Table 6-12 ldapmodify SSL options (continued)

Option  Description

-N      Specifies the certificate name to use for certificate-based client authentication. For example:

            -N Server-Cert

        If this option is specified, then the -Z and -W options are required. Also, if this option is
        specified, then the -D and -w options must not be specified, or certificate-based authentication
        will not occur, and the bind operation will use the authentication credentials specified on -D
        and -w.

-P      Specifies the absolute path, including the file name, of the certificate database of the client.
        This option is used only with the -Z option. When used on a machine where an SSL-enabled web
        browser is configured, the path specified on this option can point to the certificate database
        for the web browser. For example:

            -P /security/cert.db

        The client security files can be stored on the Directory Server in the
        /etc/opt/dirsrv/slapd-instance_name directory. In this case, the -P option calls out a path
        and file name similar to the following:

            -P /etc/opt/dirsrv/slapd-instance_name/client-cert.db

-Q      Specifies the token and certificate name, separated by a colon (:), for PKCS11.

-W      Specifies the password for the certificate database identified on the -P option. For example:

            -W serverpassword

-Z      Specifies that SSL is to be used for the directory request.

-ZZ     Specifies the Start TLS request. Use this option to make a cleartext connection into a secure
        one. If the server does not support Start TLS, the command is not aborted; it continues in
        cleartext.

-ZZZ    Enforces the Start TLS request. The server must respond that the request was successful. If the
        server does not support Start TLS, such as when Start TLS is not enabled or the certificate
        information is incorrect, the command is aborted immediately.

6.5.4 ldapmodify SASL options

SASL mechanisms can be used to authenticate a user, using the -o option to pass the required SASL information.

To learn which SASL mechanisms are supported, search the root DSE. See the -b option in Table 6-3 “Commonly-used ldapsearch options”.

Table 6-13 SASL options

Option  Description

-o      Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six
        values:

            mech, the SASL authentication mechanism
            authid, the user who is binding to the server (Kerberos principal)
            authzid, a proxy authorization (ignored by the server since proxy authorization is not supported)
            secProp, the security properties
            realm, the Kerberos realm
            flags

        The expected values depend on the supported mechanism. The -o option can be used multiple
        times to pass all the required SASL information for the mechanism. For example:

            -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"

See “ldapsearch SASL options” for the ldapsearch command for information on how to use SASL options with the ldapmodify command.
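As an added example that is not part of the Directory Server documentation, the following POSIX shell helpers assemble ldapmodify option lists according to Tables 6-12 and 6-13 and reject the combinations those tables warn about (-N together with -D or -w, and the cleartext fallback of -ZZ unless explicitly requested). The certificate nickname, database path, password, host name and LDIF file name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Directory Server documentation: builds ldapmodify
# option lists that follow Tables 6-12 and 6-13 and refuses the combinations that
# would silently downgrade authentication or transport. Nicknames, paths,
# passwords and host names used with it are constructed placeholders.

# cert_auth_args NICKNAME CERTDB_PATH CERTDB_PASSWORD [other ldapmodify args...]
# Prints one argument per line. -N requires -Z and -W, so both are always
# emitted, and -P locates the client certificate database. If -D or -w is also
# present the bind uses those simple credentials instead of the certificate, so
# the function reports the conflict and returns 1.
cert_auth_args() {
    nick=$1; certdb=$2; certdb_pw=$3; shift 3
    for a in "$@"; do
        case "$a" in
            -D|-w) echo "cert_auth_args: -N must not be combined with $a" >&2; return 1 ;;
        esac
    done
    printf '%s\n' -Z -P "$certdb" -W "$certdb_pw" -N "$nick" "$@"
}

# starttls_flag [strict|best-effort]
# -ZZZ aborts when the server cannot complete Start TLS; -ZZ continues in
# cleartext. Strict is the default so a disabled Start TLS or a bad certificate
# is a visible failure rather than a silent cleartext modify.
starttls_flag() {
    case "${1:-strict}" in
        strict)      printf '%s\n' -ZZZ ;;
        best-effort) printf '%s\n' -ZZ ;;
        *) echo "starttls_flag: unknown mode $1" >&2; return 1 ;;
    esac
}

# sasl_args MECH AUTHID [REALM]
# Emits the repeated -o saslOption=value pairs of Table 6-13; the Kerberos
# realm is only added when one is given.
sasl_args() {
    mech=$1; authid=$2; realm=$3
    printf '%s\n' -o "mech=$mech" -o "authid=$authid"
    [ -n "$realm" ] && printf '%s\n' -o "realm=$realm"
    return 0
}

# Demo: print a complete command line (not executed) for a certificate-based
# modify over SSL using constructed values.
if [ "${1:-}" = "demo" ]; then
    args=$(cert_auth_args Client-Cert /security/cert.db certdbpass -f change.ldif | tr '\n' ' ')
    echo "ldapmodify -h ldap.example.com -p 636 $args"
fi
```

Run with the argument `demo` to see the assembled command line; in a script, expand the helpers' output directly into the ldapmodify invocation.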
