Deploying OpenLDAP

Provide authentication capabilities for QRadar® Suite SoftwareIBM Security QRadar Suite Software by deploying an instance of OpenLDAP with users.

Before you begin

Install the command-line interface (CLI) utility cpctl from the cp-serviceability pod. For more information, see Installing the cpctl utility.

To deploy an instance of the OpenLDAP chart in the QRadar Suite Software namespace, run the deploy_openldap action.

During installation or upgrade, you set the adminUser value for the initial user of QRadar Suite Software. You must add this value to the OpenLDAP deployment.

This OpenLDAP deployment must not be used when an existing Lightweight Directory Access Protocol (LDAP) is configured.

Important: The OpenLDAP deployment is intended to be used only for demonstration purposes in a test environment and is not supported for use in a production environment.
Warning:
  • Do not add a user ID with the value admin to your identity provider as that might cause issues with other services on your cluster.
  • Any user ID value that is used in QRadar Suite Software must be uniquely defined in only one of the connected identity providers. This restriction applies to the initial administrator and to any other user ID that is added to accounts later. If a duplicate user ID is encountered, QRadar Suite Software does not start correctly, and no users can access the system.

About this task

The OpenLDAP deployment does not provide persistence of users within QRadar Suite Software.

You can rerun the deploy_openldap action to include more users.

Procedure

  1. To make sure that the list of available cpctl actions is up to date, enter the following command. 
    cpctl load
    The cpctl load command retrieves all of the available actions that can be run on QRadar Suite Software. The actions are cached to your local environment.
  2. To run the deploy_openldap action, enter the following command. 
    cpctl tools deploy_openldap --token <token> --operation <operation> --ldap_usernames <username>  --ldap_password <password>
    The command has the following parameters.
    Parameter Description
    --token The cluster administrator token. Log in as the admin user and generate the token by running the oc whoami -t command.
    --operation The action operation. The operation can be set to either install or uninstall. The install option is the default option.
    --ldap_usernames A comma-separated list of OpenLDAP user names that are added during the installation. The parameter defaults to cp4s-demo.
    --ldap_password The OpenLDAP password for the user names that are specified by the --ldap_usernames parameter. The parameter defaults to cp4s-demo.
    Important: One password applies to all users.

Example

To use the deploy_openldap action, run the following commands.
  • To install OpenLDAP with a list of usernames, run the command:
    cpctl tools deploy_openldap --token $(oc whoami -t) --ldap_usernames 'user1,user2,user3' --ldap_password myCustomPassword
  • To uninstall OpenLDAP, run the command:
    cpctl tools deploy_openldap --token $(oc whoami -t) --operation uninstall

What to do next

Verify the LDAP connection as the initial identity provider by logging in as the initial user.