AUDIT LDAPDIRECTORY (Audit an LDAP directory server)
Use this command to audit an IBM Spectrum Protect™ controlled namespace on a Lightweight Directory Access Protocol (LDAP) server. The LDAP server and namespace are specified by using one or more LDAPURL options.
Restriction: Use this command only if you configured password authentication as described in Authenticating users by using an LDAP server. Information that is provided about the AUDIT LDAPDIRECTORY command applies only to environments in which password authentication is configured as described in Authenticating users by using an LDAP server.
Nodes and administrator user IDs that do not authenticate their passwords with the LDAP directory server are deleted with the AUDIT LDAPDIRECTORY FIX=YES command. Nodes or administrator user IDs that no longer exist in the IBM Spectrum Protect database are also deleted.
Before you issue this command, ensure that the LDAPURL option is specified in the dsmserv.opt file. See the LDAPURL option for more information. If you specified more than one LDAPURL option in the dsmserv.opt file, each option is validated in the order in which they are placed. If the LDAPURL option is not specified, the command fails.
Privilege class
You must have system privileges to issue this command.
Syntax
```
                        .-Fix--=--No------.
>>-AUDIT LDAPdirectory--+-----------------+--------------------->
                        '-Fix--=--+-No--+-'
                                  '-Yes-'

   .-Wait--=--No------.
>--+------------------+----------------------------------------><
   '-Wait--=--+-No--+-'
              '-Yes-'
```
Parameters
- Fix
- This optional parameter specifies how the IBM Spectrum Protect server resolves inconsistencies between the database and the external directory. The default is NO. You can specify the following values:
  - No
  - The server reports all inconsistencies but does not change the external directory.
  - Yes
  - The server resolves any inconsistencies that it can and suggests further actions, if needed.
    Important: If there are LDAP entries that are shared with other IBM Spectrum Protect servers, choosing YES might cause those servers to become out-of-sync.
- Wait
- This optional parameter specifies whether to wait for the IBM Spectrum Protect server to complete processing this command in the foreground. The default is NO. You can specify the following values:
  - No
  - The server processes this command in the background and you can continue with other tasks while the command is processing. Messages related to the background process are shown either in the activity log file or the server console, depending on where the messages are logged.
  - Yes
  - The server processes this command in the foreground. The operation must complete before you can continue with other tasks. Messages are shown either in the activity log file or the server console, or both, depending on where the messages are logged.
    Restriction: You cannot specify WAIT=YES from the server console.
Example: Audit an LDAP directory and repair inconsistencies
Audit the LDAP directory that you specified in the LDAPURL option. The IBM Spectrum Protect server resolves some inconsistencies.
```
audit ldapdirectory fix=yes
ANR2749W Admin ADMIN1 was located in the LDAP directory server but not in the database.
ANR2749W Admin ADMIN2 was located in the LDAP directory server but not in the database.
ANR2749W Admin NODE1 was located in the LDAP directory server but not in the database.
ANR2749W Admin NODE2 was located in the LDAP directory server but not in the database.
ANR2748W Node NODE1 was located in the LDAP directory server but not in the database.
ANR2748W Node NODE2 was located in the LDAP directory server but not in the database.
ANR2745I AUDIT LDAPDIRECTORY command completed: 4 administrator entries are only in the
LDAP directory server (not in the IBM Spectrum Protect server), 0 administrator entries
are only in the IBM Spectrum Protect server (not in the LDAP directory server), 2 node
entries are only in the LDAP directory server (not in the IBM Spectrum Protect server),
0 node entries are only in the IBM Spectrum Protect server, (not in the LDAP directory
server), 6 entries were deleted from the LDAP server in total.
```
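The audit messages can be reviewed mechanically, for example to list which LDAP entries a repair run touches when the namespace is shared with other servers. The following is an added example, not part of the product documentation: it parses the ANR2748W, ANR2749W and ANR2745I messages and checks that the per-entry warnings agree with the summary counts. It assumes the messages are worded exactly as in the example on this page; the name review_audit and the report keys are hypothetical.

```python
import re

# Output copied from the example on this page (AUDIT LDAPDIRECTORY FIX=YES).
SAMPLE = """\
ANR2749W Admin ADMIN1 was located in the LDAP directory server but not in the database.
ANR2749W Admin ADMIN2 was located in the LDAP directory server but not in the database.
ANR2749W Admin NODE1 was located in the LDAP directory server but not in the database.
ANR2749W Admin NODE2 was located in the LDAP directory server but not in the database.
ANR2748W Node NODE1 was located in the LDAP directory server but not in the database.
ANR2748W Node NODE2 was located in the LDAP directory server but not in the database.
ANR2745I AUDIT LDAPDIRECTORY command completed: 4 administrator entries are only in the
LDAP directory server (not in the IBM Spectrum Protect server), 0 administrator entries
are only in the IBM Spectrum Protect server (not in the LDAP directory server), 2 node
entries are only in the LDAP directory server (not in the IBM Spectrum Protect server),
0 node entries are only in the IBM Spectrum Protect server, (not in the LDAP directory
server), 6 entries were deleted from the LDAP server in total.
"""
# Per-entry warning: message id, entry class, entry name (wording assumed as on this page).
ENTRY_RE = re.compile(r"(ANR274[89]W) (Admin|Node) (\S+) was located in the LDAP directory server")
# Summary message; matched after line wrapping has been collapsed to single spaces.
SUMMARY_RE = re.compile(
    r"ANR2745I .*?(\d+) administrator entries are only in the LDAP directory server"
    r".*?(\d+) administrator entries are only in the IBM Spectrum Protect server"
    r".*?(\d+) node entries are only in the LDAP directory server"
    r".*?(\d+) node entries are only in the IBM Spectrum Protect server"
    r".*?(\d+) entries were deleted")

def review_audit(text):
    """Return the LDAP-only entries and whether they agree with the ANR2745I summary."""
    ldap_only = {"Admin": [], "Node": []}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            ldap_only[m.group(2)].append(m.group(3))
    s = SUMMARY_RE.search(" ".join(text.split()))
    if not s:  # e.g. the capture was taken before a background (WAIT=NO) run finished
        raise ValueError("ANR2745I summary not found in the captured output")
    a_ldap, a_db, n_ldap, n_db, deleted = map(int, s.groups())
    return {
        "ldap_only": ldap_only,
        "db_only": {"Admin": a_db, "Node": n_db},
        "deleted": deleted,
        "counts_match": (len(ldap_only["Admin"]), len(ldap_only["Node"])) == (a_ldap, n_ldap),
        # Names reported under both classes deserve a second look before a repair.
        "in_both_classes": sorted(set(ldap_only["Admin"]) & set(ldap_only["Node"])),
    }

if __name__ == "__main__":
    print(review_audit(SAMPLE))
```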
Related commands
Command | Description |
---|---|
SET DEFAULTAUTHENTICATION | Specifies the default password authentication method for any REGISTER NODE or REGISTER ADMIN commands. |
SET LDAPPASSWORD | Sets the password for the LDAPUSER. |
SET LDAPUSER | Sets the user who oversees the passwords and administrators on the LDAP directory server. |