Tivoli Netcool/OMNIbus supports external authentication of ObjectServer users whose passwords are stored in a Lightweight Directory Access Protocol (LDAP) compliant repository, such as Active Directory or Tivoli® Directory Services.
For example, in the distinguished name template cn=%s,ou=Development,o=ABCcorp, the base distinguished name that all users belong to is ou=Development,o=ABCcorp, and the cn field maps to a user name in the ObjectServer user repository. When a user logs in to the ObjectServer, the ObjectServer replaces the %s variable with the user name and submits the entire string to the LDAP server for authentication.
The distinguished name or list of organizational units provides the value of the LDAPSearchBase property in the Tivoli Netcool/OMNIbus LDAP properties file.
The template (for example: (cn=%s)) provides the value of the LDAPSearchFilter property in the Tivoli Netcool/OMNIbus LDAP properties file.
If you configured Tivoli Netcool/OMNIbus to operate in FIPS 140-2 mode with SSL, the LDAP interface must also be configured for FIPS 140-2 operation. Consult your LDAP administrator to verify that the required encryption support is in place for FIPS 140-2 operation.
You can configure the ObjectServer to act as an LDAP client so that users who connect to the ObjectServer have their passwords authenticated by an LDAP server. You can use a single LDAP server to authenticate all Tivoli Netcool/OMNIbus users, including users who access the desktop components.
User details are stored in the ObjectServer user repository and user entries are configured to authenticate externally. User passwords are not stored in the ObjectServer. When a user logs in to the ObjectServer, the ObjectServer locates the user entry in its repository and binds to the LDAP repository to authenticate the user.
Action | More information |
---|---|
1. Configure the Tivoli Netcool/OMNIbus LDAP properties file ($NCHOME/omnibus/etc/ldap.props) with the settings that you obtained from your LDAP administrator. If authorization performance is a concern, and all the required users belong to a single organizational unit, use the DistinguishedName property to create a direct bind to LDAP. Otherwise, use the LDAPSearchBase and LDAPSearchFilter properties to perform a search for distinguished names. | |
2. Configure the ObjectServer to use LDAP authentication by setting the Sec.ExternalAuthentication property to LDAP. Authorization is managed in the ObjectServer. | ObjectServer properties and command-line options |
3. SSL only: If a key database does not exist on the ObjectServer host, create one. | About the key database files |
4. SSL only: Add the self-signed root certificate from the issuing CA of the LDAP server certificate to the key database. | Adding certificates from CAs |
5. SSL only: Ensure that the following SSL properties are set in the ldap.props file: | LDAP properties |
6. Configure each Tivoli Netcool/OMNIbus external user for external authentication. Use Netcool/OMNIbus Administrator (nco_config) for this task or, in the SQL interactive interface, use the CREATE USER command or the ALTER USER command. If you use Netcool/OMNIbus Administrator, complete the following details in the User Details pane: If you use the SQL interactive interface, ensure that the user name is identical to the name stored in the external authentication repository, that no password is specified, and that the PAM keyword is set to TRUE. | Creating and editing users |
7. Optional: Use the nco_keygen utility and then the nco_aes_crypt utility to encrypt the LDAP password. After you have encrypted the password, re-edit the ldap.props file by setting the following properties: | Property value encryption |
8. If Web GUI user accounts are created in the ObjectServer by the synchronization process with the LDAP server, and these users need access to desktop tools (such as the Conductor and the event list), perform the following tasks: | Creating and editing users |
9. Optional: Test the connection between the LDAP server and the ObjectServer by using an ldapsearch utility. | The following technote describes options for using ldapsearch: http://www-01.ibm.com/support/docview.wss?uid=swg21579907 |
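The following Python script is an added illustration of the two lookup modes described above (the direct-bind DistinguishedName template, and the LDAPSearchBase plus LDAPSearchFilter search) and of step 1 of the procedure; it is not Tivoli Netcool/OMNIbus code. It parses a constructed ldap.props fragment, reports configuration problems a reviewer would want flagged (neither or both modes set, a template without the %s placeholder), and then builds the string that is sent to the directory for a given user name. The `Property : value` file layout is an assumption, as is the escaping: substituting a user name into a DN or a filter should follow RFC 4514 and RFC 4515 so that characters such as `,` or `*` cannot change the meaning of the template; whether the ObjectServer does this internally is not stated on this page, so the script shows what a careful LDAP client does.

```python
# Constructed sample ldap.props contents. Assumption: the file uses
# "Property : value" lines with optional quotes and "#" comments; the real
# layout is not shown on the page, so adjust parse_props() if it differs.
# The property names DistinguishedName, LDAPSearchBase and LDAPSearchFilter
# are the ones the documentation names.
DIRECT_BIND_PROPS = """\
# direct bind: every user sits in one organizational unit
DistinguishedName : 'cn=%s,ou=Development,o=ABCcorp'
"""

SEARCH_PROPS = """\
# search for the DN first, then bind as the DN that was found
LDAPSearchBase   : 'ou=Development,o=ABCcorp'
LDAPSearchFilter : '(cn=%s)'
"""


def parse_props(text):
    """Parse 'Key : value' lines into a dict, dropping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        props[key.strip()] = value
    return props


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def check_props(props):
    """Return a list of configuration problems; an empty list means usable."""
    problems = []
    direct = props.get("DistinguishedName")
    base = props.get("LDAPSearchBase")
    filt = props.get("LDAPSearchFilter")
    if direct and (base or filt):
        problems.append("DistinguishedName and LDAPSearchBase/LDAPSearchFilter "
                        "are both set; choose one mode")
    if not direct and not (base and filt):
        problems.append("set DistinguishedName, or both LDAPSearchBase "
                        "and LDAPSearchFilter")
    if direct and "%s" not in direct:
        problems.append("DistinguishedName has no %s placeholder")
    if filt and "%s" not in filt:
        problems.append("LDAPSearchFilter has no %s placeholder")
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        problems.append("LDAPSearchFilter must be parenthesised, e.g. (cn=%s)")
    return problems


def resolve_bind(props, user_name):
    """Build what the client sends at login: ('direct', bind_dn) or
    ('search', base, filter). The user name is escaped for its context."""
    problems = check_props(props)
    if problems:
        raise ValueError("; ".join(problems))
    if "DistinguishedName" in props:
        template = props["DistinguishedName"]
        return ("direct", template.replace("%s", escape_dn_value(user_name), 1))
    template = props["LDAPSearchFilter"]
    filt = template.replace("%s", escape_filter_value(user_name), 1)
    return ("search", props["LDAPSearchBase"], filt)


if __name__ == "__main__":
    for text in (DIRECT_BIND_PROPS, SEARCH_PROPS):
        for name in ("jsmith", "jsmith,ou=Admins", "*)(cn=*"):
            print(resolve_bind(parse_props(text), name))
```

Running the script shows that a plain user name such as jsmith produces cn=jsmith,ou=Development,o=ABCcorp or (cn=jsmith) exactly as the documentation describes, while names containing DN or filter metacharacters are rendered so that they stay inside the cn value rather than adding components to the DN or clauses to the filter.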