Configuring secure LDAP with Liberty and WebSphere® for Engineering Lifecycle Management applications

To use the Lightweight Directory Access Protocol (LDAP) user registry for the Engineering Lifecycle Management applications, you provide the secure LDAP configuration and the user group-mapping details as input. When the LDAP user registry is configured, you can access the Engineering Lifecycle Management applications with Single Sign-On (SSO).

Before you begin

  1. Create the LDAP_CONFIG file in the configmaps directory in the following format. The file provides the inputs that the LDAP user registry needs.
    <!-- reference secure ldap property config -->
    <ldapRegistry ldapType="IBM Tivoli Directory Server" baseDN="o=test.com"
        bindDN="uid=clmadmin,c=in,ou=Users,o=test.com" bindPassword="${com.ibm.team.ldap.password}"
        host="ldapserver" id="ldapserver:636" ignoreCase="true" port="636"
        realm="ldapserver:636" recursiveSearch="true" searchTimeout="10m" sslEnabled="true">
        <idsFilters
            groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
            groupIdMap="*:cn"
            groupMemberIdMap="groupOfUniqueNames:uniquemember"
            userFilter="(&amp;(uid=%v)(objectclass=person))"
            userIdMap="*:uid">
        </idsFilters>
        <attributeConfiguration>
            <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
            <!-- propertyName is the SCIM property, name is the LDAP attribute -->
        </attributeConfiguration>
        <ldapEntityType name="PersonAccount">
            <searchBase>c=in,ou=Users,o=test.com</searchBase>
        </ldapEntityType>
        <ldapEntityType name="Group">
            <searchBase>ou=JazzGroups,ou=Groups,o=test.com</searchBase>
        </ldapEntityType>
    </ldapRegistry>
    <federatedRepository maxSearchResults="100000" />
    <administrator-role>
        <user>myscimadmin</user>
    </administrator-role>
    Important: The sslEnabled attribute must be set to true when you use a secure LDAP configuration. Note that the ampersand in an LDAP filter is written as &amp; because the file is parsed as XML. If your LDAP configuration includes the bindPassword attribute, its value must be the placeholder that is shown in the following example; the actual password is supplied through the instance secret, not in this file.
    bindPassword="${com.ibm.team.ldap.password}"

    Provide the LDAP password in the LDAP_PASSWORD field in the Engineering Lifecycle Management instance secret. For more information, see Creating the Engineering Lifecycle Management instance secret.

  2. Create the AUTH_ROLE_CONFIG file in the configmaps directory in the following format. The file maps the groups and users that act as JAS administrators.
    <oauth-roles>
        <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </authenticated>
        <clientManager>
            <group name="MYJazzAdmins" />
            <user name="myscimadmin" />
        </clientManager>
        <tokenManager>
            <group name="MYJazzAdmins" />
            <user name="myscimadmin" />
        </tokenManager>
    </oauth-roles>
    Important: The tokenManager element applies only when you use Security Assertion Markup Language (SAML) as the JAS authentication type.
  3. Create the SCIM_GROUP_MAPPING file in the configmaps directory in the following format. The file maps the Jazz® roles to LDAP groups.
    JazzAdmins=MYJazzAdmins;JazzOperationsAdmins,JazzProjectAdmins=JazzProjectAdmins,JazzUsers=JazzUsers,JazzGuests=JazzGuests
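    As an added pre-flight check (example code, not IBM's or the product's own), the following Python script parses an LDAP_CONFIG fragment the way a standard XML parser would, confirms that sslEnabled is "true" and that bindPassword is a ${...} placeholder rather than a literal, and parses SCIM_GROUP_MAPPING into a role-to-groups table. The sample inputs are constructed; the mapping syntax (commas between roles, semicolons between several groups for one role) is read from the sample on this page.

```python
"""Pre-flight check for the three files in configmaps/ before they are turned
into the elm-auth-type-config configmap. Added example; not IBM's code."""
import re
import xml.etree.ElementTree as ET

# Liberty-style variable reference such as ${com.ibm.team.ldap.password}
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z0-9_.-]+\}$")


def check_ldap_config(text):
    """Return the problems found in an LDAP_CONFIG fragment (empty list if it passes)."""
    try:
        # The fragment has several top-level elements; wrap it in a synthetic root.
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        # Also catches a raw '&' in an LDAP filter where '&amp;' is required.
        return [f"LDAP_CONFIG is not well-formed XML: {exc}"]
    reg = root.find("ldapRegistry")
    if reg is None:
        return ["LDAP_CONFIG has no <ldapRegistry> element"]
    problems = []
    if reg.get("sslEnabled") != "true":
        problems.append('sslEnabled must be "true" for secure LDAP')
    pw = reg.get("bindPassword")
    if pw is not None and not PLACEHOLDER.match(pw):
        problems.append("bindPassword must be a ${...} placeholder; the real value belongs in the instance secret")
    return problems


def parse_group_mapping(text):
    """Parse SCIM_GROUP_MAPPING into {jazz_role: [ldap_groups]}; ',' separates roles, ';' groups."""
    mapping = {}
    for entry in text.strip().split(","):
        role, sep, groups = entry.partition("=")
        if not sep or not role.strip():
            raise ValueError(f"bad SCIM_GROUP_MAPPING entry: {entry!r}")
        mapping[role.strip()] = [g.strip() for g in groups.split(";") if g.strip()]
    return mapping


# Constructed samples (not the page's files): one acceptable, one with two common mistakes.
GOOD_LDAP = ('<ldapRegistry id="ldapserver:636" host="ldapserver" port="636" sslEnabled="true" '
             'bindDN="uid=clmadmin,o=test.com" bindPassword="${com.ibm.team.ldap.password}">'
             '<idsFilters userFilter="(&amp;(uid=%v)(objectclass=person))"/></ldapRegistry>'
             '<administrator-role><user>myscimadmin</user></administrator-role>')
BAD_LDAP = GOOD_LDAP.replace('sslEnabled="true"', 'sslEnabled="false"').replace(
    "${com.ibm.team.ldap.password}", "literal-password-here")
MAPPING = "JazzAdmins=MYJazzAdmins;JazzOperationsAdmins,JazzUsers=JazzUsers"

if __name__ == "__main__":
    print(check_ldap_config(GOOD_LDAP))   # []
    print(check_ldap_config(BAD_LDAP))    # sslEnabled and bindPassword problems
    print(parse_group_mapping(MAPPING))
```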

About this task

For the Engineering Lifecycle Management instance creation, you must provide LDAP configuration and user group-mapping details as input. When the LDAP user registry is configured, you can access the Engineering Lifecycle Management applications with Single Sign-On (SSO).

You configure the LDAP user registry by providing the input in a configmap object in the Kubernetes cluster. You create a configmap named elm-auth-type-config from three files named LDAP_CONFIG, AUTH_ROLE_CONFIG, and SCIM_GROUP_MAPPING. Place the files in the configmaps directory and create the configmap object from the command line.

The inputs that you provide in the configmap must describe the user registry that the Engineering Lifecycle Management instance works with: the existing user registry in your environment that contains the user groups that are expected to work in the Engineering Lifecycle Management instance. If you have an existing on-premises Engineering Lifecycle Management installation, or an LDAP configuration that is used with another application, you can copy and reuse its user registry settings. Ensure that the group-to-role mapping and the authorized user credentials are valid.

Red Hat OpenShift Container Platform web console method

Procedure

  • Log in to the Red Hat OpenShift web console with a user that has the appropriate role.
  • Go to Workloads > ConfigMaps.
  • Select Create ConfigMap in the upper right of the page.
  • To continue by using the Form view:
    • Enter the configmap name: elm-auth-type-config
    • Add the keys LDAP_CONFIG, AUTH_ROLE_CONFIG, and SCIM_GROUP_MAPPING, with the contents of the corresponding files as their values.
  • To continue by using the YAML view, enter the following definition:
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: elm-auth-type-config
      namespace: <namespace_name>
    data:
      AUTH_ROLE_CONFIG: |
        <oauth-roles>
          <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS" />
          </authenticated>
          <clientManager>
            <group name="MYJazzAdmins" />
            <user name="myscimadmin" />
          </clientManager>
          <tokenManager>
            <group name="MYJazzAdmins" />
            <user name="myscimadmin" />
          </tokenManager>
        </oauth-roles>
      LDAP_CONFIG: |
        <!-- reference secure ldap property config -->
        <ldapRegistry ldapType="IBM Tivoli Directory Server" baseDN="o=test.com"
            bindDN="uid=clmadmin,c=in,ou=Users,o=test.com" bindPassword="${com.ibm.team.ldap.password}"
            host="ldapserver" id="ldapserver:636" ignoreCase="true" port="636"
            realm="ldapserver:636" recursiveSearch="true" searchTimeout="10m" sslEnabled="true">
          <idsFilters
              groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
              groupIdMap="*:cn"
              groupMemberIdMap="groupOfUniqueNames:uniquemember"
              userFilter="(&amp;(uid=%v)(objectclass=person))"
              userIdMap="*:uid">
          </idsFilters>
          <attributeConfiguration>
            <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
            <!-- propertyName is the SCIM property, name is the LDAP attribute -->
          </attributeConfiguration>
          <ldapEntityType name="PersonAccount">
            <searchBase>c=in,ou=Users,o=test.com</searchBase>
          </ldapEntityType>
          <ldapEntityType name="Group">
            <searchBase>ou=JazzGroups,ou=Groups,o=test.com</searchBase>
          </ldapEntityType>
        </ldapRegistry>
        <federatedRepository maxSearchResults="100000" />
        <administrator-role>
          <user>myscimadmin</user>
        </administrator-role>
      SCIM_GROUP_MAPPING: |
        JazzAdmins=JazzAdmins,JazzProjectAdmins=JazzProjectAdmins,JazzUsers=JazzUsers,JazzGuests=JazzGuests
  • Click Create.

Red Hat OpenShift CLI method

Procedure

  • Log in to the cluster.
    oc login
  • Set the project area.
    oc project <your-project>
  • Run the following command to create the configmap in the cluster. It creates a configmap named elm-auth-type-config.
    The information in the configmap is used for the JAS application configuration.
    oc create configmap elm-auth-type-config --from-file=configmaps/
    During the Engineering Lifecycle Management instance creation, the availability of the configmap elm-auth-type-config and all of its parameters are validated. If the validation fails, the Engineering Lifecycle Management instance cannot be created and an error message appears.
    For more information on the ConfigMap, see Fully populated sample YAML of elm-auth-type-config.

Kubernetes CLI method

Procedure

Create a configmap named elm-auth-type-config from the configmaps folder.
kubectl create configmap elm-auth-type-config --from-file=configmaps/
For more information on the ConfigMap, see Fully populated sample YAML of elm-auth-type-config.