installutil setldapinit

Use the setldapinit subcommand to set the parameter string that is required to connect a Rational® ClearQuest® database set to the LDAP directory used for authentication.

Synopsis

installutil setldapinit dbset_name cq_login cq_password [ -site site | -domain domain ] "params"
installutil setldapinit dbset_name cq_login cq_password [ { -allsites | -site site } | { -alldomains | -domain domain } ] -remove

Description

Use the setldapinit subcommand to set the parameter string that is required to connect a Rational ClearQuest database set to the LDAP directory used for authentication. It is run once per domain, site, or both, if applicable.

Options and Arguments

-site site
Specifies that the parameter settings apply only to the site that you specify. If you do not specify -site site, the parameter settings apply to all sites.
-site site -remove
-allsites -remove
Removes the existing settings for the specified subcommand. You must specify -site or -allsites with -remove. Use -site to remove the settings at one specific site. Use -allsites to remove the settings at all sites.
-domain domain
Rational ClearQuest supports environments where multiple LDAP configurations can be used to authenticate. Use this option to specify that the parameter settings apply only to the indicated domain. If you do not specify this option, the parameter settings apply to all domains.
-domain domain -remove
-alldomains -remove
Removes the existing settings for the specified domains. You must specify -domain or -alldomains with -remove. Use -domain to remove the settings at one specific domain. Use -alldomains to remove the settings at all domains.
params
A string that consists of a subset of the arguments available for use with the IBM® Tivoli® Directory Server Client ldapsearch function. This string is not required when you specify -remove. If any argument in the string contains a special character such as a space, backward slash, or double quotes, you must enclose the argument in single quotes. For more information about the ldapsearch syntax, see IBM Tivoli Directory Administration Guide, which is available in the IBM Publications Center at http://www.ibm.com/shop/publications/order.

Arguments for ldapsearch function

-h ldaphost
A host on which the LDAP server is running. The IBM Tivoli documentation describes several ways to specify multiple host names. Use single quotes to enclose a list of multiple host names, and use spaces to separate the host names.
-p ldapport
A TCP port where the LDAP server listens. The default LDAP port is 389. If you specify -Z and do not specify a port with -p, the default SSL port is 636.
-D bindname
Binds a user account to a distinguished name (DN) in the LDAP directory tree. The bindname argument is a distinguished name represented as a text string. If you do not specify -D, LDAP performs an anonymous user search.
Attention: The bindname and associated password (described next) should be a user account and password that do not expire. Otherwise, you will need to reconfigure the bindname and password.
-w passwd
The password to use to authenticate the user account at the DN that you specify with the -D argument.
-Z
Indicates that a secure SSL connection is to be used to communicate with the LDAP server. This option is supported only when the SSL component, as provided by IBM's GSKit, is installed.
-K keyfile
The name of the SSL key database file (with the extension kdb). You must enclose the key database file name in single quotes. Rational ClearQuest determines which platform it is running on and then selects the certificate store location from the -K string that matches that platform. The platform choices are win: and unix:. You can override the -K setting by setting the RATL_SSL_KEYRING environment variable. If you do not specify -K or set the RATL_SSL_KEYRING environment variable, Rational ClearQuest looks in the \Rational\Common directory for a file called ldapkey.kdb.
-P keyfilepw
The key database file password. This password is required to access the encrypted information in the key database file (which may include one or more certificates). If you do not specify this argument, GSKit looks in the directory that contains the key database file for a password stash file of the same name as the key database file with an extension of .sth. The .sth extension identifies a password stash file, which can contain an encrypted password that GSKit knows how to retrieve. If you do not specify -Z and -K, Rational ClearQuest ignores the -P argument.
-N certificatename
The label associated with the client certificate in the key database file.
-R
Use this command-line argument to disable LDAP referral chasing when running the installutil setldapinit command to connect a Rational ClearQuest database set to authenticate by using the LDAP directory server.

By default, if an LDAP search returns a referral object, the LDAP libraries search for the referral object until it is found. Rational ClearQuest versions 2003.06.15 and above support LDAP with referral chasing enabled on the LDAP server as long as the base search path does not start at the top of the LDAP directory tree. When setting up LDAP authentication for a ClearQuest database set, you might choose to temporarily disable referral chasing on the LDAP server. Alternatively, you might choose to deploy a separate LDAP server for ClearQuest with referral chasing disabled.

Attention: You might need to keep LDAP referral chasing enabled when connecting to a Microsoft Windows Active Directory server.

Examples

In the following example, the setldapinit subcommand configures the dbset1 database set for LDAP authentication. The ClearQuest login user name is bob_admin and the login password is bob_pw. The host on which the LDAP server runs is ldap_host1.
installutil setldapinit dbset1 bob_admin bob_pw -domain Domain1 "-h ldap_host1 -p 389 -D uid=0A9701897,OU=bluepages,o=ibm.com -w pswd"
Depending on your LDAP environment, you might need to specify additional configuration settings. For example, if the LDAP server does not allow anonymous searches, ask your LDAP administrator to create an LDAP account with privileges that allow Rational ClearQuest to perform the search of the LDAP directory as specified by the setldapsearch subcommand. Use the -D and -w options to specify the bindname and password of such a search account.
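
The following is an added example, not part of the original documentation or of Rational ClearQuest: a small Python check that parses a params string using the single-quote rule described above and reports how it binds and connects, based only on the option behaviour listed on this page. The function names and finding texts are hypothetical; PAGE_EXAMPLE is the string from the example above.

```python
import shlex

# Options taken from the "Arguments for ldapsearch function" list on this page.
TAKES_VALUE = {"-h", "-p", "-D", "-w", "-K", "-P", "-N"}
FLAGS = {"-Z", "-R"}
# The params string from the page's Examples section.
PAGE_EXAMPLE = "-h ldap_host1 -p 389 -D uid=0A9701897,OU=bluepages,o=ibm.com -w pswd"


def parse_params(params):
    """Split a params string into {option: value}; flags map to True."""
    tokens = shlex.split(params)  # single quotes protect spaces and backslashes
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            opts[tok] = True
        elif tok in TAKES_VALUE:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a value")
            i += 1
            opts[tok] = tokens[i]
        else:
            raise ValueError(f"unexpected token: {tok!r}")
        i += 1
    return opts


def effective_port(opts):
    """Port in use: -p if given, otherwise 636 with -Z, otherwise 389."""
    return int(opts["-p"]) if "-p" in opts else (636 if "-Z" in opts else 389)


def review(params):
    """Return findings about how the params string binds and connects."""
    opts, findings = parse_params(params), []
    if "-D" not in opts:
        findings.append("anonymous search: no -D bind name")
    elif "-w" in opts and "-Z" not in opts:
        findings.append("bind password sent without SSL: -w used without -Z")
    if "-P" in opts and not ("-Z" in opts and "-K" in opts):
        findings.append("-P is ignored unless both -Z and -K are given")
    elif "-P" in opts:
        findings.append("key database password inline: omit -P to use the .sth stash file")
    return findings


if __name__ == "__main__":
    print(effective_port(parse_params(PAGE_EXAMPLE)), review(PAGE_EXAMPLE))
```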

See also

installutil

