Manuals / HP / Computer Equipment / Software

HP UX Identity Security Software manual Ldappasswd Sasl options, General ldappasswd options

Models: UX Identity Security Software

1 272

Download 272 pages 6.51 Kb

Page 209

Table 6-20 General ldappasswd options (continued)

Option	Description
-K	Specifies the path, including the file name, of the private key database of the client. This can be the
	absolute or relative (to the server root) path.
	The -Koption must be used when the key database is not called key3.db or when the key database
	is not in the same directory as the certificate database (that is, the cert8.db file, the path for which
	is specified with the -Poption).
-N	Specifies the certificate name to use for certificate-based client authentication. For example:
	-N Server-Cert
	If this option is specified, then the -Zand -Woptions are required.
	If this option is specified, then the -Dand -woptions must not be specified, or certificate-based
	authentication will not occur, and the bind operation will use the authentication credentials specified
	by -Dand -w.
-P	Specifies the absolute path, including the file name, of the certificate database of the client. This
	option is used only with the -Zoption.
	When used on a machine where an SSL-enabled web browser is configured, the path specified on
	this option can be that of the certificate database for the browser. For example:
	-P /security/cert.db
	The client security files can also be stored on the Directory Server in the
	/etc/opt/dirsrv/slapd-instance_namedirectory. In this case, the -Poption would call out
	a path and file name similar to the following:
	-P /etc/opt/dirsrv/slapd-instance_name/client-cert.db
-p	Specifies the port number that the server uses. The default is 389. If -Zis used, the default is 636.
-Q	Specifies the token and certificate name, which is separated by a semicolon (:) for PKCS11.
-W	Specifies the password for the certificate database identified on the -Poption. For example:
	-W serverpassword
-w	Specifies the password associated with the distinguished name that is specified in the -Doption.
	For example:
	-w diner892
	The default is "", or anonymous.
	If a password is not sent on the command line and the server requires one, the command prompts
	for one. It is more secure not to provide a password on the command-line so that it does not show
	up in clear text in a listing of commands.
-Z	Specifies that SSL is to be used for the search request.
-ZZ	Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If
	the server does not support Start TLS, the command does not need to be aborted; it will continue
	in cleartext.
-ZZZ	Enforces the Start TLS request. The server must respond that the request was successful. If the server
	does not support Start TLS, such as Start TLS is not enabled or the certificate information is incorrect,
	the command is aborted immediately.

6.7.4 ldappasswd SASL options

SASL mechanisms can be used to authenticate a user, using the -othe required SASL information.

To learn which SASL mechanisms are supported, search the root DSE. See the -boption in Table 6-3“Commonly-used ldapsearch options”.

6.7 ldappasswd 209

Image 209

HP UX Identity Security Software manual Ldappasswd Sasl options, General ldappasswd options

