This command modifies an existing LDAP connection.
Usage
ldap modify --id ID [--urls URI_LIST] [--enable-auto-discovery|--disable-auto-discovery] [--enable-use-ldaps|--disable-use-ldaps] [--port PORT] [--binddn BIND_DN] [--bindpw BIND_PASSWORD] [--basedn BASE_DN] [--group-searchbase GROUP_BASE_DN] [--query-groups-mode COMPATIBLE|RFC2307BIS_ONLY|RFC2307_ONLY|NONE] [--method anonymous|simple] [--domain-name DOMAIN_NAME] [--use-tls|--no-tls] [--vms-auth|--no-vms-auth] [--advanced-settings-templates AD|Open_LDAP] [--posix-attributes-source JOINED_DOMAIN|ALL_DOMAINS|SPECIFIC_DOMAINS|GC] [--domains-with-posix-attributes DOMAINS] [--enable-query-posix-attributes-from-gc|--disable-query-posix-attributes-from-gc] [--gid-number ATTRIBUTE_NAME] [--uid ATTRIBUTE_NAME] [--uid-number ATTRIBUTE_NAME] [--member-uid ATTRIBUTE_NAME] [--posix-account ATTRIBUTE_NAME] [--posix-group ATTRIBUTE_NAME] [--match-user ATTRIBUTE_NAME] [--username-property-name ATTRIBUTE_NAME] [--user-login-name ATTRIBUTE_NAME] [--group-login-name ATTRIBUTE_NAME] [--mail-property-name ATTRIBUTE_NAME] [--uid-member-value-property-name ATTRIBUTE_NAME]
Notice: --posix-attributes-source and --domains-with-posix-attributes are available starting with VAST Cluster 4.6.0-SP5.
Notice: --enable-query-posix-attributes-from-gc and --disable-query-posix-attributes-from-gc are deprecated starting with VAST Cluster 4.6.0-SP5.
Required Parameters
--id ID | Identifies the LDAP configuration record to modify.
Options
--urls URI_LIST | If AD domain auto-discovery is disabled, sets the URIs of the remote LDAP server's domain controllers (DCs) and their priority order. Specify
--enable-auto-discovery | Enables Active Directory domain auto-discovery. When auto-discovery is enabled, VAST Cluster automatically discovers and queries all domains and domain controllers in the Active Directory forest.
--disable-auto-discovery | Disables Active Directory domain auto-discovery. When auto-discovery is disabled, the LDAP URI (
--enable-use-ldaps | Enables use of LDAP over TLS (LDAPS) for AD domain auto-discovery. When enabled, VAST Cluster connects to an alternative port (port 636 for the domain controller, port 3269 for the Global Catalog) and initiates a TLS handshake immediately afterwards.
--disable-use-ldaps | Disables use of LDAP over TLS (LDAPS) for AD domain auto-discovery.
--port PORT | Sets the port of the remote LDAP server. Recommended values:
--binddn BIND_DN | Sets the bind DN for authenticating to the LDAP server. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory. You can specify any user account that has read access to the domain. This bind DN must be set if The format is a comma-separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component is a cn attribute component specifying the user object, the next component is its container, and so on up the tree, with the last component representing the top-level domain. The following attributes can be specified: For example,
--bindpw BIND_PASSWORD | Sets the password used with the bind DN to authenticate to the LDAP server. This password must be set if
--basedn BASE_DN | If AD auto-discovery is disabled, specifies the entry in the LDAP directory tree to use as the starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the group base DN on To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster. Specify The following attributes can be specified: For example, suppose your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter:
--group-searchbase GROUP_BASE_DN | Sets the entry in the LDAP directory tree to use as the starting point for group queries. If not specified, the base DN is used.
--query-groups-mode COMPATIBLE|RFC2307BIS_ONLY|RFC2307_ONLY|NONE | The mode for querying a user's auxiliary group memberships, when the auth provider is set as the source of group membership in the view policy:
--method anonymous|simple | The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. Set the method according to how the LDAP server is configured to authenticate clients. The following options are available:
--domain-name DOMAIN_NAME | Sets the fully qualified domain name (FQDN) of the domain to join. For example:
--use-tls | Enables TLS (STARTTLS) to secure communication between VAST Cluster and the LDAP server. When enabled, VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513. Important: Use the VAST Web UI to provide a TLS certificate.
--no-tls | Disables TLS (STARTTLS) secure communication between VAST Cluster and the LDAP server.
--vms-auth | If this option is specified, the LDAP configuration will be the one used for VMS authentication.
--no-vms-auth | If this option is specified, the LDAP configuration will not be used for VMS authentication. This is the default setting.
--advanced-settings-templates AD|Open_LDAP | Sets the object classes that define user and group entries to preset values as defined in the template for the Active Directory or OpenLDAP standard. To enable SMB client connection to the cluster, map LDAP attributes to the AD schema by specifying
--posix-attributes-source JOINED_DOMAIN|ALL_DOMAINS|SPECIFIC_DOMAINS|GC | Determines the domains from which VAST Cluster queries POSIX attributes. Options include: Notice: This option is available starting with VAST Cluster 4.6.0-SP5.
--domains-with-posix-attributes DOMAINS | Provides a comma-separated list of the specific domains when For example: Notice: This option is available starting with VAST Cluster 4.6.0-SP5.
--enable-query-posix-attributes-from-gc | Notice: This option is deprecated starting with VAST Cluster 4.6.0-SP5. Use Enables querying for POSIX attributes of users or groups from non-joined domains in the AD global catalog. When this option is specified, the AD global catalog must be configured with POSIX attributes.
--disable-query-posix-attributes-from-gc | Notice: This option is deprecated starting with VAST Cluster 4.6.0-SP5. Use Disables querying for POSIX attributes of users or groups from non-joined domains in the AD global catalog. This is the default setting.
Attribute Mapping Options
If your LDAP server uses attributes that differ from the default RFC2307-compliant attribute set that is used to query the LDAP server, these options map those attributes to the attribute names used on the server you are connecting the cluster to. This is typically needed for Active Directory.
Example: uid=cn
--posix-account user
--posix-group group
--gid-number ATTRIBUTE_NAME | The attribute of a group entry that contains the GID number of the group. Default: gidNumber. Example for Active Directory:
--uid ATTRIBUTE_NAME | The attribute of a user entry that contains the user name. Default: uid. Example for Active Directory:
--uid-number ATTRIBUTE_NAME | The attribute of a user entry that contains the UID number. Default: uidNumber
--member-uid ATTRIBUTE_NAME | The attribute of a group entry that contains the names of group members. Example for Active Directory:
--posix-account ATTRIBUTE_NAME | The object class that defines a user entry.
--posix-group ATTRIBUTE_NAME | The object class that defines a group entry.
--match-user ATTRIBUTE_NAME | Use this option to specify which attribute to use for matching users across providers during user refresh and user authentication. When querying a provider for a user that matches a user already retrieved from another provider, a user entry that contains a matching value in this attribute is considered the same user as the one previously retrieved. Example:
--username-property-name ATTRIBUTE_NAME | Overrides 'name' as the attribute used to query users in user-initiated VMS user queries.
--user-login-name ATTRIBUTE_NAME | Specifies the attribute used to query AD for the user login name in NFS ID mapping. Applicable only with AD and NFSv4.1. For example:
--group-login-name ATTRIBUTE_NAME | Specifies the attribute used to query AD for the group login name in NFS ID mapping. Applicable only with AD and NFSv4.1. For example:
--mail-property-name ATTRIBUTE_NAME | Specifies the attribute to use for the user's email address.
--uid-member-value-property-name ATTRIBUTE_NAME | Specifies the attribute which represents the value of the LDAP group's
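The following Python script is an added example, not VAST's code, showing what the attribute-mapping options change: the search filters a client sends for a user lookup and for a user's group memberships, with the RFC 2307 defaults versus an Active Directory mapping. It also escapes filter values per RFC 4515, so a user name containing `*`, `(` or `)` cannot alter the filter's meaning. The RFC 2307 values for --posix-account, --posix-group and --member-uid (posixAccount, posixGroup, memberUid) and the Active Directory values other than the page's own `--posix-account user --posix-group group` are assumptions; the user-entry dictionaries are constructed.

```python
"""Build LDAP search filters from the attribute-mapping options.

Added example, not VAST's code. Defaults beyond uid/uidNumber/gidNumber and
the Active Directory override values are assumptions, labelled below.
"""
from typing import Dict, Optional

# RFC 2307 attribute set used by default. The page states the defaults for
# uid, uidNumber and gidNumber; the remaining entries are RFC 2307 values (assumption).
RFC2307_DEFAULTS = {
    "uid": "uid",
    "uid_number": "uidNumber",
    "gid_number": "gidNumber",
    "member_uid": "memberUid",          # --member-uid (assumption)
    "posix_account": "posixAccount",    # --posix-account (assumption)
    "posix_group": "posixGroup",        # --posix-group (assumption)
    "uid_member_value": "uid",          # --uid-member-value-property-name (assumption)
}

# A typical Active Directory override. 'user' and 'group' mirror the page's example;
# the other values are common AD choices and are assumptions, not values from the page.
AD_OVERRIDES = {
    "uid": "sAMAccountName",
    "member_uid": "member",
    "posix_account": "user",
    "posix_group": "group",
    "uid_member_value": "distinguishedName",  # AD 'member' stores the user's DN
}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def effective_mapping(overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Defaults with any --<option> overrides applied on top."""
    mapping = dict(RFC2307_DEFAULTS)
    mapping.update(overrides or {})
    return mapping


def user_filter(username: str, overrides: Optional[Dict[str, str]] = None) -> str:
    """Filter that finds the user entry for a login name."""
    m = effective_mapping(overrides)
    return f"(&(objectClass={m['posix_account']})({m['uid']}={escape_filter_value(username)}))"


def groups_of_user_filter(user_entry: Dict[str, str],
                          overrides: Optional[Dict[str, str]] = None) -> str:
    """Filter that finds the groups listing this user as a member.

    The member attribute of a group (--member-uid) is matched against the value
    of the user attribute named by --uid-member-value-property-name: the uid for
    RFC 2307 memberUid, the user's DN for Active Directory 'member'.
    """
    m = effective_mapping(overrides)
    member_value = user_entry[m["uid_member_value"]]
    return f"(&(objectClass={m['posix_group']})({m['member_uid']}={escape_filter_value(member_value)}))"


if __name__ == "__main__":
    # Constructed sample entries.
    print(user_filter("alice"))
    print(user_filter("alice", AD_OVERRIDES))
    print(groups_of_user_filter({"uid": "alice"}))
    print(groups_of_user_filter({"distinguishedName": "CN=alice,CN=Users,DC=mydomain,DC=local"}, AD_OVERRIDES))
```

The group filter is where a wrong --uid-member-value-property-name shows up: with the AD mapping, the group's member attribute holds DNs, so matching it against a plain user name returns no groups and the user silently loses the permissions those groups carry.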
Example
vcli: admin> ldap modify --id ID --no-tls