IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Enable and configure LDAP user authentication for the monitoring server, if desired
Skip this step if you do not want to use an LDAP user registry to authenticate your monitoring server users.
User configuration for the Tivoli Enterprise Monitoring Server is completely separate from that for the Tivoli Enterprise Portal Server. TEPS/e is not involved.
None of the portal server's LDAP configuration or enablement affects the monitoring server's LDAP configuration or enablement. Monitoring server users do not need to be created in, or exist in, the Tivoli Enterprise Portal Administer Users list of users. Monitoring server users are required only if you wish to create userids that can be authenticated using the Security: Validate User option, or if you wish to enable or prohibit SOAP requests to the monitoring server's SOAP server (see Configure Tivoli Monitoring Web Services (SOAP server)).
User authentication through the hub monitoring server provides the steps required to enable LDAP user authentication for the Tivoli Enterprise Monitoring Server. Additional comments are provided here for specific steps within this process. The monitoring server's userids are limited to 10 characters, so the Active Directory user names you choose must also not exceed 10 characters.
The monitoring server's LDAP configuration allows only one LDAP Base and one LDAP User filter (to query the LDAP directory for userid attributes). OU planning is recommended for creating the Active Directory Base and OU hierarchy that best meets your requirements. Use a Base that limits directory subtree searches while maximizing Active Directory's LDAP user authentication performance (see Figure 1).
- Step 5: see Figure 1.
Figure 1. LDAP configuration panel for monitoring server users
- Enter required LDAP user filter
- This defines the attribute that will be queried and collected for Tivoli Enterprise Monitoring Server LDAP authentication. The monitoring server ID used for login (tacmd login -s tems_name -u username -p password) will be checked against the matching, Active Directory-filtered User for authentication.
- LDAP user filter
- Example: (&(objectCategory=user)(userPrincipalName=%v@company.com)) where %v is a variable that IBM Tivoli Monitoring replaces with the userid entered at login.
This filter queries Active Directory, collecting all User objects from the specified Base. The userPrincipalName attribute values returned by this query will be parsed against the string %v@company.com, causing a comparison of the monitoring server userid with only the %v substitution portion of the userPrincipalName (in this case, userPrincipalName=llassite@company.com | userPrincipalName=%v@company.com == llassite).
- LDAP base
- IBM recommends you enter an LDAP Base that gives you visibility to the OU container that contains your Active Directory-defined monitoring server users.
- LDAP bind ID
- IBM recommends you enter an LDAP ID that can access your Active Directory's OU hierarchy to locate your Active Directory-defined portal server users.
- LDAP bind password
- The LDAP bind ID's password.
- LDAP port name
- This value is set for the default Active Directory LDAP port. Enter your LDAP-configured port number.
- LDAP host name
- A Domain Controller within the Active Directory Forest that is hosting the User accounts you created earlier for monitoring server LDAP user authentication. Your choice here should be driven by the hierarchy level within your Forest that owns the Tivoli Monitoring users' OU. Consider your selection here in light of possible issues with IBM Tivoli Monitoring LDAP user authentication due to Active Directory connectivity or replication failures of your Active Directory User objects.
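As an added illustration of the LDAP user filter behaviour described above (example code written for this page, not part of IBM Tivoli Monitoring), the following Python substitutes the login userid for %v in the page's example template, escapes the userid per RFC 4515 so it cannot alter the filter structure, enforces the 10-character userid limit, and compares only the %v portion of a returned userPrincipalName with the login userid. The helper names and the case-insensitive comparison are assumptions made for this example.

```python
import re

MAX_TEMS_USERID_LEN = 10  # monitoring server userids are limited to 10 characters

# Filter template as entered in the "LDAP user filter" field (the page's example)
USER_FILTER = "(&(objectCategory=user)(userPrincipalName=%v@company.com))"

# RFC 4515 escaping: a login name must not be able to change the filter's structure
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape characters that have special meaning inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, userid: str) -> str:
    """Replace %v with the escaped login userid, rejecting ids the monitoring server cannot accept."""
    if not userid or len(userid) > MAX_TEMS_USERID_LEN:
        raise ValueError(f"userid must be 1-{MAX_TEMS_USERID_LEN} characters")
    return template.replace("%v", escape_filter_value(userid))


def upn_pattern(template: str) -> re.Pattern:
    """Turn the (userPrincipalName=...%v...) clause into a regex that captures the %v part."""
    m = re.search(r"\(userPrincipalName=([^()]*)\)", template)
    if not m or "%v" not in m.group(1):
        raise ValueError("template has no userPrincipalName clause containing %v")
    before, after = m.group(1).split("%v", 1)
    # Active Directory string matching is case-insensitive (assumption for this example)
    return re.compile("^" + re.escape(before) + "(?P<v>.+)" + re.escape(after) + "$", re.IGNORECASE)


def matches_userid(template: str, upn: str, userid: str) -> bool:
    """Compare only the %v substitution portion of a returned userPrincipalName with the userid."""
    m = upn_pattern(template).match(upn)
    return m is not None and m.group("v").lower() == userid.lower()


if __name__ == "__main__":
    # Constructed sample: the page's llassite example
    print(build_filter(USER_FILTER, "llassite"))
    print(matches_userid(USER_FILTER, "llassite@company.com", "llassite"))
```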