Valid on UNIX
The sepmdadm utility creates the definitions needed to run a PMDB. The sepmdadm utility is a script consisting of the CA ControlMinder and UNIX commands required to define a PMDB, to define the relationship of the PMDB to PMDBs above and below it, and to define its subscriber stations. By default, the user root is defined as the administrator and auditor of the PMDB. You must run the sepmdadm utility locally, although you can also run it through a remote shell. When you use sepmdadm to create a new PMDB, you probably want to follow up by pointing subscribers to the PMDB and by synchronizing the UIDs and GIDs.
You can run this utility in interactive or non‑interactive modes:
When creating a new PMDB with sepmdadm, you identify the stations that are the subscribers of the Policy Model. However, you must also update the parent_pmd token in each subscriber's seos.ini file with the name of the PMDB to which you have subscribed the station. If you do not do this, the subscribers do not accept updates from the PMDB.
By subscribing several stations to the same PMDB, and by subscribing one PMDB station to another, you can create a hierarchy of PMDBs.
This command has the following format:
sepmdadm options
Defines the CA ControlMinder administrator of the PMDB.
Defines the CA ControlMinder auditor of the PMDB.
Removes the specified Policy Model. This option shuts down the Policy Model daemon, removes the file protections from the database, and deletes the Policy Model directory with all its contents.
You cannot use this option with the --noconfirm option.
Specifies a station from which the administrators can administer PMDBs located on the local host. If you do not specify any stations, the administrators can only administer the PMDBs from the local host.
Defines the location of the groups file under NIS.
Displays the help screen.
Runs sepmdadm in interactive mode.
Specifies to run sepmdadm in local mode, meaning that you can create a PMDB when CA ControlMinder is not running.
Note: Unless you specify this option you must have CA ControlMinder running to use sepmdadm.
Performs NIS setup on the Policy Model. You must use this option if the PMDB is installed on a NIS server.
Specifies that the user is not asked to confirm answers. This option is useful when invoking sepmdadm from within a shell script in non‑interactive mode.
Specifies the name of the parent PMDB to which this PMDB is subscribed. If you use this parameter with the --subsconfig parameter, sepmdadm updates the parent_pmd token in the seos.ini file. If you use this parameter without the --subsconfig parameter, sepmdadm updates the parent_pmd token in the pmd.ini file.
Note: If you want to define multiple parent Policy Models, you must use quotation marks. For example, to create a Policy Model and define its parent, use the following command:
sepmdadm --pmdname subs2 --admin abc123 --admin root --auditors abc123 --desktop pcp36949 \
--parentpmd "aa@pcp36949,bb@pcp36949"
Defines the location of the passwd file under NIS.
Specifies the PMDB to which sepass sends password updates. This option updates the passwd_pmd token in the [seos] section of the seos.ini file.
Note: You can use this parameter only when you also use the --subsconfig switch.
When creating a multi‑level Policy Model, set this parameter to the PMDB at the top of the pyramid, so that password changes can be propagated to all levels in the PMDB system.
Specifies the name of the PMDB to be created.
Specifies the CA ControlMinder password manager of the PMDB.
Specifies the directory in which CA ControlMinder is installed. Use this option only if CA ControlMinder is not installed in the default directory.
Specifies that the local station is a subscriber. When using this parameter, you must specify the parameters --parentpmd pmdbName and --passwdpmd pmdbName to update the relevant tokens in the seos.ini file.
Note: The parameters should follow the --subsconfig option when configuring a subscriber.
Specifies subscribers of this PMDB. They can be PMDBs or stations.
Defines the enterprise user administrator of the PMDB.
Defines the enterprise user auditor of the PMDB.
Specifies the enterprise user password manager of the PMDB.
Example: Create a PMDB using the command line
Suppose you have a station called bigcentral, where you want to maintain a PMDB for other stations to subscribe to. To create the PMDB at bigcentral, run sepmdadm there. This utility is located in the directory ACInstallDir/bin.
To create a PMDB on bigcentral named pmdb1 with workstat1 and workstat2 as subscribers and enterprise users adm1 and adm2 as administrators, run the following command from bigcentral:
sepmdadm --pmdname pmdb1 --subscriber workstat1 --subscriber workstat2 \
--xadmin adm1 --xadmin adm2
Example: Pointing subscriber stations to the PMDB
To establish a station as a subscriber to a PMDB, it is not sufficient to specify the subscriber's name at the PMDB's station; you must also perform a procedure at the subscriber station.
To subscribe the local station to a PMDB using the command line, you must use the parameters --parentpmd and --passwdpmd, in addition to the parameter --subsconfig.
For example, to subscribe the local station to the PMDB called pmdb2 located on HOST2 and to the password PMDB called master1 located on HOST1, enter the following command:
sepmdadm --subsconfig --parentpmd pmdb2@HOST2 --passwdpmd master1@HOST1
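The following added example (not part of the original documentation or the vendor's code) audits a subscriber's seos.ini after the step above, confirming that parent_pmd names the intended PMDB, including the comma-separated multiple-parent form, and that passwd_pmd names the password PMDB. It assumes parent_pmd sits in the same [seos] section as passwd_pmd and that comment lines start with ; or #; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): audit a subscriber's seos.ini tokens.

# get_ini_token FILE SECTION TOKEN: print the token's value, empty if unset.
get_ini_token() {
    awk -v sect="$2" -v tok="$3" '
        /^[ \t]*[;#]/ { next }                 # assumed comment markers
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                        in_sect = (s == sect); next }
        in_sect && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == tok) val = v              # last definition wins
        }
        END { print val }' "$1"
}

# check_subscriber FILE PARENT PASSWD_PMD: return 0 only if PARENT is one of
# the comma-separated parent_pmd entries and passwd_pmd equals PASSWD_PMD.
check_subscriber() {
    rc=0
    parents=$(get_ini_token "$1" seos parent_pmd)
    passwd=$(get_ini_token "$1" seos passwd_pmd)
    case ",$parents," in
        *",$2,"*) ;;
        *) echo "$1: parent_pmd='$parents' lacks $2; updates not accepted" >&2
           rc=1 ;;
    esac
    if [ "$passwd" != "$3" ]; then
        echo "$1: passwd_pmd='$passwd', expected $3" >&2; rc=1
    fi
    return "$rc"
}

# make_sample FILE PARENT PASSWD_PMD: write a constructed seos.ini fragment.
make_sample() {
    printf '; constructed sample\n[seos]\nparent_pmd = %s\npasswd_pmd = %s\n' \
        "$2" "$3" > "$1"
}

# Demo on constructed files: one configured subscriber, one never pointed.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/good.ini" "pmdb2@HOST2" "master1@HOST1"
make_sample "$demo_dir/stale.ini" "" "master1@HOST1"
check_subscriber "$demo_dir/good.ini" pmdb2@HOST2 master1@HOST1 && echo "good.ini: OK"
check_subscriber "$demo_dir/stale.ini" pmdb2@HOST2 master1@HOST1 || echo "stale.ini: run sepmdadm --subsconfig"
rm -rf "$demo_dir"
```

On a real subscriber, pass the path of the seos.ini file in the CA ControlMinder installation directory as the first argument to check_subscriber.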
Copyright © 2013 CA Technologies.
All rights reserved.