Using a single point for authentication greatly reduces the amount of time spent on system administration. Lightweight Directory Access Protocol (LDAP) is a common choice for bringing multiple systems together. IBM® Tivoli® Directory Server provides LDAP authentication and more.
Several Rational products require some form of security and include LDAP as a choice for authentication. This series covers installation of Tivoli Directory Server for use with the IBM® Rational® Build Forge® management console and agent, IBM® Rational® ClearQuest®, and IBM® Rational® RequisitePro®. The Rational applications will each be configured to use Tivoli Directory Server, and the clients will be used to test the configurations.
For purposes of this series, we assume that you already have an IBM Flex License Server in place to allow use of the Rational products. We also assume a basic knowledge of the specific Rational software. All of the installations are done on the Microsoft® Windows® platform, and we use these versions of the applications:
- Tivoli Directory Server, Version 6.0
- Rational Build Forge, Version 7.0.0.077
- Rational ClearQuest, Version 7.0
- Rational RequisitePro, Version 7.0
This first article in this series starts with the preconditions for installation and setup for Tivoli Directory Server. After it is ready to use as the backend, you will install the Build Forge management console and agent components and then configure Build Forge to use your LDAP server.
Although it is possible to install both on the same machine, it is best to install Tivoli Directory Server and Build Forge on two different machines. Tivoli Directory Server Version 6.0 requires 2GB of free disk space and can be installed on these platforms:
- Microsoft Windows server versions 2003 Standard, Enterprise, Datacenter SP1and R2 (32- and 64-bit)
- IBM® AIX® Version 5.2 (Maintenance Level 5 and later) and 5.3 (Technology Level 1 and later)
- Red Hat Enterprise Linux® 4 and 5 (32- and 64-bit Intel,® AMD, IBM® System z,™ IBM ®Power PC®, and IBM® System i™)
- SUSE Linux Enterprise Server 9 and 10 (32- and 64-bit Intel, AMD, IBM System z, IBM Power PC, and IBM System i), Solaris 9 (SPARC) and 10 (SPARC and Windows Professional XP x64 Edition)
- HP-UX 11i v2 (PA-RISC and Integrity)
Build Forge requires 2 GB of free disk space and 1GB of RAM on the installed system. Build Forge Standard Edition can be installed on Red Hat Enterprise Linux 3 and Windows 2000, Windows Server 2003, and Windows XP Pro. Build Forge Enterprise Edition adds platform support for Fedora Core 3 and Solaris 9 or later.
- Choose a user name with eight characters or less on the Tivoli Directory Server machine. This is for the user who is running the server.
- For working through this example, use
TDSAdmin.
Set up the Tivoli Directory Server
Tivoli Directory Server is a product with many dependencies, so it installs a number of things automatically for you. These include the IBM®DB2® database and IBM® WebSphere® Application Server. Although it is possible to use other versions and even other database and application server products, we will stick with the provided default versions of DB2 and WebSphere Application Server for this example.
- Begin the installation of Tivoli Directory Server. When prompted for which components to install, select every component except the Global Security Kit (GSKit).
Figure 1. Installing Tivoli Directory Server
Note:
The GSKit is needed only for adding Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which are outside of the scope of this article.
- When the installation is completed, click Finish in the installation wizard to close it.
- The Server Instance Administration Tool will launch automatically. (If it does not, click Start > Programs > IBM Tivoli Directory Server V6.0, and then click Install Administration Tool).
- Create a new directory server instance.
- For User name, type in the administrator user name that you created before installation:
TDSAdmin. - Under Install location, select the drive that you want to use.
- In the Encryption seed string field, type a string of your choice, but one that is at least 12 characters long.
Figure 2. Creating a directory server instance
- Tivoli Directory Server has already automatically installed the IBM DB2 database. Use the same user name for the DB2 instance name (Figure 4) as you did during installation:
TDSAdmin(it should default to the correct value).
Figure 3. Default instance name
- Check Configure admin DN and password and Configure database (Figure 4).
Figure 4. Configuring the admin DN and password
- DN (Distinguished Name) is the unique identifier for an LDAP entry. Leave cn=root for the DN, and type a password for the instance (Figure 5). When creating the new instance, use the DB2 system ID that you created, and provide a database name. If the database does not already exist, it will be created for you within the previously created DB2 instance.
Figure 5. Using the DB2 system ID
When you get to the end of the installation wizard, a new window appears to show progress. If the installation is successful, it should look something like Figure 6.
Figure 6. Progess dialog
- After finishing the installation, you will see that two new services have been added (Figure 7). Start them if they are not already launched.
Figure 7. Windows System Information console
Configure the Tivoli Directory Server
It is time to configure Tivoli Directory Server by using the Web Administration tool. It runs on top of the WebSphere Application Server that was installed automatically when you installed Tivoli Directory Server.
- To start the WebSphere Application Server instance that Tivoli Directory Server will use, open a command prompt for the following:
C:\Program Files\IBM\LDAP\V6.0\appsrv\bin>startServer.bat server1
- Replace the path with yours if you did not use the default for the installation (Figure 8).
