Connecting to your LDAP server
Required permissions
To configure the connection to your LDAP server, you must have one of the following permissions:
- Administer platform
- Configure authentication
You can configure a connection to your LDAP server from the User management page.
- Log in to the Cloud Pak for Data web client.
- From the menu, click .
- Click Configure LDAP.
- In the LDAP server information section, provide the following information about your LDAP server:
  - LDAP protocol: If you are connecting to a secure port on your LDAP server, select ldaps://. If you are connecting to an unsecured port on your LDAP server, select ldap://. With ldap://, the bind credentials (including the Domain search password) and all directory data cross the network in cleartext, so use ldaps:// for anything other than an isolated test environment.
  - LDAP hostname: Enter the host name of the LDAP server.
  - LDAP port: Enter the port that you are connecting to. The standard ports are 389 for ldap and 636 for ldaps.
  - User search base: Enter the point in the LDAP tree from which users are searched.
  - User search field: Enter the LDAP attribute that is used to identify users. For example, cn, uid, or sAMAccountName. If you plan to use LDAP and a SAML identity provider, ensure that you use the same attribute to identify users. This field should have the same value as the fieldToAuthenticate parameter in your SSO configuration.
  - Domain search user: If your LDAP server requires authentication to perform lookups, enter the username of a user that can perform lookups on the LDAP server. Use a dedicated account that has read-only access to the user and group search bases rather than an administrative account.
  - Domain search password: If you specified a Domain search user, specify the password for this user.
- If you want to add LDAP groups to user groups, select Use LDAP group and provide the following information about your LDAP server:
  - Group search base: Enter the point in the LDAP tree from which groups are searched.
  - Group search field: Enter the LDAP attribute that is used to identify groups. For example, cn.
- If you want to use the LDAP server to manage access to the platform, provide the LDAP attributes that map to the following values:
  - First name: Enter the LDAP attribute that is used to identify a user's given name. For example, givenName.
  - Last name: Enter the LDAP attribute that is used to identify a user's surname. For example, sn.
  - Email: Enter the LDAP attribute that is used to identify a user's email address. For example, mail.
  - Group membership: If you selected Use LDAP group, enter the LDAP attribute that identifies all of the LDAP groups that a user is a member of. For example, memberOf.
  - Group member field: If you selected Use LDAP group, enter the LDAP attribute that identifies all of the members of a given group. For example, member.
  If you use Microsoft Active Directory and you want to enable the nested groups search, append the matching rule OID :1.2.840.113556.1.4.1941: (LDAP_MATCHING_RULE_IN_CHAIN) to the LDAP attribute. For example: memberOf:1.2.840.113556.1.4.1941:
  Important: If you use nested group search in Microsoft Active Directory, you must disable the default LDAP sync on log in option and enable the periodic sync job. For details, see Syncing Cloud Pak for Data with your LDAP server.
- To verify that you can connect to your LDAP server, enter the following information in the Test connection section:
  - Username: Enter the username of a user that exists in either the user search base or the group search base.
  - Password: Enter the password for the specified user. Note: These credentials are not saved.
- Click Test connection.
- After you verify that you can connect to your LDAP server, click Save.
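The following added example (not Cloud Pak for Data's own code; the page does not publish how the platform builds its queries) shows the standard shape of the lookups that the fields above imply: the user lookup driven by User search field, the group lookup driven by Group member field with and without the Active Directory nested-groups OID, and an ldapsearch line equivalent to the Test connection step. The LdapConfig class, the host ad.example.com, the DNs and the service account are constructed for illustration. The security point it makes is that whatever a user types at login must be escaped before it is placed in a search filter, otherwise a name like *)(uid=* rewrites the filter.

```python
"""Lookups implied by the Configure LDAP fields (added illustration).

This is not Cloud Pak for Data's own code: the page does not publish how the
platform builds its queries. It shows the standard shape of the lookups the
fields imply, and why a login name must be escaped before it is placed in a
search filter. Hostnames, DNs and the LdapConfig class are constructed here.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple
import shlex

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, the OID the page has you
# append to the attribute name ("memberOf:1.2.840.113556.1.4.1941:").
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


@dataclass
class LdapConfig:
    """The fields from the Configure LDAP page (hypothetical container)."""
    protocol: str              # "ldap://" or "ldaps://"
    hostname: str
    port: int
    user_search_base: str
    user_search_field: str     # cn, uid or sAMAccountName
    group_search_base: str
    group_search_field: str    # usually cn
    group_member_field: str    # member, or member:<OID>: for nested groups
    domain_search_user: Optional[str] = None


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter.

    Without it a login name such as "*)(uid=*" rewrites the user lookup
    filter (LDAP filter injection) instead of matching one entry.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def split_matching_rule(field: str) -> Tuple[str, Optional[str]]:
    """Split the page's "attr:OID:" notation into (attr, OID)."""
    if field.endswith(":") and field.count(":") == 2:
        attr, oid, _ = field.split(":")
        return attr, oid
    return field, None


def user_lookup_filter(cfg: LdapConfig, username: str) -> str:
    """Filter for the entry with the given login name under the user search base."""
    return "(%s=%s)" % (cfg.user_search_field, escape_filter_value(username))


def group_lookup_filter(cfg: LdapConfig, user_dn: str) -> str:
    """Filter for the groups a user belongs to, under the group search base.

    With the matching rule in chain, Active Directory expands nested
    membership on the server, so no client-side recursion over memberOf
    is needed once the OID is configured.
    """
    attr, oid = split_matching_rule(cfg.group_member_field)
    lhs = attr if oid is None else "%s:%s:" % (attr, oid)
    return "(%s=%s)" % (lhs, escape_filter_value(user_dn))


def ldapsearch_command(cfg: LdapConfig, username: str,
                       attrs: Sequence[str] = ("givenName", "sn", "mail")) -> str:
    """OpenLDAP ldapsearch line equivalent to the Test connection step.

    -W prompts for the bind password so it never appears in the process
    list or shell history; -x selects a simple bind.
    """
    url = "%s%s:%d" % (cfg.protocol, cfg.hostname, cfg.port)
    args = ["ldapsearch", "-x", "-H", url]
    if cfg.domain_search_user:
        args += ["-D", cfg.domain_search_user, "-W"]
    args += ["-b", cfg.user_search_base, "-s", "sub",
             user_lookup_filter(cfg, username), *attrs]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed Active Directory example with nested groups enabled.
    cfg = LdapConfig(
        protocol="ldaps://", hostname="ad.example.com", port=636,
        user_search_base="OU=Users,DC=example,DC=com",
        user_search_field="sAMAccountName",
        group_search_base="OU=Groups,DC=example,DC=com",
        group_search_field="cn",
        group_member_field="member:%s:" % MATCHING_RULE_IN_CHAIN,
        domain_search_user="CN=cpd-lookup,OU=Service,DC=example,DC=com",
    )
    print(user_lookup_filter(cfg, "jdoe"))
    print(user_lookup_filter(cfg, "*)(sAMAccountName=*"))   # neutralised
    print(group_lookup_filter(cfg, "CN=Doe\\, Jane,OU=Users,DC=example,DC=com"))
    print(ldapsearch_command(cfg, "jdoe"))
```

Running the script against a real directory is not required; pasting the printed ldapsearch line into a shell on a host with the OpenLDAP client tools reproduces the Test connection step independently of the web client, which is useful when the UI test fails and you need to tell a network, TLS or credential problem apart from a wrong search base.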
Syncing Cloud Pak for Data with your LDAP server
- Sync on log in
- This option is available only if you have one of the following versions of Cloud Pak for Data installed:
- Version 3.5.1 patch 2 or later patches
- Version 3.5.2 patch 1 or later patches
- Version 3.5.3 or later refreshes
When you install any of the preceding versions of Cloud Pak for Data, this becomes the default sync method.
When this method is used, the platform syncs each user's data when the user logs in to Cloud Pak for Data:
- The first time that a user logs in to Cloud Pak for Data, the platform creates a user profile and assigns the user to the correct user groups based on their LDAP group membership.
- If the user has logged in before, the platform updates the user's group membership based on their current LDAP group membership.
Because the sync happens at login, a change to a user's LDAP groups takes effect the next time that user logs in, not immediately.
This is the recommended method for most environments. If you want to continue using this method, no additional action is required.
- Periodic sync job (default in Version 3.5.1 and Version 3.5.2)
- This is the default option if you have one of the following versions of Cloud Pak for Data installed:
- Version 3.5.1
- Version 3.5.1 patch 1
- Version 3.5.2
This option is required if you use nested groups in Microsoft Active Directory. However, this method can cause significant overhead for Cloud Pak for Data instances that have large LDAP groups.
If you want to use this method:
- Log in to Red Hat® OpenShift® Container Platform as a project administrator:

    oc login OpenShift_URL:port

- Disable sync on log in (LDAP_SYNC_ON_LOGIN) by running the following command:

    oc patch configmap product-configmap \
      --namespace <cpd-instance> \
      --patch '{"data": {"LDAP_SYNC_ON_LOGIN" : "false"}}'

- Delete the usermgmt pods so that they are re-created with the new setting:

    oc delete pod \
      --namespace <cpd-instance> \
      -l component=usermgmt

- Enable the periodic sync job:

    oc patch cj usermgmt-ldap-sync-cron-job \
      --namespace <cpd-instance> \
      --patch '{"spec": {"suspend": false}}'

After the last command, the cron job should no longer be listed as suspended, and users whose nested group membership changes in Active Directory are updated at the next run of the job rather than at login.