Connecting with the CPFS LDAP directory (OCP only)
Using the Zen administrative console for IBM Cloud Pak® foundational services (CPFS), you can manage users and user groups for your IBM® Concert instance deployed through Red Hat® OpenShift® Container Platform (OCP). This approach simplifies user management and role-based access to your Concert instance.
The final step to installing Concert software on your OCP deployment returns admin credentials (cpadmin) to access the Zen administrative console, where you can integrate with an external LDAP directory to add and manage users and roles in the cluster.
Before you begin
- Run the following command to retrieve critical details about your Concert instance that you'll need to manage users and user groups from CPFS.

  ./ibm-concert-manage.sh get-concert-instance-details

  Sample response:

  Concert Url: concert-concert-instance-308.apps.roja-ocp.cp.fyre.ibm.com
  Zen Administration URL: concert-concert-instance-308.apps.roja-ocp.cp.fyre.ibm.com/zen
  Concert Username: cpadmin
  Concert Password: <password>

  The response includes the Zen Administration URL where you can manage users and access.
Instructions
- Log into the Zen Administration console by going to the unique URL and using the cpadmin credentials returned in the response to installing Concert software on your OCP cluster.
- Go to .
- Click .
- In the New LDAP server connection page, enter the following details to set up your LDAP connection.
  - LDAP connection
    Enter the following details:
    - Connection name: A unique name for the LDAP connection. The name must be 3 to 30 characters using alphanumeric characters only. Special characters are not supported.
    - Server type: A list of directory server types to which you can connect. Select one from the list.
    - Case insensitive user search: Set the value to true or false to enable or disable case-insensitive matching of the LDAP username.
  - LDAP authentication
    Enter authentication information:
    - Base DN: The distinguished name of the search base. Example: dc=abc,dc=com. Format: 1 - 255 alphanumeric characters; special characters that are allowed: = . , -
    - Bind DN (optional): The user who is allowed to search the base DN. Example: cn=admin,dc=abc,dc=com. If no user is specified in the Bind DN parameter, the LDAP connection is established without authentication. Format: 0 - 255 alphanumeric characters; white space is allowed; special characters that are allowed: = . , - : @ ( ) _ \
    - Bind DN password: The password of the user who is mentioned in the Bind DN. This parameter is not required if you do not specify a user in the bind DN. A maximum of 255 characters are allowed.
    Note: The Base DN and Bind DN values are case-sensitive and must be a full distinguished name (DN) path. The DN path, including spaces, commas, and other characters, must be the same as configured in the LDAP server. Example:
      Base DN : DC=mycompany,DC=com
      Bind DN : CN=Administrator,CN=Users,DC=mycompany,DC=com
    For Base DN, the following values are invalid:
    - dc=mycompany,dc=com because DC is lowercase.
    - DC=mycompany, DC=com because there is a space between the parameters.
    For Bind DN, the following values are invalid:
    - cn=Administrator,cn=Users,dc=mycompany,dc=com because CN and DC are lowercase.
    - CN=Administrator,DC=mycompany,DC=com because the CN=Users parameter is missing.
    - CN=Administrator,CN=Users, DC=mycompany,DC=com because there is a space between the parameters.
    - CN=administrator,CN=Users,DC=mycompany,DC=com because the administrator parameter value starts with a lowercase letter.
    Note: Microsoft Active Directory server does a strict check of Base DN and Bind DN values while it establishes a connection.
    You can click Test connection to verify whether the LDAP connection details are valid.
  - LDAP server
    Enter the server URL for your connection.
    - URL: The LDAP directory domain name or IP address, and the LDAP port number. The URL must begin with ldap(s)://. Example URLs: ldap(s)://corpldap.abc.com:389 or ldap://10.10.10.1:389. For LDAP over SSL (LDAPS), you must use the domain name, and the URL must begin with ldaps://. Example URL: ldaps://corpldap.abc.com:636.
    Note: If you are unable to connect to your LDAPS server by using the host name, add the IP address and host name of the LDAPS server in your local DNS. The LDAPS server host name must be resolvable from your master node.
  - LDAP filters
    Enter connection information.
    - Group filter: The filter clause for searching groups. From foundational services version 3.23 and later, IM supports all the special characters, but the following are the validated and tested special characters: white space, = ; . , & % () {} <> | !
    - Group ID map: The filter maps a group name to an LDAP entry. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, * : = ; . , & % () {}
    - Group member ID map: The filter to map a user to a group. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, * : = ; . , & % () {}
    - User filter: The filter clause for searching users. From foundational services version 3.23 and later, IM supports all the special characters, but the following are the validated and tested special characters: white space, = ; . , & % () {} <> | !
    - User ID map: The filter maps a username to an LDAP entry. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, * : = ; . , & % () {}
- Click Create.
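The Base DN, Bind DN and URL rules from the procedure above, turned into a pre-flight check you can run before pasting values into the console. This is an added example, not IBM's code; it applies only the formatting rules the documentation states (character sets, lengths, the Active Directory strict-match notes, ldaps:// requiring a host name) and cannot confirm that a DN matches what the directory server actually holds.

```python
"""Pre-flight checks for the LDAP connection fields described above.
Added example (not IBM's code): it applies only the formatting rules stated in the
documentation and cannot confirm that a DN matches what the directory server holds."""
import ipaddress
from urllib.parse import urlsplit

# Special characters the documentation allows in each field, besides alphanumerics.
BASE_DN_ALLOWED = set("=.,-")
BIND_DN_ALLOWED = set("=.,-:@()_\\ ")   # white space is allowed for Bind DN only


def check_dn(dn: str, kind: str) -> list:
    """Return the problems found in a Base DN (kind="base") or Bind DN (kind="bind").
    An empty list means the value passes the documented rules."""
    allowed, min_len = (BASE_DN_ALLOWED, 1) if kind == "base" else (BIND_DN_ALLOWED, 0)
    problems = []
    if not min_len <= len(dn) <= 255:
        problems.append(f"{kind} DN must be {min_len}-255 characters")
    if kind == "bind" and not dn:
        return problems          # empty Bind DN: connection is made without authentication
    bad = sorted({c for c in dn if not (c.isalnum() or c in allowed)})
    if bad:
        problems.append(f"unsupported characters: {bad}")
    # Active Directory compares the DN strictly: attribute types are written in
    # uppercase and no white space may follow the separating commas.
    for rdn in dn.split(","):
        if rdn != rdn.strip():
            problems.append(f"white space around comma in {rdn!r}")
        attr, sep, _ = rdn.strip().partition("=")
        if not sep:
            problems.append(f"{rdn!r} is not an attribute=value pair")
        elif attr != attr.upper():
            problems.append(f"attribute type {attr!r} must be uppercase")
    return problems


def check_url(url: str) -> list:
    """Return the problems found in the LDAP server URL field."""
    if not url.startswith(("ldap://", "ldaps://")):
        return ["URL must begin with ldap:// or ldaps://"]
    parts = urlsplit(url)
    problems = []
    try:
        if parts.port is None:
            problems.append("URL must include the LDAP port number")
    except ValueError:
        problems.append("port is not a number")
    try:                         # LDAPS needs a resolvable host name, not an IP address
        ipaddress.ip_address(parts.hostname or "")
        if parts.scheme == "ldaps":
            problems.append("LDAPS requires the server's domain name, not an IP address")
    except ValueError:
        pass
    return problems
```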
Your cluster is now connected with your CPFS LDAP directory. Next, refer to Granting access to your Concert instance (OCP).