IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Before you begin
You must have a working Active Directory environment and be familiar with the following Active Directory concepts:
- Organizational Units
- ADSI Edit MMC snap-in
- Group Policy Management
- User Administration
- Active Directory User Object Schema
You must have installed both the Tivoli Enterprise Monitoring Server and the Tivoli Enterprise Portal Server as explained in the IBM Tivoli Monitoring Installation and Setup Guide. Familiarize yourself with the introductory information in Enable user authentication.
You should work with your site's Active Directory administrator when deciding which LDAP users will be authorized for monitoring server or portal server authentication.
As a best practice, also create an OU hierarchy to contain your users. This allows a directory search that starts from a narrow base name, which limits search time and improves the performance of Tivoli Monitoring-to-LDAP user authentication. Figure 1 shows a sample configuration comprising an OU=ITMUsers hierarchy with containers ITMtepsUsers and ITMtemsUsers. With this schema, the base for searching for monitoring server users to authenticate will be CN=ITMtemsUsers,OU=ITMUsers,DC=company,DC=com, and the base for portal server users to authenticate will be CN=ITMtepsUsers,OU=ITMUsers,DC=company,DC=com.
Figure 1. Suggested LDAP user hierarchy for Tivoli Monitoring servers
You also need to be aware of your Active Directory user object/attribute schema. This information is required when coding your monitoring server's LDAP filter configuration and for the portal server's TEPS/e Repository Security login property. Figure 2 shows one user's possible account settings (this Tivoli Enterprise Portal Server user must also be authorized as a Tivoli Enterprise Monitoring Server user).
Figure 2. Portal server user properties
The configuration for TEPS/e LDAP user authentication requires that you specify, as the Login Property, the Active Directory user object attribute that contains the matching user name (in this example, llassite). Figure 3 shows the Active Directory user class instance for user llassite.
Figure 3. LDAP user properties
You must make the TEPS/e uid LDAP user authentication property match the portal server's user account. To do this, edit the Active Directory's user/uid attribute for the llassite user, and set uid=llassite so the portal server's user account llassite will match uid=llassite in the CN=Lin Lassiter,CN=ITMtepsUsers,OU=ITMUsers,DC=company,DC=com LDAP object (which can be found by searching the directory beginning with the CN=ITMtepsUsers,OU=ITMUsers,DC=company,DC=com base record).
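The same uid alignment can be done and verified from the Active Directory PowerShell module instead of ADSI Edit. This is an added example, not part of the IBM documentation; it assumes the hypothetical DC=company,DC=com domain and the ITMtepsUsers base from Figure 1, and that uid is the attribute configured as the TEPS/e Login Property.

```powershell
# Added example (not IBM's code): set the uid attribute that TEPS/e uses as its
# Login Property, then repeat the search the portal server will perform and check
# that it resolves to exactly one directory object.
Import-Module ActiveDirectory

$PortalUser = 'llassite'                                       # portal server user account name
$SearchBase = 'CN=ITMtepsUsers,OU=ITMUsers,DC=company,DC=com'  # base from Figure 1 (hypothetical domain)
$LoginAttr  = 'uid'                                            # attribute configured as the Login Property

# 1. Locate the account by its logon name and set uid so it equals the portal user name.
$user = Get-ADUser -Identity $PortalUser -Properties $LoginAttr -ErrorAction Stop
Set-ADUser -Identity $user -Replace @{ $LoginAttr = $PortalUser }

# 2. Search the way the portal server does: from the configured base, subtree scope,
#    filtering on the login attribute.
$found = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
                      -LDAPFilter "($LoginAttr=$PortalUser)" -Properties $LoginAttr)

switch ($found.Count) {
    0       { Write-Warning "No object with $LoginAttr=$PortalUser under $SearchBase; the account is outside the base or the attribute was not written" }
    1       { Write-Output  "OK: $($found[0].DistinguishedName) has $LoginAttr=$PortalUser" }
    default { Write-Warning "Ambiguous: $($found.Count) objects under $SearchBase share $LoginAttr=$PortalUser; the login cannot be mapped to a single account" }
}
```

A zero-result or multiple-result outcome is what to look for first when a portal server user cannot log in after enabling LDAP authentication.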
Figure 1, Figure 2, and Figure 3 are provided to give you an idea of the Active Directory properties that will be used for LDAP authentication. Knowing where LDAP users reside within Active Directory (the base from which to query or search for Tivoli Monitoring users in the directory) and knowing the user schema (the user object attribute that contains the exact user name used for authentication) are critical to successful configuration of either Tivoli Enterprise Monitoring Server or Tivoli Enterprise Portal Server LDAP user authentication. The portal server user account's permissions for such Tivoli Monitoring features as applications, views, and groups will continue to be managed within the portal server's User Administration tool, as shown in Figure 4.
Figure 4. Tivoli Enterprise Portal Server user permissions
LDAP user authentication is available only for individual Tivoli Monitoring users and user groups. Enabling LDAP authentication for individual Tivoli Monitoring users ensures maximum flexibility on both the IBM Tivoli Monitoring and LDAP sides. Scripting can be employed to keep Active Directory and Tivoli Monitoring users synchronized automatically. Data-collection scripts for Active Directory user accounts can ensure that modifications to Active Directory accounts (for example, users added or deleted) are reflected back into the corresponding Tivoli Enterprise Portal users by using the tacmd CLI.