Configuring LDAP by using the CLI

You can use the command-line interface (CLI) to configure LDAP authentication in your Copy Services Manager environment.

About this task

The basic user registry is the default user-authentication method for Copy Services Manager. If you do not use the basic user registry, you can configure Copy Services Manager to use either an Active Directory Server or an LDAP Server-based authentication method.
Note: After LDAP authentication is configured, users from the basic user registry are still able to authenticate. It is recommended that you leave at least one user from the basic user registry with the administrator role. This user serves as a backup if there is ever a loss in communication to the LDAP servers.
Perform the following steps to configure LDAP authentication support by using the CLI:

Procedure

  1. Log in to Copy Services Manager CLI as a user with administrator privileges.
  2. You can choose to establish either an Active Directory or LDAP Server configuration.
    1. Enter the mkadcfg command to configure Copy Services Manager to use Active Directory server-based authentication. For more information about using this command, see the mkadcfg command help topic.
      Syntax: mkadcfg [-help | -h | -?] -server adservername:port[;adservername:port...] -username username [-password password] -domain domain
      -help | -h | -?
      Lists help for the command. If you specify additional parameters and arguments, those parameters and arguments are ignored.
      -server adserver
      Specifies the Active Directory servers. The input format is adservername:port, for example, adServer1:636. Multiple backup Active Directory servers can be specified by using a semicolon to separate each server. If a port is not specified, the default port that is used is 389.
      -username username
      Specifies the user name that is required for accessing the Active Directory domain. Any domain user from the Active Directory server that is identified by the server parameter can be specified for this operation.
      -password password
      Specifies the password of the user who is specified with the username parameter. To hide the password, call the command without this option. The command prompts for the password, which is not echoed.
      -domain domain
      Specifies the domain of the user who is specified with the username parameter.
      Establishing an Active Directory server configuration
      Example:
      csmcli> mkadcfg -server ADserver1.ibm.com:1234 -username admin -password passw0rd -domain ibm.com

      The following output is returned:

      IWNR4950I [Aug 11, 2015 9:28:06 AM] Successfully updated the LDAP configuration.
    2. Enter the mkldapcfg command to configure Copy Services Manager to use LDAP server-based authentication. For more information about using this command, see the mkldapcfg command help topic.
      Syntax: mkldapcfg [-help | -h | -?] [-keyfilepath keyfilepath] -server ldapserver[;ldapserver...] -baseDN ldapbase -bindDN ldapbinddn [-password password]
      -help | -h | -?
      Lists help for the command. If you specify additional parameters and arguments, those parameters and arguments are ignored.
      -keyfilepath keyfilepath
      Specifies the absolute path of the key file that holds the CA certificate. If multiple certificates are required, include all of them in a single file and provide that file as input. The file must be present on the system from which mkldapcfg is run. This parameter is optional.
      Note: For information on how to create a file with multiple certificates, see Creating a file with multiple certificates for LDAP configuration.
      -server ldapserver
      Specifies the LDAP servers. The input format is ldapservername:port, for example, ldapserver1:636. Multiple backup LDAP servers can be specified by using a semicolon to separate each server. Multiple LDAP servers must be replicas of the primary LDAP server, or they can be any LDAP host with the same schema, which contains data that is mirrored from the same LDAP Data Interchange Format (LDIF) file. If a port is not specified, the default ports that are used are 389 for ldap:// and 636 for ldaps://.
      -baseDN ldapbase
      Specifies the LDAP base DN.
      -bindDN ldapbinddn
      Specifies the binding DN of an LDAP user who has sufficient permissions to read user data.
      -password password
      Specifies the password of the user who is specified with the bindDN parameter. To hide the password, call the command without this option. The command prompts for the password, which is not echoed.
      Establishing an LDAP server configuration without security
      Example:
      csmcli> mkldapcfg -server ldapserver.ibm.com:1234 -bindDN cn=root -baseDN ou=test,o=ibm,c=us -password passw0rd

      The following output is returned:

      IWNR4950I [Aug 11, 2015 8:45:21 AM] Successfully updated the LDAP configuration.
      Establishing an LDAP server configuration with security
      Example:
      csmcli> mkldapcfg -server ldapserver.ibm.com:1234 -bindDN cn=root -baseDN ou=test,o=ibm,c=us -keyfilepath c:\security\ldap.crt

      The following output is returned:

      Please enter a password:>
      An LDAP configuration already exists. Are you sure you want to replace it?  [y/n]:y
      IWNR4950I [Aug 11, 2015 8:45:21 AM] Successfully updated the LDAP configuration.
    Note: Only one authentication method can be used. For example, if you enter the mkadcfg command first, and then enter the mkldapcfg command later, the last command overwrites the previous configuration.
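The following is an added pre-check script, not part of the Copy Services Manager product or this topic: it parses a -server value in the semicolon-separated ldapservername:port format described above, applies the documented defaults (389 for ldap://, 636 for ldaps://), and reports entries that would send the bind credentials over plain LDAP or that request ldaps:// without a -keyfilepath. Treating a scheme-less entry as ldap:// is an assumption of this example, as is the check_config function itself.

```python
"""Pre-check for a mkldapcfg -server argument (added example, not IBM code)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Default ports stated in the -server parameter description.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapServer:
    scheme: str
    host: str
    port: int


def parse_server_list(arg: str) -> List[LdapServer]:
    """Split 'host:port;ldaps://host2;...' into entries with default ports applied."""
    servers = []
    for raw in arg.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a stray trailing semicolon
        # Assumption: an entry without a scheme is treated as ldap:// (default 389).
        target = entry if "://" in entry else "ldap://" + entry
        parts = urlsplit(target)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"invalid server entry: {entry!r}")
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
        servers.append(LdapServer(parts.scheme, parts.hostname, port))
    if not servers:
        raise ValueError("at least one LDAP server is required")
    return servers


def check_config(server_arg: str, keyfilepath: Optional[str] = None) -> List[str]:
    """Return findings to review before running mkldapcfg (hypothetical helper)."""
    findings = []
    for srv in parse_server_list(server_arg):
        if srv.scheme == "ldap":
            findings.append(f"{srv.host}:{srv.port} uses plain ldap://; "
                            "the bind DN password would cross the network unencrypted")
        elif keyfilepath is None:
            findings.append(f"{srv.host}:{srv.port} is ldaps:// but no -keyfilepath "
                            "was given; confirm the server's CA is trusted some other way")
    return findings


if __name__ == "__main__":
    for line in check_config("ldapserver.ibm.com:1234;ldaps://backup.ibm.com"):
        print(line)
```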

Results

When Copy Services Manager is configured to connect to the appropriate server, all LDAP users are authenticated through that server.