Configuring LDAP
After you install PowerVC, you can optionally configure it to work with an existing Lightweight Directory Access Protocol (LDAP) server.
Ensure that a supported LDAP server is installed and running in your environment if you plan to configure PowerVC with an LDAP server. See Hardware and software requirements for the list of supported LDAP servers. By default, PowerVC uses the local operating system to manage users and groups. See Configure operating system users and groups for details.
Notes:
- You might need to configure the firewall to allow LDAP or LDAPS traffic.
- Switching to LDAP restarts the HTTP service under which the identity service (Keystone) is running.
- If SELinux is enabled and in enforcing mode, ensure that it does not prevent the httpd service from accessing the CA certificate file or directory that you specify.
- LDAP servers typically limit the number of users and groups that can be returned for an LDAP query. This limit is configured on the LDAP server. Contact your LDAP administrator to obtain the current limit in your environment. It is highly recommended that appropriate user and group filters be part of your PowerVC LDAP configuration in order to limit the number of entities returned by LDAP searches and therefore avoid size limit errors.
- Use port 636 to establish a secure connection with the LDAP server.
Use the powervc-config identity repository command to configure LDAP or to switch back to using the local operating system. For instructions to use this command, run powervc-config identity repository --help. When you run this command, you must provide information about your LDAP configuration. Be sure to specify a user or a group for the initial administrator role assignment so that at least one user has administrator permissions. Administrators can then create additional role assignments as required.

Note: If you switch between using LDAP and the local operating system for your identity repository, all existing role assignments are removed because they apply to users and groups that are no longer available. For example, if you switch from the local operating system to LDAP, the users and groups that were defined in the local operating system do not exist in LDAP. Therefore, the role assignments do not exist in LDAP.
See Table 1 for the types of information you will need to obtain from your LDAP administrator. By default, the LDAP server is configured in secure mode.
Attribute name | Description | Example |
---|---|---|
URL | The URL of the LDAP server. Multiple LDAP servers may be specified as a comma-separated list for redundancy. | ldap://129.32.200.252 |
Use TLS | Specifies whether or not to use StartTLS to secure the connection. This is not relevant for ldaps:// URLs. Warning: Choosing not to use TLS with an ldap:// URL is not secure and is highly discouraged. | y |
CA certificate file | Specifies the path and name of a PEM-formatted file in the local file system that contains the certificates of Certificate Authorities that should be trusted. Either this or "CA certificate directory" (see next attribute) is required for ldaps:// URLs or when using StartTLS on ldap:// URLs. | /etc/pki/tls/certs/ca-bundle.crt |
CA certificate directory | Specifies the local file system path of a directory that contains (in separate files) the certificates of Certificate Authorities that should be trusted. In addition, this directory must be managed using the OpenSSL c_rehash utility. Either this or "CA certificate file" (see previous attribute) is required for ldaps:// URLs or when using StartTLS on ldap:// URLs. | /etc/pki/my-ca-dir |
Anonymous bind | If Anonymous bind is set to 'y', then a username and password are not required. Anyone could connect to the LDAP server and search, although the searchable data can be limited by the LDAP administrator. Specify y or n. | n |
User name | Maps to the user profile on the LDAP server. This user is used to authenticate to the LDAP server while configuring the LDAP server in a non-anonymous mode. | cn=Administrator,dc=ibm,dc=com |
Password | The LDAP attribute that maps to the user's password. | password |
User tree DN | The user tree name that uniquely identifies the user entry in the directory. | ou=people,dc=ibm,dc=com |
User filter | Limits which users are visible to PowerVC. LDAP servers typically limit the number of users and groups that can be returned for an LDAP query. This uses the standard LDAP filter syntax. | (|(uid=bob)(uid=joan)(uid=sam)) |
User object class | The object class that is supported by the LDAP server. Provide the object class property name used to configure the user in the LDAP server as input. This might change based on the LDAP configuration. | inetOrgPerson |
User ID attribute | The LDAP attribute that maps to the user ID. This attribute is often named uid. The characters can be a-z, A-Z, DBCS characters, period (.), dash (-), and underscore ( _ ). | uid |
User name attribute | The LDAP attribute to be used by PowerVC to search the user name. | uid |
User mail attribute | The LDAP attribute to be used by PowerVC to search for the user's primary email address. Note: This is not the user's email address but the attribute as configured at the LDAP server. | |
User description attribute | The LDAP attribute that contains a text description of the user. | description |
Group tree DN | The group tree name that uniquely identifies an entry in the directory. | ou=group,dc=ibm,dc=com |
Group filter | Limits which groups are visible to PowerVC. LDAP servers typically limit the number of users and groups that can be returned for an LDAP query. This uses the standard LDAP filter syntax. | (|(cn=admin)(cn=deployer)(cn=viewer)) |
Group object class | The object class of the group that uses the member attribute. This is the object class property name used to configure the groups in the LDAP server. This could change based on the LDAP configuration. | groupOfNames |
Group ID attribute | The LDAP attribute that maps to the name that is used to identify a group in the LDAP server. The characters can be a-z, A-Z, DBCS characters, period (.), dash (-), and underscore ( _ ). | gidNumber |
Group name attribute | The LDAP attribute that specifies the group name for a group entry. This attribute is often named cn. | cn |
Group member attribute | The LDAP attribute that specifies the names of group members for a group entry. This attribute is often named member. | member |
Group description attribute | The LDAP attribute that contains a text description of the group. | description |
Query scope | Indicates how deeply to search under the user and group tree DNs. Supported values: | one |
Chase referrals | Indicates whether to follow LDAP referrals. Chasing referrals only works if anonymous binding is allowed by the domain controller to which the referral points. The default setting is False. Setting this value to True can degrade performance because of the processing overhead. If you experience delays logging in to PowerVC, set this value to False. For more information, see LDAP referrals. | True |
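The following added example (not part of PowerVC or this page) shows how to build the allow-list user and group filters from the table with correct RFC 4515 escaping, and how to pre-check a set of answers for powervc-config identity repository against the warnings above (ldap:// without StartTLS, missing CA trust, missing filters, referral chasing). The dictionary keys are hypothetical names for the table attributes, not the command's own prompts.

```python
from typing import Dict, List

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def or_filter(attribute: str, values: List[str]) -> str:
    """Build an allow-list filter such as (|(uid=bob)(uid=joan)(uid=sam))."""
    terms = "".join(f"({attribute}={escape_filter_value(v)})" for v in values)
    return terms if len(values) == 1 else f"(|{terms})"

def check_identity_config(cfg: Dict[str, str]) -> List[str]:
    """Return findings for the answers to be given to powervc-config identity
    repository. Keys are hypothetical names for the table attributes."""
    findings: List[str] = []
    urls = [u.strip() for u in cfg.get("url", "").split(",") if u.strip()]
    if not urls:
        findings.append("url: at least one LDAP URL is required")
    plain = [u for u in urls if u.startswith("ldap://")]
    secure = [u for u in urls if u.startswith("ldaps://")]
    use_tls = cfg.get("use_tls", "n").lower() == "y"
    if plain and not use_tls:
        findings.append("use_tls: ldap:// without StartTLS sends credentials in clear")
    if (secure or (plain and use_tls)) and not (cfg.get("ca_cert_file") or cfg.get("ca_cert_dir")):
        findings.append("ca_cert: a CA certificate file or directory is required")
    if cfg.get("anonymous_bind", "n").lower() != "y" and not (cfg.get("user_name") and cfg.get("password")):
        findings.append("bind: user name and password are required unless anonymous bind is y")
    for key in ("user_filter", "group_filter"):
        if not cfg.get(key):
            findings.append(f"{key}: missing; searches may exceed the server's size limit")
    if cfg.get("chase_referrals", "False").lower() == "true":
        findings.append("chase_referrals: True adds overhead; set False if logins are slow")
    return findings

# Constructed sample using the example values from the table above.
TABLE_EXAMPLE: Dict[str, str] = {
    "url": "ldap://129.32.200.252",
    "use_tls": "y",
    "ca_cert_file": "/etc/pki/tls/certs/ca-bundle.crt",
    "anonymous_bind": "n",
    "user_name": "cn=Administrator,dc=ibm,dc=com",
    "password": "password",
    "user_filter": or_filter("uid", ["bob", "joan", "sam"]),
    "group_filter": or_filter("cn", ["admin", "deployer", "viewer"]),
    "chase_referrals": "True",
}

if __name__ == "__main__":
    for finding in check_identity_config(TABLE_EXAMPLE):
        print(finding)
```

Run against the table's own example values, the only finding is the referral-chasing warning; drop the filters or set Use TLS to n on an ldap:// URL and the corresponding findings appear.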