Managing passwords and logon procedures

Tivoli® Storage Manager requires the server to identify authorized administrator IDs and nodes by using a password. You can authenticate administrator and node passwords with a Lightweight Directory Access Protocol (LDAP) directory server.

Restriction: Backup-archive clients must be at V6.4 or later to authenticate passwords with an LDAP directory server. Storage agents that authenticate node IDs with an LDAP directory server must use a secure connection, such as Transport Layer Security (TLS) or a virtual private network.
Figure 1. Configuring the server to authenticate passwords with an LDAP directory server
Before you authenticate administrator and node passwords with an LDAP directory server, you must configure both the LDAP directory server and the Tivoli Storage Manager server. The figure shows the same steps that are listed in Table 1.
The first step in authenticating passwords with an LDAP directory server is to complete the configuration tasks on the Tivoli Storage Manager server and the LDAP directory server. The following table shows you which steps are accomplished on the two servers:
Table 1. The steps that are required to authenticate passwords with an LDAP directory server, and where each step is completed

Step                                                                   Where to complete the step
 1. Set up an LDAP directory server.                                   LDAP server
 2. Create the Base DN (distinguished name).                           LDAP server
 3. Create a user ID, or identify an existing user ID, that the
    Tivoli Storage Manager server can use.                             LDAP server
 4. Grant the user ID access to the Base DN.                           LDAP server
 5. Copy the trusted certificate from the LDAP directory server to
    the Tivoli Storage Manager server.                                 LDAP server
 6. Import the trusted certificate from the LDAP directory server
    into the Tivoli Storage Manager server.                            Tivoli Storage Manager server
 7. Configure the LDAPURL option.                                      Tivoli Storage Manager server
 8. Define the user ID that administers node and administrator
    passwords with the LDAP directory server.                          Tivoli Storage Manager server
 9. Define the password for the user ID that administers node and
    administrator passwords.                                           Tivoli Storage Manager server
10. Register or update node IDs and administrator IDs so that they
    authenticate with the LDAP directory server.                       Tivoli Storage Manager server

Note for step 6: If a certificate already exists on the LDAP directory server, you do not have to generate a new one. You can use the existing certificate to secure communication between the LDAP directory server and the Tivoli Storage Manager server.
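As an added worked example of steps 7 through 10 (illustrative, not taken from the product documentation): the LDAPURL line belongs in the server options file, where comment lines start with an asterisk, and the remaining lines are administrative commands in the form that would be used in a server macro, with /* */ comments. The DNs are the examples used on this page; the host name ldapserver.storage.us.ibm.com, the port, and the node, administrator and password values are assumed.

```text
* Step 7, server options file: URL of the LDAP directory server followed by
* the Base DN from step 2. The server protects this connection with TLS by
* using the certificate that was imported in step 6.
LDAPURL ldap://ldapserver.storage.us.ibm.com:389/dc=storage,dc=us,dc=ibm,dc=com

/* Step 8: the bind DN, that is, the user ID from step 3 that was granted   */
/* access to the Base DN in step 4. Quote it because it contains spaces.   */
set ldapuser "cn=Jack Spratt,cn=users,dc=storage,dc=us,dc=ibm,dc=com"

/* Step 9: the bind DN password (assumed value). Case matters here because */
/* the LDAP directory server, not the Tivoli Storage Manager server,       */
/* checks it.                                                              */
set ldappassword Tsm-Bind-Pw-2013

/* Step 10: a new node and an existing administrator that are to be        */
/* authenticated by the LDAP directory server.                             */
register node node1 N0de1passw0rd authentication=ldap
update admin admin1 authentication=ldap
```

Once AUTHENTICATION=LDAP is set, the passwords of node1 and admin1 are case-sensitive, unlike LOCAL passwords, so clients that stored an uppercased password must be given the password again exactly as it was set.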

The LDAP directory server and the Tivoli Storage Manager server treat the case of letters differently. The LDAP directory server is case-sensitive: it distinguishes between secretword and SeCretwOrd, for example, so a password that is authenticated by the LDAP directory server must be entered with exactly the case in which it was set. The Tivoli Storage Manager server converts all letters in LOCAL passwords to uppercase, so for LOCAL passwords secretword and SeCretwOrd are the same password and differences in case add no strength.

The following terms are used to describe the LDAP directory server environment:
Distinguished name (DN)
A unique name in an LDAP directory. The DN can consist of the following information:
  • The user ID (uid)
  • The organizational unit (ou)
  • The organization (o)
  • The country (c)
  • The common name (cn)
  • The domain component (dc)
Restriction: You must use ou, cn, and dc with Windows Active Directory.
The following example DNs can be used on an LDAP directory server:
uid=jackspratt,ou=users,o=ibm.com,c=us
uid=cbukowski,ou=marketing,o=ibm.com,c=us
uid=abbysmith,ou=sales,o=ibm.com,c=us
In the first example, the value of the user ID is jackspratt. The organizational unit (users), the organization (ibm.com), and the country (us) make up the rest of the DN.
The following example DN can be used on a Windows Active Directory server and on other LDAP directory servers:
cn=Jack Spratt,cn=users,dc=storage,dc=us,dc=ibm,dc=com
In this example, the first cn is the user ID, with a common name of Jack Spratt. The DN consists of the common names and the domain components.
Bind
To authenticate with a directory server by using credentials such as a password.
Bind DN
The distinguished name that is used to authenticate with the LDAP server. It is the DN of the user ID that is specified in the Tivoli Storage Manager SET LDAPUSER command. For example, if the following SET LDAPUSER command is used:
set ldapuser "cn=Jack Spratt,cn=users,dc=storage,dc=us,dc=ibm,dc=com"
then cn=Jack Spratt,cn=users,dc=storage,dc=us,dc=ibm,dc=com is the bind DN that the Tivoli Storage Manager server presents to the LDAP directory server.
Bind DN password
The password that is associated with the bind DN.
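The following Python script is an added illustration, not code from Tivoli Storage Manager, of three points made above: how a DN such as cn=Jack Spratt,cn=users,dc=storage,dc=us,dc=ibm,dc=com breaks down into attribute types and values (and whether it satisfies the ou, cn, dc restriction for Active Directory), how the bind DN is simply the DN given to SET LDAPUSER, and how the case rule for LOCAL versus LDAP passwords plays out. The DN parser handles the comma-separated RFC 4514 form with backslash escapes but not hex escapes or multi-valued RDNs; the passwords_equal function is an assumed model of the comparison described in the text, not the server's own code.

```python
"""Worked example for the DN and password-case rules described above.

Added illustration, not code from Tivoli Storage Manager. parse_dn handles
the RFC 4514 comma-separated form used in the examples (backslash escapes,
but not hex escapes or multi-valued RDNs joined with '+').
"""
import hmac
import re

# Attribute types that the text says a Windows Active Directory DN must use.
AD_ALLOWED_TYPES = {"ou", "cn", "dc"}

# Matches:  set ldapuser "<dn with spaces>"   or   set ldapuser <dn-without-spaces>
_SET_LDAPUSER = re.compile(r'^\s*set\s+ldapuser\s+(?:"([^"]*)"|(\S+))\s*$', re.IGNORECASE)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, most specific first.

    Commas separate RDNs unless escaped with a backslash, so
    'cn=Spratt\\, Jack,cn=users' yields ('cn', 'Spratt, Jack') first.
    Attribute types are lower-cased because LDAP treats them case-insensitively.
    """
    parts: list[str] = []
    current: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)        # keep the escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(current))

    rdns: list[tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"RDN has no '=': {part!r}")
        attr_type, value = part.split("=", 1)
        attr_type, value = attr_type.strip().lower(), value.strip()
        if not attr_type or not value:
            raise ValueError(f"RDN with empty type or value: {part!r}")
        rdns.append((attr_type, value))
    return rdns


def is_valid_for_active_directory(dn: str) -> bool:
    """True if every RDN uses ou, cn or dc, the restriction stated for Active Directory."""
    return all(attr_type in AD_ALLOWED_TYPES for attr_type, _ in parse_dn(dn))


def bind_dn_from_set_ldapuser(command: str) -> str:
    """Return the bind DN that a SET LDAPUSER command assigns.

    The DN is quoted in the command when it contains spaces; the same string
    is what the server presents to the LDAP directory server when it binds.
    """
    match = _SET_LDAPUSER.match(command)
    if not match:
        raise ValueError(f"not a SET LDAPUSER command: {command!r}")
    dn = match.group(1) if match.group(1) is not None else match.group(2)
    parse_dn(dn)  # reject a syntactically broken DN before it is used
    return dn


def passwords_equal(stored: str, supplied: str, authentication: str) -> bool:
    """Model the case rule in the text (an assumption about the comparison,
    not the server's actual code): LOCAL passwords are upper-cased before
    they are compared, LDAP passwords are compared exactly as typed.
    compare_digest keeps the comparison constant-time for equal-length input.
    """
    if authentication.upper() == "LOCAL":
        stored, supplied = stored.upper(), supplied.upper()
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    for dn in ("uid=jackspratt,ou=users,o=ibm.com,c=us",
               "cn=Jack Spratt,cn=users,dc=storage,dc=us,dc=ibm,dc=com"):
        print(dn, "-> AD-compatible:", is_valid_for_active_directory(dn))
    print(bind_dn_from_set_ldapuser(
        'set ldapuser "cn=Jack Spratt,cn=users,dc=storage,dc=us,dc=ibm,dc=com"'))
    print("LOCAL:", passwords_equal("secretword", "SeCretwOrd", "LOCAL"),
          "LDAP:", passwords_equal("secretword", "SeCretwOrd", "LDAP"))
```

Running the script shows that the uid/ou/o/c example is rejected for Active Directory while the cn/dc example is accepted, and that secretword and SeCretwOrd match as LOCAL passwords but not as LDAP passwords.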