IBM Tivoli Monitoring, Version 6.3

Active Directory LDAP verification tools

Microsoft Active Directory provides several tools for your use in managing your site's LDAP environment; the following two will prove particularly useful when linking it to IBM® Tivoli® Monitoring:

Use this Microsoft Management Console snap-in to view your user object attributes and to confirm that the attributes you are specifying for the Tivoli Enterprise Portal Server Login properties and the Tivoli Enterprise Monitoring Server attributename=%v substitution parameter are defined and available.
Use this tool to validate your monitoring server and portal server LDAP configuration's Base settings. This tool allows you to connect, bind, and query your LDAP environment from your workstation; see Figure 1.

LDP.exe for Windowx XP is available from Microsoft at this URL:

Figure 1. LDP query results
This graphic shows the results obtained when using the LDP utility to query your site's LDAP user registry for user information.
This sample demonstrates the verification of a configuration using:
LDAP filter object = (&(objectCategory=user)(uid=%v))
LDAP base = CN=ITMtemsUsers,OU=ITMUsers,DC=company,DC=com
Alternatively, this sample demonstrates verification of a configuration using:
LDAP base = CN=ITMtepsUsers,OU=ITMUsers,DC=company,DC=com
Login properties = uid
To successfully configure Microsoft Active Directory LDAP authentication, either you need the Domain Administrator or you need to get hold of two very useful tools that allow you to look at your LDAP directory from the outside. These tools are:
Use this tool to test your connect strings from the command line and to verify that you are pointing at the right location inside the LDAP user registry. Figure 2 shows sample ldapsearch output.

Ldapsearch for LDAP information contains additional information about this command and its uses and options.

The ldapsearch options you specify (see ldapsearch command-line options) are based on your site's Tivoli Enterprise Monitoring Server LDAP configuration:
is the LDAP host name.
is the LDAP port name.
is the LDAP base value.
is the LDAP bind ID.
is the LDAP bind password.
Note: If you do not specify the -w option, you will be required to enter the LDAP bind password from the keyboard.
Always specify the ldapsearch -s sub option because the monitoring server's LDAP client uses it when authenticating Tivoli Monitoring users. Replace %v with the Tivoli Monitoring user ID when specifying the LDAP user filter (this string is the last part of the ldapsearch command line).
Example: To verify user sysadmin with the monitoring server LDAP configuration shown in Figure 1, specify the following ldapsearch command:
ldapsearch -h -p 389 -b "DC=bjomain,CN=users,DC=bjomain,
           -D "CN=Administator,CN=users,DC=bjomain,DC=com" -w admin10admin 
           -s sub "("

Follow this link to download a free version of ldapsearch:

Use this tool to graphically traverse the LDAP user registry and to spell out the Distinguished Names and other parameters that you need to complete the configuration. To verify that IBM Tivoli Monitoring can access your LDAP user registry across the network, install the LDAP browser on a Tivoli Monitoring server. Figure 1 shows a sample ldapbrowser display.

The LDAP browser also enables you to retrieve LDAP information from the portal server itself.

Follow this link to download a free version of ldapbrowser:; then click the LDAP Browser tab. ldapbrowser is also available for both UNIX/Linux and Windows at this URL: