rbactoldif Command

Purpose

Prints certain role-based access control (RBAC) and Domain role-based access control tables that are defined locally to standard output (stdout) in the LDIF format.

Syntax

rbactoldif -d baseDN [ -s tables ]

Description

The rbactoldif command reads data from locally defined RBAC tables and prints the result to stdout in LDIF format. If redirected to a file, the result can be added to an LDAP server with the ldapadd command or the ldif2db command.

The rbactoldif command reads the /etc/security/ldap/sectoldif.cfg file to determine what to name the authorization, role, privileged command, privileged device, and privileged file sub-trees that the data will be exported to. The rbactoldif command only exports data to the AUTHORIZATION, ROLE, PRIVCMD, PRIVDEV, and PRIVFILE types defined in the file. The names specified in the file will be used to create sub-trees under the base distinguished name (DN) specified with the -d flag. For more information, see the /etc/security/ldap/sectoldif.cfg file in AIX® Version 7.1 Files Reference .

Flags

Item	Description
-d baseDN	Specifies the base DN under which the RBAC data is placed.
-s tables	Specifies a set of tables to be read. If you do not specify the -s flag, all of the RBAC and Domain RBAC tables are read. Specify at least one of the following letters, each representing a table name: a Specifies the authorization table. c Specifies the privileged command table. d Specifies the privileged device table. e Specifies the domain table. f Specifies the privileged file table. o Specifies the domain object table. r Specifies the role table. t Specifies the trvi table.

Item

Description

-d baseDN

Specifies the base DN under which the RBAC data is placed.

-s tables

Specifies a set of tables to be read. If you do not specify the -s flag, all of the RBAC and Domain RBAC tables are read. Specify at least one of the following letters, each representing a table name:

a: Specifies the authorization table.
c: Specifies the privileged command table.
d: Specifies the privileged device table.
e: Specifies the domain table.
f: Specifies the privileged file table.
o: Specifies the domain object table.
r: Specifies the role table.
t: Specifies the trvi table.

Security

The rbactoldif command is owned by root and security group, with mode bits 500.

File Accessed

File	Mode
/etc/security/authorizations	r
/etc/security/roles	r
/etc/security/privcmds	r
/etc/security/privdevs	r
/etc/security/privfiles	r
/etc/security/.rbac_ids	r
/etc/security/domains	r
/etc/security/domobjs	r

Examples

To export all of the RBAC and Domain RBAC tables to LDIF format with base DN of cn=aixdata, use the following command:
```
rbactoldif -d cn=aixdata
```
To export only the authorization and role tables with base DN of cn=aixdata, use the following command:
```
rbactoldif -d cn=aixdata -s ar
```
To export only the domobjs tables with base DN of cn=aixdata, use the following command:
```
rbactoldif -d cn=aixdata -s o
```