Ldappasswd Sasl options | HP UX Identity Security Software guide

Table 6-20 General ldappasswd options (continued)

Option	Description
-K	Specifies the path, including the file name, of the private key database of the client. This can be the
	absolute or relative (to the server root) path.
	The -Koption must be used when the key database is not called key3.db or when the key database
	is not in the same directory as the certificate database (that is, the cert8.db file, the path for which
	is specified with the -Poption).
-N	Specifies the certificate name to use for certificate-based client authentication. For example:
	-N Server-Cert
	If this option is specified, then the -Zand -Woptions are required.
	If this option is specified, then the -Dand -woptions must not be specified, or certificate-based
	authentication will not occur, and the bind operation will use the authentication credentials specified
	by -Dand -w.
-P	Specifies the absolute path, including the file name, of the certificate database of the client. This
	option is used only with the -Zoption.
	When used on a machine where an SSL-enabled web browser is configured, the path specified on
	this option can be that of the certificate database for the browser. For example:
	-P /security/cert.db
	The client security files can also be stored on the Directory Server in the
	/etc/opt/dirsrv/slapd-instance_namedirectory. In this case, the -Poption would call out
	a path and file name similar to the following:
	-P /etc/opt/dirsrv/slapd-instance_name/client-cert.db
-p	Specifies the port number that the server uses. The default is 389. If -Zis used, the default is 636.
-Q	Specifies the token and certificate name, which is separated by a semicolon (:) for PKCS11.
-W	Specifies the password for the certificate database identified on the -Poption. For example:
	-W serverpassword
-w	Specifies the password associated with the distinguished name that is specified in the -Doption.
	For example:
	-w diner892
	The default is "", or anonymous.
	If a password is not sent on the command line and the server requires one, the command prompts
	for one. It is more secure not to provide a password on the command-line so that it does not show
	up in clear text in a listing of commands.
-Z	Specifies that SSL is to be used for the search request.
-ZZ	Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If
	the server does not support Start TLS, the command does not need to be aborted; it will continue
	in cleartext.
-ZZZ	Enforces the Start TLS request. The server must respond that the request was successful. If the server
	does not support Start TLS, such as Start TLS is not enabled or the certificate information is incorrect,
	the command is aborted immediately.

6.7.4 ldappasswd SASL options

SASL mechanisms can be used to authenticate a user, using the -othe required SASL information.

To learn which SASL mechanisms are supported, search the root DSE. See the -boption in Table 6-3“Commonly-used ldapsearch options”.

6.7 ldappasswd 209

Image 209

HP UX Identity Security Software manual Ldappasswd Sasl options, General ldappasswd options

Contents

HP-UX Directory Server Version Page Table of Contents Table of Contents Table of Contents 3.4 3.3Nsssl3ciphers Nsslapd-state Nsslapd-backend 113 Schema reload plug-in Password Storage SchemesNsslapd-pluginEnabled Nsslapd-idl-switch Cn=ldbm database, cn=plugins, cn=config Cn=userRoot, cn=ldbm database, cn=plugins, cn=configNsMaxResponseDelay NsMaxTestResponseDelay 173 169 189 239 Finding and executing command-line scripts 215215 257 243247 Page Using Directory Server command-line utilities Directory Server configurationDirectory Server configuration Directory Server instance file reference Introduction Using Directory Server command-line scripts Ldif and schema configuration files Overview of the Directory Server configuration Directory Server Ldif configuration files Configuration attributes How the server configuration is organizedConfiguration of plug-in functionality Directory Server Ldif configuration files Access control for