Contents

HP-UX Directory Server Version Page Table of Contents Table of Contents Table of Contents 3.4 3.3Nsssl3ciphers Nsslapd-state Nsslapd-backend113 Schema reload plug-in Password Storage SchemesNsslapd-pluginEnabled Nsslapd-idl-switchCn=ldbm database, cn=plugins, cn=config Cn=userRoot, cn=ldbm database, cn=plugins, cn=configNsMaxResponseDelay NsMaxTestResponseDelay173 169189 239 Finding and executing command-line scripts 215215 257 243247 Page Using Directory Server command-line utilities Directory Server configurationDirectory Server configuration Directory Server instance file referenceIntroduction Using Directory Server command-line scriptsLdif and schema configuration files Overview of the Directory Server configurationDirectory Server Ldif configuration files Configuration attributes How the server configuration is organizedConfiguration of plug-in functionality Directory Server Ldif configuration filesAccess control for configuration entries Accessing and modifying server configurationConfiguration of databases Configuration of indexesWhere Changing configuration attributesModifying configuration entries using Ldap Configuration changes requiring server restart Core server configuration attributes referenceNsslapd-accesslog Access log 1 cn=configNsslapd-accesslog-list List of access log files Nsslapd-accesslog-level Access log levelNsslapd-accesslog-logbuffering Log buffering Attribute values for enabling or disabling access loggingDefault Value Syntax Directory String Example Nsslapd-accesslog-logging-enabled Access log enable loggingValid Values Valid RangeSyntaxDirectoryString Example EntryDN Cn=config Valid RangeDisk space allowed to the access log is unlimited in size Syntax DirectoryString Example Nsslapd-accesslog-maxlogsize Access log maximum log size Nsslapd-accesslog-logrotationtime Access log rotation timeSyntaxInteger Example Nsslapd-accesslog-mode Access log file permissionDefault Value Off Syntax DirectoryString Example ValidRange Through Default Value 600 Syntax Integer ExampleNsslapd-attribute-name-exceptions Nsslapd-auditlog Audit logAttribute values for enabling or disabling audit logging Nsslapd-auditlog-listProvides a list of audit log files EntryDNEntry DN Cn=config Valid Values Nsslapd-auditlog-logging-enabled Audit log enable loggingTurns audit logging on and off Disk space allowed to the audit log is unlimited in sizeSyntax Integer Example Nsslapd-auditlog-logrotationsynchour Valid Range Through Default ValueTime between audit log file rotation is unlimited Nsslapd-auditlog-logrotationtime Audit log rotation timeSyntax Integer Example Nsslapd-auditlog-logrotationsyncmin None Read only Execute only Nsslapd-auditlog-maxlogsize Audit log maximum log sizeNsslapd-auditlog-mode Audit log file permission Nsslapd-certdir Certificate and key database directory Write access to the server user IDNsslapd-certmap-basedn Certificate map search base Write only Read and write Write and executeThis read-only attribute is the config DN Nsslapd-configNsslapd-conntablesize Nsslapd-countersDefault Value Syntax DirectoryString Example Nsslapd-ds4-compatible-schemaDefault Value Off Core server configuration reference Nsslapd-csnloggingAttribute values for enabling or disabling error logging Nsslapd-errorlog Error logNsslapd-errorlog-level Error log level This read-only attribute provides a list of error log files Nsslapd-errorlog-listTurns error logging on and off Nsslapd-errorlog-logging-enabled Enable error loggingDisk space allowed to the error log is unlimited in size Time between error log file rotation is unlimited Nsslapd-errorlog-logrotationtime Error log rotation timeNsslapd-errorlog-maxlogsize Maximum error log size Nsslapd-groupevalnestlevel Nsslapd-errorlog-mode Error log file permissionNsslapd-idletimeout Default idle timeout Default Value Syntax Integer Example Nsslapd-idletimeout Nsslapd-ioblocktimeout IO block time outNsslapd-instancedir Instance directory Nsslapd-lastmod Track modification timeNsslapd-listenhost Listen to IP address Nsslapd-ldapilisten Enable Ldapi socketNsslapd-ldapifilepath Ldapi socket file path Nsslapd-localhost Local host Default Value SyntaxDirectoryString ExampleNsslapd-localuser Local user Nsslapd-lockdir Server lock