Use the chauthservice command to configure the remote authentication service of the clustered system (system).
Syntax
chauthservice [ -enable { yes | no } ] [ -type { tip | ldap } ] [ -url url ] [ -username user_name ] [ -password [ password ] ] [ -sslcert file_name ] [ -refresh ]
Parameters
- -enable yes|no
- (Optional) Enables or disables the Lenovo Storage V7000 system's use of the remote authentication server. When the enable parameter is set to no, remote authentications are failed by the system, but local authentications continue to operate normally.
- -type tip | ldap
- (Optional) Specifies the authentication service type (TIP or native LDAP). An LDAP server must be configured. Before changing -type, ensure that the remote authentication type selected is properly configured.
Remember:
- The remote authentication service must be enabled (-enable yes) for this setting to come into effect.
- Before changing -type from ldap to tip, ensure that all users configured for remote authentication have both an SSH key and password configured.
- -url url
- (Optional - IBM Security Services only) Specifies the website address (URL) of Security Services, which is referred to as TIP in the CLI. The host part of the URL must be a valid numeric IPv4 or IPv6 network address. You can use the following characters in the URL:
- a - z
- A - Z
- 0 - 9
- _
- ~
- :
- [
- ]
- %
- /
The maximum length of the URL is 100 characters.
- -username user_name
- (Optional) Specifies the HTTP basic authentication user name. The user name cannot start or end with a blank. The user name can consist of a string of 1 - 64 ASCII characters with the exception of the following characters:
- -password password
- (Optional) Specifies the HTTP basic authentication user password. The password cannot start or end with a blank. It must consist of a string of 6 - 64 printable ASCII characters. The password variable is optional. If you do not provide a password, the system prompts you and does not display the password that you type.
- -sslcert file_name
- (Optional) Specifies the name of the file that contains the SSL certificate, in privacy enhanced mail (PEM) format, for the remote authentication server. The certificate file must be in valid PEM format and have a maximum length of 12 kilobytes.
- -refresh
- (Optional) Causes the Lenovo Storage V7000 to invalidate any remote user authorizations that are cached on the system. Use this when you modify user groups on the authentication service and want the change to take effect immediately on the Lenovo Storage V7000.
Note: If you clear the cache, anyone using the system might have to log in again (for example, if credentials are provided to one of the defined LDAP servers).
Description
This command can be used to select and enable a remote authentication service for use with the system. The system can be configured to authenticate users against IBM Security Services or using Lightweight Directory Access Protocol (LDAP).
Before enabling remote authentication, ensure that the properties of the service are properly configured on the system. It is not necessary to disable the remote authentication service to change its properties. This command can be used to configure the TIP properties. LDAP authentication can be configured using the chldap command, and LDAP servers can be added to the system using the mkldapserver command.
Remember: For the authentication type to be set to LDAP with authorization enabled (true), an LDAP server must be configured. For the authentication type to be set to TIP with authorization enabled (true), the TIP settings (URL, user name, password) must be configured.
When the authentication service is enabled or the configuration is changed, the system does not test whether the remote authentication system is operating correctly.
- To establish whether the system is operating correctly, issue the lscurrentuser command for a remotely authenticated user. If the output lists the user roles obtained from the remote authentication server, remote authentication is operating successfully. If the output is an error message, remote authentication is not working correctly, and the error message describes the problem.
- To establish whether LDAP is operating correctly, in addition to the lscurrentuser command, issue the testldapserver command. The testldapserver command can be issued whether or not remote authentication is enabled, and can be used to test the connection to LDAP servers, as well as user authorization and authentication.
The website address in the TIP url parameter can have either of the following formats, where http_port and https_port are the HTTP and HTTPS port numbers of the remote authentication service:
- http://network_address:http_port/path_to_service
- https://network_address:https_port/path_to_service
The network address must be an IPv4 or IPv6 address. Do not use the corresponding host name. For example, if the system network IPv4 address is 9.71.45.108, you could enter either of the following corresponding addresses:
http://9.71.45.108:16310/TokenService/services/Trust
https://9.71.45.108:16311/TokenService/services/Trust
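As an added example (not part of the original page and not the product's own CLI code), the following Python check applies the rules above to a candidate -url value before it is passed to chauthservice: the permitted character set, the 100-character limit, an http or https scheme, a numeric IPv4 or IPv6 host rather than a host name, a port number and a service path. The dot is assumed to be a permitted character, since the page's own example URLs contain dotted IPv4 addresses.

```python
import ipaddress
from urllib.parse import urlsplit

# Characters the page lists as permitted in the -url value. The "." is an assumption
# added here, because the page's own example URLs contain dotted IPv4 addresses.
ALLOWED_URL_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_~:[]%/."
)
MAX_URL_LEN = 100  # maximum length of the -url value stated on the page


def check_tip_url(url: str) -> list[str]:
    """Return the rules that the candidate URL violates (an empty list means acceptable)."""
    problems = []
    if len(url) > MAX_URL_LEN:
        problems.append(f"length {len(url)} exceeds the {MAX_URL_LEN}-character maximum")
    bad = sorted(set(url) - ALLOWED_URL_CHARS)
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    host = parts.hostname  # IPv6 brackets are stripped here
    if host is None:
        problems.append("missing network address")
    else:
        try:
            ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals only
        except ValueError:
            problems.append(f"host {host!r} must be a numeric IPv4/IPv6 address, not a host name")
    try:
        if parts.port is None:
            problems.append("missing port number")
    except ValueError:
        problems.append("port is not a valid number")
    if parts.path in ("", "/"):
        problems.append("missing path_to_service")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the page's HTTPS example plus deliberately wrong ones.
    for candidate in (
        "https://9.71.45.108:16311/TokenService/services/Trust",
        "http://[2001:db8::1]:16310/TokenService/services/Trust",
        "https://tip.example.com:16311/TokenService/services/Trust",
        "https://9.71.45.108/TokenService/services/Trust",
    ):
        print(candidate, "->", check_tip_url(candidate) or "OK")
```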
To disable the remote authentication service in a controlled manner when it is not available, use the enable parameter with the no option.
An invocation example
To fully configure and enable authentication with IBM Security Services:
chauthservice -url https://9.71.45.108:16311/TokenService/services/Trust -sslcert /tmp/sslCACert.pem -username admin -password password -enable yes
The resulting output:
No feedback
An invocation example
To disable remote authentication:
chauthservice -enable no
The resulting output:
No feedback
An invocation example
To refresh the Lenovo Storage V7000 remote authorization cache:
chauthservice -refresh
The resulting output:
No feedback