HP-UX Directory Server 8.1 configuration, command, and file reference
Table 6-12 ldapmodify SSL options (continued)
Option Description
-N Specifies the certificate name to use for certificate-based client authentication. For example:
   -N Server-Cert
   If this option is specified, then the -Z and -W options are required. Also, if this option is
   specified, then the -D and -w options must not be specified, or certificate-based
   authentication will not occur, and the bind operation will use the authentication credentials
   specified on -D and -w.
-P Specifies the absolute path, including the file name, of the certificate database of the client.
   This option is used only with the -Z option. When used on a machine where an SSL-enabled web
   browser is configured, the path specified on this option can point to the certificate database
   of the web browser. For example:
   -P /security/cert.db
   The client security files can be stored on the Directory Server in the
   /etc/opt/dirsrv/slapd-instance_name directory. In this case, the -P option calls out a path
   and file name similar to the following:
   -P /etc/opt/dirsrv/slapd-instance_name/client-cert.db
-Q Specifies the token and certificate name, separated by a colon (:), for PKCS11.
-W Specifies the password for the certificate database identified on the -P option. For example:
   -W serverpassword
-Z Specifies that SSL is to be used for the directory request.
-ZZ Specifies the Start TLS request. Use this option to make a cleartext connection into a secure
   one. If the server does not support Start TLS, the command is not aborted; it continues in
   cleartext, so the bind credentials and the modifications are sent unencrypted. Use -ZZZ when
   the connection must be encrypted.
-ZZZ Enforces the Start TLS request. The server must respond that the request was successful. If
   the server does not support Start TLS, for example because Start TLS is not enabled or the
   certificate information is incorrect, the command is aborted immediately.
6.5.4 ldapmodify SASL options
SASL mechanisms can be used to authenticate a user; the -o option passes the SASL information the
mechanism requires. To learn which SASL mechanisms the server supports, search the root DSE. See
the -b option in Table 6-3 “Commonly-used ldapsearch options”.
Table 6-13 SASL options
Option Description
-o Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six
   values:
   • mech, the SASL authentication mechanism
   • authid, the user who is binding to the server (Kerberos principal)
   • authzid, a proxy authorization (ignored by the server since proxy authorization is not supported)
   • secProp, the security properties
   • realm, the Kerberos realm
   • flags
   The expected values depend on the supported mechanism. The -o option can be used multiple
   times to pass all the required SASL information for the mechanism. For example:
   -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"
See “ldapsearch SASL options” for the ldapsearch command for details on using these SASL options;
they are used with the ldapmodify command in the same way.
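The following is an added example, not part of the HP-UX reference: a POSIX shell helper that assembles ldapmodify arguments for the two authentication styles described in Tables 6-12 and 6-13 (certificate-based client authentication over SSL, and SASL over an enforced Start TLS connection) and checks any ldapmodify command line against the rules those tables state before it is run. The host name, ports, certificate database path, certificate nickname, password and user name are placeholders; the wrapper only calls ldapmodify if the check passes.

```shell
#!/bin/sh
# Added example (not from the HP-UX Directory Server reference).
# Encodes the constraints from Tables 6-12 and 6-13:
#   - -N requires -Z and -W, and must not be combined with -D/-w
#     (otherwise a simple bind with -D/-w happens and the certificate is ignored)
#   - -ZZ falls back to cleartext when Start TLS fails; -ZZZ aborts instead
# All host names, paths, nicknames, users and ports below are placeholders.

# build_cert_auth_args HOST CERTDB NICKNAME PASSWORD
# Certificate-based client authentication over SSL (assumes LDAPS on port 636).
build_cert_auth_args() {
    printf '%s' "-h $1 -p 636 -Z -P $2 -N $3 -W $4"
}

# build_sasl_args HOST MECH AUTHID
# SASL bind over an enforced Start TLS session (assumes cleartext port 389,
# upgraded with -ZZZ so the command aborts if Start TLS is unavailable).
build_sasl_args() {
    printf '%s' "-h $1 -p 389 -ZZZ -o mech=$2 -o authid=$3"
}

# check_ldapmodify_args ARGS...
# Returns 0 if the argument list follows the documented rules, otherwise:
#   1  -N given without both -Z and -W
#   2  -N combined with -D or -w (certificate auth would silently not occur)
#   3  -ZZ used (connection may silently continue in cleartext)
check_ldapmodify_args() {
    has_N=0; has_Z=0; has_ZZ=0; has_W=0; has_D=0; has_w=0
    for arg in "$@"; do
        case $arg in
            -N)  has_N=1 ;;
            -Z)  has_Z=1 ;;
            -ZZ) has_ZZ=1 ;;
            -W)  has_W=1 ;;
            -D)  has_D=1 ;;
            -w)  has_w=1 ;;
        esac
    done
    if [ "$has_N" -eq 1 ]; then
        if [ "$has_Z" -ne 1 ] || [ "$has_W" -ne 1 ]; then
            echo "error: -N requires both -Z and -W" >&2
            return 1
        fi
        if [ "$has_D" -eq 1 ] || [ "$has_w" -eq 1 ]; then
            echo "error: -N with -D/-w performs a simple bind, not certificate auth; drop -D/-w" >&2
            return 2
        fi
    fi
    if [ "$has_ZZ" -eq 1 ]; then
        echo "warning: -ZZ continues in cleartext if Start TLS fails; use -ZZZ" >&2
        return 3
    fi
    return 0
}

# run_ldapmodify ARGS...
# Only invokes ldapmodify when the argument list passes the check above.
run_ldapmodify() {
    check_ldapmodify_args "$@" && ldapmodify "$@"
}

# Constructed invocations (nothing is executed here; ldapmodify is not called):
#   run_ldapmodify $(build_cert_auth_args ldap.example.com \
#       /etc/opt/dirsrv/slapd-instance_name/client-cert.db Server-Cert serverpassword) -f changes.ldif
#   run_ldapmodify $(build_sasl_args ldap.example.com DIGEST-MD5 test_user) -f changes.ldif
```

Note that -W still places the certificate database password on the command line, where other local users can read it from the process list; the check above does not change that, it only rejects combinations the reference documents as ineffective or insecure.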
6.5 ldapmodify 203