configuration entries Accessing and modifying server configurationConfiguration of databases Configuration of indexes Where Changing configuration attributesModifying configuration entries using Ldap Configuration changes requiring server restart Core server configuration attributes reference Nsslapd-accesslog Access log 1 cn=config Nsslapd-accesslog-list List of access log files Nsslapd-accesslog-level Access log levelNsslapd-accesslog-logbuffering Log buffering Attribute values for enabling or disabling access logging Default Value Syntax Directory String Example Nsslapd-accesslog-logging-enabled Access log enable loggingValid Values Valid Range SyntaxDirectoryString Example EntryDN Cn=config Valid RangeDisk space allowed to the access log is unlimited in size Syntax DirectoryString Example Nsslapd-accesslog-maxlogsize Access log maximum log size Nsslapd-accesslog-logrotationtime Access log rotation time SyntaxInteger Example Nsslapd-accesslog-mode Access log file permission Default Value Off Syntax DirectoryString Example ValidRange Through Default Value 600 Syntax Integer ExampleNsslapd-attribute-name-exceptions Nsslapd-auditlog Audit log Attribute values for enabling or disabling audit logging Nsslapd-auditlog-listProvides a list of audit log files EntryDN Entry DN Cn=config Valid Values Nsslapd-auditlog-logging-enabled Audit log enable loggingTurns audit logging on and off Disk space allowed to the audit log is unlimited in size Syntax Integer Example Nsslapd-auditlog-logrotationsynchour Valid Range Through Default Value Time between audit log file rotation is unlimited Nsslapd-auditlog-logrotationtime Audit log rotation timeSyntax Integer Example Nsslapd-auditlog-logrotationsyncmin None Read only Execute only Nsslapd-auditlog-maxlogsize Audit log maximum log sizeNsslapd-auditlog-mode Audit log file permission Nsslapd-certdir Certificate and key database directory Write access to the server user IDNsslapd-certmap-basedn Certificate map search base Write only Read and write Write and execute This read-only attribute is the config DN Nsslapd-configNsslapd-conntablesize Nsslapd-counters Default Value Syntax DirectoryString Example Nsslapd-ds4-compatible-schemaDefault Value Off Core server configuration reference Nsslapd-csnlogging Attribute values for enabling or disabling error logging Nsslapd-errorlog Error logNsslapd-errorlog-level Error log level This read-only attribute provides a list of error log files Nsslapd-errorlog-list Turns error logging on and off Nsslapd-errorlog-logging-enabled Enable error logging Disk space allowed to the error log is unlimited in size Time between error log file rotation is unlimited Nsslapd-errorlog-logrotationtime Error log rotation time Nsslapd-errorlog-maxlogsize Maximum error log size Nsslapd-groupevalnestlevel Nsslapd-errorlog-mode Error log file permissionNsslapd-idletimeout Default idle timeout Default Value Syntax Integer Example Nsslapd-idletimeout Nsslapd-ioblocktimeout IO block time outNsslapd-instancedir Instance directory Nsslapd-lastmod Track modification time Nsslapd-listenhost Listen to IP address Nsslapd-ldapilisten Enable Ldapi socketNsslapd-ldapifilepath Ldapi socket file path Nsslapd-localhost Local host Default Value SyntaxDirectoryString ExampleNsslapd-localuser Local user Nsslapd-lockdir Server lock file directory Nsslapd-maxdescriptors Maximum file descriptors Nsslapd-maxbersize Maximum message size Nsslapd-maxsasliosize Maximum Sasl packet size This attribute value is specified in bytes Nsslapd-maxthreadsperconn Maximum threads per connectionNsslapd-nagle Default Value Core server configuration reference Nsslapd-outbound-ldap-io-timeoutNsslapd-plugin Nsslapd-port Port number But the request is for this entry Nsslapd-readonly Read onlyNsslapd-referral Referral Nsslapd-reservedescriptors Reserved file descriptors Nsslapd-referralmode Referral mode Nsslapd-rewrite-rfc1274 Nsslapd-return-exact-case Return exact case Nsslapd-rootdn Manager DN Nsslapd-rootpw Root passwordDefault Value Syntax Nsslapd-saslpath Nsslapd-rootpwstoragescheme Root password storage scheme