.\"Modified from man(1) of FreeBSD, the NetBSD mdoc.template, and mdoc.samples. .\"See Also: .\"man mdoc.samples for a complete listing of options .\"man mdoc for the short list of editing options .\"/usr/share/misc/mdoc.template .Dd May 26 2004 \" DATE .Dt dsidentity 1 \" Program name and manual section number .Os Mac OS X .Sh NAME \" Section Header - required - don't modify .Nm dsidentity .Nd Add or remove identity user accounts. .Sh SYNOPSIS \" Section Header - required - don't modify .Nm .Op -vix .Ar -a identity .Op -s password .Op -d displayname .Op -j picture .Op -c comment .Op -u username .Op -p password .Pp .Nm .Op -vix .Ar -r identity .Op -u username .Op -p password .Pp options: .Bl -tag -width "123456789012345" -compact -offset indent .It Fl v verbose logging to stdout .It Fl i prompt for password as required .It Fl x use only authorization right for authentication .It Fl h display usage statement .El .Pp parameters: .Bl -tag -width "123456789012345" -compact -offset indent .It Fl a Ar identity add identity username .It Fl r Ar identity remove identity username .It Fl s Ar password identity user's password .It Fl d Ar displayname display name .It Fl j Ar picture user picture .It Fl c Ar comment comment .It Fl u Ar username admin username .It Fl p Ar password admin password .El .Pp .Sh DESCRIPTION \" Section Header - required - don't modify .Nm is a setuid tool that allows addition or removal of identity user accounts in Directory Services. The dsidentity tool creates a partial but valid system identity in the local Directory System. This identity is created with the intent to support remote sharing capabilities. Version 1.00 supports local shadowhash passwords as regular local user records. Kerberos support is planned to be added in a later version. By default the identity created will contain a new and unique UID and assigned Globally Unique ID (GUID). The identity created will have no privileges on the local system and will not be recognized by login window, ssh, or other unix programs. This identity will have no assigned home directory and shell will be set to /usr/bin/false to prevent remote logins. It is expected that after running dsidentity additional administration will be required to add the newly created identity to appropriate application access control lists in order to actually grant access to a system service. How this newly created identity is added to application access control lists may be application specific and therefore dsidentity does not perform this function. The authorization to use this tool will be obtained from either the authorization right "com.apple.allowidentityedit", the effective uid of the user running the tool, or the provided admin name and password. Only the authorization right will be used if the option "x" is provided. The password will be prompted for if either the admin username is provided with no password, no auth right is set and the euid is not zero, or the option "i" is specified. When adding a identity user, default values for displayname, picture, and comment will be provided as detailed below. Presented below is a discussion of possible parameters. Usage has three intents: add identity, remove identity, or display help. .Pp \" Inserts a space Options list and their descriptions: .Bl -tag -width -indent \" Differs from above in tag removed .It Fl v This enables the logging to stdout of the details of the operations. This can be redirected to a file. .It Fl i You will be prompted for a password to use in conjunction with the specified identity and admin usernames. .It Fl x This enforces using only the authorization right "com.apple.allowidentityedit" for authentication. .It Fl h Display usage statement. .El \" Ends the list .Pp \" Inserts a space Parameters list and their descriptions: .Bl -tag -width -indent \" Differs from above in tag removed .It Fl a Ar identity This is the defined recordname of the identity user that is to be added to the local Directory system. .It Fl r Ar identity This is the defined recordname of the identity user that is to be removed from the local Directory system. .It Fl s Ar password Password for the identity user record. Default value is empty string. .It Fl d Ar displayname Display (full) name of the identity user record. Default value is the identity value. .It Fl j Ar picture Picture used to represent the identity user record. Default value is "/Library/User Pictures/Animals/Dragonfly.tif". .It Fl c Ar comment Comment on the identity user usually given by the creator of the record. Default value is "Identity User". .It Fl u Ar username Username of a local administrator. .It Fl p Ar password Password for the local administrator. If this is not specified, you will be prompted for a password if required. .El \" Ends the list .Pp \" Inserts a space .Sh EXAMPLES .Pp .Bl -tag -width -indent \" Differs from above in tag removed .It Fl "add a identity user account" dsidentity -v -a buddy The identity user account "buddy" will be added. The following parameters displayname, picture, and comment will be set to their default values. .It Fl "remove a identity user account" dsidentity -v -r buddy -u admin The identity user account "buddy" will be removed given the correct authentication is supplied either through the auth rights, the euid of the user running the tool is zero, or the password provided interactively was correct and the user is indeed an admin user. .El \" Ends the list .Pp .Pp