Microsoft Active Directory provides several tools for managing your site's LDAP environment; the following two will prove particularly useful when linking it to IBM® Tivoli® Monitoring:
- ADSI Edit: Use this Microsoft Management Console snap-in to view your user object attributes and to confirm that the attributes you specify for the Tivoli Enterprise Portal Server Login properties and for the Tivoli Enterprise Monitoring Server attributename=%v substitution parameter are defined and available.
- LDP.exe: Use this tool to validate the Base settings of your monitoring server and portal server LDAP configurations. It allows you to connect, bind, and query your LDAP environment from your workstation; see Figure 1. LDP.exe for Windows XP is available from Microsoft at this URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
This sample demonstrates the verification of a configuration using:
    LDAP filter object = (&(objectCategory=user)(uid=%v))
    LDAP base = CN=ITMtemsUsers,OU=ITMUsers,DC=company,DC=com
Alternatively, this sample demonstrates the verification of a configuration using:
    LDAP base = CN=ITMtepsUsers,OU=ITMUsers,DC=company,DC=com
    Login properties = uid
To successfully configure Microsoft Active Directory LDAP authentication, you either need the Domain Administrator or need to get hold of two very useful tools that let you look at your LDAP directory from the outside. These tools are:
- ldapsearch: Use this tool to test your connect strings from the command line and to verify that you are pointing at the right location inside the LDAP user registry. Figure 2 shows sample ldapsearch output. Ldapsearch for LDAP information contains additional information about this command, its uses, and its options.
The ldapsearch options you specify (see ldapsearch command-line options) are based on your site's Tivoli Enterprise Monitoring Server LDAP configuration:
    - -h is the LDAP host name.
    - -p is the LDAP port.
    - -b is the LDAP base value.
    - -D is the LDAP bind ID.
    - -w is the LDAP bind password.
Note: If you do not specify the -w option, you will be prompted to enter the LDAP bind password from the keyboard.
Always specify the ldapsearch -s sub option, because the monitoring server's LDAP client uses it when authenticating Tivoli Monitoring users. Replace %v with the Tivoli Monitoring user ID when specifying the LDAP user filter (this string is the last part of the ldapsearch command line).
Example: To verify user sysadmin with the monitoring server LDAP configuration shown in Figure 1, specify the following ldapsearch command:
    ldapsearch -h 192.168.1.241 -p 389 -b "DC=bjomain,CN=users,DC=bjomain,DC=com" -D "CN=Administrator,CN=users,DC=bjomain,DC=com" -w admin10admin -s sub "(mail=sysadmin@bjomain.com)"
Follow this link to download a free version of ldapsearch: http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.support.was40.doc/html/Security/swg21113384.html
- ldapbrowser: Use this tool to graphically traverse the LDAP user registry and to spell out the Distinguished Names and other parameters that you need to complete the configuration. To verify that IBM Tivoli Monitoring can access your LDAP user registry across the network, install the LDAP browser on a Tivoli Monitoring server. Figure 1 shows a sample ldapbrowser display. The LDAP browser also enables you to retrieve LDAP information from the portal server itself.
Follow this link to download a free version of ldapbrowser: http://www.ldapbrowser.com/download.htm; then click the LDAP Browser tab. ldapbrowser is also available for both UNIX/Linux and Windows at this URL: http://www.mcs.anl.gov/~gawor/ldap/