When the portal server is configured
to authenticate users using the LDAP user registry, the user logs
into the portal server using the unique identifier (UID) value of
the relative distinguished name. This name is not necessarily the
same as the user ID known to the Tivoli® Enterprise Portal.
For this reason, Tivoli Enterprise Portal user
IDs must be mapped to LDAP distinguished names (which include the
UID).
Every entry in the LDAP user registry
has a distinguished name (DN). The DN is the name that uniquely identifies
an entry in the directory. A DN is made up of attribute=value pairs,
separated by commas, for example:
- cn=Jim Grey,ou=users,ou=SWG,o=IBM,c=US
- cn=Sally White,ou=users,ou=SWG,o=IBM,c=US
The order of the attribute value pairs is important. The DN contains
one component for each level of the directory hierarchy from the root
down to the level where the entry resides. LDAP DNs begin with the
most specific attribute, usually some sort of name, and continue with
progressively broader attributes, often ending with a country attribute.
The first component of the DN is referred to as the Relative Distinguished
Name (RDN).
It distinguishes an entry from all other entries that share the same parent. In the examples above, the RDN cn=Jim Grey distinguishes the first entry from the second entry (whose RDN is cn=Sally White); the two DNs are otherwise identical. These two users would log into the Tivoli Enterprise Portal as Jim Grey and Sally White.
The default distinguished name for new users you create
for the
Tivoli Enterprise Portal has
the following structure:
- UID=tep_userid,O=DEFAULTWIMITMBASEDREALM
This distinguished name indicates that the
user is authenticated by the hub monitoring server. Using the procedure
in this topic, update the distinguished name for any Tivoli Enterprise Portal users
that are defined in the portal server's LDAP user registry to specify
their distinguished name in the LDAP user registry instead of UID=tep_userid,O=DEFAULTWIMITMBASEDREALM.
The default DN suffix for the TEPS/e user registry is o=defaultWIMFileBasedRealm.
The TEPS/e user registry
contains the wasadmin user ID for TEPS/e administration
console access: UID=wasadmin,o=defaultWIMFileBasedRealm.
Do not update the distinguished names for any Tivoli Enterprise Portal user
IDs that are using the o=defaultWIMFileBasedRealm suffix.
Before you begin
User IDs are mapped to LDAP distinguished names in the Tivoli Enterprise Portal Administer Users window by a user with administrator authority. The tacmd command line interface can also be used to perform this mapping. For more information, see the tacmd edituser command in the IBM Tivoli Monitoring Command Reference.
If LDAP authentication is being configured through the Tivoli Enterprise Monitoring Server,
user IDs are mapped instead by editing the KGL_LDAP_USER_FILTER environment
variable in the Tivoli Enterprise Monitoring Server configuration
file.
About this task
Complete these steps to map
Tivoli Enterprise Portal user
IDs to LDAP distinguished names using the
Tivoli Enterprise Portal Administer
Users dialog window:
Procedure
- Log on to the portal using sysadmin or another user
account with full administrative authority.
- Click Administer Users.
- In the Administer Users window, right-click the row of
the user ID to map and select Modify User.
- In the Modify User dialog box, click Find to locate the LDAP distinguished name to be associated with the Tivoli Enterprise Portal user ID. Example: UID=TEPUSER,O=SS.
  Note:
  - The default suffix for LDAP distinguished names that are configured through the Tivoli Enterprise Portal Server configuration utilities is o=ITMSSOEntry; however, this value might have been customized when the portal server was configured for LDAP.
  - If the selected LDAP distinguished name contains non-alphanumeric characters, those characters must be escaped with a backslash before the mapping is saved. For example, if a user ID contains a pound sign, #, place a backslash before the pound sign, \#.
- Click OK to save the mapping and
return to the Administer Users window.
- Repeat steps 3 through 5 until you have mapped all the
users that you want to authenticate with the configured LDAP registry.
- Click OK to exit the Administer
Users window.
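The DN rules this topic relies on (the RDN comes first and is the login name, the default O=DEFAULTWIMITMBASEDREALM suffix marks a user that still needs mapping, the o=defaultWIMFileBasedRealm suffix marks a TEPS/e registry entry that must be left alone, and the backslash-escaping rule from the note in step 4) collected into a small helper for checking a list of DNs before you edit them. This is an added example, not IBM code; the function names are my own, and it follows the note literally, escaping every non-alphanumeric character that is not already escaped.

```python
"""Sanity-check TEP user-ID to LDAP DN mappings (added example, not IBM code).
Rules taken from this topic: a DN is a comma-separated list of attribute=value pairs,
most specific first; the first component (RDN) holds the name the user logs in with;
O=DEFAULTWIMITMBASEDREALM means "still authenticated by the hub, needs mapping";
o=defaultWIMFileBasedRealm is the TEPS/e registry (e.g. wasadmin) and is never changed."""

DEFAULT_TEP_SUFFIX = "o=defaultwimitmbasedrealm"   # default DN for new TEP users
TEPSE_SUFFIX = "o=defaultwimfilebasedrealm"        # TEPS/e user registry suffix


def split_dn(dn):
    """Split a DN into (attribute, value) pairs; an escaped comma stays inside its value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):    # keep the escape pair intact
            buf.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not attr or not sep:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def rdn_value(dn):
    """Value of the RDN: the name this user enters at the Tivoli Enterprise Portal login."""
    return split_dn(dn)[0][1]


def escape_rdn_value(value):
    """Backslash-escape each non-alphanumeric character (# -> \\#); already-escaped ones are kept."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i:i + 2]); i += 2; continue
        out.append(value[i] if value[i].isalnum() else "\\" + value[i])
        i += 1
    return "".join(out)


def classify_mapping(dn):
    """'needs-mapping' (default TEP suffix), 'skip' (TEPS/e registry), or 'mapped' (LDAP DN)."""
    attr, value = split_dn(dn)[-1]                 # the suffix is the last component
    suffix = ("%s=%s" % (attr, value)).lower()     # suffix comparison is case-insensitive
    if suffix == TEPSE_SUFFIX:
        return "skip"
    return "needs-mapping" if suffix == DEFAULT_TEP_SUFFIX else "mapped"
```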
What to do next
Reconfigure the Tivoli Enterprise Portal browser
client for SSO if it will be launched by another application on the
same computer as the portal server. See Reconfiguring the browser client for SSO.
Verify that your Tivoli Enterprise Portal users whose IDs are mapped to LDAP distinguished names can log into the Tivoli Enterprise Portal client. They must use their LDAP relative distinguished name to log in. If the users cannot log into the Tivoli Enterprise Portal, review the TEPS/e log for diagnostic information. This is the SystemOut.log on the computer where the portal server is installed, located at install_dir\CNPSJ\profiles\ITMProfile\logs (Windows) or install_dir/Platform/iw/profiles/ITMProfile/log (Linux and UNIX).
Refer to the Roadmap for setting up the portal server to use an LDAP user registry and single sign-on for
additional steps to perform after Tivoli Enterprise Portal users
can be successfully authenticated by the portal server's LDAP user
registry.