

smldapsetup

The smldapsetup utility allows you to manage an LDAP policy store from the command line. Using smldapsetup, you can configure an LDAP policy store, generate an LDIF file, and remove policy store data and schema.

To use smldapsetup, specify a mode, which determines the action that smldapsetup will perform, and arguments, which contain the values that are used to configure the LDAP server.

The following table contains the modes you can use with smldapsetup and the arguments each mode uses:

Modes     Arguments
reg       -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1|0, -ccertdb, -k1
ldgen     -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -mn, -ssl1|0, -ccertdb, -fldif, -ttool, -ssuffix, -e, -k
ldmod     -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1|0, -ccertdb, -fldif, -ssuffix, -e, -k, -i
remove    -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1|0, -ccertdb, -k
switch    none
revert    -v
status    -v

To use smldapsetup

  1. Navigate to one of the following locations:
    siteminder_home

    Specifies the installed location of CA SiteMinder®.

  2. Enter the following command:
    smldapsetup mode arguments
    

    Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

    Example: smldapsetup reg -hldapserver.mycompany.com -d"LDAP User" -wMyPassword123 -ro=security.com

    Note: When running smldapsetup, make sure that the LDAP user you specify has the appropriate administrator privileges to modify schema in the LDAP Directory Server. If this user does not have the proper privileges, then the LDAP server will not allow you to generate the policy store schema and to update or remove the policy store data. After running the smldapsetup command, this user appears in the Admin Username field on the Data tab of the Policy Server Management Console.

Modes for smldapsetup

The mode indicates the action that smldapsetup performs. You can specify a mode to connect to the LDAP server, generate an LDIF file, configure an LDAP policy store and remove policy data.

The modes for smldapsetup include:

reg

Tests the connection to the LDAP server. If the connection succeeds, smldapsetup configures that LDAP server as the CA SiteMinder® policy store using the -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1/0 and -ccertdb arguments.

ldgen

Automatically detects supported LDAP servers and generates an LDIF file with the CA SiteMinder® schema. The generated file is used by smldapsetup ldmod to create the CA SiteMinder® schema. If the -e argument is specified, smldapsetup ldgen creates an LDIF file that can be used with ldmod to delete the CA SiteMinder® schema. Use the -m switch to skip automatic detection of LDAP servers. The ldgen mode requires the -f switch unless previously configured in reg mode.

ldmod

Connects to the LDAP server and creates the CA SiteMinder® schema without populating the policy store with any data. It requires the LDAP modify program and the LDIF file, specified with the -fldif argument. If you specify the -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1/0 and -ccertdb arguments, smldapsetup ldmod modifies the LDAP directory specified by these arguments. If you do not specify -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1/0 and -ccertdb, smldapsetup ldmod uses the LDAP directory previously defined using smldapsetup reg or the Policy Server Management Console.

remove

Connects to the LDAP server, then removes all policy data stored under the CA SiteMinder® LDAP node that corresponds to the current version of smldapsetup. If you specify the -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1/0 and -ccertdb arguments, smldapsetup remove removes policy data from the LDAP directory specified by these arguments. If you do not specify -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1/0 and -ccertdb, smldapsetup remove removes the policy data from the LDAP directory previously defined using smldapsetup reg or the Policy Server Management Console.

switch

Reconfigures the Policy Server to use LDAP rather than ODBC. It does not prepare the LDAP store or the LDAP connection parameters before making the change.

revert

Reverts to ODBC policy store from LDAP. The only argument used with this mode is -v.

status

Verifies that the LDAP policy store connection parameters are configured correctly. It requires the -v argument. If you specify the -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1/0 and -ccertdb arguments, smldapsetup status tests the connection to the LDAP directory specified by these arguments. If you do not specify -hhost, -pportnumber, -duserdn, -wuserpw, -rroot, -ssl1/0 and -ccertdb, smldapsetup status verifies the connection to the LDAP directory previously defined using smldapsetup reg or the Policy Server Management Console.

From the Data tab in the Policy Server Management Console, you can view or change the settings you configured with the reg, switch and revert functions through the GUI. You must use smldapsetup to perform the ldgen, ldmod, remove, and status functions.

Arguments for smldapsetup

Arguments allow you to specify the information used by the modes to manage the LDAP policy store. If you do not specify arguments, smldapsetup uses the values configured in the Policy Server Management Console.

Note: smldapsetup does not allow spaces between an argument and its value. For example, the -h argument should be specified as follows:
smldapsetup ldmod -hldapserver.mycompany.com

The arguments you can specify in an smldapsetup call are listed below:

-hhost

Specifies the fully qualified name of the LDAP server; the relative name, if the machines are in the same domain (-hldapserver); or the IP address (-h123.12.12.12). If you do not specify a host, smldapsetup uses the previously configured value as the default.

Example: -hldapserver.mycompany.com

-pport_number

Specifies a non-standard LDAP port. The LDAP port must be specified if the LDAP server is using a non-standard port or if you are moving the policy store to a new server that uses a different port, such as moving from a server using SSL to one that is not. If a port is not specified, the previous configuration values are used. If no previous port configuration has been specified, smldapsetup uses the default ports: 389 if SSL is not being used, or 636 if SSL is being used.

-duserdn

Specifies the LDAP user name of a user with the power to create new LDAP directory schema and entries. This is not necessarily the user name of the LDAP server administrator. If you do not specify a user name, smldapsetup uses the previously configured name as the default.

-wuserpw

Specifies the password for the user identified in the -d argument. If you do not specify a password, smldapsetup uses the previously configured value.

Example: -wMyPassword123

-rroot

Specifies the distinguished name of the node in the LDAP tree where CA SiteMinder® will search for the policy store schema. If you do not specify a root, smldapsetup uses the previously configured root.

Example: -ro=security.com

-e

When specified with smldapsetup ldgen, generates an LDIF file that can delete the CA SiteMinder® schema. The generated file must be used with smldapsetup ldmod to remove the schema.

-mn

Skips automatic detection of LDAP servers and specifies the type of LDAP policy store, where n is one of the following:

2   iPlanet v4 LDAP servers.
3   Active Directory LDAP servers.
4   Oracle Internet Directory.
5   iPlanet v5.
6   Sun Directory Servers.
9   Active Directory Application Mode (ADAM).

-fldif

Specifies the absolute or relative path to an LDIF file from the directory in which smldapsetup is being executed.

Example: -f../siteminder/db/smldap.ldif

Default: if you do not specify a path, smldapsetup uses the current directory as the default.

-ttool

Specifies the absolute or relative path, including filename and extension, of the ldapmodify command line utility. Ldapmodify is used to configure the server schema using the LDIF format commands. LDAP servers and CA SiteMinder® provide a copy of ldapmodify. If the utility is not in the default location, use this argument to specify its location.

-ssl1_or_0

Specify -ssl1 to use an SSL-encrypted connection to the LDAP server, and -ssl0 to use a non-SSL connection. If you do not specify a value for -ssl, smldapsetup uses the previously configured value. If the LDAP connection has not been configured before, the initial default value is 0.

-ccert

This argument must be specified when using an SSL-encrypted (-ssl1) LDAP connection. Specifies the path of the directory where the SSL client Netscape certificate database file, which is usually called cert8.db, exists.

Example: If cert8.db exists in /app/siteminder/ssl, specify -c/app/siteminder/ssl when running smldapsetup ldmod -f/app/siteminder/pstore.ldif -p81 -ssl1 -c/app/siteminder/ssl.

Note: For policy stores using an SSL-encrypted connection to Sun Java System LDAP, make sure the key3.db file exists in the same directory as cert8.db.

-k, -k1

Enables you to use smldapsetup to set up or modify a key store if you are storing key information in a different LDAP directory. If you specify -k, smldapsetup checks to see if the Policy Server is pointing to the key store before performing any functions. If the Policy Server is not pointing to the key store, smldapsetup issues a warning. If you specify -k1, in conjunction with smldapsetup ldgen and the other arguments for a new policy store, smldapsetup creates a separate key store in the location you specify. If you do not specify -k or -k1, smldapsetup will modify the policy store.

-v

Enables verbose mode for troubleshooting. With -v, smldapsetup logs its command-line arguments and configuration entries as it performs each step in the LDAP migration.

-iuserDN

Specifies the distinguished name of an account that should be used by CA SiteMinder® to make modifications to the policy store. This argument allows an administrator account to retain control of the CA SiteMinder® schema while enabling another account that will be used for day-to-day modifications of CA SiteMinder® data. When a change is made using the Administrative UI, the account specified by this argument is used. Be sure to enter the entire DN of an account when using this argument.

-q

Enables quiet mode, in which no questions are asked.

-u

Creates a 6.x upgrade schema file (LDIF).

-x

Use the -x argument with ldmod to generate replication indexes for another 5.x Sun Java System Directory Server Enterprise Edition (formerly Sun ONE/iPlanet) LDAP directory server.

-ssuffix

This option allows you to specify a suffix other than the default parent suffix when configuring the 6.x Policy Server's schema in a Sun Java System Directory Server Enterprise Edition (formerly Sun ONE/iPlanet) LDAP directory server.

Example: assume the following:

ou=Apps,o=test.com is the Policy Store root.

o=test.com is the root suffix.

ou=netegrity,ou=Apps,o=test.com is the sub suffix.

If you do not use the -s parameter with smldapsetup, the Policy Server assigns ou=Apps,o=test.com as a parent suffix of ou=netegrity,ou=Apps,o=test.com. To change this and have the appropriate parent suffix set, run smldapsetup using the -s parameter while specifying o=test.com.

-?

Displays the help message.

Note: If the arguments contain spaces, you must enter double quotes around the entire argument. For example, if the name of the CA SiteMinder® administrator is LDAP user, the argument for smldapsetup would be: -d"LDAP user".
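The argument conventions above (mode-specific arguments from the table, the value glued to its flag with no space, -mn restricted to the listed directory types, -ssl1 requiring -c) are easy to get wrong in automation. The following helper is an added example, not part of CA SiteMinder or its documentation: it builds the argument list for smldapsetup and rejects invalid combinations before anything is run. The MODE_ARGS table, the acceptance of -v and -q with every mode, and the names build_argv and run_smldapsetup are assumptions made for this example.

```python
import subprocess

# Arguments each mode accepts, transcribed from the modes table on this
# page. -v and -q are accepted with any mode (assumption): the page's own
# remove example uses "-v" although the table lists it for revert and
# status only.
MODE_ARGS = {
    "reg":    {"h", "p", "d", "w", "r", "ssl", "c", "k"},
    "ldgen":  {"h", "p", "d", "w", "r", "m", "ssl", "c", "f", "t", "s", "e", "k"},
    "ldmod":  {"h", "p", "d", "w", "r", "ssl", "c", "f", "s", "e", "k", "i"},
    "remove": {"h", "p", "d", "w", "r", "ssl", "c", "k"},
    "switch": set(),
    "revert": set(),
    "status": {"h", "p", "d", "w", "r", "ssl", "c"},
}
COMMON = {"v", "q"}
VALID_M = {"2", "3", "4", "5", "6", "9"}  # -mn directory types listed above
FLAGS_ONLY = {"e", "v", "q"}              # switches that take no value

def build_argv(mode, **opts):
    """Return ['smldapsetup', mode, '-hhost', ...] or raise ValueError."""
    if mode not in MODE_ARGS:
        raise ValueError(f"unknown mode {mode!r}")
    argv = ["smldapsetup", mode]
    for name, value in opts.items():
        if name not in MODE_ARGS[mode] | COMMON:
            raise ValueError(f"-{name} is not valid with mode {mode!r}")
        if name in FLAGS_ONLY:
            if value:
                argv.append(f"-{name}")
            continue
        if name == "m" and str(value) not in VALID_M:
            raise ValueError(f"-m{value}: unsupported directory type")
        if name == "ssl" and str(value) not in ("0", "1"):
            raise ValueError("-ssl takes 1 or 0")
        # The value is glued to its flag (no space), as the page requires.
        # A value with spaces, e.g. d="LDAP User", stays one argv element,
        # so no shell quoting is needed. Pass k="" for -k and k="1" for -k1.
        argv.append(f"-{name}{value}")
    if str(opts.get("ssl")) == "1" and "c" not in opts:
        raise ValueError("-ssl1 requires -c (SSL certificate database directory)")
    return argv

def run_smldapsetup(mode, **opts):
    """Invoke smldapsetup as an argument list (no shell); returns CompletedProcess."""
    return subprocess.run(build_argv(mode, **opts), check=False)
```

Because the list is passed to subprocess without a shell, the double-quoting rule in the note above is handled for you: a DN containing spaces is delivered to smldapsetup as a single argument.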

smldapsetup and Sun Java System Directory Server Enterprise Edition

In a Sun Java System Directory Server Enterprise Edition (formerly Sun ONE/iPlanet) directory server, smldapsetup creates the ou=Netegrity,root sub suffix and the PolicySvr4 database.

root

The directory root you specified in the Root DN field on the Data tab of the Policy Server Management Console. This variable has to be either an existing root suffix or sub suffix.

Example: If your root suffix is dc=netegrity,dc=com, then running smldapsetup produces the sub suffix ou=Netegrity,dc=netegrity,dc=com, backed by the PolicySvr4 database, in the directory server.

Example: If you want to place the policy store under ou=apps,dc=netegrity,dc=com, then ou=apps,dc=netegrity,dc=com has to be either a root or sub suffix of the root suffix dc=netegrity,dc=com.

If it is a sub suffix, then running smldapsetup produces the sub suffix ou=Netegrity,ou=apps,dc=netegrity,dc=com beneath it.

Note: For more information about root and sub suffixes, see the Sun Microsystems documentation.

Remove the SiteMinder Policy Store using smldapsetup

To remove the CA SiteMinder® policy store data and schema from an LDAP directory, you must first delete the data, then remove the schema.

Important!

To remove the policy store using smldapsetup

  1. Navigate to the following location:
  2. Remove the policy store data by entering the following command:
    smldapsetup remove -hLDAP_IP_Address -pLDAP_Port -dLDAP_Admin -wLDAP_Admin_Password -rLDAP_Base_DN -v

    Example: smldapsetup remove -h192.169.125.32 -p552 -d"cn=directory manager" -wfirewall -rdc=ad,dc=test,dc=com -v

    Note: Removing the policy store data may take a few moments.

  3. Generate the LDIF file you will use to delete the schema by entering the following:
    smldapsetup ldgen -e -fldif
    
    ldif

    Specifies the name of the LDIF file you are generating.

    Example: smldapsetup ldgen -e -fdelete.ldif

  4. Remove the CA SiteMinder® schema by executing the following command:
    smldapsetup ldmod -fldif
    
    ldif

    Specifies the name of the LDIF file you generated using smldapsetup ldgen -e.

    Example: smldapsetup ldmod -fdelete.ldif
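The three steps above are order-dependent: the data must be gone before the schema that describes it is deleted. The following script is an added example, not CA SiteMinder code, that runs the steps in that order and stops at the first non-zero exit status. The function name remove_policy_store and the injectable run parameter (used for dry runs or testing) are assumptions made for this example; the ldgen and ldmod steps rely on the connection previously configured with smldapsetup reg, as on this page.

```python
import subprocess

def remove_policy_store(host, port, admin_dn, admin_pw, root,
                        ldif="delete.ldif", run=subprocess.run):
    """Run remove, ldgen -e, ldmod in order; return the labels of completed steps.

    `run` is called with an argument list (no shell), so an admin DN such as
    "cn=directory manager" is passed to smldapsetup as a single argument.
    """
    conn = [f"-h{host}", f"-p{port}", f"-d{admin_dn}", f"-w{admin_pw}", f"-r{root}"]
    steps = [
        ("remove data",   ["smldapsetup", "remove", *conn, "-v"]),
        ("generate LDIF", ["smldapsetup", "ldgen", "-e", f"-f{ldif}"]),
        ("remove schema", ["smldapsetup", "ldmod", f"-f{ldif}"]),
    ]
    done = []
    for label, argv in steps:
        print(f"step: {label}")           # the password is deliberately not echoed
        result = run(argv)
        if result.returncode != 0:
            print(f"step '{label}' failed with exit status {result.returncode}; stopping")
            break
        done.append(label)
    return done
```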