Saturday, March 5, 2011

How to Import User Accounts into TAMeb using pdadmin

A user account must be ‘imported’ into TAMeb and set to valid before it can be used to access a web application secured by TAMeb. ‘Imported’ is in quotation marks because TAMeb stores, in the directory service itself, a TAMeb object that shadows the directory service user object; the shadow object does not exist on any TAMeb server.
Using pdadmin, a user object is imported with the following syntax:
pdadmin sec_master> user import <name> <dn>
(For the naming attribute, Tivoli Directory Server generally uses cn or dnqualifier; Active Directory uses samAccountName.)  Double-quote the DN if it contains any spaces.
For example, enter the following on one line for a hypothetical employee:
pdadmin sec_master> user import <username> cn=u123456,ou=Workforce,dc=company,dc=com
After the account is imported, set it to valid with the following command:
pdadmin sec_master> user modify <username> account-valid yes
If account-valid is no, TAMeb will not allow access to secured applications.  The account still has whatever other rights and permissions the directory server grants it, including access to applications reached through WebSEAL that are not secured.
To check the status of the account, enter:
pdadmin sec_master> user show <username>
Login ID: <username>
LDAP DN: cn=<username>,ou=Workforce,dc=company,dc=com
LDAP CN: <username>
LDAP SN: <lastname>
Description:
Is SecUser: yes
Is GSO user: no
Account valid: yes
Password valid: yes
Authorization mechanism: Default:LDAP

If the account has not been imported, pdadmin returns an error message instead:

pdadmin sec_master> user show fakeuser
Could not perform the administration request. Error: HPDMG0754W The entry was not found. If ... (status 0x14c012f2)
To show a user’s group membership (only groups that have themselves been imported into TAMeb are listed):
pdadmin sec_master> user show-groups <username>
sales
credit
engineering
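The import-then-validate procedure above, as a small POSIX sh helper added here (it is not from the original post and is not IBM's code): it builds the user import line using the DN-quoting rule from the post, and classifies user show output into not-imported, disabled or active, so a script reviewing many accounts can tell an account that was never imported from one that was imported but left at account-valid no. The two pdadmin outputs it parses are constructed copies of the formats shown above.

```shell
#!/bin/sh
# Added example, not from the post: parse "pdadmin ... user show" output
# and build the "user import" line. The pdadmin outputs are constructed.

# Constructed: an imported account that is still disabled.
SHOW_DISABLED='Login ID: u123456
LDAP DN: cn=u123456,ou=Workforce,dc=company,dc=com
LDAP CN: u123456
Is SecUser: yes
Is GSO user: no
Account valid: no
Password valid: yes
Authorization mechanism: Default:LDAP'

# Constructed: pdadmin's reply for a name that was never imported.
SHOW_MISSING='Could not perform the administration request. Error: HPDMG0754W The entry was not found.'

# field_value OUTPUT LABEL -> the value after "LABEL:", whitespace trimmed.
field_value() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# import_line NAME DN -> the pdadmin command, with the DN double-quoted
# only when it contains a space (as the post advises).
import_line() {
    case $2 in
        *' '*) printf 'user import %s "%s"\n' "$1" "$2" ;;
        *)     printf 'user import %s %s\n' "$1" "$2" ;;
    esac
}

# account_state OUTPUT -> not-imported (no shadow object, HPDMG0754W),
# disabled (imported but a validity flag is "no"), or active.
account_state() {
    case $1 in
        *HPDMG0754W*) echo not-imported; return 0 ;;
    esac
    if [ "$(field_value "$1" 'Is SecUser')" = yes ] &&
       [ "$(field_value "$1" 'Account valid')" = yes ] &&
       [ "$(field_value "$1" 'Password valid')" = yes ]; then
        echo active
    else
        echo disabled
    fi
}
```

Feed account_state the captured output of pdadmin user show for each name you expect to be usable; anything other than active needs either a user import or a user modify account-valid yes.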