IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Use Manage Tivoli Enterprise Monitoring Services to configure the portal server for LDAP authentication
You can use Manage Tivoli Enterprise Monitoring Services to enable LDAP user authentication and single sign-on in the portal server, and optionally, to configure the LDAP server connection details.
You can use this utility to configure the LDAP server connection information, if all the following conditions are met:
- You are using Microsoft Active Directory Server or Tivoli Directory Server for your LDAP server.
- You do not plan to configure TLS/SSL between the portal server and the LDAP server.
- You do not need to configure any LDAP configuration parameters besides those listed in Table 1.
For all other scenarios, use Manage Tivoli Enterprise Monitoring Services to enable LDAP user validation and SSO for the portal server and specify a server type of Other. Then use the TEPS/e administration console to complete the LDAP configuration.
Configuring the portal server to use an LDAP user registry involves adding LDAP information such as the bind ID and port number to the portal server configuration. At the same time, best practice is to enable single sign-on by specifying the realm name and the Internet or intranet domain name used by the other applications participating in SSO. For more information about these parameters, see Prerequisites for configuring LDAP authentication on the portal server.
You can also export the portal server's LTPA key, or import the LTPA key from a participating SSO application if you have already decided which application will be the source of the LTPA key. (All participating SSO applications must use the same key.) The export or import steps can also be performed later if you want to concentrate on getting LDAP user authentication working first, or if you do not yet have an LTPA key to import.
Have the configuration information for the LDAP server at hand, as well as the realm and Internet or intranet domain name for SSO.
To export or import LTPA keys, ensure that the portal server is running before beginning configuration. You will get a message that the portal server will be stopped during configuration, but the server is stopped only at the end of the configuration procedure after you click OK to close the last dialog. If you are importing an LTPA key, you need the key file and the password that was used when the key file was generated.
Take these steps to reconfigure the portal server for user validation with an LDAP registry, enable SSO, and optionally export or import LTPA keys.
Procedure
1. Start Manage Tivoli Enterprise Monitoring Services on the computer where the portal server is installed:
   - On Windows, click Start → Programs → IBM Tivoli Monitoring → Manage Tivoli Enterprise Monitoring Services.
   - On Linux and UNIX, where install_dir is the IBM Tivoli Monitoring installation directory, change to the install_dir/bin directory and run ./itmcmd manage [-h install_dir].
2. Right-click Tivoli Enterprise Portal Server:
   - Click Reconfigure, and click OK to accept the existing configuration and go to the second TEP Server Configuration window.
   - Click Configure.
3. In the LDAP Security area, select Validate User with LDAP?. On Linux and UNIX, the LDAP Security area is on the TEMS Connection tab.
4. Optional: If you plan to use SSO, select Enable Single Sign On?.
5. Select the LDAP type from the list:
   - AD2000 for Active Directory Server 2000
   - AD2003 for Active Directory Server 2003
   - AD2008 for Active Directory Server 2008
   - IDS6 for IBM Tivoli Directory Server Version 6.x
   - Other if your LDAP server is not one of those listed, if you intend to customize the LDAP configuration for the Active Directory Server or Tivoli Directory Server, or if you are configuring SSL communications to the LDAP server. After completing this procedure, start the TEPS/e administration console to complete the LDAP server configuration. See Use the TEPS/e administration console.
   If you think you might need to edit the configuration of the Active Directory Server or Tivoli Directory Server at a later time, such as to configure TLS/SSL communications to the LDAP server, be sure to select Other and use the TEPS/e administration console to configure the server (skip step 6). Otherwise, any customization done in the TEPS/e administration console is lost the next time you reconfigure the portal server.
6. If you selected AD2000, AD2003, or IDS6 as the LDAP type, complete the other fields to specify the LDAP server:
   - LDAP base is the distinguished name (DN) for the base entry in the LDAP registry. It is the starting point for user searches in the LDAP server. For example, for a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US for this parameter.
   - LDAP DN base entry is typically set to the distinguished name of the base entry in the LDAP registry for portal server users. For example, for a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US for this parameter.
     However, when multiple LDAP repositories are being configured for the portal server, use this field to define an additional distinguished name (DN) that uniquely identifies the set of LDAP users from this LDAP server. For example, the LDAP1 registry and the LDAP2 registry might both use o=ibm,c=us as their base entry. In this case, use this parameter to specify a different base entry for each LDAP server: for example, specify o=ibm1,c=us when configuring the LDAP1 registry and o=ibm2,c=us when configuring the LDAP2 registry.
     If you have multiple LDAP registries, they cannot contain any overlapping user names.
     The value of this parameter is displayed in the Tivoli Enterprise Portal Administer Users dialog when you list the distinguished names that can be mapped to Tivoli Enterprise Portal user IDs.
   - LDAP bind ID is the LDAP user ID for bind authentication, in LDAP notation, and must be authorized to search for LDAP users. The bind ID can be omitted if an anonymous user can search for LDAP users.
   - LDAP bind password is the LDAP user password for LDAP bind authentication. This value can be omitted if an anonymous user can bind to your LDAP server. This value is encrypted by the installer.
   - LDAP port number is the port that the LDAP server is listening on. This value can be omitted if the port is 389.
   - LDAP host name is the host name of the LDAP server. It can be omitted if the LDAP server is on the same computer as the portal server. Default: localhost.
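The field descriptions above carry three constraints that are easy to get wrong when several registries are involved: the LDAP base is the user DN minus its leading RDN, each registry needs a unique DN base entry, and no user name may appear in more than one registry. The following script, added here as an illustration and not part of IBM Tivoli Monitoring, checks a set of registry parameters against those constraints before they are typed into the dialog. The LdapRegistry class, the registry names, host names and user-name lists are constructed sample data, not values from the product.

```python
"""Sanity-check LDAP registry parameters for the portal server dialog.

Added illustration, not part of IBM Tivoli Monitoring. The dataclass fields
mirror the dialog fields described above; registry names, hosts and
user-name lists below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_dn(dn: str) -> List[str]:
    """Split a distinguished name into its RDNs.

    A comma escaped with a backslash (RFC 4514, e.g. cn=Doe\\, John) does
    not split the name; whitespace around each RDN is dropped.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: RDNs trimmed and lower-cased."""
    return ",".join(r.lower() for r in parse_dn(dn))


def base_entry_for(user_dn: str) -> str:
    """Derive the LDAP base from a user DN by dropping its leading RDN,
    e.g. cn=John Doe,ou=Rochester,o=IBM,c=US -> ou=Rochester,o=IBM,c=US."""
    return ",".join(parse_dn(user_dn)[1:])


@dataclass
class LdapRegistry:
    name: str                       # label used only by these checks
    base: str                       # "LDAP base" field
    dn_base_entry: str              # "LDAP DN base entry" field
    bind_id: Optional[str] = None   # "LDAP bind ID"; None means anonymous search
    bind_password: Optional[str] = None
    host: str = "localhost"         # dialog default when omitted
    port: int = 389                 # dialog default when omitted
    user_names: List[str] = field(default_factory=list)  # constructed sample


def validate_registries(registries: List[LdapRegistry]) -> List[str]:
    """Return the list of problems found; an empty list means the
    parameters satisfy the constraints stated for the dialog fields."""
    problems: List[str] = []
    seen_entries: Dict[str, str] = {}   # normalized DN base entry -> registry
    seen_users: Dict[str, str] = {}     # lower-cased user name -> registry
    for reg in registries:
        if not 1 <= reg.port <= 65535:
            problems.append(f"{reg.name}: port {reg.port} is out of range")
        if not parse_dn(reg.base):
            problems.append(f"{reg.name}: LDAP base is empty")
        # A bind ID with an empty password is an LDAP "unauthenticated" bind,
        # which servers treat as anonymous: either supply the password or
        # leave both fields empty deliberately.
        if reg.bind_id and not reg.bind_password:
            problems.append(f"{reg.name}: bind ID set without a bind password")
        key = normalize_dn(reg.dn_base_entry)
        if key in seen_entries:
            problems.append(
                f"{reg.name}: DN base entry {reg.dn_base_entry!r} duplicates "
                f"{seen_entries[key]}; each registry needs a unique entry")
        else:
            seen_entries[key] = reg.name
        for user in reg.user_names:
            owner = seen_users.setdefault(user.lower(), reg.name)
            if owner != reg.name:
                problems.append(
                    f"{reg.name}: user name {user!r} also exists in {owner}")
    return problems


# Constructed sample: two registries sharing o=ibm,c=us as their base,
# told apart by different DN base entries as the field description advises.
SAMPLE_REGISTRIES = [
    LdapRegistry("LDAP1", base="o=ibm,c=us", dn_base_entry="o=ibm1,c=us",
                 bind_id="cn=itmbind,o=ibm,c=us", bind_password="sample",
                 host="ldap1.example.test", user_names=["jdoe", "asmith"]),
    LdapRegistry("LDAP2", base="o=ibm,c=us", dn_base_entry="o=ibm2,c=us",
                 bind_id="cn=itmbind,o=ibm,c=us", bind_password="sample",
                 host="ldap2.example.test", user_names=["bjones", "jdoe"]),
]

if __name__ == "__main__":
    for problem in validate_registries(SAMPLE_REGISTRIES):
        print("problem:", problem)
```

Run as-is the sample reports the one overlap (jdoe exists in both registries); swap LDAP2's DN base entry to o=ibm1,c=us and the duplicate-entry check fires as well.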
7. Click OK.
8. If you selected Enable Single Sign On?, the Single Sign On dialog is displayed with Realm name and Domain name fields and Import Keys and Export Keys buttons.
   - If you are not enabling single sign-on at this time, click OK to close any other portal server configuration dialogs and go to step 12.
9. For SSO, specify the realm and domain in the Single Sign On dialog:
   - Realm name is a parameter shared across applications participating in SSO. Applications configured for the same domain name but for a different realm name do not work as part of the same SSO infrastructure.
   - Domain name is the Internet or intranet domain for which SSO is configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for SSO.
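The two rules just stated (same realm, and a host within the SSO domain or one of its sub-domains) decide which applications can share the portal server's LTPA session. The script below, an added illustration that is not part of IBM Tivoli Monitoring, applies both rules to a list of candidate applications; the realm value, application names and host names are constructed samples. The domain test matches on label boundaries, so a host whose name merely ends in the same characters (notmycompany.com against mycompany.com) is correctly rejected.

```python
"""Decide which applications can join the portal server's SSO domain.

Added illustration, not part of IBM Tivoli Monitoring. Realm, application
names and host names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SsoParticipant:
    name: str
    realm: str   # "Realm name" field; must be identical for all participants
    domain: str  # "Domain name" field, e.g. mycompany.com
    host: str    # host name on which the application is reached


def in_sso_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or lies in one of its sub-domains.

    Case-insensitive, tolerant of a trailing dot, and anchored on a label
    boundary so that notmycompany.com is not inside mycompany.com.
    """
    h = host.strip().lower().rstrip(".")
    d = domain.strip().lower().lstrip(".").rstrip(".")
    return bool(d) and (h == d or h.endswith("." + d))


def sso_eligibility(portal: SsoParticipant,
                    apps: List[SsoParticipant]) -> Dict[str, str]:
    """Map each application name to "ok" or to the reason it cannot take
    part in SSO with the portal server."""
    result: Dict[str, str] = {}
    for app in apps:
        if app.realm != portal.realm:
            result[app.name] = (f"realm {app.realm!r} differs from portal "
                                f"realm {portal.realm!r}")
        elif not in_sso_domain(app.host, portal.domain):
            result[app.name] = (f"host {app.host} is outside SSO domain "
                                f"{portal.domain}")
        else:
            result[app.name] = "ok"
    return result


# Constructed sample: the portal server plus three candidate applications.
PORTAL = SsoParticipant("Tivoli Enterprise Portal", realm="itmRealm",
                        domain="mycompany.com", host="teps.mycompany.com")
SAMPLE_APPS = [
    SsoParticipant("Dashboard hub", "itmRealm", "mycompany.com",
                   "dash.hub.mycompany.com"),          # sub-domain: ok
    SsoParticipant("Charting service", "otherRealm", "mycompany.com",
                   "charts.mycompany.com"),            # wrong realm
    SsoParticipant("Partner portal", "itmRealm", "mycompany.com",
                   "sso.notmycompany.com"),            # outside the domain
]

if __name__ == "__main__":
    for name, verdict in sso_eligibility(PORTAL, SAMPLE_APPS).items():
        print(f"{name}: {verdict}")
```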
10. At this time, you can export the portal server's LTPA key if you want it to be the key used by all other participating SSO applications. Click Export Keys and complete the following steps:
    - Navigate to the directory where you want to create the file or change the file type, or both. The directory displayed initially, on Windows, is ITM_dir\InstallITM; and on Linux and UNIX, it is the Root directory.
    - Type a name for the file that the LTPA key should be placed in and click Save.
    - In the Export keys window, type a password to use to encrypt the file, and click OK. You see a console window while the file is created and encrypted, and then you are returned to the Single Sign On window.
    After the LDAP configuration is complete, provide the key file and password to the administrators of the applications that launch Tivoli Enterprise Portal, use the dashboard data provider in IBM Dashboard Application Services Hub, or use the IBM Tivoli Monitoring charting web service.
11. If another participating SSO application is providing the LTPA key, you can import it now if you have the key file and the password that was used to encrypt the key. Click Import Keys and complete the following steps:
    - In the Open window that is displayed, navigate to the directory where the key file is located. The directory displayed initially, on Windows, is ITM_dir\InstallITM; and on Linux and UNIX, it is the Root directory.
    - Type the name of the file that you want to import, and click Open.
    - Type the password required to decrypt the file, and click OK. You see a console window while the file is created and encrypted, and then you are returned to the Single Sign On window.
    - Repeat the import process to import keys from additional participating servers.
12. Click OK.
13. If you are prompted to reconfigure the warehouse connection information, answer No. After some processing of the configuration settings, the Common Event Console Configuration window is displayed. Sometimes this window does not open in the foreground and is hidden by other windows. If processing seems to be taking longer than expected, minimize other windows and look for the configuration window. When the Common Event Console Configuration window is displayed, click OK.
14. If necessary, recycle the portal server by selecting Tivoli Enterprise Portal Server and clicking Recycle, or by stopping and then starting the portal server.
What to do next
If you chose Other as the LDAP type, the LDAP configuration must be completed in the TEPS/e administration console. See Use the TEPS/e administration console.
For all other LDAP types, follow steps 1 and 2 in the procedure above to check whether Validate User with LDAP? is still selected. If it is not selected, an error occurred when the configuration utility attempted to connect to the LDAP server, and LDAP validation was disabled. In that case, check the install_dir/logs/ConfigureLDAPRepo.log file.
Once the LDAP registry is completely configured, you can map the Tivoli Enterprise Portal user IDs to the LDAP distinguished names to complete the LDAP configuration. You must log on to the Tivoli Enterprise Portal with the sysadmin user ID or a user ID that has the same administrative authority and is not an LDAP user. See Map Tivoli Enterprise Portal user IDs to LDAP distinguished names.
If you enabled SSO, you will need to export or import LTPA keys. Refer back to the Roadmap for setting up the portal server to use an LDAP user registry and single sign-on to determine when to perform these steps.