LDAP configuration

A server that runs the Lightweight Directory Access Protocol (LDAP) can be configured by more than one component.

Download the sample configuration XML files from cert-kubernetes-bai and modify a file to match your existing LDAP server. The BAI operator supports a maximum of 5 LDAP servers. Follow the instructions to apply the modified configuration file in your deployment. Options include IBM Security Directory Server, Microsoft Active Directory, and a custom directory.

Use the following sections to help you configure your LDAPs.

Bind secret
LDAP parameters
Example LDAP_configuration YAML for IBM Security Directory Server
Example LDAP_configuration YAML for Microsoft Active Directory
Example LDAP_configuration YAML for a custom LDAP

Bind secret

For components that require LDAP, use the lc_bind_secret parameter in the template YAML file to locate a secret that includes the ldapUsername and ldapPassword keys. Specify the secret name that you create in the lc_bind_secret parameter.

ldap_configuration:
  lc_bind_secret: ldap-bind-secret
    ldap<ID>Username:
    ldap<ID>Password:

The following command shows how to create the (ldap-bind-secret) secret with the needed usernames and passwords.

kubectl create secret generic ldap-bind-secret \
    --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" --from-literal=ldapPassword="<yourLDAPPassword>" \

Important: In the Zen service, you can manage LDAP users, user group roles, and permissions. For example, you can add an LDAP or OpenShift user to your cluster. When you add a user, you must specify the OpenShift or LDAP login ID of that user in the Username field.

LDAP username

The ldapUsername key is comprised of the username and the location of the username in the LDAP directory tree. The user must be allowed to search the base DN. If no user is specified in the ldapUsername, the LDAP connection is established without authentication. The length is restricted to 255 alphanumeric characters. White space and the following special characters are allowed.

= . , - : @ ( ) _ \

The ldapUsername value is case-sensitive and must be the full distinguished name (DN) path. The DN path, including spaces, commas, and other characters, must be the same as configured in the LDAP server. The following value is an example:

Bind DN : CN=Administrator,CN=Users,DC=mycompany,DC=com

The following value is invalid because CN and DC are lowercase.
```
cn=Administrator,cn=Users,dc=mycompany,dc=com
```
The following value is invalid because the CN=Users parameter is missing.
```
CN=Administrator,DC=mycompany,DC=com
```
The following value is invalid because of a space between the parameters.
```
CN=Administrator,CN=Users, DC=mycompany,DC=com
```
The following value is invalid because the administrator parameter value starts with a lowercase letter.
```
CN=administrator,CN=Users,DC=mycompany,DC=com
```

LDAP username password

The password of the user specified in the ldapUsername. The ldapPassword is not required if you do not specify a user in the ldapUsername. A maximum of 255 characters is allowed.

If you need multiple LDAP configurations, for example ldap_configuration_xxx and ldap_configuration_yyy use a single secret (by default ldap-bind-secret) to include all your LDAP credentials. The operator looks for a username and password for each LDAP ID. A ldap_configuration_***.lc_ldap_id parameter is required to separate the credentials. You do not need to add an ID for the first ldap_configuration, which uses ldapUsername and ldapPassword.

For example, set the LDAP IDs in the custom resource:

ldap_configuration:

ldap_configuration_abc:
  lc_ldap_id: abc

ldap_configuration_def:
  lc_ldap_id: def

You can then add the credentials to the bind secret for each of the LDAPs. For example, the following secret includes credentials for 3 LDAPs (for the first LDAP, and for LDAP IDs abc and def):

kubectl create secret generic ldap-bind-secret     
  --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" 
  --from-literal=ldapPassword="<yourLDAPPassword>"     
  --from-literal=ldapabcUsername="cn=admin,dc=ibm,dc=edu" 
  --from-literal=ldapabcPassword="<yourLDAPPassword>" 
  --from-literal=ldapdefUsername="cn=admin,dc=ibm,dc=edu"
  --from-literal=ldapdefPassword="<yourLDAPPassword>"

Restriction: User short names and group short names must be unique across all configured directory servers.

