user create

Creates a Verify Identity Access user.

Requires authentication (administrator ID and password) to use this command.

Syntax

user create [-gsouser] [-no-password-policy] [-account-valid] user_name dn cn sn password [groups]

Description

A user is a registered participant of the secure domain. A GSO user is a Verify Identity Access user that also has the authority to use single sign-on to work with web resources.

You can create users in the Active Directory Lightweight Directory Service (AD LDS) user registry. Create such users in the same AD LDS partition where the Verify Identity Access Management Domain information is stored.

The -gsouser option enables global sign-on capabilities. Users that are created in an Active Directory are automatically given the capability to own single sign-on credentials. This capability cannot be removed. When you use an LDAP user registry, this capability must be explicitly granted. After this capability is granted, it can be removed.

The -no-password-policy option allows the administrator to create the user with an initial password that is not checked by the existing global password policies. If this option is not present in the command, the password that is provided is checked against the global password policies. In this case, the user create command fails if the password is invalid, and the error message includes information about what conditions were not met.

However, if the administrator applies the password option on the user modify command, the -no-password-policy option is not available. Therefore, the modified password is always checked against the global password policy settings.

The -account-valid option allows the administrator to mark the account as valid. If this option is not present in the command, the account is left in the invalid state. To make the user account valid, you must use the user modify command to set the account-valid option to yes.

Options

-gsouser
Enables the global sign-on (GSO) capabilities for the user. Applies only to users created in an LDAP user registry.
-no-password-policy
Indicates that the password policy is not enforced during the creation of the user account. The nonenforcement does not affect password policy enforcement after user creation. (Optional)
-account-valid
Indicates that the account is valid. (Optional)
cn
Specifies the common name that is assigned to the user that is being created. For example: "Mary"
dn
Specifies the registry identifier that is assigned to the user that is being created. The registry identifier must be known before a new user account can be created. The registry identifier must be unique within the user registry. If the user registry is Active Directory, certain characters are not allowed. See Characters disallowed for distinguished names for the list of these characters.
A distinguished name has a format like the following example:
"cn=Mary Jones,ou=Austin,o=Tivoli,c=us"
groups
Specifies a list of groups to which the new user is assigned. The format of the group list is a parenthesized list of group names, which are separated by spaces. The groups must exist, or an error is displayed. Examples of groups: deptD4D and printerusers. (Optional)
password
Specifies the password that is set for the new user. Passwords must adhere to the password policies set by the administrator.
sn
Specifies the short name of the user that is being created. For example: "Jones"
user_name
Specifies the name for the user to create. This name must be unique. A valid username is an alphanumeric string that is not case-sensitive. If the user registry is Active Directory, certain characters are not allowed. See Characters disallowed for user and group name for the list of these characters. If the user is a GSO user, certain characters are not allowed. See Characters disallowed for GSO names for the list of these characters.
Note: If you did not change the default 7-bit checking value during configuration of the Sun web server, turn off that checking so that non-ASCII characters can be stored in attributes.

Examples of usernames are dlucas, sec_master, "Mary Jones".

Return codes

0
The command was completed successfully.
1
The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Documentation. This reference provides a list of the Verify Identity Access error messages by decimal or hexadecimal codes.

Examples

  • The following example, entered as one line, creates user dlucas:
    pdadmin sec_master> user create -gsouser dlucas "cn=Diana Lucas,ou=Austin,o=Tivoli,c=US" "Diana Lucas" Lucas lucaspwd
  • The following example, entered as one line, creates user maryj:
    pdadmin sec_master> user create -gsouser maryj "cn=Mary Jones,o=tivoli,c=us" Mary Jones maryjpw
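As an added example (not from this page or from IBM), the following POSIX shell function emits the pdadmin command lines for the two-step procedure described above: a user create with -gsouser, followed by user modify ... account-valid yes so that the new account does not stay in the invalid state. It assumes the printed lines are later fed to pdadmin as a batch, and it quotes any argument that contains spaces or commas so that a DN such as "cn=Mary Jones,o=tivoli,c=us" is passed as a single argument.

```shell
#!/bin/sh
# Added example: build pdadmin commands to create a user and then mark the
# account valid. Values used in comments and tests are the sample users from
# this page (dlucas, maryj); nothing here talks to a real Verify Identity Access
# server, it only prints the commands.

# quote_arg VALUE
# Wrap VALUE in double quotes if it contains a space or a comma; pdadmin
# otherwise splits "Mary Jones" or a DN into several positional arguments.
quote_arg() {
  case "$1" in
    *' '*|*,*) printf '"%s"' "$1" ;;
    *)         printf '%s' "$1" ;;
  esac
}

# user_create_cmds USER DN CN SN PASSWORD [GROUP...]
# Prints:
#   user create -gsouser USER "DN" CN SN PASSWORD (GROUP ...)
#   user modify USER account-valid yes
# The password is still checked against the global password policy because
# -no-password-policy is deliberately not passed; the groups, when given, are
# emitted as the parenthesized, space-separated list the command expects.
user_create_cmds() {
  if [ "$#" -lt 5 ]; then
    echo "usage: user_create_cmds USER DN CN SN PASSWORD [GROUP...]" >&2
    return 1
  fi
  user=$1; dn=$2; cn=$3; sn=$4; pw=$5
  shift 5
  line="user create -gsouser $user $(quote_arg "$dn") $(quote_arg "$cn") $(quote_arg "$sn") $(quote_arg "$pw")"
  if [ "$#" -gt 0 ]; then
    line="$line ($*)"
  fi
  printf '%s\n' "$line"
  # Without -account-valid the account is created invalid; enable it explicitly.
  printf 'user modify %s account-valid yes\n' "$user"
}

# Usage (constructed sample, redirected to a batch file for pdadmin):
# user_create_cmds maryj "cn=Mary Jones,o=tivoli,c=us" Mary Jones maryjpw > create_maryj.txt
```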

See also

user delete
user import
user modify