Nsslapd-schemadir Nsslapd-schemacheck Schema checking Nsslapd-securePort Encrypted port number Nsslapd-schemareplaceNsslapd-securelistenhost Nsslapd-sizelimit Size limit Nsslapd-security Security Nsslapd-timelimit Time limit Default Value Syntax Integer Example Nsslapd-threadnumberNsslapd-threadnumber Thread number Indicates whether users may change their passwords PasswordChange Password changeNsslapd-tmpdir Nsslapd-versionstring PasswordExp Password expiration PasswordCheckSyntax Check password syntax PasswordHistory Password history PasswordGraceLimit Password expirationPasswordInHistory Number of passwords to remember Default Value Syntax Integer Example PasswordGraceLimit PasswordLockoutDuration Lockout duration PasswordIsGlobalPolicy Password policy and replicationPasswordLockout Account lockout PasswordMaxFailure Maximum password failures PasswordMaxAge Password maximum agePasswordMaxRepeats Password syntax Default Value Syntax Integer Example PasswordMaxFailure Default Value Syntax Integer Example PasswordMinAge PasswordMin8Bit Password syntaxPasswordMinAge Password minimum age PasswordMinCategories Password syntax PasswordMinAlphas Password syntaxPasswordMinDigits Password syntax PasswordMinLength Password minimum length PasswordMinTokenLength Password syntax PasswordMinLowers Password syntaxPasswordMinSpecials Password syntax PasswordStorageScheme Password storage scheme PasswordMinUppers Password syntaxPasswordMustChange Password must change PasswordWarning Send warning PasswordUnlock Unlock account Nsslapd-changelogdir 2 cn=changelog5,cn=config Nssslsessiontimeout 3 cn=encryption,cn=configNsslapd-changelogmaxage Max changelog age Nsslapd-changelogmaxentries Max changelog records Default Value Off Syntax DirectoryString Example Nsssl2 off Means disallow certificate-based authenticationNssslclientauth NsSSL2 5 cn=mapping tree,cn=config 4 cn=features,cn=configSuffix configuration attributes under cn=suffixName Nsssl3ciphers Nsslapd-backend Nsslapd-stateDetermines how the suffix handles operations To requests made by client applications NsDS5ReplicaChangeCount NsDS5FlagsNsDS5ReplicaBindDN NsDS5ReplicaId NsDS5ReplicaPurgeDelayNsDS5ReplicaLegacyConsumer NsDS5ReplicaName NsDS5ReplicaTombstonePurgeInterval NsDS5ReplicaReferralNsDS5ReplicaRoot NsState NsDS5ReplicaTypeNsDS5ReplicaReapActive Description NsDS5ReplConflict8.1 cn NsDS5ReplicaBusyWaitTime NsDS5ReplicaBindMethod NsDS5ReplicaChangesSentSinceStartup SchemaNsDS5ReplicaCredentials NsDS5ReplicaHost NsDS5ReplicaLastInitStart NsDS5ReplicaLastInitEndNsDS5ReplicaLastInitStatus Time NsDS5ReplicaLastUpdateStart NsDS5ReplicaLastUpdateEndNsDS5ReplicaLastUpdateStatus NsDS5ReplicaPort NsDS5ReplicaPriority Default Value SyntaxInteger ExamplensDS5ReplicaPort389 NsDS5ReplicaSessionPauseTime NsDS5BeginReplicaRefresh NsDS5ReplicatedAttributeList NsDS5ReplicaTimeoutValid Range Default Value SyntaxDirectoryString Example NsDS5ReplicaTransportInfo NsDS5ReplicaUpdateInProgressNsDS5ReplicaUpdateSchedule Sunday NsDS5ReplicaLastUpdateEndNsDS50ruv Nsds7NewWinUserSyncEnabled Nsds7NewWinGroupSyncEnabledNsds7DirectoryReplicaSubtree Nsds7DirsyncCookie Nsds7WindowsDomain 10 cn=monitorNsds7WindowsReplicaSubtree WinSyncInterval Connection table For exampleGreenwich Mean Time This is the number of completed operations Nssnmpenabled 12 cn=SNMP,cn=configThis attribute sets whether Snmp is enabled 11 cn=replication Nssnmplocation NssnmporganizationNssnmpcontact Nssnmpdescription Nssnmpmasterhost Snmp statistic attributesNssnmpmasterport Snmp statistic attributes Snmp statistic attributes 14 cn=tasks,cn=config Task invocation attributes for entries under cn=tasks Entry DN Default Value Syntax DirectoryString Example Ttl 14.2 cn=import,cn=tasks,cn=config NsFilename file1.ldif NsFilename file2.ldif Default Value Syntax Integer Example NsImportChunkSize 14.3 cn=export,cn=tasks,cn=config Valid Values Any DN Core server configuration reference Syntax Case-insensitive string Example NsUseOneFile true Default Value Syntax DN, multi-valued ExampleSyntax Case-insensitive string Example NsExportReplica