IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

Configuring the portal server for LDAP authentication using the TEPS/e administration console

You must use the Tivoli Enterprise Portal Server extended services (TEPS/e) administration console to configure LDAP server connection parameters if you specified Other as the LDAP type when you configured the portal server.

Before you begin

Start the TEPS/e administration console.

Attention: Best practice is to select the LDAP type of Other in the Manage Tivoli® Enterprise Monitoring Services utility or the itmcmd command line interface before using the TEPS/e administration console to change the LDAP server configuration; otherwise any future changes do not persist. For example, if you selected IDS6 as the LDAP type when you configured the portal server using the itmcmd command and you then change the LDAP connection parameters through the TEPS/e administration console, your changes are lost the next time you reconfigure the portal server.

Procedure

  1. In the TEPS/e administration console navigation tree, click Security → Global security.
  2. On the page that is displayed, ensure that Federated repositories is selected for Available realm definition, and click Configure.
  3. Configure the federated repository:
    1. Verify or enter the Realm Name value. A realm identifies a set of federated repositories in TEPS/e and other WebSphere® Application Servers. You can choose your own realm name, but this value must be the same across all applications that are configured for SSO within an Internet or intranet domain. If you enabled single sign-on when you configured the portal server, this field displays the value you specified for the realm name. For details on specifying the domain, see step 10.
    2. On the same page, click Add Base entry to Realm.
  4. On the Repository reference page, click Add repository and choose LDAP repository from the dropdown list. The page now displays the properties that can be configured for the portal server to LDAP connection.
  5. Provide the appropriate values for the following parameters:
    • For Repository identifier, enter a name for the repository that you find meaningful to identify the type of users in the LDAP repository. For example, ITMtepUsers.
    • For Directory type, choose the type of LDAP server being used in your environment.
    • For Primary hostname, enter the fully qualified hostname or IP address of your LDAP server.
    • For Port, enter the port number of the LDAP server. The default value is 389, the unencrypted LDAP port; if the bind password must not cross the network in the clear, use the port and the SSL settings on this page that match your LDAP server's secure configuration.
    • For Bind distinguished name, enter the distinguished name for a user that is authorized to search for LDAP users. For example, cn=root. Prefer a dedicated account that has only read and search access to the user entries rather than a directory administrator account, because the portal server stores these credentials. The bind ID can be omitted if an anonymous user can search for LDAP users.
    • For Bind password, enter the password for the user specified in the Bind distinguished name field. This value can be omitted if an anonymous user can bind to your LDAP server.
    If necessary, you can also customize other parameters on this page to match the capabilities of your LDAP server. For more information about the other parameters that can be configured on this panel, see the TEPS/e administration console online help.
  6. Click OK to accept the settings.
  7. On the Repository reference page, enter these values:
    • For Distinguished name of the base entry that uniquely identifies this set of entries in the realm, enter a value that uniquely identifies the set of LDAP user entries from the LDAP server for which you are configuring a connection.

      Typically, you set this parameter to the distinguished name of the base entry in the LDAP registry for the portal server users. For example, for a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US for this parameter.

      However, when multiple LDAP repositories are being configured for the portal server, use this field to define an additional distinguished name (DN) that uniquely identifies the set of LDAP users from this LDAP server. For example, the LDAP1 registry and the LDAP2 registry might both use o=ibm,c=us as their base entry. In this case, use this parameter to uniquely specify a different base entry for each LDAP server within the realm. For example, specify o=ibm1,c=us when configuring the LDAP1 registry and o=ibm2,c=us when configuring the LDAP2 registry.
      Note: If you have multiple LDAP registries, they cannot contain any overlapping user names.

      The value of this parameter is displayed in the Tivoli Enterprise Portal Administer Users dialog when you list the distinguished names that can be mapped to Tivoli Enterprise Portal user IDs.

    • For Distinguished name of the base entry in this repository, enter the distinguished name (DN) for the base entry in the LDAP registry.

      It is the starting point for user searches in the LDAP server. For example, for a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US for this parameter. Typically, this parameter is the same as the LDAP base parameter, unless you customized the distinguished name of the base entry in the realm so that it does not match the distinguished name in the LDAP server.

  8. Click OK to accept the settings.
  9. To enable SSO, return to the Global security page and complete the following:
    1. Ensure that LTPA is selected as the authentication mechanism.
    2. Expand the Web Security option.
    3. Select the Single sign-on (SSO) link to complete the SSO configuration.
  10. On the Single sign-on (SSO) page, complete the following:
    1. Verify that SSO is enabled.
    2. Verify that the Domain Name parameter is correct. Domain name is the Internet or intranet domain for which SSO is configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for SSO. All participating SSO applications must also be configured with the same realm name. If you enabled single sign-on when you configured the portal server, this field displays the value that you specified for the domain name.
    3. Select OK to accept the settings.
  11. To save the changes, click the Save option near the top of the screen, then log out from the administration console.
  12. If you want to export or import LTPA keys at this time, see the TEPS/e administration console steps in Importing and exporting LTPA keys.
    Note: If you export or import the keys now, you still need to perform the other steps listed in Roadmap for setting up the portal server to use an LDAP user registry and single sign-on before attempting to verify that SSO is working.
  13. Restart the Tivoli Enterprise Portal Server.
    Note: When the portal server is restarted, the TEPS/e administration console is disabled automatically. You must re-enable it before it can be used again by following the instructions in Starting the TEPS/e administration console.
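Before you enter the base entries in step 7, it is worth checking offline that the user DNs you expect to map actually sit under the repository base entry you plan to type, and, when you configure more than one LDAP registry, that no user name appears in two registries (the note in step 7 forbids overlapping user names within a realm). The following is an added example and is not IBM code or part of the TEPS/e product: it takes user DNs as you would export them from each registry (the sample set below is constructed for illustration) and reports DNs outside their base entry and user names that collide across registries. It treats the leaf RDN value (for example the cn= value) as the user name, which is an assumption; adjust user_name() if your directory logs users in by another attribute.

```python
"""Pre-flight check for the base entries and user names used in step 7.

Added example, not part of the IBM documentation or the TEPS/e product.
Input: for each repository identifier, the 'Distinguished name of the base
entry in this repository' you intend to enter, and the user DNs exported
from that registry. The sample data below is constructed.
"""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring RFC 4514 backslash escapes
    so that 'cn=Doe\\, Sam,o=IBM' stays a single RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def normalize_rdn(rdn):
    """Lower-case the attribute type and value and trim whitespace around '='.
    Case-insensitive matching is an approximation: real LDAP matching rules
    depend on the attribute's syntax, but it is right for cn/ou/o/c here."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def normalize_dn(dn):
    return [normalize_rdn(r) for r in split_dn(dn)]


def is_under_base(user_dn, base_dn):
    """True when base_dn is a proper suffix of user_dn, i.e. a search rooted
    at base_dn can reach the user entry."""
    u, b = normalize_dn(user_dn), normalize_dn(base_dn)
    return len(u) > len(b) and u[-len(b):] == b


def user_name(user_dn):
    """The leaf RDN value; assumed here to be what users log in with."""
    return normalize_dn(user_dn)[0].partition("=")[2]


def check_registries(registries):
    """registries: {repository_id: (base_dn, [user_dn, ...])}
    Returns (outside, overlaps):
      outside  - list of (repository_id, user_dn) not under that base entry
      overlaps - {user_name: [repository_id, ...]} seen in >1 registry
    """
    outside, seen = [], {}
    for repo_id, (base_dn, user_dns) in registries.items():
        for dn in user_dns:
            if not is_under_base(dn, base_dn):
                outside.append((repo_id, dn))
            seen.setdefault(user_name(dn), set()).add(repo_id)
    overlaps = {name: sorted(repos) for name, repos in seen.items() if len(repos) > 1}
    return outside, overlaps


# Constructed sample: two registries that both use o=ibm,c=us as the base
# entry in the repository (the realm-side names o=ibm1,c=us / o=ibm2,c=us
# from step 7 are not needed for this check).
SAMPLE_REGISTRIES = {
    "LDAP1": ("o=ibm,c=us", [
        "cn=John Doe,ou=Rochester,o=IBM,c=US",
        "cn=Jane Roe,ou=Austin,o=IBM,c=US",
    ]),
    "LDAP2": ("o=ibm,c=us", [
        "cn=Jane Roe,ou=Sales,o=IBM,c=US",        # same user name as in LDAP1
        "cn=Doe\\, Sam,ou=Sales,o=IBM,c=US",      # escaped comma inside the RDN
        "cn=Outsider,ou=Partners,o=Acme,c=US",    # not under o=ibm,c=us
    ]),
}

if __name__ == "__main__":
    outside, overlaps = check_registries(SAMPLE_REGISTRIES)
    for repo_id, dn in outside:
        print("NOT UNDER BASE ENTRY in %s: %s" % (repo_id, dn))
    for name, repos in overlaps.items():
        print("OVERLAPPING USER NAME %r in %s" % (name, ", ".join(repos)))
```

Run it against the real DNs from an ldapsearch export of each registry before you click OK in step 7; any line it prints is a user the portal server either will not find or cannot map unambiguously.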

What to do next

Map the Tivoli Enterprise Portal user IDs to the LDAP distinguished names. See Mapping Tivoli Enterprise Portal user IDs to LDAP distinguished names.

You must enable the administration console after a recycle of the portal server before you can start the console again.

Important: Any LDAP customization made within the TEPS/e administration console is overwritten and cleared any time the portal server is reconfigured unless you chose the LDAP type of Other during portal server installation or when using the Manage Tivoli Enterprise Monitoring Services utility or the itmcmd command line interface to perform portal server configuration. When Other is chosen, the registry information is handled by TEPS/e and is not affected by these other configuration utilities. See step 5 in Using Manage Tivoli Enterprise Monitoring Services to configure the portal server for LDAP authentication and step 6 in Using the Linux or UNIX command line to configure the portal server for LDAP authentication.

