The tarantella service Command
You use this command to manage service objects used for the following SGD
authentication mechanisms:
See Using Service Objects for more details about service objects.
Syntax
tarantella service delete | edit | list | new
Description
The following table shows the available subcommands for this command.
Subcommand | Description
delete | Deletes a service object
edit | Edits a service object
list | Lists service objects and their attributes
new | Creates a new service object
Note - All commands include a --help option. You can use tarantella service subcommand --help to get help on a specific command.
Examples
The following example lists all of the available service objects and their attribute values.
$ tarantella service list
The following example deletes the mainldap service object.
$ tarantella service delete --name mainldap
tarantella service delete
Deletes a service object.
See Using Service Objects for more details about service objects.
Syntax
tarantella service delete { --name obj... } | --file file
Description
The following table shows the available options for this command.
Option | Description
--name | Specifies the name of the service object to delete. This can be a space-separated list of names.
--file | Specifies a file containing a batch of commands to delete service objects.
Examples
The following example deletes the east service object.
$ tarantella service delete --name east
tarantella service edit
Edits one or more attributes for a service object.
See Using Service Objects for more details about service objects.
Syntax
tarantella service edit {
--name obj
[ --url url... ]
[ --position pos ]
[ --enabled 0|1 ]
[ --operation-timeout timeout ]
[ --base-domain domain ]
[ --default-domain domain ]
[ --black-list list ]
[ --white-list list ]
[ --security-mode ""|clientcerts ]
[ --auth-mode kerberos|ssl ]
[ --site-aware 0|1 ]
[ --site-name name ]
[ --check-pwd-policy 0|1 ]
[ --pwd-expiry-warn-threshold threshold ]
[ --pwd-expiry-fail-threshold threshold ]
[ --domain-list domains ]
[ --password-update-mode ldapuser|ldapadmin ]
[ --lookupcache-timeout timeout ]
[ --ad-alwaysusegc 0|1 ]
[ --suffix-mappings mappings ]
} | --file file
Description
The following table shows the available options for this command.
Option | Description
--name | The name of the service object to edit. See Name for more details.
--url | The URLs of the LDAP directories or the URL of an Active Directory forest. The URL(s) must be unique. Different service objects cannot use the same URL(s). See URLs for more details.
--position | A number that specifies the position of the service object in the list of service objects. The number 1 means first position in the list.
--enabled | Whether the service object is enabled for use for authentication. See Enabled for more details.
--operation-timeout | Period of time, in seconds, to wait for a directory server to respond to an LDAP operation. See LDAP Operation Timeout for more details.
--base-domain | The domain that SGD uses for Active Directory authentication if users only supply a partial domain when they log in. See Active Directory Base Domain for more details. Applies only to Active Directory service objects.
--default-domain | The domain that SGD uses for Active Directory authentication if users do not supply a domain when they log in. See Active Directory Default Domain for more details. Applies only to Active Directory service objects.
--black-list | A list of Active Directory servers which are never used for LDAP queries. See Blacklists for more details. Applies only to Active Directory service objects.
--white-list | A list of Active Directory servers which are always used for LDAP queries. Servers not included in the list cannot be used. See Whitelists for more details. Applies only to Active Directory service objects.
--security-mode | Whether client certificates are used to authenticate the SSL connection to an Active Directory server. This option is only used if --auth-mode is SSL. See SSL Connections to Active Directory for more details. Applies only to Active Directory service objects.
--auth-mode | The mechanism used to secure the connection to an Active Directory server, either Kerberos or SSL. Kerberos is used by default. See SSL Connections to Active Directory for more details. Applies only to Active Directory service objects.
--site-aware | Enables site awareness for the service object. If --site-name is not set, SGD attempts to discover site information automatically by contacting the global catalog. See Sites for more details. Applies only to Active Directory service objects.
--site-name | A site name for the service object. This option is only used if --site-aware is enabled. See Sites for more details. Applies only to Active Directory service objects.
--check-pwd-policy | Whether a user’s password policy should be checked at authentication time. This option is used to enable LDAP password expiry features. See Password Expiry for more details.
--pwd-expiry-warn-threshold | The period of time, in seconds, before password expiry at which a warning message is shown on the webtop. See Password Expiry for more details.
--pwd-expiry-fail-threshold | The period of time, in seconds, before password expiry at which authentication is denied for a user and they are forced to update their password. See Password Expiry for more details.
--domain-list | Defines a list of domains to be contacted when SGD starts. See Domain Lists for more details. Applies only to Active Directory service objects.
--password-update-mode | Determines how aged passwords are handled. The default setting is ldapuser, meaning that passwords are updated using the authenticated user credentials. This results in a password change. A setting of ldapadmin means that passwords are updated using the credentials of the service object. See LDAP Password Update Mode for more details. Applies only to LDAP service objects.
--lookupcache-timeout | The length of time, in seconds, for which LDAP lookup cache entries on the SGD server are held. See Lookup Cache Timeout for more details.
--ad-alwaysusegc | Whether the global catalog is always used for lookups. Enabling this option can speed up LDAP searches. See Search Only the Global Catalog for more details. Applies only to Active Directory service objects.
--suffix-mappings | A list of mappings between domain names, used for Kerberos authentication. Each entry should be of the form suffix=domain, for example test.east.example.com=east.example.com. See Suffix Mappings for more details. Applies only to Active Directory service objects.
--file | Specifies a file containing a batch of commands to edit service object attributes.
Examples
The following example disables the testldap service object.
$ tarantella service edit --name testldap --enabled 0
The following example changes the position of the mainldap service object to third in the list of service objects.
$ tarantella service edit --name mainldap --position 3
tarantella service list
Lists the available service objects and their attributes.
See Using Service Objects for more details about service objects.
Syntax
tarantella service list { [ --name obj ] [ --setting... ] } | --file file
Description
The following table shows the available options for this command.
Option | Description
--name | Specifies the name of the service object to list. If no --name is specified, all service objects and their attribute values are listed.
--setting | Names a service object attribute you want to list the value for. If no --setting is specified, all attributes are listed for the service object.
--file | Specifies a file containing a batch of commands to list service objects and their attribute settings.
Examples
The following example lists all service objects in their position order and their attribute values.
$ tarantella service list
The following example lists the values of the URL and Enabled attributes for the mainldap service object.
$ tarantella service list --name mainldap --url --enabled
The following example lists all the attribute values for the mainldap service object.
$ tarantella service list --name mainldap
tarantella service new
Creates a new service object.
By default, new service objects are enabled and added in the last position in the list of service objects.
See Using Service Objects for more details about service objects.
Syntax
tarantella service new {
--name obj
--type ldap|ad
--url url...
[ --position pos ]
[ --enabled 0|1 ]
[ --operation-timeout timeout ]
[ --base-domain domain ]
[ --default-domain domain ]
[ --black-list list ]
[ --white-list list ]
[ --security-mode ""|clientcerts ]
[ --auth-mode kerberos|ssl ]
[ --site-aware 0|1 ]
[ --site-name name ]
[ --check-pwd-policy 0|1 ]
[ --pwd-expiry-warn-threshold threshold ]
[ --pwd-expiry-fail-threshold threshold ]
[ --domain-list domains ]
[ --password-update-mode ldapuser|ldapadmin ]
[ --lookupcache-timeout timeout ]
[ --ad-alwaysusegc 0|1 ]
[ --suffix-mappings mappings ]
} | --file file
Description
The following table shows the available options for this command.
Option | Description
--name | The name of the service object to create. See Name for more details.
--type | The service object type, either LDAP or Active Directory. See Type for more details.
--url | The URLs of the LDAP directories or the URL of an Active Directory forest. The URL(s) must be unique. Different service objects cannot use the same URL(s). See URLs for more details.
--position | A number that specifies the position of the service object in the list of service objects. The number 1 means first position in the list.
--enabled | Whether the service object is enabled for use. See Enabled for more details.
--operation-timeout | Period of time, in seconds, to wait for a directory server to respond to an LDAP operation. See LDAP Operation Timeout for more details.
--base-domain | The domain that SGD uses for Active Directory authentication if users only supply a partial domain when they log in. See Active Directory Base Domain for more details. Applies only to Active Directory service objects.
--default-domain | The domain that SGD uses for Active Directory authentication if users do not supply a domain when they log in. See Active Directory Default Domain for more details. Applies only to Active Directory service objects.
--black-list | A list of Active Directory servers which are never used for LDAP queries. See Blacklists for more details. Applies only to Active Directory service objects.
--white-list | A list of Active Directory servers which are always used for LDAP queries. Servers not included in the list cannot be used. See Whitelists for more details. Applies only to Active Directory service objects.
--security-mode | Whether client certificates are used to authenticate the SSL connection to an Active Directory server. This option is only used if --auth-mode is SSL. See SSL Connections to Active Directory for more details. Applies only to Active Directory service objects.
--auth-mode | The mechanism used to secure the connection to an Active Directory server, either Kerberos or SSL. Kerberos is used by default. See SSL Connections to Active Directory for more details. Applies only to Active Directory service objects.
--site-aware | Enables site awareness for the service object. If --site-name is not set, SGD attempts to discover site information automatically by contacting the global catalog. See Sites for more details. Applies only to Active Directory service objects.
--site-name | A site name for the service object. This option is only used if --site-aware is enabled. See Sites for more details. Applies only to Active Directory service objects.
--check-pwd-policy | Whether a user’s password policy should be checked at authentication time. This option is used to enable LDAP password expiry features. See Password Expiry for more details.
--pwd-expiry-warn-threshold | The period of time, in seconds, before password expiry at which a warning message is shown on the webtop. See Password Expiry for more details.
--pwd-expiry-fail-threshold | The period of time, in seconds, before password expiry at which authentication is denied for a user and they are forced to update their password. See Password Expiry for more details.
--domain-list | Defines a list of domains to be contacted when SGD starts. See Domain Lists for more details. Applies only to Active Directory service objects.
--password-update-mode | Determines how aged passwords are handled. The default setting is ldapuser, meaning that passwords are updated using the authenticated user credentials. This results in a password change. A setting of ldapadmin means that passwords are updated using the credentials of the service object. This results in a password reset. See LDAP Password Update Mode for more details. Applies only to LDAP service objects.
--lookupcache-timeout | The length of time, in seconds, for which LDAP lookup cache entries on the SGD server are held. See Lookup Cache Timeout for more details.
--ad-alwaysusegc | Whether the global catalog is always used for lookups. Enabling this option can speed up LDAP searches. See Search Only the Global Catalog for more details. Applies only to Active Directory service objects.
--suffix-mappings | A list of mappings between domain names, used for Kerberos authentication. Each entry should be of the form suffix=domain, for example test.east.example.com=east.example.com. See Suffix Mappings for more details. Applies only to Active Directory service objects.
--file | Specifies a file containing a batch of commands to edit service object attributes.
Examples
The following example creates an LDAP service object called mainldap. The service object is set to third position in the list of service objects and is enabled by default.
$ tarantella service new \
--name mainldap --type ldap \
--url "ldap://main1.example.com;ldap://main2.example.com" \
--position 3
The following example creates an Active Directory service object called east. The service object is in the last position in the list of service objects by default, and is set to disabled.
$ tarantella service new \
--name east --type ad \
--url "ad://east.example.com" \
--enabled 0
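As an added example that is not part of SGD or of this reference page, the following Python helper assembles a tarantella service new command line from a service object definition and checks the definition against the constraints stated in the option tables for new and edit above (unique URLs, --security-mode only with --auth-mode ssl, --site-name only with --site-aware 1, and the type-specific options). The function names, warning strings and sample definitions are assumptions constructed here.

```python
"""Assemble and sanity-check 'tarantella service new' command lines.

Added example, not SGD's own code. The checks encode rules from the option
table above: unique URLs, --security-mode only with --auth-mode ssl,
--site-name only with --site-aware 1, and the type-specific options.
"""
import shlex

AD_ONLY = {"base-domain", "default-domain", "black-list", "white-list",
           "security-mode", "auth-mode", "site-aware", "site-name",
           "domain-list", "ad-alwaysusegc", "suffix-mappings"}
LDAP_ONLY = {"password-update-mode"}

def check_service(name, type_, urls, opts, seen_urls):
    """Return warnings for one definition; seen_urls maps URL -> owning object."""
    warnings = []
    if type_ not in ("ldap", "ad"):
        warnings.append(f"{name}: --type must be ldap or ad, got {type_!r}")
    for url in urls:
        if url in seen_urls:
            warnings.append(f"{name}: URL {url} already used by {seen_urls[url]}")
        seen_urls[url] = name
    for key in opts:
        if type_ == "ldap" and key in AD_ONLY:
            warnings.append(f"{name}: --{key} applies only to Active Directory service objects")
        if type_ == "ad" and key in LDAP_ONLY:
            warnings.append(f"{name}: --{key} applies only to LDAP service objects")
    # --auth-mode defaults to kerberos, so an unset auth-mode also disables clientcerts
    if opts.get("security-mode") == "clientcerts" and opts.get("auth-mode") != "ssl":
        warnings.append(f"{name}: --security-mode clientcerts is ignored unless --auth-mode is ssl")
    if "site-name" in opts and opts.get("site-aware") != "1":
        warnings.append(f"{name}: --site-name is ignored unless --site-aware is 1")
    return warnings

def build_command(name, type_, urls, opts):
    """Return the command line, joining multiple URLs with ';' as in the examples above."""
    args = ["tarantella", "service", "new", "--name", name, "--type", type_,
            "--url", ";".join(urls)]
    for key, value in opts.items():
        args += [f"--{key}", value]
    return " ".join(shlex.quote(a) for a in args)

if __name__ == "__main__":
    # Constructed sample: an AD object using SSL with client certificates
    east = {"auth-mode": "ssl", "security-mode": "clientcerts", "check-pwd-policy": "1"}
    print(build_command("east", "ad", ["ad://east.example.com"], east))
    print(check_service("east", "ad", ["ad://east.example.com"], east, {}))
```

Run the checker over every definition in a batch before passing the batch to --file, sharing one seen_urls dictionary so duplicate URLs across service objects are caught.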