ldapcfg command

This command sets and displays the LDAP configuration settings for the CMM.

Note: Certificates used by the LDAP client are managed using the sslcfg command (see sslcfg command for information).

If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or ldapcfg command errors for a list of error messages that are specific to the ldapcfg command.

Table 1. ldapcfg command.

The command table is a multi-row, four-column table where each row describes a CMM CLI command option: column one lists command function, column two provides a detailed command description, column three shows command-option syntax, and column four lists valid command targets.

Function | What it does | Command | Target (see paths in Command targets)
Display LDAP settings
Displays the LDAP settings for the CMM.
ldapcfg
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP security version
Sets the version of LDAP security used by the CMM.
Note:
  • If the version is set to v1, the following values must also be set:
    • A group filter using the -gf command option.
    • A group search attribute using the -gsa command option.
    • A login permission attribute using the -lpa command option.
  • If the version is set to v2, the LDAP name must also be set using the -t command option.
ldapcfg -v version

where version is:

  • v1 for old user permission model
  • v2 for the enhanced role-based security model
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP group filter
Sets the group filter for the CMM that can be used for authentication during LDAP server login.
Note: For a group filter to be used, LDAP security must be set to v1 using the -v command option.
ldapcfg -gf "filter"

where "filter" is a quote-delimited string of up to 511 characters in length and consists of one or more group names. The colon (:) character is used to delimit multiple group names. Leading and trailing spaces in the group name are ignored. Consecutive spaces are treated as a single space. The wildcard character (*) is not supported for security reasons. A group name can be specified as a full domain name or by using the common name (cn) portion.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP group search attribute
Sets the group search attribute that represents groups of user IDs stored on the LDAP server.

On Active Directory servers, the group search attribute is typically set to "memberOf". On eDirectory servers, it is typically set to "groupMembership".

In an OpenLDAP server environment, users are typically assigned to groups whose objectClass equals "PosixGroup". In this case, the group search attribute identifies members of a particular PosixGroup that is typically "memberUid".

Note: For a group search attribute to be used, LDAP security must be set to v1 using the -v command option.
ldapcfg -gsa "GSA"

where "GSA" is a quote-delimited string of up to 23 characters in length that contains only letters, digits, spaces, or the following characters:

  • - ( ) + , . / : ?
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP login permission attribute
Sets the login permission attribute that is used to retrieve user permissions from the LDAP server.
Note: For a login permission attribute to be used, LDAP security must be set to v1 using the -v command option.
ldapcfg -lpa "permission"

where "permission" is a quote-delimited string of up to 23 characters in length that contains only letters, digits, spaces, or the following characters:

  • - ( ) + , . / : ?
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP name
Sets the LDAP name for the CMM.
Note: For an LDAP name to be used, LDAP security must be set to v2 using the -v command option.
ldapcfg -t name

where name is an alphanumeric string up to 63 characters in length containing any character except for angle brackets ( < and > ) and spaces.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP server discovery method
Sets the method to use for discovering LDAP servers that provide user authentication.
Note:
  • If the dns method is specified, the following values must also be set:
    • A domain name using the -dn command option.
    • A forest name using the -fn command option.
  • If the preconf method is specified, the following values must also be set:
    • An LDAP server hostname or IP address using the -i1, -i2, -i3, and -i4 command options.
    • A port for each LDAP server hostname or IP address using the -p1, -p2, -p3, and -p4 command options.
ldapcfg -server method

where method is:

  • dns for dynamic discovery
  • preconf to use an LDAP server that was manually pre-configured
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP server domain name
Sets the search domain to use for Domain Controller (DC) dynamic discovery.
ldapcfg -dn domain

where domain is an alphanumeric string up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP server forest name
Sets the forest name to use for Global Catalog (GC) dynamic discovery.
ldapcfg -fn forestname

where forestname is an alphanumeric string up to 63 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
First LDAP server host name or IP address - set
Checks syntax and sets the first LDAP server host name or IP address to use for pre-configured LDAP server discovery.
Note: A port for this LDAP server hostname or IP address must be set using the -p1 command option.
ldapcfg -i1 hostname/ip_address

where hostname/ip_address is the first host name or IP address, up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Second LDAP server host name or IP address - set
Checks syntax and sets the second LDAP server host name or IP address to use for pre-configured LDAP server discovery.
Note: A port for this LDAP server hostname or IP address must be set using the -p2 command option.
ldapcfg -i2 hostname/ip_address

where hostname/ip_address is the second host name or IP address, up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Third LDAP server host name or IP address - set
Checks syntax and sets the third LDAP server host name or IP address to use for pre-configured LDAP server discovery.
Note: A port for this LDAP server hostname or IP address must be set using the -p3 command option.
ldapcfg -i3 hostname/ip_address

where hostname/ip_address is the third host name or IP address, up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Fourth LDAP server host name or IP address - set
Checks syntax and sets the fourth LDAP server host name or IP address to use for pre-configured LDAP server discovery.
Note: A port for this LDAP server hostname or IP address must be set using the -p4 command option.
ldapcfg -i4 hostname/ip_address

where hostname/ip_address is the fourth host name or IP address, up to 255 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
First LDAP server port number - set
Sets the port number of the first LDAP server to use for pre-configured LDAP server discovery.
ldapcfg -p1 port

where port is from 1 to 65535, inclusive. If you enter a value outside this range, an error will be displayed.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Second LDAP server port number - set
Sets the port number of the second LDAP server to use for pre-configured LDAP server discovery.
ldapcfg -p2 port

where port is from 1 to 65535, inclusive. If you enter a value outside this range, an error will be displayed.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Third LDAP server port number - set
Sets the port number of the third LDAP server to use for pre-configured LDAP server discovery.
ldapcfg -p3 port

where port is from 1 to 65535, inclusive. If you enter a value outside this range, an error will be displayed.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Fourth LDAP server port number - set
Sets the port number of the fourth LDAP server to use for pre-configured LDAP server discovery.
ldapcfg -p4 port

where port is from 1 to 65535, inclusive. If you enter a value outside this range, an error will be displayed.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP root distinguished name
Sets the root distinguished name for the root entry of the LDAP directory tree that is used as the base object for all searches.
ldapcfg -rd "name"

where "name" is up to 255 characters in length and contained within double-quotes. Names can contain any character, including spaces.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP UID search attribute
Sets the UID search attribute that represents the user IDs stored on the LDAP server.

On Active Directory servers, the UID search attribute is typically set to "sAMAccountName". On Novell eDirectory and OpenLDAP servers, it is typically set to "uid".

ldapcfg -usa "UID"

where "UID" is up to 23 characters in length and contained within double-quotes. The UID can contain only letters, numbers, spaces, and the following characters: "-", "(", ")", "+", ",", ".", "/", ":", and "?".

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP server binding method
Sets the binding method for initial connection to the LDAP server.
Note: If the binding method is set to cc, the following values must also be set:
  • A UID search attribute using the -usa command option.
  • A client distinguished name using the -cd command option.
  • A client password using the -p and -cp command options.
ldapcfg -bm method

where method is:

  • cc for configured credentials
  • lc for login credentials
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP server to be used for authentication only
Enables the authentication mode that uses the LDAP server for authentication only, with local authorization. This automatically disables the authentication mode that uses the LDAP server for both authentication and authorization.
ldapcfg -aom state

where state is enabled or disabled.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP client distinguished name
Sets the client distinguished name (DN) for initial connection to the LDAP server.
Note: A client password must also be set using the -p and -cp command options.
ldapcfg -cd domain

where domain is an alphanumeric string up to 255 characters in length containing any character except for angle brackets ( < and > ) and spaces.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set LDAP client distinguished name password
Sets the client distinguished name password for initial connection to the LDAP server.
Note: The passwords must be specified by both the -p and -cp command options and must match.
ldapcfg -p password

where password is an alphanumeric string up to 15 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
Set (confirm) LDAP client distinguished name password
Sets, for confirmation purposes, the client distinguished name password for initial connection to the LDAP server.
Note: The passwords must be specified by both the -p and -cp command options and must match.
ldapcfg -cp password

where password is an alphanumeric string up to 15 characters in length.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
where x is the primary CMM bay number.
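The -gf rules above (colon-delimited group names, trimmed and space-collapsed, no wildcard, names given as a full DN or as the cn portion) are easy to get wrong when a filter is assembled by a provisioning script. The following Python is an added example, not Lenovo code and not something the CMM runs; it normalizes a filter the way the reference describes and then models the v1 group check against the group DNs a server would return through the group search attribute. The sample filter and memberOf values are constructed, and the case-insensitive comparison is an assumption of this model that the reference does not state.

```python
import re

MAX_FILTER_LEN = 511  # -gf accepts a quote-delimited string of up to 511 characters


def normalize_group_filter(filter_text):
    """Apply the -gf rules to one filter string and return the list of group
    names the CMM would compare against. Raises ValueError for input the
    command rejects (too long, wildcard present, no group name at all)."""
    if len(filter_text) > MAX_FILTER_LEN:
        raise ValueError(f"group filter exceeds {MAX_FILTER_LEN} characters")
    if "*" in filter_text:
        # Wildcards are refused outright: a filter of "*" would otherwise
        # admit any authenticated user that belongs to any group.
        raise ValueError("wildcard '*' is not supported in a group filter")
    names = []
    for raw in filter_text.split(":"):             # ':' delimits group names
        name = re.sub(r" {2,}", " ", raw.strip())  # trim, collapse space runs
        if name:
            names.append(name)
    if not names:
        raise ValueError("group filter must contain at least one group name")
    return names


def is_valid_group_filter(filter_text):
    """Boolean wrapper for pre-flight checks in provisioning scripts."""
    try:
        normalize_group_filter(filter_text)
        return True
    except ValueError:
        return False


def cn_of(dn):
    """Return the value of a DN's leading cn= RDN, or None if it has none."""
    first_rdn = dn.split(",", 1)[0].strip()
    if first_rdn.lower().startswith("cn="):
        return first_rdn[3:].strip()
    return None


def group_filter_allows(filter_names, member_of):
    """Model of the v1 group check: a user passes if any group DN returned
    through the group search attribute (e.g. memberOf) equals a filter entry
    or has a cn equal to a filter entry. Case-insensitive comparison is an
    assumption of this model, not something the reference states."""
    wanted = {n.lower() for n in filter_names}
    for dn in member_of:
        if dn.lower() in wanted:
            return True
        cn = cn_of(dn)
        if cn is not None and cn.lower() in wanted:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: one entry given by cn, one as a full DN.
    names = normalize_group_filter("  CMM  Admins : cn=Ops,ou=groups,dc=example,dc=com ")
    print(names)
    # Constructed memberOf values in the form an Active Directory server returns.
    user_groups = ["CN=Ops,OU=groups,DC=example,DC=com",
                   "CN=Domain Users,CN=Users,DC=example,DC=com"]
    print(group_filter_allows(names, user_groups))
```

Because the CMM refuses "*", the only way to admit a broad population is to list groups explicitly, which keeps the filter reviewable; the normalization step shows why stray spaces in a scripted filter do not silently create a group name that never matches.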
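The table states a length limit, a character set or a fixed value list for nearly every ldapcfg option, and a script that pushes settings to many chassis should enforce those before it sends anything, rather than parsing error text afterwards. The following Python is an added example, not Lenovo code: it encodes the per-option rules from the table, validates a dict of intended settings, and assembles the ldapcfg command lines in the -T mm[p] form used in the page's own example. Emitting -p and -cp in one invocation is an assumption; the reference only says both must be given and must match.

```python
import re

# Character sets stated in the table.
ATTR_CHARS = re.compile(r"^[A-Za-z0-9 \-()+,./:?]*$")   # -gsa, -lpa, -usa
NO_ANGLE_OR_SPACE = re.compile(r"^[^<> ]*$")           # -t, -cd
HOST_OPTS = {"-i1", "-i2", "-i3", "-i4"}
PORT_OPTS = {"-p1", "-p2", "-p3", "-p4"}

# option -> (max length, allowed values or pattern, quote-delimited?)
RULES = {
    "-v":      (None, {"v1", "v2"}, False),
    "-gf":     (511, None, True),
    "-gsa":    (23, ATTR_CHARS, True),
    "-lpa":    (23, ATTR_CHARS, True),
    "-t":      (63, NO_ANGLE_OR_SPACE, False),
    "-server": (None, {"dns", "preconf"}, False),
    "-dn":     (255, None, False),
    "-fn":     (63, None, False),
    "-rd":     (255, None, True),
    "-usa":    (23, ATTR_CHARS, True),
    "-bm":     (None, {"cc", "lc"}, False),
    "-aom":    (None, {"enabled", "disabled"}, False),
    "-cd":     (255, NO_ANGLE_OR_SPACE, False),
    "-p":      (15, None, False),
    "-cp":     (15, None, False),
}
for _opt in HOST_OPTS:
    RULES[_opt] = (255, None, False)
for _opt in PORT_OPTS:
    RULES[_opt] = (None, None, False)


def validate_option(opt, value):
    """Return None if value satisfies the table's rule for opt, else a message."""
    if opt not in RULES:
        return f"unknown option {opt}"
    max_len, allowed, _quoted = RULES[opt]
    if opt in PORT_OPTS:
        # Ports are 1 to 65535 inclusive; anything else is rejected by the CMM.
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            return f"{opt}: port must be 1-65535"
        return None
    if max_len is not None and len(value) > max_len:
        return f"{opt}: longer than {max_len} characters"
    if isinstance(allowed, set) and value not in allowed:
        return f"{opt}: must be one of {sorted(allowed)}"
    if isinstance(allowed, re.Pattern) and not allowed.match(value):
        return f"{opt}: contains a character that is not permitted"
    return None


def build_ldapcfg_commands(settings, target="mm[p]"):
    """Validate a dict of option -> value and return one ldapcfg command line
    per option, quoting the options the table marks as quote-delimited.
    Raises ValueError listing every rule violation found."""
    problems = [m for m in (validate_option(o, v) for o, v in settings.items()) if m]
    if "-p" in settings or "-cp" in settings:
        if settings.get("-p") != settings.get("-cp"):
            problems.append("-p and -cp must both be set and must match")
    if problems:
        raise ValueError("; ".join(problems))
    commands = []
    for opt, value in settings.items():
        if opt == "-cp":
            continue  # emitted together with -p below
        if opt == "-p":
            commands.append(f"ldapcfg -p {value} -cp {value} -T {target}")
            continue
        arg = f'"{value}"' if RULES[opt][2] else value
        commands.append(f"ldapcfg {opt} {arg} -T {target}")
    return commands


if __name__ == "__main__":
    # Constructed settings for a v1, pre-configured-server deployment.
    desired = {"-v": "v1", "-gsa": "memberOf", "-server": "preconf",
               "-i1": "ldap.example.com", "-p1": "636"}
    for line in build_ldapcfg_commands(desired):
        print(line)
```

Running the validator first means a typo such as a 70000 port or a wildcard in an attribute name is caught in the script's log rather than as a rejected command mid-way through a batch, which matters when several options depend on each other.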

Example:

To display the CMM LDAP settings, while the Lenovo Flex System chassis is set as the persistent command environment, at the system> prompt, type
ldapcfg -T mm[p]
To enable the authentication mode to use the LDAP server for authentication only with local authorization, while the Lenovo Flex System chassis is set as the persistent command environment, at the system> prompt, type
ldapcfg -aom enabled -T mm[p]

The following example shows the information that is returned from these two commands:

system> ldapcfg -T mm[p]
-server dns
 Parameters for '-server dns' configuration:
   -dn dn
   -fn fn
 Parameters for '-server preconf' configuration:
   -i1
   -p1
   -i2
   -p2
   -i3
   -p3
   -i4
   -p4

Miscellaneous Parameters:
-rd
-usa
-bm lc
-aom enabled
 Parameters for '-bm cc' configuration:
   -cd

-v v1
 Parameters for '-v v1' configuration:
   -gf
   -gsa memberOf
   -lpa
 Parameters for '-v v2' configuration:
   -t
system> ldapcfg -aom enabled -T mm[p]
OK
system>
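The display output above is the natural input for a fleet audit: it lists every option and leaves the value blank when nothing is set, so the dependency notes in the table (-v v1 needs -gf, -gsa and -lpa; -v v2 needs -t; -server dns needs -dn and -fn; -server preconf needs -iN/-pN pairs; -bm cc needs -usa and -cd) can be checked mechanically. The following Python is an added example, not Lenovo code: it parses that output format into a dict and reports which dependencies are unmet. The embedded text is a constructed copy of the page's example output; treating a preconf configuration as needing at least one -iN host with its matching -pN port is an interpretation of the note, and the -p/-cp password cannot be audited because the display never shows it.

```python
SAMPLE_OUTPUT = """\
system> ldapcfg -T mm[p]
-server dns
 Parameters for '-server dns' configuration:
   -dn dn
   -fn fn
 Parameters for '-server preconf' configuration:
   -i1
   -p1
   -i2
   -p2
   -i3
   -p3
   -i4
   -p4

Miscellaneous Parameters:
-rd
-usa
-bm lc
-aom enabled
 Parameters for '-bm cc' configuration:
   -cd

-v v1
 Parameters for '-v v1' configuration:
   -gf
   -gsa memberOf
   -lpa
 Parameters for '-v v2' configuration:
   -t
system>
"""


def parse_ldapcfg_output(text):
    """Map each '-option [value]' line to its value (None when blank).
    Prompt lines and 'Parameters for ...' headers carry no values and are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else None
    return settings


def audit_ldapcfg(settings):
    """Return a list of unmet dependencies from the table's notes."""
    findings = []

    def require(cond_opt, cond_val, needed):
        if settings.get(cond_opt) == cond_val:
            for opt in needed:
                if not settings.get(opt):
                    findings.append(f"{cond_opt} {cond_val} requires {opt} to be set")

    require("-server", "dns", ["-dn", "-fn"])
    require("-v", "v1", ["-gf", "-gsa", "-lpa"])
    require("-v", "v2", ["-t"])
    require("-bm", "cc", ["-usa", "-cd"])
    if settings.get("-server") == "preconf":
        pairs = [(f"-i{n}", f"-p{n}") for n in range(1, 5)]
        configured = [(i, p) for i, p in pairs if settings.get(i)]
        if not configured:
            findings.append("-server preconf requires at least one -iN host")
        for host_opt, port_opt in configured:
            if not settings.get(port_opt):
                findings.append(f"{host_opt} is set but its port {port_opt} is not")
    return findings


if __name__ == "__main__":
    parsed = parse_ldapcfg_output(SAMPLE_OUTPUT)
    for finding in audit_ldapcfg(parsed):
        print(finding)
```

On the page's own output the audit reports that -v v1 is selected while -gf and -lpa are empty, which is exactly the state the security-version note warns about; run over output collected from each chassis, the same function turns those notes into a repeatable compliance check.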