chauthservice

Use the chauthservice command to configure the remote authentication service of the system.

Syntax

chauthservice [-enable yes | no] [-type tip | ldap] [-url url] [-username user_name] [-password 'password'] [-sslcert file_name] [-refresh]

Parameters

-enable yes | no
(Optional) Enables or disables the system's use of the remote authentication server. When the enable parameter is set to no, remote authentications are failed by the system, but local authentications continue to operate normally.
-type ldap
(Optional) Specifies the authentication service type. The syntax lists Tivoli Integrated Portal (tip) and native LDAP (ldap), but the type must be ldap, and an LDAP server must be configured. Before you change -type, ensure that the remote authentication type that is selected is properly configured.
Remember:
  • The remote authentication service must be enabled (-enable yes) for this setting to come into effect.
  • Before you change -type from ldap to tip, ensure that all users who are configured for remote authentication have both an SSH key and password configured.
-url url
(Optional - IBM® Security Services only) Specifies the website address (URL) of Security Services, which is referred to as TIP in the CLI. The host part of the URL must be a valid numeric IPv4 or IPv6 network address. You can use the following characters in the URL:
  • a - z
  • A - Z
  • 0 - 9
  • _
  • ~
  • :
  • [
  • ]
  • %
  • /
The maximum length of the URL is 100 characters.
This option is no longer used.
-username user_name
(Optional) Specifies the HTTP basic authentication user name. The user name cannot start or end with a blank. The user name can consist of a string of 1 - 64 ASCII characters except for the following characters:
  • %
  • :
  • "
  • ,
  • *
  • '
-password 'password'
(Optional) Specifies the HTTP basic authentication user password. The password cannot start or end with a blank. It must consist of a string of 6 - 64 printable ASCII characters. You must enclose the password in single quotation marks. The password variable is optional. If you do not provide a password, the system prompts you and does not display the password that you type. Do not enclose the password in single quotation marks if you use the prompt.
-sslcert file_name
(Optional) Specifies the name of the file that contains the SSL certificate, in privacy enhanced mail (PEM) format, for the remote authentication server. The certificate file must be in valid PEM format and have a maximum length of 12 KB.
-refresh
(Optional) Causes the system to invalidate any remote user authorizations that are cached on the system. Use this option when you modify user groups on the authentication service and want the change to immediately take effect on the system.
Note: If you clear the cache, anyone who uses the system might have to log in again (for example, if credentials are provided to one of the defined LDAP servers).
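The parameter rules above (URL length and host form, user name and password character limits, PEM certificate size) are easy to get wrong at a terminal, and the system only reports a failure after the command is sent. The following pre-flight checker is an added example, not part of the IBM documentation or of the product's CLI: it encodes the documented limits so that values can be validated locally before running chauthservice. Function names, the constructed sample values (the example.com host, the placeholder PEM body) and the decision to accept a period in URLs are this example's own assumptions; the documented character list does not include the period, yet the page's own example uses a dotted IPv4 host, which cannot be written without it.

```python
"""Pre-flight checks for chauthservice parameters (added example, not product code)."""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

URL_MAX_LEN = 100
# Documented URL alphabet: a-z A-Z 0-9 _ ~ : [ ] % /. The period is added as an
# assumption, because the documented numeric IPv4 host cannot be written without it.
URL_ALLOWED = re.compile(r"^[A-Za-z0-9_~:\[\]%/.]+$")
USERNAME_FORBIDDEN = set('%:",*\'')
PEM_MAX_BYTES = 12 * 1024
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def validate_url(url: str) -> list[str]:
    """Apply the -url rules: maximum length, permitted characters, numeric IP host."""
    problems = []
    if len(url) > URL_MAX_LEN:
        problems.append(f"URL is {len(url)} characters; maximum is {URL_MAX_LEN}")
    if not URL_ALLOWED.match(url):
        problems.append("URL contains characters outside the permitted set")
    try:
        host = urlsplit(url).hostname
    except ValueError:
        host = None
    if host is None:
        problems.append("URL has no parsable host")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"URL host must be a numeric IPv4 or IPv6 address, got '{host}'")
    return problems


def validate_username(name: str) -> list[str]:
    """Apply the -username rules: 1 - 64 ASCII characters, no edge blanks, no % : \" , * '."""
    problems = []
    if not 1 <= len(name) <= 64:
        problems.append(f"user name is {len(name)} characters; must be 1 - 64")
    if name != name.strip(" "):
        problems.append("user name cannot start or end with a blank")
    if not name.isascii():
        problems.append("user name must be ASCII")
    bad = sorted(set(name) & USERNAME_FORBIDDEN)
    if bad:
        problems.append("user name contains forbidden characters: " + " ".join(bad))
    return problems


def validate_password(password: str) -> list[str]:
    """Apply the -password rules: 6 - 64 printable ASCII characters, no edge blanks."""
    problems = []
    if not 6 <= len(password) <= 64:
        problems.append(f"password is {len(password)} characters; must be 6 - 64")
    if password != password.strip(" "):
        problems.append("password cannot start or end with a blank")
    if any(not 0x20 <= ord(c) <= 0x7E for c in password):
        problems.append("password must consist of printable ASCII characters")
    return problems


def validate_pem(data: bytes) -> list[str]:
    """Apply the -sslcert rules: PEM-formatted content of at most 12 KB."""
    problems = []
    if len(data) > PEM_MAX_BYTES:
        problems.append(f"certificate file is {len(data)} bytes; maximum is {PEM_MAX_BYTES}")
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if not blocks:
        problems.append("no -----BEGIN/-----END PEM block found")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{label} block body is not valid base64")
    return problems


def check_config(url: str, username: str, password: str, pem: bytes) -> dict[str, list[str]]:
    """Run every check and return only the parameters that have problems."""
    results = {
        "-url": validate_url(url),
        "-username": validate_username(username),
        "-password": validate_password(password),
        "-sslcert": validate_pem(pem),
    }
    return {k: v for k, v in results.items() if v}


# Constructed sample: PEM framing around a placeholder body, not a real certificate.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate")
    + b"\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # The page's own invocation example values, plus the constructed PEM above.
    print(check_config("https://9.71.45.108:16311/TokenService/services/Trust",
                       "admin", "password", SAMPLE_PEM))  # {} when everything passes
    # Constructed bad input: DNS host, forbidden ':' in the name, short password, no PEM.
    print(check_config("https://ldap.example.com/", "ad:min", "short", b"garbage"))
```

Read the certificate with `open(path, "rb").read()` and pass the bytes to `validate_pem`; an empty result from `check_config` means every documented rule is satisfied, and each remaining key names the parameter the system would reject.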

Description

The system authenticates remote users by using Lightweight Directory Access Protocol (LDAP).

Before you enable remote authentication, ensure that the properties of the service are properly configured on the system. It is not necessary to disable the remote authentication service to change its properties. LDAP authentication can be configured by using the chldap command, and LDAP servers can be added to the system by using the mkldapserver command.
Remember: For the authentication type to be set to LDAP with authorization enabled (true), an LDAP server must be configured.
When the authentication service is enabled, the system does not test whether the remote authentication system is operating correctly.
  • To establish whether the system is operating correctly, enter the lscurrentuser command for a remotely authenticated user. If the output lists the user roles that are obtained from the remote authentication server, remote authentication is operating successfully. If the output is an error message, remote authentication is not working correctly, and the error message describes the problem.
  • To establish whether LDAP is operating correctly, in addition to the lscurrentuser command, enter the testldapserver command. The testldapserver command can be entered whether or not remote authentication is enabled, and can be used to test the connection to LDAP servers, as well as user authorization and authentication.

To disable the remote authentication service in a controlled manner when that service is not available, use -enable no.

Note: On a system where two person integrity (TPI) is enabled, you cannot disable the remote authentication service if the minimum number of users that are required by TPI includes remote users.

This command can be used to select and enable a remote authentication service for use with the system.

An invocation example

To fully configure and enable authentication with IBM Security Services:

chauthservice -url https://9.71.45.108:16311/TokenService/services/Trust
 -sslcert /tmp/sslCACert.pem -username admin -password 'password' -enable yes

The following text is displayed when the command runs:

No feedback