IBM Support

Configuring Active Directory for LDAP Authentication

How To


You can configure Windows Active Directory to authenticate administrator and node passwords for the IBM Spectrum Protect server. In this configuration, Active Directory is used as a Lightweight Directory Access Protocol (LDAP) server.


For general instructions about configuring IBM Spectrum Protect to use an Active Directory database, see Authenticating users by using an Active Directory database.

This technote provides links to Microsoft® documents that might be useful during the configuration process.

Links for Configuring your LDAP Server

General Windows Server 2008

Active Directory Domain Services

Active Directory Certificate Services

General Windows Server 2003

Designing and Deploying Directory and Security Services

Active Directory Operations Guide

Designing a Public Key Infrastructure

Windows Server 2003 PKI Operations Guide

Synchronizing the IBM Spectrum Protect server and Active Directory server clocks
For Windows:
w32tm /config /update /manualpeerlist:<ntp server> /syncfromflags:MANUAL /reliable:YES
Enabling Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for LDAP
Get the root CA certificate used to sign the domain controller certificate from the CA
  1. Verify that the domain controller has a certificate with the "Server Authentication" enhanced key usage under "Certificates (Local Computer)" -> Personal -> Certificates. This is the certificate the domain controller presents on the LDAPS port.
  2. Identify the root CA certificate: its "Issued by" (Issuer) and "Issued to" (Subject) fields are the same, because a root CA certificate is self-signed, and both match the CA name shown in the "Issued by" field of the domain controller certificate.
  3. For Microsoft Certificate Services CAs, take one of the following actions:

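The following PowerShell script is an added example and is not part of the IBM technote. Run in an elevated session on the domain controller, it performs the checks above programmatically: it locates the Server Authentication certificate in Cert:\LocalMachine\My (the "Certificates (Local Computer) -> Personal" store), warns if the certificate does not name the domain controller's FQDN (LDAPS clients check the host name against the certificate), walks the chain to the self-signed root, and writes that root out as a Base64 (PEM) file for import into the IBM Spectrum Protect server key database. The output path C:\temp\rootca.cer is an arbitrary assumption.

```powershell
# Added example, not part of the IBM technote. Run in an elevated PowerShell session on the domain controller.
# Assumption: C:\temp\rootca.cer is an arbitrary output path.
$outFile = 'C:\temp\rootca.cer'
$dcFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. The DC certificate lives in Certificates (Local Computer) -> Personal, i.e. Cert:\LocalMachine\My,
#    and must carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) and a private key.
$dcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.NotAfter -gt (Get-Date) -and
                   (@($_.EnhancedKeyUsageList | ForEach-Object ObjectId) -contains '1.3.6.1.5.5.7.3.1') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $dcCert) { throw 'No valid Server Authentication certificate with a private key found in LocalMachine\My.' }
"DC certificate: $($dcCert.Subject)  issued by: $($dcCert.Issuer)  expires: $($dcCert.NotAfter)"

# LDAPS clients compare the host in ldaps://<host>:636 with the certificate, so the DC FQDN must appear in it.
$names = @($dcCert.DnsNameList | ForEach-Object Unicode)
if ($names -notcontains $dcFqdn) { Write-Warning "Certificate does not name $dcFqdn (names: $($names -join ', '))." }

# 2. Build the chain. The top element is the root CA; a root certificate is self-signed, so Subject equals Issuer.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain is of interest here, not CRL reachability
if (-not $chain.Build($dcCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain status: $($_.Status) $($_.StatusInformation)" }
}
if ($chain.ChainElements.Count -eq 1) { throw 'DC certificate is self-signed; there is no separate CA certificate to export.' }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) { throw "Top of chain is not self-signed: $($root.Subject)" }
"Root CA       : $($root.Subject)  thumbprint: $($root.Thumbprint)"

# 3. Export the root CA certificate as Base64 (PEM); this is the file added to the IBM Spectrum Protect key database.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($root.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
Set-Content -Path $outFile -Value $pem -Encoding Ascii
"Wrote $outFile"
```

Only the root (and, if you have one, any intermediate CA) certificate needs to be copied to the IBM Spectrum Protect server; the domain controller certificate itself stays where it is. If the chain cannot be built on the domain controller itself, fix that first, because the IBM Spectrum Protect server will not be able to validate it either.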
Setting TLS/SSL (Schannel) cryptographic algorithms and protocols

Creating a user, or using an existing user for the Bind DN (LDAPUSER)
  • A User or InetOrgPerson object can be used.
  • You can use the dsquery user command to get the DN for SET LDAPUSER:
    dsquery user -name tsmuser
Creating an Organizational Unit (OU) to be used as the subtree (Base DN) for IBM Spectrum Protect
Delegate control of the new OU to the LDAPUSER
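As an added example that is not part of the IBM technote, the following PowerShell script (ActiveDirectory module, run by a domain administrator) carries out the three steps above: it creates or reuses the bind account and prints its DN in the form needed for SET LDAPUSER (the same value dsquery user -name returns), creates the OU that becomes the Base DN, and delegates control of that OU to the bind account. The delegation is written as explicit ACEs instead of the Delegation of Control wizard so that it is scoped to user objects inside this OU only: create and delete user objects, full control of those objects, and the "Reset Password" extended right. The account name tsmuser and the OU name SpectrumProtect are assumptions, as is the set of rights, chosen to cover the create, delete, modify and password-reset operations the server performs on entries in the subtree.

```powershell
# Added example, not part of the IBM technote. Requires the ActiveDirectory module (RSAT) and Domain Admin rights.
# Assumptions: bind account name tsmuser; OU named SpectrumProtect directly under the domain root.
Import-Module ActiveDirectory

$bindSam  = 'tsmuser'
$ouName   = 'SpectrumProtect'
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Bind account: a plain user object is enough. Its DN is the value for SET LDAPUSER on the server.
$bindUser = Get-ADUser -Filter "SamAccountName -eq '$bindSam'"
if (-not $bindUser) {
    $bindUser = New-ADUser -Name $bindSam -SamAccountName $bindSam `
        -AccountPassword (Read-Host -AsSecureString "Password for $bindSam") `
        -Enabled $true -PasswordNeverExpires $true -PassThru   # an expiring bind password silently breaks every LDAP logon
}
"SET LDAPUSER ""$($bindUser.DistinguishedName)"""

# 2. OU that becomes the Base DN (the subtree referenced by the server's LDAPURL option).
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true -PassThru
}
$ouDn = $ou.DistinguishedName
"Base DN: $ouDn"

# 3. Delegate control of the OU to the bind account, scoped to user objects only.
$sid         = [System.Security.Principal.SecurityIdentifier]$bindUser.SID
$userClass   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$resetPwd    = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of "Reset Password" (User-Force-Change-Password)
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inheritDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # create and delete child objects of class user, in the OU and any sub-OU
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $allow, $userClass, $inheritAll)
    # full control of the user objects themselves (read and write their attributes)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow, $inheritDesc, $userClass)
    # the Reset Password extended right on those user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwd, $inheritDesc, $userClass)
)
$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Show what was granted. Nothing outside this OU is touched, so the bind account stays at least privilege.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$bindSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The bind account is never made a member of Domain Admins or Account Operators: if the IBM Spectrum Protect server or its stored LDAPPASSWORD is compromised, the attacker can only create, modify and reset passwords of user objects inside this one OU.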
Active Directory password policy
The policy supports the following settings:
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirements
  • Storage of passwords by using reversible encryption
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout
Related articles:
Active Directory 2008 fine-grained password policy for users and groups
Previous password still works after you change passwords
Windows Active Directory users who change passwords when the "Enforce password history" policy is enabled can authenticate with the previous password for one hour. For more information, see the Microsoft site.

Troubleshooting Links and Instructions

Troubleshooting SSL/TLS or certificate issues
Schannel event logging on the domain controller is controlled by the EventLogging DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. The value is a bitmask of the flags below: set it to 7 for full logging or 3 for warnings and errors (a restart may be required for the change to take effect). Schannel events are written to the System log with source "Schannel".
  Value    Description
  0x0000   Do not log
  0x0001   Log error messages
  0x0002   Log warnings
  0x0004   Log informational and success events
Troubleshooting TLS/SSL certificate or cryptography issues
Windows Active Directory cryptoAPI/capi2 operational event logging:
  1. Open Event Viewer.
  2. In the console tree, expand Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand CAPI2.
  3. Right-click Operational, and click Enable Log.
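The following PowerShell script is an added example and is not part of the IBM technote. It covers both troubleshooting sections above: Enable-LdapsDiagnostics, to be run elevated on the domain controller, sets the Schannel EventLogging value to 7 and enables the CAPI2 Operational log (the same thing the Event Viewer steps do); Test-LdapsHandshake, run from the IBM Spectrum Protect server host or any Windows machine, performs a bare TLS handshake against the LDAPS port and reports the negotiated protocol, the certificate chain the domain controller presented and any chain or host-name validation errors, which tells you whether the problem is on the server side (wrong or expired certificate, missing chain) or on the client side (root CA not trusted) before you start reading event logs. The domain controller name dc1.example.com and port 636 are assumptions.

```powershell
# Added example, not part of the IBM technote. Assumptions: domain controller dc1.example.com, LDAPS on port 636.
$dc   = 'dc1.example.com'
$port = 636

# --- On the domain controller (elevated): enable the two diagnostic sources described above ---
function Enable-LdapsDiagnostics {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    Set-ItemProperty -Path $key -Name EventLogging -Value 7 -Type DWord   # 0x1 errors | 0x2 warnings | 0x4 informational
    wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:true     # Event Viewer -> CAPI2 -> Operational -> Enable Log
    Write-Warning 'Schannel logging may only take effect after a restart.'
}
# Enable-LdapsDiagnostics    # uncomment and run this line on the domain controller

# --- From the IBM Spectrum Protect server host: a bare TLS handshake to the LDAPS port ---
function Test-LdapsHandshake {
    param([string]$Server, [int]$Port = 636)
    $seen = @{}
    # Accept any certificate so the handshake completes; record what was presented and what validation thought of it.
    $validate = {
        param($sender, $cert, $chain, $policyErrors)
        $seen.PolicyErrors = $policyErrors
        if ($chain) { $seen.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) }
        return $true
    }.GetNewClosure()
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
        $ssl.AuthenticateAsClient($Server)   # the host name given here is what the certificate's subject/SAN is checked against
        [pscustomobject]@{
            Server       = "$Server`:$Port"
            Protocol     = $ssl.SslProtocol
            Cipher       = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject      = $ssl.RemoteCertificate.Subject
            Issuer       = $ssl.RemoteCertificate.Issuer
            Chain        = $seen.Chain -join ' <- '
            PolicyErrors = $seen.PolicyErrors    # None = this host trusts the chain and the name matches
        }
    } finally {
        $tcp.Close()
    }
}

Test-LdapsHandshake -Server $dc -Port $port | Format-List

# --- Afterwards, on the domain controller: what Schannel and CAPI2 logged for the attempt ---
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Read PolicyErrors first: RemoteCertificateChainErrors with a one-element Chain means the domain controller sent no intermediate or the client does not trust the root, and RemoteCertificateNameMismatch means the name in the LDAPURL option does not match the certificate. Keep the "accept everything" callback confined to this diagnostic; it must never be carried over into production code.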


Document Information

Modified date:
13 March 2020