Configuring LDAP authentication

You can configure your Lightweight Directory Access Protocol (LDAP) connection to use the service that provides authentication, role-based access control, and user management for IBM Security QRadar® Suite Software.

Before you begin

Understand the information in Users and accounts and in User access, roles, and permissions.

Before installation, you select a value for the initial user of QRadar Suite Software that is set in the adminUser parameter.

The initial user and all other users that you are planning to add to QRadar Suite Software must have an email address in the LDAP directory. The email address must be stored in the mail attribute. If you add a user with no email address, the user might experience issues when they try to access QRadar Suite Software applications.

Warning: Do not add a user with the username admin to your identity provider, as that might cause issues with other services on your cluster.
Warning: Any user ID value that is used in QRadar Suite Software must be uniquely defined in only one of the connected identity providers. This restriction applies to the initial administrator and to any other user ID that is added to accounts later. If a duplicate user ID is encountered, QRadar Suite Software does not start correctly, and no users can access the system.

QRadar Suite Software uses the Identity and Access Management service of IBM Cloud Pak® foundational services. When your LDAP connection is configured, you can select users from your corporate enterprise environment and add them as QRadar Suite Software users.

As an alternative to the following procedure, you can use the deploy_openldap action to quickly provide authentication capabilities for QRadar Suite Software. For more information, see Deploying OpenLDAP.

Important: The OpenLDAP deployment action is intended only for demonstration purposes in a test environment and is not supported for use in a production environment.

About this task

To access the configuration of an LDAP connection to QRadar Suite Software, retrieve your login credentials for foundational services.

Retrieving the login credentials for foundational services

Before you configure your connection, you need the credentials for IBM Cloud Pak foundational services.

Before you begin

  • The Red Hat OpenShift CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.

    1. Download Red Hat OpenShift CLI 4.10 or later from https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.10/. The file to download is called openshift-client-<platform>-<version>.tar.gz.
    2. Extract the binary file that you downloaded by typing the following command, where <oc_cli_archive_file> is the name of the archive file that you downloaded.
      tar -xf <oc_cli_archive_file>
    3. Modify the permissions of the binary file by typing the following command, where <oc_cli_binary> is the name of the Red Hat OpenShift binary that you extracted from the archive.
      chmod 755 <oc_cli_binary>
    4. Move the binary file to the /usr/local/bin directory by typing the following command.
      mv <oc_cli_binary> /usr/local/bin/oc
      Tip: If this command returns a No such file or directory or Not a directory error message, create the /usr/local/bin directory by typing the following command.
      sudo mkdir /usr/local/bin
    5. Ensure that the Red Hat OpenShift CLI client is working by typing the following command.
      oc version
      Tip: MacOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the oc version command.
    1. Download Cloud Pak CLI from https://github.com/IBM/cloud-pak-cli/releases.
    2. Extract the binary file that you downloaded by typing the following command, where <archive_file> is the name of the archive file that you downloaded.
      tar -xf <archive_file>
    3. Modify the permissions of the binary file by typing the following command, where <binary_file> is the name of the Cloud Pak binary file that you extracted from the archive.
      chmod 755 <binary_file>
    4. Move the binary file to the /usr/local/bin directory by typing the following command.
      mv <binary_file> /usr/local/bin/cloudctl
    5. Ensure that Cloud Pak CLI is working by typing the following command.
      cloudctl version
      Tip: MacOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the cloudctl version command.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster by using either of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <username> -p <password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software. 
    export CP4S_NAMESPACE=<cp4s_namespace>
  3. Set the $FS_NAMESPACE environment variable to your foundational services namespace by typing the following command. 
    export FS_NAMESPACE=$(oc get cm cp4s-config -o jsonpath="{.data.CSNamespace}" -n $CP4S_NAMESPACE)
  4. To export the foundational services cluster URL, run the following command: 
    export FOUNDATIONAL_SERVICES_URL=https://$(oc get route cp-console -n $FS_NAMESPACE -o jsonpath='{.spec.host}')
  5. To retrieve the admin username of the foundational services cluster, run the following command. 
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $FS_NAMESPACE | base64 -d | awk '{print $1}'
  6. To retrieve the foundational services cluster admin password, run the following command: 
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $FS_NAMESPACE | base64 -d | awk '{print $1}'
  7. Test logging in to the cluster using cloudctl by running the following command: 
    cloudctl login -a $FOUNDATIONAL_SERVICES_URL -u <username> -p <password> -n $CP4S_NAMESPACE

Configuring your LDAP connection

Configure and connect an LDAP directory by accessing the foundational services cluster console.

Procedure

  1. Log in to the foundational services admin console. Use the credentials obtained in the previous procedure.
  2. Configure and connect an LDAP directory through Admin Hub in your foundational services cluster.

    For more information, see the foundational services documentation Configuring an LDAP connection link to content that is hosted outside of the IBM Documentation collection, opens in a new tab.

What to do next

Verify the LDAP connection as the initial identity provider by logging in as the initial user to QRadar Suite Software.

Any subsequent LDAP connection that you configure can be verified by assigning it to a QRadar Suite Software account and adding users that exist in the LDAP directory.