LDAP configuration
A server that runs the Lightweight Directory Access Protocol (LDAP) can be configured by more than one component on Kubernetes.
Download the sample configuration XML files from cert-kubernetes and modify a file to match your existing LDAP server. The CP4BA operator supports a maximum of 5 LDAP servers. Follow the instructions to apply the modified configuration file in your deployment. Options include IBM Security Directory Server, Microsoft Active Directory, and a custom directory.
Use the following sections to help you configure your LDAPs.
Bind secret
For components that require LDAP, use the lc_bind_secret parameter in the template YAML file to locate a secret that includes the ldapUsername and ldapPassword keys. Specify the name of the secret that you create in the lc_bind_secret parameter.
ldap_configuration:
  lc_bind_secret: ldap-bind-secret
  ldap<ID>Username:
  ldap<ID>Password:
The following command shows how to create the ldap-bind-secret secret with the needed username and password.
oc create secret generic ldap-bind-secret \
  --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapPassword="<yourLDAPPassword>"
If you need multiple LDAP configurations, for example ldap_configuration_xxx and ldap_configuration_yyy, use a single secret (by default ldap-bind-secret) to include all your LDAP credentials. The operator looks for a username and password for each LDAP ID. A ldap_configuration_***.lc_ldap_id parameter is required to separate the credentials. You do not need to add an ID for the first ldap_configuration, which uses ldapUsername and ldapPassword.
For example, set the LDAP IDs in the custom resource:
ldap_configuration:
ldap_configuration_abc:
  lc_ldap_id: abc
ldap_configuration_def:
  lc_ldap_id: def
You can then add the credentials to the bind secret for each of the LDAPs. For example, the following secret includes credentials for 3 LDAPs (for the first LDAP, and for LDAP IDs abc and def):
kubectl create secret generic ldap-bind-secret \
  --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapPassword="<yourLDAPPassword>" \
  --from-literal=ldapabcUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapabcPassword="<yourLDAPPassword>" \
  --from-literal=ldapdefUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapdefPassword="<yourLDAPPassword>"
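The key-naming rule above (plain ldapUsername/ldapPassword for the first ldap_configuration, ldap<ID>Username/ldap<ID>Password for every block that carries an lc_ldap_id) is easy to get wrong when several LDAPs share one secret, and a missing key only surfaces as an operator precheck failure. The following Python is an added example, not IBM code: it derives the keys the operator expects from the CR blocks and reports which ones a Secret manifest lacks. It assumes the ldap_configuration_<id> blocks are siblings in the CR spec (as the example above suggests) and uses a constructed spec and a constructed Secret in which one password is deliberately missing.

```python
# Added example (not from the IBM documentation): derive the bind-secret keys
# the operator looks up for each ldap_configuration* block and check a Secret
# manifest for them. The ldap<ID>Username / ldap<ID>Password convention is the
# one described on the page; the spec and Secret below are constructed.
import base64


def required_bind_keys(cr_spec):
    """Return the Secret data keys needed for every ldap_configuration* block.

    The first block (ldap_configuration) has no lc_ldap_id and uses the plain
    ldapUsername/ldapPassword keys; each extra block contributes
    ldap<lc_ldap_id>Username and ldap<lc_ldap_id>Password.
    """
    keys = []
    for name, block in cr_spec.items():
        if not name.startswith("ldap_configuration"):
            continue
        if name == "ldap_configuration":
            prefix = "ldap"
        else:
            ldap_id = (block or {}).get("lc_ldap_id")
            if not ldap_id:
                raise ValueError(f"{name}: lc_ldap_id is required to separate credentials")
            prefix = f"ldap{ldap_id}"
        keys.extend([f"{prefix}Username", f"{prefix}Password"])
    return keys


def missing_bind_keys(cr_spec, secret):
    """Return the required keys that the Secret lacks or leaves empty.

    Handles both base64 'data' and plain 'stringData' as kubectl would.
    """
    values = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    values.update(secret.get("stringData", {}))
    return [k for k in required_bind_keys(cr_spec) if not values.get(k)]


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed CR spec: one default LDAP plus two ID'd blocks, as on the page.
SAMPLE_SPEC = {
    "ldap_configuration": {"lc_selected_ldap_type": "IBM Security Directory Server"},
    "ldap_configuration_abc": {"lc_ldap_id": "abc"},
    "ldap_configuration_def": {"lc_ldap_id": "def"},
}

# Constructed Secret: ldapdefPassword is deliberately left out to show the check.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "ldap-bind-secret"},
    "data": {
        "ldapUsername": _b64("cn=admin,dc=ibm,dc=edu"),
        "ldapPassword": _b64("placeholder-password"),
        "ldapabcUsername": _b64("cn=admin,dc=ibm,dc=edu"),
        "ldapabcPassword": _b64("placeholder-password"),
        "ldapdefUsername": _b64("cn=admin,dc=ibm,dc=edu"),
    },
}

if __name__ == "__main__":
    print("expected keys:", required_bind_keys(SAMPLE_SPEC))
    print("missing keys:", missing_bind_keys(SAMPLE_SPEC, SAMPLE_SECRET))
```

To use it against a live cluster, feed it the output of `kubectl get secret ldap-bind-secret -o json` and the CR spec; a non-empty result means the operator will not find credentials for that LDAP ID.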
LDAP parameters
Parameters | Description | IBM Security Directory Server example values | Microsoft Active Directory example values |
---|---|---|---|
ad.lc_ad_gc_host | The hostname of the Active Directory Global Catalog | N/A | N/A |
ad.lc_ad_gc_port | The port of the Active Directory Global Catalog | N/A | N/A |
ad.lc_group_filter | Search filter for finding entries in the Active Directory base DN group subtree that match the group name. | N/A | (&(cn=%v)(objectcategory=group)) |
ad.lc_user_filter | Search filter for finding entries in the Active Directory base DN users subtree that match the username. | N/A | (&(sAMAccountName=%v)(objectcategory=user)) |
lc_bind_secret | User name and password for the bind user. The LDAP bind secret must have ldapUsername and ldapPassword keys. | ldap-bind-secret | ldap-bind-secret |
lc_enable_pagination | Set to true if you want to enable LDAP pagination in the Identity Access and Management (IAM) foundational service. The default is false. | true, false | true, false |
lc_group_searchbase_list | Use this parameter to add custom search bases to IAM. The value must be a list of search bases within square brackets ("[]"). | N/A | N/A |
lc_ldap_base_dn | The LDAP base distinguished name (DN). The base DN subtree is used when you search for user or group entries on the LDAP server. | o=mycompany,c=us | cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com |
lc_ldap_group_base_dn | The LDAP group base distinguished name (DN). The base DN subtree is used when you search for group entries on the LDAP server. | dc=hqpsidcdom,dc=com | dc=hqpsidcdom,dc=com |
lc_ldap_group_display_name_attr | The LDAP attribute to display the full name of the group. | cn | cn |
lc_ldap_group_member_id_map | Identifies the group member. Hyphens ("-") are not supported in the value for this parameter due to a defect in the Identity Access and Management (IAM) service REST API. The limitation is removed in an upcoming version. | groupOfNames:member;groupOfUniqueNames:uniqueMember. Note: If nested group support is enabled in SDS, set lc_ldap_group_member_id_map to ibm-allGroups:member;ibm-allGroups:uniqueMember. | memberOf:member |
lc_ldap_group_membership_search_filter | Search filter for finding group membership. | (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0}))) | (&(cn=%v)(objectcategory=group)) |
lc_ldap_group_name_attribute | The LDAP attribute that represents the group name. | *:cn | *:cn |
lc_ldap_id | Enter your LDAP ID information. | username, password | username, password |
lc_ldap_port | The LDAP server host port number. | 389 | 636 |
lc_ldap_precheck | The default value is set to true. True enables the validation of the LDAP connection before the installation. If the value is set to false, the operator skips the validation. | true | true |
lc_ldap_server | The hostname must be either the fully qualified domain name or IP address of your LDAP server. | HOSTNAME | HOSTNAME |
lc_ldap_ssl_enabled | Specifies whether SSL is used to access the LDAP server. | true, false | true, false |
lc_ldap_max_search_results | Specify a higher value if you expect more search results. | 4500 | 4500 |
lc_ldap_recursive_search | Enable recursive searches. The default value is false. | true, false. If the SDS has nested groups, set lc_ldap_recursive_search: true | true, false. If the SDS has nested groups, set lc_ldap_recursive_search: true |
lc_ldap_ssl_secret_name | Specifies a secret name that includes an SSL certificate to use when SSL is used to access LDAP server. | ldap-ssl-cert | ldap-ssl-cert |
lc_ldap_user_display_name_attr | The LDAP attribute to display for the full name of the user. | cn or uid | sAMAccountName |
lc_ldap_user_name_attribute | The LDAP attribute that represents the user name. The list can contain multiple values, which are separated by a semicolon. The first relative distinguished name (RDN) must be part of the list. For example, if your user distinguished names (DNs) typically start with uid=..., make sure to include *:uid in the list. | *:cn or *:uid | user:sAMAccountName |
lc_pagination_size | If lc_enable_pagination is set to true, then specify the pagination size. If not specified, the Custom type has a default of 4500. | 2000 | 1000 |
lc_selected_ldap_type | The type of the directory. It can be Custom, IBM Security Directory Server, or Microsoft Active Directory. | IBM Security Directory Server | Microsoft Active Directory |
lc_user_searchbase_list | If your LDAP has many sub-trees and the users are not organized in structured groups, then use a list of search bases to add LDAP connections to IAM. | ["OU=searchbase1,DC=test,DC=com","OU=searchbase2,DC=test,DC=com","OU=searchbase3,DC=test,DC=com"] | ["OU=searchbase1,DC=test,DC=com","OU=searchbase2,DC=test,DC=com","OU=searchbase3,DC=test,DC=com"] |
scim_configuration_iam | Provide the relevant SCIM attribute mapping if they are derived from the default values of IAM SCIM attributes. | N/A | N/A |
tds.lc_group_filter | Search filter for finding entries in the IBM Directory Server base DN group subtree that match the group name. | (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))) | N/A |
tds.lc_user_filter | Search filter for finding entries in the IBM Directory Server base DN users subtree that match the username. | (&(cn=%v)(objectclass=person)) | N/A |
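The user and group filters in this table carry a %v placeholder, and the membership filter a {0} placeholder, that the identity service fills with a name or DN at search time. Whatever fills those placeholders must be escaped as an LDAP assertion value (RFC 4515), otherwise a name containing parentheses or a wildcard changes the meaning of the filter. The following Python is an added example, not IBM code and not the operator's own substitution logic: it renders the page's own example filter templates with an escaped value and sanity-checks a template as written in the CR. The inputs are constructed.

```python
# Added example (not from the IBM documentation): render the %v / {0} search
# filter templates from the parameter table with an RFC 4515-escaped value and
# check a template for the two mistakes most often made when editing one in
# the CR (no placeholder, or unbalanced parentheses). Values are constructed.

# RFC 4515 section 3: these characters must be hex-escaped in assertion values.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Templates copied from the example-value columns above.
AD_USER_FILTER = "(&(sAMAccountName=%v)(objectcategory=user))"
SDS_USER_FILTER = "(&(cn=%v)(objectclass=person))"
SDS_MEMBERSHIP_FILTER = (
    "(|(&(objectclass=groupofnames)(member={0}))"
    "(&(objectclass=groupofuniquenames)(uniquemember={0})))"
)


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def placeholder_style(template):
    """Which placeholder a template uses: '%v' (user/group filters) or '{0}' (membership)."""
    styles = [p for p in ("%v", "{0}") if p in template]
    return styles[0] if len(styles) == 1 else None


def check_template(template):
    """Return a list of problems with a filter template as written in the CR."""
    problems = []
    styles = [p for p in ("%v", "{0}") if p in template]
    if not styles:
        problems.append("no %v or {0} placeholder")
    elif len(styles) > 1:
        problems.append("mixes %v and {0} placeholders")
    if template.count("(") != template.count(")"):
        problems.append("unbalanced parentheses")
    return problems


def render_filter(template, value):
    """Substitute the escaped value into every placeholder of the template."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    escaped = escape_filter_value(value)
    return template.replace("%v", escaped).replace("{0}", escaped)


if __name__ == "__main__":
    print(render_filter(AD_USER_FILTER, "alice"))
    # A display name with parentheses stays a literal, not filter syntax.
    print(render_filter(SDS_USER_FILTER, "Smith (Sales)"))
    print(render_filter(SDS_MEMBERSHIP_FILTER, "cn=alice,o=mycompany,c=us"))
```

The escaping applies to the value only; the template itself is trusted configuration from the CR, which is why check_template reports a broken template instead of trying to repair it.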
Parameters | Description | Default Values | Required |
---|---|---|---|
lc_ldap_id | The LDAP ID for your multi-LDAP configuration. The <id_name> value must be unique. Example values could be msad, ad1, sds, tds1. | <id_name> | Yes |
lc_selected_ldap_type | The type of the directory. This can be Custom, IBM Security Directory Server, or Microsoft Active Directory. | IBM Security Directory Server | Microsoft Active Directory |
lc_ldap_server | The host name for the LDAP server that you are using for the environment. | | Yes |
lc_ldap_port | The port number for the LDAP server that you are using. | 389 | Yes |
lc_bind_secret | User name and password for the bind user. If lc_ldap_id is not defined, the LDAP bind secret has ldapUsername and ldapPassword keys. If lc_ldap_id is defined, the LDAP bind secret is expected to have ldap<lc_ldap_id>Username and ldap<lc_ldap_id>Password keys. | ldap-bind-secret | |
lc_ldap_base_dn | The base distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access. | dc=example,dc=com | Yes |
lc_ldap_ssl_enabled | Specify whether SSL is enabled. | true | No |
lc_ldap_ssl_secret_name | Provide the name of the SSL secret that you created. | " " | Yes |
lc_ldap_user_name_attribute | Provide the format of the user name. | (For TDS) *:cn (For AD) user:sAMAccountName | Yes |
lc_ldap_user_display_name_attr | Provide the format of the display name. | (For TDS) cn (For AD) sAMAccountName | Yes |
lc_ldap_group_base_dn | The base DN subtree that is used when searching for group entries on the LDAP server. | dc=example,dc=com | Yes |
lc_ldap_group_name_attribute | Provide the format of the group name. | (For TDS) *:cn | Yes |
lc_ldap_group_display_name_attr | Provide the format of the group display name. | (For TDS) cn | Yes |
lc_ldap_group_membership_search_filter | Filter for finding entries in the LDAP base DN (groups) subtree that match the group name. | (For TDS and AD) (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0}))) | Yes |
lc_ldap_group_member_id_map | The group ID is a filter that is used to determine the group name. | (For TDS) groupofnames:member (For AD) memberOf:member | Yes |
ad.lc_ad_gc_host | Active Directory host. | | Yes |
ad.lc_ad_gc_port | Active Directory port. | | Yes |
ad.lc_user_filter | Active Directory user filter. | (&(samAccountName=%v)(objectClass=user)) | No |
ad.lc_group_filter | Active Directory group filter. | (&(samAccountName=%v)(objectclass=group)) | No |
tds.lc_user_filter | IBM Security Directory user filter. | (&(cn=%v)(objectclass=person)) | No |
tds.lc_group_filter | IBM Security Directory group filter. | (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))) | No |
custom.lc_user_filter | Custom Directory user filter. | (&(objectClass=person)(cn=%v)) | No |
custom.lc_group_filter | Custom Directory group filter. | (&(objectClass=group)(cn=%v)) | No |
SCIM parameters
Table 3 is used by the operator to construct a configmap when you deploy IAM from the IBM Cloud Pak foundational services. The platform-auth-idp configmap is used by IAM to support the SCIM APIs for a configured LDAP connection in IBM Cloud Pak foundational services. The configmap allows you to modify the IAM default SCIM_LDAP_ATTRIBUTES_MAPPING data so it matches with the LDAP that IAM is configured to use. For more information about updating the SCIM_LDAP_ATTRIBUTES_MAPPING, see Updating SCIM LDAP attributes mapping.
Parameters | Description | Default Values | Required |
---|---|---|---|
group_external_id_attribute | Reference attribute for use with external repositories and directories. This attribute is sometimes set to the DN or the ObjectGUID of the group from the external registry. | dn | No |
group_unique_id_attribute | Group ID | dn | No |
group_name_attribute | Provide the format of the group name. | cn | No |
group_display_name_attribute | Provide the format of the group display name. | cn | No |
group_members_attribute | Attribute that holds the list of group members. | member | No |
group_object_class_attribute | Object class in the LDAP most commonly used to define groups. Must match with first value that is given in lc_group_filter. | groupOfNames | No |
group_principal_name_attribute | Attribute holding group's principal name. | cn | No |
group_custom_mapping | Attribute holding the group's custom mapping. | ibmentryuuid | No |
user_external_id_attribute | Reference attribute for use with external repositories and directories. This attribute is sometimes set to the DN or the ObjectGUID of the user from the external registry. | dn | No |
user_unique_id_attribute | User ID | dn | No |
user_display_name_attribute | Provide the format of the display name. | cn | No |
user_name_attribute | Provide the format of the username. | uid | No |
user_family_name_attribute | Attribute holding user's surname. | sn | No |
user_full_name_attribute | Attribute holding user's full name. | cn | No |
user_given_name_attribute | Attribute holding user's given name. | cn | No |
user_groups_attribute | Attribute used to determine a user is part of a group. | memberOf | No |
user_object_class_attribute | Object class in the LDAP most commonly used to define users. Must match with first value that is given in lc_user_filter. | person | No |
user_principal_name_attribute | Attribute holding user's principal name. | uid | No |
user_custom_mapping | Attribute holding user's custom mapping. | ibmentryuuid | No |
user_emails_attribute | Attribute holding user's email. | | No |
Example LDAP_configuration YAML for IBM Security Directory Server
ldap_configuration:
  lc_selected_ldap_type: "IBM Security Directory Server"
  lc_ldap_server: "myhost"
  lc_ldap_port: "389"
  lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
  lc_ldap_ssl_enabled: false
  lc_ldap_ssl_secret_name: ""
  lc_ldap_user_name_attribute: "*:cn"
  lc_ldap_user_display_name_attr: "cn"
  lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
  lc_ldap_group_name_attribute: "*:cn"
  lc_ldap_group_display_name_attr: "cn"
  lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
  lc_ldap_group_member_id_map: "groupofnames:member"
  lc_ldap_max_search_results: 4500
  lc_ldap_recursive_search: false
  tds:
    lc_user_filter: "(&(cn=%v)(objectclass=person))"
    lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
Example LDAP_configuration YAML for Microsoft Active Directory
ldap_configuration:
  lc_selected_ldap_type: "Microsoft Active Directory"
  lc_ldap_server: "myhost"
  lc_ldap_port: "636"
  lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
  lc_ldap_ssl_enabled: true
  lc_ldap_ssl_secret_name: "ldap-ssl-cert-secret"
  lc_ldap_user_name_attribute: "user:sAMAccountName"
  lc_ldap_user_display_name_attr: "cn"
  lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
  lc_ldap_group_name_attribute: "*:cn"
  lc_ldap_group_display_name_attr: "cn"
  lc_ldap_group_membership_search_filter: "(&(cn=%v)(objectcategory=group))"
  lc_ldap_group_member_id_map: "memberOf:member"
  lc_ldap_max_search_results: 4500
  lc_ldap_recursive_search: false
  ad:
    lc_ad_gc_host: ""
    lc_ad_gc_port: ""
    lc_user_filter: "(&(samAccountName=%v)(objectcategory=user))"
    lc_group_filter: "(&(cn=%v)(objectcategory=group))"
Example LDAP_configuration YAML for a custom LDAP
You must adjust the example to match your LDAP configuration.
ldap_configuration:
  lc_selected_ldap_type: "Custom"
  lc_ldap_server: "myhost"
  lc_ldap_port: "636"
  lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
  lc_ldap_ssl_enabled: true
  lc_ldap_ssl_secret_name: "ldap-ssl-cert-secret"
  lc_ldap_user_name_attribute: "user:sAMAccountName"
  lc_ldap_user_display_name_attr: "cn"
  lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
  lc_ldap_group_name_attribute: "*:cn"
  lc_ldap_group_display_name_attr: "cn"
  lc_ldap_group_membership_search_filter: "(&(cn=%v)(objectcategory=group))"
  lc_ldap_group_member_id_map: "memberOf:member"
  lc_ldap_max_search_results: 4500
  lc_ldap_recursive_search: false
  lc_enable_pagination: false
  lc_pagination_size: 4500
  custom:
    lc_user_filter: "(&(objectClass=person)(cn=%v))"
    lc_group_filter: "(&(objectClass=group)(cn=%v))"
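The three examples above differ in the type-specific filter section (tds, ad, custom) and in whether SSL is on; the parameter table also marks which lc_* keys are required. An offline check that applies those rules before the CR is submitted saves a round trip through the operator's lc_ldap_precheck. The following Python is an added example, not IBM code and not the operator's own validation: it encodes the required-parameter list from the table, the type-to-section pairing shown in the examples, and two consistency rules (an enabled SSL needs a secret name; port 636 is the LDAPS port, so SSL should be on). The sample blocks are the page's SDS and AD examples reduced to dicts.

```python
# Added example (not from the IBM documentation): sanity-check one
# ldap_configuration block against the required parameters in the table above
# and the type-specific filter sections used in the examples. The sample
# blocks are constructed from the page's SDS and AD examples.

# Keys marked Required in the parameter table (lc_ldap_id only applies to
# additional LDAP blocks, so it is not listed here).
REQUIRED = [
    "lc_selected_ldap_type", "lc_ldap_server", "lc_ldap_port", "lc_ldap_base_dn",
    "lc_ldap_user_name_attribute", "lc_ldap_user_display_name_attr",
    "lc_ldap_group_base_dn", "lc_ldap_group_name_attribute",
    "lc_ldap_group_display_name_attr", "lc_ldap_group_membership_search_filter",
    "lc_ldap_group_member_id_map",
]

# Directory type -> name of the nested filter section the examples use.
TYPE_SECTION = {
    "IBM Security Directory Server": "tds",
    "Microsoft Active Directory": "ad",
    "Custom": "custom",
}


def _true(value):
    """YAML booleans may arrive as bool or as the strings 'true'/'false'."""
    return str(value).lower() == "true"


def precheck(block):
    """Return a list of problems with the block; an empty list means it passes."""
    problems = [f"{key} is required" for key in REQUIRED if block.get(key) in (None, "")]
    ldap_type = block.get("lc_selected_ldap_type")
    section = TYPE_SECTION.get(ldap_type)
    if section is None:
        problems.append(f"unknown lc_selected_ldap_type: {ldap_type!r}")
    elif section not in block:
        problems.append(f"{ldap_type} expects a {section}: filter section")
    ssl_on = _true(block.get("lc_ldap_ssl_enabled"))
    if ssl_on and not block.get("lc_ldap_ssl_secret_name"):
        problems.append("lc_ldap_ssl_enabled is true but lc_ldap_ssl_secret_name is empty")
    if str(block.get("lc_ldap_port")) == "636" and not ssl_on:
        problems.append("port 636 is the LDAPS port but lc_ldap_ssl_enabled is false")
    return problems


def variant(block, **changes):
    """Copy of a block with some keys overridden (for trying out mistakes)."""
    return {**block, **changes}


# Constructed from the SDS example above.
SDS_EXAMPLE = {
    "lc_selected_ldap_type": "IBM Security Directory Server",
    "lc_ldap_server": "myhost",
    "lc_ldap_port": "389",
    "lc_ldap_base_dn": "dc=hqpsidcdom,dc=com",
    "lc_ldap_ssl_enabled": False,
    "lc_ldap_ssl_secret_name": "",
    "lc_ldap_user_name_attribute": "*:cn",
    "lc_ldap_user_display_name_attr": "cn",
    "lc_ldap_group_base_dn": "dc=hqpsidcdom,dc=com",
    "lc_ldap_group_name_attribute": "*:cn",
    "lc_ldap_group_display_name_attr": "cn",
    "lc_ldap_group_membership_search_filter":
        "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))",
    "lc_ldap_group_member_id_map": "groupofnames:member",
    "tds": {"lc_user_filter": "(&(cn=%v)(objectclass=person))"},
}

# Constructed from the AD example above.
AD_EXAMPLE = variant(
    SDS_EXAMPLE,
    lc_selected_ldap_type="Microsoft Active Directory",
    lc_ldap_port="636",
    lc_ldap_ssl_enabled=True,
    lc_ldap_ssl_secret_name="ldap-ssl-cert-secret",
    lc_ldap_user_name_attribute="user:sAMAccountName",
    lc_ldap_group_membership_search_filter="(&(cn=%v)(objectcategory=group))",
    lc_ldap_group_member_id_map="memberOf:member",
    ad={"lc_user_filter": "(&(samAccountName=%v)(objectcategory=user))"},
)

if __name__ == "__main__":
    print("SDS example:", precheck(SDS_EXAMPLE))
    print("AD without SSL secret:", precheck(variant(AD_EXAMPLE, lc_ldap_ssl_secret_name="")))
```

Note that the AD variant above still carries the tds section inherited from the SDS dict; the check only requires that the section matching lc_selected_ldap_type is present, which is the same condition the examples on this page satisfy.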
Database tuning
If your IBM Security Directory Server LDAP has 200,000+ users, 100+ groups, and multiple group search filters, the LDAP might fail to integrate with IAM. You can remove group search filters to see whether that resolves the problem. For more information about tuning, see Advanced tuning mode and How to run REORG, REORGCHK and RUNSTAT on all tables in a database.