
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Prerequisites for configuring LDAP authentication on the portal server

Before configuring LDAP authentication on the Tivoli Enterprise Portal Server, you must create the user accounts in the Tivoli Enterprise Portal and in the authenticating LDAP registry, and have the LDAP registry configuration parameters at hand.

Verify user IDs in the LDAP registry

Add or verify user IDs in the registry, but do not create an account for sysadmin until after you have enabled authentication and are already logged on to the Tivoli Enterprise Portal.

The default user name for the Tivoli Enterprise Portal Server extended services (TEPS/e) administrator is wasadmin. If this UID was added to the registry, have the user registry administrator either change the name or remove the entry. In a federated LDAP user registry, two entries with the same name cause a conflict.

A best practice is to not add sysadmin to the LDAP user registry. If the LDAP server is unavailable you cannot log onto the Tivoli Enterprise Portal using LDAP user accounts, but you can still log onto the portal using sysadmin because it is mapped to the default Tivoli Monitoring realm that is authenticated by the hub monitoring server.

Set up Tivoli Enterprise Portal user accounts

Add the user IDs that you intend to authenticate with an LDAP registry. This can be done before or after the portal server has been configured for LDAP authentication. After LDAP configuration, you must return to the Administer Users window in the portal client to associate the user ID with its distinguished name from the LDAP user registry.

The sysadmin password

The IBM Tivoli Monitoring Windows installer creates a sysadmin user account in the Windows user registry on the hub monitoring server computer and prompts you to specify a password for that ID. The password is not required unless password authentication is enabled.

The installer does not set the "Password never expires" option when it creates the sysadmin account. If you do not set this option, the password will expire according to the security policy on the hub Tivoli Enterprise Monitoring Server and you will not be able to log in to the portal server. Use the Windows Administrative Tools to ensure that the "Password never expires" option is selected for the sysadmin user account.

LDAP configuration information

Obtain the information shown in the following table from the LDAP administrator before configuring the portal server for LDAP user authentication. The portal server and participating SSO applications must be configured to use the same LDAP user registry.


LDAP configuration parameters

LDAP type

One of the following types of LDAP servers can be defined to the portal server using the Tivoli Management Services installation and configuration utilities:

  • Active Directory Server 2000

  • Active Directory Server 2003

  • Active Directory Server 2008

  • Active Directory Server 2008 R2

  • Tivoli Directory Server 6.x

  • Other

Other is specified if you are configuring a different type of LDAP server, you are planning to enable TLS/SSL between the portal server and LDAP server, or you need to specify advanced LDAP configuration parameters besides those listed in this table. When you select Other, use the TEPS/e administration console to configure and modify the LDAP user registry details.

See Use the TEPS/e administration console.

LDAP base

This parameter specifies the distinguished name (DN) of the base entry in the LDAP registry.

It is the starting point for user searches in the LDAP server. For example, for a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US for this parameter.

If you use the TEPS/e administration console to configure LDAP, this parameter is called Distinguished name of the base entry in the repository in the TEPS/e administration console.

LDAP DN base entry

The default value is o=ITMSSOEntry. However, best practice is to choose a value that is more meaningful for your organization.

Typically, you set this parameter to the distinguished name of the base entry in the LDAP registry for the portal server users. For example, for a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US for this parameter.

However, when multiple LDAP repositories are being configured for the portal server, use this field to define an additional distinguished name (DN) that uniquely identifies the set of LDAP users from this LDAP server. For example, the LDAP1 registry and the LDAP2 registry might both use o=ibm,c=us as their base entry. In this case, use this parameter to uniquely specify a different base entry for each LDAP server within the realm. For example, specify o=ibm1,c=us when configuring the LDAP1 registry and o=ibm2,c=us when configuring the LDAP2 registry.

If you have multiple LDAP registries, they cannot contain any overlapping user names.

The value of this parameter is displayed in the Tivoli Enterprise Portal Administer Users dialog when you list the distinguished names that can be mapped to Tivoli Enterprise Portal user IDs.

If you use the TEPS/e administration console to configure LDAP, this parameter is called Distinguished name of the base entry that uniquely identifies this set of entries in the realm in the TEPS/e administration console.

LDAP bind ID

This is the LDAP user ID for bind authentication, in LDAP notation, and must be authorized to search for LDAP users. The bind ID can be omitted if an anonymous user can search for LDAP users.

LDAP bind password

This is the LDAP user password for LDAP bind authentication. This value can be omitted if an anonymous user can bind to your LDAP server. This value is encrypted by the installer.

LDAP port number

This is the port number that the LDAP server is listening on. This value can be omitted if the port is 389.

LDAP host name

This is the hostname or IP address of the LDAP server. It can be omitted if the LDAP server is on the same computer as the portal server. If you are using Microsoft Active Directory, use the hostname of a domain controller within the Active Directory Forest that is hosting the user accounts for the portal server.
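As an added example (not IBM's code and not part of this documentation), the following Python script models the parameters in the table above as plain data and applies the pre-flight checks the text calls for before the portal server is configured: that each user DN sits below the LDAP base, that every registry gets a distinct LDAP DN base entry, that user names do not overlap across registries, and that sysadmin and wasadmin are absent from the registry (see the sections on verifying user IDs above). The registries, hosts and user entries are constructed sample data, and the script does not contact an LDAP server; it only validates the values you would hand to the configuration utility.

```python
"""Pre-flight validation of portal-server LDAP parameters (added example, not IBM code).

Checks, from the documentation above:
  - each user DN is below the registry's LDAP base;
  - LDAP DN base entries are unique across registries;
  - user names do not overlap across registries;
  - sysadmin and wasadmin are not present in any registry;
  - a bind ID is accompanied by a bind password, and the port is valid.
All registry contents are constructed sample data.
"""
from dataclasses import dataclass


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize_dn(dn):
    """Comparison form: lower-cased RDNs, no whitespace around commas (cn, ou, o, c match case-insensitively)."""
    return ",".join(p.lower() for p in split_dn(dn))


def base_of(user_dn):
    """Drop the leading RDN: the 'LDAP base' the table derives from a user's DN."""
    return ",".join(split_dn(user_dn)[1:])


def is_under(user_dn, base_dn):
    """True when base_dn is a proper suffix of user_dn, compared RDN by RDN."""
    u = [p.lower() for p in split_dn(user_dn)]
    b = [p.lower() for p in split_dn(base_dn)]
    return len(u) > len(b) and u[-len(b):] == b


def rdn_value(dn):
    """Value of the leading RDN, e.g. 'John Doe' for cn=John Doe,...; treated here as the user name."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return value.strip()


@dataclass
class LdapRegistry:
    name: str
    ldap_type: str
    host: str
    port: int
    ldap_base: str
    dn_base_entry: str
    bind_id: str        # empty string means anonymous search
    bind_password: str  # empty string means anonymous bind
    user_dns: list      # constructed sample of the registry's user entries


# Accounts the documentation says must not exist in the LDAP registry.
RESERVED_UIDS = {"sysadmin", "wasadmin"}


def check_registries(registries):
    """Return a list of problem strings; an empty list means the parameters pass."""
    problems = []
    seen_bases = {}   # normalized DN base entry -> registry name
    seen_users = {}   # lower-cased user name -> registry name that first defined it
    for reg in registries:
        if not 1 <= reg.port <= 65535:
            problems.append(f"{reg.name}: port {reg.port} is out of range")
        if reg.bind_id and not reg.bind_password:
            problems.append(f"{reg.name}: bind ID set but bind password is empty")
        nb = normalize_dn(reg.dn_base_entry)
        if nb in seen_bases:
            problems.append(f"{reg.name}: DN base entry {reg.dn_base_entry!r} already used by {seen_bases[nb]}")
        else:
            seen_bases[nb] = reg.name
        for dn in reg.user_dns:
            if not is_under(dn, reg.ldap_base):
                problems.append(f"{reg.name}: {dn!r} is not under LDAP base {reg.ldap_base!r}")
            uid = rdn_value(dn).lower()
            if uid in RESERVED_UIDS:
                problems.append(f"{reg.name}: reserved user {uid!r} must not be in the LDAP registry")
            if uid in seen_users and seen_users[uid] != reg.name:
                problems.append(f"{reg.name}: user {uid!r} also exists in {seen_users[uid]}")
            seen_users.setdefault(uid, reg.name)
    return problems


# Constructed sample registries: LDAP1 is clean, LDAP2 and LDAP3 each break rules from the table.
LDAP1 = LdapRegistry("LDAP1", "Tivoli Directory Server 6.x", "ldap1.example.com", 389,
                     "o=ibm,c=us", "o=ibm1,c=us", "cn=binder,o=ibm,c=us", "example-password",
                     ["cn=John Doe,ou=Rochester,o=IBM,c=US", "cn=Jane Roe,ou=Austin,o=ibm,c=us"])
LDAP2 = LdapRegistry("LDAP2", "Active Directory Server 2008 R2", "dc01.example.com", 389,
                     "o=ibm,c=us", "o=ibm2,c=us", "", "",
                     ["cn=wasadmin,ou=Raleigh,o=ibm,c=us", "cn=John Doe,ou=Raleigh,o=ibm,c=us"])
LDAP3 = LdapRegistry("LDAP3", "Other", "ldap3.example.com", 636,
                     "o=ibm,c=us", "o=ibm1,c=us", "cn=binder,o=ibm,c=us", "",
                     ["cn=Ann Lee,ou=Paris,o=acme,c=fr"])

if __name__ == "__main__":
    for p in check_registries([LDAP1, LDAP2, LDAP3]):
        print("PROBLEM:", p)
```

Running the script reports the duplicate DN base entry shared by LDAP1 and LDAP3, the user name John Doe present in both LDAP1 and LDAP2, the reserved wasadmin entry in LDAP2, the missing bind password for LDAP3, and the user whose DN lies outside LDAP3's base; the clean LDAP1 on its own produces no output.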

Information for SSO configuration

If you intend to configure SSO, work with the administrators of the other applications that plan to use single sign-on with the portal server to determine the values for the parameters listed in the following table. Each participating SSO application must have the same value for these parameters.


SSO parameters

Domain name

This is the Internet or intranet domain for which SSO is configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for SSO. Example:

    ibm.com

Realm name

A realm identifies a set of federated repositories in TEPS/e and other WebSphere Application Servers. You can choose your own realm name, but this value must be the same across all applications that are configured for SSO within the specified domain. Applications configured for the same domain name, but for a different realm name, cannot work as a part of the same SSO infrastructure.

Example:

    ibm_tivoli_sso
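As an added example (not IBM's code and not part of this documentation), this Python snippet checks the two SSO constraints stated in the table: every participating application must use the same domain name and the same realm name, and each application's host must lie in that domain or one of its sub-domains. The domain test compares whole DNS labels, so a host in notibm.com is not accepted for the domain ibm.com even though the string ends the same way. The applications, hosts and realm names are constructed sample values.

```python
"""SSO domain/realm consistency check (added example, not IBM code).

Each participating application is a dict with name, host, domain and realm.
The domain name is compared case-insensitively (DNS is case-insensitive);
the realm name is compared exactly, since the documentation only says it
must be the same everywhere. All values below are constructed samples.
"""


def host_in_domain(host, domain):
    """True when host equals domain or is in one of its sub-domains, by whole DNS labels."""
    h = host.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    return len(h) >= len(d) and h[-len(d):] == d


def check_sso(apps):
    """Return a list of problems found across the SSO participants (empty list if consistent)."""
    problems = []
    if not apps:
        return problems
    domain, realm = apps[0]["domain"], apps[0]["realm"]
    for app in apps:
        if app["domain"].lower() != domain.lower():
            problems.append(f"{app['name']}: domain {app['domain']!r} differs from {domain!r}")
        if app["realm"] != realm:
            problems.append(f"{app['name']}: realm {app['realm']!r} differs from {realm!r}")
        if not host_in_domain(app["host"], app["domain"]):
            problems.append(f"{app['name']}: host {app['host']!r} is not in domain {app['domain']!r}")
    return problems


# Constructed sample participants: the portal server plus three other applications.
SSO_APPS = [
    {"name": "portal server", "host": "teps.ibm.com", "domain": "ibm.com", "realm": "ibm_tivoli_sso"},
    {"name": "app A", "host": "tip.hub.IBM.com", "domain": "IBM.com", "realm": "ibm_tivoli_sso"},
    {"name": "app B", "host": "portal.notibm.com", "domain": "ibm.com", "realm": "ibm_tivoli_sso"},
    {"name": "app C", "host": "auth.ibm.com", "domain": "ibm.com", "realm": "other_realm"},
]

if __name__ == "__main__":
    for p in check_sso(SSO_APPS):
        print("PROBLEM:", p)
```

With the sample data the check flags app B, whose host is outside the SSO domain, and app C, whose realm name differs; the portal server and app A pass even though one uses a differently cased domain name.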