file directoryNsslapd-maxdescriptors Maximum file descriptors Nsslapd-maxbersize Maximum message sizeNsslapd-maxsasliosize Maximum Sasl packet size This attribute value is specified in bytes Nsslapd-maxthreadsperconn Maximum threads per connectionNsslapd-nagle Default Value Core server configuration reference Nsslapd-outbound-ldap-io-timeoutNsslapd-plugin Nsslapd-port Port numberBut the request is for this entry Nsslapd-readonly Read onlyNsslapd-referral Referral Nsslapd-reservedescriptors Reserved file descriptors Nsslapd-referralmode Referral modeNsslapd-rewrite-rfc1274 Nsslapd-return-exact-case Return exact caseNsslapd-rootdn Manager DN Nsslapd-rootpw Root passwordDefault Value Syntax Nsslapd-saslpath Nsslapd-rootpwstoragescheme Root password storage schemeNsslapd-schemadir Nsslapd-schemacheck Schema checkingNsslapd-securePort Encrypted port number Nsslapd-schemareplaceNsslapd-securelistenhost Nsslapd-sizelimit Size limit Nsslapd-security SecurityNsslapd-timelimit Time limit Default Value Syntax Integer Example Nsslapd-threadnumberNsslapd-threadnumber Thread number Indicates whether users may change their passwords PasswordChange Password changeNsslapd-tmpdir Nsslapd-versionstringPasswordExp Password expiration PasswordCheckSyntax Check password syntaxPasswordHistory Password history PasswordGraceLimit Password expirationPasswordInHistory Number of passwords to remember Default Value Syntax Integer Example PasswordGraceLimitPasswordLockoutDuration Lockout duration PasswordIsGlobalPolicy Password policy and replicationPasswordLockout Account lockout PasswordMaxFailure Maximum password failures PasswordMaxAge Password maximum agePasswordMaxRepeats Password syntax Default Value Syntax Integer Example PasswordMaxFailureDefault Value Syntax Integer Example PasswordMinAge PasswordMin8Bit Password syntaxPasswordMinAge Password minimum age PasswordMinCategories Password syntax PasswordMinAlphas Password syntaxPasswordMinDigits Password syntax PasswordMinLength Password minimum lengthPasswordMinTokenLength Password syntax PasswordMinLowers Password syntaxPasswordMinSpecials Password syntax PasswordStorageScheme Password storage scheme PasswordMinUppers Password syntaxPasswordMustChange Password must change PasswordWarning Send warning PasswordUnlock Unlock accountNsslapd-changelogdir 2 cn=changelog5,cn=configNssslsessiontimeout 3 cn=encryption,cn=configNsslapd-changelogmaxage Max changelog age Nsslapd-changelogmaxentries Max changelog recordsDefault Value Off Syntax DirectoryString Example Nsssl2 off Means disallow certificate-based authenticationNssslclientauth NsSSL25 cn=mapping tree,cn=config 4 cn=features,cn=configSuffix configuration attributes under cn=suffixName Nsssl3ciphersNsslapd-backend Nsslapd-stateDetermines how the suffix handles operations To requests made by client applicationsNsDS5ReplicaChangeCount NsDS5FlagsNsDS5ReplicaBindDN NsDS5ReplicaId NsDS5ReplicaPurgeDelayNsDS5ReplicaLegacyConsumer NsDS5ReplicaNameNsDS5ReplicaTombstonePurgeInterval NsDS5ReplicaReferralNsDS5ReplicaRoot NsState NsDS5ReplicaTypeNsDS5ReplicaReapActive Description NsDS5ReplConflict8.1 cn NsDS5ReplicaBusyWaitTime NsDS5ReplicaBindMethodNsDS5ReplicaChangesSentSinceStartup SchemaNsDS5ReplicaCredentials NsDS5ReplicaHostNsDS5ReplicaLastInitStart NsDS5ReplicaLastInitEndNsDS5ReplicaLastInitStatus TimeNsDS5ReplicaLastUpdateStart NsDS5ReplicaLastUpdateEndNsDS5ReplicaLastUpdateStatus NsDS5ReplicaPortNsDS5ReplicaPriority Default Value SyntaxInteger ExamplensDS5ReplicaPort389NsDS5ReplicaSessionPauseTime NsDS5BeginReplicaRefreshNsDS5ReplicatedAttributeList NsDS5ReplicaTimeoutValid Range Default Value SyntaxDirectoryString Example NsDS5ReplicaTransportInfo NsDS5ReplicaUpdateInProgressNsDS5ReplicaUpdateSchedule Sunday NsDS5ReplicaLastUpdateEndNsDS50ruv Nsds7NewWinUserSyncEnabled Nsds7NewWinGroupSyncEnabledNsds7DirectoryReplicaSubtree Nsds7DirsyncCookieNsds7WindowsDomain 10 cn=monitorNsds7WindowsReplicaSubtree WinSyncIntervalConnection table For exampleGreenwich Mean Time This is the number of completed operationsNssnmpenabled 12 cn=SNMP,cn=configThis attribute sets whether Snmp is enabled 11 cn=replicationNssnmplocation NssnmporganizationNssnmpcontact NssnmpdescriptionNssnmpmasterhost Snmp statistic