Updating SCIM LDAP attributes mapping

You can update the SCIM LDAP attributes mapping.

To support the SCIM APIs for a configured LDAP connection in IBM Cloud Pak foundational services, you can update SCIM_LDAP_ATTRIBUTES_MAPPING data in the following ways:

Note: Use of the configmap is deprecated from the IBM Cloud Pak foundational services version 3.17.0 and is subject to be removed in the future release.

Updating with attributemapping API

To use the attributemapping API, you must add an authorization header to your request. You need to add an access token to the authorization header. To obtain the access token, see Preparing to run component or management API commands.

Procedure

Note: The members and objectClass attributes do not consider the custom SCIM attribute values. Use LDAP filter values for these attributes to map the data.

  1. Check the existing attribute mappings by using the following API call:

     curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings"
    

    The response resembles the following code:

     [{"idp_id":"default","idp_type":"ldap","user":{"id":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","emails":"mail","created":"createTimestamp","lastModified":"modifyTimestamp","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}},
    
  2. Create the attribute mappings with your mapping data by using the following API call:

    Note: If you already have the attribute mappings, do not create another attribute mapping. You can skip this step.

     export DATA='{"idp_id":"test","dip_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}'
    

    The sample curl command resembles the following code:

     curl -sk -X POST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" -d $DATA "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings"
    

    The response resembles the following code:

     {"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}
    
  3. Update the existing attribute mappings data with your mapping data by using the following API call:

     export DATA='{"idp_id":"$IDP_ID","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"}},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}'
    

    The sample curl command resembles the following code:

     curl -sk -X PUT --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" -d $DATA "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
    

    The response resembles the following code:

     {"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}
    
  4. Delete the existing attribute mappings by using the following API call:

     curl -sk -X DELETE --header "Authorization: Bearer $ACCESS_TOKEN" \
     --header "Content-Type: application/json" \
     "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
    

    The response resembles the following code:

     {"count":1}
    

Updating with platform-auth-idp configmap

You can update SCIM_LDAP_ATTRIBUTES_MAPPING data in the configmap platform-auth-idp to support SCIM APIs for a configured LDAP connection in IBM Cloud Pak foundational services.

Currently, the platform-auth-idp configmap contains the following default configuration. Within this configuration, default is the default name. This configuration also has two sets of mapping data for each user and group SCIM resource.

In each data set, key is the SCIM attribute name and value is the LDAP attribute name, for example, "userName": "uid". See the following parameter description:

Default configuration

{
    "default": {
        "user": {
            "id": "dn",
            "userName": "uid",
            "principalName": "uid",
            "displayName": "cn",
            "givenName": "cn",
            "familyName": "sn",
            "fullName": "cn",
            "externalId": "dn",
            "emails": "mail",
            "created": "createTimestamp",
            "lastModified": "modifyTimestamp",
            "phoneNumbers": [{
                    "value": "mobile",
                    "type": "mobile"
                },
                {
                    "value": "telephoneNumber",
                    "type": "work"
                }],
            "objectClass": "person",
            "groups": "memberOf"
        },
        "group": {
            "id": "dn",
            "name": "cn",
            "principalName": "cn",
            "displayName": "cn",
            "externalId": "dn",
            "created": "createTimestamp",
            "lastModified": "modifyTimestamp",
            "objectClass": "groupOfUniqueNames",
            "members": "uniqueMember"
        }
    }
}

You can customize the configuration to meet your requirements for the configured LDAP connection. Then, you can construct a similar mapping for your LDAP server and append the mapping to the SCIM_LDAP_ATTRIBUTES_MAPPING data in the platform-auth-idp configmap.

As an example, you can use Connection name as pmsad in your configured MSAD LDAP connection configuration. Next, you can use pmsad as the configuration key and construct the mapping data as shown in the following code example. Then, you can append the mapping data to your configmap data. For more information about attributes, see LDAP attributes.

