Configuring LDAP group mapping on API Manager user roles

As an API Manager administrator, you can configure LDAP group mapping on API Connect roles in a provider organization by using the developer toolkit CLI.

Before you begin

You must have an LDAP user registry resource in the API Manager that has the external_group_mapping_enabled configuration set to true. See Using the CLI to create an organization-specific LDAP user registry for information.

One of the following roles is required to edit roles:

  • Administrator
  • Owner
  • Custom role with the Settings: manage permissions

Note: The provider organization roles apply only to API Manager users. If you want to apply LDAP group mapping to Cloud Manager users, see Configuring LDAP group mapping on Cloud Manager user roles. LDAP group mapping cannot be applied to Developer Portal users.

About this task

You can map external LDAP groups to the API Connect preconfigured user roles (except for the Owner and Member roles), as well as to any custom user roles, to reflect your business needs.

Note:
  • After LDAP group mapping is enabled on a role, user onboarding always honors the group mappings.
  • Once onboarded, user membership in API Connect is valid throughout the login period (access_token_ttl), irrespective of any changes in the external LDAP registry. Membership is updated only on the next login, when the LDAP information is fetched and refreshed.
  • One or more API Connect roles can be mapped to one or more LDAP groups, and vice versa.
  • When multiple LDAP groups are mapped to a single role, a user who belongs to any one of those LDAP groups can log on to API Connect with that role.
  • If a user is removed from the external LDAP user registry, to ensure quick removal from API Connect you must also delete the user membership in API Connect.
  • In API Manager you can map roles at the provider organization, Catalog and, if appropriate, Space level. However, you can map roles at the Catalog level only if group mapping is also defined at the provider organization level, and at the Space level only if it is also defined at the parent Catalog level. Mapping at a child level overrides the mapping for the same role at the parent level. For example:

    If the Administrator Role at the provider organization level is mapped to the LDAP group of cn=APIC-Administrators,ou=ibmgroups,o=ibm.com, and the Administrator Role at a Catalog level is mapped to the LDAP group of cn=APIC-Developers,ou=ibmgroups,o=ibm.com, then any user that is added as a Catalog member must belong to the cn=APIC-Developers,ou=ibmgroups,o=ibm.com group. Note that provider organization level members that belong to the cn=APIC-Administrators,ou=ibmgroups,o=ibm.com group can still access the Catalog due to inheritance.

LDAP group mapping can be configured only by using the developer toolkit CLI. For detailed information about how to use the CLI, see Installing the toolkit, and Overview of the command-line tool.

Procedure

Perform the following steps to map external LDAP groups to API Manager user roles.
  1. Log in to the management server CLI.
    Before you can update the role configuration, you must log in to your management server from the developer toolkit CLI as a member of a provider organization. Use the following command:
    apic login --server mgmt_endpoint_url --username user_id --password password --realm provider/identity_provider
    where mgmt_endpoint_url is the platform API endpoint URL.
    You can determine which identity provider to use in the --realm parameter by entering the following command to see a list of all available identity providers (you do not need to be logged in to use this command):
    apic identity-providers:list --scope provider --server mgmt_endpoint_url --fields title,realm
    For example:
    apic identity-providers:list --scope provider --server myserver.com --fields title,realm 
    total_results: 2
    results:
      - title: Cloud Manager User Registry
        realm: provider/default-idp-2
      - title: Corporate LDAP user registry
        realm: provider/corporate-ldap
    The title value should enable you to determine which identity provider to use; you can then copy the corresponding --realm parameter directly from the displayed realm value. For any identity providers that were created by your administrator after API Connect was installed, the names will have been determined at creation time. The default API Manager Local User Registry for login as a member of a provider organization is default-idp-2.

    For full details of the login command, see Logging in to a management server.

  2. Run the following command to get the URL of the LDAP user registry resource in the API Manager that you want to map the user roles to:
    apic user-registries:get ldap_user_registry --org organization_name --server mgmt_endpoint_url --output -
    where:
    • ldap_user_registry is the name or ID of your LDAP user registry resource.
    • organization_name is the value of the name property of your provider organization.
    • mgmt_endpoint_url is the platform API endpoint URL.
    This command outputs the configuration details of your LDAP user registry; the url property is shown at the end of the output, for example:
    type: user_registry
    api_version: 2.0.0
    id: 35e75bad-1d89-4a65-a70f-xxxxxx
    name: ldap
    title: LDAP
    integration_url: >-
      https://server.com/api/cloud/integrations/user-registry/147b5fb1-e88e-41e3-90e9-xxxxxx
    registry_type: ldap
    user_managed: false
    user_registry_managed: false
    external_group_mapping_enabled: true
    ...
    url: >-
      https://server.com/api/user-registries/3d58ce7e-16a8-493b-9684-xxxxxx/35e75bad-1d89-4a65-a70f-xxxxxx
  3. Create a role yaml file that contains the following LDAP group mapping configuration properties:
    external_group_mapping:
      user_registry_url: https://server.com/api/user-registries/3d58ce7e-16a8-493b-9684-xxxxxx/35e75bad-1d89-4a65-a70f-xxxxxx
      ldap_groups:
        - 'cn=apic-administrators,ou=ibmgroups,o=ibm.com'
        - 'cn=apic-developers,ou=ibmgroups,o=ibm.com'
      user_group_filter_prefix: (&(uniquemember=
      user_group_filter_suffix: )(objectClass=groupOfUniqueNames))
    Where:
    • user_registry_url is the URL of your LDAP user registry resource from Step 2.
    • ldap_groups is a list of the LDAP group names that you want to map to the user role.
    • user_group_filter_prefix is the part of the LDAP group membership filter that precedes the user value.
    • user_group_filter_suffix is the part of the LDAP group membership filter that follows the user value.
  4. Run the following command to update the user role with the external_group_mapping configuration properties:
    apic roles:update role_name --scope org --org organization_name --server mgmt_endpoint_url mapping_properties_file
    Where:
    • role_name is the name of the user role that you want to add the LDAP group mapping to.
    • --scope is the organization level that you want the update to apply to. Valid values are:
      • org to apply the mapping at the provider organization level.
      • catalog to apply the mapping at the Catalog level.
      • space to apply the mapping at the Space level.
    • organization_name is the value of the name property of your provider organization.
    • mgmt_endpoint_url is the platform API endpoint URL.
    • mapping_properties_file is the name of your mapping properties file from Step 3, for example role_mapping_file.yaml.
    If you prefer to enter the configuration properties interactively on the command line, replace mapping_properties_file with a single hyphen character (-), enter the information manually, and then press Ctrl+D to terminate the input.

    If you want to create a custom role that includes LDAP group mapping, you can include the external_group_mapping configuration section in the role_file, and then create the new role by using the apic roles:create command.
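    The following Python helpers are an added example, not IBM's code or part of the toolkit: they pull the url value out of the Step 2 output (including the folded `url: >-` form shown above), render the Step 3 role file, and show the filter that results when the prefix and suffix from Step 3 are wrapped around a user DN. The sample registry output and the assumption that the registry composes the filter as prefix + user DN + suffix are constructed for illustration; the DN escaping applied is the standard RFC 4515 rule for values spliced into a filter.

```python
import re

# Constructed sample of `apic user-registries:get ... --output -` output
# (IDs and host are placeholders, not taken from a real system).
SAMPLE_GET_OUTPUT = """\
type: user_registry
name: ldap
integration_url: >-
  https://server.com/api/cloud/integrations/user-registry/INTEGRATION-ID
external_group_mapping_enabled: true
url: >-
  https://server.com/api/user-registries/REGISTRY-ORG-ID/REGISTRY-ID
"""


def registry_url_from_get_output(text):
    """Return the url property from the Step 2 output, handling the folded
    `url: >-` form where the value sits on the following indented line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*url:\s*(.*)$", line)  # skips integration_url
        if m:
            value = m.group(1).strip()
            if value in (">-", ">", "|", "|-"):
                return lines[i + 1].strip()
            return value
    raise ValueError("no url: property in registry output")


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_membership_filter(prefix, suffix, user_dn):
    """Filter sent to LDAP, assuming prefix + user DN + suffix (assumption)."""
    return prefix + escape_filter_value(user_dn) + suffix


def render_role_mapping(registry_url, ldap_groups, prefix, suffix):
    """Render the Step 3 role file consumed by `apic roles:update`."""
    lines = ["external_group_mapping:",
             "  user_registry_url: " + registry_url,
             "  ldap_groups:"]
    lines += ["    - '%s'" % group for group in ldap_groups]
    lines += ["  user_group_filter_prefix: " + prefix,
              "  user_group_filter_suffix: " + suffix]
    return "\n".join(lines) + "\n"
```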

For more information about the apic roles commands, see apic roles in the CLI reference section.

Results

The role is updated with the LDAP group mapping information. Users can now log on to the API Manager, and automatically be assigned the correct access permissions for their role.