D.101. tarantella service new

Creates a new service object.

By default, new service objects are enabled and added in the last position in the list of service objects.

See Section 2.8.4, “Using Service Objects” for more details about service objects.

Syntax

tarantella service new { 
                       --name obj 
                       --type ldap|ad 
                       --url url... 
                     [ --position pos ]
                     [ --enabled 0|1 ]
                     [ --operation-timeout timeout ]
                     [ --base-domain domain ]
                     [ --default-domain domain ]
                     [ --black-list list ]
                     [ --white-list list ]
                     [ --security-mode ""|clientcerts ]
                     [ --auth-mode kerberos|ssl ]
                     [ --site-aware 0|1 ]
                     [ --site-name name ]
                     [ --check-pwd-policy 0|1 ]
                     [ --pwd-expiry-warn-threshold threshold ]
                     [ --pwd-expiry-fail-threshold threshold ]
                     [ --domain-list domains ]
                     [ --password-update-mode ldapuser|ldapadmin ]
                     [ --lookupcache-timeout timeout ]
                     [ --ad-alwaysusegc 0|1 ]
                     [ --suffix-mappings mappings ]
                     } | --file file

Description

The following table shows the available options for this command.

Option

Description

--name

The name of the service object to create.

See Section A.2.2, “Name” for more details.

--type

The service object type, either LDAP or Active Directory.

See Section A.2.3, “Type” for more details.

--url

The URLs of the LDAP directories or the URL of an Active Directory forest.

The URL(s) must be unique. Different service objects cannot use the same URL(s).

See Section A.2.5, “URLs” for more details.

--position

A number that specifies the position of the service object in the list of service objects. The number 1 means the first position in the list.

--enabled

Whether the service object is enabled for use.

See Section A.2.4, “Enabled” for more details.

--operation-timeout

Period of time, in seconds, to wait for a directory server to respond to an LDAP operation.

See Section 2.8.14, “LDAP Operation Timeout” for more details.

--base-domain

The domain that SGD uses for Active Directory authentication if users only supply a partial domain when they log in.

See Section A.2.8, “Active Directory Base Domain” for more details.

Applies only to Active Directory service objects.

--default-domain

The domain that SGD uses for Active Directory authentication if users do not supply a domain when they log in.

See Section A.2.9, “Active Directory Default Domain” for more details.

Applies only to Active Directory service objects.

--black-list

A list of Active Directory servers which are never used for LDAP queries.

See Section 2.8.9, “Blacklists” for more details.

Applies only to Active Directory service objects.

--white-list

A list of Active Directory servers which are always used for LDAP queries. Servers not included in the list cannot be used.

See Section 2.8.8, “Whitelists” for more details.

Applies only to Active Directory service objects.

--security-mode

Whether client certificates are used to authenticate the SSL connection to an Active Directory server. This option is only used if --auth-mode is SSL.

See Section 2.2.3.5, “SSL Connections to Active Directory” for more details.

Applies only to Active Directory service objects.

--auth-mode

The mechanism used to secure the connection to an Active Directory server, either Kerberos or SSL. Kerberos is used by default.

See Section 2.2.3.5, “SSL Connections to Active Directory” for more details.

Applies only to Active Directory service objects.

--site-aware

Enables site awareness for the service object. If --site-name is not set, SGD attempts to discover site information automatically by contacting the global catalog.

See Section 2.8.7, “Sites” for more details.

Applies only to Active Directory service objects.

--site-name

A site name for the service object. This option is only used if --site-aware is enabled.

See Section 2.8.7, “Sites” for more details.

Applies only to Active Directory service objects.

--check-pwd-policy

Whether a user's password policy should be checked at authentication time. This option is used to enable LDAP password expiry features.

See Section 2.8.5, “Password Expiry” for more details.

--pwd-expiry-warn-threshold

The period of time, in seconds, before password expiry where a warning message is shown on the webtop.

See Section 2.8.5, “Password Expiry” for more details.

--pwd-expiry-fail-threshold

The period of time, in seconds, before password expiry where authentication is denied for a user and they are forced to update their password.

See Section 2.8.5, “Password Expiry” for more details.

--domain-list

Defines a list of domains to be contacted when SGD starts.

See Section 2.8.12, “Domain Lists” for more details.

Applies only to Active Directory service objects.

--password-update-mode

Determines how aged passwords are handled.

The default setting is ldapuser, meaning that passwords are updated using the authenticated user credentials. This results in a password change.

A setting of ldapadmin means that passwords are updated using credentials of the service object. This results in a password reset.

See Section 2.8.6, “LDAP Password Update Mode” for more details.

Applies only to LDAP service objects.

--lookupcache-timeout

The length of time, in seconds, for which LDAP lookup cache entries on the SGD server are held.

See Section 2.8.13, “Lookup Cache Timeout” for more details.

--ad-alwaysusegc

Whether the global catalog is always used for lookups. Enabling this option can speed up LDAP searches.

See Section 2.8.10, “Search Only the Global Catalog” for more details.

Applies only to Active Directory service objects.

--suffix-mappings

A list of mappings between domain names, used for Kerberos authentication.

Each entry should be of the form suffix=domain, for example test.east.example.com=east.example.com.

See Section 2.8.11, “Suffix Mappings” for more details.

Applies to Active Directory service objects and LDAP service objects that connect to Active Directory.

--file

Specifies a file containing a batch of commands to edit service object attributes.

Examples

The following example creates an LDAP service object called mainldap. The service object is set to third position in the list of service objects and is enabled by default.

$ tarantella service new \
--name mainldap --type ldap \
--url "ldap://main1.example.com;ldap://main2.example.com" \
--position 3

The following example creates an Active Directory service object called east. The service object is in the last position in the list of service objects by default, and is set to disabled.

$ tarantella service new \
--name east --type ad \
--url "ad://east.example.com" \
--enabled 0
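The option table above states several constraints that the command line itself does not make obvious: the type must be ldap or ad, URLs must be unique, a group of options applies only to Active Directory service objects, --password-update-mode applies only to LDAP service objects, --security-mode is only used with --auth-mode ssl, --site-name is only used when --site-aware is enabled, and suffix mappings take the form suffix=domain. The following Python wrapper is an added example, not part of the SGD documentation or of the tarantella tool; it builds the argument list for tarantella service new and rejects combinations the table says are invalid or silently ignored, before anything is executed. The option names and values are the documented ones; the helper names, the options dictionary layout and the use of ';' to join list values (as in the --url example above) are this example's own assumptions.

```python
"""Added example (not SGD's own code): build and sanity-check a
`tarantella service new` command line against the rules in the option table."""
import shlex
import subprocess
from typing import Dict, List, Optional

# Options the table marks "Applies only to Active Directory service objects".
AD_ONLY = {"base-domain", "default-domain", "black-list", "white-list",
           "security-mode", "auth-mode", "site-aware", "site-name",
           "domain-list", "ad-alwaysusegc"}
# Options the table marks "Applies only to LDAP service objects".
LDAP_ONLY = {"password-update-mode"}
# Options documented as 0|1, as a number of seconds or a position, or as an enum.
BOOL_OPTS = {"enabled", "site-aware", "check-pwd-policy", "ad-alwaysusegc"}
NUMERIC_OPTS = {"position", "operation-timeout", "pwd-expiry-warn-threshold",
                "pwd-expiry-fail-threshold", "lookupcache-timeout"}
ENUM_OPTS = {"security-mode": {"", "clientcerts"},
             "auth-mode": {"kerberos", "ssl"},
             "password-update-mode": {"ldapuser", "ldapadmin"}}


def build_service_new(name: str, type_: str, urls: List[str],
                      options: Optional[Dict[str, str]] = None) -> List[str]:
    """Return argv for `tarantella service new`, or raise ValueError.

    `options` maps a long option name without the leading dashes (for example
    "enabled") to its value as a string. List values are joined with ';'
    (assumption, following the --url example in the documentation).
    """
    options = dict(options or {})
    if type_ not in ("ldap", "ad"):
        raise ValueError("--type must be ldap or ad")
    if not urls:
        raise ValueError("at least one --url is required")
    if len(set(urls)) != len(urls):
        raise ValueError("URLs must be unique")
    for opt, value in options.items():
        if type_ == "ldap" and opt in AD_ONLY:
            raise ValueError(f"--{opt} applies only to Active Directory service objects")
        if type_ == "ad" and opt in LDAP_ONLY:
            raise ValueError(f"--{opt} applies only to LDAP service objects")
        if opt in BOOL_OPTS and value not in ("0", "1"):
            raise ValueError(f"--{opt} takes 0 or 1")
        if opt in NUMERIC_OPTS and not value.isdigit():
            raise ValueError(f"--{opt} takes a non-negative integer")
        if opt in ENUM_OPTS and value not in ENUM_OPTS[opt]:
            raise ValueError(f"--{opt} must be one of {sorted(ENUM_OPTS[opt])}")
    # Settings the documentation says are ignored in a given combination are
    # a configuration smell (an operator may believe they are in effect), so
    # reject them rather than pass them through.
    if "security-mode" in options and options.get("auth-mode") != "ssl":
        raise ValueError("--security-mode is only used when --auth-mode is ssl")
    if "site-name" in options and options.get("site-aware") != "1":
        raise ValueError("--site-name is only used when --site-aware is 1")
    # Each suffix mapping must have the form suffix=domain.
    if "suffix-mappings" in options:
        for entry in options["suffix-mappings"].split(";"):
            suffix, sep, domain = entry.partition("=")
            if not (suffix and sep and domain):
                raise ValueError(f"suffix mapping {entry!r} is not of the form suffix=domain")
    argv = ["tarantella", "service", "new", "--name", name, "--type", type_,
            "--url", ";".join(urls)]
    for opt, value in options.items():
        argv += [f"--{opt}", value]
    return argv


def render(argv: List[str]) -> str:
    """Shell-quoted form of argv, safe to paste into a shell or into a change log."""
    return shlex.join(argv)


def run(argv: List[str], dry_run: bool = True) -> int:
    """Print the command; execute it only when dry_run is False (requires the
    tarantella binary on PATH). Returns the exit status (0 for a dry run)."""
    print(render(argv))
    if dry_run:
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # The two examples from the documentation, plus a constructed AD service
    # object that uses SSL with client certificates and restricts lookups to
    # a whitelist of servers (sample host names).
    run(build_service_new("mainldap", "ldap",
                          ["ldap://main1.example.com", "ldap://main2.example.com"],
                          {"position": "3"}))
    run(build_service_new("east", "ad", ["ad://east.example.com"], {"enabled": "0"}))
    run(build_service_new("east-tls", "ad", ["ad://east.example.com"],
                          {"auth-mode": "ssl", "security-mode": "clientcerts",
                           "white-list": "dc1.east.example.com;dc2.east.example.com"}))
```

Run the file as-is to see the three command lines printed without executing anything; pass dry_run=False to run() once the arguments have been reviewed on a host where tarantella is installed.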