chauthservice
Use the chauthservice command to configure the remote authentication service of the clustered system (system).
Syntax
chauthservice [-enable yes | no] [-type ldap] [-url url] [-username user_name] [-password [password]] [-sslcert file_name] [-refresh]
Parameters
- -enable yes | no
- (Optional) Enables or disables the system's use of the remote authentication server. When -enable is set to no, the system rejects all remote authentication attempts, but local authentication continues to operate normally.
- -type ldap
- (Optional) Specifies the authentication service type, which must be LDAP. An LDAP server must be configured. Remember: The remote authentication service must be enabled (-enable yes) for this setting to take effect.
- -url url
- (Optional; IBM® Security Services only. This option is no longer used.) Specifies the website address (URL) of Security Services, which the CLI refers to as TIP. The host part of the URL must be a valid numeric IPv4 or IPv6 network address. The URL can contain the following characters:
- a - z
- A - Z
- 0 - 9
- _
- ~
- :
- [
- ]
- %
- /
- -username user_name
- (Optional) Specifies the HTTP basic authentication user name. The user name cannot start or end with a blank. It must consist of a string of 1 - 64 ASCII characters, excluding the following characters:
- %
- :
- "
- ,
- *
- '
- -password password
- (Optional) Specifies the HTTP basic authentication user password. The password cannot start or end with a blank. It must consist of a string of 6 - 64 printable ASCII characters. The password value itself is optional: if you omit it, the system prompts for the password and does not echo what you type. Omitting the value also keeps the password out of your shell history and process listings.
- -sslcert file_name
- (Optional) Specifies the name of the file that contains the SSL certificate, in privacy enhanced mail (PEM) format, for the remote authentication server. The certificate file must be in valid PEM format and have a maximum length of 12 KB.
- -refresh
- (Optional) Causes the system to invalidate any remote user authorizations that are cached on the system. Use this option when you modify user groups on the authentication service and want the change to take effect on the system immediately. Note: If you clear the cache, users who are currently logged in might have to log in again (for example, users whose credentials were validated by one of the defined LDAP servers).
Description
The system authenticates remote users by using Lightweight Directory Access Protocol (LDAP). Before you enable remote authentication, ensure that the properties of the service are properly configured on the system. It is not necessary to disable the remote authentication service to change its properties.
LDAP authentication can be configured by using the chldap command, and LDAP servers can be added to the system by using the mkldapserver command. Remember: For the authentication type to be set to LDAP with authorization enabled (true), an LDAP server must be configured.
When the authentication service is enabled, the system does not test whether the remote authentication server is operating correctly.
- To establish whether the system is operating correctly, enter the lscurrentuser command for a remotely authenticated user. If the output lists the user roles that are obtained from the remote authentication server, remote authentication is operating successfully. If the output is an error message, remote authentication is not working correctly, and the error message describes the problem.
- To establish whether LDAP is operating correctly, in addition to the lscurrentuser command, enter the testldapserver command. The testldapserver command can be entered whether or not remote authentication is enabled, and can be used to test the connection to LDAP servers, as well as user authorization and authentication.
To disable the remote authentication service in a controlled manner when the remote server is not available, use the -enable parameter with the no option. Local users can still log in while remote authentication is disabled.
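The following script is an added example and is not part of the IBM command reference. Because the system does not verify the remote service when you enable it, the script wraps the page's own commands (chauthservice, testldapserver, lscurrentuser) in a controlled roll-out: enable LDAP, prove that a real remote user can log in, and fall back to -enable no if that proof fails. It assumes the CLI is reached over SSH from an admin workstation, that lscurrentuser prints "name ..." and "role ..." lines for a working remote user and an error message otherwise, that testldapserver with no arguments tests connectivity to the configured servers, and that CLUSTER and the user names are placeholders to replace.

```shell
#!/bin/sh
# Added example, not IBM's code. Controlled roll-out of LDAP remote
# authentication: enable, verify with a real remote login, roll back on failure.
#
# Assumptions (not stated on the page): the CLI is reached over SSH;
# lscurrentuser prints one "role <name>" line per role for a working remote
# user and an error message otherwise; testldapserver with no arguments
# checks connectivity to the configured LDAP servers; CLUSTER and the user
# names are placeholders.

CLUSTER="${CLUSTER:-cluster.example.net}"
ADMIN_USER="${ADMIN_USER:-superuser}"

# run_cli USER CMD...: send one CLI command line to the cluster as USER.
# In production this is ssh; an offline check can override it with a fake.
run_cli() {
    _user="$1"; shift
    ssh "${_user}@${CLUSTER}" "$@"
}

# has_role_line OUTPUT: 0 if lscurrentuser output lists at least one role,
# 1 if it carries no "role ..." line (that is, it is an error message).
has_role_line() {
    printf '%s\n' "$1" | grep -q '^role '
}

# verify_remote_auth REMOTE_USER: first check server connectivity as the
# admin, then prove end-to-end authentication and authorization by logging
# in as an LDAP-backed user and reading back the roles it was granted.
verify_remote_auth() {
    run_cli "$ADMIN_USER" testldapserver || return 1
    _out=$(run_cli "$1" lscurrentuser) || return 1
    has_role_line "$_out"
}

# rollout_ldap_auth REMOTE_USER: enable LDAP, verify, roll back on failure.
# Returns 0 only when remote authentication is confirmed working.
rollout_ldap_auth() {
    run_cli "$ADMIN_USER" chauthservice -enable yes -type ldap || return 1
    if verify_remote_auth "$1"; then
        return 0
    fi
    # Controlled fallback: local accounts keep working, remote logins fail fast
    # instead of hanging on a misconfigured or unreachable server.
    run_cli "$ADMIN_USER" chauthservice -enable no
    return 1
}

# refresh_remote_authz: drop cached remote authorizations after a group
# change on the LDAP server. Logged-in remote users may have to log in again.
refresh_remote_authz() {
    run_cli "$ADMIN_USER" chauthservice -refresh
}
```

Source the file and call rollout_ldap_auth with the name of a known LDAP user (for example `. ./ldap_rollout.sh && rollout_ldap_auth alice`); a non-zero exit means the service was switched back off and the error from testldapserver or the failed login is what to investigate.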
An invocation example
To disable remote authentication, enter the following command:
chauthservice -enable no
The following text is displayed when the command runs:
No feedback
An invocation example
To refresh the system remote authorization cache, enter the following command:
chauthservice -refresh
The following text is displayed when the command runs:
No feedback
