Integrating Cloud Pak System with LDAP servers

Cloud Pak System can integrate with Lightweight Directory Access Protocol (LDAP) servers that implement the LDAP Version 3 specification RFC 4511. Cloud Pak System currently supports IBM® Directory Server, Microsoft Active Directory, and Oracle LDAP Server.

Cloud Pak System reads user and group entries from LDAP servers. Cloud Pak System can search for users, groups, and users as static members of groups. The system does not support environments in which LDAP groups are organized as attributes of users, either static or dynamic.

Administrators with the Security administration role with permission to Manage security (Full permission) can register one or more LDAP groups on Cloud Pak System. If these administrators are also assigned the delegation role, they can grant security roles to users in those LDAP groups.

After LDAP groups are registered with Cloud Pak System, each user is automatically registered with any of those LDAP groups of which the user is a member the first time that the user logs in to the system successfully. Those users also receive the same roles and permissions that the administrator assigned to the group as a whole.
Note: When you delete LDAP groups, users in those groups are not automatically removed. Administrators must remove those users manually.

Administrators with the Security administration role with permission to Manage security (Full permission) can set configuration parameters for LDAP servers. Administrators with this role must also have the delegation security role to add LDAP users and groups to the Cloud Pak System user repository.

The delegation security role can be granted by selecting the Allow delegation when full permission is selected option on the Security and access > Users and Security and access > User Groups pages in the console.

Notes:
  • When you register LDAP user names and groups with Cloud Pak System, and also when you log in to the system with a user ID, always consider case sensitivity. As a rule, use the same case as the corresponding attribute value on the LDAP server. The LDAP user names that you create and use to log in to the system can be matched case-insensitively, but the user name value that Cloud Pak System uses is the attribute value that the LDAP server returns.
  • Duplicate user names in the LDAP directory are not supported.
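The following added example models the lookup rules described above (static group membership only, the directory's own attribute value as the user name, and duplicate user names rejected); it is illustrative code written for this page, not Cloud Pak System code, and the directory entries, DNs and the `uid`/`member` attribute choices are constructed assumptions.

```python
"""Constructed model of the lookup rules this page describes: users are
resolved by a login attribute, groups are resolved only through static
member lists on the group entry, and the user name the system keeps is
the attribute value returned by the directory. Not Cloud Pak System code."""

# Constructed sample directory: entries keyed by DN (hypothetical data).
DIRECTORY = {
    "uid=Jane.Doe,ou=people,dc=example,dc=com": {
        "uid": ["Jane.Doe"],
        # memberOf on the user entry is the unsupported layout; it is ignored.
        "memberOf": ["cn=auditors,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"]},
    "cn=cloudadmins,ou=groups,dc=example,dc=com": {
        "member": ["uid=jane.doe,ou=people,dc=example,dc=com"],  # case differs from the DN
    },
    "cn=auditors,ou=groups,dc=example,dc=com": {"member": []},
}


class DuplicateUserError(Exception):
    """Raised when more than one entry matches the login name (unsupported)."""


def find_user(directory, login, attr="uid"):
    """Match the login name case-insensitively and return (dn, canonical name).

    The canonical name is the value stored in the directory, not the case
    the person typed, mirroring the page's note on case sensitivity.
    """
    matches = [
        (dn, entry[attr][0])
        for dn, entry in directory.items()
        if attr in entry and entry[attr][0].lower() == login.lower()
    ]
    if not matches:
        return None
    if len(matches) > 1:
        raise DuplicateUserError(f"{login!r} matches {len(matches)} entries")
    return matches[0]


def static_groups_for(directory, user_dn):
    """Return group DNs whose static 'member' list names user_dn.

    DN comparison is case-insensitive; user-side attributes such as
    memberOf are deliberately not consulted.
    """
    target = user_dn.lower()
    return sorted(
        dn for dn, entry in directory.items()
        if any(m.lower() == target for m in entry.get("member", []))
    )
```

Note that Jane's `memberOf` value does not place her in `auditors`, because that group's static `member` list does not name her; only `cloudadmins` is returned.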

Cloud Pak System delegates LDAP user authentication to the external LDAP server. The system needs only read access to the LDAP server to access LDAP user and group data.

LDAP user and group membership relationships are managed by the LDAP server, not Cloud Pak System. The system does not copy over any LDAP group membership information from the LDAP server. The group membership is not displayed when an LDAP user group is selected in the user interface or when you use the command-line interface to display the group membership.