true Syntax Case-insensitive string Example NsPrintKey false Syntax Case-insensitive string Example NsUseId2Entry true 14.4 cn=backup,cn=tasks,cn=configSyntax Case-insensitive string Example NsNoWrap false Syntax Case-insensitive string Example NsDumpUniqId true 14.5 cn=restore,cn=tasks,cn=config Syntax Case-exact string Example 14.6 cn=index,cn=tasks,cn=config NsIndexAttribute attributeindex1,index2 14.7 cn=schema reload task,cn=tasks,cn=config 14.8 cn=memberof task,cn=tasks,cn=config 15 cn=uniqueid generator,cn=config 112 Server plug-in functionality reference Server plug-in functionality reference1 7-bit check plug-in Attribute uniqueness plug-in ACL plug-inACL preoperation plug-in Boolean syntax plug-in Binary syntax plug-in Description Syntax for handling DNs Configurable Options Plug-in Name Chaining Database DN of Configuration EntryCase exact string syntax plug-in Case ignore string syntax plug-in Country string syntax plug-in Class of service plug-inDistinguished name syntax plug-in Dependencies None Performance Related Generalized time syntax plug-in Distributed numeric assignment plug-inDetails of distributed numeric assignment plug-in Plug-in Name Internationalization plug-in Http client plug-in Ldbm database plug-in Jpeg syntax plug-inLegacy replication plug-in Information Further Information Details of MemberOf plug-in MemberOf plug-inMulti-master replication plug-in OID syntax plug-in Password Storage SchemesOctet string syntax plug-in Postal address string syntax plug-in Password storage plugins Referential integrity postoperation plug-in PTA plug-in Roles plug-in Retro Changelog plug-inBoth presence and equality Applications Space insensitive string syntax plug-in Schema reload plug-inDetails of schema reload plug-in URI syntax plug-in Telephone syntax plug-inViews plug-in Resource Locators Account policy plug-in List of attributes common to all plug-insNsslapd-pluginPath This attribute specifies the full path to the plug-in Nsslapd-pluginInitfunc Nsslapd-pluginEnabledNsslapd-pluginType Nsslapd-pluginId Nsslapd-pluginVersion Attributes allowed by certain plug-insNsslapd-pluginVendor Nsslapd-pluginDescription Nsslapd-plugin-depends-on-named Nsslapd-pluginLoadGlobalNsslapd-plugin-depends-on-type NsLookthroughLimit Database plug-in attributes Nsslapd-cache-autosize-split Nsslapd-cache-autosize Platforms Nsslapd-dbcachesizeNsslapd-db-checkpoint-interval Nsslapd-db-circular-logging Default Value Database plug-in attributesNsslapd-db-debug Nsslapd-db-durable-transactions Nsslapd-db-idl-divisor Nsslapd-db-home-directory Nsslapd-db-logdirectory Automatically adjusted to the minimum valueNsslapd-db-logbuf-size Nsslapd-db-logfile-size Valid Range Bytes to 64 kilobytes Default ValueNsslapd-db-page-size Nsslapd-db-private-import-mem Nsslapd-db-transaction-batch-val Nsslapd-db-spin-count Nsslapd-dbncache Nsslapd-db-trickle-percentageNsslapd-db-verbose Nsslapd-exclude-from-export Nsslapd-idl-switchNsslapd-directory Nsslapd-import-cache-autosize Nsslapd-idlistscanlimitNsslapd-import-cachesize Default Value 600 Database plug-in attributes No access for other usersNsslapd-mode Memory to importCache Nsslapd-serial-lock Nsslapd-search-bypass-filter-testNsslapd-search-use-vlv-index Nsslapd-cachememsize Nsslapd-cachesize Nsslapd-suffix Nsslapd-readonlyNsslapd-require-index Database plug-in attributes This attribute provides the name of the attribute to index 5.1 cnNsSystemIndex NsMatchingRule NsIndexType Indexed attribute representing a subentry NsSubStrBegin NsSubStrMiddle NsSubStrEnd Encrypted attributes under the cn=config node NsEncryptionAlgorithm Database link plug-in attributes chaining attributesNsActiveChainingComponents Database link plug-in attributes chaining attributes Nspossiblechainingcomponents NsMaxResponseDelayNsMaxTestResponseDelay NsBindConnectionsLimit NsTransmittedControlsNsAbandonedSearchCheckInterval Default Value Syntax Integer Example NsBindTimeoutNsBindRetryLimit NsCheckLocalACI NsConcurrentOperationsLimit NsConcurrentBindLimitNsConnectionLife NsOperationConnectionsLimit NsSizeLimit