    "pmsad": {
        "user": {
            "id": "dn",
            "userName": "sAMAccountName",
            "principalName": "sAMAccountName",
            "displayName": "displayName",
            "givenName": "givenName",
            "familyName": "sn",
            "fullName": "cn",
            "externalId": "dn",
            "emails": "mail",
            "created": "whenCreated",
            "lastModified": "whenChanged",
            "phoneNumbers": [{
                    "value": "mobile",
                    "type": "mobile"
                },
                {
                    "value": "telephoneNumber",
                    "type": "work"
                }],
            "objectClass": "person",
            "groups": "memberOf"
        },
        "group": {
            "id": "dn",
            "name": "cn",
            "principalName": "cn",
            "displayName": "cn",
            "externalId": "dn",
            "created": "whenCreated",
            "lastModified": "whenChanged",
            "objectClass": "group",
            "members": "member"
        }
    }

Procedure

Update your configmap by using the CLI. Run these commands:

  1. Edit platform-auth-idp configmap.

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    

    Go to the SCIM_LDAP_ATTRIBUTES_MAPPING attribute value and append your mapping data to the existing value. Make sure to add a comma(,) for previous entry in the JSON.

    For IBM Cloud Pak foundational services version 3.11.0, set the ATTR_MAPPING_FROM_CONFIG attribute value to true.

    Save and quit.

  2. Check the updated data in your platform-auth-idp configmap. The output resembles the following code.

     oc -n <your-foundational-services-namespace> get configmap platform-auth-idp -o yaml | grep -A50 SCIM_LDAP_ATTRIBUTES_MAPPING
    
     ...
     {
         "default": {
             "user": {
                 "id": "dn",
                 "userName": "uid",
                 "principalName": "uid",
                 "displayName": "cn",
                 "givenName": "cn",
                 "familyName": "sn",
                 "fullName": "cn",
                 "externalId": "dn",
                 "emails": "mail",
                 "created": "createTimestamp",
                 "lastModified": "modifyTimestamp",
                 "phoneNumbers": [{
                         "value": "mobile",
                         "type": "mobile"
                     },
                     {
                         "value": "telephoneNumber",
                         "type": "work"
                     }],
                 "objectClass": "person",
                 "groups": "memberOf"
             },
             "group": {
                 "id": "dn",
                 "name": "cn",
                 "principalName": "cn",
                 "displayName": "cn",
                 "externalId": "dn",
                 "created": "createTimestamp",
                 "lastModified": "modifyTimestamp",
                 "objectClass": "groupOfUniqueNames",
                 "members": "uniqueMember"
             }
         },
         "pmsad": {
             "user": {
                 "id": "dn",
                 "userName": "sAMAccountName",
                 "principalName": "sAMAccountName",
                 "displayName": "displayName",
                 "givenName": "givenName",
                 "familyName": "sn",
                 "fullName": "cn",
                 "externalId": "dn",
                 "emails": "mail",
                 "created": "whenCreated",
                 "lastModified": "whenChanged",
                 "phoneNumbers": [{
                         "value": "mobile",
                         "type": "mobile"
                     },
                     {
                         "value": "telephoneNumber",
                         "type": "work"
                     }],
                 "objectClass": "person",
                 "groups": "memberOf"
             },
             "group": {
                 "id": "dn",
                 "name": "cn",
                 "principalName": "cn",
                 "displayName": "cn",
                 "externalId": "dn",
                 "created": "whenCreated",
                 "lastModified": "whenChanged",
                 "objectClass": "group",
                 "members": "member"
             }
         }
     }
    

    Note: Make sure that complete data is a valid JSON.

  3. Restart the platform-identity-management pods.

     oc -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-identity-management
    
  4. Wait for some time. Then, check the status of the platform-identity-management pods. The status must show as 1/1 Running for all pods.

     oc -n <your-foundational-services-namespace> get pods | grep platform-identity-management
    

Note: By default, the LDAP connection configuration considers the following mapping values for SCIM APIs.

Table 1. LDAP connection attributes
LDAP connection attributes SCIM object SCIM attributes
LDAP_USERIDMAP user userName
LDAP_USERFILTER user objectClass
LDAP_GROUPIDMAP group name
LDAP_GROUPFILTER group objectClass
LDAP_GROUPMEMBERIDMAP group members

Note: If you have multiple expressions in the LDAP connection attributes configuration, the first configuration value is considered.