Figure 8. The command prompt window
- Now that WebSphere Application Server is running, you can access the Web Administration tool by opening this URL in a Web browser on your server:
http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp
- Use
superadminfor the user name andsecretfor the password. These are the defaults. - Under Console administration, you will see a link to Manage console servers. Select it and add
localhostto the list of servers, leaving the Enable SSL encryption option unchecked (Figure 9).
Figure 9. Adding localhost to the list of console servers
Now that localhost has been added, it will appear as a server option on the login page.
- Log in to localhost by logging off the current session and then selecting localhost for the server as you log back in. Your administrator DN for localhost, if you left the default, is
cn=root. - Next, add a suffix to the server by selecting Server Administration > Manage Server Properties, and then selecting Suffixes.
- Type
o=jke.ibm.comin the suffix DN field, click Add, and then click OK. - Now go to Directory Management > Manage Entries, and select the new suffix in the list.
- Click the Add button.
Now you must create an entry for this suffix.
- To add an entry for a newly created suffix, click Directory management > Add an entry > Add.
- When the Add an entry window displays, select Organization from the Structural object classes list, and click Next. The Select auxiliary object classes window will display, but no other object classes are necessary, so just click Next.
- For this example, enter the Relative DN as
o=jke.ibm.comand leave the Parent DN blank. - Click Finish.
This will take you back to the Manage entries window, where you will see the newly added suffix in the list of top-level entries.
- Add an organizationalUnit with no Auxiliary Object Class. The Relative DN should be
ou=jke_us, and the Parent DN should already be o=jke.ibm.com. - Add a second organizationalUnit under jke_us, and for the Relative DN., use
ou=users. These new suffixes and organizational units enable you to add users. - Now, add a user to Tivoli Directory Server by going to Directory Management > Manage Entries and drilling down to the users group by selecting the suffix and units and then clicking the Expand button.
- When you have the user's organizationalUnit selected, add an inetOrgPerson.
- On the Enter the Attributes page, use the attributes and values that Table 1 shows.
Table 1. Attributes and values to enter
| Attribute | Value |
|---|---|
| Relative DN | Cn=Cid I. Oreo |
| cn | Cid I. Oreo |
| Parent DN | ou=users, ou=jke_us, o=jke.ibm.com |
| Sn | Oreo |
| Given name | Cid I. |
| cio@us.jke.ibm.com | |
| Uid | Cio |
| userPassword | Ldaptest |
- Click Finish.
You have now created an LDAP user on Tivoli Directory Server within a new organization.
Users who will log in using the Tivoli Directory Server need access to the Tivoli Directory Server keyfile on the server. Our copy defaulted to this:
C:\Program Files\IBM\LDAP\v6.0\etc\ldapkey.kdb |
- Share the directory so that the user running the applications on other machines can see the file.
These tasks are now finished:
- You have installed and configured Tivoli Directory Server.
- DB2 and WebSphere Application Server were automatically installed and configured during the Tivoli Directory Server installation.
- You added a user entry to the server and opened access for the Tivoli Directory Server keyfile.
Set up the Build Forge management console and agent
Now that Tivoli Directory Server has been installed, configured, and populated, you can install and set up Build Forge to use it for authentication. If you are installing the system to perform a trial or to test a specific feature, you may want to install the Build Forge management console and one Build Forge agent on the same machine. These two components are enough for a working Build Forge system, so that you can test the system without using additional machines. Someone installing for production would typically install the management console on one machine to control the other machines, which are set up with an appropriate version of the agent.
- Launch the Build Forge management console installation, and choose Next when it appears (Figure 10).
Figure 10. Build Forge setup
- Accept the License Agreement.
- Enter the installation location, and click Next (Figure 11).
Figure 11. Choosing the insall location
- Enter the License Host port (the default port is 80).
Important:
We are using an internal license server for this example. If you do not have an internal license server for Build Forge, you will need to deploy one and configure this after setting it up. Please consult your Build Forge documentation for this (see Resources for a link).
Figure 12. Configuring the license host
- Choose Use IBM Rational supplied database if you do not have an existing database
Note:
For DB2 to install properly, the user account must be for an administrator on the local machine.
Alternatively, you can connect to an existing database by selecting Datasource Name, Database Type (DB2, Oracle, MySQL, Sybase, SQLServer), Username, and Password. It is best to use the default database option because of a license problem that occurs with other databases (see Figure 13):>
Figure 13. Choosing the default database
- After the installation completes, you must reboot your system.
- If the Build Forge engine is not running, start it now.
- You will then need to launch the management console. The administrator user name and password is root for both.
Build Forge does not require that the user names are prepopulated into its repository. After a valid user name is supplied and access is granted, that user is automatically recognized by the Build Forge system. When the user is recognized, the only attributes that can be modified are the time zone, date format, and console login characteristics. All other information is governed by the LDAP directory. The Build Forge system will not use LDAP authentication until you create at least one LDAP domain.
