installutil setldapinit

Use the setldapinit subcommand to set the parameter string that is required to connect an HCL Compass database set to the LDAP directory used for authentication.

Synopsis

installutil setldapinit dbset_name cq_login cq_password [ -site site | -domain domain ] "params"
installutil setldapinit dbset_name cq_login cq_password [ { -allsites | -site site } | { -alldomains | -domain domain } ] -remove

Description

Use the setldapinit subcommand to set the parameter string that is required to connect an HCL Compass database set to the LDAP directory used for authentication. Run it once per domain, once per site, or both, as applicable.

Options and Arguments

-site site
Specifies that the parameter settings apply only to the site that you specify. If you do not specify -site site, the parameter settings apply to all sites.
-site site -remove
-allsites -remove
Removes the existing settings for the specified subcommand. You must specify -site or -allsites with -remove. Use -site to remove the settings at one specific site. Use -allsites to remove the settings at all sites.
-domain domain
HCL Compass supports environments where multiple LDAP configurations can be used to authenticate. Use this option to specify that the parameter settings apply only to the indicated domain. If you do not specify this option, the parameter settings apply to all domains.
-domain domain -remove
-alldomains -remove
Removes the existing settings for the specified domains. You must specify -domain or -alldomains with -remove. Use -domain to remove the settings at one specific domain. Use -alldomains to remove the settings at all domains.
params
A string that consists of a subset of the arguments available for use with the IBM® Tivoli® Directory Server Client ldapsearch function. This string is not required when you specify -remove. If any argument in the string contains a special character such as a space, backward slash, or double quotes, you must enclose the argument in single quotes.

Arguments for ldapsearch function

-h ldaphost
A host on which the LDAP server is running. The HCL Tivoli documentation describes several ways to specify multiple host names. Use single quotes to enclose a list of multiple host names, and use spaces to separate the host names.
-p ldapport
A TCP port where the LDAP server listens. The default LDAP port is 389. If you specify -Z and do not specify a port with -p, the default SSL port is 636.
-D bindname
Binds a user account to a distinguished name (DN) in the LDAP directory tree. The bindname argument is a distinguished name represented as a text string. If you do not specify -D, LDAP performs an anonymous user search.
Attention: The bindname and associated password (described next) should be a user account and password that do not expire. Otherwise, you will need to reconfigure the bindname and password.
-w passwd
The password to use to authenticate the user account at the DN that you specify with the -D argument.
-Z
Indicates that a secure SSL connection is to be used to communicate with the LDAP server. This option is supported only when the SSL component, as provided by IBM's GSKit, is installed.
-K keyfile
The name of the SSL key database file (with extension of kdb). You must enclose the key database file name in single quotes. HCL Compass determines which platform it is running on and then selects the certificate store location from the -K string that matches that platform. The platform choices are win: and unix:. You can override the -K setting by setting the RATL_SSL_KEYRING environment variable. If you do not specify -K or set the RATL_SSL_KEYRING environment variable, HCL Compass looks in the \Compass\Common directory for a file called ldapkey.kdb.
-P keyfilepw
The key database file password. This password is required to access the encrypted information in the key database file (which may include one or more certificates). If you do not specify this argument, GSKit looks in the directory that contains the key database file for a password stash file of the same name as the key database file with an extension of .sth. The .sth extension identifies a password stash file, which can contain an encrypted password that GSKit knows how to retrieve. If you do not specify -Z and -K, HCL Compass ignores the -P argument.
-N certificatename
The label associated with the client certificate in the key database file.
-R
Disables LDAP referral chasing when the installutil setldapinit command connects an HCL Compass database set to the LDAP directory server for authentication.
Attention: You might need to keep LDAP referral chasing enabled when connecting to a Microsoft™ Windows™ Active Directory server.
-S
The SSL security protocol.
-C
The SSL cipher.

Examples

In the following example, the setldapinit subcommand configures the dbset1 database set for LDAP authentication. The HCL Compass login user name is bob_admin and the login password is bob_pw. The host on which the LDAP server runs is ldap_host1. Depending on your LDAP environment, you might need to specify additional configuration settings. For example, if the LDAP server does not allow anonymous searches, ask your LDAP administrator to create an LDAP account with privileges that allow HCL Compass to perform the search of the LDAP directory as specified by the setldapsearch subcommand. Use the -D and -w options to specify the bindname and password of such a search account.
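
Several rules in the argument list above can be checked on a params string before it is passed to setldapinit: no -D means an anonymous search, -P is ignored when neither -Z nor -K is present, and -w without -Z puts the bind password on an unencrypted connection. The following Python check is an added example, not HCL code. The function names, the sample DN and the sample password are constructed for illustration, and shlex stands in for installutil's own handling of single quotes.

```python
import shlex

# Flags from the page's "Arguments for ldapsearch function" list.
VALUE_FLAGS = {"-h", "-p", "-D", "-w", "-K", "-P", "-N", "-S", "-C"}
SWITCHES = {"-Z", "-R"}

def parse_params(params):
    """Split a params string into {flag: value}. shlex approximates the
    single-quote rule; installutil's own parser may differ (assumption)."""
    tokens = shlex.split(params)
    opts, i = {}, 0
    while i < len(tokens):
        flag = tokens[i]
        if flag.startswith("\u2013"):  # en dash pasted from rendered docs
            flag = "-" + flag[1:]
        if flag in SWITCHES:
            opts[flag] = True
            i += 1
        elif flag in VALUE_FLAGS and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unknown flag or missing value: {flag!r}")
    return opts

def review(params):
    """Return findings for one params string, using the rules on this page."""
    o = parse_params(params)
    findings = []
    if "-D" not in o:
        findings.append("no -D: directory search runs as anonymous")
    if "-w" in o and "-Z" not in o:
        findings.append("-w without -Z: bind password crosses the network unencrypted")
    if "-P" in o and "-Z" not in o and "-K" not in o:
        findings.append("-P is ignored: neither -Z nor -K is set")
    port = o.get("-p", "636" if "-Z" in o else "389")  # defaults stated on the page
    if not port.isdigit() or not 0 < int(port) < 65536:
        findings.append(f"-p {port}: not a valid TCP port")
    return findings

# Constructed samples; ldap_host1 is the host named in the page's example.
SAMPLES = {
    "anonymous": "-h ldap_host1",
    "cleartext bind": "-h ldap_host1 -p 389 -D 'cn=compass search,dc=example,dc=com' -w Constructed-Pw1",
    "ssl bind": "-h ldap_host1 -Z -D 'cn=compass search,dc=example,dc=com' -w Constructed-Pw1",
}

if __name__ == "__main__":
    for name, params in SAMPLES.items():
        print(name, "->", review(params) or "no findings")
```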

See also

installutil