--id ID
|
Specifies the LDAP configuration record to modify by ID. |
--urls URI_LIST
|
Sets the URIs of the remote LDAP server's domain controllers (DCs) and their priority order.
Specify URI_LIST as a comma-separated list of URIs in the format <scheme>://<address>. The order of listing defines the priority order. The highest-priority DC that has a good health status is used.
Examples:
--urls ldap://company-ad.com
--urls ldap://company-ad.com,ldap://company-ad2.com
--urls ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2
|
--port PORT
|
Sets the port of the remote LDAP server. Typical value: 389. |
--binddn BINDDN
|
Sets the bind DN for authenticating to the LDAP server. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory.
The format is a comma-separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component is a cn attribute component specifying the user object, the next component is its container, and so on up the tree, with the last component representing the top-level domain.
The following attributes can be specified:
cn: common name
ou: organizational unit
o: organization
c: country
dc: domain
For example, cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.
|
--bindpw BINDPW
|
Sets the password used with the Bind DN to authenticate to the LDAP server.
This password must be set if method is set to simple.
|
--basedn BASE_DN
|
Specifies the entry in the LDAP directory tree to use as a starting point for user queries.
To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.
Specify BASE_DN as a comma-separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container, and so on up the tree, with the last component representing the top-level domain.
The following attributes can be specified:
cn: common name
ou: organizational unit
o: organization
c: country
dc: domain
For example, suppose your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. To set the users container as the starting point for search queries, enter: --basedn ou=users,dc=mydomain,dc=local
|
--group-searchbase GROUP_BASE_DN
|
(From VAST Cluster 3.0.1) Sets the entry in the LDAP directory tree to use as a starting point for group queries. See Base DN. |
--method simple|anonymous
|
The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. Set the method according to how the LDAP server is configured to authenticate clients. The following options are available:
anonymous. The LDAP server accepts queries without any authentication.
simple. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Also set Bind DN and Bind password.
|
--gid-number ATTRIBUTE_NAME
--uid ATTRIBUTE_NAME
--uid-number ATTRIBUTE_NAME
--uid-member ATTRIBUTE_NAME
--posix-account ATTRIBUTE_NAME
--posix-group ATTRIBUTE_NAME
|
(From VAST Cluster 1.2.4) If your LDAP server uses attributes that differ from the default RFC2307-compliant attribute set that is used to query the LDAP server, these options map those attributes to the attribute names used on the server you are connecting the cluster to. This is typically needed for Active Directory.
Example: uid=cn --posix-account user --posix-group group
|
--match-user ATTRIBUTE_NAME
|
Use this option to specify which attribute to use for matching users across providers during user refresh and user authentication. |
use-tls
|
(From VAST Cluster 2.2.0) Enables TLS to secure communication between VAST Cluster and the LDAP server.
Important
The VAST Cluster TLS client is configured with the TLS_REQCERT configuration parameter set to never, which means it does not request the server's TLS certificate and ignores any certificate received. As a result, the connection is encrypted but the identity of the LDAP server is not verified. On the TLS server, make sure that TLS_REQCERT is not set to demand, since VAST Cluster cannot connect to a server with TLS_REQCERT set to demand.
Verification of the server's TLS certificate will be added in a future release.
|
no-tls
|
(From VAST Cluster 2.2.0) Disables TLS secure communication between VAST Cluster and the LDAP server. |
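
A pre-flight check for the option values described above, as an added example that is not part of the VAST documentation or CLI. It validates the URI list and DN formats, enforces that method simple needs a bind DN and password, and flags the TLS caveats; the dict keys and function names are hypothetical, and DN parsing assumes no escaped commas.

```python
import re

ALLOWED_ATTRS = {"cn", "ou", "o", "c", "dc"}  # attributes the page lists for DNs
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^\s,/]+$", re.I)  # <scheme>://<address>

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs. Escaped commas are not handled."""
    pairs = []
    for comp in dn.split(","):
        attr, sep, value = comp.strip().partition("=")
        if not sep or not value or attr.lower() not in ALLOWED_ATTRS:
            raise ValueError(f"bad DN component {comp!r}")
        pairs.append((attr.lower(), value))
    return pairs

def check_ldap_options(opts):
    """Return findings for a dict of option values (dict keys are hypothetical)."""
    findings = []
    urls = opts.get("urls")
    for uri in (urls.split(",") if urls else []):
        if not URI_RE.match(uri.strip()):
            findings.append(f"error: URI {uri!r} is not <scheme>://<address>")
    dns = {}
    for key in ("binddn", "basedn", "group_searchbase"):
        if opts.get(key):
            try:
                dns[key] = parse_dn(opts[key])
            except ValueError as exc:
                findings.append(f"error: {key}: {exc}")
    if opts.get("method") == "simple":
        if not opts.get("bindpw"):
            findings.append("error: method simple requires bindpw")
        if "binddn" not in opts:
            findings.append("error: method simple requires binddn")
        elif "binddn" in dns and dns["binddn"][0][0] != "cn":
            findings.append("error: binddn must start with a cn component")
        if not opts.get("use_tls"):
            # General LDAP behaviour: a simple bind carries the password as-is.
            findings.append("warning: simple bind without TLS sends bindpw unencrypted")
    if opts.get("use_tls"):
        findings.append("warning: TLS_REQCERT is never, server certificate is not verified")
    return findings

# Constructed sample values, based on the examples in this reference.
GOOD = {"urls": "ldap://company-ad.com,ldap://company-ad2.com", "method": "simple",
        "binddn": "cn=admin,ou=users,dc=mydomain,dc=local", "bindpw": "example-only",
        "basedn": "ou=users,dc=mydomain,dc=local", "use_tls": True}
BAD = {"urls": "company-ad.com", "method": "simple", "use_tls": False,
       "binddn": "ou=users,dc=mydomain,dc=local", "basedn": "users"}
```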