Connecting with the CPFS LDAP directory (OCP only)

Using the Zen administrative console for IBM Cloud Pak® foundational services (CPFS), you can manage users and user groups for your IBM® Concert instance deployed through Red Hat® OpenShift® Container Platform (OCP). This approach simplifies user management and role-based access to your Concert instance.

The final step to installing Concert software on your OCP deployment returns admin credentials (cpadmin) to access the Zen administrative console where you can integrate with an external LDAP directory to add and manage users and roles in the cluster.

Before you begin

  • Run the following command to retrieve critical details about your Concert instance that you'll need to manage users and user groups from CPFS.
    ./ibm-concert-manage.sh get-concert-instance-details
    Sample response:
    Concert Url: concert-concert-instance-308.apps.roja-ocp.cp.fyre.ibm.com
    Zen Administration URL: concert-concert-instance-308.apps.roja-ocp.cp.fyre.ibm.com/zen
    Concert Username: cpadmin
    Concert Password: <password>
    The response includes the Zen Administration URL where you can manage users and access.

Instructions

Note: The following steps assume you have already installed Concert software on your OCP cluster, and that you have successfully retrieved your unique Zen Administration URL and credentials.
  1. Log in to the Zen Administration console by going to the unique URL and using the cpadmin credentials returned in the response when you installed Concert software on your OCP cluster.
  2. Go to Administration > Identity providers.
  3. Click New Connection.
  4. In the New LDAP server connection page, enter the following details to set up your LDAP connection.
    LDAP connection

    Enter the following details:

    • Connection name: A unique name for the LDAP connection. The name must be 3 to 30 characters using alphanumeric characters only. Special characters are not supported.
    • Server type: A list of directory server types to which you can connect. Select one from the list.
    • Case insensitive user search: Set the value to true to match the LDAP username without regard to case, or false to require an exact-case match.
    LDAP authentication

    Enter authentication information:

    • Base DN: The distinguished name of the search base. Example: dc=abc,dc=com. Format: 1 - 255 alphanumeric characters; special characters that are allowed: = . , -
    • Bind DN (optional): The user who is allowed to search the base DN. Example: cn=admin,dc=abc,dc=com. This parameter is optional. If no user is specified in the Bind DN parameter, the LDAP connection is established without authentication. Format: 0 - 255 alphanumeric characters; white space is allowed; special characters that are allowed: = . , - : @ ( ) _ \
    Bind DN password: The password of the user who is mentioned in the Bind DN. This parameter is not required if you do not specify a user in the bind DN. A maximum of 255 characters are allowed.
    Note: The configuration of Base DN and Bind DN values must be set as case-sensitive and must be a full distinguished name (DN) path. The DN path, including spaces, commas, and other characters, must be the same as configured in the LDAP server.
    Example:
     Base DN : DC=mycompany,DC=com
     Bind DN : CN=Administrator,CN=Users,DC=mycompany,DC=com
    For Base DN, the following values are invalid:
    • dc=mycompany,dc=com because DC is in lowercase.
    • DC=mycompany, DC=com because there is a space between the parameters.
    For Bind DN, the following values are invalid:
    • cn=Administrator,cn=Users,dc=mycompany,dc=com because CN and DC are in lowercase.
    • CN=Administrator,DC=mycompany,DC=com because the CN=Users parameter is missing.
    • CN=Administrator,CN=Users, DC=mycompany,DC=com because there is a space between the parameters.
    • CN=administrator,CN=Users,DC=mycompany,DC=com because the administrator parameter value starts with a lowercase letter.
      Note: Microsoft Active Directory server does a strict check of Base DN and Bind DN values while it establishes a connection.

    You can click Test connection to verify whether the LDAP connection details are valid.

    LDAP server

    Enter the server URL for your connection.

    • URL: The LDAP directory domain name or IP address, and the LDAP port number. The domain name must begin with ldap(s)://. Example URL: ldap(s)://corpldap.abc.com:389 or ldap://10.10.10.1:389.

      For LDAP over SSL (LDAPS), you must use the domain name, and the URL must begin with ldaps://. Example URL: ldaps://corpldap.abc.com:636.

      Note: If you are unable to connect to your LDAPS server by using the host name, add the IP address and host name of the LDAPS server in your local DNS. The LDAPS server host name must be resolvable from your master node.
    LDAP filters

    Enter connection information.

    • Group filter: The filter clause for searching groups. From foundational services version 3.23 and later, IM supports all special characters, but the following are the validated and tested special characters: white space, = ; . , & % () {} <> | !
    • Group ID map: The filter that maps a group name to an LDAP entry. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, * : = ; . , & % () {}
    • Group member ID map: The filter that maps a user to a group. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, * : = ; . , & % () {}
    • User filter: The filter clause for searching users. From foundational services version 3.23 and later, IM supports all special characters, but the following are the validated and tested special characters: white space, = ; . , & % () {} <> | !
    • User ID map: The filter that maps a username to an LDAP entry. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, * : = ; . , & % () {}
  5. Click Create.
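The DN rules from the note in step 4 (case-sensitive, space-exact, full DN path) together with the format limits for the connection name, Base DN and Bind DN, as a local pre-flight check to run before you click Test connection. This is an added example, not IBM's code; the server-configured DN values it compares against are constructed, and the directory server remains the authority on what it accepts.

```python
import re

# Character and length rules as the page states them (constructed pre-check only).
CONNECTION_NAME_RE = re.compile(r"^[A-Za-z0-9]{3,30}$")
BASE_DN_RE = re.compile(r"^[A-Za-z0-9=.,\-]{1,255}$")
BIND_DN_RE = re.compile(r"^[A-Za-z0-9 =.,\-:@()_\\]{0,255}$")


def format_ok(value, pattern):
    """True if the value satisfies the page's length and character rules."""
    return pattern.fullmatch(value) is not None


def rdns(dn):
    """Split a DN on unescaped commas, stripping whitespace around each RDN."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]


def _norm(s):
    return s.replace(" ", "").casefold()


def diagnose(value, expected):
    """Compare a DN typed into the console with the DN exactly as configured on the
    LDAP server; return "ok" or the reason it would be rejected (mirrors the page)."""
    if value == expected:
        return "ok"
    if _norm(value) == _norm(expected):
        problems = []
        if value.casefold() != expected.casefold():       # still differs ignoring case
            problems.append("whitespace")
        if value.replace(" ", "") != expected.replace(" ", ""):  # still differs ignoring spaces
            problems.append("case")
        return ", ".join(problems) + " must match the server-configured DN exactly"
    got = [_norm(r) for r in rdns(value)]
    missing = [r for r in rdns(expected) if _norm(r) not in got]
    if missing:
        return "missing RDN: " + ",".join(missing)
    return "does not match the server-configured DN"


def validate_connection(name, base_dn, bind_dn, server_base_dn, server_bind_dn):
    """Run all pre-checks; returns field -> "ok" or a reason string."""
    results = {
        "connection_name": "ok" if format_ok(name, CONNECTION_NAME_RE) else "must be 3-30 alphanumeric characters",
        "base_dn": "ok" if format_ok(base_dn, BASE_DN_RE) else "disallowed character or length (no white space)",
        "bind_dn": "ok" if format_ok(bind_dn, BIND_DN_RE) else "disallowed character or length",
    }
    for field, value, expected in (("base_dn", base_dn, server_base_dn), ("bind_dn", bind_dn, server_bind_dn)):
        if results[field] == "ok" and value:   # an empty Bind DN means an unauthenticated bind
            results[field] = diagnose(value, expected)
    return results
```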

Your cluster is now connected with your CPFS LDAP directory. Next, refer to Granting access to your Concert instance (OCP).