eimadmin Command
Purpose
Manages Enterprise Identity Mapping (EIM) domains.
Syntax
eimadmin -a | -p | -l | -m | -e -D | -R | -I | -A | -C [-s switch] [-v verboseLevel] [-c accessType] [-f accessUserType] [-g registryParent] [-i identifier] [-j otherIdentifier] [-k URI] [-n description] [-o information] [-q accessUser] [-r registryName] [-t associationType] [-u registryUser] [-x registryAlias] [-y registryType] [-z registryAliasType] [-d domainDN] [-h ldapHost] [-b bindDN] [-w bindPassword] [-K keyFile [ -P keyFilePassword] [-N certificateLabel]] [-S connectType]
Description
The eimadmin command is an AIX® System Services Shell tool. An administrator can use it to define an EIM domain and prime the domain with registries, identifiers, and associations between identifiers and registry users. An administrator can also use eimadmin to give users (and other administrators) access to an EIM domain, or list or remove the EIM entities.
An administrator can supply the information that eimadmin needs in either of two ways:
- By including information with command-line options on an eimadmin command
- By including information in an input file that an eimadmin command references
You can create the input file manually or by exporting records from a database. The administrator directs utility processing by specifying a combination of command-line options.
The actions are:
- Add an object (-a)
- Purge an object (-p)
- List objects (-l)
- Modify attributes associated with objects (-m)
- Erase attributes (-e)
The object types are:
- Domains (-D)
- Registries (-R)
- Identifiers (-I)
- Associations (-A)
- Access authorities (-C)
- Each eimadmin command must include one action and one object type. Depending on the object and the action you are performing on it, EIM might require additional parameters.
- Some options are for multivalue attributes, which you can specify more than once. Other options are for single-value attributes, which you can specify only once. (If you repeat an option that is for a single-value attribute, eimadmin processes only the first value it encounters in the command.) Apart from these stipulations, the order in which you specify parameters is not important.
- You can code the parameters of the eimadmin command in several ways:
- Concatenate an action and an object, omitting the embedded hyphen: -aD
- Include both hyphens, and separate the two options with a space: -a -D
- Include both hyphens, without a space between the two options: -a-D
Flags
The eimadmin command takes the following action flags.
Item | Description |
---|---|
-a | Adds an object. (Creates an object definition and its attributes.) |
-e | Erases an attribute. (Clears a single-value attribute or removes a multivalue attribute.) |
-l | Lists an object. (Retrieves an object definition and its attributes.) |
-m | Modifies an attribute. (Alters an attribute of an existing object, either by changing a single-value attribute or adding a multivalue attribute.) |
-p | Purges an object. (Removes an object definition and its attributes.) |
The eimadmin command takes the following object flags.
Item | Description |
---|---|
-A | An association. This is a relationship between an identifier in the EIM domain and a user ID. |
-C | An access authority. This is an EIM-defined LDAP access control group. |
-D | A domain. This is a collection of identifiers, user registries, and associations between identifiers and user IDs, stored within an LDAP directory. |
-I | An identifier. This is the name of a person or entity participating in an EIM domain. |
-R | A registry. This is the name of a user registry. Associations are defined between identifiers and user IDs in the user registry. |
The eimadmin command takes the following processing control flags.
Item | Description |
---|---|
-s switch | The switch specifies a value that affects the way the eimadmin command functions operate. The value documented on this page is RMDEPS, which permits purging a domain that is not empty (see the -p action for domains below). |
-v verboseLevel | The verboseLevel parameter is an integer from 1 to 10 that controls the amount of trace detail that the eimadmin command displays. (It is for diagnosing problems in the eimadmin utility.) The default value of 0 indicates no trace information. You can specify an integer value from 1 to 10, from the least to the greatest amount of trace information. The utility checks the value and displays the trace information defined for the level and all lower levels. The following levels trigger specific information: |
The eimadmin command takes the following attribute flags.
- You can specify these attributes as command options or as fields in input files. If you are specifying command options, you must enclose values with embedded blanks in double quotation marks (") or single quotation marks ('). Quotation marks are optional for single-word values. If you specify a multiword value without quotation marks, the value is in effect truncated: only the first word is used, and the words after it are lost.
- The following special characters are not allowed in registryName, registryParent, or identifier:
, = + < > # ; \ *
Item | Description |
---|---|
-c accessType | Specifies the scope of access authority the user has over the EIM domain. accessType must be one of the following values: |
-f accessUserType | Specifies the type for the access user name. accessUserType must be one of the following types: |
-g registryParent | Specifies the name of a system registry. An application registry is a subset of a system registry. If you are adding an application registry, you must use the -r option and the -g option. The -r value is the application registry you are defining. The -g option is the preexisting system registry. |
-i identifier | Specifies a unique identifier name. For example: John Day. |
-j otherIdentifier | Specifies a nonunique identifier name. For example: John. Note: You can specify this option multiple times to assign multiple nonunique identifiers. |
-k URI | Specifies the Universal Resource Identifier (URI) for the registry (if one exists). |
-n description | Specifies any text (that you provide) to associate with the domain, registry, identifier, or association. Note: You can define a user description only for target associations. |
-o information | Specifies additional information to associate with an identifier or association. Note: You can define user information only for target associations. You can specify this option multiple times to assign multiple pieces of information. |
-q accessUser | Specifies the user distinguished name (DN) or the Kerberos identity with EIM access, depending on the accessUserType specified. |
-r registryName | Specifies the name of a registry. When you add a new registry, eimadmin treats the registry as a system registry unless you also specify the -g option. If you specify the -g option, eimadmin treats the registry as an application registry. |
-t associationType | Specifies the relationship between an identifier and a registry. associationType must be one of the following: Note: You can specify this option multiple times to define multiple relationships. |
-u registryUser | Specifies the user ID of the user defined in the registry. |
-x registryAlias | Specifies another name for a registry. You must specify this option multiple times to assign multiple aliases. |
-y registryType | Specifies the type of registry. Predefined types that eimadmin recognizes include the following: |
-z registryAliasType | Specifies the type for a registry alias. You can invent your own value or use one of the following suggested values: Note: For a set of command line options or a single input data record, the eimadmin command recognizes only the first specification of registryAliasType. However, the eimadmin command does recognize multiple registry aliases and associates all of them with the single registryAliasType. |
The eimadmin command takes the following connection type flags.
Item | Description |
---|---|
-b bindDN | Specifies the distinguished name to use for the simple bind to LDAP. |
-d domainDN | Specifies the full distinguished name (DN) of the EIM domain. domainDN begins with 'ibm-eimDomainName=' and consists of the following elements: |
-h ldapHost | Specifies the URL and port for the LDAP server controlling the EIM data. The format is: |
-K keyFile | Specifies the name of the SSL key database file, including the full path name. If the file cannot be found, it is assumed to be the name of a RACF key ring that contains authentication certificates. This value is required for SSL communications with a secure LDAP host (prefixed ldaps://). For example: |
-N certificateLabel | Specifies which certificate to use from the key database file or RACF key ring. If this option is not specified, the certificate marked as the default in the file or ring is used. |
-P keyFilePassword | Specifies the password required to access the encrypted information in the key database file. Alternatively, you can specify an SSL password stash file for this option by prefixing the stash file name with file://. For example: Note: The eimadmin command prompts for a key file password if you specify the name of a key database file for the -K option but not the -P option on the command line. |
-S connectType | Specifies the method of authentication to the LDAP server. connectType must be one of the following values: |
-w bindPassword | Specifies the password associated with the bind DN. |
The connection information needed by the utility includes the EIM domain (-d) and its controlling server (-h), the identity (-b,-w; or -K,-P,-N) with which to authenticate (bind) to the server, and the authentication method (-S).
Connection Type/Host Type | Required Values | Optional Values |
---|---|---|
SIMPLE or CRAM-MD5/secure (ldaps://) | -d, -h, -b, -w, -K, -P | -N |
SIMPLE or CRAM-MD5/nonsecure (ldap://) | -d, -h, -b, -w | |
EXTERNAL/secure (ldaps://) | -d, -h, -K, -P, -S | -N |
EXTERNAL/nonsecure (ldap://) | unsupported | unsupported |
GSSAPI/secure (ldaps://) | -d, -h, -K, -P, -S | -N |
GSSAPI/nonsecure (ldap://) | -d, -h, -S | |
There are two exceptions to the preceding table:
- The domain option (-d) is not required for domain functions if the value is specified through an input file.
- An SSL key database file password or stash file (-P) is not required when -K specifies a RACF key ring.
The eimadmin command prompts for the simple bind password if it is required and -w is not specified on the command line, and prompts for the SSL key database file password if it is required and -P is not specified on the command line.
Object Type (Action) | Flags | Comments |
---|---|---|
D (a) | | Add a domain. |
D (p) | | Remove a domain. If the domain is not empty, include -s RMDEPS. |
D (l) | | List domains. Specify -d* to list all domains. |
D (m) | | Modify or add a domain attribute. |
D (e) | | Remove or clear a domain attribute. |
R (a) | | Add a registry. The value specified for -r is assumed to be a new system registry unless -g is also specified, in which case the -r value indicates a new application registry. |
R (p) | | Remove a registry. |
R (l) | | List registries. Return all registry entries in the domain that match the specified -r value search filter, which might contain the wild card *. |
R (m) | | Modify or add a registry attribute, including a registry alias. |
R (e) | | Remove or clear a registry attribute, including a registry alias. |
I (a) | | Add an identifier. |
I (p) | | Remove an identifier. |
I (l) | | List an identifier by unique identifier name. Return all identifier entries in the domain that match the specified -i value search filter, which might contain the wild card *. |
I (l) | | List an identifier by nonunique identifier name. Return all identifier entries in the domain that have a nonunique identifier matching the specified -j value search filter, which might contain the wild card *. |
I (m) | | Modify or add an identifier attribute. |
I (e) | | Remove or clear an identifier attribute. |
A (a) | | Add an association. You can repeat the -t option to add multiple association types. The -n and -o flags are relevant only to TARGET associations. |
A (p) | | Remove an association. You can repeat the -t option to remove multiple association types. |
A (l) | | List associations. Return all associations in the domain for the specified -i unique identifier. Specify a -t value to limit the entries returned to the given association type. |
A (m) | | Modify or add an association attribute. The -n and -o flags are relevant only to TARGET associations. |
A (e) | | Remove or clear an association attribute. The -n and -o flags are relevant only to TARGET associations. |
C (a) | | Add access. For access type REGISTRY, provide a specific -r registry value, or a wild card * indicating access to all registries in the domain. |
C (p) | | Remove access. For access type REGISTRY, provide a specific -r registry value, or a wild card * indicating access to all registries in the domain. |
C (l) | | List access by type. For access type REGISTRY, provide a specific -r registry value, or a wild card * indicating access to all registries in the domain. |
C (l) | | List access by user. |
Exit Status
The eimadmin command returns one of the following exit codes upon completion:
Item | Description |
---|---|
0 | Successful. |
4 | One or more errors encountered but, if you specified an input file, all records were processed. |
8 | A severe error occurred that caused processing to stop before reaching the end of an input file, if specified. |
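The following shell script is an added example; it is not part of this reference page or of the eimadmin utility. It checks an invocation against the allowed character set for registryName, registryParent and identifier, against the "Connection Type/Host Type" table, and then runs eimadmin and reports the exit status using the meanings listed above. The function names (eim_check_name, eim_required_flags, eim_check_args, eim_run), the EIMADMIN variable and the stub used when testing are this example's own. It treats -w and -P as optional on the command line because eimadmin prompts for them when they are omitted, which keeps the bind and key database passwords out of the process listing, and it expects the caller to pass -S where the table requires it.

```shell
# Added example (not from the AIX reference page). EIMADMIN is an assumed
# variable so that a stub can stand in for the real command when testing.
EIMADMIN=${EIMADMIN:-/usr/bin/eimadmin}

# eim_check_name VALUE
# Returns 1 if VALUE contains a character that is not allowed in registryName,
# registryParent, or identifier: , = + < > # ; \ *
# (inside a grep bracket expression the backslash and * are literal).
eim_check_name() {
    if printf '%s' "$1" | grep -q '[,=+<>#;\*]'; then
        echo "eim_check_name: '$1' contains a disallowed character" >&2
        return 1
    fi
    return 0
}

# eim_required_flags CONNECT_TYPE HOST_URL
# Prints the flags the connection table requires for the combination of
# connection type and host scheme, or returns 1 if it is unsupported.
eim_required_flags() {
    case $2 in
        ldaps://*) scheme=secure ;;
        ldap://*)  scheme=nonsecure ;;
        *) echo "eim_required_flags: -h must give an ldap:// or ldaps:// URL" >&2
           return 1 ;;
    esac
    case "$1/$scheme" in
        SIMPLE/secure|CRAM-MD5/secure)       printf '%s\n' "-d -h -b -w -K -P" ;;
        SIMPLE/nonsecure|CRAM-MD5/nonsecure) printf '%s\n' "-d -h -b -w" ;;
        EXTERNAL/secure|GSSAPI/secure)       printf '%s\n' "-d -h -K -P -S" ;;
        GSSAPI/nonsecure)                    printf '%s\n' "-d -h -S" ;;
        *) echo "eim_required_flags: $1 over $scheme LDAP is unsupported" >&2
           return 1 ;;
    esac
}

# eim_check_args CONNECT_TYPE [eimadmin options...]
# Returns 0 when every flag the table requires is present. -w and -P may be
# omitted: eimadmin prompts for them, so they need not appear on the command line.
eim_check_args() {
    ct=$1; shift
    present=" "; host=""
    while [ $# -gt 0 ]; do
        case $1 in
            -h) host=${2:-}; present="$present-h " ;;
            -[dbwKPNS]) present="$present$1 " ;;
            *) shift; continue ;;            # not a connection flag
        esac
        # the connection flags above take a value: consume flag and value
        if [ $# -gt 1 ]; then shift 2; else shift; fi
    done
    required=$(eim_required_flags "$ct" "$host") || return 1
    missing=""
    for f in $required; do
        case $f in -w|-P) continue ;; esac   # prompted for if omitted
        case $present in *" $f "*) ;; *) missing="$missing $f" ;; esac
    done
    if [ -n "$missing" ]; then
        echo "eim_check_args: missing required option(s):$missing" >&2
        return 1
    fi
    return 0
}

# eim_run CONNECT_TYPE [eimadmin options...]
# Validates the options, runs eimadmin, and reports the documented exit status:
# 0 success, 4 errors but the whole input file processed, 8 severe error.
eim_run() {
    eim_check_args "$@" || return 1
    shift                      # drop CONNECT_TYPE; eimadmin sees only its own options
    "$EIMADMIN" "$@" && rc=0 || rc=$?
    case $rc in
        0) ;;
        4) echo "eim_run: errors encountered; all input records were processed" >&2 ;;
        8) echo "eim_run: severe error; processing stopped" >&2 ;;
        *) echo "eim_run: unexpected exit status $rc" >&2 ;;
    esac
    return $rc
}

# Usage (the page's own domain-listing example; eimadmin prompts for the
# bind password because -w is omitted):
#   eim_run SIMPLE -lD -h ldap://my.server -b "cn=EIM admin,o=MyCompany,c=US" \
#       -d "ibm-eimDomainName=My Employees,o=My Company,c=US"
```

eim_check_args only recognizes the connection flags when they are given as separate options (-d value, -K file, and so on); the fused action/object forms such as -lD are passed through untouched.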
Examples
- To list a single domain, type:
eimadmin -lD -h ldap://my.server -b "cn=EIM admin,o=MyCompany,c=US" -d "ibm-eimDomainName=My Employees,o=My Company,c=US"
This returns something similar to the following output:
domain name: My Employees
domain DN: ibm-eimDomainName=My Employees,o=My Company,c=US
description: employees in my company
- To list a single registry, type:
eimadmin -lR -r MyRegistry
This returns something similar to the following output:
registry: MyRegistry
registry kind: APPLICATION
registry parent: MySystemRegistry
registry type: RACF
description: my racf registry
URI: ldap://some.big.host:389/profileType=User,cn=RACFA,o=My Company,c=US
registry alias: TCPGROUP
registry alias type: DNSHostName
- To list identifiers, type:
eimadmin -lI -i "J.C.Smith"
This returns something similar to the following output:
unique identifier: J.C.Smith
other identifier: J.C.Smith
other identifier: Joseph
other identifier: Joe
description: 004321
information: D01
information: 1990-04-11
- To list target associations, type:
eimadmin -lA -i "J.C.Smith" -t target
This returns something similar to the following output:
unique identifier: J.C.Smith
registry: MyRegistry
registry type: RACF
association: target
registry user: SMITH
description: TSO
information: 1989-08-01
information: ADMIN1
- To list accesses, type:
eimadmin -lC -c admin
This returns something similar to the following output:
access user: cn=JoeUser,o=My Company,c=us
access user: cn=admin1,o=My Company,c=us
access user: cn=admin2,o=My Company,c=us
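The following script is an added example, not part of this reference page or of the eimadmin utility. It reads the "label: value" lines that eimadmin -lA prints and reports any registry user that is the target of more than one unique identifier, a condition worth reviewing before the mapping is relied on for authentication. The sample output is constructed for this example (it concatenates the output of several eimadmin -lA -i identifier -t target calls), and the script assumes that each association record begins with a "unique identifier:" line; shared_target_users and audit_sample are this example's own names.

```shell
# Added example (not from the AIX reference page).
# Constructed sample: the concatenated output of
#   eimadmin -lA -i "<identifier>" -t target
# for several identifiers, in the field layout shown in the examples above.
SAMPLE_LA_OUTPUT='unique identifier: J.C.Smith
registry: MyRegistry
registry type: RACF
association: target
registry user: SMITH
description: TSO
unique identifier: A.N.Other
registry: MyRegistry
registry type: RACF
association: target
registry user: SMITH
unique identifier: B.Jones
registry: MyRegistry
registry type: RACF
association: target
registry user: JONES
unique identifier: B.Jones
registry: OtherRegistry
registry type: RACF
association: target
registry user: SMITH'

# shared_target_users: reads -lA output on stdin and prints one line per
# registry user that is the target of more than one unique identifier, as
# "registry/user: id1 id2 ...". Fields are split on ": ", so a value that
# itself contains ": " would need a stricter parser.
shared_target_users() {
    awk -F': ' '
        $1 == "unique identifier" { id = $2; reg = ""; assoc = "" }
        $1 == "registry"          { reg = $2 }
        $1 == "association"       { assoc = $2 }
        $1 == "registry user" && assoc == "target" {
            key = reg "/" $2
            # count each unique identifier once per registry user
            if (index(" " ids[key] " ", " " id " ") == 0) {
                ids[key] = ids[key] " " id
                count[key]++
            }
        }
        END {
            for (key in count)
                if (count[key] > 1) print key ":" ids[key]
        }'
}

# audit_sample: runs the check over the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE_LA_OUTPUT" | shared_target_users
}

audit_sample
```

On the constructed sample the only finding is MyRegistry/SMITH, which is the target of both J.C.Smith and A.N.Other; SMITH in OtherRegistry is a different registry user and is not reported.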
Location
/usr/bin/eimadmin
Security
The eimadmin command can be used by users who meet both of the following conditions:
- They have a bind distinguished name and password defined at the LDAP server containing the EIM domain
- Their bind distinguished name has one of the EIM authorities:
- EIM administrator
- EIM registries administrator
- EIM registry X administrator
- EIM identifiers administrator
Standard Error
The eimadmin command issues a message to prompt for a password or to indicate an error. Do not expect to receive a message for successful completion unless you use an input file. When processing records in an input file, eimadmin issues an informational message as the process starts and stops, in addition to a progress message every 50 records.