Name
vssat — configure authentication service (AT) and its options.
SYNOPSIS
-d DomainName -s server_URL -u user_base_DN -g group_base_DN -m admin_user_DN [-w admin_user_password] [-f trusted_CA_file_name] [-t rfc2307 | msad | {-c user_object_class -a user_attribute -q user_GID_attribute -un user_display_name_attribute -ui user_ID_attribute -ud user_description_attribute -x group_object_class -y group_attribute -z group_GID_attribute -gn group_display_name_attribute -gi group_ID_attribute -gd group_description_attribute [-k DN | UID]]}
-d DomainName
--groupname name --domain type:name --broker host:1556:nbatd
--prplname prpl_name --domain type:name --broker host:1556:nbatd
On UNIX systems, the directory path to this command is /usr/openv/netbackup/sec/at/bin
On Windows systems, the directory path to this command is install_path\NetBackup\sec\at\bin
DESCRIPTION
Use the vssat addldapdomain command to add an LDAP domain to the authentication broker. You must determine the information that is shown to add an LDAP domain:
The type of LDAP directory in use.
The type of LDAP directory dictates the type of scheme to use. Some of the possible types of LDAP directory types are: Microsoft Active Directory, OpenLDAP, iPlanet, and so on.
The URL to the LDAP directory.
For example, ldap:// my_ldap_host.mydomain.myenterprise.com:389 or ldaps:// my_ssl_ldap_host.mydomain.myenterperise.com. Be aware that an LDAP URL must start with ldap:// for non-SSL, or ldaps:// for SSL-enabled LDAP directory.
The distinguished name (DN) of the users container.
Normally, the users container is in one of the naming contexts. For most LDAP directories, you can use the ldapsearch utility, provided by the directory vendor, to find out the naming contexts. For example:
ldapsearch --group_object_class -h my_host --server_url base -- auth_type "" namingContexts
For Microsoft Active Directory, the users container resembles this example: cn=users,dc=domain_name,dc=enterprise_name,dc=com
The distinguished name (DN) of the groups container.
Normally, the groups container is in one of the naming contexts. For most LDAP directories, you can use the ldapsearch utility, provided by the directory vendor, to find out the naming contexts. For example:
ldapsearch --group_object_class -h my_host --server_url base -- auth_type "" namingContexts
For Microsoft Active Directory, the groups container looks like this example: cn=users,dc=domain_name,dc=enterprise_name,dc=com
The schema to facilitate users and groups.
If the enterprise has migrated their NIS data to the LDAP directory according to Request For Comments 2307, it must use the RFC 2307 schema. RFC 2307 uses the posixAccount object class to facilitate user objects. It uses the posixGroup object class to facilitate group objects. If the enterprise uses Microsoft Active Directory, it must use the Microsoft Active Directory schema. In this schema, the user object class facilitates both user objects and group objects.
If the enterprise uses neither RFC 2307 nor Microsoft Active Directory, you must determine the items shown:
The LDAP object class to facilitate user objects.
The LDAP object class to facilitate group objects.
The user attribute in the user object class to facilitate user name or ID.
Veritas uses the rules that are shown to construct the DN to the user entry: user_attribute=user_name,user_container_DN. For example, if the user attribute is configured to cn and users container DN is configured to dc=mydomain,dc=myenterprise,dc=com and the user name for the authenticate call is jdoe, the LDAP DN for jdoe is: cn=jdoe,dc=mydomain,dc=myenterprise,dc=com
The group identifier (GID) attribute in the user object class to identify the groups to which the given user belongs.
The group attribute in the group object class to facilitate group name.
Veritas uses the rules that are shown to construct the DN to the group entry: group_attribute=group_name,group_container_DN For example, if the group attribute is configured to cn and groups container DN is configured to dc=mydomain,dc=myenterprise, dc=com and the group name is adm, the LDAP DN for adm is: cn=adm,dc=mydomain,dc=myenterprise,dc=com.
The group ID attribute in the group object class to facilitate group ID for the given group.
You are not required to restart the broker after you add the LDAP domain.
Use the vssat listldapdomains command to list all the LDAP domains in the authentication broker. This command needs no additional parameters. An example of this command is shown in the examples section.
Use the vssat removeldapdomain to remove an LDAP domain from the authentication broker.
Use the vssat validategroup command to check the existence of a user group in domain provided.
Use the vssat validateprpl command to check the existence of a user in domain provided.
OPTIONS
- -a, --user_attribute user_attribute
Specify the user attribute within the user object class using the syntax that is shown: user_attribute=prplname,user_base_DN. The LDAP DN for jdoe is: cn=jdoe,dc=mydomain,dc=myenterprise,dc=com where:
The user_attribute is cn.
The prplname is jdoe.
The user_base_DN is dc=mydomain,dc=myenterprise,dc=com.
Do not use this option if you use the -t option.
- --broker host:1556:nbatd
The host and the port of the broker.
- -c, --user_object_class user_object_class
Specify the LDAP object class of the user object, which is posixAccount. If schema_type is defined, user_object_class should not be used. If schema_type is not defined, user_object_class should be used.
- -d, --domain DomainName
A symbolic name that uniquely identifies an LDAP domain.
- --domain type:name
The name of the domain that holds the group or the principal that you want to validate. Use the domain type ldap wherever required.
