HMC Manual Reference Pages  - CHHMCLDAP (1)

NAME

chhmcldap - change HMC LDAP configuration

SYNOPSIS

To set HMC LDAP configuration attributes:
chhmcldap -o s [--primary LDAP-server-URI]
[--backup LDAP-server-URI] [--basedn base-DN]
[--binddn bind-DN] [--bindpw bind-password]
[--timelimit time-limit]
[--bindtimelimit bind-time-limit]
[--automanage {0 | 1}]
[--auth {ldap | kerberos}]
[--loginattribute attribute]
[--hmcuserpropsattribute attribute]
[--hmcauthnameattribute attribute]
[--searchfilter LDAP-search-filter]
[--scope {one | sub}]
[--referrals {0 | 1}] [--starttls {0 | 1}]
[--hmcgroups group-names]

To remove an LDAP resource or the LDAP configuration from the HMC:
chhmcldap -o r -r {backup | ldap | binddn | bindpw |
searchfilter | hmcgroups}

DESCRIPTION

chhmcldap changes the Hardware Management Console (HMC) Lightweight Directory Access Protocol (LDAP) client configuration.

By default, LDAP is not configured on the HMC. The HMC can only be configured as an LDAP client. To configure the HMC as an LDAP client, issue this command and specify both the primary LDAP server and the base Distinguished Name (DN) at a minimum.

The getfile command can be used to deploy an LDAP Certificate Authority (CA) certificate file on the HMC.

OPTIONS

-o The operation to perform. Valid values are s to set an HMC LDAP configuration attribute, and r to remove an LDAP resource or the LDAP configuration from the HMC.
-r The LDAP resource to remove. Valid values are backup to remove the backup LDAP server, ldap to unconfigure LDAP on the HMC, binddn to remove the bind Distinguished Name (DN), bindpw to remove the bind password, searchfilter to remove the LDAP search filter, and hmcgroups to remove the HMC user group configuration.

This option is required for a remove operation. This option is not valid for a set operation.

--primary The primary LDAP server. The Uniform Resource Identifier (URI) scheme may be ldap:// for LDAP over TCP, or ldaps:// for LDAP over SSL. The URI format is ldap://LDAP-server[:port-number] or ldaps://LDAP-server[:port-number]. LDAP-server can either be the host name or the IP address of the LDAP server. The port number is optional. If the port number is omitted, port 389 is used for the ldap:// scheme and port 636 is used for the ldaps:// scheme. If Start TLS is enabled, the URI must use the ldap:// scheme.

If LDAP is not configured on the HMC, both this option and the --basedn option must be specified to configure LDAP on the HMC.

This option is only valid for a set operation.

--backup The backup LDAP server. The URI scheme may be ldap:// for LDAP over TCP, or ldaps:// for LDAP over SSL. The URI format is ldap://LDAP-server[:port-number] or ldaps://LDAP-server[:port-number]. LDAP-server can either be the host name or the IP address of the LDAP server. The port number is optional. If the port number is omitted, port 389 is used for the ldap:// scheme and port 636 is used for the ldaps:// scheme. If Start TLS is enabled, the URI must use the ldap:// scheme.

This option is only valid for a set operation. Setting a backup LDAP server is optional.

--basedn The default base DN to use when performing LDAP operations. The base DN must be specified in LDAP format (e.g. dc=ldapclient,dc=example,dc=com).

If LDAP is not configured on the HMC, both this option and the --primary option must be specified to configure LDAP on the HMC.

This option is only valid for a set operation.

--binddn The DN to use for binding to the LDAP server when the LDAP server is configured to use non-anonymous binding. The bind DN must be specified in LDAP format (e.g. cn=admin,dc=yourorg,dc=com).

This option is only valid for a set operation.

--bindpw The password to use when binding to the LDAP server when the LDAP server is configured to use non-anonymous binding.

This option is only valid for a set operation.

--timelimit The LDAP search time limit in seconds. A value of 0 means there is no time limit. If this option is not specified when LDAP is configured, the search time limit is set to 30 seconds.

This option is only valid for a set operation.

--bindtimelimit The LDAP server bind time limit in seconds. If this option is not specified when LDAP is configured, the bind time limit is set to 30 seconds.

This option is only valid for a set operation.

--automanage Use this option to indicate whether the HMC should automatically manage remotely authenticated LDAP users. Valid values are 0 to disable automatic management, or 1 to enable automatic management.

When automatic management is enabled, an LDAP user can log in to the HMC. An HMC user will be automatically created for the LDAP user if the HMC user does not exist when the LDAP user logs in. If the HMC user already exists, it will be updated with the current user definition retrieved from the LDAP server when the LDAP user logs in.

If this option is not specified when LDAP is configured, automatic management is disabled.

This option is only valid for a set operation.

--auth The type of authentication to use for automatically managed LDAP users. Valid values are ldap to use LDAP authentication, or kerberos to use Kerberos authentication.

If kerberos is specified and Kerberos is not enabled on the HMC, LDAP users will not be able to log in to the HMC because the HMC will not be able to retrieve the user data from the LDAP server.

If this option is not specified when LDAP is configured, LDAP authentication will be used.

This option is only valid for a set operation.

--loginattribute The login attribute to use to authenticate LDAP users on the HMC. The value of the login attribute stored on the LDAP server is compared with the HMC user name. If a match is found on the LDAP server, then authentication with the LDAP server is attempted.

If this option is not specified when LDAP is configured, the login attribute is set to uid.

This option is only valid for a set operation.

--hmcuserpropsattribute The attribute to use to retrieve the user roles and properties from the LDAP server. These user roles and properties are used when the HMC user is created or updated for an automatically managed LDAP user.

If this option is not specified when LDAP is configured, this attribute is set to ibm-aixAdminPolicyEntry.

This option is only valid for a set operation.

For information about how to configure this attribute on your LDAP server, please refer to the GUI help text for the Users and Security > Systems and Console Security > Manage LDAP GUI task.

--hmcauthnameattribute The attribute to use to retrieve the remote user ID used in Kerberos authentication. When the HMC user is created or updated for an automatically managed LDAP user, the HMC user is assigned this remote user ID if Kerberos authentication is used.

If this option is not specified when LDAP is configured, this attribute is set to userPrincipalName.

This option is only valid for a set operation.

--searchfilter The filter to use for limiting the search of the LDAP server for user information. This is useful when you have a large number of LDAP users and you want to decrease the amount of time for retrieving the user information.

If this option is not specified when LDAP is configured, then no filter is set.

This option is only valid for a set operation.

--scope The search scope starting from the base DN. Valid values are one to search one level only, or sub to search the entire subtree. Subtree scope is useful when you want to search for users in different organizations.

If this option is not specified when LDAP is configured, the search scope is set to one level.

This option is only valid for a set operation.
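The following is an added example, not code from this man page or from IBM: a small Python model of the user lookup that --basedn, --scope, --searchfilter and --loginattribute configure, run over a constructed directory, so the difference between one-level and subtree scope and the effect of a search filter on which entries are even considered can be seen. The directory entries, the single equality-clause filter (compound filters are not modelled) and the naive comma-split DN handling are simplifications assumed here.

```python
"""Added example (not IBM's code): model of the HMC's LDAP user lookup
under --basedn / --scope / --searchfilter / --loginattribute."""
from fnmatch import fnmatchcase

# Constructed directory for the example: DN -> attributes. Not real data.
DIRECTORY = {
    "uid=alice,dc=example,dc=com": {
        "uid": "alice", "mail": "alice@yourcompany.com", "notesshortname": "ALICE1"},
    "uid=bob,ou=sales,dc=example,dc=com": {
        "uid": "bob", "mail": "bob@yourcompany.com"},
    "uid=carol,ou=eng,ou=emea,dc=example,dc=com": {
        "uid": "carol", "mail": "carol@partner.example"},
    "uid=alice,dc=other,dc=com": {
        "uid": "alice", "mail": "alice@other.example"},
}


def dn_parts(dn):
    """Split a DN into its RDNs (naive: assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """LDAP scope semantics: 'one' = direct children of the base entry only,
    'sub' = the base entry itself and everything below it."""
    if scope not in ("one", "sub"):
        raise ValueError("--scope must be one or sub")
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False  # not under the base DN at all
    depth = len(entry) - len(base)
    return depth == 1 if scope == "one" else depth >= 0


def matches_filter(attrs, search_filter):
    """Evaluate one equality clause such as mail=*@yourcompany.com, with or
    without surrounding parentheses; '*' is a wildcard. No filter = match all."""
    if not search_filter:
        return True
    attr, sep, pattern = search_filter.strip("()").partition("=")
    if not sep:
        raise ValueError(f"unsupported filter: {search_filter!r}")
    return fnmatchcase(str(attrs.get(attr, "")).lower(), pattern.lower())


def find_user(hmc_user, base_dn, scope="one", search_filter=None,
              login_attribute="uid"):
    """Return the DNs the lookup would consider for hmc_user: under base_dn
    within scope, passing the search filter, and whose login attribute
    equals the HMC user name (defaults mirror the man page: one, no filter, uid)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope)
            and matches_filter(attrs, search_filter)
            and attrs.get(login_attribute) == hmc_user]


if __name__ == "__main__":
    base = "dc=example,dc=com"
    print("bob, scope one:", find_user("bob", base, "one"))
    print("bob, scope sub:", find_user("bob", base, "sub"))
    print("carol, sub + filter:",
          find_user("carol", base, "sub", "mail=*@yourcompany.com"))
```

With one-level scope, bob (who sits in ou=sales) is never found, which is the case the page alludes to when it says subtree scope is useful for users in different organizations; the search filter then narrows the subtree so that entries outside the filter (carol, whose mail is not at yourcompany.com) are excluded before the login attribute is even compared.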

--referrals Specifies whether automatic referral chasing is to be enabled or disabled. Valid values are 0 to disable automatic referral chasing, and 1 to enable it. If this option is not specified when LDAP is configured, automatic referral chasing is enabled.

This option is only valid for a set operation.

--starttls Specifies whether Start Transport Layer Security (TLS) is to be enabled or disabled. Valid values are 0 to disable Start TLS, and 1 to enable it. This option can only be enabled if the LDAP server supports the Start TLS protocol. When Start TLS is enabled, a connection is opened using the normal LDAP port. Then, when needed (for example when binding), the connection is converted to an SSL connection using the Start TLS protocol. This functionality exists, for example, in OpenLDAP. When Start TLS is enabled, the URI scheme ldap:// must be used.

If this option is not specified when LDAP is configured, Start TLS is disabled.

This option is only valid for a set operation.

--hmcgroups Specifies the name of one or more user groups allowed to log in to this HMC. Multiple group names must be comma separated. The user groups specified with this option will replace the current user groups configured for this HMC.

If this option is not specified when LDAP is configured, no HMC user groups will be configured and all LDAP users will be allowed to log in to this HMC.

This option is only valid for a set operation.

--help Display the help text for this command and exit.
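As an added example (not IBM's code and not part of this man page), the following Python checks a proposed chhmcldap argument list against the rules and defaults documented above before it is run on the HMC: the ldap:// and ldaps:// URI format with the default ports 389 and 636, the requirement that Start TLS be used only with ldap://, the --primary plus --basedn requirement for a first-time configuration, the separate -o s and -o r option sets, and the enumerated values. It also reports the settings the page itself describes as consequential: a server reached over plain ldap:// with Start TLS disabled, no --hmcgroups (so every LDAP user may log in), --timelimit 0, and --auth kerberos without Kerberos enabled. The ldap_configured flag, the warning wording and the omission of --help are assumptions of this example, not behaviour of the HMC.

```python
"""Added example (not IBM's code): pre-flight check of chhmcldap arguments
against the constraints and defaults stated in the man page."""
from urllib.parse import urlsplit

# Defaults the man page states for a first-time LDAP configuration.
DEFAULTS = {
    "timelimit": 30, "bindtimelimit": 30, "automanage": 0, "auth": "ldap",
    "loginattribute": "uid", "hmcuserpropsattribute": "ibm-aixAdminPolicyEntry",
    "hmcauthnameattribute": "userPrincipalName", "scope": "one",
    "referrals": 1, "starttls": 0,
}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
INT_OPTS = {"timelimit", "bindtimelimit", "automanage", "referrals", "starttls"}
STRING_OPTS = {"primary", "backup", "basedn", "binddn", "bindpw", "auth",
               "loginattribute", "hmcuserpropsattribute", "hmcauthnameattribute",
               "searchfilter", "scope", "hmcgroups"}
ENUM_OPTS = {"automanage": {0, 1}, "referrals": {0, 1}, "starttls": {0, 1},
             "auth": {"ldap", "kerberos"}, "scope": {"one", "sub"}}
REMOVABLE = {"backup", "ldap", "binddn", "bindpw", "searchfilter", "hmcgroups"}


def parse_ldap_uri(uri):
    """Return (scheme, host, port) for ldap://host[:port] or ldaps://host[:port],
    applying the documented default port when none is given."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname or parts.path:
        raise ValueError(f"invalid LDAP server URI: {uri!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def parse_args(argv):
    """Turn a chhmcldap argument list into {option-name: value} (--help not modelled)."""
    opts = {}
    for i in range(0, len(argv), 2):
        if i + 1 >= len(argv):
            raise ValueError(f"option {argv[i]} needs a value")
        opts[argv[i].lstrip("-")] = argv[i + 1]
    return opts


def check(argv, ldap_configured=False):
    """Validate argv and return the effective configuration. ldap_configured
    (assumed input; see lshmcldap) says whether LDAP is already set up: if not,
    --primary and --basedn are required and DEFAULTS fill unspecified options."""
    opts = parse_args(argv)
    op = opts.pop("o", None)
    if op == "r":
        target = opts.pop("r", None)
        if target not in REMOVABLE:
            raise ValueError("-o r requires -r with one of: " + ", ".join(sorted(REMOVABLE)))
        if opts:
            raise ValueError("not valid for a remove operation: --" + ", --".join(sorted(opts)))
        return {"operation": "remove", "resource": target}
    if op != "s":
        raise ValueError("-o must be s (set) or r (remove)")
    if "r" in opts:
        raise ValueError("-r is not valid for a set operation")
    unknown = set(opts) - INT_OPTS - STRING_OPTS
    if unknown:
        raise ValueError("unknown option(s): --" + ", --".join(sorted(unknown)))
    if not ldap_configured and not {"primary", "basedn"} <= set(opts):
        raise ValueError("first-time configuration requires both --primary and --basedn")

    settings = dict(DEFAULTS) if not ldap_configured else {}
    for key, value in opts.items():
        settings[key] = int(value) if key in INT_OPTS else value
    for key, allowed in ENUM_OPTS.items():
        if key in settings and settings[key] not in allowed:
            raise ValueError(f"--{key} must be one of {sorted(allowed, key=str)}")
    if "hmcgroups" in settings:  # comma-separated list replaces current groups
        settings["hmcgroups"] = [g for g in settings["hmcgroups"].split(",") if g]

    starttls = settings.get("starttls")  # None when left unchanged on an existing config
    servers, warnings = {}, []
    for role in ("primary", "backup"):
        if role not in settings:
            continue
        scheme, host, port = parse_ldap_uri(settings[role])
        servers[role] = (scheme, host, port)
        if starttls == 1 and scheme != "ldap":
            raise ValueError(f"--{role} must use the ldap:// scheme when Start TLS is enabled")
        if scheme == "ldap" and starttls == 0:
            warnings.append(f"{role} server {host}:{port} uses LDAP over TCP with Start TLS disabled")
    if not ldap_configured and "hmcgroups" not in settings:
        warnings.append("no --hmcgroups: every LDAP user will be allowed to log in")
    if settings.get("timelimit") == 0:
        warnings.append("--timelimit 0: LDAP searches have no time limit")
    if settings.get("auth") == "kerberos":
        warnings.append("--auth kerberos: Kerberos must be enabled on the HMC or LDAP users cannot log in")
    return {"operation": "set", "settings": settings, "servers": servers, "warnings": warnings}


def explain(argv, ldap_configured=False):
    """Return the validation error for argv, or None if it would be accepted."""
    try:
        check(argv, ldap_configured)
    except ValueError as exc:
        return str(exc)
    return None
```

Call check() with the exact argument list you intend to pass; the settings it returns are what the page says the HMC applies, including the documented defaults on a first-time configuration, and comparing them with lshmcldap output afterwards confirms the result.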

EXAMPLES

Configure LDAP on the HMC for the first time and enable Start TLS:

chhmcldap -o s --primary ldap://ldap.example.com --basedn dc=example,dc=com --starttls 1

Set a backup LDAP server using the ldap:// URI scheme:

chhmcldap -o s --backup ldap://ldap2.example.com

Set the primary LDAP server using the ldaps:// URI scheme and port number 625:

chhmcldap -o s --primary ldaps://ldap.example.com:625

Set the bind DN and bind password:

chhmcldap -o s --binddn cn=admin,dc=yourorg,dc=com --bindpw secret

Enable automatic management of LDAP users and set the authentication type to Kerberos:

chhmcldap -o s --automanage 1 --auth kerberos

Set the LDAP search filter:

chhmcldap -o s --searchfilter "mail=*@yourcompany.com"

Set the LDAP search scope to subtree:

chhmcldap -o s --scope sub

Set the login attribute to notesshortname:

chhmcldap -o s --loginattribute notesshortname

Set both the time limit and bind time limit to 40 seconds and disable referrals:

chhmcldap -o s --timelimit 40 --bindtimelimit 40 --referrals 0

Configure this HMC to only allow users in groups group1 and group2 to log in:

chhmcldap -o s --hmcgroups group1,group2

Remove the backup LDAP server:

chhmcldap -o r -r backup

Unconfigure LDAP on the HMC:

chhmcldap -o r -r ldap

ENVIRONMENT

None

BUGS

None

AUTHOR

IBM Austin

SEE ALSO

lshmcldap, getfile, rmfile


Linux CHHMCLDAP (1) November 2013