- Log into the Build Forge management console as the admin user (Figure 14).
Figure 14. Logging in to the Build Forge Management console
- Select Administration from the top of the left navigation menu (Figure 15).
Figure 15. Selecting Build Forge Administration
- Select LDAP from the bottom of the left navigation menu (Figure 16).
Figure 16. Selecting LDAP administration
- Click the Add LDAP Domain button in the right panel (Figure 17).
Figure 17. Adding the LDAP server
- Enter the information for the LDAP server. Here is the information that you need for the domain:
- Domain Name: Enter whatever you want to call your domain. We use JKE_US for this example. Note that our server already has three domains in it, including this one.
-
Host and Port:
<yourldapserver:389> -
Search Base:
<ou=users,ou=jke_us, o=jke.ibm.com> -
Unique Identifier:
<mail=%> -
Display Name:
<cn> -
Distinguished Name:
<dn> -
Group Unique Identifier:
<mail=%> - Save the LDAP domain.
The next part of this article shows how to test the LDAP configuration for a domain in Build Forge. The steps for authenticating with a user account in the LDAP server are also included.
- Select Administration from the top of the left navigation menu (Figure 18).
Figure 18. Selecting LDAP administration
- Select LDAP from the bottom of the left navigation menu (Figure 19).
Figure 19. Administering LDAP
- Select a domain (Figure 20).
Figure 20. Selecting an LDAP domain
- Click Test LDAP Domain (Figure 21).
Figure 21. Testing the LDAP domain
- Confirm the test by clicking OK (Figure 22).
Figure 22. Confirming the test
- Verify that the domain passes the test. Build Forge queries the LDAP server, verifying that it can make a connection by using the configuration information that you have supplied. If the test is successful, a check mark will appear by the Test LDAP Domain button (Figure 23).
Figure 23. LDAP domain has been tested
- Log out of Build Forge (Figure 24).
Figure 24. Invoking the Logout command
- Log into Build Forge by using an LDAP account.
- Supply a valid LDAP user name and password, using the JKE US domain (Figure 25).
Figure 25. Logging in to the JKE US domain
Note:
The system remembers LDAP users after they log in once. LDAP users appear on user lists only after they have logged in at least once.
Figure 26. List of LDAP users
You have successfully completed the installation of Rational Build Forge and configured it to use accounts that are set up on Tivoli Directory Server for LDAP authentication.
Learn
- Take a look at a demo of Build Forge
- Attend a live demo of Build Forge
- Attend a Webcast on Build and Release Management with Build Forge
- Consult the IBM Tivoli Directory Server documentation for further information.
- Check the Rational Build Forge documentation for technical resources and best practices for Rational Software Delivery Platform products.
- Visit the Rational software area on developerWorks for technical resources and best practices for Rational Software Delivery Platform products.
- Subscribe to the developerWorks Rational zone newsletter. Keep up with developerWorks Rational content. Every other week, you'll receive updates on the latest technical resources and best practices for the Rational Software Delivery Platform.
- Subscribe to the Rational Edge newsletter for articles on the concepts behind effective software development.
- Browse the technology bookstore for books on these and other technical topics.
Get products and technologies
- Find more resources for build and release engineers and managers in the Build Forge area of the developerWorks Rational zone, including articles and whitepapers, links to training, discussion forums, product documentation and support.
- Download
trial versions of IBM Rational software.
Discuss
- Participate in the discussion forum.
- Talk to an IBM Rational Build Forge Specialist: call me – email us
- Seeking answers or advice about good build and release management practices? Are you a Build Forge user looking to connect with others? Post in the Build and release Management/Build Forge forum on developerWorks.
Chris Hardee is a Staff Software Engineer and has been at IBM for 5 years. Chris currently works on the Rational Desktop System and Integration Test Team, which is responsible for ensuring quality in workflows that pass through multiple IBM software products. Chris graduated from North Carolina State University with a B.S. in Computer Science.
A software quality professional, Breun Reed has learned testing from the ground up. His experiences in Rational included supporting functional and system level testing for IBM Rational ClearCase, IBM Rational ClearCase Multisite, and 3rd-party integration testing during the McKinley SR4, SR5, Baltic 7.0, and Baltic 7.0.1 releases. Currently a Software Quality Engineer at IBM Rational Software, he works on the Rational System Verification Test Desktop Integrations team as a focal point (lead) on the Software Development Governance GreenThread effort. Breun attended Tennessee State University where he earned his B.S. in Computer Science. After college, Breun joined IBM, where he has worked for 4 years within IBM Rational. He continues to develop tests scenarios and serves as a source of information and advice for those new to Rational solutions.
Comments (Undergoing maintenance)
Table of contents
Next steps from IBM
My developerWorks community
Tags
Use the slider bar to see more or fewer tags.
Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).
My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).
Popular article tags |
My article tagsSkip to tags list
Popular article tags |
My article tags
