LDAP isolation

There is a growing need for IBM® Cloud Private users to be able to authenticate across multiple LDAPs. Sometimes large organizations might have an LDAP domain controller for different global regions or subsidiaries.

Users can have a mix of directory types such as AD, Tivoli, OpenLDAP, and others.

Users can configure multiple directories in the LDAP configuration on IBM Cloud Private. IBM Cloud Private uses WebSphere Liberty Server OpenID Connect as its authentication service, which handles administration and authentication against the appropriate directory.

Multiple LDAP registration

As a cluster administrator, you can configure multiple LDAP domains by adding multiple directory entries to the LDAP configuration in server.xml.

[Figure: Multiple LDAP registration. OpenLDAP, AD and Tivoli directories are each configured as entries in server.xml for WebSphere Liberty; IBM Cloud Private persists the LDAP configuration and configures each LDAP.]
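An illustrative server.xml fragment with two directory entries, added here as an example; it is not taken from the IBM Cloud Private documentation and is not the configuration the product generates. The host names, realm names, base DNs, bind accounts and truststore path are assumptions.

```xml
<server description="illustrative multi-LDAP registry (example, not product-generated)">
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <!-- Truststore holding the CA certificates of both LDAP servers (assumed path and password) -->
    <keyStore id="ldapTrustStore" location="${server.config.dir}/resources/security/ldap-trust.p12" password="CHANGE_ME" />
    <ssl id="ldapSSL" trustStoreRef="ldapTrustStore" />

    <!-- Directory 1: Active Directory for one region (assumed values); LDAPS on 636 with the truststore above -->
    <ldapRegistry id="emeaAD" realm="emea.example.com"
                  host="ad.emea.example.com" port="636"
                  ldapType="Microsoft Active Directory"
                  baseDN="DC=emea,DC=example,DC=com"
                  bindDN="CN=icp-bind,OU=service,DC=emea,DC=example,DC=com"
                  bindPassword="CHANGE_ME"
                  sslEnabled="true" sslRef="ldapSSL" />

    <!-- Directory 2: IBM Tivoli Directory Server for another region (assumed values) -->
    <ldapRegistry id="apacTDS" realm="apac.example.com"
                  host="tds.apac.example.com" port="636"
                  ldapType="IBM Tivoli Directory Server"
                  baseDN="o=apac,c=example"
                  bindDN="cn=icp-bind,o=apac,c=example"
                  bindPassword="CHANGE_ME"
                  sslEnabled="true" sslRef="ldapSSL" />

    <!-- Federate both registries under one realm; the base entries do not overlap,
         so each user resolves to exactly one directory and the other is never consulted -->
    <federatedRepository>
        <primaryRealm name="icpRealm">
            <participatingBaseEntry name="DC=emea,DC=example,DC=com" />
            <participatingBaseEntry name="o=apac,c=example" />
        </primaryRealm>
    </federatedRepository>
</server>
```

Each bind account needs only read access to its own directory, and keeping the base DNs disjoint is what makes the domain selection in the team workflow unambiguous.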

In an environment configured with multiple domains, adding a new user through the IBM Cloud Private platform requires selecting the appropriate domain before the user is added to the team.

The user profile and the domain name are maintained by IBM Cloud Private and are used for subsequent user management. Choosing the domain before selecting users for a team allows an administrator to isolate teams to a specific domain.

Note: User credentials are passed by IBM Cloud Private to the WebSphere Liberty OIDC server, which resolves the user's domain and authenticates the user against the matching directory.

For more information, see Teams.