Enabling LDAP user authentication on the management node

Enable LDAP user authentication to use the LDAP user base for user authentication in IBM® Spectrum Cluster Foundation.
Note: For a high availability environment, an LDAP client must be enabled on both the primary management node and the secondary management node. If you have a high availability environment set up, make sure to complete the following steps on both management nodes.

Before you begin

Procedure

  1. Log in to the management node as root.
  2. Source the environment:
    source /opt/pcm/bin/pcmenv.sh
  3. Run the LDAP client installation script.
    pcmadmin system ldap --enable
    Note: The LDAP client installation script can also be run silently using the pcmadmin system ldap -f silent-ldap-config --enable command. Refer to pcmadmin for examples on how to specify your settings in the silent-ldap-config file.
  4. Specify LDAP parameters:
    1. Specify the URL of the LDAP server in the format ldap://LDAP_server_host:389, where LDAP_server_host can be either the LDAP server host name or IP address. For example:
      ldap://192.0.2.1:389
    2. Type the base domain where users and groups are retrieved from the LDAP server. For example:
      dc=example,dc=com
    3. Type the DN (distinguished name) of the LDAP user who was created in step 1 of Configuring an existing LDAP server for IBM Spectrum Cluster Foundation. IBM Spectrum Cluster Foundation uses this user to access the LDAP server to retrieve users and groups. For example:
      uid=Admin,ou=user,dc=admin,dc=ibm,dc=com
    4. Type the password for the mapped user.
  5. Determine whether to configure the management node as a login node. If the management node is configured as a login node, all configured LDAP users are able to SSH to the management node.
  6. Start all of the Web Portal services.
    pcmadmin service start --service PCMD
    pcmadmin service start --service WEBGUI
  7. Log in to the Web Portal as root.
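The values that step 4 asks for (LDAP URL, base DN, bind DN and password) can be checked before the enable step is run. The following shell script is an added example; it is not part of IBM Spectrum Cluster Foundation or its pcmadmin tool. It assumes the OpenLDAP client tool ldapsearch is installed on the management node, and the host, DNs and password-file path used here are constructed sample values. It validates the URL and DN syntax, performs a test bind as the mapped user, and warns when the URL is plain ldap:// (the form this page prescribes), because a simple bind over that transport sends the mapped user's password in clear text unless the server negotiates STARTTLS; whether pcmadmin accepts an ldaps:// URL is not stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for the LDAP parameters requested in step 4.
# Not part of IBM Spectrum Cluster Foundation. Assumes ldapsearch (OpenLDAP
# client tools) is installed; all sample values are constructed.

# Returns 0 when the URL has the ldap://host:port form expected in step 4.1
# (the port is optional; ldaps:// is also accepted by this check).
validate_ldap_url() {
    printf '%s\n' "$1" | grep -Eq '^ldaps?://[A-Za-z0-9._-]+(:[0-9]{1,5})?$'
}

# Returns 0 when the string looks like a distinguished name: one or more
# attr=value pairs separated by commas, e.g. "dc=example,dc=com" or
# "uid=Admin,ou=user,dc=admin,dc=ibm,dc=com".
validate_dn() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$'
}

# Returns 0 only for ldaps:// URLs. A plain ldap:// simple bind transmits the
# mapped user's password in clear text unless STARTTLS is negotiated.
is_tls_url() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Syntax checks followed by a base-scope search bound as the mapped user.
# Arguments: URL, base DN, bind DN, path of a file holding the bind password.
# Needs network access to the LDAP server for the final step; the syntax
# checks fail fast without contacting anything.
ldap_bind_check() {
    url=$1; base=$2; binddn=$3; pwfile=$4
    validate_ldap_url "$url" || { echo "bad LDAP URL: $url" >&2; return 1; }
    validate_dn "$base"      || { echo "bad base DN: $base" >&2; return 1; }
    validate_dn "$binddn"    || { echo "bad bind DN: $binddn" >&2; return 1; }
    is_tls_url "$url" || echo "warning: $url is not ldaps://; the bind password travels in clear text" >&2
    # -y reads the password from a file so it never shows up in the process list.
    ldapsearch -x -H "$url" -D "$binddn" -y "$pwfile" -b "$base" -s base -LLL dn >/dev/null
}
```

Run it on the management node before step 3 as, for example, `ldap_bind_check ldap://192.0.2.1:389 dc=example,dc=com 'uid=Admin,ou=user,dc=admin,dc=ibm,dc=com' /root/ldap-bind.pw` (the password file path is a constructed placeholder); a zero exit status means the mapped user can bind and read the base entry, so the same values can be typed into the pcmadmin prompts.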

Results

Once the LDAP client is successfully installed on the management node, LDAP users can ssh into any compute nodes that are provisioned from that point on. To ssh into compute nodes that were provisioned before LDAP was enabled, complete one of the following actions:
  • From the Web Portal, reboot or reinstall the nodes.
  • From the command line, use the updatenode command.
In IBM Spectrum Cluster Foundation, any nodes that were in a cluster before you enabled LDAP cannot be accessed by an LDAP user. These nodes are only accessible to local operating system users. After you enable LDAP, all clusters must be re-created to be accessible to LDAP users. To re-create clusters, complete the following actions:
  1. Remove all existing clusters.
  2. Set all existing cluster templates to unpublished, and then publish the cluster templates again.
  3. Create the clusters again.
If for any reason an existing cluster cannot be removed, then the following is true:
  • LDAP users cannot access any server that is part of an existing cluster (a cluster that existed before LDAP was enabled).
  • LDAP users cannot access any new servers added to an existing cluster (a cluster that existed before LDAP was enabled).

In cases where an existing cluster cannot be removed, but you want LDAP users to have access to a cluster that uses the same template, you can re-create the cluster by copying the cluster template and republishing it.

What to do next