CPU is a utility consisting of a set of plugins that allow an administrator
to administer a wide range of different authentication backends. Current
plugins include support for LDAP and a partially completed flat file plugin.
Particularly neat features are listed at the bottom of this file.

NORMAL INSTALLATION
-------------------

Grab the latest source tarball from cpu.sf.net and do the following:

    ./configure
    make
    make install

Your existing cpu.conf will no longer be overwritten. A full example is
installed in $datadir/cpu.conf.doc along with test.ldif (for use with the
-a switch).

DEVELOPER INSTALLATION
----------------------

If you want to install the software, you will need the Autotools
(automake > 1.5, autoconf > 2.54, libtool > 1.4). You can then grab the
latest CVS (information available at cpu.sf.net) and compile/install as
follows:

    ./bootstrap
    ./configure --enable-developer
    make
    make install

If you do not specify either --with-ldap or --with-passwd (or both) at the
command line, CPU will be pretty useless to you.

FILES
-----

The following files are installed:

    $sbindir/cpu             - Main CPU binary
    $sysconfdir/cpu.conf     - Configuration file for CPU, documented by
                               man page
    $datadir/cpu.conf.doc    - Full (unusable) configuration file with
                               comments
    $datadir/test.ldif       - Test ldif file for use with -a switch
    $mandir/man8/cpu.8       - Man page for CPU binary
    $mandir/man8/cpu-ldap.8  - Man page for LDAP usage with CPU
    $mandir/man5/cpu.conf.5  - Man page for CPU configuration file
    $libdir/libcputil.*      - API functionality for CPU
    $libdir/libcpu_ldap.*    - LDAP functionality for CPU
        *NOTE* This will only be installed if CPU detects the needed LDAP
        libraries at compile time or is compiled with --with-ldap
    $libdir/libcpu_passwd.*  - Flatfile functionality for CPU
        *NOTE* This will only be installed if CPU is compiled with
        --with-flatfile and --enable-developer

NOTES
-----

If you receive an error message like:

    cpu: error while loading shared libraries: libcputil.so.0: cannot open
    shared object file: No such file or directory

or other errors indicating that a shared object file could not be opened,
this means one of two things. Either you didn't compile with --with-ldap or
--with-flatfile, in which case, as stated above, the appropriate libraries
wouldn't have been compiled, or you installed the libraries in a place that
the linker doesn't know about.

In the former case, you will need to recompile with one of those options,
either --with-ldap or --with-flatfile or both.

In the latter case, you can do one of two things. Either update your
ld.so.conf (or other appropriate file) and add the path where those
libraries are installed (just $libdir), or, if you don't have root access,
set the environment variable LD_LIBRARY_PATH=$libdir.

FEATURES
--------

* TLS is supported
* Post useradd and post userdel scripts supported
* Account locking and unlocking
* POSIX support of Username and Groupname entries (as well as allowing
  violations for things like adding Samba machine accounts)
* Simple API is provided for writing new plugins
* Each plugin has support for user{add,mod,del} and group{add,del,mod}
* `cpu cat` displays users and groups in the appropriate backend in
  /etc/passwd style or /etc/group style format
* Strong passwords of any length can be generated
* libcrack can be used (specify --with-libcrack) to check passwords
* The following hashes are supported: crypt, cleartext, sha1, salted sha1,
  md5, and salted md5
* You can take a user's existing shadow or password file entry and import
  it into LDAP
* Several platforms including GNU/Linux, {Net,Open,Free}BSD, and Solaris
  are supported
* LDAP attributes not supported by CPU directly can still be added with a
  user using the -a option and supplying an LDIF file. This file can also
  be used for user modifications, and group adds and modifications
* Almost 100% compatible with the GNU shadow-utils package, so most scripts
  for using existing user{add,mod,del} and group{add,mod,del} can be
  modified for use with CPU easily
* Support for scanning the USER_BASE and getting either the next linearly
  available uid or finding the next available random uid
* Support for scanning the GROUP_BASE and getting either the next linearly
  available gid or finding the next available random gid
* Add and delete user directories while adding them to LDAP
* When a user is added to LDAP, their primary and secondary groups are
  searched for and if found, that user is added to them
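
Added example, not part of CPU or its documentation: how the sha1, salted
sha1, md5 and salted md5 choices in the hash list above are commonly stored
in an LDAP userPassword attribute, with a classifier for auditing which
entries are cleartext or unsalted. The {SHA}/{SSHA}/{MD5}/{SMD5}/{CRYPT}
prefixes and the base64(digest + salt) layout are the usual RFC 2307 /
OpenLDAP convention and are assumed here, not taken from CPU's source; all
function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Assumed RFC 2307-style scheme names mapped to (hashlib algorithm, salted?).
SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
           "MD5": ("md5", False), "SMD5": ("md5", True)}


def make_hash(password, scheme="SSHA", salt=None):
    """Return '{SCHEME}' + base64(digest + salt); salt is empty if unsalted."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def classify(stored):
    """Audit label for a stored value: cleartext, crypt, unsalted or salted."""
    if not stored.startswith("{") or "}" not in stored:
        return "cleartext"
    scheme = stored[1:stored.index("}")].upper()
    if scheme == "CRYPT":
        return "crypt"
    if scheme in SCHEMES:
        return "salted" if SCHEMES[scheme][1] else "unsalted"
    return "unknown"


def verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme = stored[1:stored.index("}")].upper()
    algo = SCHEMES[scheme][0]
    raw = base64.b64decode(stored[stored.index("}") + 1:])
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: two accounts sharing one password.
    for scheme in ("SHA", "SSHA"):
        a, b = make_hash("password", scheme), make_hash("password", scheme)
        print(scheme, classify(a), "identical" if a == b else "distinct")
```

With the unsalted schemes, two accounts that share a password end up with
the same stored value, which is what the salted variants avoid.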