Changing LDAP search settings

Changing the Lightweight Directory Access Protocol (LDAP) search settings in IBM Cloud Pak® for AIOps.

Configure attributes consideration for LDAP search

By default, IBM Cloud Pak for AIOps searches for users and groups on both the common name (CN) and identifier (ID) attributes as configured in the LDAP connection settings. Examples of ID attributes are uid, sAMAccountName, and emailAddress.

This behavior can be changed by setting the following configuration parameters:

The following two attributes are used for the search:

LDAP_SEARCH_CN_ATTR_ONLY - Search by CN only. Default value is false.
LDAP_SEARCH_ID_ATTR_ONLY- Search by ID only. Default value is false.

To use only the CN attribute for searching users or groups, set LDAP_SEARCH_CN_ATTR_ONLY value to true. To use only the ID attribute for searching users or groups, set LDAP_SEARCH_ID_ATTR_ONLY value to true.

Following are the steps to change the values of the LDAP search config parameters:

Changing the attribute values by using kubectl

To change the values, complete the following steps:

Install the kubectl CLI.
Edit the platform-auth-idp ConfigMap.
```
kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
```
Set the following attribute values as required to true or false.
- LDAP_SEARCH_CN_ATTR_ONLY
- LDAP_SEARCH_ID_ATTR_ONLY
Note: Set only one value to true.
Save and close the ConfigMap.

Restart the platform-auth-service pods

kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service

Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods.
```
kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
```

Changing the attribute values by using the console

Log in to the Red Hat® OpenShift® Container Platform console as a user with cluster administrator access.
From the navigation menu, click Workloads > Config Maps.
Search for platform-auth-idp.
Click ... > Edit Config Map.
Change either of the following attribute values to true, as required:
- LDAP_SEARCH_CN_ATTR_ONLY
- LDAP_SEARCH_ID_ATTR_ONLY
Note: Set only one value to true.
Click Save.
From the navigation menu, click Workloads > Deployments.
Locate platform-auth-service.
Click ... > Edit Deployment. A window for editing displays.
Click Save without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
Click platform-auth-service.
Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.

Changing the LDAP search size limit and time limit values

Following are the LDAP search limit configuration parameters:

LDAP_SEARCH_SIZE_LIMIT: Default value is "50". Range of values is 50 - 100.
LDAP_SEARCH_TIME_LIMIT: Default value is "5". Range of values is 5 - 50.

Changing the values by using kubectl

To change the values, complete the following steps:

Set up the kubectl CLI. For more information, see Install tools .
Edit the platform-auth-idp ConfigMap.
```
kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
```
Change the following values as required:
- LDAP_SEARCH_SIZE_LIMIT
- LDAP_SEARCH_TIME_LIMIT
Save and close the ConfigMap.

Restart the platform-auth-service pods

kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service

Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods.
```
kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
```

Changing the values by using the console

Log in to the console as a user with cluster administrator access.
From the navigation menu, click Workloads > Config Maps.
Search for platform-auth-idp.
Click ... > Edit Config Map.
Change the following attribute values, as required:
- LDAP_SEARCH_SIZE_LIMIT
- LDAP_SEARCH_TIME_LIMIT
Click Submit.
From the navigation menu, click Workloads > Deployments.
Locate platform-auth-service.
Click ... > Edit Deployment. A window for editing displays.
Click Submit without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
Click platform-auth-service.
Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.

Change LDAP search wild characters usage

Following is the LDAP search wild characters configuration parameter:

LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS: Default value is "false".

In IBM Cloud Pak for AIOps, wild characters such as asterisk are used in the search string to match the substring value of the LDAP server attribute.

Set LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS value to true to exclude wild characters (*) in the search string and to match the exact value of the LDAP server attribute.

Following is the default search string:

(|(&(cn=*<searchstring>*)(objectclass=person))(&(uid=*<searchstring>*)(objectclass=person)))

Following is the search string when the LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS is set to true:

(|(&(cn=<searchstring>)(objectclass=person))(&(uid=<searchstring>)(objectclass=person)))

To change the wild characters usage in the search string, complete the following steps:

Changing the wild characters configuration parameter by using kubectl

To change the values, complete the following steps:

Install the Kubernetes CLI (kubectl) tool.
Edit the platform-auth-idp ConfigMap.
```
kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
```
Change the following value as required:
- LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS
Save and close the ConfigMap.

Restart the platform-auth-service pods

kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service

Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods.
```
kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
```

Changing the wild characters configuration parameter by using the console

Log in to the Red Hat® OpenShift® Container Platform console as a user with cluster administrator access.
From the navigation menu, click Configuration > Config Maps.
Search for platform-auth-idp.
Click ... > Edit Config Map.
Change the following value, as required:
- LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS
Click Save.
From the navigation menu, click Workloads > Deployments.
Locate platform-auth-service.
Click ... > Edit. A window for editing displays.
Click Save without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
Click platform-auth-service.
Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.