Table 6.12. ldapmodify SSL Options, SASL Options, Command-Line Utilities – Red Hat 8.1 User Manual

Page 191: Chapter 6, command-line utilities


Table 6.12. ldapmodify SSL Options

Option

Description

-3

Specifies that hostnames should be checked in SSL
certificates.

-I

Specifies the SSL key password file that contains
the token:password pair.

-K

Specifies the path, including the filename, of the
private key database of the client. Either the
absolute or relative (to the server root) path can be
specified. The -K option must be used when the
key database has a different name than key3.db
or when the key database is not under the same
directory as the certificate database, the cert8.db
file (the path for which is specified with the -P
option).

-N

Specifies the certificate name to use for certificate-based
client authentication. For example:

-N Server-Cert

If this option is specified, then the -Z and -W
options are required. Also, if this option is specified,
then the -D and -w options must not be specified,
or certificate-based authentication will not occur,
and the bind operation will use the authentication
credentials specified on -D and -w.

-P

Specifies the absolute path, including the filename,
of the certificate database of the client. This option
is used only with the -Z option. When used on a
machine where an SSL-enabled web browser is
configured, the path specified on this option can be
pointed to the certificate database for the web
browser. For example:

-P /security/cert.db

The client security files can be stored on the
Directory Server in the
/etc/dirsrv/slapd-instance_name directory.
In this case, the -P option calls out a path and
filename similar to the following:

-P /etc/dirsrv/slapd-instance_name/client-cert.db

-Q

Specifies the token and certificate name, which are
separated by a colon (:), for PKCS11.

-W

Specifies the password for the certificate database
identified on the -P option. For example:

-W serverpassword

-Z

Specifies that SSL is to be used for the directory
request.

-ZZ

Specifies the Start TLS request. Use this option to
make a cleartext connection into a secure one. If the
server does not support Start TLS, the command
does not need to be aborted; it will continue in cleartext.

-ZZZ

Enforces the Start TLS request. The server must
respond that the request was successful. If the
server does not support Start TLS, for example because
Start TLS is not enabled or the certificate information is
incorrect, the command is aborted immediately.
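The option rules in Table 6.12 can be checked before a command is run. The shell function below is an added example, not part of the Red Hat manual; the name check_ldapmodify_args and the finding texts are made up for illustration, and it assumes that -ZZ or -ZZZ also satisfy the -Z requirement the table states for -N and -P.

```shell
#!/bin/sh
# Added example (not from the manual): lint an ldapmodify argument list
# against the rules in Table 6.12. Findings go to stdout, one per line;
# the exit status is the number of ERROR findings.
# The ( ) body runs in a subshell, so the variables below do not leak.
check_ldapmodify_args() (
    tls=none has_N=0 has_W=0 has_P=0 has_D=0 has_w=0 has_3=0 errors=0
    err()  { printf 'ERROR: %s\n' "$1"; errors=$((errors + 1)); }
    warn() { printf 'WARN: %s\n' "$1"; }
    while [ $# -gt 0 ]; do
        case "$1" in
            -Z)   tls=ssl ;;
            -ZZ)  tls=starttls ;;
            -ZZZ) tls=starttls-enforced ;;
            -3)   has_3=1 ;;
            # Options that take a value: note the flag, skip the value.
            -N) has_N=1; shift ;;
            -W) has_W=1; shift ;;
            -P) has_P=1; shift ;;
            -D) has_D=1; shift ;;
            -w) has_w=1; shift ;;
            -I|-K|-Q) shift ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if [ "$has_N" -eq 1 ]; then
        # Assumption: -ZZ/-ZZZ count as TLS here; the table names only -Z.
        [ "$tls" != none ] || err "-N requires -Z"
        [ "$has_W" -eq 1 ] || err "-N requires -W"
        if [ "$has_D" -eq 1 ] || [ "$has_w" -eq 1 ]; then
            err "-N with -D/-w: the bind uses the -D/-w credentials, not the certificate"
        fi
    fi
    if [ "$has_P" -eq 1 ] && [ "$tls" = none ]; then
        warn "-P is used only with -Z"
    fi
    [ "$tls" != starttls ] || warn "-ZZ continues in cleartext if the server does not support Start TLS; use -ZZZ"
    if [ "$tls" != none ] && [ "$has_3" -eq 0 ]; then
        warn "-3 not given: hostnames in SSL certificates are not checked"
    fi
    exit "$errors"
)
```

Pass it the same arguments that are intended for ldapmodify; a non-zero exit status means the command would not perform the certificate-based bind the table describes.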

SASL Options

SASL mechanisms can be used to authenticate a user, using the -o option to pass the required SASL information.

To learn which SASL mechanisms are supported, search the root DSE. See the -b option in Table 6.3,

Red Hat Directory Server 8.1 Configuration and Command Reference
