SCIM pagination support for LDAP server
From foundational services version 3.19.9, 3.21, and later, server-side pagination is supported for LDAP. The pagination feature in the LDAP server allows you to access large result sets when there is a server-side administrative limit on the number of entries returned from a query.
The supported LDAP types in your product cluster enforce page size limits on the results that are returned from the LDAP in the SCIM user/group API call. The supported LDAP types in your product cluster and their corresponding default page size limits:
| LDAP type | Default page size |
|---|---|
| IBM Tivoli Directory Server | 20000 |
| IBM Lotus Domino | 20000 |
| IBM SecureWay Directory Server | 20000 |
| Novell eDirectory | 500 |
| Sun Java™ System Directory Server | 2000 |
| Netscape Directory Server | 5000 |
| Microsoft Active Directory | 1000 |
| Custom | 4500 |
For example, in Microsoft Active Directory, the default page size limit is 1000, which means that the default number of entries returned in a single request is 1000. If you send a request to retrieve more than 1000 entries, the LDAP server returns the LDAP_SIZELIMIT_EXCEEDED error. To avoid the LDAP_SIZELIMIT_EXCEEDED error in foundational services version 3.20 and earlier, the number of entries requested in your query must be less than or equal to 1000.
Similarly, for other LDAP servers, if the number of entries in your request exceeds the default page size limit of the LDAP server, the server returns the LDAP_SIZELIMIT_EXCEEDED error. To overcome this page size limit of the LDAP server, the SCIM pagination option is introduced in foundational services version 3.19.9, 3.21, and later. The pagination option for the LDAP server applies to the SCIM APIs. This option enables you to retrieve the result of your query even if your LDAP entry request is beyond the default page size limit of the LDAP server.
Enabling pagination option for LDAP server
By default, the SCIM pagination option for the LDAP server is disabled. You can enable the pagination option by using the Identity Provider V3 API. Currently, you can enable the pagination option through the APIs only.
The Identity Provider V3 API contains the following parameters to support the server-side pagination option for LDAP:
- LDAP_PAGINGSEARCH: If the LDAP_PAGINGSEARCH parameter is set to "false", the pagination option is disabled. Set this parameter to "true" to enable the pagination option.
- LDAP_PAGING_SIZE: A numeric field that defines the page size for the LDAP type. You can set the number as per your requirement. It is an optional field. If you do not provide a value for the LDAP_PAGING_SIZE parameter, the default page size of the LDAP server is used as the request size in the API query. For example, when the LDAP type is Microsoft Active Directory (MSAD) and you do not provide the LDAP_PAGING_SIZE value in the API, the default page size of 1000 is used as the request size. Also, the LDAP_PAGING_SIZE value must not exceed the default server-side page limit or the maximum configured value for the respective LDAP type.
See the following notes:
- The IM supports LDAP user and group search through SCIM APIs and LDAP APIs. However, the pagination option for the LDAP server applies to the SCIM APIs only.
- You can configure the server-side pagination option for each LDAP type.
- The LDAP_PAGINGSEARCH and LDAP_PAGING_SIZE parameters are optional in the Identity Provider V3 API. Include these parameters in the API as per your requirement.
Procedure
The following example shows how to enable pagination while creating an LDAP connection through the Identity Provider V3 API; to set the page size as well, include the LDAP_PAGING_SIZE parameter in the same request:
Before you begin: Ensure that you are familiar with the other LDAP configuration parameters that are used in the Identity Provider V3 APIs. For more information, see LDAP authentication, LDAP filters, and Default LDAP filters by LDAP type.
Prerequisites: The LDAP server must have a bind DN and bind password; otherwise, you might get an InsufficientAccessRightsError while performing SCIM API queries. You must use the admin bind DN and bind password while configuring the LDAP connection. If you use a non-admin bind DN and bind password, enable the non-admin paged search option in the underlying LDAP server. For example, in IBM Tivoli Directory Server, the configuration file attribute ibm-slapdPagedResAllowNonAdmin (boolean) must be enabled. This attribute decides whether non-admin binds are allowed to perform paged searches.
- API version: 1.0.0
- API URI components:
  - Scheme: HTTPS
  - Host IP: Cluster Master Host
  - Port number: Cluster Master API Port
  - Path: idprovider/v3/auth/idsource/
  - Command: POST
  - Command output format: application/json
The sample curl command to create an LDAP connection with pagination enabled:
curl -k -X POST 'https://cp-console.apps.mycluster.mydomain.fyre.ibm.com/idprovider/v3/auth/idsource/' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer $ACCESS_TOKEN" \
  --data-raw '{
    "name": "openldap",
    "description": "",
    "protocol": "ldap",
    "type": "Custom",
    "idp_config": {
      "ldap_id": "openldap",
      "ldap_realm": "REALM",
      "ldap_url": "ldap://9.30.253.13:389",
      "ldap_host": "9.30.253.13",
      "ldap_port": "389",
      "ldap_protocol": "ldap",
      "ldap_basedn": "dc=ibm,dc=com",
      "ldap_binddn": "cn=admin,dc=ibm,dc=com",
      "ldap_bindpassword": "UGFzc3cwcmQ=",
      "ldap_type": "Custom",
      "ldap_ignorecase": "false",
      "ldap_userfilter": "(&(uid=%v)(objectclass=person))",
      "ldap_useridmap": "*:uid",
      "ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
      "ldap_groupidmap": "*:cn",
      "ldap_groupmemberidmap": "groupOfUniqueNames:uniqueMember",
      "ldap_nestedsearch": "false",
      "ldap_pagingsearch": "true"
    }
  }'
To use the Identity Provider APIs for an LDAP connection, you need to get the host details and the base64-encoded password for the LDAP_BINDPASSWORD parameter. For more information, see Creating an LDAP connection.
By using the Identity Provider APIs, you can also enable the pagination option and set the page size while updating an existing LDAP directory. For more information, see Update an LDAP directory.
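As an added illustration (not the product's own code), the following Python helper builds the request body shown in the curl example above with LDAP_PAGINGSEARCH enabled, and checks a requested LDAP_PAGING_SIZE against the default page size table on this page before the request is sent. The JSON key name ldap_paging_size is an assumption (the page names only the parameter), as are the sample host and credentials.

```python
import base64

# Default server-side page sizes from the table on this page, keyed by ldap_type.
DEFAULT_PAGE_SIZE = {
    "IBM Tivoli Directory Server": 20000, "IBM Lotus Domino": 20000,
    "IBM SecureWay Directory Server": 20000, "Novell eDirectory": 500,
    "Sun Java System Directory Server": 2000, "Netscape Directory Server": 5000,
    "Microsoft Active Directory": 1000, "Custom": 4500,
}


def build_ldap_idsource(name, ldap_type, host, port, basedn, binddn,
                        bind_password, paging_search=True, paging_size=None):
    """Build the JSON body for POST idprovider/v3/auth/idsource/ with paging set."""
    if ldap_type not in DEFAULT_PAGE_SIZE:
        raise ValueError(f"unknown LDAP type: {ldap_type}")
    limit = DEFAULT_PAGE_SIZE[ldap_type]
    # LDAP_PAGING_SIZE must not exceed the server-side limit, or the server
    # answers LDAP_SIZELIMIT_EXCEEDED instead of a page of results.
    if paging_size is not None and not 0 < paging_size <= limit:
        raise ValueError(f"LDAP_PAGING_SIZE {paging_size} exceeds {ldap_type} limit {limit}")
    # The API takes the bind password base64-encoded: that is encoding, not
    # encryption, so the request still relies on TLS and the bearer token.
    encoded_pw = base64.b64encode(bind_password.encode()).decode()
    idp_config = {
        "ldap_id": name, "ldap_realm": "REALM",
        "ldap_url": f"ldap://{host}:{port}", "ldap_host": host,
        "ldap_port": str(port), "ldap_protocol": "ldap",
        "ldap_basedn": basedn, "ldap_binddn": binddn,
        "ldap_bindpassword": encoded_pw, "ldap_type": ldap_type,
        "ldap_ignorecase": "false",
        "ldap_userfilter": "(&(uid=%v)(objectclass=person))",
        "ldap_useridmap": "*:uid",
        "ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
        "ldap_groupidmap": "*:cn",
        "ldap_groupmemberidmap": "groupOfUniqueNames:uniqueMember",
        "ldap_nestedsearch": "false",
        # LDAP_PAGINGSEARCH: "true" turns on server-side paged search
        "ldap_pagingsearch": "true" if paging_search else "false",
    }
    if paging_size is not None:
        # JSON key for LDAP_PAGING_SIZE is assumed; the page names only the parameter
        idp_config["ldap_paging_size"] = str(paging_size)
    return {"name": name, "description": "", "protocol": "ldap",
            "type": ldap_type, "idp_config": idp_config}
```

The returned dictionary is what goes into the --data-raw body of the curl command, with the same Content-Type and Authorization headers.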