IBM Cloud Pak for Security

OpenLDAP integration with IBM Cloud Pak for Security

By Anuj Shrivastava posted Wed March 02, 2022 03:02 PM

The approach is to centralize user account management: a single directory holds all user account information and every system authenticates against it. There are various ways to do this, but the Lightweight Directory Access Protocol (LDAP), in one of its many implementations, is the most widely used today.

Supported Cloud Pak for Security identity providers

To allow users to log in to IBM Cloud Pak for Security, one of the following identity providers must be configured for authentication:

 

  1. Red Hat OpenShift Kubernetes Service (ROKS) authentication
  2. SSO through Security Assertion Markup Language (SAML), e.g. IBM Security Verify
  3. LDAP (Lightweight Directory Access Protocol), e.g. Microsoft Active Directory or IBM Tivoli Directory Server
  4. OpenLDAP, by deploying an instance of OpenLDAP with users

 

Linux systems keep a local registry of their users by default: the /etc/passwd file (with the password hashes in /etc/shadow). There is one line for each registered user, so before anyone can access a machine a user account must be created on it. This is fine with a handful of computers, but with tens or hundreds of them, creating new users or changing passwords on every one becomes a nightmare, which is exactly what a central directory avoids.

Why integrate OpenLDAP with Cloud Pak for Security

  • There can be various reasons. One is testing, for a demo instance; another is giving access to a user for whom you cannot create a user ID in your company LDAP but whom you still want to let in.
  • Another reason can be to enable a secondary identity provider as a backup plan in case the primary identity provider fails. Keep in mind the limits stated later in this post: the deployment is not supported in production and must not be used when an existing LDAP is already configured.
  • OpenLDAP Software is an open-source implementation of the Lightweight Directory Access Protocol, so it adds no licensing cost.
  • In some cases it can be your primary authentication medium, if you have no other identity provider available.
  • OpenLDAP adheres closely to the LDAP standards.

Integrating OpenLDAP with IBM Cloud Pak for Security


  1. Get the login token from the OCP web console
    Log in to the OCP web console, open the user menu in the top-right corner and click "Copy login command".

    Then click "Display Token".


    Copy the entire oc login command together with the token shown on the page. Treat this token like a password: it carries your OpenShift permissions, so do not paste it into shared scripts, tickets or chat.

    Note: Before you proceed, install the cpctl command-line interface (CLI) utility, which performs the OpenLDAP installation tasks. If you are working from a Windows machine, you must install Windows Subsystem for Linux (WSL) first, because cpctl is a Linux binary (it is copied from /opt/bin/linux/ in step 2).

  2. Log in to the OpenShift® cluster by using one of the following oc login commands and install the cpctl utility
    # Log in to the CP4S cluster with a username and password
     oc login <openshift_url> -u <username> -p <password> -n <namespace>
    
    # or use the login command with the token you copied from the OCP web console
     oc login --token=<token> --server=<openshift_url>
    
    # Switch to the CP4S namespace (project) that you provided during the CP4S installation,
    # e.g. oc project cp4s
     oc project <namespace>
    
    # Find the cp-serviceability pod that ships the cpctl utility
     POD=$(oc get pod --no-headers -lrun=cp-serviceability | cut -d' ' -f1)
    
    # Copy the utility to your local computer and make it executable
     oc cp $POD:/opt/bin/linux/cpctl ./cpctl && chmod +x ./cpctl
    
    # Optionally add the utility to your global PATH (installing as root needs sudo)
     sudo install -vm 0755 -o root ./cpctl /usr/local/bin/cpctl
    
    # Load the cpctl utility
     cpctl load
    
    

    Important: The OpenLDAP deployment is intended to be used only for demonstration purposes in a test environment and is not supported for use in a production environment.

  3. Gather the installation parameters.
      1. Decide on the list of usernames and the password (remember, one shared password applies to all users).
      2. Find out which user you specified as adminUser during the CP4S installation; this user must be included in the list, otherwise the initial administrator cannot log in through OpenLDAP.
  4. Install OpenLDAP using the cpctl utility.
    # To run the deploy_openldap action, enter the following command.
     cpctl tools deploy_openldap --token <admin_token> --operation <action_operation> --ldap_usernames <users_list> --ldap_password <openldap_password>
    
    # e.g. (no --operation flag is needed for an install; the uninstall procedure below passes --operation uninstall)
     cpctl tools deploy_openldap --token $(oc whoami -t) --ldap_usernames 'adminuser@example.com,user1,user2,user3' --ldap_password myCustomPassword
    
    # Note: here adminuser@example.com is an example of the adminUser. The value given with --ldap_password
    # ends up in your shell history and in the process list, so use a throwaway password on a demo cluster.
  5. Test the identity provider.
  1. Go to the CP4S login page; "Enterprise LDAP" should now appear as a new option for the authentication type.
  2. Log in with your adminUser and the password that you set for the OpenLDAP users, as shown in the example image below.

  3. A successful login takes you to the System Administrator account.

    Click on System Administrator Account to change the account settings, then click Account Management.

    Now click Edit Account settings.

    Let's add the users that we created during the OpenLDAP integration:
    1. The CP4SLDAP identity provider is now available for selection.
    2. LDAP user1 is searchable, and I have assigned it an admin role for Account Management.
     

    3. As one more example, I have also added user2, which we created at the time of the OpenLDAP installation; this user I have assigned admin for User Management only.
    At the end you will see the list of all users. When you log in again using LDAP authentication, you can use user1 or user2 (for example), or whichever usernames you provided during the OpenLDAP installation and then added to CP4S.
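The steps above are a manual procedure. As an added example (not part of the original post and not IBM's own tooling), the script below wraps the cpctl deployment from steps 2 to 4 so that the two things a practitioner most often gets wrong are checked before cpctl is called: the adminUser being absent from the user list, and the shared password being typed on the command line. The cpctl and oc commands are the ones shown in the post; the lookup of adminUser from a CP4SThreatManagement custom resource is an assumption about how CP4S 1.9 records it and is marked as such in the code.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of IBM's cpctl tooling.
# Wraps 'cpctl tools deploy_openldap' so that the adminUser check and the
# password handling happen before anything touches the cluster.
set -eu

# Return a comma-separated user list with the CP4S adminUser first and
# duplicates or empty entries dropped. Key point of the post: adminUser
# MUST be in the OpenLDAP deployment, otherwise nobody can log in with it.
# Usage: build_user_list <adminUser> [user ...]
build_user_list() {
  local admin="$1"; shift
  local out="$admin" u
  for u in "$@"; do
    [ -n "$u" ] || continue                       # skip empty entries
    case ",$out," in *",$u,"*) continue ;; esac   # already present
    out="$out,$u"
  done
  printf '%s\n' "$out"
}

# Check that a list is safe to hand to --ldap_usernames: no empty names
# (leading, trailing or double commas), no whitespace, no quote characters.
# Returns 0 when the list is acceptable, 1 otherwise.
# Usage: validate_user_list <comma-separated-list>
validate_user_list() {
  local rest="$1" u
  [ -n "$rest" ] || return 1
  rest="$rest,"
  while [ -n "$rest" ]; do
    u="${rest%%,*}"
    rest="${rest#*,}"
    case "$u" in
      ''|*[[:space:]]*|*\"*|*\'*) return 1 ;;
    esac
  done
  return 0
}

# Prompt twice for the shared OpenLDAP password without echoing it. The post
# passes the password with --ldap_password; reading it here keeps it out of
# the shell history (it is still visible in the cpctl process arguments).
read_ldap_password() {
  local pw1 pw2
  read -r -s -p 'OpenLDAP password (shared by all users): ' pw1; echo >&2
  read -r -s -p 'Repeat password: ' pw2; echo >&2
  [ "$pw1" = "$pw2" ] || { echo 'passwords do not match' >&2; return 1; }
  [ "${#pw1}" -ge 12 ] || { echo 'use at least 12 characters' >&2; return 1; }
  printf '%s' "$pw1"
}

# Read the adminUser given at CP4S installation time.
# ASSUMPTION (not stated in the post): CP4S 1.9 records it in the
# CP4SThreatManagement custom resource at
# spec.basicDeploymentConfiguration.adminUser. Adjust for your release.
get_admin_user() {
  oc get cp4sthreatmanagement -n "$1" \
    -o jsonpath='{.items[0].spec.basicDeploymentConfiguration.adminUser}'
}

# Run the real 'cpctl tools deploy_openldap' from step 4 with a checked
# user list and an interactively read password. Demo/test clusters only.
# Usage: deploy_openldap <cp4s-namespace> [user ...]
deploy_openldap() {
  local ns="$1"; shift
  local admin users pw
  admin="$(get_admin_user "$ns")"
  users="$(build_user_list "$admin" "$@")"
  validate_user_list "$users" || {
    echo "refusing to deploy: bad user list '$users' (is adminUser set?)" >&2
    return 1
  }
  pw="$(read_ldap_password)" || return 1
  echo "Deploying OpenLDAP for users: $users" >&2
  cpctl tools deploy_openldap --token "$(oc whoami -t)" \
    --ldap_usernames "$users" --ldap_password "$pw"
}

# Only touches the cluster when invoked with arguments, e.g.:
#   ./deploy_openldap.sh cp4s user1 user2 user3
[ $# -eq 0 ] || deploy_openldap "$@"
```

Run it from the same shell in which you completed step 2 (logged in with oc, cpctl loaded). If the adminUser lookup returns nothing, the list fails validation and nothing is deployed, which is the failure you want, since an OpenLDAP instance without the adminUser leaves you unable to log in as the initial administrator.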


Uninstall Procedure

  1. To uninstall OpenLDAP, run the following command:

    # Remove the OpenLDAP deployment with the same cpctl action, this time with --operation uninstall
     cpctl tools deploy_openldap --token $(oc whoami -t) --operation uninstall

Key Points To Remember

  1. The user that you provide for the adminUser parameter during installation or upgrade sets the initial user in Cloud Pak for Security. This adminUser value must be included in the OpenLDAP deployment's user list.
  2. To access the deploy_openldap action, you must install the command-line interface (CLI) utility cpctl from the cp-serviceability pod.
  3. This OpenLDAP deployment must not be used when an existing Lightweight Directory Access Protocol (LDAP) identity provider is configured.
  4. The OpenLDAP deployment does not provide persistence of users within Cloud Pak for Security.
  5. One password applies to all users, so none of these accounts should be trusted beyond a demo.
  6. OpenLDAP has no action to add users after deployment. Rerun the deploy_openldap action with the complete user list (existing users plus the new ones) to include more users.
  7. The OpenLDAP deployment is intended only for demonstration purposes in a test environment and is not supported for use in a production environment.


Official documentation link
Works well with IBM Cloud Pak for Security v1.9.
Comments

Mon February 05, 2024 04:32 AM

Please note that OpenLDAP should never be deployed on production systems

Fri June 03, 2022 06:25 AM

Thanks Anuj! Appreciate you sharing the information.

Thu March 03, 2022 01:00 PM

Thank you Anuj for this post! This might come in handy if we decide to grant external clients access to our CP4S environment so they can view relevant information on their cases.