You must use the Tivoli Enterprise
Portal Server extended services (TEPS/e)
administration console to configure LDAP server connection parameters
if you specified Other as the LDAP type when
you configured the portal server.
Before you begin
Start the TEPS/e administration
console.
Attention: Best practice is to select the LDAP type of Other in
the Manage Tivoli® Enterprise Monitoring Services utility
or the itmcmd command-line interface before using the TEPS/e administration
console to change the LDAP server configuration, so that any
future changes persist.
For example, if you selected IDS6 as the LDAP
type when you configured the portal server using the itmcmd command
and you make changes to the LDAP connection parameters through the TEPS/e administration
console, your changes
are lost the next time you reconfigure the portal server.
Procedure
- In the TEPS/e administration
console navigation tree,
click Security → Global security.
- On the page that is displayed, ensure that Federated
repositories is selected for Available realm definition,
and click Configure.
- Configure the federated repository:
- Verify or enter the Realm Name value. A realm identifies a set of federated repositories
in TEPS/e and other WebSphere® Application
Servers. You can choose your own realm name, but this value must be
the same across all applications that are configured for SSO within
an Internet or intranet domain. If you enabled single sign-on when
you configured the portal server, this field displays the value you
specified for the realm name. For details on specifying the domain,
see the single sign-on (SSO) step later in this procedure.
- On the same page, click Add Base entry to
Realm.
- On the Repository reference page,
click Add repository and choose LDAP
repository from the dropdown list. The
page now displays the properties that can be configured for the portal
server to LDAP connection.
- Provide the appropriate values for the
following parameters:
- For Repository identifier, enter a
name that you find meaningful for identifying the set of users held
in this LDAP repository. For example, ITMtepUsers.
- For Directory type, choose the type
of LDAP server being used in your environment.
- For Primary hostname, enter the fully
qualified hostname or IP address of your LDAP server.
- For Port, enter the port number of
the LDAP server. The default value is 389, which is plain LDAP: on
such a connection the bind password and every user search travel
unencrypted between the portal server and the LDAP server. Prefer the
LDAP server's TLS port (conventionally 636) when it offers one; the
settings that control SSL for this repository are among the other
parameters on this page (see the console online help).
- For Bind distinguished name, enter
the distinguished name for a user that is authorized to search for
LDAP users. For example, cn=root. The portal server uses this identity
only to look up users, so a read-only account that can search the user
subtree is sufficient; avoid a directory administrator account where
your LDAP server lets you use a less privileged one. The bind ID can
be omitted if an anonymous user can search for LDAP users, although
allowing anonymous search exposes the user directory to anyone who
can reach the LDAP port, so a dedicated low-privilege bind account is
usually the better choice.
- For Bind password, enter the password
for the user specified in the Bind distinguished name field.
This value can be omitted if an anonymous user can bind to your LDAP
server.
If necessary, you can also customize other parameters
on this page to match the capabilities of your LDAP server. For more
information about the other parameters that can be configured on this
panel, see the TEPS/e administration
console online
help.
- Click OK to accept the settings.
- On the Repository reference page, enter
these values:
- For Distinguished name of the base entry that uniquely
identifies this set of entries in the realm, enter a value
that uniquely identifies the set of LDAP user entries from the LDAP
server for which you are configuring a connection.
Typically, you
set this parameter to the distinguished name of the base entry in
the LDAP registry for the portal server users. For example, for
a user with a distinguished name of cn=John Doe,ou=Rochester,o=IBM,c=US,
specify ou=Rochester,o=IBM,c=US for this parameter.
However,
when multiple LDAP repositories are being configured for the portal
server, use this field to define an additional distinguished name
(DN) that uniquely identifies the set of LDAP users from this LDAP
server. For example, the
LDAP1 registry and the
LDAP2 registry
might both use
o=ibm,c=us as their base entry. In
this case, use this parameter to uniquely specify a different base
entry for each LDAP server within the realm. For example, specify
o=ibm1,c=us when
configuring the
LDAP1 registry and
o=ibm2,c=us when
configuring the
LDAP2 registry.
Note: If you have
multiple LDAP registries, they cannot contain any overlapping user
names.
The value of this parameter is displayed in the Tivoli Enterprise Portal Administer
Users dialog when you list the distinguished names that can be mapped
to Tivoli Enterprise Portal user
IDs.
- For Distinguished name of the base entry in this
repository, enter the distinguished name (DN) for the
base entry in the LDAP registry.
It is the starting point for user
searches in the LDAP server. For example, for a user with a distinguished
name of cn=John Doe,ou=Rochester,o=IBM,c=US, specify ou=Rochester,o=IBM,c=US
for this parameter. Typically, this parameter is the same as the
LDAP base parameter, unless you customized the distinguished name
of the base entry in the realm so that it does not match the distinguished
name in the LDAP server.
- Click OK to accept the settings.
- To enable SSO, return to the Global
security page and complete the following:
- Ensure that LTPA is selected
as the authentication mechanism.
- Expand the Web Security option.
- Select the Single sign-on (SSO) link
to complete the SSO configuration.
- On the Single sign-on (SSO) page,
complete the following:
- Verify that SSO is enabled.
- Verify that the Domain Name parameter
is correct. Domain name is the Internet or
intranet domain for which SSO is configured, for example mycompany.com.
Only applications available in this domain or its sub-domains are
enabled for SSO. All participating SSO applications must also be configured
with the same realm name. If you enabled single sign-on when you configured
the portal server, this field displays the value that you specified
for the domain name.
- Select OK to accept the settings.
- To save the changes, click the Save option
near the top of the screen, then log out from the administration console.
- If you want to export or import LTPA keys at
this time, see the TEPS/e administration
console steps
in Importing and exporting LTPA keys.
- Restart the Tivoli Enterprise Portal Server.
Note: When
the portal server is restarted, the
TEPS/e administration
console is disabled
automatically. You must re-enable it before it can be used again by
following the instructions in
Starting the TEPS/e administration console.
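The values entered on the Repository reference page are easy to get wrong when more than one LDAP repository is federated, and the console does not tell you about a reused realm base entry or a user name that exists in two registries until lookups start failing. The following is an added example, not part of the IBM documentation or the product: a small Python pre-check that derives the base entry from a user DN as the text describes, confirms each user DN lies under its repository's LDAP base, and reports a realm base entry shared by two repositories or a user name present in both. The LDAP1/LDAP2 records are constructed to mirror the o=ibm,c=us example above, and the DN comparison is deliberately simplified (case-insensitive values, backslash escapes honoured, no \XX hex escapes or per-attribute matching rules).

```python
# Added example (not from the IBM documentation or the product): offline pre-checks for the
# base-entry values of the Repository reference page. The LDAP1/LDAP2 records are constructed.


def split_rdns(dn):
    """Split a DN into its RDN strings on unescaped commas.

    Backslash escapes (RFC 4514) are kept as written, so "cn=Doe\\, Jane,o=ibm"
    yields ["cn=Doe\\, Jane", "o=ibm"]. Multi-valued RDNs joined with '+' are
    kept together as a single string.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: copy both chars
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def normalize_dn(dn):
    """Comparison form: attribute types lower-cased, spaces around '=' and ',' removed,
    values lower-cased. Adequate for cn/ou/o/c (case-insensitive matching rules); a
    full implementation would honour each attribute's matching rule and \\XX hex escapes."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def base_entry(user_dn):
    """Search base implied by a user DN: everything after the leading RDN
    (cn=John Doe,ou=Rochester,o=IBM,c=US -> ou=Rochester,o=IBM,c=US)."""
    return ",".join(split_rdns(user_dn)[1:])


def user_name(user_dn):
    """Unescaped value of the leading RDN, which is the name that must be unique
    across every repository in the realm."""
    value = split_rdns(user_dn)[0].partition("=")[2].strip()
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def is_under(dn, base):
    """True if dn lies beneath base, i.e. base is a proper suffix of dn's RDN list."""
    d = split_rdns(normalize_dn(dn))
    b = split_rdns(normalize_dn(base))
    return len(d) > len(b) and d[-len(b):] == b


def check_realm(repositories):
    """Return the problems that would make a federated realm ambiguous:
    a realm base entry reused by two repositories, a user DN outside its
    repository's LDAP base, or the same user name present in two repositories."""
    problems, seen_bases, seen_names = [], {}, {}
    for repo in repositories:
        key = normalize_dn(repo["realm_base"])
        if key in seen_bases:
            problems.append(f"{repo['id']}: realm base entry {repo['realm_base']} "
                            f"already used by {seen_bases[key]}")
        seen_bases.setdefault(key, repo["id"])
        for dn in repo["users"]:
            if not is_under(dn, repo["ldap_base"]):
                problems.append(f"{repo['id']}: {dn} is outside LDAP base {repo['ldap_base']}")
            name = user_name(dn).lower()
            if name in seen_names and seen_names[name] != repo["id"]:
                problems.append(f"user name {name!r} exists in both {seen_names[name]} "
                                f"and {repo['id']}")
            seen_names.setdefault(name, repo["id"])
    return problems


# Constructed sample: both registries share the LDAP base o=ibm,c=us, as in the text,
# but LDAP2 mistakenly reuses LDAP1's realm base entry and duplicates a user name.
REPOSITORIES = [
    {"id": "LDAP1", "realm_base": "o=ibm1,c=us", "ldap_base": "o=ibm,c=us",
     "users": ["cn=John Doe,ou=Rochester,o=IBM,c=US",
               "cn=Doe\\, Jane,ou=Rochester,o=IBM,c=US"]},
    {"id": "LDAP2", "realm_base": "o=ibm1,c=us", "ldap_base": "o=ibm,c=us",
     "users": ["cn=John Doe,ou=Austin,o=IBM,c=US",
               "cn=Sam Roe,ou=Austin,o=acme,c=US"]},
]

if __name__ == "__main__":
    for problem in check_realm(REPOSITORIES):
        print("PROBLEM:", problem)
```

Run it with the user DNs exported from each directory (an ldapsearch of the user subtree using the same bind DN you intend to configure is a convenient source) before entering the values in the console; every reported problem corresponds to a rule stated in the procedure above.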
What to do next
Map the
Tivoli Enterprise Portal user
IDs to the LDAP
distinguished names. See
Mapping Tivoli Enterprise Portal user IDs to LDAP distinguished names.
Because restarting the portal server disables the TEPS/e administration
console, you must re-enable the console after a recycle of the portal
server before you can use it again.