ldapcfg command

This command sets and displays the LDAP configuration settings for the advanced management module.

Table 1. ldapcfg command

Each entry gives the function, what it does, the command syntax, and the valid targets.

Display LDAP settings
Displays the LDAP settings for the management module.
ldapcfg
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP security version
Sets the version of the LDAP security model used by the management module.
Note:
  • If the version is set to v1, the following values must also be set:
    • A group filter using the -gf command option.
    • A group search attribute using the -gsa command option.
    • A login permission attribute using the -lpa command option.
  • If the version is set to v2, the LDAP name must also be set using the -t command option.
ldapcfg -v version

where version is:

  • v1 for the old user permission model
  • v2 for the enhanced role-based security model
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP group filter
Sets the group filter for the management module that can be used for authentication during LDAP server login.
Note: For a group filter to be used, LDAP security must be set to v1 using the -v command option.
ldapcfg -gf "filter"

where "filter" is a quote-delimited string of up to 511 characters in length and consists of one or more group names. The colon (:) character is used to delimit multiple group names. Leading spaces and trailing spaces are ignored. Consecutive spaces are treated as a single space. The wildcard character (*) is not supported for security reasons. A group name can be specified as a full distinguished name (DN) or by using only its common name (cn) portion.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP group search attribute
Sets the group search attribute that represents groups of user IDs stored on the LDAP server.

On Active Directory servers, the group search attribute is typically set to "memberOf". On eDirectory servers, it is typically set to "groupMembership".

In an OpenLDAP server environment, users are typically assigned to groups whose objectClass is "PosixGroup". In this case the group search attribute that identifies the members of a particular PosixGroup is typically "memberUid".

Note: For a group search attribute to be used, LDAP security must be set to v1 using the -v command option.
ldapcfg -gsa "GSA"

where "GSA" is a quote-delimited alphanumeric string of up to 23 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.
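Under the v1 model the group filter (-gf) and the group search attribute (-gsa) work together: the management module reads the user's group membership through the group search attribute and compares those groups against the filter during login. The following Python is an added example, not code from the management module or its documentation. It applies the rules stated above for -gf (colon delimiter, surrounding spaces ignored, runs of spaces collapsed, no wildcard, cn or full DN) to constructed memberOf values of the kind an Active Directory server returns. How the module itself normalises case, and that a cn-only entry is compared against the group's cn alone with no check of its container, are assumptions made here.

```python
"""Added example: apply an LDAP security v1 group filter (ldapcfg -gf) to the
values of a user's group search attribute (ldapcfg -gsa, e.g. memberOf).
Not the management module's own code; matching details are assumptions."""
import re

MAX_FILTER_LEN = 511  # length limit the reference states for -gf


def parse_group_filter(filter_text: str) -> list[str]:
    """Split a -gf value into group names using the rules given for -gf:
    colon-delimited, surrounding spaces ignored, runs of spaces collapsed,
    and the '*' wildcard rejected rather than treated as a pattern."""
    if len(filter_text) > MAX_FILTER_LEN:
        raise ValueError(f"group filter exceeds {MAX_FILTER_LEN} characters")
    if "*" in filter_text:
        raise ValueError("the '*' wildcard is not supported in a group filter")
    groups = []
    for raw in filter_text.split(":"):
        name = re.sub(r" {2,}", " ", raw.strip())
        if name:
            groups.append(name)
    return groups


def _dn_parts(dn: str) -> list[tuple[str, str]]:
    """Normalise a DN into lower-cased (attribute, value) pairs.
    Assumption: no escaped commas or '=' characters inside values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), re.sub(r" {2,}", " ", value.strip()).lower()))
    return parts


def _entry_matches(filter_entry: str, group_dn: str) -> bool:
    """True if one filter entry (a bare cn or a full DN) names group_dn."""
    dn = _dn_parts(group_dn)
    if "=" not in filter_entry:
        # cn-only form (assumed): the container of the group is not checked
        return dn[0] == ("cn", filter_entry.lower())
    entry = _dn_parts(filter_entry)
    if len(entry) == 1 and entry[0][0] == "cn":
        return dn[0] == entry[0]
    return entry == dn  # full DN: the whole path must match


def matching_groups(group_filter: str, group_attr_values: list[str]) -> list[str]:
    """Return the values of the user's group search attribute (for example
    memberOf on Active Directory) that satisfy the configured group filter."""
    wanted = parse_group_filter(group_filter)
    return [g for g in group_attr_values if any(_entry_matches(w, g) for w in wanted)]


# Constructed sample data: what one user's memberOf attribute might hold.
# Two groups share the cn "BladeAdmins" but live in different OUs.
USER_MEMBER_OF = [
    "CN=BladeAdmins,OU=Datacenter,DC=example,DC=com",
    "CN=BladeAdmins,OU=Lab,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
]

CN_FILTER = "BladeAdmins : Chassis  Operators"
DN_FILTER = "cn=BladeAdmins,ou=Datacenter,dc=example,dc=com"

if __name__ == "__main__":
    print("cn-only filter matches:", matching_groups(CN_FILTER, USER_MEMBER_OF))
    print("full-DN filter matches:", matching_groups(DN_FILTER, USER_MEMBER_OF))
```

With the constructed data, the cn-only filter matches both BladeAdmins groups, while the full-DN filter matches only the one in OU=Datacenter. That is the practical reason to prefer full distinguished names in -gf: a cn-only entry is satisfied by any same-named group a directory administrator can create elsewhere in the tree.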

Set LDAP login permission attribute
Sets the login permission attribute that is used to retrieve user permissions from the LDAP server.
Note: For a login permission attribute to be used, LDAP security must be set to v1 using the -v command option.
ldapcfg -lpa "permission"

where "permission" is a quote-delimited alphanumeric string up to 23 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP name
Sets the LDAP name for the management module.
Note: For an LDAP name to be used, LDAP security must be set to v2 using the -v command option.
ldapcfg -t name

where name is an alphanumeric string up to 63 characters in length containing any character except for angle brackets ( < and > ) and spaces.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP server discovery method
Sets the method to use for discovering LDAP servers that provide user authentication.
Note:
  • If the dns method is specified, the following values must also be set:
    • A domain name using the -dn command option.
    • A forest name using the -fn command option.
  • If the preconf method is specified, the following values must also be set:
    • One or more LDAP server host names or IP addresses using the -i1, -i2, -i3, and -i4 command options.
    • A port for each configured LDAP server host name or IP address using the -p1, -p2, -p3, and -p4 command options.
ldapcfg -server method

where method is:

  • dns for dynamic discovery
  • preconf to use an LDAP server that was manually pre-configured
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP server domain name
Sets the search domain to use for Domain Controller (DC) dynamic discovery.
ldapcfg -dn domain

where domain is an alphanumeric string up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP server forest name
Sets the forest name to use for Global Catalog (GC) dynamic discovery.
ldapcfg -fn forestname

where forestname is an alphanumeric string up to 63 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

First LDAP server host name or IP address - set
Checks syntax and sets the first LDAP server host name or IP address to use for pre-configured LDAP server discovery.
Note: A port for this LDAP server hostname or IP address must be set using the -p1 command option.
ldapcfg -i1 hostname/ip_address

where hostname/ip_address is the first host name or IP address, up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Second LDAP server host name or IP address - set
Checks syntax and sets the second LDAP server host name or IP address to use for pre-configured LDAP server discovery.
Note: A port for this LDAP server hostname or IP address must be set using the -p2 command option.
ldapcfg -i2 hostname/ip_address

where hostname/ip_address is the second host name or IP address, up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Third LDAP server host name or IP address - set
Checks syntax and sets the third LDAP server host name or IP address to use for pre-configured LDAP server discovery.
Note: A port for this LDAP server hostname or IP address must be set using the -p3 command option.
ldapcfg -i3 hostname/ip_address

where hostname/ip_address is the third host name or IP address, up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Fourth LDAP server host name or IP address - set
Checks syntax and sets the fourth LDAP server host name or IP address to use for pre-configured LDAP server discovery.
Note: A port for this LDAP server hostname or IP address must be set using the -p4 command option.
ldapcfg -i4 hostname/ip_address

where hostname/ip_address is the fourth host name or IP address, up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

First LDAP server port number - set
Sets the port number of the first LDAP server to use for pre-configured LDAP server discovery.
ldapcfg -p1 port

where port is from 1 to 65535, inclusive. If you enter a value outside this range, an error will be displayed.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Second LDAP server port number - set
Sets the port number of the second LDAP server to use for pre-configured LDAP server discovery.
ldapcfg -p2 port

where port is from 1 to 65535, inclusive. If you enter a value outside this range, an error will be displayed.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Third LDAP server port number - set
Sets the port number of the third LDAP server to use for pre-configured LDAP server discovery.
ldapcfg -p3 port

where port is from 1 to 65535, inclusive. If you enter a value outside this range, an error will be displayed.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Fourth LDAP server port number - set
Sets the port number of the fourth LDAP server to use for pre-configured LDAP server discovery.
ldapcfg -p4 port

where port is from 1 to 65535, inclusive. If you enter a value outside this range, an error will be displayed.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP root distinguished name
Sets the root distinguished name (DN) for the root entry of the LDAP directory tree that is used as the base object for all searches.
ldapcfg -rd "name"

where "name" is up to 255 characters in length and contained within double-quotes. Names can contain any character, including spaces.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP UID search attribute
Sets the UID search attribute that represents the user IDs stored on the LDAP server.

On Active Directory servers, the UID search attribute is typically set to "sAMAccountName". On Novell eDirectory and OpenLDAP servers, it is typically set to "uid".

ldapcfg -usa "UID"

where "UID" is up to 23 characters in length and contained within double-quotes. The UID can contain only letters, numbers, spaces, and the following characters: "-", "(", ")", "+", ",", ".", "/", ":", and "?".

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP server binding method
Sets the binding method for the initial connection to the LDAP server.
Note:
  • If the binding method is set to anon, a UID search attribute must be set using the -usa command option.
  • If the binding method is set to cc, the following values must also be set:
    • A UID search attribute using the -usa command option
    • A client distinguished name using the -cd command option.
    • A client password using the -p and -cp command options.
ldapcfg -bm method

where method is:

  • anon for anonymous
  • cc for configured credentials
  • lc for login credentials
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP server to be used for authentication only
Enables the authentication mode that uses the LDAP server for authentication only, with local authorization. This automatically disables the authentication mode that uses the LDAP server for both authentication and authorization.

In this mode the LDAP server only verifies the user's credentials; the user's authority is assigned locally from the settings configured by the groups command.

ldapcfg -aom state

where state is enabled or disabled

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP client distinguished name
Sets the client distinguished name (DN) for the initial connection to the LDAP server.
Note: A client password must also be set using the -p and -cp command options.
ldapcfg -cd dn

where dn is the client distinguished name, a string up to 255 characters in length containing any character except for angle brackets ( < and > ) and spaces.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set LDAP client distinguished name password
Sets the client distinguished name password for the initial connection to the LDAP server.
Note: The passwords must be specified by both the -p and -cp command options and must match.
ldapcfg -p password

where password is an alphanumeric string up to 15 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Set (confirm) LDAP client distinguished name password
Sets, for confirmation purposes, the client distinguished name password for the initial connection to the LDAP server.
Note: The passwords must be specified by both the -p and -cp command options and must match.
ldapcfg -cp password

where password is an alphanumeric string up to 15 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Valid targets: -T system:mm[x]

where x is the primary management-module bay number.

Note: The -ds, -sd, and -sn options for the ldapcfg command have been deleted and replaced by the -dn and -fn command options. Dynamic-discovery settings that were entered with the old options must be re-entered using the syntax required by the new command options.

Example:

To display the management module LDAP settings, while management module 1 is set as the persistent command environment, at the system:mm[1]> prompt, type
                  ldapcfg
               
To enable the authentication mode to use the LDAP server for authentication only with local authorization, while management module 1 is set as the persistent command environment, at the system:mm[1]> prompt, type
                  ldapcfg -aom enabled
               

The following example shows the information that is returned from these two commands:

system:mm[1]> ldapcfg
-server preconf
 Parameters for '-server dns' configuration:
   -dn
   -fn test_fn
 Parameters for '-server preconf' configuration:
   -i1
   -p1
   -i2
   -p2
   -i3
   -p3
   -i4 192.168.1.23
   -p4 11

Miscellaneous Parameters:
-rd 11
-usa
-bm cc
-aom enabled
 Parameters for '-bm cc' configuration:
   -cd

-v v1
 Parameters for '-v v1' configuration:
   -gf
   -gsa
   -lpa
 Parameters for '-v v2' configuration:
   -t
system:mm[1]> ldapcfg -aom enabled
OK
system:mm[1]>
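The notes in the table state which options each setting of -v, -server and -bm requires, and the sample output above shows a configuration in which several of them are empty. The following Python is an added example, not code from the management module or its documentation: it parses the text that ldapcfg displays (assuming the layout shown in the sample above) and reports the stated dependencies that are not satisfied, plus a port-range check and a check for the deleted -ds, -sd and -sn options. The password set with -p and -cp is never displayed, so the cc binding method is checked only for -usa and -cd.

```python
"""Added example: audit the output of the ldapcfg display command against the
dependency rules given in the command reference. Not the management module's
own code; the output layout is assumed to match the sample on this page."""
import re

# Constructed input: the sample output shown in the command reference.
SAMPLE_OUTPUT = """\
-server preconf
 Parameters for '-server dns' configuration:
   -dn
   -fn test_fn
 Parameters for '-server preconf' configuration:
   -i1
   -p1
   -i2
   -p2
   -i3
   -p3
   -i4 192.168.1.23
   -p4 11

Miscellaneous Parameters:
-rd 11
-usa
-bm cc
-aom enabled
 Parameters for '-bm cc' configuration:
   -cd

-v v1
 Parameters for '-v v1' configuration:
   -gf
   -gsa
   -lpa
 Parameters for '-v v2' configuration:
   -t
"""

# A displayed option line: optional indent, the option name, optional value.
OPTION_LINE = re.compile(r"^\s*(-[a-z0-9]+)(?:\s+(.*))?$")


def parse_ldapcfg(text: str) -> dict[str, str]:
    """Map each option name shown by ldapcfg to its value ('' when unset)."""
    settings = {}
    for line in text.splitlines():
        m = OPTION_LINE.match(line)
        if m:
            settings[m.group(1)] = (m.group(2) or "").strip()
    return settings


def audit(settings: dict[str, str]) -> list[str]:
    """Return the rules from the ldapcfg reference that the settings violate."""
    problems = []

    def require(opt, because):
        if not settings.get(opt):
            problems.append(f"{opt} must be set because {because}")

    version = settings.get("-v")
    if version == "v1":
        for opt in ("-gf", "-gsa", "-lpa"):
            require(opt, "-v is v1")
    elif version == "v2":
        require("-t", "-v is v2")

    method = settings.get("-server")
    if method == "dns":
        require("-dn", "-server is dns")
        require("-fn", "-server is dns")
    elif method == "preconf":
        pairs = [(settings.get(f"-i{n}", ""), settings.get(f"-p{n}", "")) for n in range(1, 5)]
        if not any(host for host, _ in pairs):
            problems.append("-server is preconf but no -i1..-i4 server is set")
        for n, (host, port) in enumerate(pairs, 1):
            if host and not port:
                problems.append(f"-i{n} is set but -p{n} is not")
            if port and not (port.isdigit() and 1 <= int(port) <= 65535):
                problems.append(f"-p{n} value {port!r} is not in 1..65535")

    binding = settings.get("-bm")
    if binding in ("anon", "cc"):
        require("-usa", f"-bm is {binding}")
    if binding == "cc":
        require("-cd", "-bm is cc")

    for old in ("-ds", "-sd", "-sn"):  # options the reference says were deleted
        if old in settings:
            problems.append(f"{old} is no longer supported; use -dn and -fn")
    return problems


if __name__ == "__main__":
    for problem in audit(parse_ldapcfg(SAMPLE_OUTPUT)):
        print(problem)
```

Run against the sample output, the audit reports five problems: -gf, -gsa and -lpa are empty although -v is v1, and -usa and -cd are empty although -bm is cc. A configuration like that authenticates users through a bind with configured credentials but can never map them to a group, which is worth catching before the chassis is handed over.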