LDAP parameters

Table 1. LDAP configuration: spec.ldap_configuration
Parameters	Description	IBM Security Directory Server example values	Microsoft Active Directory example values
ad.lc_ad_gc_host	The hostname of the Active Directory Global Catalog	N/A	N/A
ad.lc_ad_gc_port	The port of the Active Directory Global Catalog	N/A	N/A
ad.lc_group_filter	Search filter for finding entries in the Active Directory base DN group subtree that match the group name.	N/A	(&(cn=%v)(objectcategory=group))
ad.lc_user_filter	Search filter for finding entries in the Active Directory base DN users subtree that match the username.	N/A	(&(sAMAccountName=%v)(objectcategory=user))
lc_bind_secret	Username and password for the bind user. The LDAP bind secret must have ldapUsername and ldapPassword keys.	ldap-bind-secret	ldap-bind-secret
lc_enable_pagination	Set to true if you want to enable LDAP pagination in the Identity Management (IM) foundational service. The default is false.	true, false	true, false
lc_group_searchbase_list	Use this parameter to add custom search bases to IM. The value must be a list of search bases within square brackets "`[]`".	N/A	N/A
lc_ldap_base_dn	The LDAP base distinguished name (DN). The base DN subtree is used when you search for user or group entries on the LDAP server.	o=mycompany,c=us	cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com
lc_ldap_group_base_dn	The LDAP group base distinguished name (DN). The base DN subtree is used when you search for group entries on the LDAP server.	dc=hqpsidcdom,dc=com	dc=hqpsidcdom,dc=com
lc_ldap_group_display_name_attr	The LDAP attribute to display the full name of the group.	cn	cn
lc_ldap_group_member_id_map	Identifies the group member. Hyphens ("-") are not supported in the value for this parameter due to a defect in the Identity Management (IM) service REST API. The limitation might be removed in an upcoming version.	groupOfNames:member;groupOfUniqueNames:uniqueMember Note: If nested group support is enabled in SDS, set lc_ldap_group_member_id_map to ibm-allGroups:member;ibm-allGroups:uniqueMember.	memberOf:member
lc_ldap_group_membership_search_filter	Search filter for finding group membership.	(\|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))	(&(cn=%v)(objectcategory=group))
lc_ldap_group_name_attribute	The LDAP attribute that represents the group name.	*:cn	*:cn
lc_ldap_id	Enter your LDAP ID information.	username, password	username, password
lc_ldap_port	The LDAP server host port number.	389	636
lc_ldap_precheck	The default value is set to true. True enables the validation of the LDAP connection before the installation. If the value is set to false, the operator skips the validation.	true	true
lc_ldap_server	The hostname must be either the fully qualified domain name or IP address of your LDAP server.	HOSTNAME	HOSTNAME
lc_ldap_ssl_enable	Specifies whether SSL is used to access an LDAP server.	true, false	true, false
lc_ldap_max_search_results	Specify a higher value if you expect more search results.	4500	4500
lc_ldap_recursive_search	Enable recursive searches. The default value is false.	true, false If the SDS has nested groups, then this parameter needs to be set as lc_ldap_recursive_search: true	true, false If the SDS has nested groups, then this parameter needs to be set as lc_ldap_recursive_search: true
lc_ldap_ssl_secret_name	Specifies a secret name that includes an SSL certificate to use when SSL is used to access an LDAP server.	ldap-ssl-cert	ldap-ssl-cert
lc_ldap_user_display_name_attr	The LDAP attribute to display for the full name of the user.	cn or uid	sAMAccountName
lc_ldap_user_name_attribute	The LDAP attribute that represents the username. The list can contain multiple values, which are separated by a semicolon. The first relative distinguished name (RDN) must be part of the list. For example, if your user distinguished names (DNs) typically start with `uid=...`, make sure to include `*:uid` in the list.	:cn or :uid	user:sAMAccountName
lc_pagination_size	If lc_enable_pagination is set to true, then specify the pagination size. If not specified, the Custom type has a default of 4500.	2000	1000
lc_selected_ldap_type	The type of the directory. It can be Custom, IBM Security Directory Server, or Microsoft Active Directory.	IBM Security Directory Server	Microsoft Active Directory
lc_user_searchbase_list	If your LDAP has many sub-trees and the users are not organized in structured groups, then use a list of search bases to add LDAP connections to IAM.	["OU=searchbase1,DC=test,DC=com","OU=searchbase2,DC=test,DC=com","OU=searchbase3,DC=test,DC=com"]	["OU=searchbase1,DC=test,DC=com","OU=searchbase2,DC=test,DC=com","OU=searchbase3,DC=test,DC=com"]
scim_configuration_iam	Provide the relevant SCIM attribute mapping if they are derived from the default values of IM SCIM attributes.	N/A	N/A
tds.lc_group_filter	Search filter for finding entries in the IBM Directory Server base DN group subtree that match the group name.	(&(cn=%v)(\|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))	N/A
tds.lc_user_filter	Search filter for finding entries in the IBM Directory Server base DN users subtree that match the username.	(&(cn=%v)(objectclass=person))	N/A

