AD 域单点登陆之 用户验证标识码 (七)

http://pic.dhe.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=%2Fcom.ibm.itrc.doc_5.1.2%2Ftrc-install79.htm

 

Verifying the LDAP configuration

When the common.properties and ldap.properties files have been updated, reset the IBM Tivoli Remote Control application by clicking Admin > Reset Application. When the service has restarted launch the IBM Tivoli Remote Control application and at the logon page attempt to login using an Active Directory userid and password. If the entries in the LDAP properties file are correct you will be authenticated and will be logged on successfully.

IBM Tivoli Remote Control does this by connecting directly to LDAP therefore, any password changes within LDAP will be immediately effective as long as the LDAP password change has synchronised to the LDAP server which is set within the LDAP.properties file.

Note:

The default ADMIN userid within the IBM Tivoli Remote Control application will always authenticate against the TRC database regardless of whether LDAP authentication is enabled. This is to allow a mechanism for accessing the application, should there be a connectivity problem between IBM Tivoli Remote Control and LDAP.

 

Note:

If you cannot logon successfully check the trc.log file for connection errors. If you cannot make a connection verify the values used, against those when connecting to the LDAP browser, are correct and try again. When you can establish a connection, edit the common.properties file and update the property values with the correct values.

To determine the cause of the failure look in the trc.log file or the application log within the Admin menu.

• From the menu bar click Admin
• Click View application log
• Click CTRL+END to reach the end of the file

Some common errors are listed below. Please note that the presence of these errors indicates that there was a problem creating the initial connection between IBM Tivoli Remote Control and Active Directory.

AcceptSecurityContext error, data 525

Returns when username is invalid

AcceptSecurityContext error, data 52e

Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

AcceptSecurityContext error, data 530

Logon failure: account logon time restriction violation. Returns only when presented with valid username and password/credential.

AcceptSecurityContext error, data 531

Logon failure user not allowed to log on to this computer. Returns only when presented with valid username and password/credential

AcceptSecurityContext error, data 532

Logon failure: the specified account password has expired. Returns only when presented with valid username and password/credential.

AcceptSecurityContext error, data 533

Logon failure account currently disabled. Returns only when presented with valid username and password/credential.

AcceptSecurityContext error, data 701

The user's account has expired. Returns only when presented with valid username and password/credential.

AcceptSecurityContext error, data 773

The user's password must be changed before logging on the first time. Returns only when presented with valid user-name and password/credential.

AcceptSecurityContext error, data 775

The referenced account is currently locked out and may not be logged on to. Returns even if invalid password is presented.

LDAP Authentication.exceptionmyserver.mydomain.com:389

Returns when the server name specified by ldap.connectionURL is unreachable.

Verifying Importation of Groups

When authentication is successful and you are logged on to the TRC server, complete the following step.

• From the IBM Tivoli Remote Control server menu bar click User groups->All User Groups

The groups defined in Active Directory should be displayed. Permissions will need to be defined for these groups by an administrator. See the IBM Tivoli Remote Control Administrator's Guide for details of editing a user group.