Configuring an external LDAP server for platform authentication

The appliance administrator can use a NodeOS utility on the appliance to configure an external LDAP server for platform user authentication.

Before you begin

Before configuring external LDAP in the appliance, gather the following information:
  - Host name and port of the LDAP server. For example: myserver.com and 389
    Important: Make sure that the host of the LDAP server is pingable from all IAS nodes.
  - Distinguished Name/Domain Name (dn) of the LDAP directory. For example: myldaporg.com
  - Bind user information: the user ID and password of the LDAP domain user that has access to query all user and group information. For example: myuseradmin and myadminpasswd
In addition, decide whether to connect to the LDAP server with SSL (ldaps) or TLS (starttls). If either method is chosen, fetch the CA certificate of your LDAP domain; the appliance uses it to validate the server when it encrypts communication with the external LDAP server. For example: myca-cert.pem

Procedure

  1. Log in to the first (node0101) or second (node0102) node of IAS as apuser or as another member of the ibmapadmin OS group.
  2. If you are using the SSL ldaps or starttls method, use the scp command to copy the CA certificate from your external machine into the appliance and place it in the /tmp directory.
  3. If you are using the default SSL none method, run the ap_external_ldap.pl utility with the following arguments:
    ap_external_ldap.pl enable
       --host myserver.com --port 389 --search-base-dn "dc=myldaporg,dc=com"
       --searcher-dn "cn=myuseradmin,dc=myldaporg,dc=com" --searcher-password "myadminpasswd"
    If you want to use the SSL ldaps method, run the ap_external_ldap.pl utility with the following arguments. Make sure you specify the SSL port of your LDAP server in the port option (for example: 636):
    ap_external_ldap.pl enable
       --host myserver.com --port 636 --search-base-dn "dc=myldaporg,dc=com"
       --searcher-dn "cn=myuseradmin,dc=myldaporg,dc=com" --searcher-password "myadminpasswd"
       --ssl-method ldaps --ca-cert /tmp/myca-cert.pem
    If you want to use the SSL starttls method, run the ap_external_ldap.pl utility with the following arguments. Make sure you specify the port on which your LDAP server accepts the StartTLS upgrade in the port option (for example: 389):
    ap_external_ldap.pl enable
       --host myserver.com --port 389 --search-base-dn "dc=myldaporg,dc=com"
       --searcher-dn "cn=myuseradmin,dc=myldaporg,dc=com" --searcher-password "myadminpasswd"
       --ssl-method starttls --ca-cert /tmp/myca-cert.pem
  4. Once the command runs successfully, verify your settings by using the id command.
    For example, if user1 is a user ID in your LDAP directory, the following command returns the ID and group information of that user:
    id user1
  5. Before users from your external LDAP server can log in to IAS, each user from the directory must be added to one of the OS groups of the appliance (if not already a member of one):
    ap_external_ldap.pl usermod --group ibmapadmin|ibmapusers|none username
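The following preflight script is an added example, not part of the appliance or of ap_external_ldap.pl: check_args() applies the consistency rules of the procedure above to a planned set of arguments (CA certificate present for ldaps/starttls, port matching the chosen method, no stray whitespace in the certificate path, searcher DN under the search base), and probe_tls() verifies, before the utility is run, that the CA certificate actually validates the LDAP server on an ldaps port. All function names are invented here.

```python
"""Preflight checks for a planned ap_external_ldap.pl invocation (added example, not IBM's tool)."""
import socket
import ssl


def base_dn_from_domain(domain: str) -> str:
    """Map an LDAP domain such as myldaporg.com to the --search-base-dn form dc=myldaporg,dc=com."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))


def check_args(host: str, port: int, base_dn: str, searcher_dn: str,
               ssl_method: str = "none", ca_cert: str = "") -> list:
    """Return a list of problems with the argument set; an empty list means it is consistent."""
    problems = []
    if not host or not (1 <= port <= 65535):
        problems.append("--host and --port must be set (port 1-65535)")
    if ssl_method not in ("none", "ldaps", "starttls"):
        problems.append(f"unknown --ssl-method {ssl_method!r}; use none, ldaps or starttls")
    if ssl_method != "none" and not ca_cert:
        problems.append("--ca-cert is required with --ssl-method ldaps or starttls")
    if ssl_method == "ldaps" and port == 389:
        problems.append("ldaps uses the dedicated TLS port (for example 636), not the plain port 389")
    if ssl_method == "starttls" and port == 636:
        problems.append("starttls upgrades a plain LDAP session; use the plain port (for example 389)")
    if ca_cert and any(c.isspace() for c in ca_cert):
        problems.append("--ca-cert path contains whitespace (for example '/tmp/ myca-cert.pem')")
    # The bind user must live inside the subtree the appliance will search.
    if not searcher_dn.lower().replace(" ", "").endswith(base_dn.lower().replace(" ", "")):
        problems.append("--searcher-dn is not located under --search-base-dn")
    return problems


def probe_tls(host: str, port: int, ca_cert: str, timeout: float = 5.0) -> dict:
    """Connect to an ldaps port, validate the server certificate against ca_cert and the host
    name, and return the verified certificate's subject. Raises ssl.SSLError (untrusted chain,
    name mismatch) or OSError (host/port unreachable). starttls cannot be checked this way;
    use ldapsearch -ZZ against the plain port instead."""
    ctx = ssl.create_default_context(cafile=ca_cert)  # fails early if the PEM is unreadable
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])


if __name__ == "__main__":
    # Constructed sample values taken from the procedure above.
    problems = check_args("myserver.com", 636, base_dn_from_domain("myldaporg.com"),
                          "cn=myuseradmin,dc=myldaporg,dc=com", "ldaps", "/tmp/myca-cert.pem")
    print("argument check:", problems or "ok")
```

Run probe_tls("myserver.com", 636, "/tmp/myca-cert.pem") from the node that will hold the certificate; a chain or host-name failure here is the same one the appliance would hit after enable, so it is cheaper to find it first.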

Results

Integrated Analytics System is now configured to use your organization's LDAP directory. Any valid user of your directory can log in to any of the nodes of the appliance using SSH. You can now remove the certificate that you may have uploaded into the /tmp directory of IAS.