Using ldapsearch to test Tivoli Netcool/OMNIbus LDAP connection

Technote (FAQ)


Question

How can I test my Tivoli Netcool/OMNIbus to LDAP authentication, as configured in the $OMNIHOME/etc/ldap.props file, without restarting the Object Server?

Cause

ldapsearch is a search utility that can be run from the Object Server system to connect to the LDAP registry. This tests that it is possible to connect to the LDAP server, issue a query, and obtain results using your configuration. It doesn't authenticate a user or test that the user is correctly defined in the ObjectServer.

ldapsearch can be provided either by the operating system or by the LDAP vendor as a client.
AIX has an IBM Directory Server client installation that provides ldapsearch functionality.
Linux has an OpenLDAP tools package which includes ldapsearch. Mozilla LDAP tools can also be installed.
Solaris and HP-UX can install the Mozilla LDAP tools, which include ldapsearch.
Windows has an ldp executable which can perform an ldapsearch. It might be included on the support tools CD or can be downloaded from Microsoft.

Options for ldapsearch differ for each installation, and some ldapsearch utilities may not include options to test SSL.

ldapsearch should return 1 result only, with details on the user.

Answer

Example 1) SSL and Non-SSL on AIX using DistinguishedName

Below is an example ldap.props file and ldapsearch command from AIX using the IBM Directory Server provided ldapsearch command connecting to Active Directory. Check your ldapsearch utility command help for options available in your installation. Your configuration will also differ based on your LDAP repository.

Sample ldap.props:
Hostname: 'mummra-sf.tivlab.austin.ibm.com'
Port: 389
DistinguishedName: '%s@test.mummra'
LDAPBindDN: 'Administrator@test.mummra'
LDAPBindPassword: '@44:HfdzPwRaw9uixQadE0xwmBT7sfKDEWXMffYPNX+HuMQ=@'
SSLEnabled: TRUE
SSLPort: 636
ConfigCryptoAlg: "AES"
ConfigKeyFile: "/opt/IBM/tivoli/netcool/etc/security/keys/key.out"
LDAPVersion: 3

Substitute the values for the LDAP properties from ldap.props as follows (the exact syntax depends on the ldapsearch utility installed; check its help facility):

Using SSL:
ldapsearch -x -Z -v -K $NCHOME/etc/security/keys/omni.kdb -h Hostname -p SSLPort -D 'LDAPBindDN' -V LDAPVersion -w '?' -b "searchbase" "DistinguishedName"

Not Using SSL:
ldapsearch -x -v -h Hostname -p Port -D 'LDAPBindDN' -V LDAPVersion -w '?' -b "searchbase" "DistinguishedName"

You need to substitute an actual Object Server username for the %s variable in the DistinguishedName property. For example, substituting clgrimes for %s in %s@test.mummra gives the search filter "userPrincipalName=clgrimes@test.mummra".

You will be prompted for the unencrypted LDAPBindPassword.
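The substitution described above, done by a script instead of by hand, as an added example that is not part of this technote. It reads an ldap.props file, replaces %s in DistinguishedName with the Object Server username, picks SSLPort plus the -Z/-K options when SSLEnabled is TRUE, and also handles the LDAPSearchBase form of Example 2 (filter cn=<username>). It assumes the IBM Directory Server option names shown on this page (-Z, -K, -V); the hostname, key database path and both props files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the technote: build the ldapsearch command that
# Examples 1 and 2 assemble by hand, from an ldap.props file. Assumes the
# IBM Directory Server option names shown on the page (-Z, -K, -V).

# Value of one property, with surrounding quotes and trailing blanks
# removed; empty when the property is absent.
prop() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Print the ldapsearch command for Object Server user $2. $3 is the search
# base used when ldap.props has no LDAPSearchBase (Example 1); $4 is the
# SSL key database. The bind password is never copied out of ldap.props: it
# is stored encrypted there, so -w '?' makes ldapsearch prompt for it.
build_ldapsearch_cmd() {
    props=$1 user=$2 base=$3 keydb=${4:-/opt/IBM/tivoli/netcool/etc/security/keys/omni.kdb}
    host=$(prop "$props" Hostname)
    binddn=$(prop "$props" LDAPBindDN)
    ver=$(prop "$props" LDAPVersion)
    sbase=$(prop "$props" LDAPSearchBase)
    if [ -n "$sbase" ]; then
        # Example 2 style (7.4 FP2+): search LDAPSearchBase for cn=<username>.
        base=$sbase; filter="cn=$user"
    else
        # Example 1 style: %s in DistinguishedName becomes the username.
        filter="userPrincipalName=$(prop "$props" DistinguishedName | sed "s/%s/$user/")"
    fi
    if [ "$(prop "$props" SSLEnabled)" = "TRUE" ]; then
        port=$(prop "$props" SSLPort); ssl="-Z -K $keydb "
    else
        port=$(prop "$props" Port); ssl=""
    fi
    printf "ldapsearch -x %s-v -h '%s' -p %s -D '%s' -V %s -w '?' -b \"%s\" \"%s\"\n" \
        "$ssl" "$host" "${port:-389}" "$binddn" "${ver:-3}" "$base" "$filter"
}

# Constructed ldap.props in the shape of Example 1 (AD, SSL on); values are
# placeholders, including the encrypted password.
AD_PROPS=$(mktemp)
cat > "$AD_PROPS" <<'EOF'
Hostname: 'ldap.example.test'
Port: 389
DistinguishedName: '%s@test.mummra'
LDAPBindDN: 'Administrator@test.mummra'
LDAPBindPassword: '@44:ENCRYPTED-PLACEHOLDER=@'
SSLEnabled: TRUE
SSLPort: 636
EOF
build_ldapsearch_cmd "$AD_PROPS" clgrimes "dc=test,dc=mummra" /opt/keys/omni.kdb
```

Run it against your own ldap.props with a real username and search base to get the command to paste at the shell; the printed command still prompts for the bind password rather than putting it in the shell history.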

Sample ldapsearch command using SSL:
/opt/IBM/ldap/V6.3/bin/ldapsearch -x -Z -v -K $NCHOME/etc/security/keys/omni.kdb -h 'mummra-sf.tivlab.austin.ibm.com' -p 636 -D 'Administrator@test.mummra' -w '?' -b "dc=test,dc=mummra" "userPrincipalName=clgrimes@test.mummra"

You will be prompted to enter the Active Directory LDAPBindPassword or password for the LDAPBindDN user.

Sample ldapsearch output using SSL:
Enter password ==>
ldap_ssl_set_fips_mode_np(1)
ldap_ssl_client_init( /opt/IBM/tivoli/netcool/etc/security/keys/omni.kdb, NULL, 0, &failureReasonCode )
ldap_ssl_init( mummra-sf.tivlab.austin.ibm.com, 636, NULL )
filter pattern: userPrincipalName=clgrimes@test.mummra
returning: ALL
filter is: (userPrincipalName=clgrimes@test.mummra)
CN=Christina Grimes,CN=Users,DC=test,DC=mummra
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=Christina Grimes
sn=Grimes
givenName=Christina
distinguishedName=CN=Christina Grimes,CN=Users,DC=test,DC=mummra
instanceType=4
whenCreated=20110927133059.0Z
whenChanged=20111102181019.0Z
displayName=Christina Grimes
uSNCreated=204933
uSNChanged=209779
name=Christina Grimes
objectGUID=NOT ASCII
userAccountControl=512
badPwdCount=2
codePage=0
countryCode=0
badPasswordTime=129648021923593750
lastLogoff=0
lastLogon=129648021760000000
pwdLastSet=129616038595312500
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=0
sAMAccountName=clgrimes
sAMAccountType=805306368
userPrincipalName=clgrimes@test.mummra
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=mummra
lastLogonTimestamp=129647310192343750
1 matches

Sample ldapsearch command without SSL:
/opt/IBM/ldap/V6.3/bin/ldapsearch -x -v -h 'mummra-sf.tivlab.austin.ibm.com' -p 389 -D 'Administrator@test.mummra' -w '?' -b "dc=test,dc=mummra" "userPrincipalName=clgrimes@test.mummra"

You will be prompted to enter the Active Directory LDAPBindPassword or password for the LDAPBindDN user.

Sample ldapsearch output without SSL:
Enter password ==>
ldap_init(mummra-sf.tivlab.austin.ibm.com, 389)
filter pattern: userPrincipalName=clgrimes@test.mummra
returning: ALL
filter is: (userPrincipalName=clgrimes@test.mummra)
CN=Christina Grimes,CN=Users,DC=test,DC=mummra
<remaining output is the same as above>

Example 2) Non-SSL on Solaris using LDAPSearchBase
The LDAPSearchBase property was added in OMNIbus 7.4 Fix Pack 2 and later. Below is an example ldap.props file and ldapsearch command using the native Solaris ldapsearch command connecting to Active Directory. Check your ldapsearch utility command help for options available in your installation. Your configuration will also differ based on your LDAP repository.

Sample ldap.props:
LDAPBindDN : "cn=Bind User,ou=Webtop,ou=Tivoli,ou=SWG,o=ibm"
LDAPSearchBase : "ou=Tivoli,ou=SWG,o=ibm"
LDAPBindPassword : "secretpass"
Hostname : ldapserver.ibm.com

Substitute the values for the LDAP properties from ldap.props as follows (the exact syntax depends on the ldapsearch utility installed; check its help facility):

Using LDAPSearchBase:
ldapsearch -h <Hostname> -p <Port> -D "<LDAPBindDN>" -b "<LDAPSearchBase>" -w <LDAPBindPassword> -x "cn=<username>"

You need to substitute an actual Object Server username for the cn=<username> option in the ldapsearch command. For example, substitute "User one" for username.

You will be prompted for the unencrypted LDAPBindPassword.

Sample ldapsearch command using LDAPSearchBase:
ldapsearch -h ldapserver.ibm.com -D "cn=Bind User,ou=Webtop,ou=Tivoli,ou=SWG,o=ibm" -b "ou=Tivoli,ou=SWG,o=ibm" -w secretpass -x "cn=User one"

You will be prompted to enter the Active Directory LDAPBindPassword or password for the LDAPBindDN user.

Sample ldapsearch output using LDAPSearchBase:
# extended LDIF
#
# LDAPv3
# base <ou=Tivoli,ou=SWG,o=ibm> with scope subtree
# filter: cn=User One
# requesting: ALL
#

# User One, OMNIbus, Tivoli, SWG, ibm
dn: cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm
objectclass: top
objectclass: person
objectclass: organizationalPerson
description: User record
cn: User One
sn: One

# search result
search: 2
result: 0 Success

Sample Object Server log from a successful LDAP authentication:
on initialisation....
2013-01-02T16:12:49: Information: I-ALD-104-006: About to bind to LDAP server for user cn=Bind User,ou=Webtop,ou=Tivoli,ou=SWG,o=ibm
2013-01-02T16:12:49: Information: I-ALD-104-007: Successful bind to LDAP server for user cn=Bind User,ou=Webtop,ou=Tivoli,ou=SWG,o=ibm.

when a user logs in …
2013-01-02T09:07:43: Debug: D-UNK-000-000: secure-login@omnihost.hursley.ibm.com: Secure [User One]
2013-01-04T16:57:34: Debug: D-ALD-105-005: About to issue LDAP search with filter 'cn=User One'
2013-01-02T09:07:43: Information: I-ALD-104-012: LDAP search on user User One returned distinguished name cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm
2013-01-02T09:07:43: Information: I-ALD-104-006: About to bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm
2013-01-02T09:07:43: Information: I-ALD-104-007: Successful bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm.
2013-01-02T09:07:43: Debug: D-OBX-105-016: Authenticated logon for user User One on host devtest43.hursley.ibm.com from application GET_LOGIN_TOKEN
2013-01-02T09:07:43: Information: I-OBX-104-007: User User One@omnihost.hursley.ibm.com logged in successfully (connection ID 1)

If an error is reported, one of the configuration values in the ldap.props file or the command syntax might be incorrect.
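The log above shows the two-step pattern a successful login leaves behind: an I-ALD-104-006 "About to bind" line followed by an I-ALD-104-007 "Successful bind" line for the same DN. The following added check (not part of this technote) scans an Object Server log for bind attempts that never got their matching success line, which is a quick way to spot a bind DN or user DN that the LDAP server is rejecting. The message IDs are the ones on this page; the log lines are constructed, with one deliberately unanswered bind.

```shell
#!/bin/sh
# Added example, not from the technote: list DNs whose LDAP bind attempts
# (I-ALD-104-006) outnumber their successful binds (I-ALD-104-007) in an
# Object Server log. Message IDs are from the page; the log is constructed.

# Print each DN with more bind attempts than successful binds; prints
# nothing when every attempt in the log succeeded.
unmatched_binds() {
    awk '
        /I-ALD-104-006: About to bind to LDAP server for user / {
            sub(/.*for user /, ""); attempts[$0]++
        }
        /I-ALD-104-007: Successful bind to LDAP server for user / {
            # the success line ends with a full stop; drop it so DNs compare equal
            sub(/.*for user /, ""); sub(/\.$/, ""); success[$0]++
        }
        END {
            for (dn in attempts)
                if (attempts[dn] > success[dn]) print dn
        }' "$1"
}

# Constructed sample log: the bind user and User One succeed, User Two does not.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2013-01-02T16:12:49: Information: I-ALD-104-006: About to bind to LDAP server for user cn=Bind User,ou=Webtop,ou=Tivoli,ou=SWG,o=ibm
2013-01-02T16:12:49: Information: I-ALD-104-007: Successful bind to LDAP server for user cn=Bind User,ou=Webtop,ou=Tivoli,ou=SWG,o=ibm.
2013-01-02T09:07:43: Information: I-ALD-104-006: About to bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm
2013-01-02T09:07:43: Information: I-ALD-104-007: Successful bind to LDAP server for user cn=User One,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm.
2013-01-02T09:09:10: Information: I-ALD-104-006: About to bind to LDAP server for user cn=User Two,ou=OMNIbus,ou=Tivoli,ou=SWG,o=ibm
EOF
unmatched_binds "$SAMPLE_LOG"
```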



Document information

More support for: Tivoli Netcool/OMNIbus
Software version: 7.3.0, 7.3.1, 7.4.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Software edition: All Editions
Reference #: 1579907
Modified date: 2013-09-03
