esxcfg-auth
Section: Maintenance Commands (8)
BSD mandoc
VMware ESX 4.0
NAME
esxcfg-auth - VMware ESX Network Management Utility
COPYRIGHT
VMware ESX is Copyright 1998-2009 VMware, Inc. All rights reserved.
SYNOPSIS
esxcfg-auth [--probe]
[--enablemd5]
[--disablemd5]
[--enableshadow]
[--disableshadow]
[--usepamqc <params>]
[--usecrack <params>]
[--enablead [--addomain <domain>] [--addc <server>]]
[--disablead]
[--enablenis [--nisdomain <domain>] [--nisserver <nisserver>]]
[--disablenis]
[--enablekrb5 [--krb5realm <realm>] [--krb5kdc <server>] [--krb5adminserver <server>]]
[--disablekrb5]
[--enableldap [--enableldapauth] [--ldapserver <server>] [--ldapbasedn <basedn>]]
[--disableldap]
DESCRIPTION
esxcfg-auth provides an easy way to configure your server to allow network-based authentication and to set password complexity requirements for your machine. It supports setting up your system to authenticate against an Active Directory server (authentication only, not user management), a NIS server, a Kerberos server, or an LDAP server. You can configure how passwords are stored and how complex a password must be when a user sets a new one.
This utility is experimental. It is likely to change.
OPTIONS
- --probe
Calling esxcfg-auth with the --probe option prints your current configuration to standard out. This is useful if you want to store your configuration for documentation or archival purposes. If --probe is combined with other options, the changes those options would make are applied and the resulting configuration is printed to standard out, but the configuration data is not written to disk, so the command is equivalent to a dry run.
- --enablemd5
This option sets the system to store the password in MD5 form. The default is shadow.
- --disablemd5
This option restores the system to default password storage, which is shadow.
- --enableshadow
Store user passwords using shadow information. This is the default manner in which passwords are stored if no format is specified.
- --disableshadow
This option is useful to store the password in MD5 form. If you do not enable MD5 storage, the passwords will remain in shadow form.
- --usepamqc
Enables the use of the pam_passwdqc PAM module for password complexity checking. It is configured by passing a six-value tuple as the value. The tuple is formed from the following information, in this order:
- minimum length of a single character class password
- minimum length of a password that has characters from 2 character classes
- minimum number of words in a passphrase
- minimum length of a password that has characters from 3 character classes
- minimum length of a password that has characters from 4 character classes
- maximum number of characters reused from the previous password
This does not fully expose the abilities of this powerful PAM module. See the pam_passwdqc man page for more information on how to use this PAM module to enforce password rules on the user's password.
If you pass a value of -1 for any of the six tuple values, it is understood as disabling that option. An example of a tuple is "-1 -1 8 8 8 4".
- --usecrack
Enables the use of the pam_cracklib PAM module for password complexity checking. It is configured by passing a six-value tuple as the value. The tuple is formed from the following information, in this order:
- number of retries given to choose a new password
- minimum length of the password
- points for lowercase letters
- points for uppercase letters
- points for digits
- points for other characters
If you pass a value of -1 for any of the character-class points fields in the tuple, that character class is understood as being required.
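Both --usepamqc and --usecrack take positional six-value tuples, so a value in the wrong slot silently changes the policy. As an added example (not VMware's code and not part of the original man page), this POSIX shell helper labels each position using the field order listed above; the helper name explain_tuple and the sample --usecrack tuple are constructed for illustration.

```shell
#!/bin/sh
# Added example: label the six values of a --usepamqc or --usecrack tuple.
# Field order is taken from the lists in this man page.
PAMQC_FIELDS='min length, 1 character class
min length, 2 character classes
min words in a passphrase
min length, 3 character classes
min length, 4 character classes
max characters reused from previous password'
CRACK_FIELDS='retries to choose a new password
min length of the password
points for lowercase letters
points for uppercase letters
points for digits
points for other characters'

# explain_tuple <pamqc|crack> "<six values>"  (hypothetical helper name)
# Prints "field: value" per position; returns 1 if the tuple is malformed.
explain_tuple() {
    kind=$1
    case $kind in
        pamqc) names=$PAMQC_FIELDS ;;
        crack) names=$CRACK_FIELDS ;;
        *) echo "unknown module: $kind" >&2; return 1 ;;
    esac
    set -f; set -- $2; set +f   # split on whitespace without globbing
    [ $# -eq 6 ] || { echo "expected 6 values, got $#" >&2; return 1; }
    i=0
    for v in "$@"; do
        i=$((i + 1))
        case $v in
            -1) ;;
            *[!0-9]*) echo "value $i is not an integer: $v" >&2; return 1 ;;
        esac
        note=$v
        if [ "$v" = "-1" ] && [ "$kind" = pamqc ]; then
            note='-1 (disabled)'            # per the --usepamqc text
        elif [ "$v" = "-1" ] && [ "$i" -ge 3 ]; then
            note='-1 (required)'            # per the --usecrack text, points fields
        fi
        printf '%s: %s\n' "$(printf '%s\n' "$names" | sed -n "${i}p")" "$note"
    done
}

explain_tuple pamqc "-1 -1 8 8 8 4"   # the example tuple from this page
explain_tuple crack "3 9 1 -1 -1 1"   # constructed sample tuple
```

Once a tuple reads as intended, combining it with --probe previews the resulting configuration without writing it to disk, as described under --probe.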
- --enablead
Sets up the Console OS to authenticate the user against an Active Directory server. --addomain and --addc are required with this option.
- --addomain
Sets the domain against which the user is to be authenticated when authenticating against an Active Directory server.
- --addc
Sets the domain controller against which the user's password should be checked.
- --disablead
Reverts the changes required to authenticate the user against Active Directory.
- --enablenis
This option can be used to set up the Console OS to authenticate the user against a NIS server. --nisserver and --nisdomain are required with this option.
- --nisdomain
Specifies the domain name for the NIS server against which users should be authenticated.
- --nisserver
Specifies the IP address where the NIS server is running.
- --disablenis
Reverts the changes required to authenticate users against NIS.
- --enablekrb5
Allows the user to be authenticated against a Kerberos realm. The --krb5realm and --krb5kdc options are needed with this option.
- --krb5realm
Defines the realm in which to authenticate the user.
- --krb5kdc
Defines the Key Distribution Center for the Kerberos Realm.
- --krb5adminserver
Defines the Administrative Server for the Kerberos 5 realm against which the user should be checked.
- --disablekrb5
Reverts the changes required to authenticate the user against a Kerberos 5 realm.
- --enableldap
Enables the Console OS to attempt to get user credentials from an LDAP server.
- --enableldapauth
Enables the Console OS to authenticate the user against an LDAP server.
- --ldapserver
Sets the IP address of the server that is running the LDAP Directory.
- --ldapbasedn
Sets the base DN with which to bind to the LDAP server.
- --disableldap
Reverts the changes required to authenticate the user against an LDAP server.
This document was created by man2html, using the manual pages. Brought to you by Bouke Groenescheij, www.jume.nl
Time: 15:25:08 GMT, May 26, 2009