Use the setldapsearch subcommand to specify the
LDAP search criteria to use to find an LDAP user account to authenticate
against.
Synopsis
- installutil setldapsearch dbset_name cq_login cq_password [ -site site | -domain domain ] "params"
- installutil setldapsearch dbset_name cq_login cq_password [ {-allsites | -site site } | {-alldomains | -domain domain } ] -remove
Description
Use the setldapsearch subcommand
to specify the LDAP search criteria to use to find an LDAP user account
to authenticate against. The setldapsearch subcommand uses
the user name that a user enters in the Rational® ClearQuest® login
window. Run the subcommand once per domain, site, or both, if applicable.
Options and Arguments
- -site site
- Specifies that the parameter settings apply only to the site that
you specify. If you do not specify -site site,
the parameter settings apply to all sites.
- -site site -remove
- -allsites -remove
- Removes the existing settings for the specified subcommand. You
must specify -site or -allsites with -remove.
Use -site to remove the settings at one specific site. Use -allsites to
remove the settings at all sites.
- -domain domain
- Rational ClearQuest supports
environments where multiple LDAP configurations can be used to authenticate.
Use this option to specify that the parameter settings apply only
to the indicated domain. If you do not specify this option, the parameter
settings apply to all domains.
- -domain domain -remove
- -alldomains -remove
- Removes the existing settings for the specified subcommand. You
must specify -domain or -alldomains with -remove.
Use -domain to remove the settings at one specific domain.
Use -alldomains to remove the settings at all domains.
- params
- A string that consists of a subset of the arguments available
for use with the IBM® Tivoli® Directory Server Client
ldapsearch function. This string is not required when you specify -remove.
Within the ldapsearch string you must include the %login% parameter,
which resolves to the login name that the user enters. For more information
about the ldapsearch syntax, see IBM Tivoli Directory Administration
Guide, which is available in the IBM Publications
Center at http://www.ibm.com/shop/publications/order.
Arguments for ldapsearch function
- -b searchbase
- Identifies a distinguished name (DN) to use as the starting point
for the search. This option is required and must be specified with
the -s scope option, which defines the scope of the search.
If this argument contains any special character, such as a space,
backward slash, or double quotes, you must enclose the argument in
single quotes.
- filter
- A string representation of the filter to apply in the search.
Simple filters can be specified as attributetype = attributevalue.
For information about specifying more complex filters, see IBM Tivoli Directory Administration
Guide.
- attr
- The attribute that you want the search to return. This is the
attribute whose value matches the user's LDAP login name.
- -s scope
- Specifies the scope of the search. Acceptable values:
- base: base object
- one: one level
- sub: subtree
The default is sub.
Examples
In the following example, the setldapsearch subcommand
specifies the search string to be used to search the LDAP directory
for the user record that corresponds to the user's login name. The
o (organization) and ou (organizational unit) indicate which DN to use as the
starting point for the search. The exact attributes required are specific
to the LDAP schema and might be different from the o and ou shown
here. The search string specifies to search for a user record whose
mail attribute contains the same value as the user's login name.
installutil setldapsearch ldapreferr admin "" -domain Domain1 "-s sub -b ou=bluepages,o=ibm.com mail=%login%"
The following example shows how to use a filter to narrow
the search. Microsoft Active Directory
allows LDAP administrators to mark user accounts as disabled. The
following example uses a filter to exclude disabled user accounts
from the search.
installutil setldapsearch dbset1 bob_admin bob_pw -Domain domain1 "-s sub -b ou=my_org, dc=ldapmsft,dc=com (&(objectCategory=person)(sAMAccountName=%login%)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
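A pre-flight check for the params string, added here as an illustration (it is not IBM code and does not call installutil): it applies the rules stated under "Arguments for ldapsearch function", namely that -b and -s are present, the scope is base, one or sub, and the filter contains %login%. The function name check_params and the sample strings are constructed for this example, and the check assumes that the first non-option token is the filter.

```python
import shlex

SCOPES = {"base", "one", "sub"}  # scope values listed for -s on this page


def check_params(params):
    """Return a list of problems found in a setldapsearch params string."""
    try:
        # shlex honours the single quotes the page requires around a
        # search base that contains spaces or other special characters.
        tokens = shlex.split(params)
    except ValueError as exc:
        return [f"unbalanced quoting: {exc}"]

    problems, positional = [], []
    base = scope = None
    it = iter(tokens)
    for tok in it:
        if tok in ("-b", "-s"):
            value = next(it, None)
            if value is None:
                problems.append(f"{tok} has no value")
            elif tok == "-b":
                base = value
            else:
                scope = value
        elif tok.startswith("\u2013"):
            # Typeset documentation often turns "-" into an en dash.
            problems.append(f"{tok!r} starts with an en dash, not a hyphen")
        else:
            positional.append(tok)  # filter first, then attr

    if base is None:
        problems.append("missing -b searchbase")
    if scope is None:
        problems.append("missing -s scope")
    elif scope not in SCOPES:
        problems.append(f"scope {scope!r} is not base, one or sub")
    if not positional:
        problems.append("missing filter")
    elif "%login%" not in positional[0]:
        problems.append("filter lacks %login% (single-quote a search base "
                        "that contains a space)")
    return problems


# Constructed sample strings, not taken from a real deployment.
GOOD = "-s sub -b 'ou=people,o=example.com' uid=%login%"
UNQUOTED_SPACE = "-s sub -b ou=my org,o=example.com uid=%login%"
BAD_SCOPE = "-s tree -b ou=people,o=example.com uid=%login%"
```

An empty list means the string satisfies the rules on this page; it does not confirm that the search base or attribute names exist in the directory.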