D.99. tarantella service edit

Edits one or more attributes for a service object.

See Section 2.8.4, “Using Service Objects” for more details about service objects.

Syntax

tarantella service edit {
                       --name obj
                     [ --url url... ]
                     [ --position pos ]
                     [ --enabled 0|1 ]
                     [ --operation-timeout timeout ]
                     [ --base-domain domain ]
                     [ --default-domain domain ]
                     [ --black-list list ]
                     [ --white-list list ]
                     [ --security-mode ""|clientcerts ]
                     [ --auth-mode kerberos|ssl ]
                     [ --site-aware 0|1 ]
                     [ --site-name name ]
                     [ --check-pwd-policy 0|1 ]
                     [ --pwd-expiry-warn-threshold threshold ]
                     [ --pwd-expiry-fail-threshold threshold ]
                     [ --domain-list domains ]
                     [ --password-update-mode ldapuser|ldapadmin ]
                     [ --lookupcache-timeout timeout ]
                     [ --ad-alwaysusegc 0|1 ]
                     [ --suffix-mappings mappings ]
                     } | --file file

Description

The following table shows the available options for this command.

Option

Description

--name

The name of the service object to edit.

See Section A.2.2, “Name” for more details.

--url

The URLs of the LDAP directories or the URL of an Active Directory forest.

The URL(s) must be unique. Different service objects cannot use the same URL(s).

See Section A.2.5, “URLs” for more details.

--position

A number that specifies the position of the service object in the list of service objects. The number 1 means first position in the list.

--enabled

Whether the service object is enabled for use for authentication.

See Section A.2.4, “Enabled” for more details.

--operation-timeout

Period of time, in seconds, to wait for a directory server to respond to an LDAP operation.

See Section 2.8.14, “LDAP Operation Timeout” for more details.

--base-domain

The domain that SGD uses for Active Directory authentication if users only supply a partial domain when they log in.

See Section A.2.8, “Active Directory Base Domain” for more details.

Applies only to Active Directory service objects.

--default-domain

The domain that SGD uses for Active Directory authentication if users do not supply a domain when they log in.

See Section A.2.9, “Active Directory Default Domain” for more details.

Applies only to Active Directory service objects.

--black-list

A list of Active Directory servers which are never used for LDAP queries.

See Section 2.8.9, “Blacklists” for more details.

Applies only to Active Directory service objects.

--white-list

A list of Active Directory servers which are always used for LDAP queries. Servers not included in the list cannot be used.

See Section 2.8.8, “Whitelists” for more details.

Applies only to Active Directory service objects.

--security-mode

Whether client certificates are used to authenticate the SSL connection to an Active Directory server. This option is only used if --auth-mode is set to ssl.

See Section 2.2.3.5, “SSL Connections to Active Directory” for more details.

Applies only to Active Directory service objects.

--auth-mode

The mechanism used to secure the connection to an Active Directory server, either Kerberos or SSL. Kerberos is used by default.

See Section 2.2.3.5, “SSL Connections to Active Directory” for more details.

Applies only to Active Directory service objects.

--site-aware

Enables site awareness for the service object. If --site-name is not set, SGD attempts to discover site information automatically by contacting the global catalog.

See Section 2.8.7, “Sites” for more details.

Applies only to Active Directory service objects.

--site-name

A site name for the service object. This option is only used if --site-aware is enabled.

See Section 2.8.7, “Sites” for more details.

Applies only to Active Directory service objects.

--check-pwd-policy

Whether a user's password policy should be checked at authentication time. This option is used to enable LDAP password expiry features.

See Section 2.8.5, “Password Expiry” for more details.

--pwd-expiry-warn-threshold

The period of time, in seconds, before password expiry during which a warning message is shown on the webtop.

See Section 2.8.5, “Password Expiry” for more details.

--pwd-expiry-fail-threshold

The period of time, in seconds, before password expiry during which authentication is denied for a user and they are forced to update their password.

See Section 2.8.5, “Password Expiry” for more details.

--domain-list

Defines a list of domains to be contacted when SGD starts.

See Section 2.8.12, “Domain Lists” for more details.

Applies only to Active Directory service objects.

--password-update-mode

Determines how aged passwords are handled.

The default setting is ldapuser, meaning that passwords are updated using the authenticated user credentials. This results in a password change.

A setting of ldapadmin means that passwords are updated using the credentials of the service object.

See Section 2.8.6, “LDAP Password Update Mode” for more details.

Applies only to LDAP service objects.

--lookupcache-timeout

The length of time, in seconds, for which LDAP lookup cache entries on the SGD server are held.

See Section 2.8.13, “Lookup Cache Timeout” for more details.

--ad-alwaysusegc

Whether the global catalog is always used for lookups. Enabling this option can speed up LDAP searches.

See Section 2.8.10, “Search Only the Global Catalog” for more details.

Applies only to Active Directory service objects.

--suffix-mappings

A list of mappings between domain names, used for Kerberos authentication.

Each entry should be of the form suffix=domain, for example test.east.example.com=east.example.com.

See Section 2.8.11, “Suffix Mappings” for more details.

Applies to Active Directory service objects and LDAP service objects that connect to Active Directory.

--file

Specifies a file containing a batch of commands to edit service object attributes.

Examples

The following example disables the testldap service object.

$ tarantella service edit --name testldap --enabled 0

The following example changes the position of the mainldap service object to third in the list of service objects.

$ tarantella service edit --name mainldap --position 3
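
The option table above notes that --security-mode is only used with --auth-mode ssl, that --site-name is only used when --site-aware is enabled, and that suffix mappings take the form suffix=domain. As an added example (not part of the SGD documentation or tooling), the hypothetical shell function sgd_lint_service_edit below checks a planned argument list against those rules before the command is run; the object name mainad is constructed.

```bash
#!/usr/bin/env bash
# Added example: lints the arguments planned for `tarantella service edit`.
# It never runs tarantella and sees only this command line, not the values
# already stored on the service object, so treat WARN lines as prompts to check.
# Usage: sgd_lint_service_edit --name mainad --auth-mode ssl --security-mode clientcerts
sgd_lint_service_edit() {
  local opt="" auth="" sec="" aware="" site="" n=0 arg
  for arg in "$@"; do
    case "$arg" in --*) opt="$arg"; continue ;; esac
    case "$opt" in
      --auth-mode)
        auth="$arg"
        case "$arg" in
          kerberos|ssl) ;;
          *) echo "ERROR: --auth-mode takes kerberos or ssl: $arg"; n=$((n+1)) ;;
        esac ;;
      --security-mode) sec="$arg" ;;
      --site-name) site="$arg" ;;
      --suffix-mappings)
        # Assumption: each argument up to the next option is one mapping.
        case "$arg" in
          ?*=?*) ;;
          *) echo "ERROR: mapping is not suffix=domain: $arg"; n=$((n+1)) ;;
        esac ;;
      --enabled|--site-aware|--check-pwd-policy|--ad-alwaysusegc)
        [ "$opt" = "--site-aware" ] && aware="$arg"
        case "$arg" in
          0|1) ;;
          *) echo "ERROR: $opt takes 0 or 1: $arg"; n=$((n+1)) ;;
        esac ;;
    esac
  done
  # Client certificates are only used when the connection is secured with SSL.
  if [ "$sec" = "clientcerts" ] && [ "$auth" != "ssl" ]; then
    echo "WARN: --security-mode clientcerts is only used with --auth-mode ssl"
    n=$((n+1))
  fi
  # A site name is only used when site awareness is enabled.
  if [ -n "$site" ] && [ "$aware" != "1" ]; then
    echo "WARN: --site-name is only used when --site-aware is enabled"
    n=$((n+1))
  fi
  return "$n"   # exit status = number of findings (0 means clean)
}
```

Because the function inspects a single command line, a WARN for an option whose companion setting is already stored on the service object can be disregarded once that stored value is confirmed.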