamation mark (!) to negate matching of the specified string.
For both the cmd and path fields, the form field controls whether the specified string is
interpreted as a regular expression or as a string that includes wild cards.
Specifying the environment variables for a restricted command
You can use the keep, del, and add settings to control the environment variables used by the
commands specified by the cmd string. The keep and del settings are mutually exclusive.
The keep field only takes effect if the flag 16 is included in the setting for the flags field. The
del field only takes effect if the flag 16 is not included in the setting for the flags field.
Any environment variables kept or deleted are in addition to the default set of the users
environment variables that are either retained or deleted. The default set of environment
variables to keep is defined in the dzdo.env_keep configuration parameter in the
centrifydc.conf file. The default set of environment variables to delete is defined in the
dzdo.env_delete configuration parameter in the centrifydc.conf file. You can also add
environment variables to the final set of environment variables resulting from the keep or
del fields.
Specifying the restricted command priority
You can use the pri field to specify the command priority when there are multiple matches
for the restricted shell command object specified by wild cards. If there are multiple
commands specified by this restricted shell command object, the restricted shell command
with the higher command priority prevails.
Specifying the umask value for restricted commands
You can use the umask field to define who can execute the command. The umask field
specifies a 3-digit octal value that defines read, write, or execute permission for owner,
group, and other users. The left digit defines the owner execution rights, the middle digit
defines the group execution rights, and the right digit defines other execution rights. Each
digit is a combination of binary flags, one flag for each right as follows:
4 is read
2 is write
1 is execute
You add these values together to define the rights available for each entity. For example,
a umask value of 600 indicates read and write permission (4+2) for the owner, but no
permissions for the group or other users. Similarly, a umask value of 740 indicates read,
write, and execute permissions (4+2+1) for the owner, read permission for the group, but no
permissions for other users.
You can use the flags field to define a combination of binary flags, with one flag for each of
the following properties:
1 to prevent nested command execution. If this flag value is not set, nested command
execution is allowed.
2 to require authentication with the user's password. You cannot set this flag and the 4
flag simultaneously.
4 to require authentication with the run-as user's password. You cannot set this flag and
the 2 flag simultaneously.
If you set neither the 2 flag nor the 4 flag, authentication is not required.
8 to preserve group membership. If this flag value is not set, group membership is not
preserved.
16 to reset environment variables for the command, deleting the variables specified in
the dzdo.env_delete parameter and keeping the variables specified in the keep field. If
this flag is not set, the command removes the unsafe environment variables specified in
the dzdo.env_delete parameter along with any additional environment variables
specified by the del field.
You add these values together to define the setting for the flags field. For example, a flags
field value of 5 prevents nested command execution and requires authentication using the
run-as user's password (1+4).
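Because set_rsc_field does not validate values and Active Directory reports problems only when you run save_rs_command, it is worth checking a restricted shell command's fields before saving. The following Python script, added here as an illustration and not part of the ADEdit guide or of ADEdit itself, checks the form, flags, umask, keep and del fields against the constraints described in this section (the 0-31 range, the exclusion between flags 2 and 4, and the dependence of keep and del on flag 16), and works out the environment a command would receive under the keep, del and add fields. The NAME=value form of add items, the sample user environment and the stand-ins for the dzdo.env_keep and dzdo.env_delete defaults are assumptions constructed for the example.

```python
"""Pre-save checks for restricted shell command fields set with set_rsc_field,
and the environment a command receives under the keep/del/add fields and flag 16.

Added example, not code from the Centrify ADEdit Guide and not ADEdit's own
validation. The flag values, the 0-31 range, the three-octal-digit umask and
the keep/del rules are taken from the set_rsc_field description. Assumptions
of this example: 'add' items are NAME=value, and the sample environment and
the env_keep/env_delete stand-ins below are constructed (real defaults are
read from dzdo.env_keep and dzdo.env_delete in centrifydc.conf).
"""
from __future__ import annotations

FLAG_NO_NESTED = 1     # prevent nested command execution
FLAG_AUTH_USER = 2     # require the user's own password
FLAG_AUTH_RUNAS = 4    # require the run-as user's password (exclusive with 2)
FLAG_KEEP_GROUPS = 8   # preserve group membership
FLAG_RESET_ENV = 16    # reset environment: 'keep' applies, 'del' does not
MAX_FLAGS = 31


def _csv(value) -> list[str]:
    """Split a comma-separated field value; '-' (unset) and empty items yield nothing."""
    if not value or value == "-":
        return []
    return [item.strip() for item in str(value).split(",") if item.strip()]


def validate_rsc_fields(fields: dict) -> list[str]:
    """Return the inconsistencies found; an empty list means the fields are coherent."""
    problems: list[str] = []
    form = fields.get("form")
    if form is not None and form not in (0, 1):
        problems.append(f"form must be 0 (wild cards) or 1 (regular expression), got {form!r}")
    flags = fields.get("flags")
    if flags is not None:
        if not 0 <= flags <= MAX_FLAGS:
            problems.append(f"flags must be 0-{MAX_FLAGS}, got {flags}")
        if flags & FLAG_AUTH_USER and flags & FLAG_AUTH_RUNAS:
            problems.append("flags 2 and 4 cannot both be set (user vs run-as password)")
    umask = fields.get("umask")
    if umask is not None:
        digits = str(umask)
        if len(digits) != 3 or any(d not in "01234567" for d in digits):
            problems.append(f"umask must be three octal digits such as 740, got {umask!r}")
    keep, dele = _csv(fields.get("keep")), _csv(fields.get("del"))
    if keep and dele:
        problems.append("keep and del are mutually exclusive")
    if flags is not None:
        if keep and not flags & FLAG_RESET_ENV:
            problems.append("keep has no effect unless flag 16 is set")
        if dele and flags & FLAG_RESET_ENV:
            problems.append("del has no effect while flag 16 is set")
    return problems


def resolve_environment(user_env: dict, fields: dict, default_keep, default_delete) -> dict:
    """Environment the command would run with, following the guide's description.

    Flag 16 set: keep only the default keep set plus the 'keep' field, and drop
    anything in the default delete set. Flag 16 clear: keep everything except
    the default delete set plus 'del'. 'add' items are applied last either way.
    """
    flags = fields.get("flags", 0) or 0
    if flags & FLAG_RESET_ENV:
        allowed = set(default_keep) | set(_csv(fields.get("keep")))
        env = {k: v for k, v in user_env.items() if k in allowed and k not in set(default_delete)}
    else:
        removed = set(default_delete) | set(_csv(fields.get("del")))
        env = {k: v for k, v in user_env.items() if k not in removed}
    for item in _csv(fields.get("add")):
        name, _, value = item.partition("=")  # NAME=value form is this example's assumption
        env[name] = value
    return env


# Constructed sample data for the example (not real centrifydc.conf settings).
SAMPLE_USER_ENV = {"PATH": "/usr/bin:/bin", "HOME": "/home/alice", "TERM": "xterm",
                   "EDITOR": "vi", "LD_PRELOAD": "/tmp/evil.so"}
SAMPLE_ENV_KEEP = ["PATH", "HOME", "TERM"]             # stands in for dzdo.env_keep
SAMPLE_ENV_DELETE = ["LD_PRELOAD", "LD_LIBRARY_PATH"]  # stands in for dzdo.env_delete

if __name__ == "__main__":
    fields = {"cmd": "/usr/bin/vi*", "form": 0, "flags": FLAG_NO_NESTED | FLAG_RESET_ENV,
              "keep": "EDITOR", "umask": "740"}
    print(validate_rsc_fields(fields))
    print(sorted(resolve_environment(SAMPLE_USER_ENV, fields, SAMPLE_ENV_KEEP, SAMPLE_ENV_DELETE)))
```

Running validate_rsc_fields on the values you intend to pass to set_rsc_field, and fixing anything it reports before save_rs_command, avoids discovering the error from Active Directory after the fields have already been set in memory; resolve_environment shows that with flag 16 a variable such as LD_PRELOAD is dropped even if it is not named in del.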
Return value
This command returns nothing if it runs successfully.
Examples
set_rsc_field description {This is the restricted command description}
This example sets the current restricted shell command description field to the This is
the restricted command description text string.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select the restricted shell command to
work with:
get_rs_commands returns a Tcl list of restricted shell commands in the current zone.
list_rs_commands lists to stdout the restricted shell commands in the current zone.
After you have a restricted shell command stored in memory, you can use the following
commands to work with that restricted shell command:
delete_rs_command deletes the selected command from Active Directory and from
memory.
set_rse_field
Use the set_rse_field command to set the value for a specified field in the currently
selected restricted shell environment that is stored in memory. The set_rse_field
command does not set the field value stored in Active Directory for this restricted shell
environment.
This command only sets the field value that is stored in memory. You must save the
restricted shell environment using the save_rs_env command for your changes to take
effect in Active Directory. If you select another restricted shell environment or end the
ADEdit session before saving the currently selected restricted shell environment, your
changes will be lost.
You can only use the set_rse_field command if the currently selected zone is a classic4
zone. The command does not work in other types of zones.
Zone type
Classic only
Syntax
set_rse_field field value
Abbreviation
srsef
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
field
string
Required. Specifies the name of the field whose value you want to set.
The only possible value is:
description: Text describing the restricted shell environment.
value
depends on field
Required. Specifies the value to assign to the specified field.
Return value
This command returns nothing if it runs successfully.
Examples
set_rse_field description {This string is the restricted shell description}
This example sets the description field for the current restricted shell environment to the
This string is the restricted shell description text string.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following command enables you to select the restricted shell environment to work
with:
select_rs_env retrieves a restricted shell environment from Active Directory and stores
it in memory.
After you have a restricted shell environment stored in memory, you can use the following
commands to work with its fields:
delete_rs_env deletes the current restricted shell environment from Active Directory
and from memory.
get_rse_field reads a field value from the current restricted shell environment.
set_sd_owner
Use the set_sd_owner command to set the owner of a security descriptor (SD). This
command requires you to specify the security descriptor in SDDL (security descriptor
definition language) form and the security identifier (SID) of the new owner. The command
returns the updated security descriptor in SDDL form with the new owner.
The command operates only on the string you pass to it; it does not modify any Active
Directory object. To apply the new owner to an object, store the returned string in a
variable, assign it to the object's sd field with set_object_field, and save the object with
save_object.
Zone type
Not applicable
Syntax
set_sd_owner sddl_string owner_sid
Abbreviation
sso
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
sddl_string
string
Required. Specifies the security descriptor whose owner you want to set, in
SDDL form. Enclose the string in braces so that the semicolons in the ACE
entries are not interpreted by the Tcl parser as command separators.
owner_sid
string
Required. Specifies the security identifier (SID) of the new owner, in its
string form (beginning with S-1-).
Return value
This command returns a security descriptor in SDDL format if it runs successfully. The
security descriptor contains the new owner set by the command.
Examples
This example sets a new owner for a security descriptor. The security descriptor is the long
SDDL string after the command, enclosed in braces so that the Tcl interpreter does not treat
the semicolons in it as command separators. The SID of the new owner is the much shorter
string at the end of the command.
set_sd_owner {O:DAG:DAD:AI(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RCLCRPLO;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RCLCRPLO;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RCLCRPLO;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RCLCRPLO;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;SDRCWDWOCCDCLCSWRPWPDTLOCR;;;EA)(A;CIID;LC;;;RU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA)} S-1-5-21-1076040321-332654908-468068287-1109
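The following Python functions, added here as an illustration and not part of the ADEdit guide or of ADEdit's own implementation, reproduce what set_sd_owner does to the string so that you can check the result of an ownership change before writing it back with set_object_field and save_object: they split the SDDL into its O:, G:, D: and S: components, validate the SID string (each sub-authority must fit in 32 bits, so a SID that has lost a hyphen is rejected before it reaches Active Directory) and replace the owner. The sample security descriptor and SID are constructed for the example.

```python
"""Replace the owner of a security descriptor given in SDDL form.

Added example, not code from the Centrify ADEdit Guide and not ADEdit's own
implementation of set_sd_owner. It mirrors the documented behaviour (swap
the O: component, return the updated SDDL) so the result can be inspected
before it is written back with set_object_field sd and save_object. The
sample SDDL and SID below are constructed for this example.
"""
from __future__ import annotations

import re

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$")
_ALIAS_RE = re.compile(r"^[A-Z]{2}$")  # SDDL well-known aliases such as DA, BA, EA
_MAX_SUBAUTHORITY = 2 ** 32 - 1
_MAX_AUTHORITY = 2 ** 48 - 1


def is_valid_sid(sid: str) -> bool:
    """Check the string form S-1-<authority>-<sub-authority>... that set_sd_owner takes.

    Each sub-authority is a 32-bit value. A SID that has lost a hyphen, so that
    two sub-authorities run together, exceeds that and is rejected here instead
    of being sent to Active Directory.
    """
    m = _SID_RE.match(sid)
    if not m:
        return False
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-") if s]
    return authority <= _MAX_AUTHORITY and all(s <= _MAX_SUBAUTHORITY for s in subs)


def parse_sddl(sddl: str) -> dict[str, str]:
    """Split SDDL into its O:, G:, D: and S: components.

    ACE strings and SIDs never contain a colon, so a component starts wherever
    one of the four letters is immediately followed by ':'.
    """
    components: dict[str, str] = {}
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        key, sep, value = part.partition(":")
        if sep != ":" or key not in ("O", "G", "D", "S") or key in components:
            raise ValueError(f"malformed SDDL near {part[:24]!r}")
        components[key] = value
    return components


def build_sddl(components: dict[str, str]) -> str:
    """Reassemble the components in the canonical O, G, D, S order."""
    return "".join(f"{key}:{components[key]}" for key in "OGDS" if key in components)


def set_sd_owner(sddl: str, owner_sid: str) -> str:
    """Return sddl with its owner set to owner_sid (a SID string or a two-letter alias)."""
    if not (is_valid_sid(owner_sid) or _ALIAS_RE.match(owner_sid)):
        raise ValueError(f"owner must be a SID or SDDL alias, got {owner_sid!r}")
    components = parse_sddl(sddl)
    if not components:
        raise ValueError("empty security descriptor")
    components["O"] = owner_sid
    return build_sddl(components)


# Constructed sample: owner and group are Domain Admins (DA), three plain ACEs.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RCWDWOCCDCLCSWRPWPLOCR;;;DA)"
               "(A;;RCLCRPLO;;;AU)(A;CIID;SDRCWDWOCCLCSWRPWPLOCR;;;BA)")
SAMPLE_OWNER = "S-1-5-21-1076040321-332654908-468068287-1109"

if __name__ == "__main__":
    updated = set_sd_owner(SAMPLE_SDDL, SAMPLE_OWNER)
    print(updated)
    print("new owner:", parse_sddl(updated)["O"])
```

Only the O: component changes; the group, DACL and any SACL are carried through unchanged, which is what to verify on the string ADEdit returns before assigning it to the object's sd field.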
Related commands
The following commands perform actions related to this command:
set_user_password
Use the set_user_password command to set a new password for an Active Directory user
or computer in Active Directory.
Zone type
Not applicable
Syntax
set_user_password UPN password
Abbreviation
sup
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
UPN
string
Required. Specifies the user principal name (UPN) of the user or computer
whose password will be reset.
password
string
Required. Specifies the new password. Enclose the password in braces if it
contains characters that the Tcl interpreter would otherwise interpret, such as
$, [, ; or spaces.
Return value
This command returns nothing if it runs successfully.
Examples
set_user_password adam.avery@acme.com {B4uC$work}
This example sets the password for the user adam.avery@acme.com. The braces prevent the
Tcl interpreter from treating $work as a variable reference.
Related commands
None.
set_zone_computer_field
Use the set_zone_computer_field command to set the value for a specified field in the
currently selected zone computer stored in memory. The set_zone_computer_field
command does not set a field value stored in Active Directory for this zone computer.
If you change any fields, you must save the zone computer using the save_zone_computer
command for your changes to take effect in Active Directory. If you select another zone
computer or end the ADEdit session before saving the currently selected zone computer,
your changes will be lost.
Zone type
Classic and hierarchical
Syntax
set_zone_computer_field field value
Abbreviation
szcf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field whose value you want to set. The
possible values are:
cpus: Set to a positive integer for the number of CPUs in the computer.
enabled: Set to 1 if the zone computer is enabled in the zone, or 0 if not.
value
depends on field
Required. Specifies the value to assign to the specified field.
Return value
This command returns nothing if it runs successfully.
Examples
set_zone_computer_field cpus 2
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and manage the zone computers:
get_zone_computers returns a Tcl list of the Active Directory names of all zone
computers in the current zone.
After you have a zone computer stored in memory, you can use the following commands to
work with that zone computer:
delete_zone_computer deletes the zone computer from Active Directory and from
memory.
set_zone_field
Use the set_zone_field command to set the value for a specified field in the currently
selected zone stored in memory. The set_zone_field command does not set a field value
stored in Active Directory for the selected zone.
If you change any fields, you must save the zone using the save_zone command for your
changes to take effect in Active Directory. If you select another zone or end the ADEdit
session before saving the currently selected zone, your changes will be lost.
This command is not applicable if the currently selected zone is a classic-computer zone.
You cannot set zone field values for classic-computer zones.
Zone type
Classic and hierarchical
Syntax
set_zone_field field value
Abbreviation
szf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field that you want to set. The possible
values are:
parent: Sets the distinguished name of this zone's parent zone. This field is
only valid if the current zone is a hierarchical zone.
computers: Sets the UPN of the computer group assigned to the selected
computer role. This field is only valid if the current zone is a computer role.
nisdomain: Sets the name of the NIS domain for NIS clients to use. If this field
is not set, the default is the zone name.
sfudomain: Sets the Windows domain name for the SFU zone. This field is
only valid if the current zone is a Services for UNIX zone.
uidnext: Sets the next UID to use when auto-assigning UID numbers to new
users created in the zone. Auto-assignment is deprecated. This field is only
valid if the current zone is a classic zone.
uidreserved: Sets the UID number or range of numbers (1-100, for example)
that are reserved.
defaultgid: Sets the default primary group to assign when a new user is
created. The value can be a GID value or include variables.
defaultgecos: Sets the default GECOS data to assign when a new user is
created. The value can be a string or include variables.
defaulthome: Sets the default home directory to assign when a new user is
created. The value can be a string that defines the path or include variables.
defaultshell: Sets the default shell to assign when a new user is created. The
value can be a string that defines the shell or include variables.
availableshells: Sets the shells available to choose from when adding a new
user to the zone. The value is a list of shell commands, separated by colons (:).
For example, /bin/bash:/bin/csh:/bin/ksh.
gidnext: Sets the next GID to use when auto-assigning GID numbers to new
groups created in the zone. Auto-assignment is deprecated. This field is only
valid if the current zone is a classic zone.
gidreserved: Sets the GID number or range of numbers (1-100) that are
reserved. This field is only valid if the current zone is a classic zone.
nssvar: Sets the NSS substitution variable to add to the zone's list of
substitution variables using the form variablename=value. To remove a
variable from the zone's substitution variable list, specify nothing on the right
side of the equals sign (variablename=).
This field is only valid if the current zone is a hierarchical zone.
value
Required. Specifies the value to assign to the specified field. The data type
depends on the field specified.
Assign a dash (-) to a field to unset the field value.
Return value
This command returns nothing if it runs successfully.
Examples
The following example sets the computer group associated with the currently selected
computer role to linux_machines in the domain acme.com:
set_zone_field computers linux_machines@acme.com
The following example sets the parent zone of the current zone to global in the domain
acme.com:
szf parent CN=global,CN=zones,CN=Centrify,CN=Program Data,DC=acme,DC=com
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone to work with:
After you have a zone stored in memory, you can use the following commands to work with
that zone:
delete_zone deletes the selected zone from Active Directory and memory.
get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
get_zone_nss_vars returns the NSS substitution variable for the selected zone.
save_zone saves the selected zone with its current settings to Active Directory.
set_zone_group_field
Use the set_zone_group_field command to set the value for a specified field in the
currently selected zone group stored in memory. The set_zone_group_field command
does not set a field value stored in Active Directory for the selected zone group.
If you change any fields, you must save the zone group using the save_zone_group
command for your changes to take effect in Active Directory. If you select another zone
group or end the ADEdit session before saving the currently selected zone group, your
changes will be lost.
Zone type
Classic and hierarchical
Syntax
set_zone_group_field field value
Abbreviation
szgf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field that you want to set. The possible
values are:
name: Sets the text string for the group name.
gid: Sets the numeric identifier for the group (GID).
required: Specifies whether the zone group is required. Set the value to 1, y,
or Y if the group is required. Any other value is interpreted as not required.
If a group is required, users cannot remove the group from their active set of
groups.
value
depends on field
Required. Specifies the value to assign to the specified field. The data type
depends on the field specified.
Assign a dash (-) to a field to unset the field value.
Return value
This command returns nothing if it runs successfully.
Examples
set_zone_group_field name managers
This example sets the current zone group's UNIX group name to managers.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select zone groups:
get_zone_groups returns a Tcl list of the Active Directory names of all zone groups in
the current zone.
After you have a zone group stored in memory, you can use the following commands to
work with that zone group:
delete_zone_group deletes the selected zone group from Active Directory and from
memory.
set_zone_user_field
Use the set_zone_user_field command to set the value for a specified field in the
currently selected zone user stored in memory. The set_zone_user_field command does
not set a field value stored in Active Directory for this zone user.
If you use ADEdit to change any field, you must save the zone user using the
save_zone_user command for your changes to take effect in Active Directory. If you select
another zone user or end the ADEdit session before saving the currently selected zone user,
your changes will be lost.
Zone type
Classic and hierarchical
Syntax
set_zone_user_field field value
Abbreviation
szuf
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
field
string
Required. Specifies the name of the field you want to set. The possible values are:
uname: Sets the text string to use for the UNIX user name.
If you are setting this field in a Service for UNIX (SFU) zone, this name must be
unique among all the SFU zones. If you duplicate a user name that exists in
another SFU zone, that user will be moved to the currently selected SFU zone
when you save the zone user.
uid: Sets the numeric identifier for the user (UID).
gid: Sets the numeric identifier for the user's primary group (GID).
Set the value to 0x80000000 to indicate a private group (the user's UID is
used as the GID).
gecos: Sets the text string to use for the user's GECOS field.
home: Sets the text string that specifies the user's home directory.
shell: Sets the text string that specifies the user's default shell type.
enabled: Specifies whether user is enabled or not. This field is only valid in
classic zones. You can specify a value of 1, true, Y, or y to indicate that the user
is enabled for the zone. All other values specify disabled.
value
Required. Specifies the value to assign to the specified field. The data type
depends on the field specified.
Assign a dash (-) to a field to unset the field value.
Return value
This command returns nothing if it runs successfully.
Examples
set_zone_user_field uname buzz
This example sets the current zone user's UNIX user name to buzz.
set_zone_user_field gid 0x80000000
This example sets the current zone user's primary GID to the same value as the user's UID.
Related commands
Before you use this command, you must have a currently selected zone stored in memory.
The following commands enable you to view and select a zone user:
get_zone_users returns a Tcl list of the Active Directory names of all zone users in the
current zone.
list_zone_users lists to stdout the zone users and their NSS data in the current zone.
select_zone_user retrieves a zone user from Active Directory and stores it in memory.
After you have a zone user stored in memory, you can use the following commands to work
with that zone user:
delete_zone_user deletes the selected zone user from Active Directory and from
memory.
get_zone_user_field reads a field value from the currently selected zone user.
save_zone_user saves the selected zone user with its current settings to Active
Directory.
show
Use the show command to display the current context of ADEdit. The command shows the
domains ADEdit is bound to, the objects that are currently selected, and all available data
for each selected object as it is stored in memory.
You should note that the command returns stored object data as it currently exists in
memory. If you use ADEdit commands to change objects, but have not yet saved the data
back to Active Directory, the information returned by the show command will not match
the object data stored in Active Directory.
Zone type
Not applicable
Syntax
show [all|bind|zone|user|computer|assignment|object|group|pamright|dzcommand|nismap|role|license|rse|rscommand]
Abbreviation
None.
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
You can limit the information returned by specifying one of the following
arguments. If no argument is supplied, the default is all.
all returns the complete context of ADEdit: all of its current bindings and all
currently selected objects in memory.
bind returns ADEdit's currently bound domains and the server bound in each
domain.
zone returns the currently selected zone.
user returns the currently selected user object.
computer returns the currently selected zone computer.
assignment returns the currently selected role assignment.
object returns the currently selected Active Directory object.
group returns the currently selected zone group.
pamright returns the currently selected PAM application right.
dzcommand returns the currently selected UNIX command.
nismap returns the currently selected NIS map.
role returns the currently selected role.
license returns the forest list where valid licenses have been found (it only
reports the forests that have been queried).
rse returns the currently selected restricted shell environment.
rscommand returns the currently selected restricted shell command.
Return value
This command returns domain bindings and/or object data, depending on the supplied
argument.
Examples
show
This example returns information about all bound domains and selected objects, similar to this:
Bindings:
acme.com: calla.acme.com
Current zone:
CN=global,CN=Zones,CN=Centrify,CN=Program Data,DC=acme,DC=com
Current nss user:
adam.avery@acme.com:adam:10001:10001:%{u:samaccountname}:%{home}/%{user}:%{shell}:
Related commands
None.
sid_to_escaped_string
Use the sid_to_escaped_string command to specify a security identifier (SID) and have it
converted to an escaped string format that works in an LDAP filter.
Zone type
Not applicable
Syntax
sid_to_escaped_string sid
Abbreviation
stes
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
sid
string
Return value
This command returns an escaped string form of the supplied security identifier.
Examples
sid_to_escaped_string S-1-5-21-2076040321-3326545908-468068287-1157
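The byte layout behind this conversion, shown as an added Python example that is not ADEdit code and not part of this guide: a textual SID is packed into the binary form Active Directory stores in objectSid (1-byte revision, 1-byte sub-authority count, 6-byte big-endian identifier authority, then each sub-authority as 4 little-endian bytes), and every byte is written as a \XX escape so the value can be placed inside an LDAP filter. The function names are the example's own; the SID is the one from the example above.

```python
"""Convert a textual SID to the byte-escaped form an LDAP filter expects."""
import re

# Textual SID grammar: S-<revision>-<identifier authority>-<sub-authority>...
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID string in the binary layout Windows uses for objectSid.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then each sub-authority as 4 bytes little-endian.
    """
    m = _SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or not 1 <= len(subs) <= 15:
        raise ValueError(f"unsupported SID: {sid!r}")
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"SID component out of range: {sid!r}")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += s.to_bytes(4, "little")
    return out


def sid_to_escaped_string(sid: str) -> str:
    """Render the binary SID as \\XX escapes for use inside an LDAP filter.

    RFC 4515 requires non-printable and reserved bytes in a filter assertion
    value to be written as a backslash plus two hex digits; escaping every
    byte is the simplest safe choice. Hex case does not matter to LDAP.
    """
    return "".join(f"\\{b:02x}" for b in sid_to_bytes(sid))


def objectsid_filter(sid: str) -> str:
    """Equality filter on objectSid, the kind of search principal_from_sid performs."""
    return f"(objectSid={sid_to_escaped_string(sid)})"


if __name__ == "__main__":
    print(objectsid_filter("S-1-5-21-2076040321-3326545908-468068287-1157"))
```

Building the filter through this function rather than by string concatenation is also the safe way to avoid LDAP filter injection when the SID comes from untrusted input: anything that does not match the SID grammar is rejected before it reaches the filter.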
Related commands
The following commands perform actions related to this command:
principal_from_sid searches Active Directory for a security identifier and returns the
security principal associated with the security identifier.
sid_to_uid
Use the sid_to_uid command to specify a security identifier (SID) of an Active Directory
user to look up the Active Directory user in Active Directory. This command converts the
user's security identifier to a numeric identifier for the user ID (the UID value). This
conversion process is the same process used to generate UIDs for Centrify Express users or
when you use Auto Zone to automatically generate UIDs for users.
Zone type
Not applicable
Syntax
sid_to_uid sid
Abbreviation
stu
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
sid
string
Return value
This command returns a numeric user ID.
Examples
sid_to_uid S-1-5-21-2076040321-3326545908-468068287-1157
Related commands
The following commands perform actions related to this command:
principal_from_sid searches Active Directory for an SID and returns the security
principal associated with the SID.
validate_license
Use the validate_license command to specify a path to the Centrify license container and
determine if there is a valid license. If there is a valid license, the command stores an
indicator in the ADEdit current context. If the command does not find a valid license, it
reports an error and exits.
ADEdit requires a valid license before a zone is created. The create_zone and
create_computer_role commands do an implicit search for a valid license. For example,
you can call create_zone and let it attempt to find the container and validate the license. If
that command fails to find a valid license, use validate_license to validate the license
container from an explicit path.
You can call the validate_license command multiple times. Successive indicators take
precedence. The command writes a separate indicator for each forest; that is, each license
is valid for a forest. You can use the show license command to see the list of forests that have
been found to have a valid license.
Do not call validate_license before you bind to the domain.
The validate_license context is deleted when ADEdit exits.
Zone type
Not applicable
Syntax
validate_license path
Abbreviation
vl
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
path
string
Required. Specifies the license container's distinguished name (DN).
Return value
This command returns nothing.
Examples
validate_license CN=Licenses,OU=Centrify,DC=acme,DC=com
Related commands
The following commands perform actions related to this command:
show with the license option lists all forests that have a valid license.
Chapter 6
add_user_to_group
Use the add_user_to_group command to add an Active Directory user to an Active
Directory group.
Syntax
add_user_to_group user group
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
user
string
Required. Specifies the user principal name (UPN) of the Active Directory user to
add.
group
string
Required. Specifies the UPN of the Active Directory group to which to add the
user.
Return value
This command returns nothing if it runs successfully.
Examples
add_user_to_group adam.avery@acme.com pubs@acme.com
create_aduser creates a new Active Directory user account and sets its password.
create_adgroup creates a new Active Directory group account and specifies its scope.
create_user creates a new zone user based on an existing Active Directory user, assigns
field values to the new user, and saves the new user to Active Directory.
create_group creates a new zone group based on an existing Active Directory group,
assigns it a UNIX name and group ID, and saves the new group to Active Directory.
remove_user_from_group removes an Active Directory user from an Active Directory
group.
convert_msdate
Use the convert_msdate command to specify a Microsoft date value from an Active
Directory object field such as pwdLastSet and convert it into a human-readable form.
Syntax
convert_msdate msdate
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
msdate
string
Return value
This command returns the day of the week, the day of the month, the time of day using a
24-hour clock, the time zone, and the year.
Examples
convert_msdate [get_object_field pwdLastSet]
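What a "Microsoft date" is and how the conversion works, as an added Python example rather than ADEdit code: pwdLastSet, lastLogonTimestamp and accountExpires hold Windows FILETIME values, counts of 100-nanosecond intervals since 1 January 1601 UTC, with 0 and 0x7FFFFFFFFFFFFFFF used as sentinels (unset, never). The function names, the sample values and the password-age check are the example's own.

```python
"""Convert Active Directory 'Microsoft date' values (Windows FILETIME) to datetimes."""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Largest positive signed 64-bit value; AD stores it in accountExpires to mean "never".
_NEVER = 0x7FFFFFFFFFFFFFFF


def convert_msdate(msdate):
    """Return a timezone-aware datetime, or None for the sentinels 0 and 'never'.

    msdate may be an int or the decimal string an LDAP read returns.
    pwdLastSet == 0 means "must change password at next logon"; accountExpires
    of 0 or 0x7FFFFFFFFFFFFFFF means no expiry. Both come back as None rather
    than as a misleading year-1601 or year-30828 date.
    """
    value = int(msdate)
    if value < 0:
        raise ValueError("FILETIME values are non-negative")
    if value == 0 or value >= _NEVER:
        return None
    # timedelta resolves microseconds, so the 100-ns remainder is dropped.
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_msdate(dt):
    """Inverse conversion, e.g. to compare an attribute against the current time."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def format_msdate(msdate):
    """Readable form in the spirit of ADEdit's output: weekday, date, 24h time, zone, year."""
    value = int(msdate)
    if value == 0:
        return "unset (0)"
    if value >= _NEVER:
        return "never"
    return convert_msdate(value).strftime("%a %b %d %H:%M:%S %Z %Y")


def password_age_days(pwd_last_set, now_msdate=None):
    """Days since the password was set; None if it was never set. Handy for stale-credential audits."""
    set_at = convert_msdate(pwd_last_set)
    if set_at is None:
        return None
    if now_msdate is None:
        now_msdate = datetime_to_msdate(datetime.now(timezone.utc))
    return (convert_msdate(now_msdate) - set_at).days


if __name__ == "__main__":
    # Constructed sample: the FILETIME of the Unix epoch, 1970-01-01 00:00:00 UTC.
    print(format_msdate(116444736000000000))
```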
create_adgroup
Use the create_adgroup command to create a new Active Directory group account with a
specified distinguished name (DN), sAMAccountName, and group scope.
Syntax
create_adgroup dn sam gscope
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
dn
string
sam
string
gscope
string
Required. Specifies the scope for the new group. The possible values are:
global
universal
local (for Domain local)
Return value
This command returns nothing if it runs successfully.
Examples
create_adgroup {CN=pubs,CN=Users,DC=acme,DC=com} pubs global
This example creates the group pubs with a global scope in the Active Directory Users
container.
create_adgroup {CN=ApacheAdmins,OU=Unix Groups,OU=Centrify,DC=acme,DC=com} pubs global
This example creates the group ApacheAdmins in the organizational unit Unix Groups,
which is in the organizational unit Centrify.
create_aduser creates a new Active Directory user account and sets its password.
create_user creates a new zone user based on an existing Active Directory user, assigns
field values to the new user, and saves the new user to Active Directory.
create_group creates a new zone group based on an existing Active Directory group,
assigns it a UNIX name and group ID, and saves the new group to Active Directory.
add_user_to_group adds an Active Directory user to an Active Directory group.
remove_user_from_group removes an Active Directory user from an Active Directory
group.
create_aduser
Use the create_aduser command to create a new Active Directory user account with a
specified distinguished name (DN), user principal name (UPN), sAMAccountName, and
password.
Syntax
create_aduser dn upn sam pw
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
dn
string
upn
string
sam
string
pw
string
Return value
This command returns nothing if it runs successfully.
Examples
create_aduser {CN=ulysses urkham,CN=Users,DC=acme,DC=com} ulysses.urkham@acme.com ulysses.urkham {5$6fEr2B}
create_adgroup creates a new Active Directory group account and specifies its scope.
create_user creates a new zone user based on an existing Active Directory user, assigns
field values to the new user, and saves the new user to Active Directory.
create_group creates a new zone group based on an existing Active Directory group,
assigns it a UNIX name and group ID, and saves the new group to Active Directory.
add_user_to_group adds an Active Directory user to an Active Directory group.
remove_user_from_group removes an Active Directory user from an Active Directory
group.
create_assignment
Use the create_assignment command to create a new role assignment and save it to
Active Directory.
Syntax
create_assignment upn role[/zonename]
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
upn
string
Required. Specifies the user principal name of the Active Directory user or group
to whom to assign the role.
role[/zonename]
string
Required. Specifies the name of the role to assign and (optional) the name of
the zone in which the role is assigned.
If the zone name is present, a slash (/) separates the role name and the zone
name. If the zone name isn't present, the role assignment occurs in the currently
selected zone.
Return value
This command returns nothing if it runs successfully.
Examples
create_assignment ulysses.urkham@acme.com servicereps/support
This example creates a role assignment that assigns the role servicereps to user Ulysses
Urkham in the zone support.
create_dz_command
Use the create_dz_command command to create a new UNIX privileged command in the
currently selected zone.
Syntax
create_dz_command name command description form dzdo_runas dzsh_runas pri
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
name
string
command
string
Required. Specifies the UNIX command string or strings. You can use wild cards
or a regular expression.
description
string
form
integer
Optional. Specifies whether the command and path strings use wild cards (0) or
a regular expression (1).
dzdo_runas
string
Optional. Specifies the list of users and groups that can run this command under
dzdo (similar to sudo). Users can be listed by user name or UID.
dzsh_runas
string
Optional. Specifies the list of users and groups that can run this command in the
restricted shell environment (dzsh). Users can be listed by user name or UID.
flags
integer
pri
integer
Optional. Specifies the command priority for the restricted shell command
object.
For more information about setting this field, see Specifying the command
priority on page 281.
umask
integer
Optional. Specifies an integer that defines who can execute the command.
For more information about setting this field, see Specifying the umask value
on page 281.
path
string
Optional. Specifies the path to the command's location. You can use wild cards,
a regular expression, or one of the following keywords:
USERPATH sets the command path to the equivalent of the Standard user
path option.
SYSTEMPATH sets the command path to the equivalent of the Standard system
path option.
SYSTEMSEARCHPATH sets the command path to the equivalent of the System
search path option.
If you don't specify this argument, the default is USERPATH.
Return value
This command returns nothing if it runs successfully.
Examples
create_dz_command testvi vi {Test UNIX command vi} {} {sfapps:perez,cody} {} {16}
create_group
Use the create_group command to create a new zone group for the currently selected
zone. This command creates the new group based on an existing Active Directory group. It
also assigns the new group a new UNIX profile that includes the UNIX group name and the
UNIX group numeric identifier (GID).
Syntax
create_group upn name gid
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
upn
string
Required. Specifies the user principal name of the Active Directory group to use
as the basis for the new zone group.
name
string
Required. Specifies the UNIX group name of the new zone group.
For hierarchical zones only, specifying - unsets the name value.
gid
string
Required. Specifies the UNIX group ID to assign to the new zone group.
For hierarchical zones only, specifying - unsets the gid value.
Return value
This command returns nothing if it runs successfully.
Examples
create_group pubs@acme.com pubs 1094
create_aduser creates a new Active Directory user account and sets its password.
create_adgroup creates a new Active Directory group account and specifies its scope.
create_user creates a new zone user based on an existing Active Directory user, assigns
field values to the new user, and saves the new user to Active Directory.
add_user_to_group adds an Active Directory user to an Active Directory group.
remove_user_from_group removes an Active Directory user from an Active Directory
group.
create_nis_map
Use the create_nis_map command to create a new NIS map in the currently selected zone.
Syntax
create_nis_map map key:value comment
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
map
string
key
string
value
string
comment
string
Return value
This command returns nothing if it runs successfully.
Examples
create_nis_map animals {{cat:1 {The cat says "Mew\!".}} {cow:1 {The cow says "Moo\!".}}}
create_pam_app
Use the create_pam_app command to create a new PAM application access right in the
currently selected zone.
Syntax
create_pam_app name application description
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
name
string
Required. Specifies the name to assign to the new PAM application access right.
application
string
Required. Specifies the name of the PAM application that is allowed to use the
adclient PAM authentication service. The name can be literal, or it can
Therefore, in a classic zone, you should always specify the same string for the
name and application arguments. In a hierarchical zone, you can specify
different strings for the arguments.
description
string
Return value
This command returns nothing if it runs successfully.
Examples
create_pam_app testvi vi {Test UNIX command vi}
create_role
Use the create_role command to create a new role definition in the currently selected
zone.
Syntax
create_role name description sysrights pamrights cmdrights allowlocal rsenv
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
name
string
description
string
sysrights
integer
Specifies the system rights granted to the role. This value is an integer from 0 to
15 that represents a combination of binary flags, one for each right. This field is
not applicable in classic zones.
pamrights[/zonename]
string
Specifies the PAM application rights to add to the currently selected role.
If the PAM application right that you want to add is defined in the current zone,
the zonename argument is optional. If the PAM application right is defined in a
zone other than the currently selected zone, the zonename argument is
required to identify the specific PAM application right to add.
cmdrights[/zonename]
string
Specifies the UNIX command rights to add to the currently selected role.
If the UNIX command right that you want to add is defined in the current zone,
the zonename argument is optional. If the UNIX command right is defined in a
zone other than the currently selected zone, the zonename argument is
required to identify the specific UNIX command right to add.
allowlocal
Boolean
Specifies whether local users can be assigned to the role. If this argument is
specified, local users can be assigned to the role.
This argument is only applicable if the zone is a hierarchical zone.
rsenv
string
Specifies a restricted shell environment for the role you are creating.
This argument is only applicable if the zone is a classic zone.
Return value
This command returns nothing if it runs successfully.
Examples
create_role dba {Database admins - US} 11 {{oracle} {ftp}} {{testvi} {ora-stp}}
create_rs_command
Use the create_rs_command command to create a new restricted shell command for the
currently selected restricted shell environment.
Syntax
create_rs_command rsc_name cmd description form dzsh_runas flags pri umask path
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
rsc_name
string
cmd
string
Required. Specifies the restricted shell command string or strings. You can use
wild cards or a regular expression.
description
string
form
integer
Optional. Indicates whether the cmd and path strings use wild cards (0) or a
regular expression (1).
dzsh_runas
string
Optional. Specifies the list of users and groups that can run this command in a
restricted shell environment (dzsh). Users can be listed by user name or UID.
flags
string
pri
integer
Optional. Specifies the command priority for the restricted shell command
object.
For more information about setting this field, see Specifying the restricted
command priority on page 296.
umask
integer
Optional. Specifies an integer that defines who can execute the command.
For more information about setting this field, see Specifying the umask value
for restricted commands on page 296.
path
string
Optional. Specifies the path to the restricted command. You can use wild cards,
a regular expression, or one of the following keywords:
USERPATH sets the command path to the equivalent of the Standard user
path option.
SYSTEMPATH sets the command path to the equivalent of the Standard system
path option.
SYSTEMSEARCHPATH sets the command path to the equivalent of the System
search path option.
If you don't specify this argument, the default is USERPATH.
Return value
This command returns nothing if it runs successfully.
Examples
create_rs_command test_id id {Sample restricted command description}
create_rs_env
Use the create_rs_env command to create a new restricted shell environment for the
currently selected zone.
Syntax
create_rs_env rse_name rse_description
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
rse_name
string
rse_description
string
Optional. Specifies the description for the new restricted shell environment.
Return value
This command returns nothing if it runs successfully.
Examples
create_rs_env restrictedenv {This is a restricted shell environment}
create_user
Use the create_user command to create a new zone user for the currently selected zone.
This command creates the new user based on an existing Active Directory user. It also
assigns the new user a new UNIX profile that includes the user name, user ID, primary
group ID, GECOS data, home directory, shell type, and role (or in classic zones whether
the user is enabled or disabled).
You can assign the new user a role in a non-classic zone or you can enable or disable the new
user in a classic zone. In a non-classic zone, create_user uses whatever role you specify to
create a new role assignment object that links the new zone user to the specified role.
Syntax
create_user UPN uname uid gid gecos home shell role
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
UPN
string
Required. Specifies the user principal name of the Active Directory user to use as
the basis for the new zone user.
uname
string
uid
string
gid
string
gecos
string
Required. Specifies the GECOS value (new user account information) for the new
zone user.
For hierarchical zones, you can specify a dash (-) for this argument if you don't
want to set the GECOS value.
You can't set the GECOS value if the currently selected zone is a classic zone.
home
string
Required. Specifies the home directory for the new zone user.
For hierarchical zones, you can specify a dash (-) for this argument if you don't
want to set the home directory.
shell
string
Required. Specifies the shell type for the new zone user.
For hierarchical zones, you can specify a dash (-) for this argument if you don't
want to set the shell type.
role
string or Boolean value
Required.
For classic zones, this argument determines whether to enable or disable the
new zone user. A value of 1, Y, or y enables the user. Any other value disables the
user.
For hierarchical zones, this argument identifies the role to assign to the new
zone user. You can specify a dash (-) for this argument if you don't want to set
the role. However, a role must be assigned before the new zone user has access
to computers in hierarchical zones.
Return value
This command returns nothing if it runs successfully.
Examples
create_user ulysses.urkham@acme.com ulysses 1005 - - %{home}/%{user} %{shell} -
This example creates a zone user ulysses based on the Active Directory user
ulysses.urkham@acme.com. It sets a UID, does not set a GID or GECOS value by using
dashes, sets home and shell values, and does not set a role value (specified by using a dash).
create_aduser creates a new Active Directory user account and sets its password.
create_adgroup creates a new Active Directory group account and specifies its scope.
create_group creates a new zone group based on an existing Active Directory group,
assigns it a UNIX name and group ID, and saves the new group to Active Directory.
add_user_to_group adds an Active Directory user to an Active Directory group.
remove_user_from_group removes an Active Directory user from an Active Directory
group.
decode_timebox
Use the decode_timebox command to convert an internal timebox value that defines when
a role is enabled or disabled into a format that can be evaluated. The command converts the
internal hexadecimal value for a role timebox to a hexadecimal timebox value format as
described in Appendix A, Timebox value format.
The command returns a 168-bit value in hexadecimal format that delineates the hours of
the week from midnight Sunday to 11 PM Saturday in order from most-significant bit to
least-significant bit. If a bit is set to 1, its corresponding hour is enabled for the role. If set to
0, its corresponding hour is disabled.
This command is useful for deciphering the value returned by the get_role_field for the
timebox field.
Syntax
decode_timebox strTimeBox
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
strTimeBox
hex
A 42-digit hexadecimal timebox value. A value of zero disables all hours of the
week. A value of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF enables all
hours of the week.
Return value
This command returns a decoded hexadecimal value that is the timebox value for a role.
Examples
>select_role test1
>get_role_field timebox
FFF7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>package require ade_lib
1.0
>decode_timebox [grf timebox]
This example returns the decoded 42-digit hexadecimal value, which indicates that the
role is disabled from midnight to one on Sunday:
7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
modify_timebox defines an hour of the week and enables or disables that hour in the
timebox value.
encode_timebox
Use the encode_timebox command to convert a human-readable timebox value that defines
when a role is enabled or disabled to the internal timebox value format.
The command converts the hexadecimal timebox value format described in Appendix A,
Timebox value format to the internal hexadecimal value for a role. The command accepts
a 168-bit value in hexadecimal format that delineates the hours of the week from midnight
Sunday to 11 PM Saturday from most-significant bit to least-significant bit. If a bit is set to
1, its corresponding hour is enabled for the role. If set to 0, its corresponding hour is
disabled.
This command is useful for setting the timebox field with the set_role_field command.
Syntax
encode_timebox strTimeBox
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
strTimeBox
hex
A 42-digit hexadecimal timebox value. A value of zero disables all hours of the
week. A value of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF enables all
hours of the week.
Return value
This command returns an encoded hexadecimal value that is the internal timebox value for a role.
Examples
>package require ade_lib
>set tb 7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>encode_timebox $tb
This example returns the encoded 42-digit hexadecimal value, which indicates that the
role is disabled from midnight to one on Sunday:
FFF7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
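The human-readable 168-bit format that decode_timebox produces and encode_timebox consumes, worked through as an added Python example (not ADEdit code; the internal value the two commands translate to and from is not documented on this page and is not reproduced). The code parses a 42-digit value into enabled (day, hour) slots, rebuilds a value from a schedule, and lists the disabled hours so a role's availability window can be reviewed. Function names and the Monday-to-Friday business-hours policy are the example's own; the 7FFF... value is the one from the two examples above.

```python
"""Read and write the 42-hex-digit timebox format used by decode_timebox and
encode_timebox: one bit per hour of the week, Sunday 00:00 in the most
significant bit, Saturday 23:00 in the least significant bit."""

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
HOURS_PER_WEEK = 7 * 24                 # 168 bits
TIMEBOX_DIGITS = HOURS_PER_WEEK // 4    # 42 hex digits


def parse_timebox(hex_value: str) -> set:
    """Return the set of enabled (day, hour) slots, with day 0 = Sunday.

    Slot i = day*24 + hour is enabled when bit (167 - i) of the value is 1.
    """
    hex_value = hex_value.strip()
    if len(hex_value) != TIMEBOX_DIGITS:
        raise ValueError(f"timebox must be {TIMEBOX_DIGITS} hex digits, got {len(hex_value)}")
    bits = int(hex_value, 16)           # raises ValueError on non-hex characters
    return {(i // 24, i % 24) for i in range(HOURS_PER_WEEK)
            if bits >> (HOURS_PER_WEEK - 1 - i) & 1}


def build_timebox(enabled) -> str:
    """Inverse of parse_timebox: (day, hour) slots -> 42 uppercase hex digits."""
    bits = 0
    for day, hour in enabled:
        if not (0 <= day < 7 and 0 <= hour < 24):
            raise ValueError(f"bad slot {(day, hour)}")
        bits |= 1 << (HOURS_PER_WEEK - 1 - (day * 24 + hour))
    return f"{bits:0{TIMEBOX_DIGITS}X}"


def disabled_hours(hex_value: str) -> list:
    """Readable list of the hours in which the role is NOT available, for review."""
    enabled = parse_timebox(hex_value)
    return [f"{DAYS[d]} {h:02d}:00"
            for d in range(7) for h in range(24) if (d, h) not in enabled]


def business_hours_timebox(start=8, end=18) -> str:
    """Constructed policy: enable Monday to Friday, start <= hour < end, nothing else."""
    return build_timebox({(d, h) for d in range(1, 6) for h in range(start, end)})


if __name__ == "__main__":
    # The decoded value from the decode_timebox example: Sunday 00:00 disabled.
    print(disabled_hours("7" + "F" * 41))
    print(business_hours_timebox())
```

A value produced by build_timebox is what you would hand to encode_timebox before storing it with set_role_field; running disabled_hours over what decode_timebox returns is the quickest way to confirm that a role's window is what the change request actually asked for.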
explain_groupType
Use the explain_groupType command to convert a groupType value from an Active
Directory object field into human-readable form.
Syntax
explain_groupType gt
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
gt
string
Return value
This command returns a hexadecimal version of the supplied value followed by the names of
any flags that are set in the value.
Examples
explain_groupType [get_object_field groupType]
The value returned by get_object_field groupType in this example (not shown) was
2147483644, which was converted to the hexadecimal value 80000004 and the names of the
set flags DOMAIN_LOCAL and SECURITY.
explain_ptype
Use the explain_ptype command to translate the account type for a role assignment into a
descriptive text string.
Syntax
explain_ptype pt
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
pt
string
Required. Specifies the ptype value returned for a role assignment that you
want to convert to a text string.
Return value
This command returns a text string that describes the type of account associated with a role
assignment.
Examples
select_role_assignment "lulu@acme.test/UNIX Login"
get_role_assignment_field ptype
a
explain_ptype a
The following table summarizes the descriptive names for different account types that can
be associated with a role assignment:
Account type
Field
All AD users
explain_trustAttributes
Use the explain_trustAttributes command to convert a trustAttributes value from an
Active Directory object field into human-readable form.
Syntax
explain_trustAttributes ta
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
ta
string
Return value
This command returns a hexadecimal version of the supplied value followed by the names of
any flags that are set in the value.
Examples
explain_trustAttributes [get_object_field trustAttributes]
explain_trustDirection
Use the explain_trustDirection command to convert a trustDirection value from an
Active Directory object field into human-readable form.
Syntax
explain_trustDirection td
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
td
string
Return value
This command returns the English version of the trust direction specified by the
trustDirection value.
Examples
explain_trustDirection [get_object_field trustDirection]
explain_userAccountControl
Use the explain_userAccountControl command to convert a userAccountControl value
from an Active Directory object field into a human-readable form.
Syntax
explain_userAccountControl uac
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
uac
string
Return value
This command returns a hexadecimal version of the supplied value followed by the names of
any flags that are set in the value.
Examples
explain_userAccountControl [get_object_field userAccountControl]
returns:
10200 ADS_UF_NORMAL_ACCOUNT ADS_UF_DONT_EXPIRE_PASSWD
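The four explain_* commands above (explain_groupType, explain_trustAttributes, explain_trustDirection and explain_userAccountControl) all turn an integer attribute into a hex value followed by flag names. The Python below is an added example, not ADEdit's code, that decodes the same attributes offline so the output can be checked without a bound domain: the flag tables are the public ADSI ADS_UF_* and MS-ADTS groupType/trustAttributes/trustDirection definitions, the function names (decode_user_account_control and so on) are mine, and review_user_account_control is my own shortlist of flags worth a second look when auditing zone users. It also handles the case the explain_groupType example hints at: Active Directory stores groupType as a signed 32-bit integer, so a security-enabled group arrives as a negative number and must be masked before decoding.

```python
"""Offline decoders for userAccountControl, groupType, trustAttributes and
trustDirection. Added example; function names are mine, flag tables are the
standard ADSI / MS-ADTS values."""

# userAccountControl bits (ADS_USER_FLAG_ENUM). Bits not listed are reported as UNKNOWN.
USER_ACCOUNT_CONTROL_FLAGS = {
    0x00000001: "ADS_UF_SCRIPT",
    0x00000002: "ADS_UF_ACCOUNTDISABLE",
    0x00000008: "ADS_UF_HOMEDIR_REQUIRED",
    0x00000010: "ADS_UF_LOCKOUT",
    0x00000020: "ADS_UF_PASSWD_NOTREQD",
    0x00000040: "ADS_UF_PASSWD_CANT_CHANGE",
    0x00000080: "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "ADS_UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "ADS_UF_NORMAL_ACCOUNT",
    0x00000800: "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "ADS_UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x00020000: "ADS_UF_MNS_LOGON_ACCOUNT",
    0x00040000: "ADS_UF_SMARTCARD_REQUIRED",
    0x00080000: "ADS_UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "ADS_UF_NOT_DELEGATED",
    0x00200000: "ADS_UF_USE_DES_KEY_ONLY",
    0x00400000: "ADS_UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "ADS_UF_PASSWORD_EXPIRED",
    0x01000000: "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

# groupType bits (ADS_GROUP_TYPE_ENUM); short names match the guide's example output.
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x00000010: "APP_BASIC",
    0x00000020: "APP_QUERY",
    0x80000000: "SECURITY",
}

# trustAttributes bits from MS-ADTS (TRUST_ATTRIBUTE_* with the prefix dropped).
TRUST_ATTRIBUTES_FLAGS = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",
    0x00000020: "WITHIN_FOREST",
    0x00000040: "TREAT_AS_EXTERNAL",
    0x00000080: "USES_RC4_ENCRYPTION",
    0x00000200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
}

# trustDirection is an enumeration, not a bit field.
TRUST_DIRECTIONS = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}


def explain_flags(value, table):
    """Return 'HEX NAME NAME ...' in the same shape as the guide's output.

    AD stores these attributes as signed 32-bit integers, so a value with the
    0x80000000 bit set (a security-enabled group) comes back negative; masking
    with 0xFFFFFFFF makes the signed and unsigned forms decode identically.
    The value may be an int or the decimal string get_object_field returns.
    """
    value = int(value) & 0xFFFFFFFF
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)          # bits the table does not know about
    if leftover:
        names.append("UNKNOWN_0x%X" % leftover)
    return " ".join(["%X" % value] + names)


def decode_user_account_control(uac):
    return explain_flags(uac, USER_ACCOUNT_CONTROL_FLAGS)


def decode_group_type(gt):
    return explain_flags(gt, GROUP_TYPE_FLAGS)


def decode_trust_attributes(ta):
    return explain_flags(ta, TRUST_ATTRIBUTES_FLAGS)


def decode_trust_direction(td):
    return TRUST_DIRECTIONS.get(int(td), "unknown (%s)" % td)


# My own selection of userAccountControl flags that weaken an account's
# authentication posture and deserve a second look when reviewing zone users.
REVIEW_FLAGS = {
    "ADS_UF_PASSWD_NOTREQD",
    "ADS_UF_DONT_EXPIRE_PASSWD",
    "ADS_UF_DONT_REQUIRE_PREAUTH",
    "ADS_UF_USE_DES_KEY_ONLY",
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "ADS_UF_TRUSTED_FOR_DELEGATION",
}


def review_user_account_control(uac):
    """Return the sorted list of REVIEW_FLAGS set on a userAccountControl value."""
    names = decode_user_account_control(uac).split()[1:]
    return sorted(set(names) & REVIEW_FLAGS)


if __name__ == "__main__":
    # The guide's own example: 0x10200 is a normal account whose password never expires.
    print(decode_user_account_control(0x10200))
    print(decode_group_type(-2147483644))   # signed form of 0x80000004
    print(review_user_account_control(0x10200))
```

Decoding to names is only half the job: a value like 0x10200 is common, but the decoder reports the unexpected bits (DONT_REQUIRE_PREAUTH, PASSWD_NOTREQD) in the same way, which is what makes a scripted sweep over get_zone_users output useful.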
get_all_zone_users
Use the get_all_zone_users command to check Active Directory and return a list of zone
users defined within the specified zone and all of its parent zones. If executed in a script,
this command does not output its list to stdout, so no output appears in the shell where
the script is executed.
Note that this command does not use the currently selected zone to find its list of users; it
uses the zone specified as an argument and ignores the currently selected zone. The
selected zone remains selected after the command executes.
Syntax
get_all_zone_users [-upn] zone_DN
Abbreviation
None.
Options
This command takes the following option:
Argument
Type
Description
-upn
string
Return user names in the Tcl list as user principal names (UPNs).
Arguments
This command takes the following argument:
Argument
Type
Description
zone_DN
string
Required. The distinguished name (DN) of the zone for which to return users.
Return value
This command returns a Tcl list of zone users defined in the specified zone and all of its
parent zones. Each entry in the list is in the format sAMAccountName@domain. If a zone
user is an orphan user (its corresponding Active Directory user no longer exists), the user
is listed by its security identifier (SID) instead of the sAMAccountName.
If the -upn option is present, each entry in the returned Tcl list is a user principal name
(UPN).
Examples
get_all_zone_users engineering
create_user creates a new zone user and user profile based on a specified Active
Directory user.
create_group creates a new zone group and group profile based on a specified Active
Directory group.
get_user_groups returns a Tcl list of groups to which a specified user belongs.
get_user_groups
Use the get_user_groups command to check Active Directory for a specified user and
return a list of the groups to which the user belongs. If executed in a script, this command
does not output its list to stdout, so no output appears in the shell where the script is
executed.
Syntax
get_user_groups [-dn] [-z] user_DN|user_UPN
Abbreviation
None.
Options
This command takes the following options:
Option
Description
-dn
Return groups in the Tcl list as distinguished names (DNs) instead of user principal names
(UPNs).
-z
Restricts the Tcl list of groups to groups that belong to the current zone.
Arguments
This command takes the following argument:
Argument
Type
Description
user_DN|user_UPN
string
Required. The user whose groups to return. This argument may specify the user
with a distinguished name (DN) or a user principal name (UPN).
Return value
Used without options, this command returns a Tcl list of all groups listed in Active
Directory to which the specified user belongs. Each entry in the list is the user principal
name (UPN) of a group, which you can use to look up that group.
If the -dn option is set, the Tcl list uses distinguished names (DNs) for groups.
If the -z option is set, the Tcl list is restricted to groups that belong to the currently selected
zone.
Note that the command will not return groups for domains that aren't currently bound to
ADEdit. If the command finds one or more groups outside of the currently bound domains,
it returns a "no binding" message for each unbound domain in which it finds one of the
user's groups.
Examples
get_user_groups fred.forth@acme.com
create_group creates a new zone group and group profile based on a specified Active
Directory group.
create_user creates a new zone user and user profile based on a specified Active
Directory user.
get_all_zone_users returns a Tcl list of zone users for the specified zone and all of its
parent zones.
list_zones
Use the list_zones command to list the zones within a specified domain along with
information about each zone. If executed in a script, this command outputs its list to stdout
so that the output appears in the shell where the script is executed. The command does not
return a Tcl list to the executing script; use the ADEdit command get_zones to return a
Tcl list.
Syntax
list_zones domain
Options
This command takes no options.
Arguments
This command takes the following argument:
Argument
Type
Description
domain
string
Return value
This command returns a list to stdout of the zones within the specified domain. Each entry
in the list contains:
The zone type: tree (supported in Centrify Suite 2012 or later), classic3 or classic4
Examples
list_zones
lmerge
Use the lmerge command to merge and sort the specified lists. You specify the lists to
merge as arguments. You must enclose the list commands you want to merge in square
brackets.
Syntax
lmerge [list1] [list2] [list[...]]
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
[list1]
string
Specifies the list command that returns the information you want to include first
in the merged results.
[list2]
string
Specifies the list command that returns the information you want to include
second in the merged results.
[list[...]]
string
Specifies any additional list commands that return information you want to
include in the merged results.
Return value
This command returns nothing if it runs successfully.
Examples
lmerge [list_zone_users] [list_zone_computers] [list_roles]
This example returns a merged list of zone users, zone computers, and zone roles similar to
this:
fred@pistolas.org:fred:580398:648:%{u:displayName}:%{home}/%{user}:%{shell}:
lane@pistolas.org:lane:580397:648:%{u:displayName}:%{home}/%{user}:%{shell}:
maya@pistolas.org:maya:580320:648:%{u:displayName}:%{home}/%{user}:%{shell}:
ubu1$@pistolas.org: cpus(1) agentVersion(CentrifyDC 5.2.0): ubu1.pistolas.org
nic3$@pistolas.org: cpus(2) agentVersion(CentrifyDC 5.2.0): nic3.pistolas.org
always permit login
listed
UNIX Login
UnixAdminRights
Windows Login
You can specify the list arguments using full command names or abbreviations. For
example:
lmerge [lszc] [lspa]
modify_timebox
Use the modify_timebox command to modify a timebox value that defines the hours of a
week when a role is enabled or disabled. The command identifies an hour of the week and
then enables or disables that hour in the timebox value. This command is useful for building
the value you pass to the set_role_field ADEdit command when setting the timebox field.
Execute this command multiple times on a timebox value to set more than one hour in the
value.
For more information about the timebox value format, see Appendix A, Timebox value
format.
Syntax
modify_timebox strTimeBox day hour avail
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
strTimeBox
hex
A 42-digit hexadecimal timebox value. A value of zero disables all hours of the
week. A value of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF enables all
hours of the week.
day
integer
Required. The day of the week when the hour occurs. 0=Sunday, 1=Monday,
and so on to 6=Saturday.
hour
integer
Required. The hour of the day to enable or disable. Takes a value from 0 to 23. 0
is from midnight to 1 AM, 1 is from 1 AM to 2 AM, and so on to 23, which is from
11 PM to midnight.
avail
integer
Required. Whether to enable or disable the specified hour. 0=disable; all other
values=enable.
Return value
This command returns a hexadecimal value that is the timebox value after enabling or
disabling the specified hour of the week.
Examples
set tb 000000000000000000000000000000000000000000
set tb [modify_timebox $tb 6 23 1]
precreate_computer
Use the precreate_computer command to create a zone profile for a computer in Active
Directory before that computer uses adjoin to join the network through Active Directory.
The zone profile is usually created by adjoin when a computer joins the network, which is
why creating a zone profile before joining is called precreating a computer account.
The zone profile is part of an Active Directory computer object. If an Active Directory
computer object doesn't exist, precreate_computer can create one and then add a zone
profile to the new Active Directory computer object. The zone profile is in ADEdit's
currently selected zone. precreate_computer can also specify a container where Active
Directory will store the new Active Directory computer object.
precreate_computer can create a service connection point (an Active Directory
serviceConnectionPoint child object) for a new Active Directory computer object. It can
also create a computer zone (a machine-level zone override, in essence a one-computer
zone) for the precreated computer.
precreate_computer can specify one or more trustees for the precreated computer. Each
trustee can be either a user or a group, and has the rights needed to join this computer to
the precreated computer account using adjoin.
Syntax
precreate_computer samaccount@domain [-ad] [-scp] [-czone] [-all]
[-container rdn] [-dnsname dnsname] [-trustee upn [-trustee upn] ...]
Options
This command takes the following options:
Option
Description
-ad
Creates an Active Directory computer object for the computer if one doesn't exist already.
-scp
Creates a service connection point for the Active Directory computer object.
-czone
Creates a computer zone for the Active Directory computer object.
-all
Creates an Active Directory computer object (if one doesn't exist already), a service
connection point for the computer object, and a computer zone for the computer object:
in essence all of the previous three options combined.
-container rdn
Stores the new Active Directory computer object (if created) in the Active Directory
container specified by rdn, which is the relative distinguished name (RDN) of the
container. The root of the specified Active Directory container is the distinguished name
(DN) of the current domain. precreate_computer appends the RDN to the root DN to come
up with the container DN.
-dnsname dnsname
Sets the DNS name for the computer account to the provided DNS name.
If this option isn't present, precreate_computer automatically sets the DNS name for the
computer account. It derives the DNS name from the computer's sAMAccount name and
the domain name.
-trustee upn
Gives the user or group specified by upn (the UPN of the user or group) permission to join
a computer to the precreated computer account. precreate_computer may take multiple
-trustee options, each specifying a different user or group, to make several users and
groups trustees.
Arguments
This command takes the following argument:
Argument
Type
Description
samaccount@domain
string
Required. The name of the computer and the domain to join. The computer
name is a sAMAccount name in the form of <computer>$. An example:
engserv$@acme.com
Return value
This command returns nothing if it runs successfully.
Examples
precreate_computer redhat$@acme.com -trustee adam.avery@acme.com
-trustee martin.moore@acme.com
This example precreates a zone profile for the computer redhat$@acme.com and
specifies as trustees Adam Avery and Martin Moore. It precreates the zone profile in
whatever zone is currently selected in ADEdit.
remove_user_from_group
Use the remove_user_from_group command to remove an Active Directory user from an
Active Directory group.
Syntax
remove_user_from_group user group
Options
This command takes no options.
Arguments
This command takes the following arguments:
Argument
Type
Description
user
string
Required. The user principal name (UPN) of the Active Directory user to remove.
group
string
Required. The UPN of the Active Directory group from which to remove the user.
Return value
This command returns nothing if it runs successfully.
Examples
remove_user_from_group adam.avery@acme.com pubs@acme.com
create_aduser creates a new Active Directory user account and sets its password.
create_adgroup creates a new Active Directory group account and specifies its scope.
create_user creates a new zone user and user profile based on an existing Active
Directory user.
create_group creates a new zone group and group profile based on an existing Active
Directory group.
add_user_to_group adds an Active Directory user to an Active Directory group.
Appendix A
Timebox value format
Hex string
The timebox value is a 42-character (21-byte) hexadecimal value stored as a string. When
the hex value is converted to a binary value, its 168 bits each map to a single hour within the
week. If a bit is set to 1, its corresponding hour is enabled for the role. If set to 0, its
corresponding hour is disabled.
After you define the 168 bits using a hexadecimal value, you can use the encode_timebox
function to convert the value into an internal format that specifies when a role is available to
use.
Hour mapping
Each day of the week takes three bytes (24 bits) to specify how its hours are enabled or
disabled. The following tables show how the hours of a day are mapped to the bits within
each of a day's three bytes.
Byte 0
Hour        Bit
12-1 AM     0 (least-significant bit)
1-2 AM      1
2-3 AM      2
3-4 AM      3
4-5 AM      4
5-6 AM      5
6-7 AM      6
7-8 AM      7 (most-significant bit)
Byte 1
Hour        Bit
8-9 AM      0 (least-significant bit)
9-10 AM     1
10-11 AM    2
11-12 AM    3
12-1 PM     4
1-2 PM      5
2-3 PM      6
3-4 PM      7 (most-significant bit)
Byte 2
Hour        Bit
4-5 PM      0 (least-significant bit)
5-6 PM      1
6-7 PM      2
7-8 PM      3
8-9 PM      4
9-10 PM     5
10-11 PM    6
11-12 PM    7 (most-significant bit)
Day mapping
Each of the seven days in a week has three bytes within the 21-byte timebox value. These
bytes are in chronological order from most-significant byte to least-significant byte. (Note
that this is the opposite of chronological bit order within each byte, which is LSB to MSB.)
The starting point of a week is 4 PM on Saturday afternoon.
The table below shows how each day's three bytes (0-2) map to the timebox value's bytes,
listed here in order from most-significant byte to least-significant byte.
Day byte              Timebox value byte
Saturday, byte 2      20 (most-significant byte)
Sunday, byte 0        19
Sunday, byte 1        18
Sunday, byte 2        17
Monday, byte 0        16
Monday, byte 1        15
Monday, byte 2        14
Tuesday, byte 0       13
Tuesday, byte 1       12
Tuesday, byte 2       11
Wednesday, byte 0     10
Wednesday, byte 1     9
Wednesday, byte 2     8
Thursday, byte 0      7
Thursday, byte 1      6
Thursday, byte 2      5
Friday, byte 0        4
Friday, byte 1        3
Friday, byte 2        2
Saturday, byte 0      1
Saturday, byte 1      0 (least-significant byte)
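As an added worked example for modify_timebox, decode_timebox/encode_timebox and the Appendix A tables (it is not ADEdit's own code), the Python below builds timebox values in the human-readable 168-bit layout that encode_timebox accepts (most-significant bit = Sunday midnight to 1 AM, least-significant bit = Saturday 11 PM to midnight), lists which hours a value disables, and computes the Appendix A byte and bit positions from the tables as written. Function names are mine; the two internal_* helpers follow the tables literally and make no claim to reproduce encode_timebox's internal output byte for byte.

```python
"""Timebox value helpers. Added example, not ADEdit's code: models the
human-readable 168-bit layout (MSB = Sunday 00:00, LSB = Saturday 23:00)
and the Appendix A byte/bit mapping. Function names are mine."""

HOURS_PER_WEEK = 168
TIMEBOX_HEX_DIGITS = 42          # 168 bits = 21 bytes = 42 hex digits
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def _parse(tb_hex):
    """Validate a 42-digit hex timebox string and return it as an int."""
    if len(tb_hex) != TIMEBOX_HEX_DIGITS:
        raise ValueError("timebox must be %d hex digits, got %d"
                         % (TIMEBOX_HEX_DIGITS, len(tb_hex)))
    return int(tb_hex, 16)


def _format(value):
    """Render an int as the fixed-width upper-case hex string ADEdit uses."""
    return "%0*X" % (TIMEBOX_HEX_DIGITS, value)


def modify_timebox(tb_hex, day, hour, avail):
    """Enable (avail != 0) or disable (avail == 0) one hour of the week.

    Same argument order as the guide's modify_timebox: day 0=Sunday..6=Saturday,
    hour 0..23 (0 is midnight to 1 AM). Returns the new 42-digit value.
    """
    if not 0 <= day <= 6 or not 0 <= hour <= 23:
        raise ValueError("day must be 0-6 and hour 0-23")
    bit = 1 << (HOURS_PER_WEEK - 1 - (day * 24 + hour))   # MSB is Sunday 00:00
    value = _parse(tb_hex)
    value = value | bit if avail else value & ~bit
    return _format(value)


def disabled_hours(tb_hex):
    """List the hours a role is NOT available as (day_name, hour) pairs, in
    chronological order. Reviewing this set before set_role_field is the
    quickest way to confirm a value does what the role definition intends."""
    value = _parse(tb_hex)
    out = []
    for index in range(HOURS_PER_WEEK):
        if not value >> (HOURS_PER_WEEK - 1 - index) & 1:
            out.append((DAYS[index // 24], index % 24))
    return out


def internal_byte_index(day, day_byte):
    """Appendix A day mapping: which of the 21 internal bytes (20 = most
    significant) holds a given day's byte 0, 1 or 2. The internal week starts
    with Saturday byte 2 (4 PM Saturday) in byte 20 and wraps round to
    Saturday byte 1 in byte 0."""
    position_from_msb = (1 + day * 3 + day_byte) % 21
    return 20 - position_from_msb


def internal_bit(hour):
    """Appendix A hour mapping: (day_byte, bit) for an hour of the day; bit 0
    is the earliest hour of each 8-hour block, bit 7 the latest."""
    return hour // 8, hour % 8


if __name__ == "__main__":
    # The guide's modify_timebox example: start from all-disabled, enable Saturday 11 PM.
    tb = modify_timebox("0" * TIMEBOX_HEX_DIGITS, 6, 23, 1)
    print(tb)
    # The guide's decode_timebox example: 7FFF... disables only Sunday midnight to 1 AM.
    print(disabled_hours("7" + "F" * 41))
    print(internal_byte_index(6, 2), internal_bit(23))   # Saturday 11 PM: byte 20, bit 7
```

Run disabled_hours on any value before storing it with set_role_field: a timebox that silently disables the wrong hours is a denial of access, and one that enables the wrong ones widens the window in which a privileged role can be used.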
Appendix B
Command
What it does
is_dz_enabled
manage_dz
You can use the set_role_field command to set other field values in a classic zone.
Individual commands specify these types of limitations.
Command
What it does
clear_rs_env_from_role
Removes the restricted shell environment from the currently selected role
that is stored in memory.
delete_rs_env
get_role_rs_env
Gets the restricted shell environment from the currently selected role that is
stored in memory.
get_rs_envs
Gets the list of restricted environments that are defined within the currently
selected zone.
get_rse_cmds
Gets a Tcl list of restricted shell commands associated with the currently
selected restricted shell environment.
get_rse_field
Gets the value for a specified field from the restricted shell environment
that is stored in memory.
list_rs_envs
Prints a list of restricted shell environments defined for the currently selected
zone to stdout.
new_rs_env
Creates a new restricted shell environment for the current zone, stores it in
memory, and sets it to be the currently selected restricted shell environment.
Command
What it does
save_rs_env
select_rs_env
Retrieves a restricted shell environment for the currently selected zone from
Active Directory, stores it in memory, and sets it to be the currently selected
restricted shell environment for other ADEdit commands.
set_rs_env_for_role
set_rse_field
Sets the value for a specified field in the currently selected restricted shell
environment stored in memory.
Command
What it does
delete_rs_command
Deletes the currently selected restricted shell command from Active Directory
and from memory.
get_role_rs_commands
Returns a Tcl list of restricted shell commands associated with the currently
selected role.
get_rs_commands
Checks Active Directory and returns a Tcl list of restricted shell commands
defined for the currently selected zone.
get_rsc_field
Gets the value for a specified field from the currently selected restricted shell
command that is stored in memory.
list_rs_commands
Prints a list of restricted shell commands defined for the currently selected
zone to stdout.
new_rs_command
save_rs_command
select_rs_command
set_rsc_field
Sets the value for a specified field for the currently selected restricted shell
command that is stored in memory.
The classic zone that the computer is a member of must have authorization enabled
before you can create role definitions and role assignments.
The role assignment is only valid on the computer where you have made the assignment.
The role definition you use must be defined in the classic zone that the computer is a
member of.
The following code snippet illustrates the commands to execute in ADEdit to make
computer-specific role assignments in classic zones:
bind ajuba.net
package require ade_lib
1.0
select_zone cn=cls,cn=zones,dc=ajuba,dc=net
get_zone_field type
classic4
precreate_computer rhelqa$@ajuba.net
get_zone_computers
{comp5$@ajuba.net} {rhelqa$@ajuba.net}
create_zone classic-computer rhelqa.ajuba.net@cn=cls,cn=zones,dc=ajuba,dc=net
select_zone rhelqa.ajuba.net@cn=cls,cn=zones,dc=ajuba,dc=net
new_role_assignment user5@ajuba.net
set_role_assignment_field role role1/cls
save_role_assignment
You can then get the classic-computer zones by running the get_child_zones command
when the classic zone is selected. For example:
select_zone cn=cls,cn=zones,dc=ajuba,dc=net
get_child_zones
rhelqa.ajuba.net@CN=c122,CN=Zones,DC=ajuba,DC=net
comp5.ajuba.net@CN=c122,CN=Zones,DC=ajuba,DC=net
Appendix C
Command syntax
Abbreviation
acr
ame
amewc
aov
add_pamapp_to_role app[/zonename]
apr
ase
ade_lib
crse
convert_msdate msdate
ccr
ade_lib
cz
decode_timebox strTimeBox
delegate_zone_right right principal_upn
delete_dz_command
dldzc
dlme
delete_nis_map
dlnm
delete_object
dlo
delete_pam_app
dlpam
delete_role
dlr
delete_role_assignment
dlra
delete_rs_command
dlrsc
delete_rs_env
dlrse
delete_sub_tree dn
delete_zone
dlz
delete_zone_computer
dlzc
delete_zone_group
dlzg
delete_zone_user
dlzu
dn_from_domain domain_name
dnfd
dntp
domain_from_dn domain_name
dfdn
encode_timebox strTimeBox
explain_groupType gt
explain_ptype pt
explain_sd sddl_string
explain_trustAttributes ta
explain_trustDirection td
explain_userAccountControl uac
get_adinfo domain|zone|host
adinfo
gbi
gcz
get_dz_commands
gdzc
get_dzc_field field
gdzcf
ggm
get_nis_map
gnm
get_nis_map_field field
gnmf
get_nis_map_with_comment
gnmwc
get_nis_maps
gnms
get_object_field field
gof
get_object_field_names
gofn
go
get_pam_apps
gpam
get_pam_field
gpf
get_parent_dn DN
gpd
get_pwnam unix_name
gpn
get_rdn DN
grdn
get_role_apps
grap
get_role_assignment_field field
graf
get_role_assignments [-upn]
gra
get_role_commands
grc
get_role_field field
grf
get_role_rs_commands
grrsc
get_role_rs_env
grrse
get_roles
getr
get_rs_commands
grsc
get_rs_envs
grse
get_rsc_field field
grscf
get_rse_cmds
grsec
get_rse_field field
grsef
gsg
get_zone_computer_field field
gzcf
get_zone_computers
gzc
get_zone_field field
gzf
get_zone_group_field field
gzgf
get_zone_groups
gzg
ade_lib
get_zone_nss_vars
gznv
get_zone_user_field field
gzuf
get_zone_users [-upn]
gzu
get_zones domain
gz
getent_passwd
gep
ade_lib
guid_to_id guid
help command_pattern
is_dz_enabled
idze
joined_get_user_membership user_UPN
jgum
jntp
jug
list_dz_commands
lsdzc
list_nis_map
lsnm
list_nis_map_with_comment
lsnmwc
list_nis_maps
lsnms
list_pam_apps
lspa
list_role_assignments [-upn]
lsra
list_role_rights
lsrr
list_roles
lsr
list_rs_commands
lsrsc
list_rs_envs
lsrse
list_zone_computers
lszc
list_zone_groups
lszg
list_zone_users [-upn]
lszu
list_zones domain
manage_dz -on|-off
mnz
mvo
new_dz_command name
newdzc
new_nis_map map
newnm
new_object dn
newo
new_pam_app name
newpam
new_role name
newr
new_role_assignment upn
newra
new_rs_command name
newrsc
new_rs_env name
newrse
new_zone_computer sAMAccountName@domain
newzc
new_zone_group AD_group_UPN
newzg
new_zone_user AD_user_UPN
newzu
ade_lib
pop
pfs
principal_to_dn principal_upn
ptd
pti
push
quit
remove_command_from_role command[/zonename]
rcfr
rov
remove_pamapp_from_role app[/zonename]
rpamfr
rsa
rno
save_dz_command
svdzc
save_nis_map
svnm
save_object
svo
save_pam_app
svpam
save_role
svr
save_role_assignment
svra
save_rs_command
svrsc
save_rs_env
svrse
save_zone
svz
save_zone_computer
svzc
save_zone_group
svzg
save_zone_user
svzu
select_dz_command command
sldzc
select_nis_map map
slnm
slo
select_pam_app name
slpam
select_role role
slr
select_role_assignment principal/role[/zone]
slra
select_rs_command rs_cmd
slrsc
select_rs_env rse
slrse
select_zone path
slz
select_zone_computer sAMAccountName@domain
slzc
select_zone_group AD_group_UPN
slzg
select_zone_user user
slzu
sdzcf
ade_lib
set_ldap_timeout timeout_in_seconds
set_object_field field value
sof
spf
sraf
srf
set_rs_env_for_role environment
srse
srscf
srsef
sso
sup
szcf
szf
szgf
szuf
stes
sid_to_uid sid
stu
validate_license path
vl
Index
A
abbreviations 23
Active Directory 16
creating new objects 29
examining properties 29
object context 19
adclient 17, 27
add_command_to_role command 69
add_map_entry command 71, 72
add_object_value command 74
add_pamapp_to_role command 75
add_sd_ace command 76
AddUnixUsers 57
add_user_to_group command 317
ADEdit
administration scope 15
components 18
context commands 21, 35
examples of use 14
execution 22
execution modes 15
features 14
interactive mode 15, 19
operating environment 16
purpose 11
scripting 15
stateful nature 26
syntax 22
Tcl script execution 15
typical logic flow 25
ADEdit application 19
ADEdit script 19, 32
as executable file 15
execution as a UNIX-executable file 34
execution using ADEdit 33
ade_lib commands
including 19
installation 22
ade_lib Tcl library 12, 16, 19, 317
adflush 17
administration tools
conflicts 17, 20
adquery 14, 15
adupdate 14, 15
argc 47
arguments 22
argv 47
argv0 47
B
bind command 26, 79
binding
authentication 19
difference from joining 27
logic flow 25
scope 27
C
Centrify website 13
classic and tree 69
classic3 85
classic4 12, 85
command history 15, 23
commands
Active Directory objects 41
arguments 22
Centrify CLI programs 17
context setting 35
general-purpose 35
new object 29
options 23
results 23
security descriptor 43
selection 28
utility 42
zone management 36
zone users 36, 37, 38, 39, 40, 41
computer zone 85
computer-report 59
context 19
cautions 20
examining 29
persistence 20
pushing 31
pushing and popping 20
selection as part of 29
convert_msdate command 318
create_adgroup command 319
create_aduser command 320
create_assignment command 321
CreateChildZones 51
create_computer_role command 82
create_group command 322, 323, 324, 325, 326, 327,
329, 343
CreateParentZone 49
create_user command 330
create_zone command 84
credentials 27
D
delegate_zone_right command 87
delete_dz_command command 89
delete_map_entry command 90
delete_nis_map command 92
delete_object command 93
delete_pam_app command 94
delete_role command 96
delete_role_assignment command 97
delete_sub_tree command 101
delete_zone command 102
delete_zone_computer command 104
delete_zone_group command 105
delete_zone_user command 31, 107
DirectManage Access Manager console 17
dn_from_domain command 108
dn_to_principal command 109
documentation
additional 13
domain
binding 26
domain binding 15
domain controller 16, 18, 19, 26
selection 26
domain_from_dn command 110
E
errors 23
explain_groupType command 334, 335
explain_sd command 111
G
general-purpose commands 35
get_adinfo command 114
get_bind_info command 30, 115
GetChildZones 68
get_child_zones command 117
GetComputers 64
get_dzc_field command 120
get_dz_commands command 118
getent_passwd command 180, 181
get_group_members command 124
GetGroups 67
get_nis_map command 125, 128
get_nis_map_field command 127
get_nis_maps command 130
get_object_field command 131
get_objects command 135
getopt 48
example 48
get_pam_apps command 137
get_pam_field command 138
get_parent command 140
get_pwnam command 141
get_rdn command 142
get_role_apps command 143
get_role_assignment_field command 145
get_role_assignments command 147
get_role_commands command 148
get_role_field command 150, 349
get_roles command 155
get_schema_guid command 165
GetUsers 67
get_zone_computer_field command 166
get_zone_computers command 168
get_zone_field command 169
get_zone_group_field command 171
get_zone_groups command 173
get_zone_nss_vars command 174
GetZones 66
get_zones command 28, 178
get_zone_user_field command 30, 31, 175
get_zone_users command 177
J
joined_get_user_membership command 184
joined_name_to_principal command 185
joined_user_in_group command 186
K
Kerberos credentials cache 27
L
LDAP queries
execution time interval 28
ldapsearch 15
list_dz_commands command 188
list_nis_map command 189, 191
list_nis_maps command 192
list_pam_apps command 194
list_role_assignments command 195
list_role_rights command 197
list_roles command 199
list_zone_computers command 203
list_zone_groups command 205
list_zones command 341
list_zone_users command 206
M
MakeRole 53
MktDept.sh 47
modify_timebox command 331, 333, 344, 349
multi-master data store 16
my_create_aduser 46, 47
N
NA
Not applicable 69
new_dz_command command 209, 210, 242
new_nis_map command 212
new_object command 213
new_pam_app command 215
new_role command 216
new_role_assignment command 218
new_zone_computer command 223
new_zone_group command 225
objects
commands to manage 41
default fields 29
deletion 30
logic flow 24
modification 30
persistence 29
reading 25
saving 20, 31
selected in context 29
selection 28
types to work with 28
options 23
P
password
enclosing in braces for Tcl handling 27
persistence 29
pop command 20, 31, 228
precreate_computer command 345
principal_from_sid command 229
principal_to_dn command 230, 232
privileged commands 53
provision 57
push command 20, 31, 233
Q
quit command 234
R
remove_command_from_role command 235
remove_object_value command 236
remove_pamapp_from_role command 238
remove_sd_ace command 240
remove_user_from_group command 347
rfc 86
Role_apacheAdmin.txt 53
roles 53
S
save_dz_command command 243
save_nis_map command 244
save_object command 246
save_pam_app command 247
U
UNIX commands 17
users.txt 57
utility commands 42
V
validate_license 315
W
wildcard characters 24
Z
zone
create child 50
creation 29, 49, 50
Zone type 69
zone type 85
classic3 85
classic4 85
computer 85
tree 85
T
Tcl
core commands 19
interpreter 19