LDAP attributes

For information about LDAP attributes, you can use the ldapsearch tool or any LDAP browser such as Apache Directory Studio.

Installing the ldapsearch tool

On Ubuntu, run the following command:

sudo apt-get install ldap-utils

On Red Hat® Enterprise Linux®, run the following command:

sudo yum install openldap-clients

The following examples show the ldapsearch tool command structure and an example output.

User

Command:

ldapsearch -x -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -W -s sub "(sAMAccountName=pavann)" "*" "+"

Output:

# extended LDIF
#
# LDAPv3
# base <DC=ibmtest,DC=com> with scope subtree
# filter: (sAMAccountName=pava)
# requesting: * +
#

# Tom Northwood, Users, ibmtest.com
dn: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tom Northwood
givenName: Tom Northwood
distinguishedName: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
instanceType: 4
whenCreated: 20180802104118.0Z
whenChanged: 20210305115346.0Z
displayName: Tom Northwood
uSNCreated: 13356
memberOf: CN=group9,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group8,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group7,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group6,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group5,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group4,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group3,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group2,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group1,CN=Users,DC=ibmtest,DC=com
memberOf: CN=security,CN=Users,DC=ibmtest,DC=com
uSNChanged: 145644
name: Tom Northwood
objectGUID:: pVKE4qv5MEyqxjQ3nUvsWA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132285264754362226
lastLogoff: 0
lastLogon: 132285264944206361
pwdLastSet: 131776804917936927
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAr/FodBO+7uVBDhlaXAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pavann
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ibmtest,DC=com
dSCorePropagationData: 20180802104118.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132594188266767176

# search reference
ref: ldap://ForestDnsZones.ibmtest.com/DC=ForestDnsZones,DC=ibmtest,DC=com

# search reference
ref: ldap://DomainDnsZones.ibmtest.com/DC=DomainDnsZones,DC=ibmtest,DC=com

# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Group

Command:

ldapsearch -x -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -W -s sub "(cn=security)" "*" "+"

Output:

# extended LDIF
#
# LDAPv3
# base <DC=ibmtest,DC=com> with scope subtree
# filter: (cn=security)
# requesting: * +
#

# security, Users, ibmtest.com
dn: CN=security,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: group
cn: security
member: CN=Neil Wilson,CN=Users,DC=ibmtest,DC=com
member: CN=John Winston,CN=Users,DC=ibmtest,DC=com
member: CN=Jeff Rodrigue,CN=Users,DC=ibmtest,DC=com
member: CN=Kane Shatner,CN=Users,DC=ibmtest,DC=com
member: CN=Anna Reynolds,CN=Users,DC=ibmtest,DC=com
member: CN=Gessie Lemson,CN=Users,DC=ibmtest,DC=com
member: CN=Lauri Williamson,CN=Users,DC=ibmtest,DC=com
member: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
distinguishedName: CN=security,CN=Users,DC=ibmtest,DC=com
instanceType: 4
whenCreated: 20180802103445.0Z
whenChanged: 20180802105558.0Z
uSNCreated: 13330
memberOf: CN=isl,CN=Users,DC=ibmtest,DC=com
uSNChanged: 13455
name: security
objectGUID:: UPoQ3uNfVk+fHn1W1b5KUg==
objectSid:: AQUAAAAAAAUVAAAAr/FodBO+7uVBDhlaWAQAAA==
sAMAccountName: security
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ibmtest,DC=com
dSCorePropagationData: 16010101000000.0Z

# search reference
ref: ldap://ForestDnsZones.ibmtest.com/DC=ForestDnsZones,DC=ibmtest,DC=com

# search reference
ref: ldap://DomainDnsZones.ibmtest.com/DC=DomainDnsZones,DC=ibmtest,DC=com

# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

IBM Cloud attributes

To search IBM Cloud users in SCIM, custom attributes can be defined as shown in the following code example. By default, these attributes are not defined.

"IBMCloud" = {
    "user": {
        "id": "userId",
        "userName": "userId",
        "principalName": "userId",
        "displayName": "firstName",
        "emails": "email",
        "familyName": "lastName",
        "givenName": "firstName",
        "externalId": "userId"
    }
};