IBM PowerVC LDAP Configuration FAQs
By
DIVYA K KONOOR
posted
Wed July 11, 2018 07:29 PM
The intent of this blog is to cover some generic queries about LDAP configuration on PowerVC. For more details about configuring LDAP, visit the IBM PowerVC Knowledge Center.
Can PowerVC be configured with LDAP using the PowerVC UI?
No. PowerVC can be configured with LDAP only by using the powervc-config identity repository CLI command. Use the --help option with the command to learn about the available options.
Does PowerVC cache LDAP user credentials so that authentication succeeds even when there are network failures?
No. PowerVC does not cache or store user credentials. PowerVC always routes this information to the configured LDAP server and has the credentials validated there. Authentication (PowerVC login) fails if the configured LDAP server is not reachable over the network.
Can communication with LDAP server be secure?
Yes. Communication from PowerVC to the LDAP server is secure by default. This means that if you don’t explicitly pass the --insecure argument when running the “powervc-config identity repository” CLI, the LDAP configuration is done securely. Use the --tls-cacertfile or --tls-cacertdir option to specify the CA certificate file or directory. See the command help (--help) for more details on these two arguments.
Does PowerVC support the anonymous mode while configuring LDAP?
Yes. By default, PowerVC uses authentication to connect to the specified LDAP server. Use the --anon option with the command to configure it in anonymous mode.
Does configuring LDAP server interrupt any ongoing operations?
Yes. Configuring an LDAP server with PowerVC causes the HTTPD service to restart, which impacts ongoing operations. Also, configuring LDAP removes all previous role assignments to users from the local OS registry. Thus, it is strongly recommended that LDAP configuration is performed only as a planned activity.
Can the same LDAP attribute be given as input for “User ID attribute” and “User name attribute” while configuring the LDAP server with PowerVC?
It depends on how the attributes have been configured for an LDAP user on the LDAP server. The User ID attribute has to be an attribute that uniquely identifies an LDAP user. For example, it can be any attribute that stores an email ID, an employee ID, or any other unique identifier. The User name attribute, on the other hand, is intended to store the name associated with the LDAP user. In the example below, both the LDAP attributes cn and uid store the same value, so they can be used interchangeably as input for either “User ID attribute” or “User name attribute”. The same explanation applies to the Group ID and Group name attributes.
Do all LDAP users and groups get listed in PowerVC after a successful configuration?
It depends on whether values for --user-filter or --group-filter were specified at the time of configuration. If no filters were specified, all of the users and groups in the LDAP server are listed in PowerVC. If filters were specified, only the users and groups that match the filter are listed in PowerVC.
For example, if you specify --group-filter "(|(cn=group1)(cn=group2))" at the time of configuration, only LDAP groups whose “cn” attribute matches either group1 or group2 are displayed in PowerVC.
It is highly recommended that filters are specified during PowerVC LDAP configuration for LDAP servers that have a large number of user or group entries, to avoid running into size limit errors.
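The two checks a practitioner would want to run before committing an LDAP configuration, as an added example that is not part of this post or of PowerVC: does the value you intend to pass to --group-filter or --user-filter select exactly the entries you expect, and is the attribute you intend to use as the “User ID attribute” actually unique across users? The evaluator below handles only the RFC 4515 subset the post uses (equality, &, | and !, with values that contain no parentheses), and the directory entries are constructed for the demonstration.

```python
# Added example (not PowerVC code): RFC 4515 filter subset (=, &, |, !), values without parentheses.
def parse_filter(s: str):
    """'(attr=value)' -> ('=', attr, value); '(&...)', '(|...)', '(!...)' -> (op, children)."""
    s = s.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {s!r}")
    body = s[1:-1]
    if body[:1] not in ("&", "|", "!"):
        attr, sep, value = body.partition("=")
        if not sep:
            raise ValueError(f"expected attr=value: {s!r}")
        return ("=", attr.strip().lower(), value)
    children, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(parse_filter(body[start:i + 1]))
    if depth != 0 or not children:
        raise ValueError(f"unbalanced or empty compound filter: {s!r}")
    return (body[0], children)

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter; attribute names and values compare case-insensitively."""
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)  # "!" has a single child

def select(filter_str: str, entries: list) -> list:
    node = parse_filter(filter_str)  # entries that a --user-filter / --group-filter value would list
    return [e for e in entries if matches(node, e)]

def is_unique_attribute(attr: str, entries: list) -> bool:
    """True if attr has exactly one value per entry and no two entries share it."""
    vals = [e.get(attr.lower(), []) for e in entries]
    flat = [v[0].lower() for v in vals if len(v) == 1]
    return len(flat) == len(entries) == len(set(flat))

# Constructed sample entries (attribute names lowercase), not from a real directory.
GROUPS = [{"cn": [n]} for n in ("group1", "group2", "group3")]
USERS = [{"cn": ["alice"], "uid": ["alice"], "objectclass": ["person"]},
         {"cn": ["bob"], "uid": ["bob"], "objectclass": ["person"]},
         {"cn": ["alice"], "uid": ["alice2"], "objectclass": ["person"]}]  # cn repeats
```

With these entries, cn would be an acceptable User name attribute but not a User ID attribute, while uid satisfies the uniqueness requirement the post describes.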
Does the LDAP server have to be on the same system as PowerVC?
No. In fact, the LDAP server has to be on a separate system. It has to be set up and loaded with at least one non-empty group or one user before PowerVC is configured to use it. At least one user or group must be assigned the ‘admin’ role at the time of PowerVC-LDAP configuration. After the LDAP server has been successfully configured with PowerVC, a user with this role can log in to PowerVC and assign roles and projects to other users and groups. You can add users and groups to the LDAP server later as necessary.
Can LDAP users log in to the PowerVC UI after PowerVC LDAP configuration is complete?
Not automatically. LDAP users must be assigned a role on a project in PowerVC by a user who has administrator authority on that project. When PowerVC was configured to use the LDAP server (using the powervc-config identity repository CLI), a user (with the -u / --user option) or a group (with the -g / --group option) was specified; that user or group is automatically given admin privileges, which are required to assign roles to other users and groups so that they can log in to PowerVC. After PowerVC-LDAP configuration is complete, this admin user is expected to log in to PowerVC and assign specific roles to the different users and groups.
Can users and groups be created into the LDAP server from PowerVC?
No. PowerVC uses the configured LDAP server in read-only mode and only for authentication. You cannot log in to the PowerVC UI and create LDAP users or groups from there; they have to be created on the LDAP server.
Where can the LDAP users/groups be seen in the PowerVC UI?
If you are logged in to a project as an admin, you can view users and groups in the PowerVC UI by clicking Users and Groups on the Configuration tab.
Author
Divya K Konoor (dikonoor@in.ibm.com)
#powervc
#security
#ldap