LDAP configuration

An LDAP (Lightweight Directory Access Protocol) server can be configured for use by more than one component of the deployment on Kubernetes.

Download the sample configuration YAML files from cert-kubernetes and modify a file to match your existing LDAP server. The CP4BA operator supports a maximum of 5 LDAP servers. Follow the instructions to apply the modified configuration file in your deployment. Supported directory types are IBM Security Directory Server, Microsoft Active Directory, and a custom directory.

Use the following sections to help you configure your LDAPs.

Bind secret

For components that require LDAP, use the lc_bind_secret parameter in the template YAML file to name the secret that holds the bind credentials. Specify the name of the secret that you create in the lc_bind_secret parameter:

ldap_configuration:
  lc_bind_secret: ldap-bind-secret

The secret must contain the keys ldap<ID>Username and ldap<ID>Password, where <ID> is empty for the first ldap_configuration (so the keys are ldapUsername and ldapPassword) and is the lc_ldap_id value for each additional ldap_configuration_<id_name> block.

The following command shows how to create the ldap-bind-secret secret with the needed username and password. Note that a value passed with --from-literal ends up in your shell history and in the process list while the command runs; outside a test cluster prefer --from-file, pointing each key at a file that contains only the value.

oc create secret generic ldap-bind-secret \
    --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" \
    --from-literal=ldapPassword="<yourLDAPPassword>"

If you need multiple LDAP configurations, for example ldap_configuration_xxx and ldap_configuration_yyy, use a single secret (by default ldap-bind-secret) that holds all of your LDAP credentials. The operator looks up a username and password for each LDAP ID, so each additional block needs an ldap_configuration_<id_name>.lc_ldap_id parameter to separate the credentials. You do not add an ID for the first ldap_configuration, which uses the ldapUsername and ldapPassword keys.

For example, set the LDAP IDs in the custom resource:

ldap_configuration:
  # first LDAP: no lc_ldap_id, uses the ldapUsername and ldapPassword keys

ldap_configuration_abc:
  lc_ldap_id: abc        # uses the ldapabcUsername and ldapabcPassword keys

ldap_configuration_def:
  lc_ldap_id: def        # uses the ldapdefUsername and ldapdefPassword keys

You can then add the credentials to the bind secret for each of the LDAPs. For example, the following secret includes credentials for three LDAPs (the first LDAP, and LDAP IDs abc and def):

kubectl create secret generic ldap-bind-secret \
  --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapPassword="<yourLDAPPassword>" \
  --from-literal=ldapabcUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapabcPassword="<yourLDAPPassword>" \
  --from-literal=ldapdefUsername="cn=admin,dc=ibm,dc=edu" \
  --from-literal=ldapdefPassword="<yourLDAPPassword>"

Restriction: User short names and group short names must be unique across all configured directory servers.
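The key-naming rule above is easy to get wrong once there are several LDAP blocks, and a missing key only surfaces when the operator reconciles. The following preflight script is an added example for this page, not code from the CP4BA operator or from IBM. It takes the custom resource spec and the Secret manifests as already-parsed dicts (in practice you would load the YAML files with yaml.safe_load) and reports every block whose credentials are missing from the bind secret, plus the transport checks a practitioner wants before applying the CR: the lc_ldap_ssl_enabled / lc_ldap_port pairing, the SSL secret name, and the documented hyphen restriction on lc_ldap_group_member_id_map. The sample spec and secret at the bottom are constructed for illustration.

```python
"""Preflight checks for CP4BA ldap_configuration blocks and their bind secret.

Added example, not code from the CP4BA operator or IBM. Inputs are the CR spec
and the Secret manifests as dicts (load real files with yaml.safe_load).
"""
import base64

MAX_LDAPS = 5  # documented limit for the CP4BA operator


def ldap_blocks(spec):
    """Yield (block_name, ldap_id, block) for ldap_configuration and every
    ldap_configuration_<id_name> in the spec. The first block has no ID."""
    for name, block in spec.items():
        block = block or {}  # an empty YAML mapping parses to None
        if name == "ldap_configuration":
            yield name, "", block
        elif name.startswith("ldap_configuration_"):
            yield name, str(block.get("lc_ldap_id", "")), block


def expected_secret_keys(ldap_id):
    """Key names the operator looks up in the bind secret for one LDAP."""
    return (f"ldap{ldap_id}Username", f"ldap{ldap_id}Password")


def secret_keys(secret):
    """Keys present in a Secret manifest (data or stringData)."""
    return set(secret.get("data") or {}) | set(secret.get("stringData") or {})


def check_ldap_config(spec, secrets):
    """Return a list of findings; an empty list means every check passed.
    secrets maps Secret name -> parsed Secret manifest."""
    findings = []
    blocks = list(ldap_blocks(spec))
    if len(blocks) > MAX_LDAPS:
        findings.append(f"{len(blocks)} LDAP blocks; the operator supports at most {MAX_LDAPS}")
    seen_ids = set()
    for name, ldap_id, block in blocks:
        if name != "ldap_configuration" and not ldap_id:
            findings.append(f"{name}: lc_ldap_id is required for every additional LDAP block")
        if ldap_id in seen_ids:
            findings.append(f"{name}: duplicate lc_ldap_id {ldap_id!r}")
        seen_ids.add(ldap_id)

        # The bind secret must hold ldap<ID>Username / ldap<ID>Password for this block.
        secret_name = block.get("lc_bind_secret", "ldap-bind-secret")
        secret = secrets.get(secret_name)
        if secret is None:
            findings.append(f"{name}: bind secret {secret_name!r} not found")
        else:
            for key in expected_secret_keys(ldap_id):
                if key not in secret_keys(secret):
                    findings.append(f"{name}: secret {secret_name!r} has no key {key!r}")

        # Transport checks: a simple bind without TLS sends the password in the clear.
        if "lc_ldap_ssl_enable" in block:
            findings.append(f"{name}: the parameter is lc_ldap_ssl_enabled, not lc_ldap_ssl_enable")
        ssl = bool(block.get("lc_ldap_ssl_enabled", False))
        port = str(block.get("lc_ldap_port", ""))
        if not ssl:
            findings.append(f"{name}: lc_ldap_ssl_enabled is false; bind credentials cross the network unencrypted")
        elif not block.get("lc_ldap_ssl_secret_name"):
            findings.append(f"{name}: lc_ldap_ssl_enabled is true but lc_ldap_ssl_secret_name is empty")
        if (ssl and port == "389") or (not ssl and port == "636"):
            findings.append(f"{name}: port {port} does not match lc_ldap_ssl_enabled={ssl}")

        # Documented IAM REST API restriction on this value.
        if "-" in str(block.get("lc_ldap_group_member_id_map", "")):
            findings.append(f"{name}: hyphen in lc_ldap_group_member_id_map is not supported by the IAM REST API")
    return findings


def _b64(value):
    return base64.b64encode(value.encode()).decode()


# Constructed sample: the first LDAP has no ID, the second uses lc_ldap_id abc.
SAMPLE_SPEC = {
    "ldap_configuration": {
        "lc_bind_secret": "ldap-bind-secret",
        "lc_ldap_port": "636",
        "lc_ldap_ssl_enabled": True,
        "lc_ldap_ssl_secret_name": "ldap-ssl-cert",
        "lc_ldap_group_member_id_map": "groupofnames:member",
    },
    "ldap_configuration_abc": {
        "lc_ldap_id": "abc",
        "lc_ldap_port": "389",
        "lc_ldap_ssl_enabled": False,
        "lc_ldap_group_member_id_map": "memberOf:member",
    },
}

SAMPLE_SECRETS = {
    "ldap-bind-secret": {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "ldap-bind-secret"},
        "data": {
            "ldapUsername": _b64("cn=admin,dc=ibm,dc=edu"),
            "ldapPassword": _b64("example-only"),
            "ldapabcUsername": _b64("cn=admin,dc=ibm,dc=edu"),
            # ldapabcPassword is deliberately missing so the check reports it.
        },
    }
}

if __name__ == "__main__":
    for finding in check_ldap_config(SAMPLE_SPEC, SAMPLE_SECRETS):
        print(finding)
```

Run against the constructed sample, the script reports two findings, both for ldap_configuration_abc: the missing ldapabcPassword key and the unencrypted bind on port 389. The cleartext finding is intentionally not suppressible; if you accept plain LDAP in a lab, read past it rather than removing it, so the same script stays useful for production CRs.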

LDAP parameters

Table 1. LDAP configuration

Each parameter is listed with its description, an example value for IBM Security Directory Server (SDS), and an example value for Microsoft Active Directory (AD).

ad.lc_ad_gc_host
  Description: The hostname of the Active Directory Global Catalog.
  SDS example: N/A
  AD example: N/A

ad.lc_ad_gc_port
  Description: The port of the Active Directory Global Catalog.
  SDS example: N/A
  AD example: N/A

ad.lc_group_filter
  Description: Search filter for finding entries in the Active Directory base DN group subtree that match the group name.
  SDS example: N/A
  AD example: (&(cn=%v)(objectcategory=group))

ad.lc_user_filter
  Description: Search filter for finding entries in the Active Directory base DN users subtree that match the username.
  SDS example: N/A
  AD example: (&(sAMAccountName=%v)(objectcategory=user))

lc_bind_secret
  Description: User name and password for the bind user. The LDAP bind secret must have ldapUsername and ldapPassword keys.
  SDS example: ldap-bind-secret
  AD example: ldap-bind-secret

lc_enable_pagination
  Description: Set to true if you want to enable LDAP pagination in the Identity and Access Management (IAM) foundational service. The default is false.
  SDS example: true, false
  AD example: true, false

lc_group_searchbase_list
  Description: Use this parameter to add custom group search bases to IAM. The value must be a list of search bases within square brackets "[]".
  SDS example: N/A
  AD example: N/A

lc_ldap_base_dn
  Description: The LDAP base distinguished name (DN). The base DN subtree is used when you search for user or group entries on the LDAP server.
  SDS example: o=mycompany,c=us
  AD example: cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com

lc_ldap_group_base_dn
  Description: The LDAP group base distinguished name (DN). The base DN subtree is used when you search for group entries on the LDAP server.
  SDS example: dc=hqpsidcdom,dc=com
  AD example: dc=hqpsidcdom,dc=com

lc_ldap_group_display_name_attr
  Description: The LDAP attribute that holds the display name of the group.
  SDS example: cn
  AD example: cn

lc_ldap_group_member_id_map
  Description: Identifies the attribute that holds the members of a group, as objectclass:attribute pairs separated by semicolons. Hyphens ("-") are not supported in the value because of a defect in the IAM service REST API; the limitation is removed in an upcoming version.
  SDS example: groupOfNames:member;groupOfUniqueNames:uniqueMember
  Note: If nested group support is enabled in SDS, set lc_ldap_group_member_id_map to ibm-allGroups:member;ibm-allGroups:uniqueMember. This value contains hyphens, so it needs an IAM version in which the hyphen limitation has been removed.
  AD example: memberOf:member

lc_ldap_group_membership_search_filter
  Description: Search filter for finding the groups that a user is a member of. {0} is replaced with the user's distinguished name.
  SDS example: (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))
  AD example: (&(cn=%v)(objectcategory=group))

lc_ldap_group_name_attribute
  Description: The LDAP attribute that represents the group name.
  SDS example: *:cn
  AD example: *:cn

lc_ldap_id
  Description: The LDAP ID that distinguishes an additional ldap_configuration_<id_name> block and selects its ldap<ID>Username and ldap<ID>Password keys in the bind secret. Not set for the first ldap_configuration. See Table 2.
  SDS example: abc
  AD example: def

lc_ldap_port
  Description: The LDAP server port number. 389 is plain LDAP; 636 is LDAP over SSL/TLS and must be combined with lc_ldap_ssl_enabled: true and an lc_ldap_ssl_secret_name.
  SDS example: 389
  AD example: 636

lc_ldap_precheck
  Description: The default value is true, which validates the LDAP connection before the installation. If the value is false, the operator skips the validation.
  SDS example: true
  AD example: true

lc_ldap_server
  Description: The fully qualified domain name or IP address of your LDAP server.
  SDS example: HOSTNAME
  AD example: HOSTNAME

lc_ldap_ssl_enabled
  Description: Specifies whether SSL/TLS is used to access the LDAP server. When it is false, the bind password and all directory traffic cross the network unencrypted.
  SDS example: true, false
  AD example: true, false

lc_ldap_max_search_results
  Description: The maximum number of search results. Specify a higher value if you expect more search results.
  SDS example: 4500
  AD example: 4500

lc_ldap_recursive_search
  Description: Enable recursive searches. The default value is false. If the SDS has nested groups, set lc_ldap_recursive_search: true.
  SDS example: true, false
  AD example: true, false

lc_ldap_ssl_secret_name
  Description: The name of a secret that holds the SSL certificate to use when SSL is used to access the LDAP server.
  SDS example: ldap-ssl-cert
  AD example: ldap-ssl-cert

lc_ldap_user_display_name_attr
  Description: The LDAP attribute that holds the display name of the user.
  SDS example: cn or uid
  AD example: sAMAccountName

lc_ldap_user_name_attribute
  Description: The LDAP attribute that represents the user name. The list can contain multiple values separated by semicolons. The first relative distinguished name (RDN) must be part of the list: for example, if your user distinguished names (DNs) typically start with uid=..., make sure to include *:uid in the list.
  SDS example: *:cn or *:uid
  AD example: user:sAMAccountName

lc_pagination_size
  Description: If lc_enable_pagination is true, the pagination size. If not specified, the Custom type has a default of 4500.
  SDS example: 2000
  AD example: 1000

lc_selected_ldap_type
  Description: The type of the directory: Custom, IBM Security Directory Server, or Microsoft Active Directory.
  SDS example: IBM Security Directory Server
  AD example: Microsoft Active Directory

lc_user_searchbase_list
  Description: If your LDAP has many subtrees and the users are not organized in structured groups, use a list of search bases to add LDAP connections to IAM.
  SDS example: ["OU=searchbase1,DC=test,DC=com","OU=searchbase2,DC=test,DC=com","OU=searchbase3,DC=test,DC=com"]
  AD example: ["OU=searchbase1,DC=test,DC=com","OU=searchbase2,DC=test,DC=com","OU=searchbase3,DC=test,DC=com"]

scim_configuration_iam
  Description: Provide the SCIM attribute mapping if your LDAP attributes differ from the IAM SCIM defaults (see Table 3).
  SDS example: N/A
  AD example: N/A

tds.lc_group_filter
  Description: Search filter for finding entries in the IBM Security Directory Server base DN group subtree that match the group name.
  SDS example: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))
  AD example: N/A

tds.lc_user_filter
  Description: Search filter for finding entries in the IBM Security Directory Server base DN users subtree that match the username.
  SDS example: (&(cn=%v)(objectclass=person))
  AD example: N/A
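The user and group filters in Table 1 take the login or group name at %v, and the membership filter takes the user's DN at {0}. This page does not describe how the consuming component performs that substitution, but any filter you write yourself, in particular a custom.lc_user_filter, should be tested for what happens when the substituted value contains filter metacharacters. The following script is an added example, not IBM's or the IAM service's code: it renders the page's own templates with RFC 4515 escaping, shows what an unescaped substitution would turn the filter into, and counts the filter's parentheses so a test can confirm that a rendered single-user filter keeps the template's structure. The user name and DN inputs are constructed.

```python
"""Render the %v / {0} placeholders of the LDAP filters on this page.

Added example, not code from IBM or the IAM service. Escaping follows
RFC 4515 section 3; the filter templates are the ones shown in Table 1.
"""

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Filter templates as they appear in Table 1.
TDS_USER_FILTER = "(&(cn=%v)(objectclass=person))"
AD_USER_FILTER = "(&(sAMAccountName=%v)(objectcategory=user))"
MEMBERSHIP_FILTER = ("(|(&(objectclass=groupofnames)(member={0}))"
                     "(&(objectclass=groupofuniquenames)(uniquemember={0})))")


def escape_filter_value(value):
    """Escape a value that is placed inside a search filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, value, escape=True):
    """Substitute %v (user or group name) or {0} (user DN) in a template.
    escape=False shows what an implementation that inserts the value
    verbatim would send to the directory."""
    rendered = escape_filter_value(value) if escape else value
    return template.replace("%v", rendered).replace("{0}", rendered)


def open_paren_count(filter_str):
    """Count the structural '(' characters of a filter, skipping \\xx escapes.
    A safe substitution never changes this count relative to the template."""
    count = 0
    i = 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3  # skip the escape sequence, e.g. \28
            continue
        if filter_str[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed inputs: an ordinary login name and a name built from metacharacters.
    for name in ("jdoe", "*)(objectclass=*"):
        raw = render_filter(TDS_USER_FILTER, name, escape=False)
        safe = render_filter(TDS_USER_FILTER, name)
        print(f"{name!r}: unescaped -> {raw} ({open_paren_count(raw)} parens)")
        print(f"{name!r}: escaped   -> {safe} ({open_paren_count(safe)} parens)")
    # A DN with parentheses in its RDN must also be escaped in the membership filter.
    dn = "cn=Doe (John),ou=people,dc=example,dc=com"
    print(render_filter(MEMBERSHIP_FILTER, dn))
```

With the name *)(objectclass=* inserted verbatim, the SDS user filter becomes (&(cn=*)(objectclass=*)(objectclass=person)), which matches every person entry instead of one user; the escaped form matches the literal string and nothing else. The same escaping applies to the DN placed at {0}, since RDN values such as cn=Doe (John) are legal in a DN but not in an unescaped filter.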
Table 2. Multi LDAP configuration parameters: ldap_configuration_<id_name>

Each parameter is listed with its description, its default value, and whether it is required.

lc_ldap_id
  Description: The LDAP ID for your multi-LDAP configuration. The <id_name> value must be unique. Example values: msad, ad1, sds, tds1.
  Default: <id_name>
  Required: Yes

lc_selected_ldap_type
  Description: The type of the directory: Custom, IBM Security Directory Server, or Microsoft Active Directory.
  Default: none listed
  Required: not stated

lc_ldap_server
  Description: The host name for the LDAP server that you are using for the environment.
  Default: none
  Required: Yes

lc_ldap_port
  Description: The port number for the LDAP server that you are using.
  Default: 389
  Required: Yes

lc_bind_secret
  Description: User name and password for the bind user. If lc_ldap_id is not defined, the LDAP bind secret has the ldapUsername and ldapPassword keys. If lc_ldap_id is defined, the LDAP bind secret is expected to have the ldap<lc_ldap_id>Username and ldap<lc_ldap_id>Password keys.
  Default: ldap-bind-secret
  Required: not stated

lc_ldap_base_dn
  Description: The LDAP base distinguished name (DN). The base DN subtree is used when searching for user entries on the LDAP server. (The bind user's own DN goes in the bind secret, not here.)
  Default: dc=example,dc=com
  Required: Yes

lc_ldap_ssl_enabled
  Description: Specify whether SSL is enabled.
  Default: true
  Required: No

lc_ldap_ssl_secret_name
  Description: The name of the SSL secret that you created.
  Default: "" (empty)
  Required: Yes (needed when lc_ldap_ssl_enabled is true)

lc_ldap_user_name_attribute
  Description: The format of the user name.
  Default: (For TDS) *:cn; (For AD) user:sAMAccountName
  Required: Yes

lc_ldap_user_display_name_attr
  Description: The format of the user display name.
  Default: (For TDS) cn; (For AD) sAMAccountName
  Required: Yes

lc_ldap_group_base_dn
  Description: The base DN subtree that is used when searching for group entries on the LDAP server.
  Default: dc=example,dc=com
  Required: Yes

lc_ldap_group_name_attribute
  Description: The format of the group name.
  Default: (For TDS) *:cn
  Required: Yes

lc_ldap_group_display_name_attr
  Description: The format of the group display name.
  Default: (For TDS) cn
  Required: Yes

lc_ldap_group_membership_search_filter
  Description: Search filter for finding the groups that a user is a member of. {0} is replaced with the user's distinguished name.
  Default: (For TDS and AD) (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0}))). The Active Directory example on this page uses (&(cn=%v)(objectcategory=group)) instead.
  Required: Yes

lc_ldap_group_member_id_map
  Description: Identifies the attribute that holds the members of a group, as objectclass:attribute pairs separated by semicolons.
  Default: (For TDS) groupofnames:member; (For AD) memberOf:member
  Required: Yes

ad.lc_ad_gc_host
  Description: Active Directory Global Catalog host.
  Default: none
  Required: Yes

ad.lc_ad_gc_port
  Description: Active Directory Global Catalog port.
  Default: none
  Required: Yes

ad.lc_user_filter
  Description: Active Directory user filter.
  Default: (&(samAccountName=%v)(objectClass=user))
  Required: No

ad.lc_group_filter
  Description: Active Directory group filter.
  Default: (&(samAccountName=%v)(objectclass=group))
  Required: No

tds.lc_user_filter
  Description: IBM Security Directory Server user filter.
  Default: (&(cn=%v)(objectclass=person))
  Required: No

tds.lc_group_filter
  Description: IBM Security Directory Server group filter.
  Default: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))
  Required: No

custom.lc_user_filter
  Description: Custom directory user filter.
  Default: (&(objectClass=person)(cn=%v))
  Required: No

custom.lc_group_filter
  Description: Custom directory group filter.
  Default: (&(objectClass=group)(cn=%v))
  Required: No

SCIM parameters

Table 3 is used by the operator to construct a configmap when you deploy IAM from the IBM Cloud Pak foundational services. The platform-auth-idp configmap is used by IAM to support the SCIM APIs for a configured LDAP connection in IBM Cloud Pak foundational services. The configmap allows you to modify the IAM default SCIM_LDAP_ATTRIBUTES_MAPPING data so it matches with the LDAP that IAM is configured to use. For more information about updating the SCIM_LDAP_ATTRIBUTES_MAPPING, see Updating SCIM LDAP attributes mapping.

Note: The default values shown in the table below are for Tivoli Directory Server (the earlier name of IBM Security Directory Server). To view the actual default values that are used in your environment, run the command described in Updating SCIM LDAP attributes mapping to check your existing attribute mappings.
Table 3. IAM SCIM LDAP attribute mapping parameters: ldap_configuration.scim_configuration_iam

Each parameter is listed with its description, its default value, and whether it is required.

group_external_id_attribute
  Description: Reference attribute for use with external repositories and directories. This attribute is sometimes set to the DN or the ObjectGUID of the group from the external registry.
  Default: dn
  Required: No

group_unique_id_attribute
  Description: Group ID.
  Default: dn
  Required: No

group_name_attribute
  Description: The format of the group name.
  Default: cn
  Required: No

group_display_name_attribute
  Description: The format of the group display name.
  Default: cn
  Required: No

group_members_attribute
  Description: Attribute that holds the list of group members.
  Default: member
  Required: No

group_object_class_attribute
  Description: Object class in the LDAP most commonly used to define groups. Must match the first value given in lc_group_filter.
  Default: groupOfNames
  Required: No

group_principal_name_attribute
  Description: Attribute holding the group's principal name.
  Default: cn
  Required: No

group_custom_mapping
  Description: Attribute holding the group's custom mapping.
  Default: ibmentryuuid
  Required: No

user_external_id_attribute
  Description: Reference attribute for use with external repositories and directories. This attribute is sometimes set to the DN or the ObjectGUID of the user from the external registry.
  Default: dn
  Required: No

user_unique_id_attribute
  Description: User ID.
  Default: dn
  Required: No

user_display_name_attribute
  Description: The format of the display name.
  Default: cn
  Required: No

user_name_attribute
  Description: The format of the username.
  Default: uid
  Required: No

user_family_name_attribute
  Description: Attribute holding the user's surname.
  Default: sn
  Required: No

user_full_name_attribute
  Description: Attribute holding the user's full name.
  Default: cn
  Required: No

user_given_name_attribute
  Description: Attribute holding the user's given name.
  Default: cn
  Required: No

user_groups_attribute
  Description: Attribute used to determine that a user is part of a group.
  Default: memberOf
  Required: No

user_object_class_attribute
  Description: Object class in the LDAP most commonly used to define users. Must match the first value given in lc_user_filter.
  Default: person
  Required: No

user_principal_name_attribute
  Description: Attribute holding the user's principal name.
  Default: uid
  Required: No

user_custom_mapping
  Description: Attribute holding the user's custom mapping.
  Default: ibmentryuuid
  Required: No

user_emails_attribute
  Description: Attribute holding the user's email.
  Default: mail
  Required: No

Example LDAP_configuration YAML for IBM Security Directory Server

You must adjust the example to match your LDAP configuration. Note that this example connects on port 389 with lc_ldap_ssl_enabled: false, so the bind credentials and all directory traffic cross the network unencrypted; outside a test environment set lc_ldap_ssl_enabled: true, lc_ldap_port: "636", and an lc_ldap_ssl_secret_name, as in the Active Directory example.

ldap_configuration:
    lc_selected_ldap_type: "IBM Security Directory Server"
    lc_ldap_server: "myhost"
    lc_ldap_port: "389"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: false
    lc_ldap_ssl_secret_name: ""
    lc_ldap_user_name_attribute: "*:cn"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
    lc_ldap_group_member_id_map: "groupofnames:member"
    lc_ldap_max_search_results: 4500
    lc_ldap_recursive_search: false
    tds:
      lc_user_filter: "(&(cn=%v)(objectclass=person))"
      lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"

Example LDAP_configuration YAML for Microsoft Active Directory

You must adjust the example to match your LDAP configuration.

ldap_configuration:
    lc_selected_ldap_type: "Microsoft Active Directory"
    lc_ldap_server: "myhost"
    lc_ldap_port: "636"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: "ldap-ssl-cert-secret"
    lc_ldap_user_name_attribute: "user:sAMAccountName"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(&(cn=%v)(objectcategory=group))"
    lc_ldap_group_member_id_map: "memberOf:member"
    lc_ldap_max_search_results: 4500 
    lc_ldap_recursive_search: false
    ad:
      lc_ad_gc_host: ""
      lc_ad_gc_port: ""
      lc_user_filter: "(&(samAccountName=%v)(objectcategory=user))"
      lc_group_filter: "(&(cn=%v)(objectcategory=group))"

Example LDAP_configuration YAML for a custom LDAP

You must adjust the example to match your LDAP configuration.

ldap_configuration:
    lc_selected_ldap_type: "Custom"
    lc_ldap_server: "myhost"
    lc_ldap_port: "636"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: "ldap-ssl-cert-secret"
    lc_ldap_user_name_attribute: "user:sAMAccountName"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(&(cn=%v)(objectcategory=group))"
    lc_ldap_group_member_id_map: "memberOf:member"
    lc_ldap_max_search_results: 4500
    lc_ldap_recursive_search: false
    lc_enable_pagination: false
    lc_pagination_size: 4500
    custom:
      lc_user_filter: "(&(objectClass=person)(cn=%v))"
      lc_group_filter: "(&(objectClass=group)(cn=%v))"

Database tuning

If your IBM Security Directory Server LDAP has 200,000+ users, 100+ groups, and multiple group search filters, the LDAP might fail to integrate with IAM. Remove group search filters to see whether that resolves the problem. For more information about tuning, see Advanced tuning mode and How to run REORG, REORGCHK and RUNSTAT on all tables in a database.