attributesNssnmpmasterport Snmp statistic attributesSnmp statistic attributes 14 cn=tasks,cn=configTask invocation attributes for entries under cn=tasks Entry DN Default Value Syntax DirectoryString Example Ttl 14.2 cn=import,cn=tasks,cn=configNsFilename file1.ldif NsFilename file2.ldif Default Value Syntax Integer Example NsImportChunkSize 14.3 cn=export,cn=tasks,cn=config Valid Values Any DN Core server configuration reference Syntax Case-insensitive string Example NsUseOneFile true Default Value Syntax DN, multi-valued ExampleSyntax Case-insensitive string Example NsExportReplica true Syntax Case-insensitive string Example NsPrintKey falseSyntax Case-insensitive string Example NsUseId2Entry true 14.4 cn=backup,cn=tasks,cn=configSyntax Case-insensitive string Example NsNoWrap false Syntax Case-insensitive string Example NsDumpUniqId true14.5 cn=restore,cn=tasks,cn=config Syntax Case-exact string Example 14.6 cn=index,cn=tasks,cn=configNsIndexAttribute attributeindex1,index2 14.7 cn=schema reload task,cn=tasks,cn=config14.8 cn=memberof task,cn=tasks,cn=config 15 cn=uniqueid generator,cn=config 112 Server plug-in functionality reference Server plug-in functionality reference1 7-bit check plug-in Attribute uniqueness plug-in ACL plug-inACL preoperation plug-in Boolean syntax plug-in Binary syntax plug-inDescription Syntax for handling DNs Configurable Options Plug-in Name Chaining Database DN of Configuration EntryCase exact string syntax plug-in Case ignore string syntax plug-inCountry string syntax plug-in Class of service plug-inDistinguished name syntax plug-in Dependencies None Performance RelatedGeneralized time syntax plug-in Distributed numeric assignment plug-inDetails of distributed numeric assignment plug-in Plug-in NameInternationalization plug-in Http client plug-inLdbm database plug-in Jpeg syntax plug-inLegacy replication plug-in Information Further InformationDetails of MemberOf plug-in MemberOf plug-inMulti-master replication plug-in OID syntax plug-in Password Storage SchemesOctet string syntax plug-in Postal address string syntax plug-in Password storage pluginsReferential integrity postoperation plug-in PTA plug-inRoles plug-in Retro Changelog plug-inBoth presence and equality ApplicationsSpace insensitive string syntax plug-in Schema reload plug-inDetails of schema reload plug-in URI syntax plug-in Telephone syntax plug-inViews plug-in Resource LocatorsAccount policy plug-in List of attributes common to all plug-insNsslapd-pluginPath This attribute specifies the full path to the plug-inNsslapd-pluginInitfunc Nsslapd-pluginEnabledNsslapd-pluginType Nsslapd-pluginIdNsslapd-pluginVersion Attributes allowed by certain plug-insNsslapd-pluginVendor Nsslapd-pluginDescriptionNsslapd-plugin-depends-on-named Nsslapd-pluginLoadGlobalNsslapd-plugin-depends-on-type NsLookthroughLimit Database plug-in attributesNsslapd-cache-autosize-split Nsslapd-cache-autosizePlatforms Nsslapd-dbcachesizeNsslapd-db-checkpoint-interval Nsslapd-db-circular-logging Default Value Database plug-in attributesNsslapd-db-debug Nsslapd-db-durable-transactionsNsslapd-db-idl-divisor Nsslapd-db-home-directoryNsslapd-db-logdirectory Automatically adjusted to the minimum valueNsslapd-db-logbuf-size Nsslapd-db-logfile-size Valid Range Bytes to 64 kilobytes Default ValueNsslapd-db-page-size Nsslapd-db-private-import-memNsslapd-db-transaction-batch-val Nsslapd-db-spin-countNsslapd-dbncache Nsslapd-db-trickle-percentageNsslapd-db-verbose Nsslapd-exclude-from-export Nsslapd-idl-switchNsslapd-directory Nsslapd-import-cache-autosize Nsslapd-idlistscanlimitNsslapd-import-cachesize Default Value 600 Database plug-in attributes No access for other usersNsslapd-mode Memory to importCacheNsslapd-serial-lock Nsslapd-search-bypass-filter-testNsslapd-search-use-vlv-index Nsslapd-cachememsize Nsslapd-cachesizeNsslapd-suffix Nsslapd-readonlyNsslapd-require-index Database plug-in attributes This attribute provides the name of the attribute to index 5.1 cnNsSystemIndex NsMatchingRule NsIndexTypeIndexed attribute representing a subentry NsSubStrBeginNsSubStrMiddle NsSubStrEndEncrypted attributes under the cn=config node NsEncryptionAlgorithm Database link plug-in attributes chaining attributesNsActiveChainingComponents