NsProxiedAuthorizationNsReferralOnScopedSearch NsBindMechanism NsTimeLimit Valid Values Empty NsFarmServerURLNsMultiplexorBindDN NsMultiplexorCredentials Encryption schemaNshoplimit NsUseStartTLS Nsslapd-changelogdir Retro changelog plug-in attributes Nsslapd-changelogmaxage Max changelog age Distributed numeric assignment plug-in attributesDnaFilter DnaMagicRegen DnaNextValue DnaMaxValueDnaNextRange Default Value Syntax Integer Example DnaNextValue DnaRangeRequestTimeoutDnaPrefix Bit systems DnaThreshold DnaScopeDnaSharedCfgDN DnaType MemberOf plug-in attributesMemberofattr Memberofgroupattr Account policy plug-in attributes Configuration files Backup filesOverview of Directory Server files Database files At setup for example, dc=example,dc=com Setup-ds-admin.plscript is runUsed internally by the database and should not be moved Deleted, or modified in any way Lock files Ldif filesLog files PID files Scripts Tools Access logging levels Access log reference Example 5-1 Example access log Default access logging contentConnection number File descriptor Slot number Error numberOperation number Method type Ldap request type Number of entriesElapsed time Ldap response type Unindexed search indicatorVLV-related entries Search scope Change sequence number Extended operation OIDAbandon message LDAPv3 extended operations supported by Directory Server Sasl multi-stage bind logging Access log content for additional access logging levelsMessage ID Options description Common connection codesConnection description Error log logging levels Error log referenceError log levels Common connection codes Error log levels Error log content Example 5-3 Error log excerpt Error log content for other log levels Into pending list Example 5-4 Replication error log entry Timestamp Pluginname message Timestamp function message Audit log reference Example 5-6 Config file processing log entryExample 5-7 Access control summary logging Ldap result codes Example 5-8 Audit log contentAudit log does not have any other log level to set Ldap result codes Ldap result codes Adminlimitexceeded LdapReferral Ldap Ldap Using special characters Finding and executing command-line utilitiesCommand-line utilities quick reference Commonly-used command-line utilities Ldapsearch syntax LdapsearchCommonly-used ldapsearch options Ldapsearch syntax Commonly-used ldapsearch options Ldapsearch SSL options Persistent search optionsCommonly-used ldapsearch options Persistent search options Additional SSL ldapsearch options Ldapsearch Sasl options Sasl options Description of CRAM-MD5 mechanism options Description of CRAM-MD5 mechanism options Do not permit mechanisms that allow anonymous accessDo not permit mechanisms susceptible to active attacks Require forward secrecy Maxbufsize Following UID. For example Description of DIGEST-MD5 Sasl mechanism optionsRequired Mech=DIGEST-MD5 Gives the Sasl Mechanism 10 Additional ldapsearch options Additional ldapsearch optionsDescription of Gssapi Sasl mechanism options 10 Additional ldapsearch options Ldapmodify syntax LdapmodifyCommonly-used ldapmodify options 11 Commonly-used ldapmodify options 12 ldapmodify SSL options Ldapmodify SSL options11 Commonly-used ldapmodify options 13 Sasl options Ldapmodify Sasl options12 ldapmodify SSL options 14 Additional ldapmodify options LdapdeleteAdditional ldapmodify options Commonly-used ldapdelete options Ldapdelete syntaxLdapdelete SSL options 15 Commonly-used ldapdelete options 17 Sasl options Ldapdelete Sasl options16 ldapdelete SSL options Additional ldapdelete options LdappasswdLdappasswd syntax 18 Additional ldapdelete options General ldappasswd options Ldappasswd-specific options19 ldappasswd-specific options 20 General ldappasswd options 20 General ldappasswd options Ldappasswd Sasl options Six values Ldappasswd examples21 Sasl options Example 6-3 User changing his own password Example 6-2 Directory Manager generating a users passwordLdif Ldif Dbscan Ldif command has the following formatLdif syntax Ldif options Dbscan examples Dbscan options23 Common options 24 Entry file options