HP 3PAR OS 3.1.3 Command Line Interface Reference

Table 3 Values for setauthparam Specifiers (continued)

<param>
    <value>

ldap-ssl-cacert
    Indicates the path name of the file containing the certificate of the Certificate Authority that has issued the LDAP server's certificate, or a “–” to prompt you to enter the certificate text.

ldap-StartTLS
    Set this parameter to one of the following:
    no – do not request that the server use StartTLS. Default.
    try – request that the server use StartTLS, but do not require it to proceed.
    require – request that the server use StartTLS and continue only when it succeeds.

binding
    The LDAP binding type must be one of the following:
    simple – use simple binding with the server.
    SASL – use a SASL mechanism that is expected by the server, with the mechanism set by the sasl-mechanism variable.

user-dn-base
    When using simple binding, the authentication process attempts to bind the user to an entry in the server's Directory Information Tree (DIT). The Distinguished Name (DN) of the entry is a concatenation of the value of user-attr, "=", the username, ",", and the value of user-dn-base. If group-obj is set to posixGroup, the value of user-dn-base is also used as the base for searching for the user's posixAccount entry, regardless of binding type.

user-attr
    Indicates the attribute used to form a DN for simple binding. When the attribute ends with a backslash, the DN is the concatenation of the value of the user-attr variable and the username. When the attribute does not end with a backslash, the DN is formed as described for the user-dn-base variable.

sasl-mechanism
    When the binding is SASL, the SASL mechanism must be one supported by the LDAP server. The system allows the mechanisms PLAIN, DIGEST-MD5, and GSSAPI.

kerberos-server
    Indicates the numeric IP address of the Kerberos server if different from the LDAP server.

kerberos-realm
    The Kerberos realm.

allow-ssh-key
    Set this value to 1 to allow LDAP users to set a public SSH key with the setsshkey command (default 0). Clearing or setting the variable to 0 disables the setting of new keys for LDAP users, but any existing keys remain until they are removed with the removesshkey command. This parameter only affects LDAP users, not local users.

groups-dn
    Indicates the base of the subtree in the DIT in which to search for objects that hold group information. It is mutually exclusive with the accounts-dn variable.

group-obj
    Indicates the objectClass attribute of a group object.

group-name-attr
    The attribute in the group object that holds the group's name.

member-attr
    The attribute that holds the names of users in the group.

accounts-dn
    Indicates the base of the subtree in the DIT to search for objects that hold account information. Multiple bases can
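The transport and binding parameters in this table interact, so it helps to review them as a set. The following Python audit is an added example, not part of the HP reference: it checks a collection of setauthparam values for combinations that leave the bind password or the TLS session unprotected. The dict layout, finding codes and sample values are constructed, and it assumes StartTLS is the only transport protection configured.

```python
# Added example, not HP code. Parameter names and allowed values come from
# Table 3; the dict layout, finding codes and sample values are constructed.

def audit_authparams(params):
    """Return (code, message) findings for one set of setauthparam values."""
    out = []
    starttls = params.get("ldap-StartTLS", "no")   # "no" is the documented default
    binding = params.get("binding", "").lower()
    mech = params.get("sasl-mechanism", "").upper()

    if starttls != "require":
        out.append(("TLS_OPTIONAL",
                    f"ldap-StartTLS={starttls}: the session can proceed without TLS"))
        # Simple binds and SASL PLAIN carry the password itself on the wire.
        if binding == "simple" or (binding == "sasl" and mech == "PLAIN"):
            out.append(("CLEARTEXT_BIND",
                        "bind password is sent unprotected unless StartTLS is required"))
    if starttls != "no" and not params.get("ldap-ssl-cacert"):
        out.append(("NO_CA_CERT",
                    "StartTLS requested but ldap-ssl-cacert names no issuing CA"))
    if binding == "sasl" and mech == "DIGEST-MD5":
        out.append(("LEGACY_SASL", "DIGEST-MD5 was moved to Historic by RFC 6331"))
    if binding == "sasl" and mech not in {"PLAIN", "DIGEST-MD5", "GSSAPI"}:
        out.append(("BAD_MECH",
                    f"sasl-mechanism={mech or '(unset)'} is not one the system allows"))
    if params.get("groups-dn") and params.get("accounts-dn"):
        out.append(("DN_CONFLICT", "groups-dn and accounts-dn are mutually exclusive"))
    if str(params.get("allow-ssh-key", "0")) == "1":
        out.append(("SSH_KEYS", "LDAP users may set SSH keys; existing keys outlive "
                                "a later reset to 0 until removed with removesshkey"))
    return out


# Constructed sample inputs (example.com values are placeholders).
WEAK = {"ldap-StartTLS": "try", "binding": "simple",
        "groups-dn": "ou=groups,dc=example,dc=com",
        "accounts-dn": "ou=people,dc=example,dc=com", "allow-ssh-key": "1"}
HARDENED = {"ldap-StartTLS": "require", "ldap-ssl-cacert": "/tmp/example-ca.pem",
            "binding": "sasl", "sasl-mechanism": "GSSAPI",
            "kerberos-realm": "EXAMPLE.COM",
            "accounts-dn": "ou=people,dc=example,dc=com"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for code, msg in audit_authparams(cfg):
            print(f"  [{code}] {msg}")
```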