Preparing the Content Cortex Platform directory server

You set up and configure a directory server to provide the authentication repository for your Content Cortex Platform container environment. This task applies only when you are preparing to deploy containers as part of a new Content Cortex domain.

About this task

Check the IBM Software Product Compatibility Report for the appropriate versions of supporting software.

This procedure assumes that you have installed and prepared a directory service provider that can be used by your container environment.
Note:
  • At least one of the directory service repositories that are used with the Content Cortex domain must support groups as well as users.
  • IBM Virtual Member Manager is not supported for container environments.

When you prepare your environment, record the settings so that these values are available to enter into the custom resource YAML file for deployment and configuration. For lists of the parameters that you need to collect, see Configuration reference.

LDAP

Lightweight Directory Access Protocol (LDAP) is the protocol that clients use to query and update a directory server and to authenticate (bind) against it. In a Content Cortex domain, the directory server holds the users and groups that are allowed to access the domain, and the group memberships that are defined there are what the domain uses to assign permissions to those users. For more information, see Directory servers.

Identity provider

In a container environment you can also use an external OIDC/OAuth identity provider to manage authentication, in the following two scenarios:

Internal users of your content repository
For internal users, you configure a managed user realm and set identity rules that govern which sets of users have access to your domain, based on email suffix or address. This configuration applies both with and without an external share configuration. Even when an identity provider authenticates internal users, a basic LDAP service is still required for the default configuration and for administrator access to the domain.
External users with whom you want to share limited access to items in your content repository
For external users, you configure an authentication realm that manages those users. You can combine external share OIDC/OAuth user authentication with traditional LDAP user management for internal users, or use an identity provider for both internal and external users. If you want to use LDAP authentication for both internal and external users, see Configuring the external user LDAP realm.
Important: With an identity provider, users are registered by email address. Each email address must be unique across all managed users, and it must not collide with the short name of any LDAP user or group. Configuration settings called identity rules restrict which email addresses can be registered as managed users and control which users can register themselves.
Internal user provisioning with an identity provider
You can use an identity provider to provision and manage your users. For details, see Identity provider configuration parameters.
Multiple LDAP support
You can specify multiple LDAP providers for a container deployment. The initialization service configures only one LDAP provider; you add further providers manually in the multi LDAP section of the custom resource file.
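The group-support note above and the uniqueness rule for managed-user email addresses are both things you can verify before you fill in the custom resource. The following Python script is an added example, not code from this documentation or from the product: it runs offline over a constructed LDIF export, checks that the directory holds groups as well as users, applies identity rules of the "email suffix or exact address" kind, and flags any candidate address that duplicates another managed user or collides with an LDAP short name. The attributes treated as short names (uid, cn, sAMAccountName), the object classes used to classify entries, and the rule format are assumptions made for illustration.

```python
"""Offline pre-checks for the directory settings described above.

Added example, not code from the product documentation. SAMPLE_LDIF is a
constructed export; the short-name attributes, object classes and identity
rule format below are assumptions made for illustration.
"""
import re

# Constructed sample export of the directory (not a real directory).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
mail: jdoe@example.com

# A service account whose uid was set to its mail address: a managed user
# who registers with that address would collide with it.
dn: uid=svc.scan@example.com,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: svc.scan@example.com
cn: Scanner Service

dn: cn=content-admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: content-admins
member: uid=jdoe,ou=people,dc=example,dc=com
"""

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "posixgroup", "group"}
USER_CLASSES = {"inetorgperson", "person", "user", "posixaccount"}
SHORT_NAME_ATTRS = ("uid", "cn", "samaccountname")  # assumed short-name attributes
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_ldif(text):
    """Minimal LDIF reader: each entry becomes a dict of lowercase attribute -> values.
    Handles folded lines (leading space) and '#' comments; base64 values ('::')
    and change records are out of scope."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def entry_kind(entry):
    """Classify an entry as 'group', 'user' or None by its object classes."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if classes & GROUP_CLASSES:
        return "group"
    if classes & USER_CLASSES:
        return "user"
    return None


def supports_groups(entries):
    """Repository-level check: the directory must hold groups, not only users."""
    return any(entry_kind(e) == "group" for e in entries)


def short_names(entries):
    """Lowercased short names of every user and group, mapped to the entry kind."""
    names = {}
    for e in entries:
        kind = entry_kind(e)
        if kind is None:
            continue
        for attr in SHORT_NAME_ATTRS:
            for value in e.get(attr, []):
                names.setdefault(value.lower(), kind)
    return names


def email_allowed(email, rules):
    """Identity rule check. A rule that starts with '@' admits every address with
    that suffix; any other rule admits exactly that address (case-insensitive)."""
    addr = email.lower()
    for rule in rules:
        r = rule.lower()
        if r.startswith("@"):
            if addr.endswith(r) and len(addr) > len(r):
                return True
        elif addr == r:
            return True
    return False


def check_managed_users(emails, rules, entries):
    """Return {email: [problems]}; an empty list means the address can be registered."""
    names = short_names(entries)
    seen, report = set(), {}
    for email in emails:
        addr = email.strip().lower()
        if not EMAIL_RE.match(addr):
            report[email] = ["not a valid email address"]
            continue
        problems = []
        if addr in seen:
            problems.append("duplicate managed-user address")
        seen.add(addr)
        if not email_allowed(addr, rules):
            problems.append("rejected by identity rules")
        if addr in names:
            problems.append(f"collides with LDAP {names[addr]} short name")
        report[email] = problems
    return report


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("groups supported:", supports_groups(directory))
    candidates = ["jdoe@example.com", "JDOE@example.com", "svc.scan@example.com",
                  "bob@partner.org", "alice@contractor.net"]
    rules = ["@example.com", "alice@contractor.net"]
    for email, problems in check_managed_users(candidates, rules, directory).items():
        print(f"{email}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against an LDIF export of each repository you plan to list in the custom resource; a repository with no group entries cannot be the one that satisfies the groups-as-well-as-users requirement, and any address that collides with a short name must be renamed on one side before the managed user is registered.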

Procedure

To prepare your directory server:

Follow the steps for your directory server type:

Directory server type                      | Configuration steps
IBM Security Verify Directory              | Configure IBM Security Verify Directory
Windows Active Directory                   | Configure Windows Active Directory
Oracle Directory Server Enterprise Edition | Configure Oracle Directory Server Enterprise Edition
Oracle Internet Directory                  | Configure Oracle Internet Directory
Oracle Unified Directory                   | Configure Oracle Unified Directory
Novell eDirectory                          | Configure Novell eDirectory
CA eTrust                                  | Configuring CA Directory
SCIM                                       | Configuring SCIM Directory

For details on the users and groups that you need to create, see Creating Content Platform Engine directory server accounts.