Four simple steps for integrating Webtop with an LDAP Server.
How many distinct user IDs have you been issued by your employer? Probably too many to remember reliably. As businesses continue to move their employees' daily tasks and services on-line, the number of those details, and hence the effort of maintaining them, increases not only for the users but also for the administrators. Luckily LDAP does provide some solace, offering a central repository for user details, a panacea with the hope of one user ID for all your business applications.
Many of the Tivoli solutions integrate with LDAP servers of varying technologies, including Microsoft Active Directory and IBM Directory Server. This article focuses on the basic process to enable Netcool/Webtop 2.2 users and administrators to authenticate using their global user IDs.
The basic steps are:
- Understand the LDAP server and directory structure
- Update the Federated repository used by Webtop
- Assign Webtop roles to the LDAP groups
- Replicate LDAP users to the Netcool/OMNIbus ObjectServer database
Each of these steps is described below.
Note: The technique for integrating the WebGUI supplied with OMNIbus v7.3 is almost identical, but is made slightly less complex due to the default settings of the WebGUI.
The LDAP Server and Directory Structure
This example is based on the IBM LDAP server IBM Directory Server v6.1. The scenario is a simple one: a single LDAP server running on the host LDAP01 and listening on the default port, 389.
The directory structure will be unique to each company. In this scenario the users exist within the realm WTRealm, identified by the distinguished name cn=wtrealm,ou=admins,o=tivoli,c=edu.
User definitions within this realm include the attribute uid, which will be used as the Webtop user ID.
Finally, Webtop operators and administrators will be assigned to the LDAP groups WTOperators and WTAdmins, respectively.
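As an added illustration (not part of the original article), the check below parses a constructed LDIF-style export of the WTRealm subtree and resolves each member of WTAdmins and WTOperators to the uid that Webtop will use as the login ID, flagging any group member whose entry has no uid and therefore cannot log in. The sample entries and the groupOfNames-style member attribute are assumptions.

```python
from collections import defaultdict
# Constructed sample export of the WTRealm subtree, not a real directory dump.
# Groups are assumed to list their members by DN in a 'member' attribute.
SAMPLE_LDIF = """\
dn: uid=alice,cn=wtrealm,ou=admins,o=tivoli,c=edu
uid: alice

dn: uid=bob,cn=wtrealm,ou=admins,o=tivoli,c=edu
uid: bob

dn: cn=carol,cn=wtrealm,ou=admins,o=tivoli,c=edu
cn: carol

dn: cn=WTAdmins,cn=wtrealm,ou=admins,o=tivoli,c=edu
member: uid=alice,cn=wtrealm,ou=admins,o=tivoli,c=edu

dn: cn=WTOperators,cn=wtrealm,ou=admins,o=tivoli,c=edu
member: uid=bob,cn=wtrealm,ou=admins,o=tivoli,c=edu
member: cn=carol,cn=wtrealm,ou=admins,o=tivoli,c=edu
"""

BASE_ENTRY = "cn=wtrealm,ou=admins,o=tivoli,c=edu"
ROLE_GROUPS = {"WTAdmins": "administrator", "WTOperators": "operator"}

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unwrapped, unencoded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), defaultdict(list))
        elif current is not None and attr:
            current[attr].append(value)
    return entries

def webtop_roles(ldif_text, base_entry=BASE_ENTRY):
    """Map each login uid to its Webtop role(s); flag members with no uid."""
    entries = parse_ldif(ldif_text)
    roles, problems = defaultdict(set), []
    for group, role in ROLE_GROUPS.items():
        group_dn = f"cn={group},{base_entry}".lower()
        for member_dn in entries.get(group_dn, {}).get("member", []):
            uids = entries.get(member_dn.lower(), {}).get("uid", [])
            if not uids:  # login property is uid, so this member cannot log in
                problems.append(f"{member_dn} in {group} has no uid attribute")
            else:
                roles[uids[0]].add(role)
    return dict(roles), problems
```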
Update the Webtop Federated repository
Once the LDAP Server set-up and properties are understood, the federated repository used by Webtop can be updated.
Webtop is a web application running within the Tivoli Integrated Portal, itself based on Embedded WebSphere Application Server, hence these steps are not specific to the Webtop application itself. It is the underlying authentication engine of the TIP that is updated during these steps.
The basic installation of Webtop 2.2 enables a file-based repository located on the TIP, i.e. the Tivoli Integrated Portal. The default administrator user tipadmin is defined within that repository. This example will add the LDAP server to the federated repository so that Webtop can authenticate both file-based and LDAP-based users.
The administrator must log-on with a user id that has TIP administration rights to complete the federated repository update and navigate through a number of pages:
- Security->Secure administration, application and infrastructure
- Select Available Realm Definitions: Federated Repositories and click Configure
- Select Add Base Entry to Realm
- Click Add Repository…
At this point the administrator can add the details of the new repository, the LDAP Server or servers. The minimum properties are:
- Identifier: IDS01 (alias for the LDAP servers)
- Directory type: IBM Directory Server v6 (The LDAP server type and version)
- Primary Hostname and port: LDAP01 and 389 (connection details to the LDAP Server)
- Bind Distinguished Name and password: cn=root (LDAP authentication details used by the TIP)
- Login properties: uid (the LDAP user attribute utilised as the Webtop log-in ID)
Optionally, the administrator could define failover LDAP servers and SSL connectivity details. This is outside the scope of this article.
On applying the repository definition dialogue, the administrator is prompted for the distinguished name of the base entry; the value cn=wtrealm,ou=admins,o=tivoli,c=edu, as identified from the analysis of the LDAP server, is used for these properties. This configuration is demonstrated in the figure below.
Finally, on clicking OK, the updated repository details will be displayed, and the administrator will be prompted to save the updates.
TIP will need to be restarted for the updates to take effect. To restart TIP use the standard commands:
Assigning Webtop Roles to the LDAP Groups
On restarting TIP, the administrator will be able to view the LDAP groups and users from the TIP navigator options Users and Groups->Manage Users and Users and Groups->Manage Groups, as demonstrated below.
To grant Webtop access to the LDAP users, Administrative Group Roles must be defined for the LDAP groups. Click Add from the navigator Users and Groups->Administrative Group Roles, type the LDAP group name (case sensitive) in the Group Name entry box and highlight the relevant roles, as demonstrated below.
Apply and save these changes.
Replicate LDAP users to the Netcool/OMNIbus ObjectServer database
This final step is required to ensure that Webtop users can successfully execute any available tools. By replicating LDAP user information to the ObjectServer database, OMNIbus UID references can be added to alarms or journal entries. This feature was added with Webtop 2.2 Interim Fix 0004 and is included in Fix Pack 01 for Webtop 2.2. This synchronisation is enabled by default for the WebGUI shipped within Netcool/OMNIbus v7.3.
The synchronisation can be run as a one-off task from the command line, or automated from the Webtop server. All users added to the ObjectServer database will be subscribed to a group, by default vmmusers, but this can be user defined.
To run a one-off synchronisation, first configure WAAPI. The key properties in the configuration file $TIPHOME/products/ncw/waapi/etc/waapi.init define the authentication details waapi.user and waapi.password. The defined user must have Webtop Administration rights. In its most basic (and insecure!) form the file may include the following details:
Assuming the default waapi.init file has been updated, the synchronisation can then be run as demonstrated in the figure below.
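Because waapi.init holds the administrator's password in clear text, the following added check (not from the article or the product) parses a constructed waapi.init, confirms both credentials are set, and reports when the file mode lets other local accounts read the password. The key:value line format and the sample values are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample in the shape the article describes: an administrator
# user and its clear-text password. Not the product's shipped default file.
# The 'key:value' line format is an assumption, not confirmed by the article.
SAMPLE_WAAPI_INIT = """\
waapi.user:webtopadmin
waapi.password:Secret123
"""

def parse_init(text):
    """Parse 'key:value' (or 'key=value') lines, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":" if ":" in line else "=")
        props[key.strip()] = value.strip()
    return props

def audit_waapi_init(path):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    with open(path) as fh:
        props = parse_init(fh.read())
    for key in ("waapi.user", "waapi.password"):
        if not props.get(key):
            findings.append(f"{key} is not set")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes the clear-text password to group/others")
    return findings

def demo():
    """Audit the sample under a loose and a tight file mode."""
    with tempfile.NamedTemporaryFile("w", suffix=".init", delete=False) as tmp:
        tmp.write(SAMPLE_WAAPI_INIT)
    try:
        os.chmod(tmp.name, 0o644)
        loose = audit_waapi_init(tmp.name)
        os.chmod(tmp.name, 0o600)
        tight = audit_waapi_init(tmp.name)
    finally:
        os.unlink(tmp.name)
    return loose, tight
```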
A regular update can be enabled from the property users.credentials.sync in the file $TIPHOME/profiles/TIPProfile/etc/webtop/server.init. Additionally, the default ObjectServer group, vmmusers, can be changed with the property users.credentials.sync.groupname within the same file.
Any changes to this file require a restart of the Webtop server, as described in the section “Update the Webtop Federated repository”. The synchronisation will run immediately on restarting the TIP. The figures below show the LDAP users and groups following a replication. Note the descriptions distinguish the LDAP and custom groups created by the synchronisation.
By default this synchronisation will occur every hour, but the frequency can be changed from the data sources definition file property ncwConfigCacheParameters resyncTime. The value is defined in seconds in the file $TIPHOME/profiles/TIPProfile/etc/webtop/datasources/ncwDataSourceDefinitions.xml. Note, however, that this parameter also controls the synchronisation frequency of other OMNIbus objects, for example field conversions, and not just the user synchronisation. The default entry is as follows:
The time required for user management within an enterprise environment can be significantly reduced through the use of a well designed LDAP server and the integration of the various business applications. The steps detailed within this article enable Webtop users to authenticate using existing LDAP users, reducing the number of user/password combinations they need to remember, reducing the Webtop/OMNIbus administration effort and centralising user maintenance. This basic example can be developed, with the TIP supporting fail-over LDAP Servers, SSL connections and referrals to other LDAP servers.