SCIM pagination support for LDAP server

Starting with foundational services versions 3.19.9 and 3.21 (and later), server-side pagination is supported for LDAP. Pagination lets you retrieve large result sets from the LDAP server even when a server-side administrative limit caps the number of entries that a single query returns.

The supported LDAP types enforce a page size limit on the results that are returned from LDAP in a SCIM user or group API call. The supported LDAP types and their default page size limits are listed in the following table:

LDAP types with their corresponding default page size limit

LDAP type                           Default page size
IBM Tivoli Directory Server         20000
IBM Lotus Domino                    20000
IBM SecureWay Directory Server      20000
Novell eDirectory                   500
Sun Java™ System Directory Server   2000
Netscape Directory Server           5000
Microsoft Active Directory          1000
Custom                              4500

For example, in Microsoft Active Directory the default page size limit is 1000, so a single request returns at most 1000 entries. A request for more than 1000 entries fails with the LDAP_SIZELIMIT_EXCEEDED error. In foundational services versions without the pagination option (3.20 and earlier, except 3.19.9), keep each request to 1000 entries or fewer to avoid the error.

Similarly, for the other LDAP servers, a request that exceeds the server's default page size limit fails with the LDAP_SIZELIMIT_EXCEEDED error. To overcome this limit, the SCIM pagination option is introduced with foundational services versions 3.19.9 and 3.21 and later. The option applies to the SCIM APIs and lets a query retrieve its full result set even when the number of matching entries is beyond the default page size limit of the LDAP server.
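The following Python script is an added illustration of the two behaviours described above, not code from the foundational services product or from any LDAP library. MockDirectory is an in-memory stand-in for the directory server: it enforces the administrative size limit from the table on this page and hands out a paging cookie the way a server implementing RFC 2696 simple paged results does. The client loop in fetch_all is the part that matters: an unpaged search for more entries than the limit fails, while the same search driven page by page completes, and a server whose limit is lower than the requested page size (Novell eDirectory in the demo) simply needs more round trips. The directory contents are constructed synthetic entries.

```python
"""Why an unpaged search fails with LDAP_SIZELIMIT_EXCEEDED and how server-side
paging (RFC 2696 simple paged results) gets past the limit.

Added illustration for this page; not product or library code. MockDirectory
is an in-memory stand-in for the LDAP server.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default page size limits from the table on this page.
DEFAULT_PAGE_SIZE = {
    "IBM Tivoli Directory Server": 20000,
    "IBM Lotus Domino": 20000,
    "IBM SecureWay Directory Server": 20000,
    "Novell eDirectory": 500,
    "Sun Java System Directory Server": 2000,
    "Netscape Directory Server": 5000,
    "Microsoft Active Directory": 1000,
    "Custom": 4500,
}


class SizeLimitExceeded(Exception):
    """Stands in for LDAP result code 4, sizeLimitExceeded."""


@dataclass
class MockDirectory:
    ldap_type: str
    entries: List[str]
    size_limit: Optional[int] = None  # taken from DEFAULT_PAGE_SIZE when None

    def __post_init__(self):
        if self.size_limit is None:
            self.size_limit = DEFAULT_PAGE_SIZE[self.ldap_type]

    def search(self, page_size: Optional[int] = None,
               cookie: bytes = b"") -> Tuple[List[str], bytes]:
        """One search request.

        Without the paged-results control the server refuses a result set
        larger than its size limit. With the control the client asks for
        page_size entries; the server may return fewer (it never exceeds its
        own limit) and returns an opaque cookie that the client echoes back
        to get the next page. An empty cookie means the result set is done.
        """
        if page_size is None:
            if len(self.entries) > self.size_limit:
                raise SizeLimitExceeded(
                    f"{self.ldap_type}: {len(self.entries)} entries exceed "
                    f"limit {self.size_limit}")
            return list(self.entries), b""
        start = int(cookie) if cookie else 0   # real cookies are opaque; ours is an offset
        end = min(start + min(page_size, self.size_limit), len(self.entries))
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return self.entries[start:end], next_cookie


def fetch_all(directory: MockDirectory,
              page_size: Optional[int] = None) -> Tuple[List[str], int]:
    """Client side: drive the cookie loop until the server returns an empty
    cookie. Returns the entries and the number of round trips it took."""
    results: List[str] = []
    cookie = b""
    round_trips = 0
    while True:
        page, cookie = directory.search(page_size=page_size, cookie=cookie)
        results.extend(page)
        round_trips += 1
        if not cookie:
            return results, round_trips


def demo(ldap_type: str = "Microsoft Active Directory", total: int = 2500) -> dict:
    """Compare an unpaged search with a paged one (page size 1000) against a
    constructed directory of `total` synthetic user entries."""
    directory = MockDirectory(
        ldap_type, [f"uid=user{i},dc=ibm,dc=com" for i in range(total)])
    try:
        fetch_all(directory)
        unpaged_error = False
    except SizeLimitExceeded:
        unpaged_error = True
    entries, round_trips = fetch_all(directory, page_size=1000)
    return {"unpaged_error": unpaged_error,
            "paged_entries": len(entries),
            "round_trips": round_trips}


if __name__ == "__main__":
    print(demo())                            # AD: unpaged fails, paged needs 3 round trips
    print(demo("Novell eDirectory", 2500))   # limit 500: same entries, 5 round trips
```

A real client never parses the cookie; it only echoes it back. The one thing to carry over from this model is that the request page size is a request, not a guarantee: size the loop on the cookie, not on how many entries you asked for.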

Enabling pagination option for LDAP server

By default, the SCIM pagination option for the LDAP server is disabled. You can enable it by using the Identity Provider V3 API. Currently, the option can be enabled only through the APIs.

The Identity Provider V3 API contains the following parameters to support the server-side pagination option for LDAP:

See the following notes:

Procedure

The following example shows how to enable the pagination option when you create an LDAP connection through the Identity Provider V3 API:

Before you begin: Make sure that you are familiar with the other LDAP configuration parameters that are used in the Identity Provider V3 APIs. For more information, see LDAP authentication, LDAP filters, and Default LDAP filters by LDAP type.

Prerequisites: The LDAP connection must be configured with a bind DN and bind password; otherwise the SCIM API queries might fail with InsufficientAccessRightsError. Use the administrator bind DN and bind password when you configure the LDAP connection. If you use a non-administrator bind DN and bind password, enable paged searches for non-administrator binds in the underlying LDAP server. For example, in IBM Tivoli Directory Server, set the configuration file attribute ibm-slapdPagedResAllowNonAdmin (boolean) to true. This attribute controls whether non-administrator binds are allowed to perform paged searches.

API version: 1.0.0
API URI components:
  Scheme: HTTPS
  Host IP: Cluster Master Host
  Port number: Cluster Master API Port
  Path: idprovider/v3/auth/idsource/
Command: POST
Command output format: application/json

The sample curl command to create an LDAP connection with the pagination option enabled (ldap_pagingsearch set to "true"). The -k flag disables TLS certificate verification; use it only against a test cluster, and pass the cluster CA with --cacert instead in production:

curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $ACCESS_TOKEN" \
--data-raw \
'{
  "name": "openldap",
  "description": "",
  "protocol": "ldap",
  "type": "Custom",
  "idp_config": {
        "ldap_id": "openldap",
        "ldap_realm": "REALM",
        "ldap_url": "ldap://9.30.253.13:389",
        "ldap_host": "9.30.253.13",
        "ldap_port": "389",
        "ldap_protocol": "ldap",
        "ldap_basedn": "dc=ibm,dc=com",
        "ldap_binddn": "cn=admin,dc=ibm,dc=com",
        "ldap_bindpassword": "UGFzc3cwcmQ=",
        "ldap_type": "Custom",
        "ldap_ignorecase": "false",
        "ldap_userfilter": "(&(uid=%v)(objectclass=person))",
        "ldap_useridmap": "*:uid",
        "ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
        "ldap_groupidmap": "*:cn",
        "ldap_groupmemberidmap": "groupOfUniqueNames:uniqueMember",
        "ldap_nestedsearch": "false",
        "ldap_pagingsearch": "true"
        }
}'

To use the Identity Provider APIs for an LDAP connection, you need the host details and the base64-encoded bind password for the "ldap_bindpassword" parameter. Base64 is an encoding, not encryption: the bind password is protected in transit only by TLS, which is one reason not to disable certificate verification on the API call. For more information, see Creating an LDAP connection.
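The same request as a Python script, added here as an example and not the product's own client code. The endpoint path, the idp_config keys and the "true"/"false" string values follow the curl sample on this page; the host ldap.example.com and the environment variable names CP_CONSOLE_HOST, ACCESS_TOKEN, LDAP_BIND_PASSWORD and CLUSTER_CA_FILE are assumptions chosen so that neither the bearer token nor the bind password is hard-coded in the script, and the server certificate is verified instead of being skipped with -k.

```python
"""Create an LDAP connection through the Identity Provider V3 API with the
pagination option enabled.

Added example, not the product's own client code. Endpoint path and idp_config
keys follow the curl sample on this page; the environment variable names and
ldap.example.com are assumptions made for this example.
"""
import base64
import json
import os
import ssl
import urllib.request


def encode_bind_password(password: str) -> str:
    """ldap_bindpassword is sent base64-encoded. Base64 is encoding, not
    encryption: the only protection for the password in flight is TLS."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def build_idsource_payload(name: str, host: str, port: str, basedn: str,
                           binddn: str, bindpassword: str,
                           paging: bool = True) -> dict:
    """Assemble the POST body. Filters and maps are the Custom-type values
    from the page's sample; the pagination flag is a string, as in that sample."""
    flag = "true" if paging else "false"
    return {
        "name": name,
        "description": "",
        "protocol": "ldap",
        "type": "Custom",
        "idp_config": {
            "ldap_id": name,
            "ldap_realm": "REALM",
            "ldap_url": f"ldap://{host}:{port}",
            "ldap_host": host,
            "ldap_port": port,
            "ldap_protocol": "ldap",
            "ldap_basedn": basedn,
            "ldap_binddn": binddn,
            "ldap_bindpassword": encode_bind_password(bindpassword),
            "ldap_type": "Custom",
            "ldap_ignorecase": "false",
            "ldap_userfilter": "(&(uid=%v)(objectclass=person))",
            "ldap_useridmap": "*:uid",
            "ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
            "ldap_groupidmap": "*:cn",
            "ldap_groupmemberidmap": "groupOfUniqueNames:uniqueMember",
            "ldap_nestedsearch": "false",
            "ldap_pagingsearch": flag,
        },
    }


def create_ldap_connection(console_host: str, token: str, payload: dict,
                           ca_file: str = None) -> dict:
    """POST the payload. Unlike curl -k, the server certificate is verified;
    pass the cluster CA bundle in ca_file when it is not in the system store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"https://{console_host}/idprovider/v3/auth/idsource/",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_idsource_payload(
        name="openldap", host="ldap.example.com", port="389",
        basedn="dc=ibm,dc=com", binddn="cn=admin,dc=ibm,dc=com",
        bindpassword=os.environ["LDAP_BIND_PASSWORD"],
    )
    print(create_ldap_connection(os.environ["CP_CONSOLE_HOST"],
                                 os.environ["ACCESS_TOKEN"], body,
                                 ca_file=os.environ.get("CLUSTER_CA_FILE")))
```

Keep the bind DN an administrator account, as the prerequisites above require; with a non-administrator bind the request succeeds but later SCIM queries can fail with InsufficientAccessRightsError unless the directory permits paged searches for that bind.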

By using the Identity Provider APIs, you can also enable the pagination option and set the page size when you update an existing LDAP directory. For more information, see Update an LDAP directory.