Adding LDAP configurations

You can add Lightweight Directory Access Protocol (LDAP) directories, SSL-enabled and non-SSL-enabled, to your Cloud Pak for Business Automation production deployments at any time.

About this task

To configure multiple LDAPs, you need to create a secret for each LDAP, re-create the LDAP bind secret, and update the Identity Management (IM) service. The following example shows the custom resource (CR) format for two LDAP configurations. The configuration parameter names and the ID values must be unique.

ldap_configuration:

ldap_configuration_<ldap_id1>:
  lc_ldap_id: <ldap_id1>

ldap_configuration_<ldap_id2>:
  lc_ldap_id: <ldap_id2>

For more information, see LDAP configuration.

If you want to enable SSL, then you need to create a separate secret for each LDAP. The LDAP certificates must be stored in the propertyfile/cert/ldap folder on the client where you connect to the cluster. The following paths show two certificates in the ldap folder. The ldap2-cert.crt file is the certificate for a new SSL-enabled LDAP.

/opt/ibm-cp-automation/scripts/cp4ba-prerequisites/project/<namespace>/propertyfile/cert/ldap/ldap-cert.crt
/opt/ibm-cp-automation/scripts/cp4ba-prerequisites/project/<namespace>/propertyfile/cert/ldap/ldap2-cert.crt

Procedure

  1. Run the following command to create an SSL secret for a new SSL-enabled LDAP.

    The following command generates the SSL secret (ibm-cp4ba-ldap2-ssl-secret) for the new LDAP that uses the ldap2-cert.crt certificate.

    oc create secret generic ibm-cp4ba-ldap2-ssl-secret \
      --from-file=tls.crt=/opt/ibm-cp-automation/cert-kubernetes/scripts/cp4ba-prerequisites/project/<namespace>/propertyfile/cert/ldap/ldap2-cert.crt \
      -n <namespace>
  2. Check in the OpenShift Container Platform to make sure that the SSL secret is created.
  3. Re-create the ldap-bind-secret to contain the credentials for each LDAP.
    Note: The ldap-bind-secret can be shared across LDAPs, but SSL secrets must be unique.
    1. Delete the existing LDAP bind secret.
      oc delete secret ldap-bind-secret
    2. Re-create the LDAP bind secret with multiple LDAP credentials.
      oc create secret generic ldap-bind-secret \
        --from-literal=ldapUsername='cn=admin,dc=ibm,dc=edu' \
        --from-literal=ldapPassword='<yourLDAPPassword>' \
        --from-literal=ldap<ldap_id1>Username='cn=admin,dc=ibm,dc=edu' \
        --from-literal=ldap<ldap_id1>Password='<yourLDAPPassword>' \
        --from-literal=ldap<ldap_id2>Username='cn=admin,dc=ibm,dc=edu' \
        --from-literal=ldap<ldap_id2>Password='<yourLDAPPassword>'
      Where:
      • ldapUsername is the LDAP_BIND_DN of the first LDAP used in the installation of the CP4BA deployment.
      • ldapPassword is the LDAP password of the first LDAP username that you used in the installation of the CP4BA deployment.
      • ldap<ldap_id1>Username is the LDAP_BIND_DN of the non-SSL-enabled LDAP that you want to add.
      • ldap<ldap_id1>Password is the LDAP password of the username for the non-SSL-enabled LDAP you want to add.
      • ldap<ldap_id2>Username is the LDAP_BIND_DN of the SSL-enabled LDAP that you want to add.
      • ldap<ldap_id2>Password is the LDAP password of the username for the SSL-enabled LDAP you want to add.
    3. Check that the LDAP bind secret is created properly in the cluster.
  4. Update the Cloud Pak for Business Automation CR with the new LDAP configuration to match the secrets that you created.

    For a non-SSL-enabled LDAP, set the lc_ldap_ssl_enabled parameter to false and the lc_ldap_port parameter to 389. The following YAML example shows a non-SSL-enabled LDAP configuration, where <ldap_id1> is 1.

    ldap_configuration_1:
      lc_ldap_id: 1
      lc_selected_ldap_type: "IBM Security Directory Server"
      lc_ldap_server: "seepage1.fyre.ibm.com"
      lc_ldap_port: "389"
      lc_bind_secret: "ldap-bind-secret"
      lc_ldap_base_dn: "DC=EXAMPLE,DC=COM"
      lc_ldap_ssl_enabled: false
      lc_ldap_ssl_secret_name: ""
      lc_ldap_user_name_attribute: "*:uid"
      lc_ldap_user_display_name_attr: "uid"
      lc_ldap_group_base_dn: "DC=EXAMPLE,DC=COM"
      lc_ldap_group_name_attribute: "*:cn"
      lc_ldap_group_display_name_attr: "cn"
      lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
      lc_ldap_group_member_id_map: "groupofnames:member"
      tds:
        lc_user_filter: "(&(uid=%v)(objectclass=ePerson))"
        lc_group_filter: "(&(cn=%v)(objectclass=groupofnames))"

    For an SSL-enabled LDAP, set the lc_ldap_ssl_enabled parameter to true and the lc_ldap_port parameter to 636. The following YAML example shows an SSL-enabled LDAP configuration, where <ldap_id2> is 2 and the SSL secret name is ibm-cp4ba-ldap2-ssl-secret.

    ldap_configuration_2:
      lc_ldap_id: 2
      lc_selected_ldap_type: "IBM Security Directory Server"
      lc_ldap_server: "seepage1.fyre.ibm.com"
      lc_ldap_port: "636"
      lc_bind_secret: "ldap-bind-secret"
      lc_ldap_base_dn: "DC=EXAMPLE,DC=COM"
      lc_ldap_ssl_enabled: true
      lc_ldap_ssl_secret_name: "ibm-cp4ba-ldap2-ssl-secret"
      lc_ldap_user_name_attribute: "*:uid"
      lc_ldap_user_display_name_attr: "uid"
      lc_ldap_group_base_dn: "DC=EXAMPLE,DC=COM"
      lc_ldap_group_name_attribute: "*:cn"
      lc_ldap_group_display_name_attr: "cn"
      lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
      lc_ldap_group_member_id_map: "groupofnames:member"
      tds:
        lc_user_filter: "(&(uid=%v)(objectclass=ePerson))"
        lc_group_filter: "(&(cn=%v)(objectclass=groupofnames))"

    Make sure that the names for each LDAP are unique. If two or more LDAPs are SSL-enabled, use a different secret name for each, for example ibm-cp4ba-ldap-ssl-secret and ibm-cp4ba-ldap2-ssl-secret. Each secret name is entered as the value of that LDAP's lc_ldap_ssl_secret_name parameter.

  5. Add the new LDAP user to the IM service.
    1. In the OpenShift Container Platform console, go to Networking > Routes > Identity Providers, search for cpd, and click the link under Location.
    2. Get the login credentials (username and password) from the ibm-iam-bindinfo-platform-auth-idp-credentials secret.
    3. Log in to IM and go to Identity Providers.
    4. Check that the new LDAP is added.
    5. Go to Access control > Add users, and add the user for the new LDAP.
    6. To onboard the user to the Zen service, assign a role.
  6. Optional: Add the new user as an admin user in Business Automation Navigator.
    1. Log in as the Navigator administrator.
    2. Go to Administrator > Settings > Admin Users, and add the new LDAP user.
  7. Optional: Configure access to the FNCM object stores.
    1. Log in to ACCE as the Content Platform Engine (CPE) administrator.
    2. Go to the ObjectStore > Security tab.
    3. Add the new user to a group with the appropriate permissions, for example view-only or full control.
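The following Python script is an added example; it is not part of this documentation or of the Cloud Pak for Business Automation operator. It encodes the consistency rules that steps 1 to 4 state (unique lc_ldap_id values, a unique SSL secret per SSL-enabled LDAP, port 389 with lc_ldap_ssl_enabled false and 636 with true, per-LDAP ldap<ldap_id>Username/Password keys in the bind secret, and a PEM certificate under tls.crt in the SSL secret) so that you can check the CR blocks against the secrets before applying the CR. The secret maps mirror the base64 ".data" field that `oc get secret <name> -o json` prints; the function names, the sample secret contents and the placeholder certificate are constructed for this example, while the secret and parameter names come from the procedure above.

```python
# Added example (not IBM's code): offline consistency check of a multi-LDAP
# CP4BA setup. The input mirrors the CR's ldap_configuration_<id> blocks and
# the ".data" map of each secret as printed by `oc get secret <name> -o json`.
import base64
import copy

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def b64(text):
    """Encode a string the way Kubernetes stores secret values."""
    return base64.b64encode(text.encode()).decode()


def decode_secret(data):
    """Turn the base64 ".data" map of a secret into plain strings."""
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


def check_ldap_setup(ldap_configs, secrets):
    """Return a list of findings; an empty list means the setup is consistent.

    ldap_configs: the ldap_configuration_<id> blocks of the CR, as dicts.
    secrets: {secret_name: data_map} for the secrets in the target namespace.
    """
    findings = []
    ids = [c.get("lc_ldap_id") for c in ldap_configs]
    for dup in sorted({i for i in ids if ids.count(i) > 1}, key=str):
        findings.append(f"lc_ldap_id {dup} is used more than once")

    ssl_secret_users = {}  # SSL secret name -> first LDAP id that uses it
    for cfg in ldap_configs:
        lid = cfg.get("lc_ldap_id")
        ssl = bool(cfg.get("lc_ldap_ssl_enabled"))
        port = str(cfg.get("lc_ldap_port", ""))
        expected_port = "636" if ssl else "389"  # ports the procedure prescribes
        if port != expected_port:
            findings.append(f"LDAP {lid}: lc_ldap_port is {port!r}, expected "
                            f"{expected_port} for lc_ldap_ssl_enabled={ssl}")

        if ssl:
            name = cfg.get("lc_ldap_ssl_secret_name") or ""
            if not name:
                findings.append(f"LDAP {lid}: SSL enabled but lc_ldap_ssl_secret_name is empty")
            elif name in ssl_secret_users:
                findings.append(f"LDAP {lid}: SSL secret {name!r} is already used by "
                                f"LDAP {ssl_secret_users[name]}; SSL secrets must be unique")
            elif name not in secrets:
                findings.append(f"LDAP {lid}: SSL secret {name!r} does not exist")
            else:
                crt = decode_secret(secrets[name]).get("tls.crt", "")
                if not crt.startswith(PEM_HEADER):
                    findings.append(f"LDAP {lid}: secret {name!r} has no PEM certificate under tls.crt")
            if name:
                ssl_secret_users.setdefault(name, lid)

        bind_name = cfg.get("lc_bind_secret", "")
        if bind_name not in secrets:
            findings.append(f"LDAP {lid}: bind secret {bind_name!r} does not exist")
            continue
        bind = decode_secret(secrets[bind_name])
        for key in (f"ldap{lid}Username", f"ldap{lid}Password"):
            if not bind.get(key):
                findings.append(f"LDAP {lid}: bind secret {bind_name!r} is missing key {key}")
    return findings


# Constructed sample input that mirrors the two example blocks of the procedure.
SAMPLE_CONFIGS = [
    {"lc_ldap_id": 1, "lc_ldap_port": "389", "lc_ldap_ssl_enabled": False,
     "lc_ldap_ssl_secret_name": "", "lc_bind_secret": "ldap-bind-secret"},
    {"lc_ldap_id": 2, "lc_ldap_port": "636", "lc_ldap_ssl_enabled": True,
     "lc_ldap_ssl_secret_name": "ibm-cp4ba-ldap2-ssl-secret",
     "lc_bind_secret": "ldap-bind-secret"},
]
# Constructed secret contents; the certificate body is a placeholder, not a real cert.
SAMPLE_SECRETS = {
    "ldap-bind-secret": {
        "ldapUsername": b64("cn=admin,dc=ibm,dc=edu"), "ldapPassword": b64("placeholder"),
        "ldap1Username": b64("cn=admin,dc=ibm,dc=edu"), "ldap1Password": b64("placeholder"),
        "ldap2Username": b64("cn=admin,dc=ibm,dc=edu"), "ldap2Password": b64("placeholder"),
    },
    "ibm-cp4ba-ldap2-ssl-secret": {
        "tls.crt": b64(PEM_HEADER + "\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
    },
}


def broken_variant():
    """Constructed bad input: the bind secret lost the ldap2* keys (what a missing
    shell line continuation in the oc create command produces) and LDAP 2 kept
    port 389 after SSL was enabled."""
    configs = copy.deepcopy(SAMPLE_CONFIGS)
    secrets = copy.deepcopy(SAMPLE_SECRETS)
    configs[1]["lc_ldap_port"] = "389"
    for key in ("ldap2Username", "ldap2Password"):
        del secrets["ldap-bind-secret"][key]
    return configs, secrets


if __name__ == "__main__":
    print("good setup:", check_ldap_setup(SAMPLE_CONFIGS, SAMPLE_SECRETS) or "no findings")
    for finding in check_ldap_setup(*broken_variant()):
        print("bad setup:", finding)
```

To run it against a live cluster, build the `secrets` map from `oc get secret ldap-bind-secret -o json` and the SSL secrets named in the CR, and read the ldap_configuration_<id> blocks from your CR YAML; the check runs before you apply the CR, so a missing key or a duplicated SSL secret name is caught without a failed reconcile.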