chauthservice
Use the chauthservice command to configure the remote authentication service of the system.
Syntax
Parameters
- -enable yes | no
- (Optional) Enables or disables the system's use of the remote authentication server. When the enable parameter is set to no, the system fails all remote authentications, but local authentications continue to operate normally.
- -type ldap
- (Optional) Specifies the authentication service type (Tivoli Integrated Portal or native LDAP). An LDAP server must be configured. Before you change -type, ensure that the remote authentication type that is selected is properly configured. Remember:
- The remote authentication service must be enabled (-enable yes) for this setting to come into effect.
- Before you change -type from ldap to tip, ensure that all users who are configured for remote authentication have both an SSH key and password configured.
- -url url
- (Optional - IBM® Security Services only) Specifies the
website address (URL) of Security Services, which is referred to as TIP
in the CLI. The host part of the URL must be a valid numeric IPv4 or IPv6 network address. You can
use the following characters in the URL: a - z, A - Z, 0 - 9, _, ~, :, [, ], %, /
- -username user_name
- (Optional) Specifies the HTTP basic authentication user name. The user name cannot start or end
with a blank. The user name can consist of a string of 1 - 64 ASCII characters except for the
following characters: %, :, ", ,, *, '
- -password 'password'
- (Optional) Specifies the HTTP basic authentication user password. The password cannot start or end with a blank. It must consist of a string of 6 - 64 printable ASCII characters. You must enclose the password in single quotation marks. The password variable is optional. If you do not provide a password, the system prompts you and does not display the password that you type. Do not enclose the password in single quotation marks if you use the prompt.
- -sslcert file_name
- (Optional) Specifies the name of the file that contains the SSL certificate, in privacy enhanced mail (PEM) format, for the remote authentication server. The certificate file must be in valid PEM format and have a maximum length of 12 KB.
- -refresh
- (Optional) Causes the system to invalidate any remote user authorizations that are cached on the
system. Use this option when you modify user groups on the authentication service and want the
change to immediately take effect on the system. Note: If you clear the cache, anyone who uses the system might have to log in again (for example, if credentials are provided to one of the defined LDAP servers).
Description
The system authenticates remote users by using Lightweight Directory Access Protocol (LDAP).
Before you enable remote authentication, ensure that the properties of the service are properly
configured on the system. It is not necessary to disable the remote authentication service to change
its properties. LDAP authentication can be configured by using the chldap
command, and LDAP servers can be added to the system by using the mkldapserver
command.
Remember: For the authentication type to be set to LDAP with authorization
enabled (true), an LDAP server must be configured.
When the authentication service is enabled, the system
does not test whether the remote authentication system is operating correctly.
- To establish whether the system is operating correctly, enter the lscurrentuser command for a remotely authenticated user. If the output lists the user roles that are obtained from the remote authentication server, remote authentication is operating successfully. If the output is an error message, remote authentication is not working correctly, and the error message describes the problem.
- To establish whether LDAP is operating correctly, in addition to the lscurrentuser command, enter the testldapserver command. The testldapserver command can be entered whether or not remote authentication is enabled, and can be used to test the connection to LDAP servers, as well as user authorization and authentication.
To disable the remote authentication service in a controlled manner when it is not available, use the enable parameter with the no option.
Note: On a system where two person integrity (TPI) is enabled, you cannot disable the remote
authentication service if the minimum number of users that are required by TPI also includes remote
users.
This command can be used to select and enable a remote authentication service for use with the system.
An invocation example
To fully configure and enable authentication with IBM Security Services:
chauthservice -url https://9.71.45.108:16311/TokenService/services/Trust
-sslcert /tmp/sslCACert.pem -username admin -password 'password' -enable yes
The following text is displayed when the command runs:
No feedback