Using Command-Line Programs

Command-line programs allow you to perform basic Active Directory administrative tasks directly from a UNIX shell or using a shell script. These commands use the underlying agent service library to enable you to perform administrative tasks, such as adding computers to an Active Directory domain, leaving the Active Directory domain, changing Active Directory passwords, and returning detailed Active Directory, network, and diagnostic information for a host computer.

Understanding When to Use Command-Line Programs

Command-line programs are installed by default when you install the agent on a computer. Depending on the operating system, the commands are typically installed in one of the following directories:

/usr/sbin  
/usr/bin  
/usr/share/centrifydc/bin

In general, you should only use command-line programs when you must take action directly on a local computer. For example, if you want to join or leave a domain or set a new password while logged on to a shell, you may want to run a command interactively from that shell. You can also use command-line programs in scripts to perform administrative tasks programmatically.
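When a script that runs as root calls these programs, resolving each one from the install directories listed above, rather than from whatever `$PATH` the script inherits, keeps it from running a look-alike binary placed earlier in the path. The shell functions below are an added example, not part of the product documentation; the function names and the `AD_CMD_DIRS` override variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: locate an agent command in the documented install
# directories and refuse binaries that group or others can modify.

# Directories taken from this page. AD_CMD_DIRS is a hypothetical
# override used by this example only; it is not an agent setting.
AD_CMD_DIRS="${AD_CMD_DIRS:-/usr/sbin /usr/bin /usr/share/centrifydc/bin}"

# is_safe_exec FILE: succeed only for an executable regular file whose
# target (symlinks are followed) is not group- or world-writable.
is_safe_exec() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    mode=$(ls -ldL "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;   # g+w or o+w set
    esac
    return 0
}

# resolve_ad_cmd NAME: print the absolute path of NAME, or fail.
# Exit status: 0 found, 1 not found or unsafe, 2 invalid name.
resolve_ad_cmd() {
    case "$1" in
        ''|*[!a-z]*)
            echo "invalid command name: $1" >&2
            return 2 ;;
    esac
    for dir in $AD_CMD_DIRS; do
        if is_safe_exec "$dir/$1"; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    echo "$1: no safe executable in: $AD_CMD_DIRS" >&2
    return 1
}

# Usage in a script (left as comments so the block also runs on a
# host where the agent is not installed):
#   ADLEAVE=$(resolve_ad_cmd adleave) || exit 1
#   "$ADLEAVE" --help
```
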

Supported Command-Line Programs

IBM Security Verify Privilege Server Suite Free supports the following command-line programs:

| Program | Description |
| --- | --- |
| adcache | The adcache program enables you to manually clear the local cache on a computer or check a cache file for a specific key value. |
| adcheck | The adcheck program verifies whether a local computer meets the system requirements for joining an Active Directory domain. This command checks whether the computer has sufficient disk and memory, a supported operating system and patch level, required libraries, and network connectivity to an Active Directory domain. |
| adclient | The adclient program manages most agent operations, and is normally started automatically when a computer starts up. In most cases, you should only run adclient directly from the command line if IBM Security Support recommends you do so. |
| addebug | The addebug program starts or stops logging activity for agent operations. |
| addns | The addns program enables you to dynamically update DNS records on an Active Directory-based DNS server in environments where the DHCP server cannot update DNS records automatically. |
| adedit | The adedit program enables you to manage Active Directory and the agent through command-line commands and scripts. |
| adfinddomain | The adfinddomain program displays the domain controller associated with the Active Directory domain you specify. |
| adfixid | The adfixid program resolves UID and GID conflicts and enables you to change the ownership of a local user’s files to match the user and group IDs defined for the user in Active Directory. |
| adflush | The adflush program clears the cache on a local computer. |
| adid | The adid program displays the real and effective UIDs and GIDs for the current user or a specified user. |
| adinfo | The adinfo program displays summary or detailed diagnostic and configuration information for a computer and its Active Directory domain. |
| adjoin | The adjoin program adds a computer to an Active Directory domain. This command configures a local computer to use Active Directory. No changes are made to authentication services or configuration files on a computer until you run the adjoin command. This command requires you to be logged on as root. |
| adkeytab | The adkeytab program enables you to create and manage Kerberos key tables (*.keytab files) and coordinate changes with the Kerberos key distribution center (KDC) provided by Active Directory. |
| adleave | The adleave program enables you to remove a computer from its current Active Directory domain or from the Active Directory forest entirely. |
| adlicense | The adlicense program enables or disables licensed features on a local computer. This command requires you to be logged on as root. |
| adpasswd | The adpasswd program changes the Active Directory account password for a user from within a UNIX shell. |
| adquery | The adquery program enables you to query Active Directory for information about users and groups from the command line on an agent-managed computer. |
| adreload | The adreload program forces the adclient process to reload configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory. |
| adrmlocal | The adrmlocal program reports and removes local user names that duplicate Active Directory user names. |

Other commands that support IBM Security operations are also installed in the directory with the commands shown in the preceding list, but they are not applicable to IBM Security Verify Privilege Server Suite Free agents.

Displaying Usage Information and Man Pages

To display a summary of usage information for a command-line program, type the command and the --help or -h option. For example, to see usage information for the adleave command, type:

adleave --help

The usage information includes a list of options and arguments, and a brief description of each option.

For more complete information about any command, you can review the information in the command’s manual (man) page. For example, to see the manual page for the adleave command, type:

man adleave