Skip to content

vadduser.1

Jump to bottom
Manvendra Bhangui edited this page Dec 13, 2024 · 9 revisions

NAME

vadduser - Add a new user to a virtual domain

SYNOPSYS

vadduser [ options ] address password

DESCRIPTION

vadduser adds a new user to a virtual domain. The account created is active. You can also create the user as inactive by specifying the -i option. An inactive account becomes active when the user logs in (using IMAP4 or POP3). You can use the vmoduser(1) command to make an account active or inactive. The username should be either alpha-numeric or have the characters '.', '-', '_'. The username, gecos and domain component cannot have the ':' character. The case is changed to lower case before adding to the database. For a clustered domain, the user is also added to the table hostcntrl on the control host. vadduser has setuid bit set and can be run by the root user, by user having uid/gid of the domain in /etc/indimail/users/assign or if the user has the gid of the domain as a supplementary group. Password is encrypted using crypt(3) and supports all encryption methods supported by crypt(3). The Directory Structure Layout's hashed component (See Below) is incremented by one.

The user's home dirctory has four components

Base Path

[step]
Directory Prefix

[step]
Domain Name

[step]
Hashed Component

If the domain was created using -B option to vadddomain, the Base Path is taken from the file .base_path file in the domains directory. Else the Base Path can be defined by the environment variable BASE_PATH. If this variable is not set, the value is taken from BASE_PATH defined in indimail.h. Base Path can be provided on the command line by the -B option. The -B to vadduser overrides environment variable and value in the .base_path file. If vfstab (-b option) is run periodically, -b option in vadduser can be used to balance optimally user creation across filesystems to distribute the load. The -b option overrides -B option, environment variable BASE_PATH and the file

The Directory Prefix depends on the first character of the username. It can have one of the five values

A2E: First character of username is a alphabet including and lying in between 'a' and 'e'

[step]
F2K: First character of username is a alphabet including and lying in between 'f' and 'k'

[step]
L2P: First character of username is a alphabet including and lying in between 'l' and 'p'

[step]
Q2S: First character of username is a alphabet including and lying in between 'q' and 's'

[step]
T2Zsym: First character of username is a alphabet including and lying in between 't' and 'z' or starts with a non alphabetic character.

The Domain Name component is derived from the virtual domain (domain component) of the username.

The Hashed Component is constructed using an adaptive directory structure which is automatically managed by the core indimail api functions "vadduser" and "vdeluser". This structure is known as Directory Structure Layout. For sites with 100 users or less, all user directories are stored in the virtual domain directory. For sites that go above 100 users the adaptive directory structure goes into effect. The basic idea is to break up the user Maildir directories across multiple directories and sub directories so that there are never more than 100 user directories in a single directory. You can look at this structure using the printdir(1) program.

The default directory setup allows for 62 directories in 3 levels and 100 user directories per directory. The total number of user directories is equal to 100 + (62 * 100) + (62 * 62 * 100) + (62 * 62 * 62 * 100) = over 24 million directories. This should be more than sufficient for any site and probably goes beyond the technology of directory structures.

If you are going to be storing large numbers of user directories, make sure you set your file system to have a higher than normal percentage of inodes. vadduser will automatically create these directories and sub directories as needed and populate each directory with up to 100 user accounts. As soon as a directory reaches 100 users it will create the next directory or sub directory and store the new users directory there.

Over a period of time, due to large no of deletions of users, the Directory Structure Layout for all users can be regenerated using the program vreorg(8).

OPTIONS

-v
Set verbose mode.

-e
Set the encrypted Password field This options disables the internal encryption routine which encrypts the password provided on the command line. This option sets the encrypted password field exactly as given on the command line without any encryption. It expects you to give a standard encrypted password or you can use this to set plaintext/salted password for CRAM authentication.

-r
Generates Random Password of length len. Need not give password on command line.

-h hash
Specify hash which is one of DES, MD5, SHA-256, SHA-512. Here ID is the id in /etc/shadow. See incrypt(1).

