SystemAdmin

Pinned topic LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

‏2012-09-27T12:36:55Z |
First I'll explain the environment and then explain how we have LDAP configured so it's easier to explain my questions.

We have 4 servers in the picture (I didn't install them in this, but I'm in charge of configuring them and managing them)

All servers are running Red Hat Linux 5.3
Server A: TEMS and TEPS are here
Server B: Managing Server is here
Server C: Warehouse is here
Server D: Transaction Reporter is here

For this question, I'm only working with Server A. So TEMS and TEPS have been installed and configured, and the basic agents are installed. We want to be able to configure everything for LDAP so that we can assign groups and users inside the TEP Console so we can allow certain users to view specific views. So I configured the portal server (cq) and the monitoring server (ms) for LDAP with the assistance of our info security team. The configuration completes for both, but in the Manage ITM console I see this error:

LDAP connection cannot be configured - verify firewall settings and LDAP connection parameters. To configure with updated LDAP parameters, reconfigure the Tivoli Enterprise Portal Server.
Tivoli Portal Server

INST_COMP_PLUGIN_RETURN_CODE:000

Along with that, if LDAP authentication is enabled for TEMS and TEPS, I can't log in with any ID that is in the LDAP repository or any that's locally defined within Server A.

If I disable LDAP authentication on TEMS, I can log in with no issues. My questions are:

1. To be able to use LDAP as the repository within TEPS, does LDAP authentication have to be enabled on both the monitoring server as well as the portal server?
2. What ports need to be opened other than 389 (since I'm pretty sure that one is open)?
3. Is this a problem with the Eclipse Help Server?

Thanks in advance.
  • Roseberry
    ‏2012-09-27T12:59:15Z  
    Hi,
    Answer for question 1) is no. LDAP config for TEPS is independent of LDAP config for TEMS. Basically LDAP for TEPS is to allow SSO to other applications.
    Is an ldapsearch, on the Linux box, with the values you use OK?
    I've encountered a problem with AD as the LDAP server when referrals are used.
    Was an OU specific to the TEPS/TEMS users created and used?

    • - - - - - - Luc Roseberry
    Tivoli Certified
    ITIL Master Certified
    Roseberry International
    http://www.roseberry-international.com
  • SystemAdmin
    ‏2012-09-27T13:15:10Z  
    We're using Tivoli Directory Server 6 for the LDAP server.

    I'm unable to do an ldapsearch, I don't think it's installed or it's locked down because when I try, I get -bash: ldapsearch: command not found.
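
Added example, not part of the original thread: when `ldapsearch` is unavailable, a standard-library Python 3 script can send an LDAPv3 simple bind itself and report whether the failure is at the network layer (port 389 blocked) or at the directory (bind rejected), the two causes the error message lumps together. The function names are hypothetical, and a simple bind on port 389 sends the password unencrypted, so run it with no DN (anonymous bind) or a test account.

```python
import socket

# Result codes worth naming for a bind check (RFC 4511).
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

def _tlv(tag, value):
    """Encode one BER element, using the long length form from 128 bytes up."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def bind_request(bind_dn="", password="", msg_id=1):
    """LDAPv3 simple BindRequest; empty DN and password mean anonymous bind."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))

def _read(buf, pos):
    """Decode the element at pos; return (tag, value, offset after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_response(data):
    """Return the resultCode from a BindResponse; ValueError if malformed."""
    try:
        tag, message, _ = _read(data, 0)
        _, _, pos = _read(message, 0)          # skip messageID
        op_tag, op, _ = _read(message, pos)
        code_tag, code, _ = _read(op, 0)
    except IndexError:
        raise ValueError("truncated LDAP message")
    if (tag, op_tag, code_tag) != (0x30, 0x61, 0x0A) or not code:
        raise ValueError("not a BindResponse")
    return int.from_bytes(code, "big")

def check_ldap(host, port=389, bind_dn="", password="", timeout=5.0):
    """Separate 'port blocked' from 'server reachable but bind rejected'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(bind_request(bind_dn, password))
            code = parse_bind_response(conn.recv(4096))
    except ValueError as exc:
        return "protocol: %s" % exc
    except OSError as exc:
        return "network: %s:%d unreachable (%s)" % (host, port, exc)
    return "ldap: resultCode %d (%s)" % (code, RESULT_NAMES.get(code, "other"))
```

A `network:` result points at the firewall or the port; `resultCode 49` means the server was reached and the bind DN or password is wrong.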
  • SystemAdmin
    ‏2012-09-27T13:20:36Z  
    I'm going to get more information from Info Security when they're online.
  • Roseberry
    ‏2012-09-27T13:31:44Z  
    I've found the following:

    APAR IZ26870 - LDAP CONNECTION MESSAGE DURING TEPS CONFIG 6.2FP1 UPGRADE

    Symptoms:

    During the upgrade to IBM Tivoli Monitoring 6.2.0 Fix Pack 1, you receive
    the following message during TEPS configuration:

    ***************************
    Response file information
    Callpoint postconfig response file content:
    Tivoli Portal Server
    LDAP connection cannot be configured - verify firewall setting
    and LDAP connection parameters. To configure with updated LDAP
    parameters, reconfigure the Tivoli Enterprise Server.
    Tivoli Enterprise Browser client
    INST_COMP_PLUGIN_RETURN_CODE:000

    WebHelp to Eclipse Help Converter

    After clicking OK, the user is still able to proceed with the
    installation. The user may see the message two more times before the
    installation moves on. The TEPS does configure and start after the
    upgrade.

    The message will occur regardless of the LDAP checkbox settings in the
    TEPS (or TEMS) configuration boxes.

    In the event this message occurs, the embedded WAS does not get upgraded as it
    should. The version of eWAS contained in IBM Tivoli Monitoring 6.2.0
    Fix Pack 1 is 6.1.0.13.
  • SystemAdmin
    ‏2012-09-27T13:34:31Z  
    We're currently using Tivoli Monitoring 06.22.07.00
  • Roseberry
    ‏2012-09-27T17:55:37Z  
    No mismatch 32/64 bits between platform and installed code?

  • SystemAdmin
    ‏2012-09-27T18:19:21Z  
    Not that I've seen. We're 64 bit across everything.

    I'm still waiting for info security to get back to me and they usually leave at 3:00PM EST so I might not have an update until tomorrow unfortunately.
  • SystemAdmin
    ‏2012-09-28T19:03:36Z  
    We tried a few more things today with our LDAP configuration but haven't really gotten anywhere. We realized we were trying to authenticate through TEMS and TEPS but read that won't work if both repositories are the same (which they are), so we tried to authenticate via just TEMS and then just with TEPS.

    1. When we authenticate via TEPS, we can log into the console, but when I open the user list, I can't do a user lookup of the LDAP server. It seems like it's still local authentication.

    2. When we authenticate via TEMS, we can't log into the console at all.

    Think it's time to open a PMR.
  • SystemAdmin
    ‏2012-10-11T20:29:19Z  
    Finally worked everything out and got LDAP authentication and user look up in TEPS working properly. For those who are curious, here's what I did. Also, don't think I mentioned this, but we are running Red Hat 5.3.

    1. Configure LDAP authentication for TEPS (cq agent). I had to have our info security guy do it because they didn't want to give out the bindid password :)
    2. Recycle BOTH TEPS agent and the Eclipse agent.
    3. Enable ISCLite by running /opt/IBM/ITM/li6263/iw/scripts/enableISCLite.sh
    4. Change the wasadmin ID by running /opt/IBM/ITM/li6263/iw/scripts/updateTEPSEPass.sh
    5. Log into the ISCLite/embedded WAS console via http://localhost:15205/ibm/console using wasadmin and newly changed password.
    6. Open security menu and configure a new realm pointing to the same repository that I configured the TEPS agent with
    7. Recycle TEPS AND Eclipse again
    8. You have to enable ISCLite again using step #3 (Not sure if this is a bug or not but every time I recycle the cq agent, I have to re-enable ISCLite)
    9. Log into TEPS console using sysadmin ID and password
    10. Create users. When doing a "find" you have to type uid=<userid> in the distinguished name field and it finds it no problem now. Select and click OK and bam! All done.

    Actually a pretty painless procedure overall, just kind of annoying to have to modify scripts to make sure ISCLite gets enabled any time the CQ agent gets bounced.