The intent of this blog is to cover some generic queries about LDAP configuration on PowerVC. For more details about configuring LDAP, visit the IBM PowerVC Knowledge Center.
- Can PowerVC be configured with LDAP using the PowerVC UI?
No. PowerVC can be configured with LDAP only by using the powervc-config identity repository CLI command. Use the âhelp option with the command to learn about the different options available.
- Does PowerVC cache LDAP user credentials such that authentication is successful even when there are network failures?
No. PowerVC does not cache or store user credentials. PowerVC always routes this information to the configured LDAP server and gets the credentials validated. Authentication (PowerVC login) fails if the configured LDAP server is not reachable over network.
- Can communication with LDAP server be secure?
Yes. Communication from PowerVC to the LDAP server is secure by default. This means that if you donât explicitly pass in the âinsecure argument while running the âpowervc-config identity repositoryâ CLI, LDAP configuration will be done securely. Use the –tls-cacertfile or –tls-cacertdir options to specify the certificate path or directory. See command help (–help) for more details on these two arguments.
- Does PowerVC support the anonymous mode while configuring LDAP?
Yes. PowerVC configuration by default uses authentication to connect to the specified LDAP server. Use the âanon option with the command to configure in the anonymous mode.
- Does configuring LDAP server interrupt any ongoing operations?
Yes. Configuring an LDAP server with PowerVC causes the HTTPD service to restart, which impacts ongoing operations. Also, configuring LDAP removes all previous role assignments to users from the local OS registry. Thus, it is strongly recommended that LDAP configuration is performed only as a planned activity.
- Can the same LDAP attribute be given as input for âUser ID attributeâ and âUser name attributeâ while configuring the LDAP server with PowerVC?
It depends on how the attributes have been configured for an LDAP user on the LDAP server. The User ID attribute has to represent an attribute that uniquely represents a LDAP user. For example, it can be any attribute that stores an email ID or employee ID or any other unique identifier. The User name attribute, on the other hand, is something that is intended to store the name associated with the LDAP user. In the below example, we see that the both LDAP attributes cn and uid stores the same value and they can be used interchangeably as inputs to either âUser ID attributeâ or âUser name attributeâ. The same explanation applies to Group ID and Group name attributes.
- Do all LDAP users and groups get listed in PowerVC after a successful configuration?
It depends on whether values for âuser-filter or –group-filter were specified at the time of configuration. If no filters were specified, then all of the users and groups in the LDAP server will be listed in PowerVC. If the filters were specified, then only the users/groups that match the filter are listed in PowerVC.
For example, if you specify –group-filter “(|(cn=group1)(cn=group2)) at the time of configuration, only LDAP groups whose âcnâ attribute matches either group1 or group2 are displayed in PowerVC.
Itâs highly recommended that filters are specified during PowerVC LDAP configuration for LDAP servers that have huge number of user/group entries to avoid running into size limit errors.
- Does the LDAP server have to be on the same system as PowerVC?
No. Actually, the LDAP server has to be on a separate system. It has to be set up and loaded with at least one group (non-empty) or user before PowerVC is configured to it. At least one user or group must be assigned the âadminâ role at the time of PowerVC-LDAP configuration. Subsequent to the successful configuration of LDAP server with PowerVC, a user with this role can log in to PowerVC and assign roles and projects to other users and groups. You can add users and groups into the LDAP server later on as necessary.
- Can LDAP users log in to the PowerVC UI after PowerVC LDAP configuration is complete?
Not automatically. LDAP users must be assigned a role to a project in PowerVC by a user who has administrator authority on that project. When PowerVC was configured to use the LDAP server (using powervc-config identity repository CLI), a user (on the âu / –user option) or a group (on the âg / –group option) was specified that automatically provide that user with admin privileges, which is required to assign role to other users/groups so that these users/groups can log in to PowerVC. After PowerVC-LDAP configuration is complete, this admin user is expected to login to PowerVC and assign specific roles to different users and groups.
- Can users and groups be created into the LDAP server from PowerVC?
No. PowerVC uses the configured LDAP server in a read-only mode and merely for authentication. One cannot login into PowerVC UI and create LDAP users/groups from there. The users/groups have to be created at the LDAP server.
- Where can the LDAP users/groups be seen in the PowerVC UI?
If you are logged in to a project as an admin, you can view users and groups from the PowerVC by clicking Users and Groups on the Configuration tab.
Divya K Konoor (firstname.lastname@example.org)