Use the setldapinit subcommand to set the parameter
string that is required to connect a Rational® ClearQuest® database
set to the LDAP directory used for authentication.
Synopsis
- installutil setldapinit dbset_name cq_login cq_password [ -site site | -domain domain ] "params"
- installutil setldapinit dbset_name cq_login cq_password [ { -allsites | -site site } | { -alldomains | -domain domain } ] -remove
Description
Use the setldapinit subcommand
to set the parameter string that is required to connect a Rational ClearQuest database
set to the LDAP directory used for authentication. It is run once
per domain, site, or both, if applicable.
Options and Arguments
- -site site
- Specifies that the parameter settings apply only to the site that
you specify. If you do not specify -site site,
the parameter settings apply to all sites.
- -site site -remove
- -allsites -remove
- Removes the existing settings for the specified subcommand. You
must specify -site or -allsites with -remove.
Use -site to remove the settings at one specific site. Use -allsites to
remove the settings at all sites.
- -domain domain
- Rational ClearQuest supports environments where multiple LDAP
configurations can be used to authenticate.
Use this option to specify that the parameter settings apply only
to the indicated domain. If you do not specify this option, the parameter
settings apply to all domains.
- -domain domain -remove
- -alldomains -remove
- Removes the existing settings for the specified domains. You must
specify -domain or -alldomains with -remove.
Use -domain to remove the settings at one specific domain.
Use -alldomains to remove the settings at all domains.
- params
- A string that consists of a subset of the arguments available
for use with the IBM® Tivoli® Directory Server Client ldapsearch function.
This string is not required when you specify -remove. If any
argument in the string contains a special character such as a space,
backslash, or double quotation mark, you must enclose the argument in
single quotes. For more information about the ldapsearch syntax,
see the IBM Tivoli Directory Administration Guide, which is available
in the IBM Publications Center at http://www.ibm.com/shop/publications/order.
Arguments for ldapsearch function
- -h ldaphost
- A host on which the LDAP server is running. The IBM Tivoli documentation describes
several ways to specify multiple host names. Use single quotes to
enclose a list of multiple host names, and use spaces to separate
the host names.
- -p ldapport
- A TCP port where the LDAP server listens. The default LDAP port
is 389. If you specify -Z and do not specify a port with -p,
the default SSL port is 636.
- -D bindname
- Binds a user account to a distinguished name (DN) in the LDAP
directory tree. The bindname argument is a distinguished
name represented as a text string. If you do not specify -D,
LDAP performs an anonymous user search.
Attention: The bindname and associated password (described next)
should be a user account and password that do not expire. Otherwise,
you will need to reconfigure the bindname and password.
- -w passwd
- The password to use to authenticate the user account at the DN
that you specify with the -D argument.
- -Z
- Indicates that a secure SSL connection is to be used to communicate
with the LDAP server. This option is supported only when the SSL component,
as provided by IBM's GSKit, is installed.
- -K keyfile
- The name of the SSL key database file (with an extension of kdb).
You must enclose the key database file name in single quotes. Rational ClearQuest determines
which platform it is running on and then selects the certificate store
location from the -K string that matches that platform. The
platform choices are win: and unix:. You can override
the -K setting by setting the RATL_SSL_KEYRING environment
variable. If you do not specify -K or set the RATL_SSL_KEYRING
environment variable, Rational ClearQuest looks
in the \Rational\Common directory for a file called ldapkey.kdb.
- -P keyfilepw
- The key database file password. This password is required to access
the encrypted information in the key database file (which may include
one or more certificates). If you do not specify this argument, GSKit
looks in the directory that contains the key database file for a password
stash file of the same name as the key database file with an extension
of .sth. The .sth extension identifies a password stash file, which
can contain an encrypted password that GSKit knows how to retrieve.
If you do not specify -Z and -K, Rational ClearQuest ignores
the -P argument.
- -N certificatename
- The label associated with the client certificate in the key database
file.
- -R
- Use this command-line argument to disable LDAP referral chasing
when running the installutil setldapinit command
to connect a Rational ClearQuest database
set to authenticate by using the LDAP directory server.
By default, if an LDAP search returns a referral object, the LDAP
libraries search for the referral object until it is found.
Rational ClearQuest versions 2003.06.15 and above support LDAP with
referral chasing enabled on the LDAP server as long as the base search
path does not start at the top of the LDAP directory tree. When setting
up LDAP authentication for a ClearQuest database set, you might choose
to temporarily disable referral chasing on the LDAP server.
Alternatively, you might choose to deploy a separate LDAP server for
ClearQuest with referral chasing disabled.
Attention: You might need to keep LDAP referral chasing enabled when
connecting to a Microsoft Windows Active Directory server.
Examples
In the following example, the setldapinit subcommand configures the
dbset1 database set for LDAP authentication. The ClearQuest login
user name is bob_admin and the login password is bob_pw. The host on
which the LDAP server runs is ldap_host1.
installutil setldapinit dbset1 bob_admin bob_pw -domain Domain1 "-h ldap_host1 -p 389 -D uid=0A9701897,OU=bluepages,o=ibm.com -w pswd"
Depending on your LDAP environment, you might need to specify
additional configuration settings. For example, if the LDAP server does
not allow anonymous searches, ask your LDAP administrator to create an
LDAP account with privileges that allow Rational ClearQuest to perform
the search of the LDAP directory as specified by the setldapsearch
subcommand. Use the -D and -w options to specify the bindname and
password of such a search account.
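A check for a params string before it is passed to setldapinit, as an added example that is not part of the IBM documentation: it parses the string using the single-quote rule and reports the cases this page describes (anonymous search without -D, the 389/636 port defaults, -P being ignored), plus a -w bind password configured without -Z. The function names and the second sample string are constructed for illustration.

```python
import shlex

# Options documented on this page; True means the option takes a value.
TAKES_VALUE = {"-h": True, "-p": True, "-D": True, "-w": True, "-K": True,
               "-P": True, "-N": True, "-Z": False, "-R": False}

def parse_params(params):
    """Split a params string into {option: value}, honouring single quotes."""
    tokens, opts, i = shlex.split(params), {}, 0
    while i < len(tokens):
        opt = tokens[i]
        if opt not in TAKES_VALUE:
            raise ValueError(f"unexpected token: {opt!r}")
        if TAKES_VALUE[opt]:
            if i + 1 == len(tokens):
                raise ValueError(f"{opt} is missing its value")
            opts[opt] = tokens[i + 1]
            i += 2
        else:
            opts[opt] = True
            i += 1
    return opts

def effective_port(opts):
    """Port rule from the page: -p wins, else 636 with -Z, else 389."""
    if "-p" in opts:
        return int(opts["-p"])
    return 636 if "-Z" in opts else 389

def review(params):
    """Return a list of findings for one params string (hypothetical helper)."""
    opts, findings = parse_params(params), []
    if "-D" not in opts:
        findings.append("no -D: LDAP search is anonymous")
    if "-w" in opts and "-Z" not in opts:
        findings.append("-w without -Z: bind password crosses the network without SSL")
    if "-Z" in opts and effective_port(opts) == 389:
        findings.append("-Z with port 389: 389 is the default non-SSL port")
    if "-P" in opts and "-Z" not in opts and "-K" not in opts:
        findings.append("-P without -Z and -K: ClearQuest ignores it")
    return findings

# The page's own example string, then a constructed SSL variant.
PAGE_EXAMPLE = "-h ldap_host1 -p 389 -D uid=0A9701897,OU=bluepages,o=ibm.com -w pswd"
CONSTRUCTED = "-h 'ldap_host1 ldap_host2' -Z -D 'cn=cq search,o=example.test' -w 'constructed pw'"

if __name__ == "__main__":
    for s in (PAGE_EXAMPLE, CONSTRUCTED):
        print(effective_port(parse_params(s)), review(s))
```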