
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Active Directory LDAP verification tools

Microsoft Active Directory provides several tools for your use in managing your site's LDAP environment; the following two will prove particularly useful when linking it to IBM Tivoli Monitoring:

ADSI Edit

Use this Microsoft Management Console snap-in to view your user object attributes and to confirm that the attributes you are specifying for the Tivoli Enterprise Portal Server Login properties and the Tivoli Enterprise Monitoring Server attributename=%v substitution parameter are defined and available.

LDP.exe

Use this tool to validate your monitoring server and portal server LDAP configuration's Base settings. This tool allows you to connect, bind, and query your LDAP environment from your workstation; see Figure 1.

LDP.exe for Windows XP is available from Microsoft at this URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Figure 1. LDP query results

This sample demonstrates the verification of a configuration using:

Alternatively, this sample demonstrates verification of a configuration using:

To successfully configure Microsoft Active Directory LDAP authentication, you need either the Domain Administrator or two very useful tools that allow you to look at your LDAP directory from the outside. These tools are:

ldapsearch

Use this tool to test your connect strings from the command line and to verify that you are pointing at the right location inside the LDAP user registry. Figure 2 shows sample ldapsearch output.
Ldapsearch for LDAP information contains additional information about this command and its uses and options.

The ldapsearch options you specify (see ldapsearch command-line options) are based on your site's Tivoli Enterprise Monitoring Server LDAP configuration:

-h

is the LDAP host name.

-p

is the LDAP port number.

-b

is the LDAP base value.

-D

is the LDAP bind ID.

-w

is the LDAP bind password.

If you do not specify the -w option, you will be required to enter the LDAP bind password from the keyboard.

Always specify the ldapsearch -s sub option because the monitoring server's LDAP client uses it when authenticating Tivoli Monitoring users. Replace %v with the Tivoli Monitoring user ID when specifying the LDAP user filter (this string is the last part of the ldapsearch command line).

Example: To verify user sysadmin with the monitoring server LDAP configuration shown in Figure 1, specify the following ldapsearch command:

    ldapsearch -h 192.168.1.241 -p 389 -b "DC=bjomain,CN=users,DC=bjomain,DC=com" -D "CN=Administator,CN=users,DC=bjomain,DC=com" -w admin10admin -s sub "(mail=sysadmin@bjomain.com)"

Follow this link to download a free version of ldapsearch: http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.support.was40.doc/html/Security/swg21113384.html
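
The %v substitution and the ldapsearch options described above, as an added example (not IBM's code): a POSIX shell helper that escapes LDAP filter metacharacters in the user ID, replaces %v in the filter template, and runs ldapsearch without -w so the bind password is prompted for. The function names and the template `(mail=%v@bjomain.com)` are assumptions inferred from the sample command.

```shell
#!/bin/sh
# Added example: build the ldapsearch check described above from the
# monitoring server's LDAP settings. All values passed in are the caller's.

# Escape RFC 4515 filter metacharacters so a user ID is matched literally.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Replace every %v in the configured filter template ($1) with user ID ($2).
build_filter() {
    [ -n "$2" ] || { echo "user ID must not be empty" >&2; return 1; }
    bf_tmpl=$1 bf_out=
    bf_val=$(escape_filter_value "$2")
    while :; do
        case $bf_tmpl in
            *%v*) bf_head=${bf_tmpl%%\%v*}      # text before the first %v
                  bf_out=$bf_out$bf_head$bf_val
                  bf_tmpl=${bf_tmpl#*\%v} ;;    # continue after that %v
            *)    bf_out=$bf_out$bf_tmpl; break ;;
        esac
    done
    printf '%s\n' "$bf_out"
}

# Run the check: host, port, base, bind DN, filter template, user ID.
# -w is omitted on purpose; per this page, ldapsearch then asks for the
# bind password at the keyboard instead of taking it on the command line.
verify_user() {
    vu_filter=$(build_filter "$5" "$6") || return 1
    ldapsearch -h "$1" -p "$2" -b "$3" -D "$4" -s sub "$vu_filter"
}

# Usage (template is an assumption; <base> and <bind DN> are placeholders
# for the values in your own monitoring server LDAP configuration):
#   verify_user 192.168.1.241 389 "<base>" "<bind DN>" '(mail=%v@bjomain.com)' sysadmin
```

If the search returns no entry for a user ID that exists, compare the base and filter template passed here with the monitoring server's LDAP configuration before changing anything in the directory.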

ldapbrowser

Use this tool to graphically traverse the LDAP user registry and to spell out the Distinguished Names and other parameters that complete the configuration. To verify that IBM Tivoli Monitoring can access your LDAP user registry across the network, install the LDAP browser on a Tivoli Monitoring server. Figure 1 shows a sample ldapbrowser display.

The LDAP browser also enables you to retrieve LDAP information from the portal server itself.

Follow this link to download a free version of ldapbrowser: http://www.ldapbrowser.com/download.htm; then click the LDAP Browser tab. ldapbrowser is also available for both UNIX/Linux and Windows at this URL: http://www.mcs.anl.gov/~gawor/ldap/

