Configuring Tivoli Netcool/OMNIbus to use LDAP for external authentication
Tivoli Netcool/OMNIbus supports external authentication of ObjectServer users whose passwords are stored in a Lightweight Directory Access Protocol (LDAP) compliant repository.
Before you begin
- If all users that require access to Tivoli Netcool/OMNIbus belong to the same organizational unit, request the distinguished name template for that organizational unit from your LDAP administrator. The template provides the value of the DistinguishedName property in the Tivoli Netcool/OMNIbus LDAP properties file. For example, in the template cn=%s,ou=Development,o=ABCcorp, the base distinguished name that all users belong to is ou=Development,o=ABCcorp and the cn field maps to a user name in the ObjectServer user repository. When a user logs in to the ObjectServer, the ObjectServer replaces the %s variable with the user name and submits the entire string to the LDAP server for authentication.
- If the users belong to multiple organizational units, you must configure the ObjectServer to do an LDAP search for each user's distinguished name. Request the following information from your LDAP administrator:
  - The distinguished name of the root organizational unit for all users, or a list of the organizational units that each user belongs to. The distinguished name or list of organizational units provides the value of the LDAPSearchBase property in the Tivoli Netcool/OMNIbus LDAP properties file.
  - A template to generate an LDAP search filter for each Tivoli Netcool/OMNIbus user. The template (for example, (cn=%s)) provides the value of the LDAPSearchFilter property in the Tivoli Netcool/OMNIbus LDAP properties file.
- Confirm whether a bind distinguished name is required for write operations, to obtain user and group information, or to perform searches.
  - If a bind distinguished name is required, you must specify values for the LDAPBindDn and LDAPBindPassword properties in the Tivoli Netcool/OMNIbus LDAP properties file. The ObjectServer uses these values to make a persistent connection to the LDAP server and to issue authentication bind requests and searches.
  - If the LDAPBindPassword property needs to be updated periodically, the Props.LiveUpdate property can be included in the file and set to TRUE. If this flag is set, the ObjectServer rereads the properties file and uses the updated password without the need to stop or restart the ObjectServer.
  - If a bind distinguished name is not required, remove or comment out the LDAPBindDn and LDAPBindPassword properties in the Tivoli Netcool/OMNIbus LDAP properties file. The ObjectServer then binds to LDAP anonymously.
- Review the Tivoli Netcool/OMNIbus LDAP properties file settings and request any other information that you require, such as the LDAP server host name and port number.
- Use the ldapsearch utility to test your configuration before implementing it in the ObjectServer.
CA certificates for all LDAP servers that the ObjectServer will connect to must be listed in the keystore.
For more information about setting up LDAP configuration of the ObjectServer, see this technote: https://www.ibm.com/support/pages/example-netcool-omnibus-objectserver-ldap-configuration
If you configured Tivoli Netcool/OMNIbus to operate in FIPS 140-2 mode with SSL, the LDAP interface must also be configured for FIPS 140-2 operation. Consult your LDAP administrator to verify that the required encryption support is in place for FIPS 140-2 operation.
About this task
You can configure the ObjectServer to act as an LDAP client so that users that connect to the ObjectServer have their passwords authenticated in an LDAP server. You can use a single LDAP server to authenticate all Tivoli Netcool/OMNIbus users, including users who access the desktop components.
User details are stored in the ObjectServer user repository and user entries are configured to authenticate externally. User passwords are not stored in the ObjectServer. When a user logs in to the ObjectServer, the ObjectServer locates the user entry in its repository and binds to the LDAP repository to authenticate the user.
- Tivoli Netcool/OMNIbus is not intended to be used to manage user accounts in LDAP, and so does not provide the capability to change passwords in an LDAP server.
- The LDAP module that is used by the ObjectServer connects to a single LDAP server instance. The Web GUI component, which is deployed in the Tivoli® Integrated Portal, can connect to multiple LDAP repositories.
Procedure
Action | More information |
---|---|
1. Configure the Tivoli Netcool/OMNIbus LDAP properties file ($NCHOME/omnibus/etc/ldap.props) with the settings that you obtained from your LDAP administrator. If authentication performance is a concern, and all the required users belong to a single organizational unit, use the DistinguishedName property to create a direct bind to LDAP. Otherwise, use the LDAPSearchBase and LDAPSearchFilter properties to perform a search for distinguished names. | |
2. Configure the ObjectServer to use LDAP authentication by setting the Sec.ExternalAuthentication property to LDAP. Authorization is managed in the ObjectServer. | ObjectServer properties and command-line options |
3. SSL only: If a key database does not exist on the ObjectServer host, create one. | About the key database files |
4. SSL only: Ensure that the public CA certificates for all LDAP servers that the ObjectServer will connect to are added to the certificate key database. These certificates are required so that the ObjectServer can validate its connection to the LDAP server(s). | Adding certificates from CAs |
5. SSL only: Ensure that the following SSL properties are set in the ldap.props file: | LDAP properties |
6. Configure each Tivoli Netcool/OMNIbus external user for external authentication. Use Netcool/OMNIbus Administrator (nco_config) for this task or, in the SQL interactive interface, use the CREATE USER command or the ALTER USER command. If you use Netcool/OMNIbus Administrator, complete the following details in the User Details pane: If you use the SQL interactive interface, ensure that the user name is identical to the name stored in the external authentication repository, that no password is specified, and that the PAM keyword is set to TRUE. | Creating and editing users |
7. Optional: Use the nco_keygen utility and then the nco_aes_crypt utility to encrypt the LDAP password. After you have encrypted the password, re-edit the ldap.props file by setting the following properties: | Setting up property value encryption |
8. If Web GUI user accounts are created in the ObjectServer by the synchronization process with the LDAP server, and these users need access to desktop tools (such as the Conductor and the event list), perform the following tasks: | Creating and editing users |
9. Optional: Test the connection between the LDAP server and the ObjectServer by using an ldapsearch utility. | The following technote describes options for using ldapsearch: http://www-01.ibm.com/support/docview.wss?uid=swg21579907 |
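As an added example (not code from the Netcool/OMNIbus documentation or from the product), the following POSIX shell script does with the OpenLDAP ldapsearch client what the text above says the ObjectServer does at login, so that you can rehearse the "Before you begin" choice between the two templates and carry out step 9 with the exact values you intend to put in ldap.props. It substitutes the user name into the DistinguishedName template (direct bind), or into the LDAPSearchFilter and searches LDAPSearchBase (bound as LDAPBindDn, or anonymously when that is empty) to find the DN, and then performs a simple bind as that DN with the user's password. The LDAP URI, the environment-variable names, the sample DNs and the DRY_RUN switch are assumptions of this example; the page does not list the ObjectServer's own property names for the LDAP host and port, so the script takes an LDAP URI instead.

```shell
#!/bin/sh
# ldap_preflight.sh: added example, not part of the Netcool/OMNIbus documentation.
# Reproduces with ldapsearch the two ways the ObjectServer resolves a user's DN
# (DistinguishedName template, or LDAPSearchBase/LDAPSearchFilter search bound
# as LDAPBindDn), then checks the password with a simple bind as that DN.
# Assumed inputs (not from the page): LDAP_URI and the variables below, which
# carry the values you plan to place in ldap.props.

LDAP_URI=${LDAP_URI:-ldaps://ldap.example.com:636}   # assumed host and port
DN_TEMPLATE=${DN_TEMPLATE:-}        # e.g. 'cn=%s,ou=Development,o=ABCcorp'
SEARCH_BASE=${SEARCH_BASE:-}        # e.g. 'ou=Development,o=ABCcorp'
SEARCH_FILTER=${SEARCH_FILTER:-}    # e.g. '(cn=%s)'
BIND_DN=${BIND_DN:-}                # empty = anonymous bind for the search
BIND_PW=${BIND_PW:-}
DRY_RUN=${DRY_RUN:-0}               # 1 = print the ldapsearch commands only

# Replace the %s in a template with the user name, as the ObjectServer does
# for DistinguishedName and LDAPSearchFilter.
substitute_user() {
  tpl=$1; user=$2
  case $tpl in
    *%s*) printf '%s\n' "${tpl%%"%s"*}${user}${tpl#*"%s"}" ;;
    *)    printf '%s\n' "$tpl" ;;
  esac
}

# RFC 4515 escaping of filter metacharacters, so a name such as "a)(cn=*"
# cannot widen the search when it is substituted into the filter.
filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Direct-bind case: the template alone yields the DN; no search, no bind DN.
dn_from_template() { substitute_user "$1" "$2"; }

# Search case: bind as $4/$5 (anonymously when $4 is empty), search $1 with the
# filter built from $2 and user $3, and print the DN of the matching entry.
# The ObjectServer needs exactly one match; more than one DN here is a problem.
dn_from_search() {
  base=$1; filter_tpl=$2; user=$3; bind_dn=$4; bind_pw=$5
  filter=$(substitute_user "$filter_tpl" "$(filter_escape "$user")")
  set -- ldapsearch -LLL -x -H "$LDAP_URI" -b "$base" -s sub
  if [ -n "$bind_dn" ]; then set -- "$@" -D "$bind_dn" -w "$bind_pw"; fi
  set -- "$@" "$filter" dn
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; return 0; fi
  "$@" | sed -n 's/^dn: //p'
}

# Password check: a simple bind as the resolved DN. A DN with an empty password
# is an unauthenticated (anonymous) bind that many servers accept, so refuse it
# rather than report a false success.
check_password() {
  user_dn=$1; password=$2
  if [ -z "$password" ]; then
    echo "refusing empty password: it would be an anonymous bind, not a check" >&2
    return 2
  fi
  # -w exposes the password in the process list; prefer -y <file> in real runs.
  set -- ldapsearch -LLL -x -H "$LDAP_URI" -D "$user_dn" -w "$password" \
         -b "$user_dn" -s base '(objectClass=*)' dn
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; return 0; fi
  "$@" >/dev/null 2>&1      # exit 0 = accepted, 49 = invalid credentials
}

main() {
  user=$1; password=$2
  if [ -n "$DN_TEMPLATE" ]; then
    user_dn=$(dn_from_template "$DN_TEMPLATE" "$user")
  else
    user_dn=$(dn_from_search "$SEARCH_BASE" "$SEARCH_FILTER" "$user" "$BIND_DN" "$BIND_PW")
  fi
  if [ -z "$user_dn" ]; then echo "no DN found for $user" >&2; return 1; fi
  if check_password "$user_dn" "$password"; then
    echo "authenticated: $user_dn"
  else
    rc=$?; echo "authentication failed for $user_dn (ldapsearch exit $rc)" >&2; return 1
  fi
}

# Usage: SEARCH_BASE='ou=Development,o=ABCcorp' SEARCH_FILTER='(cn=%s)' \
#        ./ldap_preflight.sh alice 'her-password'
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it with DRY_RUN=1 first to see the exact commands it will issue. Point the OpenLDAP client at the same CA certificate you will add to the key database (for example through the LDAPTLS_CACERT environment variable) so that the ldaps:// connection is validated the way the ObjectServer's will be; a failure at that point is a certificate problem, not a credentials problem. The empty-password refusal is there because a simple bind that supplies a DN and no password is treated as an anonymous bind by many directory servers and returns success; confirm how your directory behaves before relying on any LDAP authentication path.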