user create

Creates a Security Access Manager user.

Requires authentication (administrator ID and password) to use this command.

Syntax

user create [-gsouser] [-no-password-policy] user_name dn cn sn password [groups]

Description

A user is a registered participant of the secure domain. A GSO user is a Security Access Manager user that additionally has the authority to use single sign-on to work with web resources.

You can create users in the Active Directory Lightweight Directory Service (AD LDS) user registry. You must create such users in the same AD LDS partition where the Access Manager Management Domain information is stored.

The -gsouser option enables global sign-on capabilities. Users that are created in an Active Directory are automatically given the capability to own single sign-on credentials. This capability cannot be removed. When you use an LDAP user registry, this capability must be explicitly granted. After this capability is granted, it can be removed.

The -no-password-policy option allows the administrator to create the user with an initial password that is not checked by the existing global password policies. If this option is not present in the command, the password that is provided is checked against the global password policies. In this case, the user create command fails if the password is invalid, and the error message includes information about what conditions were not met.

However, if the administrator applies the password option on the user modify command, the -no-password-policy option is not available. Therefore, the modified password is always checked against the global password policy settings.

Options

-gsouser
Enables the global sign-on (GSO) capabilities for the user. Applies only to users created in an LDAP user registry.
-no-password-policy
Indicates that password policy is not enforced during the creation of the user account. The non-enforcement does not affect password policy enforcement after user creation. (Optional)
cn
Specifies the common name that is assigned to the user that is being created. For example: "Mary"
dn
Specifies the registry identifier that is assigned to the user that is being created. The registry identifier must be known before a new user account can be created. The registry identifier must be unique within the user registry. If the user registry is Active Directory, certain characters are not allowed. See Characters disallowed for distinguished names for the list of these characters.
A distinguished name has the following format, for example:
"cn=Mary Jones,ou=Austin,o=Tivoli,c=us"
groups
Specifies a list of groups to which the new user is assigned. The format of the group list is a parenthesized list of group names, which are separated by spaces. The groups must exist, or an error is displayed. Examples of groups: deptD4D and printerusers. (Optional)
password
Specifies the password that is set for the new user. Passwords must adhere to the password policies set by the administrator.
sn
Specifies the short name of the user that is being created. For example: "Jones"
user_name
Specifies the name for the user to create. This name must be unique. A valid user name is an alphanumeric string that is not case-sensitive. If the user registry is Active Directory, certain characters are not allowed. See Characters disallowed for user and group name for the list of these characters. If the user is a GSO user, certain characters are not allowed. See Characters disallowed for GSO names for the list of these characters.
Note: If you did not change the 7-bit checking default value during configuration of the Sun web server, turn off 7-bit checking so that non-ASCII characters can be stored in attributes.

Examples of user names are dlucas, sec_master, "Mary Jones".

Return codes

0
The command completed successfully.
1
The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.

Examples

  • The following example, entered as one line, creates user dlucas:
    pdadmin sec_master> user create -gsouser dlucas "cn=Diana Lucas,ou=Austin,o=Tivoli,c=US" "Diana Lucas" Lucas lucaspwd
  • The following example, entered as one line, creates user maryj:
    pdadmin sec_master> user create -gsouser maryj "cn=Mary Jones,o=tivoli,c=us" Mary Jones maryjpwd

To make the user accounts valid, you must use the user modify command to set the account-valid option to yes.
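The following added example is not part of the IBM reference page. It composes the pdadmin command text for user create in the argument order the Syntax section gives (options first, then user_name dn cn sn password [groups]), double-quotes values that contain spaces as the examples above do, writes the group list in the parenthesized space-separated form, and appends the user modify account-valid line that the page says is required before the account can be used. pdadmin itself is never invoked; the functions only return text that can be reviewed and then entered into pdadmin. The helper names and the simple non-empty checks are assumptions of this example, since the lists of characters disallowed for Active Directory and GSO names are not reproduced on this page.

```python
"""Compose pdadmin 'user create' command lines with the quoting the syntax requires.

Added example; this is not code from the IBM reference page. pdadmin is never
invoked here: each function returns the command text so it can be reviewed
before being entered at the pdadmin prompt.
"""
from typing import List, Sequence


def _quote(arg: str) -> str:
    """Double-quote an argument that contains whitespace, as the page's
    examples do for DNs and common names such as "Diana Lucas"."""
    if arg == "" or any(ch.isspace() for ch in arg):
        return '"' + arg.replace('"', '\\"') + '"'
    return arg


def user_create_command(
    user_name: str,
    dn: str,
    cn: str,
    sn: str,
    password: str,
    groups: Sequence[str] = (),
    gsouser: bool = False,
    no_password_policy: bool = False,
) -> str:
    """Return one 'user create' line: options first, then the positional
    arguments user_name dn cn sn password, then the optional group list."""
    # Assumed check for this example: every positional argument must be present.
    # The page's per-registry lists of disallowed characters are not applied here.
    for label, value in (("user_name", user_name), ("dn", dn), ("cn", cn),
                         ("sn", sn), ("password", password)):
        if not value:
            raise ValueError(f"{label} must not be empty")

    parts = ["user", "create"]
    if gsouser:
        parts.append("-gsouser")
    if no_password_policy:
        # The initial password bypasses the global password policy only at
        # creation time; later 'user modify' password changes are still checked.
        parts.append("-no-password-policy")
    parts += [_quote(user_name), _quote(dn), _quote(cn), _quote(sn), _quote(password)]
    if groups:
        # The group list is a parenthesized list of names separated by spaces.
        parts.append("(" + " ".join(groups) + ")")
    return " ".join(parts)


def account_valid_command(user_name: str) -> str:
    """The follow-up the page requires: a newly created account is not valid
    until 'user modify <name> account-valid yes' is run."""
    return f"user modify {_quote(user_name)} account-valid yes"


def provisioning_commands(**kwargs) -> List[str]:
    """Both lines needed to provision a usable account, in the order to enter them."""
    return [user_create_command(**kwargs), account_valid_command(kwargs["user_name"])]


if __name__ == "__main__":
    # Constructed sample values, mirroring the dlucas example on the page.
    for line in provisioning_commands(
        user_name="dlucas",
        dn="cn=Diana Lucas,ou=Austin,o=Tivoli,c=US",
        cn="Diana Lucas",
        sn="Lucas",
        password="lucaspwd",
        groups=["deptD4D", "printerusers"],
        gsouser=True,
    ):
        print(line)
```

Because the group list is parsed by pdadmin as a parenthesized token sequence, the helper leaves it unquoted; only individual values containing whitespace (a DN, a common name like "Diana Lucas", or a user name like "Mary Jones") are wrapped in double quotes.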

See also