Example 6-13 Displaying the changelog file contents Example 6-8 Displaying VLV index file contentsExample 6-14 Dumping the index file uid.db4 with raw mode Example 6-7 Dumping the entry file Command-line scripts quick reference Finding and executing command-line scriptsSaveconfig Shell scripts in /opt/dirsrv/slapd-instancename Perl scripts in /opt/dirsrv/slapd-instancename Shell scriptsScripts in /opt/dirsrv/bin This section covers the following scripts Cl-dump Dumps and decodes the changelog 1 bak2db Restores a database from backupSyntax Bak2db options Cl-dump options Dbverify Checks for corrupt databasesOptions Dbverify options 5 db2ldif Exports database contents to Ldif 4 db2bak Creates a backup of a database Ldif2db Import 6 db2index Reindexes database index filesReindex cn and givenname in the database instance userRoot Db2index options Ldif2ldap Performs import operation over Ldap Pwdhash Prints encrypted passwordsLdif2db options 10 ldif2ldap options Repl-monitor Monitors replication status Monitor Retrieves monitoring information11 pwdhash options Syntax monitor Hostportbinddnbindpwdbindcert Restart-slapd Restarts the Directory Server Restoreconfig Restores Administration Server configurationSaveconfig Saves Administration Server configuration Stop-slapd Stops the Directory Server Start-slapd Starts the Directory ServerSuffix2instance Maps a suffix to a backend name Vlvindex Creates virtual list view indexes Restores a database from a backup 1 bak2db.pl Restores a database from backupPerl scripts Options Either the -nor the -soption must be specified 19 cl-dump.pl command options 3 db2bak.pl Creates a backup of a databaseCreates a backup of the database Cl-dump.pl Dumps and decodes the changelog 4 db2index.pl Creates and generates indexes 5 db2ldif.pl Exports database contents to Ldif 22 db2ldif.pl options Fixup-memberof.pl Regenerate memberOf attributes 24 ldif2db.pl options Ldif2db.pl Import23 fixup-memberof.pl options 24 ldif2db.pl options 25 Information extracted from access logsLogconv.pl Log converter 26 logconv.pl options 28 ns-accountstatus.pl options Ns-accountstatus.pl Establishes account status27 logconv.pl options to display occurrences Ns-inactivate.pl Inactivates an entry or group of entries Ns-activate.pl Activates an entry or group of entriesActivates an entry or group of entries 29 ns-activate.pl options 31 ns-newpwdpolicy.pl options Repl-monitor.pl Monitors replication statusShows in-progress status of replication 32 repl-monitor.pl options Where 33 schema-reload.pl options Schema-reload.pl Reload schema files dynamicallySchemadirectory script uses the default schema directory Verify-db.pl Check for corrupt databases Usage information Command, then it uses the default database directory34 verify-db.pl option Contacting HP How to contact HP technical supportInformation to collect before contacting HP HP authorized resellers Support and other resources Related informationHP-UX Directory Server documentation set Typographic conventions Troubleshooting resourcesHP-UX documentation set This document uses the following typographical conventions TIP Exports the contents of the database to Ldif Finding and executing the ns-slapd command-line utilitiesOverview of ns-slapd Utilities for exporting databases db2ldif Table A-1 db2ldif options Utilities for restoring and backing up databases ldif2dbImports Ldif files to the database Table A-2 ldif2db options Utilities for creating and regenerating indexes db2index Utilities for restoring and backing up databases archive2dbUtilities for restoring and backing up databases db2archive Table A-5 db2index options 247 Glossary Glossary Bind rule 249 CoS definition GSS-API 251 Ldap NIS 253 Proxy Sasl 255 Superuser 256 257 SymbolsStatistics for monitoring and optimizing directory Read-only monitoring configuration entries Suffix and replication configuration entries 259 Index 261 Database link plug-in configuration attributes Distributed numeric assignment plug-in configuration 263 Ldap NsDS5ReplicaChangesSentSinceStartup attribute 265 Page 267 Index 269 Index 271