Integrating with the IAM Service

By default, IBM® Cloud Pak for Data stores user records in an internal repository database. It is strongly recommended that you instead delegate authentication to an enterprise identity solution, such as single sign-on (SSO) or LDAP, so that credentials and account lifecycle are managed centrally rather than in the platform's own database.

If you use LDAP, you can choose between the following options:

Mechanism: LDAP integration provided by Cloud Pak for Data
  Benefits:
    • You can use LDAP with or without SAML SSO.
    • You can choose the level of integration with the LDAP server. You can use LDAP to:
      • Validate users' credentials
      • Manage access to the platform
  Drawbacks:
    • You can connect to a single LDAP server from each instance of Cloud Pak for Data.
    • The LDAP configuration cannot be shared across Cloud Pak for Data instances or used by any other IBM Cloud Paks on the cluster.

Mechanism: LDAP integration provided by the Identity and Access Management Service (IAM Service) in IBM Cloud Pak® foundational services
  Benefits:
    • You can connect to multiple LDAP servers, and the connections can be used by multiple instances of Cloud Pak for Data or other IBM Cloud Paks on the cluster.
  Drawbacks:
    • Do not use this method if you have multiple LDAP servers that must be isolated from each other. For example, you maintain two instances of Cloud Pak for Data for different groups of users. Each group of users is managed by a different LDAP server, and you don't want the users to be able to see information about users in the other LDAP server. Because the IAM Service is shared across the cluster, it cannot provide that isolation.

To use the LDAP integration provided by Cloud Pak for Data, see Connecting to your identity provider.

Permissions you need for this task
You must be either:
  • A cluster administrator
  • An administrator of the following projects:
    • The project where IBM Cloud Pak foundational services is installed (ibm-common-services)
    • The project where the IBM Cloud Pak for Data platform operator is installed (either ibm-common-services or cpd-operators)
    • The project where Cloud Pak for Data is installed
When you need to complete this task
If you want to use the LDAP integration provided by the IAM Service, you must integrate Cloud Pak for Data with the IAM Service before you onboard users or create user groups.

When you integrate with the IAM Service, you delegate all authentication to the IAM Service. If you onboard users before you integrate with the IAM Service, existing users might not be able to log in to Cloud Pak for Data.

About this task

Important: Integrating with the IAM Service is irreversible through the product: there is no setting that turns the integration off again once it has been enabled.

If you need to return Cloud Pak for Data to its previous state, contact IBM Software support.

Procedure

  1. Log in to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to complete the task:
    oc login OpenShift_URL:port
  2. Modify the Ibmcpd custom resource to add the iamIntegration: true entry:
    1. Run the following command to get the name of the platform custom resource:
      oc get Ibmcpd -n Cloud-Pak-for-Data-project

      By default, the custom resource name is ibmcpd-cr.

    2. Run the following command to edit the platform custom resource (specify the project so that the command does not depend on your current project):
      oc edit Ibmcpd ibmcpd-cr -n Cloud-Pak-for-Data-project
    3. Add the iamIntegration: true entry to the custom resource:
      apiVersion: cpd.ibm.com/v1
      kind: Ibmcpd
      metadata:
        name: ibmcpd-cr
        namespace: cpd-instance     # The project where Cloud Pak for Data is installed
      spec:
        csNamespace: ibm-common-services
        version: 4.0.0
        license:
          accept: true
          license: Enterprise
        storageClass: RWX-storage-class     # The RWX storage class you specified during installation
        zenCoreMetadbStorageClass: RWO-storage-class     # The RWO storage class you specified during installation
        cloudpakfordata: true 
        iamIntegration: true
      Note: In the preceding example, the cluster uses custom storage class names. Your custom resource file might use the storageVendor setting instead of the storageClass and zenCoreMetadbStorageClass settings.
    4. Save your changes to the Ibmcpd custom resource. For example, if you are using vi, press Esc and enter :wq
  3. Check the status of the ZenService custom resource (by default, it is named lite-cr):
    oc get ZenService lite-cr -n Cloud-Pak-for-Data-project -o jsonpath="{.status}"
    Saving the change to the Ibmcpd custom resource triggers a reconciliation in the Zen operator. While the reconciliation is running, the status looks like this:
    {"conditions":[{"lastTransitionTime":"2021-06-20T01:05:55Z","message":"Running reconciliation",
    "reason":"Running","status":"True","type":"Running"}],"url":"cloud-pak-for-data-URL",
    "zenOperatorBuildNumber":"zen operator build 305","zenStatus":"InProgress"}

    It might take up to 20 minutes for the process to complete if the IAM Service needs to be started and configured.

    Tip: You can follow the logs generated by the Zen operator pod.

    The location of the Zen operator pod depends on whether IBM Cloud Pak foundational services and the IBM Cloud Pak for Data platform operator are installed in the same project (ibm-common-services) or separate projects (cpd-operators).

    oc logs -n project-name $(oc get pod -n project-name -l name=ibm-zen-operator -o jsonpath='{.items[0].metadata.name}') -f
  4. Wait for the ZenService custom resource to return the following status:
    {"conditions":[{"ansibleResult":{"changed":22,"completion":"2021-06-12T06:57:56.861621","failures":0,
    "ok":288,"skipped":324},"lastTransitionTime":"2021-06-20T01:05:55Z","message":"Awaiting next reconciliation",
    "reason":"Successful","status":"True","type":"Running"}],"url":"cloud-pak-for-data-URL",
    "zenOperatorBuildNumber":"zen operator build 305","zenStatus":"Completed"}
  5. Confirm that the IAM Service is set up:
    1. Go to the Cloud Pak for Data web client.
      Tip: If you don't know the URL, you can run the following command to get the route to the web client:
      oc get ZenService lite-cr -n Cloud-Pak-for-Data-project -o jsonpath="{.status.url}{'\n'}"
    2. Verify that the login page includes the following options:
      • OpenShift authentication
      • IBM provided credentials (admin only)
  6. Get the initial password for the admin user from the IAM Service:
    oc extract -n ibm-common-services secret/platform-auth-idp-credentials --keys=admin_password --to=-
    The command prints the password to your terminal. Treat it as a credential: do not paste it into shared logs or chat, and change it after you first log in.
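The following script is an added example, not part of the IBM documentation or the product: it performs steps 2 through 6 non-interactively, using oc patch instead of oc edit and polling the ZenService status until the Zen operator reports Completed, with a timeout and an early exit if the operator reports Failed. It assumes the oc CLI is already logged in with the required permissions, that the custom resources use the default names (ibmcpd-cr and lite-cr), and that the project names are placeholders you override through the environment variables at the top. The polling loop takes the status command as a parameter so it can be exercised without a cluster.

```sh
#!/bin/sh
# Added example (not from the IBM documentation): enable IAM integration on the
# Ibmcpd custom resource and wait for the Zen operator to finish reconciling.
# Assumptions: oc is logged in, CR names are the defaults, project names below
# are placeholders supplied via the environment.
set -u

CPD_PROJECT="${CPD_PROJECT:-cpd-instance}"            # project where Cloud Pak for Data is installed
CS_PROJECT="${CS_PROJECT:-ibm-common-services}"       # project where foundational services is installed
OPERATOR_PROJECT="${OPERATOR_PROJECT:-cpd-operators}" # ibm-common-services or cpd-operators
IBMCPD_CR="${IBMCPD_CR:-ibmcpd-cr}"
ZEN_CR="${ZEN_CR:-lite-cr}"

# Same change as adding `iamIntegration: true` under spec with oc edit, applied
# as a merge patch. Re-running it on an already enabled CR is a no-op.
enable_iam_integration() {
  oc patch ibmcpd "$IBMCPD_CR" -n "$CPD_PROJECT" --type merge \
    -p '{"spec":{"iamIntegration":true}}'
}

# Print only the zenStatus field (InProgress, Completed, Failed) of the ZenService.
zen_status() {
  oc get zenservice "$ZEN_CR" -n "$CPD_PROJECT" -o jsonpath='{.status.zenStatus}'
}

# Follow the Zen operator logs (the pod lives in OPERATOR_PROJECT).
zen_operator_logs() {
  pod=$(oc get pod -n "$OPERATOR_PROJECT" -l name=ibm-zen-operator \
        -o jsonpath='{.items[0].metadata.name}')
  oc logs -n "$OPERATOR_PROJECT" "$pod" -f
}

# wait_for_zen TIMEOUT_SECONDS INTERVAL_SECONDS STATUS_COMMAND...
# Runs STATUS_COMMAND until it prints Completed (returns 0). Returns 2 as soon as
# it prints Failed, and 1 if TIMEOUT_SECONDS elapse first. An interval of 0
# skips sleeping and counts attempts instead of seconds (useful for testing).
wait_for_zen() {
  timeout=$1
  interval=$2
  shift 2
  step=$interval
  [ "$step" -gt 0 ] || step=1
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    status=$("$@" 2>/dev/null) || status=""
    case "$status" in
      Completed) return 0 ;;
      Failed)    return 2 ;;
    esac
    sleep "$interval"
    elapsed=$((elapsed + step))
  done
  return 1
}

main() {
  enable_iam_integration
  echo "Waiting for the Zen operator to reconcile $ZEN_CR (up to 30 minutes)..."
  rc=0
  wait_for_zen 1800 30 zen_status || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "ZenService $ZEN_CR did not reach Completed (rc=$rc); check the Zen operator logs" >&2
    return "$rc"
  fi
  echo "Web client URL: $(oc get zenservice "$ZEN_CR" -n "$CPD_PROJECT" -o jsonpath='{.status.url}')"
  # Read the initial admin password into a variable instead of echoing it to the
  # terminal; hand it to your secret store and rotate it after the first login.
  admin_password=$(oc extract -n "$CS_PROJECT" secret/platform-auth-idp-credentials \
                     --keys=admin_password --to=-)
  echo "Initial admin password retrieved (${#admin_password} characters); not printed."
}

# Only touch the cluster when explicitly asked, so the functions can be sourced
# or tested on their own: CPD_APPLY=1 ./enable-iam.sh
if [ "${CPD_APPLY:-0}" = "1" ]; then
  main
fi
```

Run it with CPD_APPLY=1 and the project variables set for your cluster; without CPD_APPLY it only defines the functions, which is what lets the polling loop be checked offline with a stand-in status command.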

Results

You can log in to the web client and connect to one or more LDAP servers from the IBM Cloud Pak Administration Hub.