LDAP properties

Use the $NCHOME/omnibus/etc/ldap.props properties file to define configuration settings for connecting to an LDAP repository.

The LDAP properties are described in the following table. You must verify the value of all these properties with the LDAP administrator, except for the ConfigCryptoAlg, ConfigKeyFile, and SSLKeyStoreLabel properties.

Tip: You can encrypt string values in a properties file by using property value encryption.

Tip (functionality delivered in fix pack 23): If the LDAPBindPassword distinguished name password needs to be periodically updated to conform with security regulations, consider setting the Props.LiveUpdate property to TRUE. This supports dynamic updates to the LDAPBindPassword property without the need to stop or restart the ObjectServer.

Table 1. LDAP properties
Property Description
ConfigCryptoAlg string
Specifies the cryptographic algorithm to use for decrypting string values (including passwords) that were encrypted with the nco_aes_crypt utility and then stored in the properties file. Set the string value as follows.
  • When in FIPS 140–2 mode, use AES_FIPS.
  • When in non-FIPS 140–2 mode, you can use either AES_FIPS or AES. Use AES only if you need to maintain compatibility with passwords that were encrypted by using the tools that are provided in versions earlier than Tivoli Netcool/OMNIbus 7.2.1.

The value that you specify must be identical to the value used when you ran nco_aes_crypt with the -c setting to encrypt the string values.

Use this property with the ConfigKeyFile property.

ConfigKeyFile string

Specifies the path and name of the key file that contains the key that is used to decrypt encrypted string values (including passwords) in the properties file.

The key is used at run time to decrypt string values that were encrypted with the nco_aes_crypt utility. The key file that you specify must be identical to the file used to encrypt the string values when you ran nco_aes_crypt with the -k setting.

Use this property in conjunction with the ConfigCryptoAlg property.

DistinguishedName string

Specifies the distinguished name (DN) that identifies the user that is being authenticated in the target LDAP server. A sample format that shows some of the attribute type-value pairs in the DN is:

cn=%s,o=string1,ou=string2,dc=string3,l=string4,st=string5,c=string6

Where:
  • cn is the common name value that must be entered as cn=%s. The %s variable is replaced by the ObjectServer user name.
  • o specifies your organization or company name.
  • ou specifies the organizational unit or department name.
  • dc specifies the domain component.
  • l specifies the locality or city of your organization.
  • st specifies your state or province.
  • c specifies the two-letter ISO code for your country.

Example distinguished names:

cn=%s,ou=Development,o=ABCcorp

cn=%s,ou=NOC,dc=ABCcorp,dc=com

cn=%s,ou=Operators,ou=NOC,l=london,o=ABCcorp

The default is cn=%s.

The attributes can be in uppercase or lowercase, for example, CN or cn. At a minimum, you must specify the common name setting (in the form cn=%s).

Hostname string

Identifies the name of the host on which the LDAP server is running, and to which the ObjectServer connects. Acceptable values are:
  • A single host name.
  • A blank-separated list of host names, and optionally, port numbers, in the following format:

    host1[:port1] host2[:port2] ...

    You might find this format useful for specifying a failover configuration. Connections are attempted in the order that is given for the host names and port numbers. When the ObjectServer establishes a connection to an LDAP server, it remains connected to that server until the connection is no longer required, or until it fails. If a port number is not specified, the port number that is defined for the Port property is used.

Example entries are:

Hostname: 'server1'

Hostname: 'server2:1200'

Hostname: 'server1:800 server2:2000 server3'

The default is localhost.

LDAPBindDn string

Specifies the distinguished name of the LDAP user account that is used for bind authentication. This value is used to establish a persistent connection to the LDAP server, and is used for subsequent authentication operations.

If you do not specify a value for this property, the ObjectServer uses an anonymous bind to LDAP.

The default is ''.

Use this property with the LDAPBindPassword property.

LDAPBindPassword string

Specifies the password for LDAP bind authentication. The default is ''.

Use this property with the LDAPBindDn property.

Functionality delivered in fix pack 23: When the Props.LiveUpdate property is set to TRUE, the LDAPBindPassword value can be updated in the property file while the ObjectServer is running. The new value is used the next time the ObjectServer makes a connection to the LDAP server, without the need for the ObjectServer to be stopped or restarted.

LDAPSearchBase string

Specifies the base distinguished name that an LDAP search starts from. For example:

LDAPSearchBase: "ou=Tivoli,ou=SWG,o=ibm"

To specify that multiple DNs are searched, separate each DN with two semicolons (;;). For example:

LDAPSearchBase: "ou=WebGUI,ou=Tivoli,ou=SWG,o=ibm;;ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm;;ou=ITNM,ou=Tivoli,ou=SWG,o=ibm"

Note: If the distinguished name string contains a double quotation mark ("), use a backslash character (\) to escape it, for example, \".

The default is ''.

LDAPSearchFilter string

Specifies a filter for an LDAP search. For example:

LDAPSearchFilter: "(cn=%s)"

The following special character conditions apply to filter strings:
  • The percent character (%) can be used only once in the filter string and only to specify the Tivoli Netcool/OMNIbus user name (%s).
  • Use the backslash character to escape double quotation marks (") in the filter string. For example, \" is sent to the LDAP server as ".
  • Use the backslash character (\) to escape backslash characters in the filter string. For example, \\ is sent to the LDAP server as \.
Note: Any escape sequences defined in this property are applied in Tivoli Netcool/OMNIbus before the values are passed to LDAP. They are separate from any escape sequences that are defined in the LDAP string filter specification.

The default is (cn=%s).
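The following Python script is an added example, not part of the IBM documentation or of the Tivoli Netcool/OMNIbus product. It reads a constructed ldap.props-style fragment and applies the rules described above for the DistinguishedName, Hostname, LDAPSearchBase and LDAPSearchFilter properties: the failover host list is expanded with the Port fallback, LDAPSearchBase is split on ;;, the filter's %-usage rule is checked, and the \" and \\ escapes are resolved before the user name is substituted. As an added precaution that the page does not state OMNIbus performs itself, the user name is escaped per RFC 4515 (filter) and RFC 4514 (DN) before substitution, so a name containing filter metacharacters cannot change the meaning of the query. All function names (parse_props, failover_hosts, search_bases, build_filter, build_dn) are this example's own.

```python
"""Added example (not IBM code): validate and expand OMNIbus LDAP properties."""
import re

# Constructed sample ldap.props content; values are illustrative only.
SAMPLE_PROPS = r"""
# comment line
Hostname: 'server1:800 server2:2000 server3'
Port: 389
DistinguishedName: 'cn=%s,ou=NOC,dc=ABCcorp,dc=com'
LDAPSearchBase: "ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm;;ou=ITNM,ou=Tivoli,ou=SWG,o=ibm"
LDAPSearchFilter: "(&(cn=%s)(description=\"ops\"))"
"""


def parse_props(text):
    """Parse 'Name: value' lines and strip one layer of matching outer quotes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        props[name.strip()] = value
    return props


def failover_hosts(props):
    """Expand 'host1[:port1] host2[:port2] ...' into an ordered (host, port) list.
    Entries without a port fall back to the Port property (default 389)."""
    default_port = int(props.get("Port", "389"))
    result = []
    for entry in props.get("Hostname", "localhost").split():
        host, sep, port = entry.partition(":")
        result.append((host, int(port) if sep else default_port))
    return result


def search_bases(props):
    """Split LDAPSearchBase on ';;' and resolve the \\\" escape in each DN."""
    raw = props.get("LDAPSearchBase", "")
    return [b.replace('\\"', '"') for b in raw.split(";;") if b]


def unescape_filter(template):
    """Resolve the property-file escapes: \\\" -> \" and \\\\ -> \\ (left to right)."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "\\" and i + 1 < len(template) and template[i + 1] in '"\\':
            out.append(template[i + 1])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def validate_filter(template):
    """Enforce that '%' appears at most once and only as the '%s' user-name marker."""
    if template.count("%") > 1:
        raise ValueError("percent may appear only once in LDAPSearchFilter")
    if "%" in template and "%s" not in template:
        raise ValueError("the only permitted percent sequence is %s")
    return True


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter (assumed precaution)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(c, c) for c in value)


def dn_escape(value):
    """RFC 4514 escaping for a value substituted into a DN template (assumed precaution)."""
    escaped = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_filter(props, username):
    """Check the template, resolve its escapes, then substitute the escaped user name."""
    template = props.get("LDAPSearchFilter", "(cn=%s)")
    validate_filter(template)
    return unescape_filter(template).replace("%s", ldap_filter_escape(username))


def build_dn(props, username):
    """Require the mandatory cn=%s component, then substitute the escaped user name."""
    template = props.get("DistinguishedName", "cn=%s")
    if "cn=%s" not in template.lower():
        raise ValueError("DistinguishedName must contain cn=%s")
    return template.replace("%s", dn_escape(username))


if __name__ == "__main__":
    p = parse_props(SAMPLE_PROPS)
    print(failover_hosts(p))
    print(search_bases(p))
    print(build_filter(p, "alice"))
    print(build_dn(p, "Smith, J"))
```

Running the script prints the ordered failover list with server3 on the Port fallback, the two search bases, and the expanded filter and DN for the constructed user names; a template with two percent signs is rejected by validate_filter before any substitution takes place.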

LDAPTimeout integer

Specifies a timeout period (in seconds) for requests to the LDAP server.

If a request takes longer than the specified time, an error is logged.

The default is 60.

LDAPVersion integer

Indicates the LDAP version that the server is running. Valid values are 2 and 3. The default is 3.

Port integer

Specifies the port on which the LDAP server is listening. The default is 389.

Props.LiveUpdate TRUE | FALSE

Functionality delivered in fix pack 23: When set to TRUE, the ObjectServer reads and processes any updates to the LDAPBindPassword property.

The default is FALSE.

SSLEnabled TRUE | FALSE

Determines whether SSL can be used for connections to the LDAP server. The default is FALSE.

On Windows only, if SSL is enabled for connections to the LDAP server, the following environment variable must be set for the ObjectServer to start successfully:

GSKIT_LOCAL_INSTALL_MODE=true

SSLKeyStoreLabel string

Specifies the label of the server certificate for the ObjectServer if the LDAP server is expecting the ObjectServer to present a certificate for authentication. This certificate is held in the Tivoli Netcool/OMNIbus key database, and can be presented to the LDAP server when client authentication is required. If this property is not set and SSL is enabled, server authentication is used. This property is applicable only when the SSLEnabled property is set to TRUE.

The default is ''.

SSLPort integer

Specifies the port on which the LDAP server is listening for SSL connections. This property is applicable only when the SSLEnabled property is set to TRUE.

The default is 636.