Changing SCIM LDAP search limit settings

You can change the SCIM LDAP search limits settings in IBM Cloud Pak® for AIOps.

The SCIM LDAP search limits are controlled by the following configuration parameters:

  • SCIM_LDAP_SEARCH_SIZE_LIMIT: Limits the number of entries that a SCIM user or group API call can return. The default value is 4500. The value has no upper bound; set it based on the number of entries that you expect LDAP to return. When LDAP returns more entries than the configured value, a Size Limit Exceeded error is displayed.

    Note: Consider the LDAP maximum page size value when you tune the SCIM_LDAP_SEARCH_SIZE_LIMIT parameter. Currently, IM SCIM does not fully support LDAP pagination.

  • SCIM_LDAP_SEARCH_TIME_LIMIT: Limits the maximum wait time for a SCIM user or group search API call. The default value is 10 seconds, and the value is configurable. If the wait time exceeds the configured value (10 seconds by default), a Time Limit Exceeded error is displayed. This is a client-side restriction; the LDAP server can also impose its own limit on the search time.

    Note: If the configured value of SCIM_LDAP_SEARCH_TIME_LIMIT is greater than 30 seconds, increase the ingress-level timeout of the OpenShift Container Platform route.

    Adjust the timeout by using the following annotation:

    oc annotate route cp-console -n <your-foundational-services-namespace> --overwrite haproxy.router.openshift.io/timeout=60s
    

Changing the values by using the console

  1. Log in to the OpenShift Container console as a user with cluster administrator access.
  2. From the navigation menu, click Workloads > Config Maps.
  3. Search for platform-auth-idp.
  4. Click ... > Edit Config Map.
  5. Change the following attribute values, as required:
    • SCIM_LDAP_SEARCH_SIZE_LIMIT
    • SCIM_LDAP_SEARCH_TIME_LIMIT
  6. Click Submit.
  7. From the navigation menu, click Workloads > Deployments.
  8. Locate platform-auth-service.
  9. Click ... > Edit Deployment. An editing window opens.
  10. Click Submit without making any changes. This step reloads the platform-auth-service pods with the latest ConfigMap values.
  11. Click platform-auth-service.
  12. Wait for the pods to restart, then check the status of the platform-auth-service pods in the Pods pane. All pods must show 4/4 in the Ready field.
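
A command-line counterpart to the console steps above, as an added example that is not part of the IBM documentation. The function names, the 30-second headroom added to the route timeout, the plain-integer value format, and the use of a rollout restart in place of the Edit Deployment step are assumptions; set NS to your foundational services namespace.

```shell
#!/bin/sh
# Added example: applies SCIM LDAP search limits with oc.
# Dry run by default (prints each command); set DRY_RUN=0 to execute.
NS="${NS:-your-foundational-services-namespace}"  # placeholder, set NS to yours
ROUTE_THRESHOLD_SECS=30  # from the note: above this, raise the route timeout
ROUTE_HEADROOM_SECS=30   # assumption: margin kept above the search time limit

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept only positive integers without leading zeros.
is_pos_int() { case "$1" in ''|*[!0-9]*|0*) return 1 ;; esac; }

# Prints the route timeout needed for a time limit (for example 75s),
# or nothing when the limit is within the 30-second threshold.
route_timeout_for() {
  is_pos_int "$1" || return 2
  if [ "$1" -gt "$ROUTE_THRESHOLD_SECS" ]; then
    echo "$(( $1 + $ROUTE_HEADROOM_SECS ))s"
  fi
}

# usage: set_scim_limits SIZE_LIMIT TIME_LIMIT_SECONDS
set_scim_limits() {
  if ! is_pos_int "$1" || ! is_pos_int "$2"; then
    echo "both limits must be positive integers" >&2
    return 2
  fi
  # Assumption: the ConfigMap stores both limits as plain integer strings.
  patch="{\"data\":{\"SCIM_LDAP_SEARCH_SIZE_LIMIT\":\"$1\",\"SCIM_LDAP_SEARCH_TIME_LIMIT\":\"$2\"}}"
  run oc patch configmap platform-auth-idp -n "$NS" --type merge -p "$patch" || return 1
  timeout=$(route_timeout_for "$2")
  if [ -n "$timeout" ]; then
    run oc annotate route cp-console -n "$NS" --overwrite \
      "haproxy.router.openshift.io/timeout=$timeout" || return 1
  fi
  # Assumption: a rollout restart stands in for the console reload step.
  run oc rollout restart deployment/platform-auth-service -n "$NS" || return 1
  run oc rollout status deployment/platform-auth-service -n "$NS"
}

if [ "$#" -gt 0 ]; then set_scim_limits "$@"; fi
```

Review the dry-run output before you rerun with DRY_RUN=0, and still confirm that the pods show 4/4 Ready as in the last console step.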