Integrating with the IAM Service
By default, IBM Cloud Pak® for Data user records are stored in an internal repository database. However, it is strongly recommended that you use an enterprise-grade password management solution, such as single sign-on (SSO) or LDAP.
If you use LDAP, you can choose between the following options:
Mechanism | Benefits | Drawbacks
---|---|---
LDAP integration provided by Cloud Pak for Data | You can use LDAP with or without SAML SSO. You can choose the level of integration with the LDAP server. You can use LDAP to: | You can connect to a single LDAP server from each instance of Cloud Pak for Data. The LDAP configuration cannot be shared across Cloud Pak for Data instances or used by any other IBM® Cloud Paks on the cluster.
LDAP integration provided by the Identity and Access Management Service (IAM Service) in IBM Cloud Pak foundational services | You can connect to multiple LDAP servers, and the connections can be used by multiple instances of Cloud Pak for Data or other IBM Cloud Paks on the cluster. | Do not use this method if you have multiple LDAP servers that must be isolated from each other. For example, you maintain two instances of Cloud Pak for Data for different groups of users. Each group of users is managed by a different LDAP server, and you don't want the users to be able to see information about users in the other LDAP server.
To use the LDAP integration provided by Cloud Pak for Data, see Connecting to your identity provider.
- Permissions you need for this task
- You must be either:
  - A cluster administrator
  - An administrator of the following projects:
    - The project where IBM Cloud Pak foundational services is installed (ibm-common-services)
    - The project where the IBM Cloud Pak for Data platform operator is installed (either ibm-common-services or cpd-operators)
    - The project where Cloud Pak for Data is installed
- When you need to complete this task
- If you want to use the LDAP integration provided by the IAM Service, you must integrate Cloud Pak for Data with the IAM Service before you onboard users or create user groups.

When you integrate with the IAM Service, you delegate all authentication to the IAM Service. If you onboard users before you integrate with the IAM Service, existing users might not be able to log in to Cloud Pak for Data.
Before you begin
Ensure that you source the environment variables before you run the commands in this task.
About this task
Contact IBM Software support to reset Cloud Pak for Data to the previous state.