IBM Tivoli Storage Manager, Version 7.1

Managing passwords and logon procedures

IBM® Tivoli® Storage Manager requires the server to identify authorized administrator IDs and nodes by using a password. You can authenticate administrator and node passwords with a Lightweight Directory Access Protocol (LDAP) directory server.

Restriction: Backup-archive clients must be at V6.4 or later to authenticate passwords with an LDAP directory server. Storage agents authenticating node IDs with an LDAP directory server must use a secure connection, such as Transport Layer Security (TLS) or a virtual private network.
Figure 1. Configuring the server to authenticate passwords with an LDAP directory server

Before you authenticate admin and node passwords with an LDAP directory server, you must configure the LDAP server and the Tivoli Storage Manager server. The graphic displays the steps that are documented in the table.
The first step in authenticating passwords with an LDAP directory server is to complete the configuration tasks on the Tivoli Storage Manager server and the LDAP directory server. The following table shows you which steps are accomplished on the two servers:
Table 1. The steps that are required to authenticate passwords with an LDAP directory server, and where the steps are configured

Steps to authenticate passwords with an LDAP directory server | Where to complete the steps
--- | ---
1. Set up an LDAP directory server | LDAP server
2. Create the Base DN (distinguished name) | LDAP server
3. Grant access to the Base DN to a specific user ID | LDAP server
4. Copy the trusted certificate from the LDAP directory server to the Tivoli Storage Manager server | LDAP server
5. Import the trusted certificate from the LDAP directory server into the Tivoli Storage Manager server. If you already have a certificate on the LDAP directory server, you do not have to generate a new certificate. You can use the existing certificate to secure communication between the LDAP directory server and the Tivoli Storage Manager server. | Tivoli Storage Manager server
6. Configure the LDAPURL option | Tivoli Storage Manager server
7. Define the user ID that administers node and administrator passwords with the LDAP directory server | Tivoli Storage Manager server
8. Define the password for the user ID that administers node and administrator passwords | Tivoli Storage Manager server
9. Update or register node IDs and administrator IDs to authenticate with an LDAP directory server | Tivoli Storage Manager server

The LDAP directory server and the Tivoli Storage Manager server treat letter case differently. The LDAP directory server is case-sensitive: for example, it distinguishes between secretword and SeCretwOrd. The Tivoli Storage Manager server interprets all letters in LOCAL passwords as uppercase.

The following terms are used when describing the LDAP directory server environment:
Distinguished name (DN)
A unique name in an LDAP directory. The DN consists of the following components, which must appear in this order:
  • The relative distinguished name (RDN)
  • The organizational unit (ou)
  • The organization (o)
  • The country (c)
For example:
uid=jackspratt,ou=marketing,o=corp.com,c=us
uid=cbukowski,ou=manufacturing,o=corp.com,c=us
uid=abbynormal,ou=sales,o=corp.com,c=us
In this example, the RDN on the first line identifies an administrator whose user ID is jackspratt. The organizational unit (marketing), organization (corp.com), and country (us) complete the DN.
Bind
To validate that a certificate is trusted between an LDAP server and another server.
Bind DN
The distinguished name that is used to authenticate with the LDAP server. (This is also the DN of the user ID that is defined in the Tivoli Storage Manager SET LDAPUSER command.) For example, if our SET LDAPUSER command is:
set ldapuser "uid=jackspratt,ou=media,cn=security"
then uid=jackspratt,ou=media,cn=security is the bind DN for the LDAP directory server.
Bind DN password
The password that is associated with the bind DN.
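The DN structure and the bind DN taken from the SET LDAPUSER command, worked through as an added example (not part of the IBM documentation or product): it splits a DN into its RDNs while honouring backslash-escaped commas, checks that the components appear in the RDN, ou, o, c order described above, and pulls the bind DN out of a SET LDAPUSER command line. The escaped-comma sample and the helper names are constructed for this example; the other DNs are the ones from the page.

```python
import re

# Sample DNs from the page (constructed list for this example).
SAMPLE_DNS = [
    "uid=jackspratt,ou=marketing,o=corp.com,c=us",
    "uid=cbukowski,ou=manufacturing,o=corp.com,c=us",
    "uid=abbynormal,ou=sales,o=corp.com,c=us",
]

# Component order described on the page: RDN (uid), then ou, o, c.
EXPECTED_ORDER = ("uid", "ou", "o", "c")


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn):
    """Return the DN as an ordered list of (attribute, value) pairs.

    Attribute types are folded to lowercase; values are kept exactly as
    written, since the LDAP server is case-sensitive (unlike LOCAL passwords).
    """
    pairs = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_user_dn(dn):
    """Return the user ID if the DN follows the uid, ou, o, c order, else None."""
    pairs = parse_dn(dn)
    if tuple(attr for attr, _ in pairs) != EXPECTED_ORDER:
        return None
    return pairs[0][1]


def bind_dn_from_command(cmd):
    """Extract the quoted bind DN from a SET LDAPUSER command line, or None."""
    m = re.match(r'\s*set\s+ldapuser\s+"([^"]+)"\s*$', cmd, re.IGNORECASE)
    return m.group(1) if m else None
```

Note that the bind DN on the page, uid=jackspratt,ou=media,cn=security, does not follow the uid, ou, o, c ordering of the user DNs, so check_user_dn rejects it while bind_dn_from_command still extracts it.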