AUDIT LDAPDIRECTORY (Audit an LDAP directory server)
Use this command to audit an IBM Spectrum Protect controlled namespace on a Lightweight Directory Access Protocol (LDAP) server. The LDAP server and namespace are specified by using one or more LDAPURL options.
Restriction: Use this command only if you configured password authentication as described in Authenticating IBM Spectrum Protect users by using an LDAP server. Information that is provided about the AUDIT LDAPDIRECTORY command applies only to environments in which password authentication is configured as described in Authenticating IBM Spectrum Protect users by using an LDAP server.
Nodes and administrator user IDs that do not authenticate their passwords with the LDAP directory server are deleted with the AUDIT LDAPDIRECTORY FIX=YES command. Nodes or administrator user IDs that no longer exist in the IBM Spectrum Protect database are also deleted.
Before you issue this command, ensure that the LDAPURL option is specified in the dsmserv.opt file. See the LDAPURL option for more information. If you specified more than one LDAPURL option in the dsmserv.opt file, the options are validated in the order in which they are placed. If the LDAPURL option is not specified, the command fails.
Privilege class
You must have system privileges to issue this command.
Syntax
Parameters
- Fix
  This optional parameter specifies how the IBM Spectrum Protect server resolves inconsistencies between the database and the external directory. The default is NO. You can specify the following values:
  - No
    The server reports all inconsistencies but does not change the external directory.
  - Yes
    The server resolves any inconsistencies that it can and suggests further actions, if needed.
    Important: If there are LDAP entries that are shared with other IBM Spectrum Protect servers, choosing YES might cause those servers to become out-of-sync.
- Wait
  This optional parameter specifies whether to wait for the IBM Spectrum Protect server to complete processing this command in the foreground. The default is NO. You can specify the following values:
  - No
    The server processes this command in the background and you can continue with other tasks while the command is processing. Messages related to the background process are shown either in the activity log file or the server console, depending on where the messages are logged.
  - Yes
    The server processes this command in the foreground. The operation must complete before you can continue with other tasks. Messages are shown either in the activity log file or the server console, or both, depending on where the messages are logged.
    Restriction: You cannot specify WAIT=YES from the server console.
Example: Audit an LDAP directory and repair inconsistencies
Audit the LDAP directory that you specified in the LDAPURL option. The IBM Spectrum Protect server resolves some inconsistencies.
audit ldapdirectory fix=yes
ANR2749W Admin ADMIN1 was located in the LDAP directory server but not
in the database.
ANR2749W Admin ADMIN2 was located in the LDAP directory server but not
in the database.
ANR2749W Admin NODE1 was located in the LDAP directory server but not
in the database.
ANR2749W Admin NODE2 was located in the LDAP directory server but not
in the database.
ANR2748W Node NODE1 was located in the LDAP directory server but not
in the database.
ANR2748W Node NODE2 was located in the LDAP directory server but not
in the database.
ANR2745I AUDIT LDAPDIRECTORY command completed: 4 administrator
entries are only in the LDAP directory server (not in the IBM Spectrum
Protect server), 0 administrator entries are only in the IBM Spectrum
Protect server (not in the LDAP directory server), 2 node entries are
only in the LDAP directory server (not in the IBM Spectrum Protect
server), 0 node entries are only in the IBM Spectrum Protect server,
(not in the LDAP directory server), 6 entries were deleted from the
LDAP server in total.
Related commands
Command | Description |
---|---|
SET DEFAULTAUTHENTICATION | Specifies the default password authentication method for any REGISTER NODE or REGISTER ADMIN commands. |
SET LDAPPASSWORD | Sets the password for the LDAPUSER. |
SET LDAPUSER | Sets the user who oversees the passwords and administrators on the LDAP directory server. |