- -f, --server_trusted_ca_file trusted_CA_file_name
The complete path to the file that contains the trusted CA certificates in PEM format. You must use this parameter when the LDAP server URL starts with ldaps:// and the certificate authority that signed the LDAP server security certificate is other than the following:
CyberTrust
digicert
GeoTrust
Certification Services Division
VeriSign Trust Network
RSA Security Inc.
GlobalSign
Symantec Corporation
- -g, --group_base_dn group_base_DN
The LDAP-distinguished name for the group container. For example, ou=group,dc=mydomain,dc=myenterprise,dc=com.
- -gd, --group_description_attr group_description_attribute
Attribute name that defines the group's description in directory service.
- -gi, --group_id_attr group_ID_attribute
Attribute name that defines the group's unique identifier in directory service.
- -gn, --group_dispname_attr group_display_name_attribute
Attribute name that defines the group's display name in directory service.
- --groupname name
The name of the group that you want to validate.
- -k, --group_gid_attribute_type DN | UID
Specify the storage type of group GID attribute.
- -m, --admin_user admin_user_DN
This option is a string that contains the DN of the administrative user or any user that has search permission to the user container, or user subtree as specified by UserBaseDN. If the user container is searchable by anyone including an anonymous user, you can configure this option as an empty string. For example, --admin_user=. This configuration allows anyone to search the user container.
- --prplname prpl_name
The name of the principal that you want to validate.
- -q, --user_gid_attribute user_GID_attribute
Specify the attribute within the user object class to retrieve the groups the user belongs to. Do not use this option if you use the -t option.
- -s, -server_url server_URL
The URL of the LDAP directory server for the given domain. The LDAP server URL must start with either ldap:// or ldaps://. Starting with ldaps:// indicates that the given LDAP server requires SSL connection. For example ldaps://my-server.myorg.com:636.
- -t, --schema_type schema_type
Specify which type of LDAP schema to use. If you use the -t option, you must omit the following options: -a, -i, and -o. These values are set automatically based upon the schema type chosen. If you do not use -t, neither the rfc2307 nor the msad parameters are set automatically. You must provide the values yourself. Two default schema types are supported:
: The schema that is specified in RFC 2307. With RFC2307, use the schema that is shown:
User Object Class: posixAccount
User Search Attribute: uid
User unique ID attribute: uidNumber
User display name attribute: cn
User description attribute: description
User GID Attribute: gidNumber
Group Object Class: posixGroup
Group Search Attribute: cn
Group unique ID attribute: gidNumber
Group display name attribute: cn
Group description attribute: description
Group GID Attribute: memberUid
: Microsoft Active Directory schema. With Microsoft Active Directory, use the schema that is shown:
User Object Class: user
User Search Attribute: sAMAccountName
User unique ID attribute: objectSid
User display name attribute: displayName
User description attribute: description
User GID Attribute: memberOf
Group Object Class: group
Group Search Attribute: sAMAccountName
Group unique ID attribute: objectSid
Group display name attribute: displayName
Group description attribute: description
Group GID Attribute: cn
- -u, --user_base_dn user_base_DN
The LDAP-distinguished name for the user container. For example, ou=user,dc=mydomain,dc=myenterprise,dc=com.
- -ud, --user_description_attr user_description_attribute
Attribute name that defines the user's description in directory service.
- -ui, --user_id_attr user_ID_attribute
Attribute name that defines the user's unique identifier in directory service.
- -un, --user_dispname_attr user_display_name_attribute
Attribute name that defines the user's display name in directory service.
- -w, --admin_user_password admin_user_password
This attribute is a string that contains the bind password of the user that is specified in the -m option. If -m is an empty string, this option must also be an empty string. For example, --admin_user_password=. The password is passed in plain text but it is stored in encrypted form. If you have not provided the password for the -w option, NetBackup prompts for the password.
- -x, --group_object_class group_object_class
Specify the LDAP object class for the group object which is posixGroup. Do not use this option if you use the -t option.
- -y, --group_attribute group_attribute
Specify the group attribute within the group object class, using the syntax that is shown: group_attribute=group,group_base_DN. For example, the LDAP DN for adm is cn=adm,dc=mydomain,dc=myenterprise,dc=com where:
The group_attribute is cn.
The group is adm.
The group_base_DN is dc=mydomain,dc=myenterprise,dc=com.
Do not use this option if you use the -t option.
- -z, --group_gid_attribute group_GID_attribute
Specify the attribute within the group object class to retrieve the group. Do not use this option if you use the -t option.
EXAMPLES
Example 1: Use of the vssat command to list the LDAP domains in the authentication broker.
vssat listldapdomains Listldapdomains ---------------------- ---------------------- Found: 1 Domain Name: VSS Server URL: ldap://your_ldap_server.com SSL Enabled: No User Base DN: distinguish name of your user container User Object Class: posixAccount User Attribute: uid User GID Attribute: gidNumber Group Base DN: distinguish name of your group container Group Object Class: posixGroup Group Attribute: cn Group GID Attribute: gidNumber
Example 2: Stores the AT configuration parameters in a configuration file.
vssat addldapdomain --domainname MYADDOMAIN --server_url ldap:// my_ad_host.mydomain.myenterprise.com --user_base_dn cn=users,dc=mydomain, dc=myenterprise,dc=com --group_base_dn dc=users,dc=mydomain,dc=myenterprise, dc=com --schema_type msad --admin_user cn=Administrator,cn=users,dc= mydomain,dc=myenterprise,dc=com