Database link plug-in attributes chaining attributesNspossiblechainingcomponents NsMaxResponseDelayNsMaxTestResponseDelay NsBindConnectionsLimit NsTransmittedControlsNsAbandonedSearchCheckInterval Default Value Syntax Integer Example NsBindTimeoutNsBindRetryLimit NsCheckLocalACINsConcurrentOperationsLimit NsConcurrentBindLimitNsConnectionLife NsOperationConnectionsLimitNsSizeLimit NsProxiedAuthorizationNsReferralOnScopedSearch NsBindMechanism NsTimeLimitValid Values Empty NsFarmServerURLNsMultiplexorBindDN NsMultiplexorCredentials Encryption schemaNshoplimit NsUseStartTLSNsslapd-changelogdir Retro changelog plug-in attributesNsslapd-changelogmaxage Max changelog age Distributed numeric assignment plug-in attributesDnaFilter DnaMagicRegenDnaNextValue DnaMaxValueDnaNextRange Default Value Syntax Integer Example DnaNextValue DnaRangeRequestTimeoutDnaPrefix Bit systemsDnaThreshold DnaScopeDnaSharedCfgDN DnaType MemberOf plug-in attributesMemberofattr MemberofgroupattrAccount policy plug-in attributes Configuration files Backup filesOverview of Directory Server files Database filesAt setup for example, dc=example,dc=com Setup-ds-admin.plscript is runUsed internally by the database and should not be moved Deleted, or modified in any wayLock files Ldif filesLog files PID filesScripts ToolsAccess logging levels Access log referenceExample 5-1 Example access log Default access logging contentConnection number File descriptorSlot number Error numberOperation number Method typeLdap request type Number of entriesElapsed time Ldap response type Unindexed search indicatorVLV-related entries Search scopeChange sequence number Extended operation OIDAbandon message LDAPv3 extended operations supported by Directory ServerSasl multi-stage bind logging Access log content for additional access logging levelsMessage ID Options description Common connection codesConnection description Error log logging levels Error log referenceError log levels Common connection codesError log levels Error log contentExample 5-3 Error log excerpt Error log content for other log levelsInto pending list Example 5-4 Replication error log entryTimestamp Pluginname message Timestamp function message Audit log reference Example 5-6 Config file processing log entryExample 5-7 Access control summary logging Ldap result codes Example 5-8 Audit log contentAudit log does not have any other log level to set Ldap result codesLdap result codes Adminlimitexceeded LdapReferral Ldap LdapUsing special characters Finding and executing command-line utilitiesCommand-line utilities quick reference Commonly-used command-line utilitiesLdapsearch syntax LdapsearchCommonly-used ldapsearch options Ldapsearch syntaxCommonly-used ldapsearch options Ldapsearch SSL options Persistent search optionsCommonly-used ldapsearch options Persistent search optionsAdditional SSL ldapsearch options Ldapsearch Sasl optionsSasl options Description of CRAM-MD5 mechanism options Description of CRAM-MD5 mechanism options Do not permit mechanisms that allow anonymous accessDo not permit mechanisms susceptible to active attacks Require forward secrecyMaxbufsize Following UID. For example Description of DIGEST-MD5 Sasl mechanism optionsRequired Mech=DIGEST-MD5 Gives the Sasl Mechanism 10 Additional ldapsearch options Additional ldapsearch optionsDescription of Gssapi Sasl mechanism options 10 Additional ldapsearch options Ldapmodify syntax LdapmodifyCommonly-used ldapmodify options 11 Commonly-used ldapmodify options12 ldapmodify SSL options Ldapmodify SSL options11 Commonly-used ldapmodify options 13 Sasl options Ldapmodify Sasl options12 ldapmodify SSL options 14 Additional ldapmodify options LdapdeleteAdditional ldapmodify options Commonly-used ldapdelete options Ldapdelete syntaxLdapdelete SSL options 15 Commonly-used ldapdelete options17 Sasl options Ldapdelete Sasl options16 ldapdelete SSL options Additional ldapdelete options LdappasswdLdappasswd syntax 18 Additional ldapdelete optionsGeneral ldappasswd options Ldappasswd-specific options19 ldappasswd-specific options 20 General ldappasswd options20 General ldappasswd options Ldappasswd Sasl optionsSix values Ldappasswd examples21 Sasl options Example 6-3 User changing his own password Example 6-2 