HASH ID Description
DES - DES encryption (shouldn't be used)
MD5 1 MD5 encryption (shouldn't be used)
SHA-256 5 SHA256 encryption
SHA-512 6 SHA512 encryption

You can also set the environment variable PASSWORD_HASH to set the encryption method. The -h argument overrides the environment variable PASSWORD_HASH. The value of PASSWORD_HASH environment variable identifies the encryption method used and this then determines how the rest of the password string is interpreted. The following values of PASSWORD_HASH are supported:

PASSWORD_HASH Value	Description
0	DES encryption (shouldn't be used)
1	MD5 encryption (shouldn't be used)
2	SHA256 encryption
3	SHA512 encryption

-m scram
Sets the CRAM or SCRAM method for encryption. This will set SCRAM password in the scram field in indimail/indibak tables. For CRAM method, it will set clear text password when -C option is specified.

CRAM/SCRAM method	Description
-----------------	-----------
CRAM	Sets clear text password suitable for any
	CRAM method (CRAM-MD5, CRAM-SHA1, ...)
SCRAM-SHA-1	SHA1 encryption suitable for SCRAM-SHA-1.
SCRAM-SHA-256	SHA256 encryption suitable for SCRAM-SHA-256.

-C
Sets up authentication suitable for CRAM-MD5, CRAM-SHA1, CRAM-SHA224, CRAM-SHA256, CRAM-SHA384, CRAM-SHA512, CRAM-RIPEMD and DIGEST-MD5 methods. This works by storing the clear text credentials in the database. if the -m option is selected, this will additionally store a hex-encoded salted password for SCRAM methods, which can be used instead of clear text passwords by clients (for SCRAM authentication).

-S salt
Specify a base64 encoded salt to be used when generating SCRAM password. If not specified, this will be generated using libsodium/gsasl. Here base64 implies characters [0-9], [a-z], [A-Z] and the two characters [./].

-I iteration
Specify the iteration count to be used when generating SCRAM password. The default is 4096.

-c Comment
Set Comment (Sets the gecos comment field)

-d
Create the directory for the user. If this option is not given, the home directory is not created. It gets created when the user logs in either through IMAP4 or POP3 protocol.

-B base_path
Set the base path for the user's home directory. This overrides the base path defined in the domain's directory defined in /var/indimail/users/assign file, the environment variable BASE_PATH and the default base path /home/mail.

-b
Balances users across filesystems listed in fstab table as they are created. This option should be used if vfstab (with -b option) is enabled in cron. This option overrides the -B option.

-l users_per_level
By default, vadduser uses an adaptive directory structure based on a table dir-control which is automatically managed by vadduser(1), vdeluser(1) and vreorg(8). The basic idea is to break up the user Maildir directories across multiple directories and sub directories so that there are never more than 100 user directories in a single directory. Use this option to change the default compile time value of 100 users per directory.

-q [quota in bytes]
Set the hard quota limit for the user. If not supplied then the default system hard quota limit is set. The default limit is either 50M or what ever is set via --enable-hardquota. If set to NOQUOTA then the user will have no quota limit.

If the domain has domain limits set using vlimit(1), then domain limits apply. Also, this option will not be allowed if permission for creating quota is disabled in domain limits.

You can use the suffix k/K, m/M, g/G to specify quota in Kb, Mb or Gb.

-H hostid
For a clustered domain, this option can be used to create the user on a specific host having hostid as the hostid.

-M mdahost
For a clustered domain, this option can be used to create the user on a specific cluster having Mail Delivery Host as mdahost.

address
The new email address of the user. Requires the domain name as well as the user name. For example: user@domain.com. If the domain name is not specified the user is added to the default domain.

password
Set the password for the user. If the password is not supplied on the command line then vadduser will prompt standard in for the password. The password must be typed in twice.

The user is added to the inactive table indibak (except for RFC ids postmaster and abuse) and is treated as an inactive user until the user logs in, upon which the user record is moved to the active table indimail.

POST HANDLE

If the environment variable POST_HANDLE is set, vadduser executes the program defined by the POST_HANDLE environment variable, passing address as a parameter. If POST_HANDLE is not defined, the program/script /usr/libexec/indimail/vadduser will be executed with address as a parameter. The POST_HANDLE program is executed as the last step after all earlier steps have been successful.

RETURN VALUE

0 if all steps were successful, non-zero otherwise. If any of the steps fail, a diagnostic message is printed.

SEE ALSO

printdir(1), vreorg(8), vdeluser(1), vpasswd(1), vmoduser(1), vlimit(1),

Clone this wiki locally