LDAP configuration

On Kubernetes, more than one component can be configured to use a server that runs the Lightweight Directory Access Protocol (LDAP).

Download the sample configuration XML files from cert-kubernetes and modify a file to match your existing LDAP server. The CP4BA operator supports a maximum of 5 LDAP servers. Follow the instructions to apply the modified configuration file in your deployment. Options include IBM Security Directory Server, Microsoft Active Directory, and a custom directory.

Use the following sections to help you configure your LDAPs.

Bind secret

For components that require LDAP, use the lc_bind_secret parameter in the template YAML file to reference a secret that includes the ldapUsername and ldapPassword keys. Specify the name of the secret that you create in the lc_bind_secret parameter:

ldap_configuration:
  lc_bind_secret: ldap-bind-secret

The secret holds the credentials under the keys ldap<ID>Username and ldap<ID>Password, where <ID> is empty for the first LDAP configuration (giving ldapUsername and ldapPassword) and is the lc_ldap_id value for each additional LDAP configuration.

The following command shows how to create the ldap-bind-secret secret with the needed username and password.

oc create secret generic ldap-bind-secret \
    --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" \
    --from-literal=ldapPassword="<yourLDAPPassword>"

Important: In the Cloud Pak Platform UI or Zen service, you can manage LDAP users, user group roles, and permissions. For example, you can add an LDAP or OpenShift user to your cluster. When you add a user, you must specify the OpenShift or LDAP login ID of that user in the Username field.

LDAP username

The ldapUsername key consists of the username and the location of the username in the LDAP directory tree. The user must be allowed to search the base DN. If no user is specified in ldapUsername, the LDAP connection is established without authentication. The length is restricted to 255 alphanumeric characters. White space and the following special characters are allowed:

= . , - : @ ( ) _ \

The ldapUsername value is case-sensitive and must be the full distinguished name (DN) path. The DN path, including spaces, commas, and other characters, must be the same as configured in the LDAP server. The following value is an example:

Bind DN: CN=Administrator,CN=Users,DC=mycompany,DC=com

  • The following value is invalid because CN and DC are lowercase:
    cn=Administrator,cn=Users,dc=mycompany,dc=com
  • The following value is invalid because the CN=Users parameter is missing:
    CN=Administrator,DC=mycompany,DC=com
  • The following value is invalid because of a space between the parameters:
    CN=Administrator,CN=Users, DC=mycompany,DC=com
  • The following value is invalid because the administrator parameter value starts with a lowercase letter:
    CN=administrator,CN=Users,DC=mycompany,DC=com

LDAP username password

The ldapPassword key is the password of the user specified in ldapUsername. The ldapPassword is not required if you do not specify a user in ldapUsername. A maximum of 255 characters is allowed.

If you need multiple LDAP configurations, for example ldap_configuration_xxx and ldap_configuration_yyy, use a single secret (by default ldap-bind-secret) to include all your LDAP credentials. The operator looks for a username and password for each LDAP ID. An ldap_configuration_<id_name>.lc_ldap_id parameter is required to separate the credentials. You do not need to add an ID for the first ldap_configuration, which uses ldapUsername and ldapPassword.

For example, set the LDAP IDs in the custom resource:

ldap_configuration:
  # first LDAP: no lc_ldap_id, uses ldapUsername and ldapPassword

ldap_configuration_abc:
  lc_ldap_id: abc

ldap_configuration_def:
  lc_ldap_id: def

You can then add the credentials to the bind secret for each of the LDAPs. For example, the following secret includes credentials for 3 LDAPs (the first LDAP, and LDAP IDs abc and def):

kubectl create secret generic ldap-bind-secret \
  --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapPassword="<yourLDAPPassword>" \
  --from-literal=ldapabcUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapabcPassword="<yourLDAPPassword>" \
  --from-literal=ldapdefUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapdefPassword="<yourLDAPPassword>"

Restriction: User short names and group short names must be unique across all configured directory servers.
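The ldapUsername rules above and the per-ID secret key names can be checked offline before the operator's own lc_ldap_precheck runs. The following Python script is an added example, not IBM's code or part of the operator; it assumes the CR spec and the secret's stringData have already been loaded into plain dictionaries (for example with a YAML parser) and uses constructed sample values.

```python
import re

# Characters the documentation allows in ldapUsername besides letters, digits and white space.
ALLOWED_DN_CHARS = re.compile(r"^[A-Za-z0-9\s=.,\-:@()_\\]*$")
MAX_LEN = 255


def required_bind_keys(cr_spec):
    """Return the (usernameKey, passwordKey) pairs the bind secret must hold.

    cr_spec is the parsed CP4BA custom resource spec. Every top-level key named
    ldap_configuration or ldap_configuration_<id_name> is one LDAP; the first block
    has no lc_ldap_id and so maps to the plain ldapUsername / ldapPassword keys.
    """
    pairs = []
    for section, values in cr_spec.items():
        if not section.startswith("ldap_configuration"):
            continue
        ldap_id = (values or {}).get("lc_ldap_id", "")
        pairs.append((f"ldap{ldap_id}Username", f"ldap{ldap_id}Password"))
    return pairs


def check_bind_username(value):
    """Return the problems with one ldapUsername value (empty list means OK)."""
    if value == "":
        # Documented behaviour: no user means the bind is made without authentication.
        return ["empty ldapUsername: bind will be unauthenticated"]
    problems = []
    if len(value) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not ALLOWED_DN_CHARS.match(value):
        problems.append("contains characters outside the allowed set")
    return problems


def check_bind_secret(cr_spec, secret_data):
    """Compare the bind secret's keys and values with what the CR requires.

    secret_data maps secret keys to plain-text values (the stringData view, not base64).
    Returns {key: [problem, ...]} containing only the keys that have a problem.
    """
    findings = {}
    for user_key, pass_key in required_bind_keys(cr_spec):
        if user_key not in secret_data:
            findings[user_key] = ["missing from secret"]
            continue
        problems = check_bind_username(secret_data[user_key])
        if problems:
            findings[user_key] = problems
        # The password is only required when a user is specified.
        if secret_data[user_key] and not secret_data.get(pass_key):
            findings[pass_key] = ["missing or empty password for a non-empty ldapUsername"]
    return findings


# Constructed sample CR spec: the first LDAP plus the IDs abc and def used in the text above.
SAMPLE_CR_SPEC = {
    "ldap_configuration": {"lc_bind_secret": "ldap-bind-secret"},
    "ldap_configuration_abc": {"lc_ldap_id": "abc"},
    "ldap_configuration_def": {"lc_ldap_id": "def"},
}
# Constructed sample secret (stringData view) with two deliberate mistakes: the abc
# username contains ';' (not an allowed character) and the def password key is absent.
SAMPLE_SECRET = {
    "ldapUsername": "cn=admin,dc=ibm,dc=edu",
    "ldapPassword": "placeholder-password",
    "ldapabcUsername": "cn=admin;dc=ibm,dc=edu",
    "ldapabcPassword": "placeholder-password",
    "ldapdefUsername": "cn=admin,dc=ibm,dc=edu",
}

if __name__ == "__main__":
    for key, problems in check_bind_secret(SAMPLE_CR_SPEC, SAMPLE_SECRET).items():
        print(f"{key}: {'; '.join(problems)}")
```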

LDAP parameters

Table 1. LDAP configuration
Each entry lists the parameter, its description, an IBM Security Directory Server (SDS) example value, and a Microsoft Active Directory (AD) example value.

ad.lc_ad_gc_host
  Description: The hostname of the Active Directory Global Catalog.
  SDS example: N/A
  AD example: Global Catalog host for LDAP. Leave empty ("") if not applicable.

ad.lc_ad_gc_port
  Description: The port of the Active Directory Global Catalog.
  SDS example: N/A
  AD example: Global Catalog port for LDAP. Leave empty ("") if not applicable.

ad.lc_group_filter
  Description: Search filter for finding entries in the Active Directory base DN group subtree that match the group name.
  SDS example: N/A
  AD example: (&(cn=%v)(objectcategory=group))

ad.lc_user_filter
  Description: Search filter for finding entries in the Active Directory base DN users subtree that match the username.
  SDS example: N/A
  AD example: (&(sAMAccountName=%v)(objectcategory=user))

lc_bind_secret
  Description: Username and password for the bind user. The LDAP bind secret must have ldapUsername and ldapPassword keys.
  SDS example: ldap-bind-secret
  AD example: ldap-bind-secret

lc_enable_pagination
  Description: Set to true if you want to enable LDAP pagination in the Identity Management (IM) foundational service. The default is false.
  SDS example: true, false
  AD example: true, false

lc_group_searchbase_list
  Description: Use this parameter to add custom search bases to IM. The value must be a list of search bases within square brackets "[]".
  SDS example: N/A
  AD example: N/A

lc_ldap_base_dn
  Description: The LDAP base distinguished name (DN). The base DN subtree is used when you search for user or group entries on the LDAP server.
  SDS example: o=mycompany,c=us
  AD example: cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com

lc_ldap_group_base_dn
  Description: The LDAP group base distinguished name (DN). The base DN subtree is used when you search for group entries on the LDAP server.
  SDS example: dc=hqpsidcdom,dc=com
  AD example: dc=hqpsidcdom,dc=com

lc_ldap_group_display_name_attr
  Description: The LDAP attribute to display the full name of the group.
  SDS example: cn
  AD example: cn

lc_ldap_group_member_id_map
  Description: Identifies the group member. Hyphens ("-") are not supported in the value for this parameter due to a defect in the Identity Management (IM) service REST API. The limitation might be removed in an upcoming version.
  SDS example: groupOfNames:member;groupOfUniqueNames:uniqueMember
    Note: If nested group support is enabled in SDS, set lc_ldap_group_member_id_map to ibm-allGroups:member;ibm-allGroups:uniqueMember.
  AD example: memberOf:member

lc_ldap_group_membership_search_filter
  Description: Search filter for finding group membership.
  SDS example: (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))
  AD example: (&(cn=%v)(objectcategory=group))

lc_ldap_group_name_attribute
  Description: The LDAP attribute that represents the group name.
  SDS example: *:cn
  AD example: *:cn

lc_ldap_id
  Description: Enter your LDAP ID information.
  SDS example: username, password
  AD example: username, password

lc_ldap_port
  Description: The LDAP server host port number.
  SDS example: 389
  AD example: 636

lc_ldap_precheck
  Description: The default value is true. True enables the validation of the LDAP connection before the installation. If the value is set to false, the operator skips the validation.
  SDS example: true
  AD example: true

lc_ldap_server
  Description: The hostname must be either the fully qualified domain name or the IP address of your LDAP server.
  SDS example: HOSTNAME
  AD example: HOSTNAME

lc_ldap_ssl_enabled
  Description: Specifies whether SSL is used to access an LDAP server.
  SDS example: true, false
  AD example: true, false

lc_ldap_max_search_results
  Description: Specify a higher value if you expect more search results.
  SDS example: 4500
  AD example: 4500

lc_ldap_recursive_search
  Description: Enable recursive searches. The default value is false. If the SDS has nested groups, this parameter must be set to lc_ldap_recursive_search: true.
  SDS example: true, false
  AD example: true, false

lc_ldap_ssl_secret_name
  Description: Specifies a secret name that includes an SSL certificate to use when SSL is used to access an LDAP server.
  SDS example: ldap-ssl-cert
  AD example: ldap-ssl-cert

lc_ldap_user_display_name_attr
  Description: The LDAP attribute to display for the full name of the user.
  SDS example: cn or uid
  AD example: sAMAccountName

lc_ldap_user_name_attribute
  Description: The LDAP attribute that represents the username. The list can contain multiple values, which are separated by a semicolon. The first relative distinguished name (RDN) must be part of the list. For example, if your user distinguished names (DNs) typically start with uid=..., make sure to include *:uid in the list.
  SDS example: *:cn or *:uid
  AD example: user:sAMAccountName

lc_pagination_size
  Description: If lc_enable_pagination is set to true, then specify the pagination size. If not specified, the Custom type has a default of 4500.
  SDS example: 2000
  AD example: 1000

lc_selected_ldap_type
  Description: The type of the directory. It can be Custom, IBM Security Directory Server, or Microsoft Active Directory.
  SDS example: IBM Security Directory Server
  AD example: Microsoft Active Directory

lc_user_searchbase_list
  Description: If your LDAP has many sub-trees and the users are not organized in structured groups, then use a list of search bases to add LDAP connections to IAM.
  SDS example: ["OU=searchbase1,DC=test,DC=com","OU=searchbase2,DC=test,DC=com","OU=searchbase3,DC=test,DC=com"]
  AD example: ["OU=searchbase1,DC=test,DC=com","OU=searchbase2,DC=test,DC=com","OU=searchbase3,DC=test,DC=com"]

scim_configuration_iam
  Description: Provide the relevant SCIM attribute mapping if it differs from the default values of the IM SCIM attributes.
  SDS example: N/A
  AD example: N/A

tds.lc_group_filter
  Description: Search filter for finding entries in the IBM Directory Server base DN group subtree that match the group name.
  SDS example: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))
  AD example: N/A

tds.lc_user_filter
  Description: Search filter for finding entries in the IBM Directory Server base DN users subtree that match the username.
  SDS example: (&(cn=%v)(objectclass=person))
  AD example: N/A

Table 2. Multi LDAP configuration parameters: ldap_configuration_<id_name>
Each entry lists the parameter, its description, its default value, and whether it is required.

lc_ldap_id
  Description: The LDAP ID for your multi-LDAP configuration. The <id_name> value must be unique. Example values might be msad, ad1, sds, tds1.
  Default: <id_name>
  Required: Yes

lc_selected_ldap_type
  Description: The type of the directory. It can be Custom, IBM Security Directory Server, or Microsoft Active Directory.
  Default: IBM Security Directory Server, Microsoft Active Directory

lc_ldap_server
  Description: The host name for the LDAP server that you are using for the environment.
  Default: none
  Required: Yes

lc_ldap_port
  Description: The port number for the LDAP server that you are using.
  Default: 389
  Required: Yes

lc_bind_secret
  Description: Username and password for the bind user. If lc_ldap_id is not defined, the LDAP bind secret is expected to have ldapUsername and ldapPassword keys. If lc_ldap_id is defined, the LDAP bind secret is expected to have ldap<lc_ldap_id>Username and ldap<lc_ldap_id>Password keys.
  Default: ldap-bind-secret

lc_ldap_base_dn
  Description: The base distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access.
  Default: dc=example,dc=com
  Required: Yes

lc_ldap_ssl_enabled
  Description: Specify whether SSL is enabled.
  Default: true
  Required: No

lc_ldap_ssl_secret_name
  Description: Provide the name of the SSL secret that you created.
  Default: " "
  Required: Yes

lc_ldap_user_name_attribute
  Description: Provide the format of the username.
  Default: (For TDS) *:cn; (For AD) user:sAMAccountName
  Required: Yes

lc_ldap_user_display_name_attr
  Description: Provide the format of the display name.
  Default: (For TDS) cn; (For AD) sAMAccountName
  Required: Yes

lc_ldap_group_base_dn
  Description: The base DN subtree that is used to search for group entries on the LDAP server.
  Default: dc=example,dc=com
  Required: Yes

lc_ldap_group_name_attribute
  Description: Provide the format of the group name.
  Default: (For TDS) *:cn
  Required: Yes

lc_ldap_group_display_name_attr
  Description: Provide the format of the group display name.
  Default: (For TDS) cn
  Required: Yes

lc_ldap_group_membership_search_filter
  Description: Filter for finding entries in the LDAP base DN (groups) subtree that match the group name.
  Default: (For TDS and AD) (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))
  Required: Yes

lc_ldap_group_member_id_map
  Description: The group id is a filter that is used to determine the group name.
  Default: (For TDS) groupofnames:member; (For AD) memberOf:member
  Required: Yes

ad.lc_ad_gc_host
  Description: Active Directory host.
  Default: none
  Required: Yes

ad.lc_ad_gc_port
  Description: Active Directory port.
  Default: none
  Required: Yes

ad.lc_user_filter
  Description: Active Directory user filter.
  Default: (&(samAccountName=%v)(objectClass=user))
  Required: No

ad.lc_group_filter
  Description: Active Directory group filter.
  Default: (&(samAccountName=%v)(objectclass=group))
  Required: No

tds.lc_user_filter
  Description: IBM Security Directory user filter.
  Default: (&(cn=%v)(objectclass=person))
  Required: No

tds.lc_group_filter
  Description: IBM Security Directory group filter.
  Default: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))
  Required: No

custom.lc_user_filter
  Description: Custom Directory user filter.
  Default: (&(objectClass=person)(cn=%v))
  Required: No

custom.lc_group_filter
  Description: Custom Directory group filter.
  Default: (&(objectClass=group)(cn=%v))
  Required: No

SCIM parameters

Update the CP4BA custom resource (CR) file to provide the relevant attribute mappings from your LDAP to the Identity Management (IM) SCIM. Choose a good value from your LDAP for the user_unique_id_attribute and group_unique_id_attribute parameters. These values are used to set the SCIM id attribute in IM for users and groups, and the CPE user and group unique id attributes of the CPE SCIM Provider. A good value from your LDAP meets all the following criteria:
  • unique
  • stable (immutable: it does not change)
  • efficient (objects can be quickly retrieved by this attribute)
  • String (it cannot be a binary LDAP attribute)
The unique id attribute depends on your LDAP server.
  • For a TDS/SDS LDAP, the ibm-entryuuid LDAP attribute is a good choice. It is used as the default value for an initial CP4BA deployment where no CPE domain is created.
  • For an MSAD LDAP, sAMAccountName or dn are possible choices. If your dn does not satisfy the stable requirement, do not choose this attribute. Unfortunately, the typical unique id attributes in MSAD (for example objectSid and objectGUID) are binary, so they cannot be used as the SCIM id attribute. The sAMAccountName is used as the default value for an initial CP4BA deployment where no CPE domain is created.
  • If you use openldap with the "Custom" LDAP type, then entryuuid is a good choice.
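As an added example (not from the IBM documentation or the operator), the following Python checks a candidate unique-id attribute against the criteria listed above over a set of LDAP entries. The entries are constructed in the script; in practice they would come from a search over the user or group base DN. Only uniqueness and string type can be checked from a snapshot; stability and efficiency still have to be judged from how the directory is administered and indexed.

```python
def assess_unique_id_attribute(entries, attribute):
    """Return the reasons an attribute is unsuitable as the SCIM id (empty list = passed).

    entries is a list of dicts, one per LDAP entry, mapping attribute name to value.
    A binary value (bytes) fails immediately; a value missing on any entry or shared by
    two entries also fails, because the SCIM id is what access control in CPE is keyed on.
    """
    reasons = []
    values = []
    for entry in entries:
        if attribute not in entry:
            reasons.append(f"missing on {entry.get('dn', '<no dn>')}")
            continue
        value = entry[attribute]
        if isinstance(value, (bytes, bytearray)):
            return ["binary attribute; the SCIM id must be a string"]
        values.append(value)
    duplicates = sorted({v for v in values if values.count(v) > 1})
    if duplicates:
        reasons.append(f"not unique: {duplicates}")
    return reasons


def first_suitable(entries, candidates):
    """Return the first candidate attribute that passes the offline checks, or None."""
    for attribute in candidates:
        if not assess_unique_id_attribute(entries, attribute):
            return attribute
    return None


# Constructed MSAD-style user entries; all values are invented for this example.
# Two users share a mailbox and every objectGUID is binary, so only sAMAccountName
# and dn survive the checks, matching the choices the text recommends for MSAD.
SAMPLE_USERS = [
    {"dn": "CN=Alice Example,CN=Users,DC=example,DC=com", "sAMAccountName": "alice",
     "objectGUID": bytes.fromhex("0a1b2c3d"), "mail": "alice@example.com"},
    {"dn": "CN=Bob Example,CN=Users,DC=example,DC=com", "sAMAccountName": "bob",
     "objectGUID": bytes.fromhex("4e5f6071"), "mail": "shared@example.com"},
    {"dn": "CN=Carol Example,OU=Contractors,DC=example,DC=com", "sAMAccountName": "carol",
     "objectGUID": bytes.fromhex("8293a4b5"), "mail": "shared@example.com"},
]

if __name__ == "__main__":
    for candidate in ("objectGUID", "mail", "ibm-entryuuid", "sAMAccountName", "dn"):
        verdict = assess_unique_id_attribute(SAMPLE_USERS, candidate) or ["ok"]
        print(f"{candidate}: {'; '.join(verdict)}")
    print("chosen:", first_suitable(SAMPLE_USERS, ["objectGUID", "mail", "sAMAccountName"]))
```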

The SCIM configuration section of the CR is only processed on the initial CP4BA deployment. If you modify any of these values for an existing CP4BA deployment, they are not changed in IM. Therefore, if you need to change any of your LDAP to IM SCIM attribute mapping, change the SCIM configuration by using the IM console.

Warning: Although it is possible to change all the parameter values in the IM console, do not change the value of the SCIM id to a different LDAP attribute for either users or groups. If you change the mapping after users have created documents, folders, or other objects in CPE, these users can no longer access them, because the access control lists (ACLs) attached to each of these objects are based on this SCIM id. If you change the mapping of the id, the access that is granted to these users is removed.

The following table describes the parameters that you need to set in the CR to create the IM SCIM configuration. Specify the attributes from your LDAP in the corresponding CR parameters. The default values shown in the table are the values that IM uses for a TDS/SDS LDAP. The CP4BA operator uses these parameters to construct the SCIM_LDAP_ATTRIBUTES_MAPPING data in the platform-auth-idp configMap. For more information, see Updating SCIM LDAP attributes mapping.

Table 3. IM SCIM LDAP attribute mapping parameters: ldap_configuration.scim_configuration_iam
Each entry lists the parameter, its description, its default value, and whether it is required.

group_external_id_attribute
  Description: Reference attribute for use with external repositories and directories. This attribute is sometimes set to the DN or the ObjectGUID of the group from the external registry.
  Default: dn
  Required: No

group_unique_id_attribute
  Description: Group ID.
  Default: dn
  Required: No

group_name_attribute
  Description: Provide the format of the group name. The group name has to be unique across all connected LDAPs.
  Default: cn
  Required: No

group_display_name_attribute
  Description: Provide the format of the group display name.
  Default: cn
  Required: No

group_members_attribute
  Description: Attribute that holds the list of group members.
  Default: member
  Required: No

group_object_class_attribute
  Description: Object class in the LDAP most commonly used to define groups. Must match the first value that is given in lc_group_filter.
  Default: groupOfNames
  Required: No

group_principal_name_attribute
  Description: Attribute holding the group's principal name.
  Default: cn
  Required: No

group_custom_mapping
  Description: Attribute holding the group's custom mapping.
  Default: ibmentryuuid
  Required: No

user_external_id_attribute
  Description: Reference attribute for use with external repositories and directories. This attribute is sometimes set to the DN or the ObjectGUID of the user from the external registry.
  Default: dn
  Required: No

user_unique_id_attribute
  Description: User ID.
  Default: dn
  Required: No

user_display_name_attribute
  Description: Provide the format of the display name.
  Default: cn
  Required: No

user_name_attribute
  Description: Provide the format of the username.
  Default: uid
  Required: No

user_family_name_attribute
  Description: Attribute holding the user's surname.
  Default: sn
  Required: No

user_full_name_attribute
  Description: Attribute holding the user's full name.
  Default: cn
  Required: No

user_given_name_attribute
  Description: Attribute holding the user's given name.
  Default: cn
  Required: No

user_groups_attribute
  Description: Attribute used to determine that a user is part of a group.
  Default: memberOf
  Required: No

user_object_class_attribute
  Description: Object class in the LDAP that is most commonly used to define users. Must match the first value that is given in lc_user_filter.
  Default: person
  Required: No

user_principal_name_attribute
  Description: Attribute holding the user's principal name.
  Default: uid
  Required: No

user_custom_mapping
  Description: Attribute holding the user's custom mapping.
  Default: ibmentryuuid
  Required: No

user_emails_attribute
  Description: Attribute holding the user's email.
  Default: mail
  Required: No

Example LDAP_configuration YAML for IBM Security Directory Server

Adjust the example to match your LDAP configuration.

ldap_configuration:
    lc_selected_ldap_type: "IBM Security Directory Server"
    lc_ldap_server: "myhost"
    lc_ldap_port: "389"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: false
    lc_ldap_ssl_secret_name: ""
    lc_ldap_user_name_attribute: "*:cn"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
    lc_ldap_group_member_id_map: "groupofnames:member"
    lc_ldap_max_search_results: 4500
    lc_ldap_recursive_search: false
    tds:
      lc_user_filter: "(&(cn=%v)(objectclass=person))"
      lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"

Example LDAP_configuration YAML for Microsoft Active Directory

Adjust the example to match your LDAP configuration.

ldap_configuration:
    lc_selected_ldap_type: "Microsoft Active Directory"
    lc_ldap_server: "myhost"
    lc_ldap_port: "636"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: "ldap-ssl-cert-secret"
    lc_ldap_user_name_attribute: "user:sAMAccountName"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(&(cn=%v)(objectcategory=group))"
    lc_ldap_group_member_id_map: "memberOf:member"
    lc_ldap_max_search_results: 4500
    lc_ldap_recursive_search: false
    ad:
      lc_ad_gc_host: ""
      lc_ad_gc_port: ""
      lc_user_filter: "(&(samAccountName=%v)(objectcategory=user))"
      lc_group_filter: "(&(cn=%v)(objectcategory=group))"

Example LDAP_configuration YAML for a custom LDAP

Adjust the example to match your LDAP configuration.

ldap_configuration:
    lc_selected_ldap_type: "Custom"
    lc_ldap_server: "myhost"
    lc_ldap_port: "636"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: "ldap-ssl-cert-secret"
    lc_ldap_user_name_attribute: "user:sAMAccountName"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(&(cn=%v)(objectcategory=group))"
    lc_ldap_group_member_id_map: "memberOf:member"
    lc_ldap_max_search_results: 4500
    lc_ldap_recursive_search: false
    lc_enable_pagination: false
    lc_pagination_size: 4500
    custom:
      lc_user_filter: "(&(objectClass=person)(cn=%v))"
      lc_group_filter: "(&(objectClass=group)(cn=%v))"

Database tuning

If your IBM Security Directory Server LDAP has 200,000+ users, 100+ groups, and multiple group search filters, the LDAP might fail to integrate with IAM. You can remove group search filters to see whether that resolves the problem. For more information about tuning, see Advanced tuning mode and How to run REORG, REORGCHK and RUNSTAT on all tables in a database.