Directory Manager generating a users passwordLdif LdifDbscan Ldif command has the following formatLdif syntax Ldif optionsDbscan examples Dbscan options23 Common options 24 Entry file optionsExample 6-13 Displaying the changelog file contents Example 6-8 Displaying VLV index file contentsExample 6-14 Dumping the index file uid.db4 with raw mode Example 6-7 Dumping the entry fileCommand-line scripts quick reference Finding and executing command-line scriptsSaveconfig Shell scripts in /opt/dirsrv/slapd-instancenamePerl scripts in /opt/dirsrv/slapd-instancename Shell scriptsScripts in /opt/dirsrv/bin This section covers the following scriptsCl-dump Dumps and decodes the changelog 1 bak2db Restores a database from backupSyntax Bak2db optionsCl-dump options Dbverify Checks for corrupt databasesOptions Dbverify options5 db2ldif Exports database contents to Ldif 4 db2bak Creates a backup of a databaseLdif2db Import 6 db2index Reindexes database index filesReindex cn and givenname in the database instance userRoot Db2index optionsLdif2ldap Performs import operation over Ldap Pwdhash Prints encrypted passwordsLdif2db options 10 ldif2ldap optionsRepl-monitor Monitors replication status Monitor Retrieves monitoring information11 pwdhash options Syntax monitorHostportbinddnbindpwdbindcert Restart-slapd Restarts the Directory Server Restoreconfig Restores Administration Server configurationSaveconfig Saves Administration Server configuration Stop-slapd Stops the Directory Server Start-slapd Starts the Directory ServerSuffix2instance Maps a suffix to a backend name Vlvindex Creates virtual list view indexesRestores a database from a backup 1 bak2db.pl Restores a database from backupPerl scripts Options Either the -nor the -soption must be specified19 cl-dump.pl command options 3 db2bak.pl Creates a backup of a databaseCreates a backup of the database Cl-dump.pl Dumps and decodes the changelog4 db2index.pl Creates and generates indexes 5 db2ldif.pl Exports database contents to Ldif22 db2ldif.pl options Fixup-memberof.pl Regenerate memberOf attributes24 ldif2db.pl options Ldif2db.pl Import23 fixup-memberof.pl options 24 ldif2db.pl options 25 Information extracted from access logsLogconv.pl Log converter 26 logconv.pl options 28 ns-accountstatus.pl options Ns-accountstatus.pl Establishes account status27 logconv.pl options to display occurrences Ns-inactivate.pl Inactivates an entry or group of entries Ns-activate.pl Activates an entry or group of entriesActivates an entry or group of entries 29 ns-activate.pl options31 ns-newpwdpolicy.pl options Repl-monitor.pl Monitors replication statusShows in-progress status of replication 32 repl-monitor.pl optionsWhere 33 schema-reload.pl options Schema-reload.pl Reload schema files dynamicallySchemadirectory script uses the default schema directory Verify-db.pl Check for corrupt databasesUsage information Command, then it uses the default database directory34 verify-db.pl option Contacting HP How to contact HP technical supportInformation to collect before contacting HP HP authorized resellersSupport and other resources Related informationHP-UX Directory Server documentation set Typographic conventions Troubleshooting resourcesHP-UX documentation set This document uses the following typographical conventionsTIP Exports the contents of the database to Ldif Finding and executing the ns-slapd command-line utilitiesOverview of ns-slapd Utilities for exporting databases db2ldifTable A-1 db2ldif options Utilities for restoring and backing up databases ldif2dbImports Ldif files to the database Table A-2 ldif2db optionsUtilities for creating and regenerating indexes db2index Utilities for restoring and backing up databases archive2dbUtilities for restoring and backing up databases db2archive Table A-5 db2index options 247 GlossaryGlossary Bind rule249 CoS definitionGSS-API 251 LdapNIS 253 ProxySasl 255 Superuser256 257 SymbolsStatistics for monitoring and optimizing directory Read-only monitoring configuration entries Suffix and replication configuration entries259 Index 261 Database link plug-in configuration attributesDistributed numeric assignment plug-in configuration 263 LdapNsDS5ReplicaChangesSentSinceStartup attribute 265 Page 267 Index 269 Index 271