Configuring LDAP connection
Configure an LDAP (Lightweight Directory Access Protocol) connection for your IBM® Cloud Private cluster.
You must connect an LDAP directory with your IBM Cloud Private cluster. You can then add users from your LDAP directory into your cluster.
The following LDAP types are supported:
- IBM Tivoli Directory Server
- IBM Lotus Domino
- IBM SecureWay Directory Server
- Novell eDirectory
- Sun Java™ System Directory Server
- Netscape Directory Server
- Microsoft Active Directory
- Custom
Note: You can configure an account lockout policy when you set up your LDAP server. An account lockout policy provides more security by restricting access to the account if multiple login attempts fail.
Required user type or access level: Cluster administrator
Connecting to your LDAP directory
Follow these steps to set up your LDAP connection.
- Log on as an administrator.
- From the navigation menu, click Manage > Identity & Access.
- Click Create Connection. The "LDAP connection" page is displayed.
- Enter the following details to set up your LDAP connection.
Note: You can configure multiple LDAP connection instances to the same LDAP server. However, both the Base DN and `connectionName` must be unique.
LDAP connection
Enter connection information.
- Name: A unique name for the LDAP connection. Format: 1 - 50 alphanumeric characters; special characters that are allowed: `-` and `_`.
- Type: The type of LDAP directory that you are connecting to. Select from the list. Format: 1 - 255 alphanumeric characters; white space is allowed; no special characters are allowed.
- URL: The LDAP directory domain name or IP address, and the LDAP port number. The URL must begin with `ldap://`. Example URL: `ldap://corpldap.abc.com:389` or `ldap://10.10.10.1:389`. For LDAP over SSL (LDAPS), you must use the domain name, and the URL must begin with `ldaps://`. Example URL: `ldaps://corpldap.abc.com:636`.
Note: If you are unable to connect to your LDAPS server by using the host name, add the IP address and host name of the LDAPS server to your local DNS. The LDAPS server host name must be resolvable from your IBM Cloud Private master node.
LDAP authentication
Enter authentication information.
- Base DN: The distinguished name of the search base. Example: `dc=abc,dc=com`. Format: 1 - 255 alphanumeric characters; special characters that are allowed: `=`, `.`, `,`, `-`.
- Bind DN: The user who is allowed to search the base DN. Example: `cn=admin,dc=abc,dc=com`. This parameter is optional. If no user is specified in the Bind DN parameter, the LDAP connection is established without authentication (an anonymous bind). Format: 0 - 255 alphanumeric characters; white space is allowed; special characters that are allowed: `=`, `.`, `,`, `-`.
- Bind DN password: The password of the user who is specified in the Bind DN. This parameter is not required if you do not specify a user in the Bind DN. A maximum of 255 characters is allowed.
Note: The Base DN and Bind DN values are case-sensitive and must be full distinguished name (DN) paths. The DN path, including spaces, commas, and other characters, must be exactly as configured in the LDAP server. See the following example:
Base DN: `DC=mycompany,DC=com`
Bind DN: `CN=Administrator,CN=Users,DC=mycompany,DC=com`
For Base DN, the following values are invalid:
- `dc=mycompany,dc=com` because `DC` is in lowercase.
- `DC=mycompany, DC=com` because there is a space between the parameters.
For Bind DN, the following values are invalid:
- `cn=Administrator,cn=Users,dc=mycompany,dc=com` because `CN` and `DC` are in lowercase.
- `CN=Administrator,DC=mycompany,DC=com` because the `CN=Users` parameter is missing.
- `CN=Administrator,CN=Users, DC=mycompany,DC=com` because there is a space between the parameters.
- `CN=administrator,CN=Users,DC=mycompany,DC=com` because the `administrator` parameter value starts with a lowercase letter.
Note: Microsoft Active Directory server does a strict check of the Base DN and Bind DN values while it establishes the connection.
You can click Test connection to verify whether the LDAP connection details are valid.
LDAP filters
Enter information about the search filters. For default LDAP filters by LDAP type, see Default LDAP filters by LDAP type.
- Group filter: The filter clause for searching groups. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, `=`, `;`, `.`, `,`, `&`, `%`, `()`, `{}`, `<>`, `|`.
- Group ID map: The filter to map a group name to an LDAP entry. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, `*`, `:`, `=`, `;`, `.`, `,`, `&`, `%`, `()`, `{}`.
- Group member ID map: The filter to map a user to a group. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, `*`, `:`, `=`, `;`, `.`, `,`, `&`, `%`, `()`, `{}`.
- User filter: The filter clause for searching users. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, `=`, `;`, `.`, `,`, `&`, `%`, `()`, `{}`, `<>`, `|`.
- User ID map: The filter to map a user name to an LDAP entry. Format: 1 - 255 alphanumeric characters; special characters that are allowed: white space, `*`, `:`, `=`, `;`, `.`, `,`, `&`, `%`, `()`, `{}`.
- Click Connect.
Your IBM Cloud Private cluster is now connected with your LDAP directory.
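The DN rules and filter formats from the steps above, checked offline as an added example (constructed here, not IBM Cloud Private code): `check_dn` applies the Active Directory strictness rules from the Base DN and Bind DN note, `check_filter` verifies that a filter template is balanced and carries the `%v` placeholder the default filters use for the name being looked up, and `expand_filter` previews the search issued for one name with RFC 4515 escaping. The function names and sample values are assumptions.

```python
import re

# Added, hypothetical pre-check for the Base DN, Bind DN and filter values this
# page describes (constructed example; not IBM Cloud Private code).

_RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def check_dn(dn, expected=None):
    """Return the problems found in a Base DN or Bind DN: attribute types must be
    upper case and no whitespace may surround the commas (the Active Directory
    rules above). If `expected` is the DN exactly as stored in the directory,
    the value must also match it case-sensitively (catches a missing RDN)."""
    problems = []
    for rdn in dn.split(","):
        if rdn != rdn.strip():
            problems.append("whitespace around '%s'" % rdn.strip())
        match = _RDN_RE.match(rdn.strip())
        if match is None:
            problems.append("'%s' is not of the form ATTR=value" % rdn.strip())
        elif not match.group(1).isupper():
            problems.append("attribute type '%s' is not upper case" % match.group(1))
    if expected is not None and dn != expected:
        problems.append("does not match the directory value '%s'" % expected)
    return problems


def check_filter(template):
    """Return True when a user or group filter template has balanced
    parentheses and contains the %v placeholder for the name being looked up."""
    depth = 0
    for ch in template:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:  # a ')' before its '('
            return False
    return depth == 0 and "%v" in template


def expand_filter(template, value):
    """Preview the search sent for one login or group name: %v is replaced by the
    value escaped per RFC 4515, so '(' ')' '*' or '\\' in a name stay literal."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)
    return template.replace("%v", escaped)


if __name__ == "__main__":
    print(check_dn("CN=Administrator,CN=Users, DC=mycompany,DC=com"))
    print(expand_filter("(&(cn=%v)(objectclass=group))", "Sales (EMEA)"))
```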
Note: If you are using an LDAPS connection, the SSL (Secure Sockets Layer) certificates that are required for your LDAPS connection are automatically configured when you connect with your directory. However, you must manually restart the `auth-idp` pod. Complete these steps on your master node:
- Install `kubectl`. For more information, see Installing the Kubernetes CLI (kubectl).
- Get the `auth-idp` pods: `kubectl -n kube-system get pods | grep auth-idp`
- Delete the `auth-idp` pods: `kubectl -n kube-system delete pods <pod_name>`
- Wait for the pods to restart.
If your LDAPS connection is not successful, you can try setting up the connection manually. For more information, see Configuring LDAP over SSL.
Next, you can add your LDAP users and user groups to your IBM Cloud Private cluster. For more information about adding users, see Add users to a team and Add groups to a team.
Default LDAP filters by LDAP type
Attribute name | Data type | Default value |
---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=groupOfUniqueNames)) |
groupIdMap | string | *:cn |
groupMemberIdMap | string | groupOfUniqueNames:uniquemember |
userFilter | string | (&(emailAddress=%v)(objectclass=person)) |
userIdMap | string | *:uid |
Attribute name | Data type | Default value |
---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=groupOfUniqueNames)) |
groupIdMap | string | *:cn |
groupMemberIdMap | string | groupOfUniqueNames:uniquemember |
userFilter | string | (&(uid=%v)(objectclass=ePerson)) |
userIdMap | string | *:uid |
Attribute name | Data type | Default value |
---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=group)) |
groupIdMap | string | *:cn |
groupMemberIdMap | string | memberOf:member |
userFilter | string | (&(sAMAccountName=%v)(objectclass=user)) |
userIdMap | string | user:sAMAccountName |
Attribute name | Data type | Default value |
---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=dominoGroup)) |
groupIdMap | string | *:cn |
groupMemberIdMap | string | dominoGroup:member |
userFilter | string | (&(uid=%v)(objectclass=Person)) |
userIdMap | string | person:uid |
Attribute name | Data type | Default value |
---|---|---|
groupFilter | string | (&(cn=%v)(\|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) |
groupIdMap | string | *:cn |
groupMemberIdMap | string | groupOfNames:member;groupOfUniqueNames:uniqueMember |
userFilter | string | (&(uid=%v)(objectclass=ePerson)) |
userIdMap | string | *:uid |
Attribute name | Data type | Default value |
---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=ldapsubentry)) |
groupIdMap | string | *:cn |
groupMemberIdMap | string | nsRole:nsRole |
userFilter | string | (&(uid=%v)(objectclass=inetOrgPerson)) |
userIdMap | string | inetOrgPerson:uid |
Attribute name | Data type | Default value |
---|---|---|
groupFilter | string | (&(cn=%v)(\|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) |
groupIdMap | string | *:cn |
groupMemberIdMap | string | groupOfNames:member;groupOfUniqueNames:uniqueMember |
userFilter | string | (&(uid=%v)(objectclass=inetOrgPerson)) |
userIdMap | string | inetOrgPerson:uid |
Attribute name | Data type | Default value |
---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=groupOfNames)) |
groupIdMap | string | *:cn |
groupMemberIdMap | string | groupOfNames:member |
userFilter | string | (&(cn=%v)(objectclass=Person)) |
userIdMap | string | person:cn |