Table 2. Multi LDAP configuration parameters: spec.ldap_configuration_<id_name>
Parameters	Description	Default Values	Required
lc_ldap_id	The LDAP id for your multi LDAP configuration. The <id_name> value must be unique. Example values might be msad, ad1, sds, tds1.	<id_name>	Yes
lc_selected_ldap_type	The type of the directory. This can be Custom, IBM Security Directory Server, or Microsoft Active Directory.	IBM Security Directory Server	Microsoft Active Directory
lc_ldap_server	The host name for the LDAP server that you are using for the environment.		Yes
lc_ldap_port	The port number for the LDAP server that you are using.	389	Yes
lc_bind_secret	Username and password for the bind user. If lc_ldap_id is not defined, the LDAP bind secret is expected to have ldapUsername and ldapPassword keys. If lc_ldap_id is defined, then the LDAP bind secret is expected to have ldap<lc_ldap_id>Username ldap<lc_ldap_id>Password keys.	ldap-bind-secret
lc_ldap_base_dn	The base distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access.	dc=example,dc=com	Yes
lc_ldap_ssl_enabled	Specify whether SSL is enabled.	true	No
lc_ldap_ssl_secret_name	Provide the name of the SSL secret that you created.	" "	Yes
lc_ldap_user_name_attribute	Provide the format of the username.	(For TDS) *:cn (For AD) user:sAMAccountName	Yes
lc_ldap_user_display_name_attr	Provide the format of the display name.	(For TDS) cn (For AD) sAMAccountName	Yes
lc_ldap_group_base_dn	The base DN subtree that is used to search for group entries on the LDAP server.	dc=example,dc=com	Yes
lc_ldap_group_name_attribute	Provide the format of the group name.	(For TDS) *:cn	Yes
lc_ldap_group_display_name_attr	Provide the format of the group display name.	(For TDS) cn	Yes
lc_ldap_group_membership_search_filter	Filter for finding entries in the LDAP base DN (groups) subtree that match the group name.	(For TDS and AD) (\|(&(objectclass=groupofnames)(member={0})) (&(objectclass=groupofuniquenames)(uniquemember={0})))	Yes
lc_ldap_group_member_id_map	The group id is a filter that is used to determine the group name.	(For TDS) groupofnames:member (For AD) memberOf:member	Yes
ad.lc_ad_gc_host	Active Directory host.		Yes
ad.lc_ad_gc_port	Active Directory port.		Yes
ad.lc_user_filter	Active Directory user filter.	(&(samAccountName=%v)(objectClass=user))	No
ad.lc_group_filter	Active Directory group filter.	(&(samAccountName=%v)(objectclass=group))	No
tds.lc_user_filter	IBM Security Directory user filter	(&(cn=%v)(objectclass=person))	No
tds.lc_group_filter	IBM Security Directory group filter.	(&(cn=%v)(\|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))	No
custom.lc_user_filter	Custom Directory user filter	(&(objectClass=person)(cn=%v))	No
custom.lc_group_filter	Custom Directory group filter	(&(objectClass=group)(cn=%v))	No

Example LDAP_configuration YAML for IBM Security Directory Server

Adjust the example to match your LDAP configuration.

ldap_configuration:
    lc_selected_ldap_type: "IBM Security Directory Server"
    lc_ldap_server: "myhost"
    lc_ldap_port: "389"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: false
    lc_ldap_ssl_secret_name: ""
    lc_ldap_user_name_attribute: "*:cn"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
    lc_ldap_group_member_id_map: "groupofnames:member"
    lc_ldap_max_search_results: 4500
    lc_ldap_recursive_search: false
    tds:
      lc_user_filter: "(&(cn=%v)(objectclass=person))"
      lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"

Example LDAP_configuration YAML for Microsoft Active Directory

Adjust the example to match your LDAP configuration.

ldap_configuration:
    lc_selected_ldap_type: "Microsoft Active Directory"
    lc_ldap_server: "myhost"
    lc_ldap_port: "636"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: "ldap-ssl-cert-secret"
    lc_ldap_user_name_attribute: "user:sAMAccountName"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(&(cn=%v)(objectcategory=group))"
    lc_ldap_group_member_id_map: "memberOf:member"
    lc_ldap_max_search_results: 4500 
    lc_ldap_recursive_search: false
    ad:
      lc_ad_gc_host: ""
      lc_ad_gc_port: ""
      lc_user_filter: "(&(samAccountName=%v)(objectcategory=user))"
      lc_group_filter: "(&(cn=%v)(objectcategory=group))"

Example LDAP_configuration YAML for a custom LDAP

Adjust the example to match your LDAP configuration.

ldap_configuration:
     lc_selected_ldap_type: "Custom"
     lc_ldap_server: "myhost"
     lc_ldap_port: "636"
     lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
     lc_ldap_ssl_enabled: true
     lc_ldap_ssl_secret_name: "ldap-ssl-cert-secret"
     lc_ldap_user_name_attribute: "user:sAMAccountName"
     lc_ldap_user_display_name_attr: "cn"
     lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
     lc_ldap_group_name_attribute: "\*:cn"
     lc_ldap_group_display_name_attr: "cn"
     lc_ldap_group_membership_search_filter: "(&(cn=%v)(objectcategory=group))"
     lc_ldap_group_member_id_map: "memberOf:member"
     lc_ldap_max_search_results: 4500
     lc_ldap_recursive_search: false
     lc_enable_pagination: false
     lc_pagination_size: 4500 
     custom:
       lc_user_filter: "(&(objectClass=person)(cn=%v))"
       lc_group_filter: "(&(objectClass=group)(cn=%v))"