
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Map Tivoli Enterprise Portal user IDs to LDAP distinguished names

When the portal server is configured to authenticate users using the LDAP user registry, the user logs into the portal server using the unique identifier (UID) value of the relative distinguished name. This name is not necessarily the same as the user ID known to the Tivoli Enterprise Portal. For this reason, Tivoli Enterprise Portal user IDs must be mapped to LDAP distinguished names (which include the UID).

Every entry in the LDAP user registry has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory. A DN is made up of attribute=value pairs, separated by commas, for example:

The order of the attribute=value pairs is important. The DN contains one component for each level of the directory hierarchy, from the root down to the level where the entry resides. LDAP DNs begin with the most specific attribute, usually some sort of name, and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the Relative Distinguished Name (RDN). It identifies an entry distinctly from any other entries that have the same parent. In the examples above, the RDN cn=Jim Grey separates the first entry from the second entry (with RDN cn=Sally White); the two DNs are otherwise identical. These two users would log into the Tivoli Enterprise Portal as Jim Grey and Sally White.

The default distinguished name for new users you create for the Tivoli Enterprise Portal has the following structure:

UID=tep_userid,O=DEFAULTWIMITMBASEDREALM

This distinguished name indicates that the user is authenticated by the hub monitoring server. Using the procedure in this topic, update the distinguished name for any Tivoli Enterprise Portal users that are defined in the portal server's LDAP user registry to specify their distinguished name in the LDAP user registry instead of UID=tep_userid,O=DEFAULTWIMITMBASEDREALM.

The default DN suffix for the TEPS/e user registry is o=defaultWIMFileBasedRealm. The TEPS/e user registry contains the wasadmin user ID for TEPS/e administration console access: UID=wasadmin,o=defaultWIMFileBasedRealm.

Do not update the distinguished names for any Tivoli Enterprise Portal user IDs that are using the o=defaultWIMFileBasedRealm suffix.

User IDs are mapped to LDAP distinguished names in the Tivoli Enterprise Portal Administer Users window by a user with administrator authority. The tacmd command line interface can also be used to perform this mapping. See the tacmd edituser command in the Command Reference.

If LDAP authentication is being configured through the Tivoli Enterprise Monitoring Server, user IDs are mapped instead by editing the KGL_LDAP_USER_FILTER environment variable in the Tivoli Enterprise Monitoring Server configuration file.


Complete these steps to map Tivoli Enterprise Portal user IDs to LDAP distinguished names using the Tivoli Enterprise Portal Administer Users dialog window:


Procedure

  1. Log on to the portal using sysadmin or another user account with full administrative authority.

  2. Click Administer Users.

  3. In the Administer Users window, right-click the row of the user ID to map and select Modify User.

  4. In the Modify User dialog box, click Find to locate the LDAP distinguished name to be associated with the Tivoli Enterprise Portal user ID. Example: UID=TEPUSER,O=SS

    • The default suffix for LDAP distinguished names that are configured through the Tivoli Enterprise Portal Server configuration utilities is o=ITMSSOEntry; however, this value might have been customized when the portal server was configured for LDAP.

    • If the selected LDAP distinguished name contains non-alphanumeric characters, those characters must be escaped with a backslash before the mapping is saved. For example, if a user ID contains a pound sign, #, place a backslash before the pound sign, \#.

  5. Click OK to save the mapping and return to the Administer Users window.

  6. Repeat steps 3 through 5 until you have mapped all the users that you want to authenticate with the configured LDAP registry.

  7. Click OK to exit the Administer Users window.
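As an added example (not part of the IBM documentation), the Python below works through the DN handling this topic describes: it splits a DN into its attribute=value components, picks out the RDN value that a mapped user types at the portal logon, flags entries under the o=defaultWIMFileBasedRealm suffix that must not be remapped, and backslash-escapes an RDN value as step 4 requires. The page gives only the RDNs cn=Jim Grey and cn=Sally White, so the sample DN suffixes are assumed; the escaping follows the RFC 4514 special-character set (which includes the page's # case) rather than literally every non-alphanumeric character.

```python
# Constructed sample DNs; the suffixes after the RDN are assumed, not from the page.
SAMPLE_DNS = [
    "cn=Jim Grey,ou=Users,o=ITMSSOEntry",
    "UID=tep_userid,O=DEFAULTWIMITMBASEDREALM",  # default DN of a new portal user
    "UID=wasadmin,o=defaultWIMFileBasedRealm",   # TEPS/e admin ID: never remap
]

# Characters that RFC 4514 requires a backslash for inside a DN value.
_SPECIAL = set(',+"\\<>;=#')


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.
    Components are comma-separated without spaces; values come back unescaped,
    so 'tep\\#user' is returned as 'tep#user'."""
    parts, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:        # end of the attribute name
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":                       # end of one DN component
            parts.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    parts.append((attr, "".join(buf)))
    return parts


def login_name(dn):
    """The RDN value: the name a mapped user enters at the portal logon."""
    return parse_dn(dn)[0][1]


def is_tepse_internal(dn):
    """True for IDs under the TEPS/e file-based realm suffix, which must not be remapped."""
    attr, value = parse_dn(dn)[-1]
    return (attr or "").lower() == "o" and value.lower() == "defaultwimfilebasedrealm"


def escape_rdn_value(value):
    """Escape an RDN value before saving a mapping (step 4), e.g. 'tep#user' -> 'tep\\#user'."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith(" "):                  # leading and trailing spaces also need escaping
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    return out
```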


What to do next

Reconfigure the Tivoli Enterprise Portal browser client for SSO if it will be launched by another application on the same computer as the portal server. See Reconfigure the browser client for SSO.

Verify that the Tivoli Enterprise Portal users whose IDs are mapped to LDAP distinguished names can log into the Tivoli Enterprise Portal client. They must use their LDAP relative distinguished name to log in. If the users are not successful at logging into the Tivoli Enterprise Portal, review the TEPS/e log for diagnostic information. This is the SystemOut.log on the computer where the portal server is installed, at install_dir\CNPSJ\profiles\ITMProfile\logs on Windows or install_dir/Platform/iw/profiles/ITMProfile/log on Linux and UNIX.

Refer to the Roadmap for setting up the portal server to use an LDAP user registry and single sign-on for additional steps to perform after Tivoli Enterprise Portal users can be successfully authenticated by the portal server's LDAP user registry.

