Integrating with the IAM Service

By default, IBM Cloud Pak® for Data user records are stored in an internal repository database. However, it is strongly recommended that you use an enterprise-grade password management solution, such as single sign-on (SSO) or LDAP.

If you use LDAP, you can choose between the following options:

Mechanism: LDAP integration provided by Cloud Pak for Data
  Benefits:
    • You can use LDAP with or without SAML SSO.
    • You can choose the level of integration with the LDAP server. You can use LDAP to:
      • Validate users' credentials
      • Manage access to the platform
  Drawbacks:
    • You can connect to a single LDAP server from each instance of Cloud Pak for Data.
    • The LDAP configuration cannot be shared across Cloud Pak for Data instances or used by any other IBM® Cloud Paks on the cluster.

Mechanism: LDAP integration provided by the Identity and Access Management Service (IAM Service) in IBM Cloud Pak foundational services
  Benefits:
    • You can connect to multiple LDAP servers, and the connections can be used by multiple instances of Cloud Pak for Data or other IBM Cloud Paks on the cluster.
  Drawbacks:
    • Do not use this method if you have multiple LDAP servers that must be isolated from each other. For example, you maintain two instances of Cloud Pak for Data for different groups of users. Each group of users is managed by a different LDAP server, and you don't want the users to be able to see information about users in the other LDAP server.

To use the LDAP integration provided by Cloud Pak for Data, see Connecting to your identity provider.

Permissions you need for this task

You must be either:
  • A cluster administrator
  • An administrator of the following projects:
    • The project where IBM Cloud Pak foundational services is installed (ibm-common-services)
    • The project where the IBM Cloud Pak for Data platform operator is installed (either ibm-common-services or cpd-operators)
    • The project where Cloud Pak for Data is installed

When you need to complete this task

If you want to use the LDAP integration provided by the IAM Service, you must integrate Cloud Pak for Data with the IAM Service before you onboard users or create user groups.

When you integrate with the IAM Service, you delegate all authentication to the IAM Service. If you onboard users before you integrate with the IAM Service, existing users might not be able to log in to Cloud Pak for Data.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

Important: Integrating with the IAM Service is irreversible.

If you need to return Cloud Pak for Data to its previous state, contact IBM Software Support.

Procedure

  1. Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example:
    cpd-cli manage login-to-ocp \
    --username=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
    Tip: The login-to-ocp command takes the same input as the oc login command. Run oc login --help for details.
  2. Run the following command to integrate with the IAM Service:
    cpd-cli manage setup-iam-integration \
    --enable=true \
    --cpd_instance_ns=${PROJECT_CPD_INSTANCE}

    The command triggers a reconciliation in the Zen operator.

    It might take up to 20 minutes for the process to complete if the IAM Service needs to be started and configured.

  3. Wait for the setup-iam-integration command to return Succeeded.
  4. To verify that the integration is complete, check that the following command returns true:
    oc get zenservice lite-cr \
    -n ${PROJECT_CPD_INSTANCE} \
    -o jsonpath='{.spec.iamIntegration}'
  5. Get the initial password for the admin user from the IAM Service:
    oc get secret platform-auth-idp-credentials \
    -n ${PROJECT_CPFS_OPS} \
    -o jsonpath='{.data.admin_password}' | base64 --decode;
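The following script is an added example that wraps the procedure above; it is not part of the IBM documentation or the cpd-cli tooling. It assumes the environment variables named on this page (OCP_USERNAME, OCP_PASSWORD, OCP_URL, PROJECT_CPD_INSTANCE, PROJECT_CPFS_OPS) and that oc and cpd-cli are on PATH. It adds what the page's bare commands leave to the operator: a check that every variable is set before the irreversible step runs, a guard that skips the setup if spec.iamIntegration is already true, a polling loop for steps 3 and 4 that gives up after the 20-minute window the page mentions, and retrieval of the admin password into a variable rather than onto the terminal. The function names and the default timeout are the example's own choices.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-flight checks, a readiness wait and a
# wrapper for the IAM integration procedure. Assumes the page's environment
# variables and the oc / cpd-cli binaries on PATH. Only run_iam_setup changes
# the cluster; the other functions are read-only.

# Return 0 only if every variable the procedure needs is set and non-empty;
# the names of any missing variables go to stderr.
check_env() {
  missing=""
  for v in OCP_USERNAME OCP_PASSWORD OCP_URL PROJECT_CPD_INSTANCE PROJECT_CPFS_OPS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Print the current value of spec.iamIntegration on the lite-cr ZenService:
# "true", "false", or an empty string if the field is not set yet.
iam_integration_state() {
  oc get zenservice lite-cr \
    -n "${PROJECT_CPD_INSTANCE}" \
    -o jsonpath='{.spec.iamIntegration}' 2>/dev/null
}

# Poll until spec.iamIntegration is true or the timeout (seconds) expires.
# Defaults: 1200 s total (the page's 20-minute upper bound), 30 s between polls.
# Returns 0 when the integration is reported complete, 1 on timeout.
wait_for_iam_integration() {
  timeout="${1:-1200}"
  interval="${2:-30}"
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if [ "$(iam_integration_state)" = "true" ]; then
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "timed out after ${timeout}s waiting for spec.iamIntegration=true" >&2
  return 1
}

# Run the full procedure: log in, enable the integration (irreversible), wait
# for the Zen operator reconciliation, then read the IAM admin password into
# ADMIN_PASSWORD instead of echoing it to the terminal.
run_iam_setup() {
  check_env || return 1
  if [ "$(iam_integration_state)" = "true" ]; then
    echo "IAM integration is already enabled; nothing to do" >&2
    return 0
  fi
  cpd-cli manage login-to-ocp \
    --username="${OCP_USERNAME}" \
    --password="${OCP_PASSWORD}" \
    --server="${OCP_URL}" || return 1
  cpd-cli manage setup-iam-integration \
    --enable=true \
    --cpd_instance_ns="${PROJECT_CPD_INSTANCE}" || return 1
  wait_for_iam_integration || return 1
  ADMIN_PASSWORD="$(oc get secret platform-auth-idp-credentials \
    -n "${PROJECT_CPFS_OPS}" \
    -o jsonpath='{.data.admin_password}' | base64 --decode)"
  export ADMIN_PASSWORD
  echo "IAM integration enabled; admin password is in \$ADMIN_PASSWORD" >&2
  return 0
}
```

Source the file and call run_iam_setup once the variables from Setting up installation environment variables are loaded; the already-enabled guard makes it safe to re-run after an interrupted session, and keeping the password in a variable keeps it out of terminal scrollback and session recordings.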