If the Tivoli® Enterprise Portal Server is on Linux or UNIX, you can enable LDAP user authentication and single sign-on in the portal server, and optionally configure the LDAP server connection details, by using the itmcmd command line interface.
You can use the command line to configure the LDAP server connection information if all of the following conditions are met:
- You are using Microsoft Active Directory Server or Tivoli Directory Server for your LDAP server.
- You do not plan to configure TLS/SSL between the portal server and the LDAP server.
- You do not need to configure any LDAP configuration parameters besides those listed in Table 1.
For all other scenarios, use the itmcmd command to enable LDAP user validation and SSO for the portal server and specify a server type of Other. Then use the TEPS/e administration console to complete the LDAP configuration.
Configuring the portal server to use an LDAP user registry involves adding LDAP information such as the bind ID and port number to the portal server configuration. At the same time, best practice is to enable single sign-on by specifying the realm name and the Internet or intranet domain name used by the other applications participating in SSO. For more information about these parameters, see Prerequisites for configuring LDAP authentication on the portal server.
About this task
Complete these steps to configure the portal server from the command line:
Procedure
- Log on to the computer where the Tivoli Enterprise Portal Server is installed.
- At the command line, change to the install_dir/bin directory, where install_dir is the directory where you installed the product.
- Run the following command to start configuring the Tivoli Enterprise Portal Server: ./itmcmd config -A cq
The message "Agent configuration started..." is displayed, followed by a prompt:
Edit "Common event console for IBM Tivoli Monitoring" settings? [ 1=Yes, 2=No ] (default is: 1)
- Enter 2. The following prompt is displayed:
Will this agent connect to a TEMS? [1=YES, 2=NO] (Default is: 1):
- Accept the default values for this prompt and the prompts that follow it until you see the following prompt. The default values reflect the selections made during the original configuration.
LDAP Security: Validate User with LDAP ? (1=Yes, 2=No)(Default is: 2):
- Enter 1 to begin configuring LDAP authentication and provide the values for the LDAP parameters.
LDAP type: [AD2000, AD2003, AD2008, IDS6, OTHER](Default is: OTHER):
For LDAP type, choose Other if your LDAP server is not one of those listed, if you intend to customize the LDAP configuration for the Active Directory Server or Tivoli Directory Server, or if you plan to configure TLS/SSL between the portal server and the LDAP server. After completing this procedure, start the TEPS/e administration console to complete the LDAP server configuration. See Using the TEPS/e administration console.
Important: If you think you might need to edit the configuration of the Active Directory Server or Tivoli Directory Server at a later time, for example to configure TLS/SSL communications to the LDAP server, be sure to select Other and use the TEPS/e administration console to configure the server. Otherwise, any customization done in the TEPS/e administration console is lost the next time you reconfigure the portal server.
- If you did not specify a type of Other, you are prompted to enter additional LDAP configuration values (see Table 1 for more information about these parameters):
LDAP base: o=IBM
LDAP DN Base Entry(Default is: o=ITMSSOEntry): o=IBM
LDAP bind ID: cn=root
LDAP bind password:
Re-type: LDAP bind password:
LDAP Port number(Default is: 389):
LDAP host name(Default is: localhost): itmxseries04
- If you want to enable single sign-on as well as LDAP authentication, enter 1 at the following prompt, then provide the Realm name and Domain name.
Enable Single Sign On ? (1=Yes, 2=No)(Default is: 2):
- Realm name is a parameter shared across applications participating in SSO. Applications configured for the same domain name but a different realm name do not work as part of the same SSO infrastructure.
- Domain name is the Internet or intranet domain for which SSO is configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for SSO.
After the installer has completed the configuration, the following message is displayed: Agent configuration completed...
- Recycle the portal server.
./itmcmd agent stop cq
./itmcmd agent start cq
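As an added pre-flight check (example code written for this page, not part of IBM Tivoli Monitoring or the itmcmd tool), the following Python script performs a plain LDAPv3 simple bind with the host, port, bind ID and bind password that the prompts above ask for, so a wrong value is caught before the portal server is reconfigured and recycled. The host name itmxseries04 and bind ID cn=root are the sample values shown in the prompts; the BER encoding is written out by hand so the script needs no LDAP library.

```python
"""Added pre-flight check, not part of IBM Tivoli Monitoring: verify the LDAP host,
port, bind ID and password the itmcmd prompts ask for via an LDAPv3 simple bind."""
import socket

def _ber_len(n):                       # BER length: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def build_simple_bind(msg_id, bind_dn, password):
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, simple } } (RFC 4511)."""
    bind_req = _tlv(0x60,                              # [APPLICATION 0] BindRequest
                    _tlv(0x02, b"\x03")                # version 3
                    + _tlv(0x04, bind_dn.encode())     # name (LDAPDN)
                    + _tlv(0x80, password.encode()))   # [0] simple password
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind_req)   # msg_id < 128

def _read_tlv(buf):
    """Return (tag, value, remaining bytes) for the first BER element in buf."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def parse_bind_result(data):
    """Return the resultCode of a BindResponse (0 = success, 49 = invalidCredentials)."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, rest = _read_tlv(msg)                  # skip messageID
    tag, resp, _ = _read_tlv(rest)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(resp)                       # ENUMERATED resultCode
    return int.from_bytes(code, "big")

def check_bind(host, port, bind_dn, password, timeout=5.0):
    """Plain TCP bind, the no-TLS case this procedure covers: the password crosses
    the network in clear text, so run this only from a trusted host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_simple_bind(1, bind_dn, password))
        data = sock.recv(4096)
    return parse_bind_result(data)
```

Call check_bind("itmxseries04", 389, "cn=root", password): a return value of 0 means the bind succeeded, 49 (invalidCredentials) means the bind ID or password is wrong, and a socket error means the host or port is unreachable.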
What to do next
If you chose Other as the LDAP type, the LDAP configuration must be completed in the TEPS/e administration console. See Using the TEPS/e administration console.
Once the LDAP registry is completely configured, you can map the Tivoli Enterprise Portal user IDs to the LDAP distinguished names to complete the LDAP configuration. You must log on to the Tivoli Enterprise Portal with the sysadmin user ID or a user ID that has the same administrative authority and is not an LDAP user. See Mapping Tivoli Enterprise Portal user IDs to LDAP distinguished names.
If you enabled SSO, you will need to export or import LTPA keys. Refer back to the Roadmap for setting up the portal server to use an LDAP user registry and single sign-on to determine when to perform these steps.