chldapconfig

Modifies LDAP configuration settings on the metadata server.

>>-chldapconfig--+--------+--+---------+------------------------>
                 +- -?----+  '- -quiet-'
                 +- -h----+
                 '- -help-'

>--+------------------+--+------------+--+----------+----------->
   '- -ip--IP_address-'  '- -user--dn-'  '- -passwd-'

>--+-------------------+--+--------------------------+---------->
   '- -secure--+-off-+-'  |              .-,----.    |
               '-on--'    |              V      |    |
                          '- -roledn--"----role-+--"-'

>--+-------------------------+--+-------------------------+----->
   '- -useridattr--attribute-'  '- -roleidattr--attribute-'

>--+--------------------------+--+-------------------------+---><
   '- -rolememattr--attribute-'  '- -cachetimeout--seconds-'

Parameters

-? | -h | -help
Displays a detailed description of this command, including syntax, parameter descriptions, and examples. If you specify a help option, all other command options are ignored.
-quiet
Turns off confirmation messages for this command.
-ip IP_address
Specifies the IP address of the LDAP server.
-user dn
Specifies the distinguished name (DN) of the administrative LDAP account that the metadata server binds as when it makes authentication queries. This is the account used to sign on to the LDAP server; it is not one of the user IDs that have been created for SAN File System administrators.
-passwd
Specifies that the password for the administrative LDAP account is to be set. The password is not given on the command line: if you specify this parameter, you are prompted to enter the password and then to confirm it.
-secure off | on
Specifies whether the LDAP connection is made using Secure Sockets Layer (SSL). You can specify one of the following values:
off
The LDAP connection uses a plain, unencrypted socket. The administrative bind credentials and all query results cross the network in cleartext.
on
The LDAP connection uses Secure Sockets Layer (SSL). This is the initial value.
-roledn "roles"
Specifies one or more LDAP distinguished names (DNs) under which the role definitions are located in the LDAP server. Separate multiple DNs with commas. If the list contains spaces, you must enclose it in double quotation marks, for example, "ou=Roles,o=IBM,c=US".

To clear this value, specify empty double quotation marks (for example, "").

Tip: If you clear this value, the administrative functions might become unusable, because the metadata server can no longer locate any role definitions.

The maximum length of the entire roledn list is 256 characters.

-useridattr attribute
Specifies the LDAP attribute that holds the login name. The initial value is uid. For Active Directory, the recommended value is sAMAccountName.
-roleidattr attribute
Specifies the LDAP attribute that holds the name of the role. The initial value is cn. For Active Directory, the recommended value is description.
-rolememattr attribute
Specifies the LDAP attribute that holds the members of the role. The initial value is roleOccupant. For Active Directory, the recommended value is member.
-cachetimeout seconds
Specifies the maximum age, in seconds, of entries in the LDAP cache. The initial value is 600.

When an entry reaches the cache timeout, it is removed from the cache, and the next time you use the administrative functions you are authenticated against the LDAP server rather than from the cached entry. A larger value reduces LDAP traffic, but it also lengthens the time during which a password change or role removal made on the LDAP server is not yet reflected on the metadata server.

Prerequisites

You must have Administrator privileges to use the command.

You must be logged in to the operating system on the engine hosting the master metadata server to run this command.

Description

Attention: This command changes settings only on the metadata servers. It does not modify settings on the LDAP server. The settings on the metadata server must match the settings on the LDAP server exactly.
Restriction: Change the LDAP settings on the metadata server using a single chldapconfig command, and then make the matching changes on the LDAP server, before issuing any other administrative commands. If you modify the LDAP server first, user authentication fails and you will not be able to issue administrative commands.
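The following is an added illustration, not SAN File System code, of why the four attribute settings must line up exactly with the directory and what the cache timeout means for revocation. It assumes the usual shape of an LDAP role check (find the entry whose useridattr equals the login name, then report the roleidattr of every entry under roledn whose rolememattr lists that user's DN); the product's actual query logic is not documented here. The two LDIF directories, the user alice and the role name Administrator are constructed sample data.

```python
"""Added illustration, not SAN File System code: a model of the role lookup that the
chldapconfig attribute settings configure. Assumed shape: find the entry whose -useridattr
equals the login name, then report the -roleidattr of every entry under -roledn whose
-rolememattr lists that user's DN. The LDIF below is constructed sample data."""
import time
from dataclasses import dataclass

# Constructed directory, OpenLDAP style: the initial values uid / cn / roleOccupant apply.
OPENLDAP_LDIF = """\
dn: uid=alice,ou=People,o=IBM,c=US
uid: alice
cn: Alice Example

dn: cn=Administrator,ou=Roles,o=IBM,c=US
cn: Administrator
roleOccupant: uid=alice,ou=People,o=IBM,c=US
"""
# The same user and role, Active Directory style: sAMAccountName / description / member.
AD_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=company,DC=com
sAMAccountName: alice
cn: Alice Example

dn: CN=sfs-admins,OU=Roles,DC=company,DC=com
description: Administrator
member: CN=Alice Example,OU=Users,DC=company,DC=com
"""

def parse_ldif(text):
    """Minimal LDIF reader (no continuation lines, no base64): {dn: {attr_lower: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries[dn] = attrs
    return entries

def norm_dn(dn):
    """Case-fold a DN and drop whitespace around '=' and ',': "cn = foo, c = us" -> "cn=foo,c=us"."""
    rdns = (rdn.split("=", 1) for rdn in dn.split(","))
    return ",".join("=".join(p.strip() for p in rdn) for rdn in rdns).lower()

def is_under(dn, base):
    n, b = norm_dn(dn), norm_dn(base)
    return n == b or n.endswith("," + b)

@dataclass
class LdapConfig:
    roledn: tuple                      # the -roledn list: one or more base DNs
    useridattr: str = "uid"            # -useridattr
    roleidattr: str = "cn"             # -roleidattr
    rolememattr: str = "roleOccupant"  # -rolememattr
    cachetimeout: int = 600            # -cachetimeout, in seconds

DEFAULT_CFG = LdapConfig(roledn=("ou=Roles,o=IBM,c=US",))
AD_CFG = LdapConfig(roledn=("OU=Roles,DC=company,DC=com",), useridattr="sAMAccountName",
                    roleidattr="description", rolememattr="member")

def lookup_roles(entries, login, cfg):
    """Roles held by `login`; empty when the attribute mapping does not match the directory."""
    users = [dn for dn, a in entries.items() if login in a.get(cfg.useridattr.lower(), [])]
    if len(users) != 1:            # not found, or ambiguous: refuse rather than guess
        return set()
    user_dn, roles = norm_dn(users[0]), set()
    for dn, attrs in entries.items():
        if not any(is_under(dn, base) for base in cfg.roledn):
            continue
        members = {norm_dn(m) for m in attrs.get(cfg.rolememattr.lower(), [])}
        if user_dn in members:
            roles.update(attrs.get(cfg.roleidattr.lower(), []))
    return roles

class RoleCache:
    """Re-uses a lookup result until it is cachetimeout seconds old (the -cachetimeout behaviour)."""
    def __init__(self, cfg, clock=time.monotonic):
        self.cfg, self.clock, self.items = cfg, clock, {}
    def roles(self, entries, login):
        now, hit = self.clock(), self.items.get(login)
        if hit is None or now - hit[0] >= self.cfg.cachetimeout:   # miss or expired: ask LDAP again
            hit = self.items[login] = (now, lookup_roles(entries, login, self.cfg))
        return hit[1]

def revocation_latency_demo():
    """A role removed on the LDAP server stays effective until the cached entry expires."""
    entries, now = parse_ldif(OPENLDAP_LDIF), [0.0]                     # fake clock, seconds
    cache = RoleCache(DEFAULT_CFG, clock=lambda: now[0])
    before = cache.roles(entries, "alice")
    entries["cn=Administrator,ou=Roles,o=IBM,c=US"]["roleoccupant"] = []  # revoke on the server
    now[0] = 599.0
    still_cached = cache.roles(entries, "alice")
    now[0] = 600.0
    after_expiry = cache.roles(entries, "alice")
    return before, still_cached, after_expiry
```

With the initial attribute values the OpenLDAP-style directory resolves alice to Administrator, and with the Active Directory values the AD-style directory does the same; leaving the initial values in place against the AD directory resolves nothing, which is the "authentication fails" outcome the Restriction above warns about. The last function shows that a role removed on the LDAP server remains effective on the metadata server for up to cachetimeout seconds.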

Example

Modify LDAP settings

The following example modifies the administrative user ID, its password, and the role distinguished name (DN) on the metadata server to match the configuration on the LDAP server:
#sfscli chldapconfig -user cn=Administrator,dc=company,dc=com 
-roledn "cn = foo, ou = bar, c = us" -passwd
Are you sure you want to change LDAP configuration settings? Administrative
interfaces will not be usable until the LDAP server is modified to match. 
[y/n] Y
Enter new LDAP password:
Confirm new LDAP password:
The LDAP configuration was modified successfully.

Parent topic: Administrative commands

Related reference
statldap

(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.