IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Use the Linux or UNIX command line to configure the portal server for LDAP authentication
If the Tivoli Enterprise Portal Server is on Linux or UNIX, you can enable LDAP user authentication and single sign-on in the portal server, and optionally, configure the LDAP server connection details, using the itmcmd command line interface.
You can use the command line to configure the LDAP server connection information if all the following conditions are met:
- You are using Microsoft Active Directory Server or Tivoli Directory Server for your LDAP server.
- You do not plan to configure TLS/SSL between the portal server and the LDAP server.
- You do not need to configure any LDAP configuration parameters besides those listed in Table 1.
For all other scenarios, use the itmcmd command to enable LDAP user validation and SSO for the portal server and specify a server type of Other. Then use the TEPS/e administration console to complete the LDAP configuration.
Configuring the portal server to use an LDAP user registry involves adding LDAP information, such as the bind ID and port number, to the portal server configuration. At the same time, best practice is to enable single sign-on by specifying the realm name and the Internet or intranet domain name used by the other applications participating in SSO. For more information about these parameters, see Prerequisites for configuring LDAP authentication on the portal server.
Complete these steps to configure the portal server from the command line:
Procedure
- Log on to the computer where the Tivoli Enterprise Portal Server is installed.
- At the command line, change to the install_dir/bin directory, where install_dir is the directory where you installed the product.
- Run the following command to start configuring the Tivoli Enterprise Portal Server:
./itmcmd config -A cq
The message "Agent configuration started..." is displayed, followed by a prompt:
Edit "Common event console for IBM Tivoli Monitoring" settings? [ 1=Yes, 2=No ] (default is: 1)
- Enter 2. The following prompt is displayed:
Will this agent connect to a TEMS? [1=YES, 2=NO] (Default is: 1):
- Accept the default values for this prompt and the prompts that follow it until you see the following prompt. The default values reflect the selections made during the original configuration.
LDAP Security: Validate User with LDAP ? (1=Yes, 2=No)(Default is: 2):
- Enter 1 to begin configuration of LDAP authentication and provide the values for the LDAP parameters.
LDAP type: [AD2000, AD2003, AD2008, IDS6, OTHER](Default is: OTHER):
For LDAP type, choose Other if your LDAP server is not one of those listed, if you intend to customize the LDAP configuration for the Active Directory Server or Tivoli Directory Server, or if you plan to configure TLS/SSL between the portal server and the LDAP server. After completing this procedure, start the TEPS/e administration console to complete the LDAP server configuration. See Use the TEPS/e administration console.
If you think you might need to edit the configuration of the Active Directory Server or Tivoli Directory Server at a later time, for example to configure TLS/SSL communications to the LDAP server, be sure to select Other and use the TEPS/e administration console to configure the server. Otherwise, any customization done in the TEPS/e administration console is lost the next time you reconfigure the portal server.
- If you did not specify a type of Other, you are prompted to enter additional LDAP configuration values (see Table 1 for more information about those parameters):
LDAP base: o=IBM
LDAP DN Base Entry(Default is: o=ITMSSOEntry): o=IBM
LDAP bind ID: cn=root
LDAP bind password:
Re-type: LDAP bind password:
LDAP Port number(Default is: 389):
LDAP host name(Default is: localhost): itmxseries04
- To enable single sign-on as well as LDAP authentication, enter 1 at the following prompt; then provide the Realm name and Domain name.
Enable Single Sign On ? (1=Yes, 2=No)(Default is: 2):
- Realm name is a parameter shared across applications participating in SSO. Applications configured for the same domain name, but for a different realm name will not work as a part of the same SSO infrastructure.
- Domain name is the Internet or Intranet domain for which SSO is configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for SSO.
After the installer has completed the configuration, the following message is displayed: Agent configuration completed...
- Recycle the portal server.
./itmcmd agent stop cq
./itmcmd agent start cq
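A pre-flight check for the values you are about to type at the prompts in the procedure above, as an added example that is not part of the IBM documentation or the product: it validates the LDAP type, the bind and base DNs and the port, and, when SSO is enabled, applies the realm and domain rules from the procedure to a constructed list of participating applications. The hostnames, realm names and the check_answers function are assumptions made for the example.

```python
"""Pre-flight check for the itmcmd LDAP/SSO answers (added example, not IBM code).
Validates the values typed at the prompts above: LDAP type, bind and base DNs,
port, and, when SSO is enabled, that every application meant to share the SSO
infrastructure uses the same realm and sits in the configured domain or one of
its sub-domains.  Hostnames and realm values below are constructed."""
import re

LDAP_TYPES = {"AD2000", "AD2003", "AD2008", "IDS6", "OTHER"}
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")

def valid_dn(dn):
    """Accept a DN of one or more attr=value RDNs, e.g. cn=root or o=IBM."""
    return all(_RDN.match(rdn.strip()) for rdn in dn.split(","))

def host_in_sso_domain(host, domain):
    """Label-based suffix check: app.mycompany.com is inside mycompany.com,
    but notmycompany.com is not (a bare endswith() would wrongly accept it)."""
    h, d = host.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)

def check_answers(ldap_type, bind_id, base, port, sso=None):
    """Return a list of problems; an empty list means the answers are consistent.
    sso, if given, is {"realm": ..., "domain": ..., "apps": [(host, realm), ...]}."""
    problems = []
    if ldap_type not in LDAP_TYPES:
        problems.append("LDAP type must be one of %s" % sorted(LDAP_TYPES))
    if not valid_dn(bind_id):
        problems.append("LDAP bind ID %r is not a DN" % bind_id)
    if not valid_dn(base):
        problems.append("LDAP base %r is not a DN" % base)
    if not (str(port).isdigit() and 1 <= int(port) <= 65535):
        problems.append("LDAP port %r is not a valid TCP port" % port)
    for host, realm in (sso or {}).get("apps", []):
        if realm != sso["realm"]:   # a different realm is not the same SSO
            problems.append("%s uses realm %r, not %r" % (host, realm, sso["realm"]))
        if not host_in_sso_domain(host, sso["domain"]):
            problems.append("%s is outside SSO domain %s" % (host, sso["domain"]))
    return problems

if __name__ == "__main__":
    # Constructed sample: one app in another realm, one outside the domain.
    sso = {"realm": "ITMRealm", "domain": "mycompany.com",
           "apps": [("tep.mycompany.com", "ITMRealm"),
                    ("tbsm.ops.mycompany.com", "ITMRealm"),
                    ("impact.mycompany.com", "OtherRealm"),
                    ("portal.notmycompany.com", "ITMRealm")]}
    for problem in check_answers("IDS6", "cn=root", "o=IBM", 389, sso):
        print("WARN:", problem)
```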
What to do next
If you chose Other as the LDAP type, the LDAP configuration must be completed in the TEPS/e administration console. See Use the TEPS/e administration console.
Once the LDAP registry is completely configured, you can map the Tivoli Enterprise Portal user IDs to the LDAP distinguished names to complete the LDAP configuration. You must log on to the Tivoli Enterprise Portal with the sysadmin user ID or a user ID that has the same administrative authority and is not an LDAP user. See Map Tivoli Enterprise Portal user IDs to LDAP distinguished names.
If you enabled SSO, you will need to export or import LTPA keys. Refer back to the Roadmap for setting up the portal server to use an LDAP user registry and single sign-on to determine when to perform these steps.