Monitoring, Version 6.2
ldapsearch is an LDAP command-line tool available from many LDAP server vendors. You can save a lot of time by running ldapsearch to verify the LDAP information before configuring a hub monitoring server for LDAP authentication. You can also use it to troubleshoot problems you encounter with the configuration. Ideally, ldapsearch is run by the LDAP administrator.
The ldapsearch command operates something like the ping command. If the values you use as input to the command are correct, the command returns a version of the values you use in the search. If the values are not correct, the command returns either nothing, or an error message that can help you determine which value is involved, such as an incorrect password or a bad host name.
The IBM Tivoli Directory Server (ITDS) ldapsearch is best suited for Tivoli Monitoring. The ITDS ldapsearch supports the GSKit SSL operations used in Tivoli Monitoring and has additional command-line options to support LDAP SSL searches. Tivoli Monitoring does not include ldapsearch in a production installation. For information on the IBM Tivoli Directory Server ldapsearch, see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/commandref05.htm#ldapsrch.
ldp.exe is a Microsoft Windows LDAP search tool that has the same basic features as ldapsearch. It can be downloaded from the Microsoft website for your version of Windows. ldp.exe is included in the Windows Server 2003 CD support tools. For information on using the Microsoft Windows ldp command, see http://support.microsoft.com/kb/224543.
The following sections describe the command-line options for the ldapsearch tool and provide examples of its use for configurations with and without SSL enabled.
Table 62 shows the command line options and the corresponding LDAP setting parameters on the hub monitoring server.
| Option | Description | Corresponding Parameter in TEMS configuration file |
|---|---|---|
| -h host | The host name of LDAP server. | KGL_LDAP_HOST_NAME |
| -p port | The LDAP port number. | KGL_LDAP_PORT |
| -D dn | The LDAP bind ID. Do not use this command-line option if an LDAP bind ID is not required. | KGL_LDAP_BIND_ID |
| -w password | The LDAP bind password. Use the unencrypted value for the ldapsearch command-line option. Do not use this command-line option if an LDAP bind ID is not required. | KGL_LDAP_BIND_PASSWORD |
| -b base_dn | The LDAP base. | KGL_LDAP_BASE |
| -K keyfile | The LDAP key store file (used only with LDAP SSL). | KGL_KEYRING_FILE |
| -P key_pw | The LDAP key store password (used only with LDAP SSL). Use the unencrypted value for the ldapsearch command-line option. | KGL_KEYRING_PASSWORD decrypted value |
| -N key_name | The LDAP key store label (used only with LDAP SSL). | KGL_KEYRING_LABEL |
| Filter | The LDAP user filter. Replace %v with the Tivoli Enterprise Portal, SOAP, or tacmd user ID. | KGL_LDAP_USER_FILTER |
For a configuration with the following values, for which SSL is not enabled and no bind ID and password are required:

| Setting | Value |
|---|---|
| LDAP host name | ldap.itm62.com |
| LDAP port number | 389 |
| LDAP base | ou=itm62users,o=itm62.com |
| LDAP user filter | "(mail=%v@us.ibm.com)" |

you would use the following command:

```
ldapsearch -h ldap.itm62.com -p 389 -b "ou=itm62users,o=itm62.com" -s sub "(mail=sysadmin@itm62.com)"
```

If the input values were correct, you would receive the following as output:

```
uid=12345678,ou=itm62users,o=itm62.com
objectClass=person
objectClass=organizationalPerson
...
mail=sysadmin@itm62.com
...
```
For a configuration with SSL enabled and bind ID and password required, with the following values:

| Setting | Value |
|---|---|
| LDAP host name | ldap.itm62.com |
| LDAP port number | 636 |
| LDAP bind ID | uid=1,ou=itm62users,o=itm62.com |
| LDAP bind password | itm62 |
| LDAP base | ou=itm62users,o=itm62.com |
| LDAP key store | C:\IBM\ITM\itm62keyfiles\keyfile.kdb |
| LDAP key stash | C:\IBM\ITM\itm62keyfiles\keyfile.sth |
| LDAP keystore label | IBM_Tivoli_Monitoring_Certificate |
| LDAP keystore password | itm62 |
| LDAP user filter | "(mail=%v@us.ibm.com)" |

you would use the following command:

```
ldapsearch -h ldap.itm62.com -p 636 -D uid=1,ou=itm62users,o=itm62.com -w itm62 -b "ou=itm62users,o=itm62.com" -s sub -K C:\IBM\ITM\itm62keyfiles\keyfile.kdb -P itm62 -N "IBM_Tivoli_Monitoring_Certificate" "(mail=sysadmin@itm62.com)"
```

If the input values were correct, you would receive the following as output:

```
uid=12345678,ou=itm62users,o=itm62.com
objectClass=person
objectClass=organizationalPerson
...
mail=sysadmin@itm62.com
...
```
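
As an added example (not part of the IBM documentation), the following shell functions apply the Table 62 mapping: they read the KGL_* parameters, substitute an escaped user ID for %v in the user filter, and print the matching ldapsearch command for either configuration shown above. The KEY=VALUE layout of the sample configuration, the function names, and the `<bind_password>` and `<key_pw>` placeholders are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample config: KEY=VALUE lines (assumed layout) holding this
# page's SSL example values. Passwords are left out on purpose: the file
# stores them encrypted and ldapsearch needs the unencrypted values.
SAMPLE_CONFIG='KGL_LDAP_HOST_NAME=ldap.itm62.com
KGL_LDAP_PORT=636
KGL_LDAP_BIND_ID=uid=1,ou=itm62users,o=itm62.com
KGL_LDAP_BASE=ou=itm62users,o=itm62.com
KGL_KEYRING_FILE=C:\IBM\ITM\itm62keyfiles\keyfile.kdb
KGL_KEYRING_LABEL=IBM_Tivoli_Monitoring_Certificate
KGL_LDAP_USER_FILTER=(mail=%v@us.ibm.com)'

# cfg_get KEY: print the value of KEY from $CONFIG (everything after "KEY=").
cfg_get() {
    printf '%s\n' "$CONFIG" | sed -n "s/^$1=//p" | head -n 1
}

# escape_filter_value ID: escape the LDAP filter metacharacters \ * ( )
# (RFC 4515) so the user ID is matched literally.
escape_filter_value() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_ldapsearch_cmd CONFIG_TEXT USER_ID: print the ldapsearch command line
# for the given settings, with placeholders where a password is needed.
build_ldapsearch_cmd() {
    CONFIG=$1
    user=$(escape_filter_value "$2")
    filter=$(cfg_get KGL_LDAP_USER_FILTER)
    case $filter in
        *%v*) filter="${filter%%%v*}${user}${filter#*%v}" ;;  # first %v only
        *) echo "KGL_LDAP_USER_FILTER contains no %v" >&2; return 1 ;;
    esac
    cmd="ldapsearch -h $(cfg_get KGL_LDAP_HOST_NAME) -p $(cfg_get KGL_LDAP_PORT)"
    bind=$(cfg_get KGL_LDAP_BIND_ID)
    # -D and -w are used only when a bind ID is configured.
    if [ -n "$bind" ]; then cmd="$cmd -D \"$bind\" -w <bind_password>"; fi
    cmd="$cmd -b \"$(cfg_get KGL_LDAP_BASE)\" -s sub"
    key=$(cfg_get KGL_KEYRING_FILE)
    # -K, -P and -N are used only with LDAP SSL.
    if [ -n "$key" ]; then
        cmd="$cmd -K \"$key\" -P <key_pw> -N \"$(cfg_get KGL_KEYRING_LABEL)\""
    fi
    printf '%s\n' "$cmd \"$filter\""
}

build_ldapsearch_cmd "$SAMPLE_CONFIG" sysadmin
```

The printed command carries placeholders instead of the passwords, so the unencrypted values are supplied only when the command is actually run.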