Setting Up LDAP - the simple method
Learn how to set up LDAP and import users the simple way to access the Monitoring module of IBM Cloud Pak® for Multicloud Management. Setting up LDAP is a requirement for cluster native monitoring.
Most users do not require the use of multiple accounts. Using multiple accounts introduces considerable complexity. These steps use the default account, id-mycluster-account.
Note: The Monitoring module does not support LDAP groups. It requires that users are directly added to the team. For more information about API calls that can be made to script this, see IAM APIs.
Prerequisites
- You must set up an LDAP connection in IBM Cloud Pak® for Multicloud Management. From the navigation menu, select Administer > Identity & Access. Select Create Connection. The "LDAP Connection" page is displayed. For more information, see Configuring LDAP connection.
- Install the cloudctl CLI. For more information, see Installing IBM Cloud Pak CLI (cloudctl). The instructions also include the step to install kubectl CLI. You might need to use the kubectl CLI to complete some steps.
Required user type or access level: Cluster administrator
Procedure
- Log in to IBM Cloud Pak® for Multicloud Management as a cluster administrator.
cloudctl login -a https://<cluster-domain-name>:443
- Import users from the LDAP connection into IBM Cloud Pak® for Multicloud Management. Repeat the command for each LDAP user.
cloudctl iam user-import -c <ldap_id> -u <user_id>
You can use this command to find the LDAP ID:
cloudctl iam ldaps
- Onboard the LDAP users imported in step 2. Users are unable to access IBM Cloud Pak® for Multicloud Management until they are added to a team.
cloudctl iam user-onboard id-mycluster-account -r MEMBER -u user1ID,user2ID,...
- Create a team for the default account. Repeat as needed.
cloudctl iam team-create <team_name>
To use the console, see Create teams.
- Assign users to the created team with a role of Administrator, Operator, or Viewer. Repeat as needed for each user.
cloudctl iam team-add-users <team_id> <role> -u user2
You can use this command to find the TEAM ID:
cloudctl iam teams
To use the console, see Add users to a team.
- Add managed resources to the team.
cloudctl iam resource-add <team_id> -r CRN
For more information, see Add resources to a team.
You can use this command to create namespace resources:
kubectl create namespace <namespace_name>
To use the console, see Creating a namespace.
You can use this command to find the associated CRN:
cloudctl iam resources | grep <namespace_name>
- For more information about Identity and Access Management (IAM) concepts in IBM® Cloud Pak for Multicloud Management, see the IAM Guide.
- You can assign an IAM role to users or user groups when you add them to a team. For more information about IAM roles and actions, see the Role-based access control (RBAC) for clusters.
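The import, onboard and team-assignment steps of the procedure, batched over a user list because LDAP groups are not supported and each user must be added directly. This is an added example, not part of the IBM documentation: the `user_id role` file format, the `DRY_RUN` switch and the function names are assumptions, and it uses only the `cloudctl` commands shown in the procedure after an existing `cloudctl login`.

```shell
#!/bin/sh
# Added example: batch form of the import, onboard and team-add steps.
# Assumptions (not from the page): the "user_id role" file format, the
# DRY_RUN switch and all function names. Run "cloudctl login" first.

ACCOUNT="id-mycluster-account"   # default account used on the page

# run CMD...: print the command when DRY_RUN=1 (the default), else execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$*"
  else
    "$@" </dev/null   # keep the CLI from consuming the user list on stdin
  fi
}

# valid_role ROLE: accept only the three team roles the page lists.
valid_role() {
  case "$1" in
    Administrator|Operator|Viewer) return 0 ;;
    *) return 1 ;;
  esac
}

# onboard_users LDAP_ID TEAM_ID FILE
# FILE has one "user_id role" pair per line; blanks and '#' lines are skipped.
# Returns non-zero if any line was rejected or any command failed.
onboard_users() {
  ldap_id=$1; team_id=$2; file=$3; rc=0
  while read -r user role rest || [ -n "$user" ]; do
    case "$user" in ''|'#'*) continue ;; esac
    if ! valid_role "$role"; then
      echo "skip $user: role '$role' is not Administrator, Operator or Viewer" >&2
      rc=1
      continue
    fi
    run cloudctl iam user-import -c "$ldap_id" -u "$user" &&
      run cloudctl iam user-onboard "$ACCOUNT" -r MEMBER -u "$user" &&
      run cloudctl iam team-add-users "$team_id" "$role" -u "$user" || rc=1
  done < "$file"
  return "$rc"
}
```

Review the printed commands first, then rerun with `DRY_RUN=0` to apply them.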