9 replies Latest Post - ‏2012-10-11T20:29:19Z by SystemAdmin
SystemAdmin

Pinned topic LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

‏2012-09-27T12:36:55Z |
First I'll explain the environment and then explain how we have LDAP configured so it's easier to explain my questions.

We have 4 servers in the picture (I didn't install them in this, but I'm in charge of configuring them and managing them).

All servers are running Red Hat Linux 5.3
Server A: TEMS and TEPS are here
Server B: Managing Server is here
Server C: Warehouse is here
Server D: Transaction Reporter is here

For this question, I'm only working with Server A. So TEMS and TEPS have been installed and configured, and the basic agents are installed. We want to be able to configure everything for LDAP so that we can assign groups and users inside the TEP Console so we can allow certain users to view specific views. So I configured the portal server (cq) and the monitoring server (ms) for LDAP with the assistance of our info security team. The configuration completes for both, but in the manage ITM console I see this error:

LDAP connection cannot be configured - verify firewall settings and LDAP connection parameters. To configure with updated LDAP parameters, reconfigure the Tivoli Enterprise Portal Server.
Tivoli Portal Server

INST_COMP_PLUGIN_RETURN_CODE:000

Along with that, if LDAP authentication is enabled for TEMS and TEPS, I can't log in with any ID that is in the LDAP repository or any that's locally defined within Server A.

If I disable LDAP authentication on TEMS, I can log in with no issues. My questions are:

1. To be able to use LDAP as the repository within TEPS, does LDAP authentication have to be enabled on both the monitoring server as well as the portal server?
2. What ports need to be opened other than 389 (since I'm pretty sure that one is open)?
3. Is this a problem with the Eclipse Help Server?

Thanks in advance.
Updated on 2012-10-11T20:29:19Z by SystemAdmin
  • Roseberry

    Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

    ‏2012-09-27T12:59:15Z  in response to SystemAdmin
    Hi,
    Answer for question 1) is no. LDAP config for TEPS is independent of LDAP config for TEMS. Basically LDAP for TEPS is to allow SSO to other applications.
    Is an ldapsearch, on the Linux box, with the values you use OK?
    I've encountered a problem with AD as the LDAP server when referrals are used.
    Was an OU specific to the TEPS/TEMS users created and used?

    • - - - - - - Luc Roseberry
    Tivoli Certified
    ITIL Master Certified
    Roseberry International
    http://www.roseberry-international.com
    • SystemAdmin

      Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

      ‏2012-09-27T13:15:10Z  in response to Roseberry
      We're using Tivoli Directory Server 6 for the LDAP server.

      I'm unable to do an ldapsearch, I don't think it's installed or it's locked down because when I try, I get -bash: ldapsearch: command not found.
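
For the check suggested above when ldapsearch is not installed, an added example (not part of the thread and not IBM tooling): a Python 3 probe that hand-builds an LDAPv3 simple bind and reports whether the TCP connection or the bind itself failed. The host name is a placeholder, and having Python 3 on the portal server is an assumption.

```python
import socket
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

def _tlv(tag, payload):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_bind_request(bind_dn="", password=""):
    """LDAPv3 simple BindRequest (RFC 4511); empty DN and password means anonymous."""
    body = (_tlv(0x02, b"\x03")                      # version 3
            + _tlv(0x04, bind_dn.encode("utf-8"))    # name (bind DN)
            + _tlv(0x80, password.encode("utf-8")))  # [0] simple authentication
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60, body))  # messageID 1

def parse_bind_result(data):
    """Return the resultCode of a BindResponse (0 success, 49 invalidCredentials)."""
    _, msg, _ = _read_tlv(data, 0)       # LDAPMessage SEQUENCE
    _, _, pos = _read_tlv(msg, 0)        # messageID
    tag, op, _ = _read_tlv(msg, pos)     # protocolOp
    if tag != 0x61:                      # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    return int.from_bytes(_read_tlv(op, 0)[1], "big")  # resultCode ENUMERATED

def probe(host, port=389, bind_dn="", password="", timeout=5):
    """Tell a blocked port from a rejected bind. A simple bind on 389 is sent unencrypted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_bind_request(bind_dn, password))
            data = s.recv(4096)
    except OSError as exc:
        return "tcp-failed: %s" % exc
    if not data:
        return "closed-by-peer"
    code = parse_bind_result(data)
    return "bind resultCode %d (%s)" % (code, RESULT_NAMES.get(code, "other"))

if __name__ == "__main__":
    print(probe("ldap.example.com"))  # placeholder host; use the configured LDAP server
```

A `tcp-failed` result points at the firewall or host/port values, while a non-zero resultCode means the server was reached and rejected the bind parameters.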
  • SystemAdmin

    Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

    ‏2012-09-27T13:20:36Z  in response to SystemAdmin
    I'm going to get more information from Info Security when they're online.
    • Roseberry

      Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

      ‏2012-09-27T13:31:44Z  in response to SystemAdmin
      I've found the following:

      APAR IZ26870 - LDAP CONNECTION MESSAGE DURING TEPS CONFIG 6.2FP1 UPGRADE

      Symptoms:

      During the upgrade to IBM Tivoli Monitoring 6.2.0 Fix Pack 1, you receive
      the following message during TEPS configuration:

      ***************************
      Response file information
      Callpoint postconfig response file content:
      Tivoli Portal Server
      LDAP connection cannot be configured - verify firewall setting
      and LDAP connection parameters. To configure with updated LDAP
      parameters, reconfigure the Tivoli Enterprise Server.
      Tivoli Enterprise Browser client
      INST_COMP_PLUGIN_RETURN_CODE:000

      WebHelp to Eclipse Help Converter

      After clicking OK, the user is still able to proceed with the
      installation. The user may see the message two more times before the
      installation moves on. The TEPS does configure and start after the
      upgrade.

      The message will occur regardless of the LDAP checkbox settings in the
      TEPS (or TEMS) configuration boxes.

      In the event this message occurs, the embedded WAS does not get upgraded as it
      should. The version of eWAS contained in IBM Tivoli Monitoring 6.2.0
      Fix Pack 1 is 6.1.0.13.
      • SystemAdmin

        Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

        ‏2012-09-27T13:34:31Z  in response to Roseberry
        We're currently using Tivoli Monitoring 06.22.07.00
        • Roseberry

          Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

          ‏2012-09-27T17:55:37Z  in response to SystemAdmin
          No mismatch 32/64 bits between platform and installed code?

          • SystemAdmin

            Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

            ‏2012-09-27T18:19:21Z  in response to Roseberry
            Not that I've seen. We're 64 bit across everything.

            I'm still waiting for info security to get back to me and they usually leave at 3:00PM EST so I might not have an update until tomorrow unfortunately.
  • SystemAdmin

    Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

    ‏2012-09-28T19:03:36Z  in response to SystemAdmin
    We tried a few more things today with our LDAP configuration but haven't really gotten anywhere. We realized we were trying to authenticate through TEMS and TEPS but read that won't work if both repositories are the same (which they are), so we tried to authenticate via just TEMS and then just with TEPS.

    1. When we authenticate via TEPS, we can log into the console, but when I open the user list, I can't do a user lookup of the LDAP server. It seems like it's still local authentication.

    2. When we authenticate via TEMS, we can't log into the console at all.

    Think it's time to open a PMR.
  • SystemAdmin

    Re: LDAP configuration and INST_COMP_PLUGIN_RETURN_CODE:000

    ‏2012-10-11T20:29:19Z  in response to SystemAdmin
    Finally worked everything out and got LDAP authentication and user lookup in TEPS working properly. For those who are curious, here's what I did. Also, don't think I mentioned this, but we are running Red Hat 5.3.

    1. Configure LDAP authentication for TEPS (cq agent). I had to have our info security guy do it because they didn't want to give out the bindid password :)
    2. Recycle BOTH TEPS agent and the Eclipse agent.
    3. Enable ISCLite by running /opt/IBM/ITM/li6263/iw/scripts/enableISCLite.sh
    4. Change the wasadmin ID by running /opt/IBM/ITM/li6263/iw/scripts/updateTEPSEPass.sh
    5. Log into the ISCLite/embedded WAS console via http://localhost:15205/ibm/console using wasadmin and the newly changed password.
    6. Open the security menu and configure a new realm pointing to the same repository that I configured the TEPS agent with.
    7. Recycle TEPS AND Eclipse again.
    8. You have to enable ISCLite again using step #3. (Not sure if this is a bug or not, but every time I recycle the cq agent, I have to re-enable ISCLite.)
    9. Log into the TEPS console using the sysadmin ID and password.
    10. Create users. When doing a "find", you have to type uid=<userid> in the distinguished name field, and it finds it no problem now. Select and click OK and bam! All done.

    Actually a pretty painless procedure overall, just kind of annoying to have to modify scripts to make sure the ISCLite gets enabled any time the CQ agent gets bounced.