PowerScale OneFS CLI Command Reference

isi auth ldap modify

Modifies an LDAP provider.

Syntax

isi auth ldap modify <provider-name>
  [--name <string>]
  [--base-dn <string>]
  [--server-uris <string>]
  [--add-server-uris <string>]
  [--remove-server-uris <string>]
  [--alternate-security-identities-attribute <string>]
  [--authentication {yes | no}]
  [--balance-servers {yes | no}]
  [--bind-dn <string>]
  [--bind-timeout <integer>]
  [--certificate-authority-file <string>]
  [--check-online-interval <duration>]
  [--cn-attribute <string>]
  [--create-home-directory {yes | no}]
  [--crypt-password-attribute <string>]
  [--email-attribute <string>]
  [--enabled {yes | no}]
  [--enumerate-groups {yes | no}]
  [--enumerate-users {yes | no}]
  [--findable-groups <string>]
  [--clear-findable-groups]
  [--add-findable-groups <string>]
  [--remove-findable-groups <string>]
  [--findable-users <string>]
  [--clear-findable-users]
  [--add-findable-users <string>]
  [--remove-findable-users <string>]
  [--gecos-attribute <string>]
  [--gid-attribute <string>]
  [--group-base-dn <string>]
  [--group-domain <string>]
  [--group-filter <string>]
  [--group-members-attribute <string>]
  [--group-search-scope <scope>]
  [--homedir-attribute <string>]
  [--home-directory-template <string>]
  [--ignore-tls-errors {yes | no}]
  [--listable-groups <string>]
  [--clear-listable-groups]
  [--add-listable-groups <string>]
  [--remove-listable-groups <string>]
  [--listable-users <string>]
  [--clear-listable-users]
  [--add-listable-users <string>]
  [--remove-listable-users <string>]
  [--login-shell <string>]
  [--member-lookup-method {default | rfc2307bis}]
  [--member-of-attribute <string>]
  [--name-attribute <string>]
  [--netgroup-base-dn <string>]
  [--netgroup-filter <string>]
  [--netgroup-members-attribute <string>]
  [--netgroup-search-scope <scope>]
  [--netgroup-triple-attribute <string>]
  [--normalize-groups {yes | no}]
  [--normalize-users {yes | no}]
  [--nt-password-attribute <string>]
  [--ntlm-support {all | v2only | none}]
  [--ocsp-server-uris <uri-list>]
  [--provider-domain <string>]
  [--require-secure-connection {yes | no}]
  [--restrict-findable {yes | no}]
  [--restrict-listable {yes | no}]
  [--search-scope <scope>]
  [--search-timeout <integer>]
  [--shadow-user-filter <string>]
  [--shadow-expire-attribute <string>]
  [--shadow-flag-attribute <string>]
  [--shadow-inactive-attribute <string>]
  [--shadow-last-change-attribute <string>]
  [--shadow-max-attribute <string>]
  [--shadow-min-attribute <string>]
  [--shadow-warning-attribute <string>]
  [--shell-attribute <string>]
  [--ssh-public-key-attribute <string>]
  [--tls-revocation-check-level {strict | allowNoSrc | allowNoData | none}]
  [--uid-attribute <string>]
  [--unfindable-groups <string>]
  [--clear-unfindable-groups]
  [--add-unfindable-groups <string>]
  [--remove-unfindable-groups <string>]
  [--unfindable-users <string>]
  [--clear-unfindable-users]
  [--add-unfindable-users <string>]
  [--remove-unfindable-users <string>]
  [--unique-group-members-attribute <string>]
  [--unlistable-groups <string>]
  [--clear-unlistable-groups]
  [--add-unlistable-groups <string>]
  [--remove-unlistable-groups <string>]
  [--unlistable-users <string>]
  [--clear-unlistable-users]
  [--add-unlistable-users <string>]
  [--remove-unlistable-users <string>]
  [--user-base-dn <string>]
  [--user-domain <string>]
  [--user-filter <string>]
  [--user-search-scope <scope>]
  [--template {default | rfc2307 | ad-idmu | ldapsam}]
  [--bind-password <string>]
  [--set-bind-password]
  [--force | -f]
  [--verbose | -v]

Options

<provider-name>
Specifies the name of the LDAP provider to modify.
--name <string>
Specifies a new name for the authentication provider.
--base-dn <string>
Sets the root of the tree in which to search for identities. For example, CN=Users,DC=mycompany,DC=com.
--server-uris <string>
Specifies a list of LDAP server URIs to be used when accessing the server. Repeat this option to specify multiple list items.

Specify the LDAP server URI in the format ldaps://<server>:<port> for secure LDAP or ldap://<server>:<port> for non-secure LDAP.

The server can be specified as an IPv4 address, an IPv6 address, or a hostname.

If you do not specify a port number, the default port is used; 389 for secure LDAP or 636 for non-secure LDAP.

NOTE: If you specify non-secure LDAP, the bind password is transmitted to the server in clear text.
--add-server-uris <string>
Adds an entry to the list of server URIs. Repeat this option to specify multiple list items.

The server to be added can be specified as an IPv4 address, an IPv6 address, or a hostname.

--remove-server-uris <string>
Removes an entry from the list of server URIs. Repeat this option to specify multiple list items.

The server to be removed can be specified as an IPv4 address, an IPv6 address, or a hostname.

--alternate-security-identities-attribute <string>
Specifies the name to be used when searching for alternate security identities. This name is used when OneFS attempts to resolve a Kerberos principal to a user.
--authentication {yes | no}
Enables or disables the use of this provider for authentication as well as identity. The default value is yes.
--balance-servers {yes | no}

Makes this provider connect to a random server on each request.

--bind-dn <string>
Specifies the distinguished name to use when binding to the LDAP server. For example, CN=myuser,CN=Users,DC=mycompany,DC=com.
--bind-timeout <integer>
Specifies the timeout in seconds when binding to the LDAP server.
--certificate-authority-file <path>
Specifies the path to the root certificates file for TLS connection. Required when --require-secure-connection is yes.
--check-online-interval <duration>
Specifies the time between provider online checks, in the format <integer>[{Y | M | W | D | H | m | s}].
--cn-attribute <string>
Specifies the LDAP attribute that contains common names. The default value is cn.
--create-home-directory {yes | no}
Specifies whether to create a home directory the first time a user logs in, if a home directory does not already exist for the user. The directory path is specified in the path template through the --home-directory-template command.
--crypt-password-attribute <string>
Specifies the LDAP attribute that contains UNIX passwords. This setting has no default value.
--email-attribute <string>
Specifies the LDAP attribute that contains email addresses. The default value is mail.
--enabled {yes | no}
Enables or disables this provider.
--enumerate-groups {yes | no}
Specifies whether to allow the provider to enumerate groups.
--enumerate-users {yes | no}
Specifies whether to allow the provider to enumerate users.
--findable-groups <string>
Specifies a list of groups that can be found in this provider if --restrict-findable is enabled. Repeat this option to specify multiple list items. If populated, groups that are not included in this list cannot be resolved in this provider. This option overwrites the entries in the findable groups list; to add or remove groups without affecting current entries, use --add-findable-groups or --remove-findable-groups.
--clear-findable-groups
Removes the list of findable groups.
--add-findable-groups <string>
Adds an entry to the list of findable groups that is checked if --restrict-findable is enabled. Repeat this option to specify multiple list items.
--remove-findable-groups <string>
Removes an entry from the list of findable groups that is checked if --restrict-findable is enabled. Repeat this option to specify multiple list items.
--findable-users <string>
Specifies a list of users that can be found in this provider if --restrict-findable is enabled. Repeat this option to specify multiple list items. If populated, users that are not included in this list cannot be resolved in this provider. This option overwrites the entries in the findable users list; to add or remove users without affecting current entries, use --add-findable-users or --remove-findable-users.
--clear-findable-users
Removes the list of findable users.
--add-findable-users <string>
Adds an entry to the list of findable users that is checked if --restrict-findable is enabled. Repeat this option to specify multiple list items.
--remove-findable-users <string>
Removes an entry from the list of findable users that is checked if --restrict-findable is enabled. Repeat this option to specify multiple list items.
--gecos-attribute <string>
Specifies the LDAP attribute that contains GECOS fields. The default value is gecos.
--gid-attribute <string>
Specifies the LDAP attribute that contains GIDs. The default value is gidNumber.
--group-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for groups.
--group-domain <string>
Specifies the domain that this provider will use to qualify groups. The default group domain is LDAP_GROUPS.
--group-filter <string>
Sets the LDAP filter for group objects.
--group-members-attribute <string>
Specifies the LDAP attribute that contains group members. The default value is memberUid.
--group-search-scope <scope>
Defines the default depth from the base distinguished name (DN) to perform LDAP searches for groups.

The following values are valid:

default
Applies the setting in --search-scope.
NOTE: You cannot specify --search-scope=default. For example, if you specify --group-search-scope=default, the search scope is set to the value of --search-scope.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN.
--home-directory-template <path>
Specifies the path to use as a template for naming home directories. The path must begin with /ifs and can include special character sequences that are dynamically replaced with strings at home directory creation time that represent specific variables. For example, %U, %D, and %Z are replaced with the user name, provider domain name, and zone name, respectively. For more information, see the Home directories section.
--homedir-attribute <string>
Specifies the LDAP attribute that is used when searching for the home directory. The default value is homeDirectory.
--ignore-tls-errors {yes | no}
Specifies whether to continue secure connection when certificate errors occur. The default setting is no.
If TLS is enabled (--require-secure-connection is set to yes) and --ignore-tls-errors is set to yes, the LDAP provider continues to use TLS regardless of errors: certificate verification errors are logged, but the provider keeps using the certificate and the TLS session.
--listable-groups <string>
Specifies a list of groups that can be viewed in this provider if --restrict-listable is enabled. Repeat this option to specify multiple list items. If populated, groups that are not included in this list cannot be viewed in this provider. This option overwrites the entries in the listable groups list; to add or remove groups without affecting current entries, use --add-listable-groups or --remove-listable-groups.
--clear-listable-groups
Removes all entries from the list of viewable groups.
--add-listable-groups <string>
Adds an entry to the list of listable groups that is checked if --restrict-listable is enabled. Repeat this option to specify multiple list items.
--remove-listable-groups <string>
Removes an entry from the list of viewable groups that is checked if --restrict-listable is enabled. Repeat this option to specify multiple list items.
--listable-users <string>
Specifies a list of users that can be viewed in this provider if --restrict-listable is enabled. Repeat this option to specify multiple list items. If populated, users that are not included in this list cannot be viewed in this provider. This option overwrites the entries in the listable users list; to add or remove users without affecting current entries, use --add-listable-users or --remove-listable-users.
--clear-listable-users
Removes all entries from the list of viewable users.
--add-listable-users <string>
Adds an entry to the list of listable users that is checked if --restrict-listable is enabled. Repeat this option to specify multiple list items.
--remove-listable-users <string>
Removes an entry from the list of viewable users that is checked if --restrict-listable is enabled. Repeat this option to specify multiple list items.
--login-shell <path>
Specifies the pathname to the user's login shell, for users who access the file system through SSH.
--member-lookup-method {default | rfc2307bis}

Sets the method by which group member lookups are performed. Use caution when changing this option directly.

--member-of-attribute <string>
Sets the attribute to be used when searching LDAP for reverse memberships. This LDAP value should be an attribute of the user type posixAccount that describes the groups in which the POSIX user is a member.
--name-attribute <string>
Specifies the LDAP attribute that contains UIDs, which are used as login names. The default value is uid.
--netgroup-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for netgroups.
--netgroup-filter <string>
Sets the LDAP filter for netgroup objects.
--netgroup-members-attribute <string>
Specifies the LDAP attribute that contains netgroup members. The default value is memberNisNetgroup.
--netgroup-search-scope <scope>
Defines the depth from the base distinguished name (DN) to perform LDAP searches for netgroups.

The following values are valid:

default
Applies the setting in --search-scope.
NOTE: You cannot specify --search-scope=default. For example, if you specify --netgroup-search-scope=default, the search scope is set to the value of --search-scope.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN.
--netgroup-triple-attribute <string>
Specifies the LDAP attribute that contains netgroup triples. The default value is nisNetgroupTriple.
--normalize-groups {yes | no}
Normalizes group names to lowercase before lookup.
--normalize-users {yes | no}
Normalizes user names to lowercase before lookup.
--nt-password-attribute <string>
Specifies the LDAP attribute that contains Windows passwords. A commonly used value is ntpasswdhash.
--ntlm-support {all | v2only | none}
For users with NTLM-compatible credentials, specifies which NTLM versions to support.

The following values are valid:

all
v2only
none
--ocsp-server-uris <uri-list>
Specifies the location of revocation information for TLS certificates. This is an optional parameter to use with --tls-revocation-check-level. Revocation information is contained in Online Certificate Status Protocol (OCSP) responder URIs. If this option is not set, then the LDAP provider looks for the OCSP responder URI within the certificates.
The <uri-list> is a comma-separated list of URIs.
--provider-domain <string>
Specifies the domain that this provider will use to qualify user and group names.
--require-secure-connection {yes | no}
Specifies whether to require a TLS connection.
--restrict-findable {yes | no}
Specifies whether to check this provider for filtered lists of findable and unfindable users and groups.
--restrict-listable {yes | no}
Specifies whether to check this provider for filtered lists of viewable and unviewable users and groups.
--search-scope <scope>
Defines the default depth from the base distinguished name (DN) to perform LDAP searches.

The following values are valid:

base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN itself.
--search-timeout <integer>
Specifies the number of seconds after which to stop retrying and fail a search. The default value is 100.
--shadow-user-filter <string>
Sets the LDAP filter for shadow user objects.
--shadow-expire-attribute <string>
Sets the attribute name that indicates the absolute date to expire the account.
--shadow-flag-attribute <string>

Sets the attribute name that indicates the section of the shadow map that is used to store the flag value.

--shadow-inactive-attribute <string>

Sets the attribute name that indicates the number of days of inactivity that is allowed for the user.

--shadow-last-change-attribute <string>
Sets the attribute name that indicates the last change of the shadow information.
--shadow-max-attribute <string>
Sets the attribute name that indicates the maximum number of days a password can be valid.
--shadow-min-attribute <string>
Sets the attribute name that indicates the minimum number of days between shadow changes.
--shadow-warning-attribute <string>

Sets the attribute name that indicates the number of days before the password expires to warn the user.

--shell-attribute <string>
Specifies the LDAP attribute that is used when searching for a user's UNIX login shell. The default value is loginShell.
--ssh-public-key-attribute <string>
Sets the name of the LDAP attribute that contains the user's SSH public key.
--tls-revocation-check-level {strict | allowNoSrc | allowNoData | none}
When TLS is enabled, enforces additional verifications of certificates received from the LDAP server in the TLS handshake. Valid values are:
strict
Requires valid and current revocation information for all certificates received from the LDAP server in the TLS handshake. If any certificates do not comply, the LDAP provider ends the TLS session.
allowNoSrc
Accepts certificates from the LDAP server if no revocation retrieval information is available for them. A warning is logged for such certificates. Otherwise, the LDAP provider ends the TLS session if either of the following is true for any certificate:
  • It is not possible to retrieve the revocation information
  • The revocation state indicates that the certificate is not valid and current
allowNoData
Accepts certificates from the LDAP server if it is not possible to retrieve the revocation state. A warning is logged for such certificates. If revocation state is successfully retrieved, then it must indicate that the certificate is valid and current. Otherwise the LDAP provider ends the TLS session.
none
No revocation checking is performed. This is the default setting.

Also see --ocsp-server-uris.

--uid-attribute <string>
Specifies the LDAP attribute that contains UID numbers. The default value is uidNumber.
--unfindable-groups <string>
Specifies a group that cannot be found in this provider if --restrict-findable is enabled. Repeat this option to specify multiple list items. This option overwrites the entries in the unfindable groups list; to add or remove groups without affecting current entries, use --add-unfindable-groups or --remove-unfindable-groups.
--clear-unfindable-groups
Removes all entries from the list of unfindable groups.
--add-unfindable-groups <string>
Adds an entry to the list of unfindable groups that is checked if --restrict-findable is enabled. Repeat this option to specify multiple list items.
--remove-unfindable-groups <string>
Removes an entry from the list of unfindable groups that is checked if --restrict-findable is enabled. Repeat this option to specify multiple list items.
--unfindable-users <string>
Specifies a user that cannot be found in this provider if --restrict-findable is enabled. Repeat this option to specify multiple list items. This option overwrites the entries in the unfindable users list; to add or remove users without affecting current entries, use --add-unfindable-users or --remove-unfindable-users.
--clear-unfindable-users
Removes all entries from the list of unfindable users.
--add-unfindable-users <string>
Adds an entry to the list of unfindable users that is checked if --restrict-findable is enabled. Repeat this option to specify multiple list items.
--remove-unfindable-users <string>
Removes an entry from the list of unfindable users that is checked if --restrict-findable is enabled. Repeat this option to specify multiple list items.
--unique-group-members-attribute <string>
Specifies the LDAP attribute that contains unique group members. This attribute is used to determine which groups a user belongs to if the LDAP server is queried by the user’s DN instead of the user’s name. This setting has no default value.
--unlistable-groups <string>
Specifies a group that cannot be listed in this provider if --restrict-listable is enabled. Repeat this option to specify multiple list items. This option overwrites the entries in the unlistable groups list; to add or remove groups without affecting current entries, use --add-unlistable-groups or --remove-unlistable-groups.
--clear-unlistable-groups
Removes all entries from the list of unviewable groups.
--add-unlistable-groups <string>
Adds an entry to the list of unviewable groups that is checked if --restrict-listable is enabled. Repeat this option to specify multiple list items.
--remove-unlistable-groups <string>
Removes an entry from the list of unviewable groups that is checked if --restrict-listable is enabled. Repeat this option to specify multiple list items.
--unlistable-users <string>
Specifies a user that cannot be viewed in this provider if --restrict-listable is enabled. Repeat this option to specify multiple list items. This option overwrites the entries in the unlistable users list; to add or remove users without affecting current entries, use --add-unlistable-users or --remove-unlistable-users.
--clear-unlistable-users
Removes all entries from the list of unviewable users.
--add-unlistable-users <string>
Adds an entry to the list of unviewable users that is checked if --restrict-listable is enabled. Repeat this option to specify multiple list items.
--remove-unlistable-users <string>
Removes an entry from the list of unviewable users that is checked if --restrict-listable is enabled. Repeat this option to specify multiple list items.
--user-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for users.
--user-domain <string>
Specifies the domain that this provider will use to qualify users. The default user domain is LDAP_USERS.
--user-filter <string>
Sets the LDAP filter for user objects.
--user-search-scope <scope>
Defines the depth from the base distinguished name (DN) to perform LDAP searches for users.

The following values are valid:

default
Applies the setting in --search-scope.
NOTE: You cannot specify --search-scope=default. For example, if you specify --user-search-scope=default, the search scope is set to the value of --search-scope.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN.
--template {default | rfc2307 | ad-idmu | ldapsam}
Specifies a template to be used to configure the LDAP provider. Each template provides a pre-selected set of attributes. The templates are: RFC 2307 (rfc2307), Active Directory Identity Management for UNIX (ad-idmu), and LDAP for Samba (ldapsam).
--bind-password <string>
Sets the password for the distinguished name that is used when binding to the LDAP server. To set the password interactively, use the --set-bind-password option instead.
--set-bind-password
Interactively sets the password for the distinguished name that is used when binding to the LDAP server. This option cannot be used with --bind-password.
{--force | -f}
Specifies to ignore warnings when creating or modifying an LDAP provider.
{--verbose | -v}
Displays detailed information.
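The search-scope values documented above for --search-scope, --user-search-scope, --group-search-scope and --netgroup-search-scope (base, onelevel, subtree, children, and a per-type value of default inheriting --search-scope) are easy to misread, in particular the difference between subtree and children. The following shell script is an added example, not OneFS code and not part of this reference: it models those scopes on the sample DNs used in this reference (DC=mycompany,DC=com, CN=Users, CN=myuser) so the effect of each value can be checked before it is applied. It assumes DNs contain no escaped commas, so RDN depth is simply the number of comma-separated components.

```shell
#!/bin/sh
# Added example, not OneFS code: models the --search-scope values described
# in the isi auth ldap modify reference on sample DNs.
# Assumption: DNs contain no escaped commas, so depth = number of RDNs.

# Print the number of RDNs in a DN.
dn_depth() {
  printf '%s\n' "$1" | awk -F',' '{ print NF }'
}

# Usage: resolve_scope <per-type-scope> <search-scope-value>
# A per-type scope of "default" inherits --search-scope (which itself may
# not be "default"); any other value is used as given.
resolve_scope() {
  if [ "$1" = default ]; then
    printf '%s\n' "$2"
  else
    printf '%s\n' "$1"
  fi
}

# Usage: dn_in_scope <base-dn> <scope> <candidate-dn>
# Returns 0 if a search of the given scope rooted at base-dn examines the
# candidate entry, 1 if it does not, 2 for an unknown scope value.
dn_in_scope() {
  sb=$1
  sc=$2
  cand=$3
  if [ "$cand" = "$sb" ]; then
    rel=0
  else
    case "$cand" in
      *",$sb") rel=$(( $(dn_depth "$cand") - $(dn_depth "$sb") )) ;;
      *) return 1 ;;   # not beneath the base DN at all
    esac
  fi
  case "$sc" in
    base)     [ "$rel" -eq 0 ] ;;   # only the base entry itself
    onelevel) [ "$rel" -eq 1 ] ;;   # entries exactly one level below
    subtree)  [ "$rel" -ge 0 ] ;;   # the base entry and everything below it
    children) [ "$rel" -ge 1 ] ;;   # everything below, excluding the base
    *)        return 2 ;;
  esac
}

# Walk the sample DNs from this reference through each scope value.
base='DC=mycompany,DC=com'
for scope in base onelevel subtree children; do
  for dn in "$base" "CN=Users,$base" "CN=myuser,CN=Users,$base"; do
    if dn_in_scope "$base" "$scope" "$dn"; then r=searched; else r=skipped; fi
    printf '%-8s %-36s %s\n' "$scope" "$dn" "$r"
  done
done
```

Running the script prints, for every scope, which of the three sample entries a search rooted at DC=mycompany,DC=com would examine; the only row that differs between subtree and children is the base entry itself.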
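Several options above interact from a transport-security point of view: the NOTE under --server-uris (an ldap:// URI sends the bind password in clear text), --require-secure-connection, --ignore-tls-errors (certificate errors are logged but the session continues), --tls-revocation-check-level (none is the default), and --bind-password versus --set-bind-password (the interactive form keeps the password off the command line). The following shell script is an added example, not OneFS code and not part of this reference: it never runs isi, it only inspects an intended isi auth ldap modify argument list and reports those weak combinations so the command can be corrected first. The hostname ldap.example.internal and the CA path /ifs/local/ldap-ca.pem in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Added example, not OneFS code: pre-flight audit of the options you intend
# to pass to `isi auth ldap modify`. It reports the weak settings this
# reference warns about and returns the number of findings.

# Return 0 if every argument is an ldaps:// URI, 1 if any uses another scheme
# (the reference documents ldaps://<server>:<port> for secure LDAP and
# ldap://<server>:<port> for non-secure LDAP).
uris_all_ldaps() {
  for u in "$@"; do
    case "$u" in
      ldaps://*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Usage: audit_ldap_modify_args <options...>
# Prints one FINDING line per weak setting; the return value is the number
# of findings (0 means nothing was flagged).
audit_ldap_modify_args() {
  findings=0
  secure=unset
  ignore_tls=unset
  revocation=unset
  inline_password=no
  uris=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --server-uris|--add-server-uris)
        [ $# -ge 2 ] || break
        uris="$uris $2"; shift ;;          # option may be repeated
      --require-secure-connection)
        [ $# -ge 2 ] || break
        secure=$2; shift ;;
      --ignore-tls-errors)
        [ $# -ge 2 ] || break
        ignore_tls=$2; shift ;;
      --tls-revocation-check-level)
        [ $# -ge 2 ] || break
        revocation=$2; shift ;;
      --bind-password)
        inline_password=yes                 # value is never echoed
        [ $# -ge 2 ] && shift ;;
    esac
    shift
  done

  if [ -n "$uris" ] && ! uris_all_ldaps $uris; then
    echo "FINDING: a server URI uses ldap://; the bind password is sent in clear text"
    findings=$((findings + 1))
  fi
  if [ "$secure" = no ]; then
    echo "FINDING: --require-secure-connection no permits unencrypted LDAP sessions"
    findings=$((findings + 1))
  fi
  if [ "$ignore_tls" = yes ]; then
    echo "FINDING: --ignore-tls-errors yes keeps the TLS session despite certificate verification errors"
    findings=$((findings + 1))
  fi
  if [ "$revocation" = none ]; then
    echo "FINDING: --tls-revocation-check-level none disables certificate revocation checking"
    findings=$((findings + 1))
  fi
  if [ "$inline_password" = yes ]; then
    echo "FINDING: --bind-password on the command line lands in shell history; use --set-bind-password"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed demonstration (hostname and CA path are placeholders).
echo "== weak settings =="
audit_ldap_modify_args --server-uris ldap://ldap.example.internal:389 \
  --require-secure-connection no --ignore-tls-errors yes \
  --bind-password 'not-a-real-password' || echo "findings: $?"
echo "== hardened settings =="
audit_ldap_modify_args --server-uris ldaps://ldap.example.internal:636 \
  --require-secure-connection yes --certificate-authority-file /ifs/local/ldap-ca.pem \
  --tls-revocation-check-level strict --set-bind-password && echo "findings: 0"
```

The weak argument list produces four findings (clear-text URI, TLS not required, TLS errors ignored, password on the command line); the hardened list, which pairs an ldaps:// URI with --require-secure-connection yes, a --certificate-authority-file and strict revocation checking and sets the bind password interactively, produces none.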
