Updating SCIM LDAP attributes mapping
You can update the SCIM LDAP attributes mapping.
To support the SCIM APIs for a configured LDAP connection in IBM Cloud Pak foundational services, you can update the SCIM_LDAP_ATTRIBUTES_MAPPING data in the following ways:
- By using SCIM configuration for the LDAP connection. For more information, see SCIM configuration by using your product UI.
- By using the attributemapping API (available for IBM Cloud Pak foundational services version 3.11.0 or later).
- By using the platform-auth-idp configmap.
Note: Use of the configmap is deprecated from IBM Cloud Pak foundational services version 3.17.0 and is subject to removal in a future release.
Updating with the attributemapping API
To use the attributemapping API, you must add an authorization header that carries an access token to your request. To obtain the access token, see Preparing to run component or management API commands.
Procedure
Note: The members and objectClass attributes do not consider the custom SCIM attribute values. Use LDAP filter values for these attributes to map the data.
- Check the existing attribute mappings by using the following API call:
curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings"
The response resembles the following code:
[{"idp_id":"default","idp_type":"ldap","user":{"id":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","emails":"mail","created":"createTimestamp","lastModified":"modifyTimestamp","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}},
- Create the attribute mappings with your mapping data by using the following API call:
Note: If you already have the attribute mappings, do not create another attribute mapping. You can skip this step.
export DATA='{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}'
The sample curl command resembles the following code:
curl -sk -X POST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" -d "$DATA" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings"
The response resembles the following code:
{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}
- Update the existing attribute mappings data with your mapping data by using the following API call. Set IDP_ID to the idp_id of the mapping that you want to update:
export DATA='{"idp_id":"'"$IDP_ID"'","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}'
The sample curl command resembles the following code:
curl -sk -X PUT --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" -d "$DATA" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
The response resembles the following code:
{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}
- Delete the existing attribute mappings by using the following API call:
curl -sk -X DELETE --header "Authorization: Bearer $ACCESS_TOKEN" \
  --header "Content-Type: application/json" \
  "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
The response resembles the following code:
{"count":1}
Updating with the platform-auth-idp configmap
You can update the SCIM_LDAP_ATTRIBUTES_MAPPING data in the platform-auth-idp configmap to support SCIM APIs for a configured LDAP connection in IBM Cloud Pak foundational services.
Currently, the platform-auth-idp configmap contains the following default configuration. Within this configuration, the key default is the default name. The configuration has two sets of mapping data, one for the user SCIM resource and one for the group SCIM resource.
In each data set, the key is the SCIM attribute name and the value is the LDAP attribute name, for example, "userName": "uid". In this example:
- userName is the SCIM attribute name.
- uid is the LDAP attribute name.
Default configuration
{
"default": {
"user": {
"id": "dn",
"userName": "uid",
"principalName": "uid",
"displayName": "cn",
"givenName": "cn",
"familyName": "sn",
"fullName": "cn",
"externalId": "dn",
"emails": "mail",
"created": "createTimestamp",
"lastModified": "modifyTimestamp",
"phoneNumbers": [{
"value": "mobile",
"type": "mobile"
},
{
"value": "telephoneNumber",
"type": "work"
}],
"objectClass": "person",
"groups": "memberOf"
},
"group": {
"id": "dn",
"name": "cn",
"principalName": "cn",
"displayName": "cn",
"externalId": "dn",
"created": "createTimestamp",
"lastModified": "modifyTimestamp",
"objectClass": "groupOfUniqueNames",
"members": "uniqueMember"
}
}
}
You can customize the configuration to meet your requirements for the configured LDAP connection. Construct a similar mapping for your LDAP server and append the mapping to the SCIM_LDAP_ATTRIBUTES_MAPPING data in the platform-auth-idp configmap.
As an example, suppose that the Connection name in your configured MSAD LDAP connection configuration is pmsad. Use pmsad as the configuration key and construct the mapping data as shown in the following code example. Then, append the mapping data to your configmap data. For more information about attributes, see LDAP attributes.
"pmsad": {
"user": {
"id": "dn",
"userName": "sAMAccountName",
"principalName": "sAMAccountName",
"displayName": "displayName",
"givenName": "givenName",
"familyName": "sn",
"fullName": "cn",
"externalId": "dn",
"emails": "mail",
"created": "whenCreated",
"lastModified": "whenChanged",
"phoneNumbers": [{
"value": "mobile",
"type": "mobile"
},
{
"value": "telephoneNumber",
"type": "work"
}],
"objectClass": "person",
"groups": "memberOf"
},
"group": {
"id": "dn",
"name": "cn",
"principalName": "cn",
"displayName": "cn",
"externalId": "dn",
"created": "whenCreated",
"lastModified": "whenChanged",
"objectClass": "group",
"members": "member"
}
}
Procedure
Update your configmap by using the CLI. Run these commands:
- Edit the platform-auth-idp configmap:
oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
Go to the SCIM_LDAP_ATTRIBUTES_MAPPING attribute value and append your mapping data to the existing value. Make sure to add a comma (,) after the previous entry in the JSON. For IBM Cloud Pak foundational services version 3.11.0, set the ATTR_MAPPING_FROM_CONFIG attribute value to true. Save and quit.
- Check the updated data in your platform-auth-idp configmap:
oc -n <your-foundational-services-namespace> get configmap platform-auth-idp -o yaml | grep -A50 SCIM_LDAP_ATTRIBUTES_MAPPING
The output resembles the following code:
... { "default": { "user": { "id": "dn", "userName": "uid", "principalName": "uid", "displayName": "cn", "givenName": "cn", "familyName": "sn", "fullName": "cn", "externalId": "dn", "emails": "mail", "created": "createTimestamp", "lastModified": "modifyTimestamp", "phoneNumbers": [{ "value": "mobile", "type": "mobile" }, { "value": "telephoneNumber", "type": "work" }], "objectClass": "person", "groups": "memberOf" }, "group": { "id": "dn", "name": "cn", "principalName": "cn", "displayName": "cn", "externalId": "dn", "created": "createTimestamp", "lastModified": "modifyTimestamp", "objectClass": "groupOfUniqueNames", "members": "uniqueMember" } }, "pmsad": { "user": { "id": "dn", "userName": "sAMAccountName", "principalName": "sAMAccountName", "displayName": "displayName", "givenName": "givenName", "familyName": "sn", "fullName": "cn", "externalId": "dn", "emails": "mail", "created": "whenCreated", "lastModified": "whenChanged", "phoneNumbers": [{ "value": "mobile", "type": "mobile" }, { "value": "telephoneNumber", "type": "work" }], "objectClass": "person", "groups": "memberOf" }, "group": { "id": "dn", "name": "cn", "principalName": "cn", "displayName": "cn", "externalId": "dn", "created": "whenCreated", "lastModified": "whenChanged", "objectClass": "group", "members": "member" } } }
Note: Make sure that the complete data is valid JSON.
- Restart the platform-identity-management pods:
oc -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-identity-management
- Wait for some time. Then, check the status of the platform-identity-management pods. The status must show as 1/1 Running for all pods:
oc -n <your-foundational-services-namespace> get pods | grep platform-identity-management
Note: By default, the LDAP connection configuration considers the following mapping values for SCIM APIs.
LDAP connection attributes | SCIM object | SCIM attributes
---|---|---
LDAP_USERIDMAP | user | userName
LDAP_USERFILTER | user | objectClass
LDAP_GROUPIDMAP | group | name
LDAP_GROUPFILTER | group | objectClass
LDAP_GROUPMEMBERIDMAP | group | members
Note: If you have multiple expressions in the LDAP connection attributes configuration, the first configuration value is considered.
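The following Python script is an added example and is not part of this documentation or of IBM Cloud Pak foundational services. It performs the two checks that the API steps and the configmap procedure above both call for: it validates a mapping body before it is sent to the attributemappings POST or PUT call, and it appends a named mapping to an existing SCIM_LDAP_ATTRIBUTES_MAPPING value while keeping the whole value valid JSON and refusing a name that already exists. The attribute name sets and the sample inputs are constructed from the default mapping shown on this page.

```python
import json

# SCIM attribute names used by the page's default mapping; any other name in a
# user or group section is reported so that typos stand out.
USER_KEYS = {"id", "userName", "principalName", "displayName", "givenName", "familyName", "fullName",
             "externalId", "emails", "created", "lastModified", "phoneNumbers", "objectClass", "groups"}
GROUP_KEYS = {"id", "name", "principalName", "displayName", "externalId", "created", "lastModified",
              "objectClass", "members"}

def check_mapping(mapping):
    """Return a list of problems found in one {"user": ..., "group": ...} mapping."""
    problems = []
    for section, known in (("user", USER_KEYS), ("group", GROUP_KEYS)):
        data = mapping.get(section)
        if not isinstance(data, dict):
            problems.append(f"missing '{section}' section")
            continue
        for key, value in data.items():
            if key not in known:
                problems.append(f"{section}.{key}: not in the default mapping")
            if key == "phoneNumbers":  # list of {"value": <ldap attr>, "type": <label>}
                if not (isinstance(value, list) and
                        all(isinstance(p, dict) and {"value", "type"} <= set(p) for p in value)):
                    problems.append(f"{section}.phoneNumbers: expected a list of value/type objects")
            elif not isinstance(value, str) or not value:
                problems.append(f"{section}.{key}: LDAP attribute name must be a non-empty string")
    return problems

def check_api_body(body):
    """Check a JSON body before it is sent to the attributemappings POST or PUT call."""
    doc = json.loads(body)  # raises ValueError when the body is not valid JSON
    problems = [f"missing top-level '{k}'" for k in ("idp_id", "idp_type") if k not in doc]
    return problems + check_mapping(doc)

def append_to_configmap(current, name, mapping):
    """Append `mapping` under `name` to an existing SCIM_LDAP_ATTRIBUTES_MAPPING value."""
    doc = json.loads(current)  # the existing value must already be valid JSON
    if name in doc:
        raise ValueError(f"mapping '{name}' already exists; update it instead of adding another")
    problems = check_mapping(mapping)
    if problems:
        raise ValueError("; ".join(problems))
    doc[name] = mapping
    return json.dumps(doc, indent=2)  # serialised again, so the whole value stays valid JSON

# Constructed samples: a POST body with the idp_type key misspelled, and a trimmed configmap value.
BAD_BODY = '{"idp_id":"test","dip_type":"ldap","user":{"id_test":"dn","userName":"uid"},"group":{"id":"dn","name":"cn"}}'
CURRENT_CM = '{"default": {"user": {"id": "dn", "userName": "uid"}, "group": {"id": "dn", "name": "cn"}}}'
PMSAD = {"user": {"id": "dn", "userName": "sAMAccountName"}, "group": {"id": "dn", "name": "cn", "members": "member"}}
```

Run check_api_body on the exported DATA before the POST or PUT, and pass the current configmap value through append_to_configmap instead of hand-editing the JSON.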
LDAP attributes
For information about LDAP attributes, you can use the ldapsearch tool or any LDAP browser such as Apache Directory Studio.
Installing the ldapsearch tool
On Ubuntu, run the following command:
sudo apt-get install ldap-utils
On Red Hat® Enterprise Linux®, run the following command:
sudo yum install openldap-clients
The following examples show the ldapsearch tool command structure and an example output.
User
Command:
ldapsearch -x -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -W -s sub "(sAMAccountName=pavann)" "*" "+"
Output:
# extended LDIF
#
# LDAPv3
# base <DC=ibmtest,DC=com> with scope subtree
# filter: (sAMAccountName=pava)
# requesting: * +
#
# Tom Northwood, Users, ibmtest.com
dn: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tom Northwood
givenName: Tom Northwood
distinguishedName: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
instanceType: 4
whenCreated: 20180802104118.0Z
whenChanged: 20210305115346.0Z
displayName: Tom Northwood
uSNCreated: 13356
memberOf: CN=group9,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group8,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group7,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group6,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group5,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group4,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group3,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group2,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group1,CN=Users,DC=ibmtest,DC=com
memberOf: CN=security,CN=Users,DC=ibmtest,DC=com
uSNChanged: 145644
name: Tom Northwood
objectGUID:: pVKE4qv5MEyqxjQ3nUvsWA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132285264754362226
lastLogoff: 0
lastLogon: 132285264944206361
pwdLastSet: 131776804917936927
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAr/FodBO+7uVBDhlaXAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pavann
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ibmtest,DC=com
dSCorePropagationData: 20180802104118.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132594188266767176
# search reference
ref: ldap://ForestDnsZones.ibmtest.com/DC=ForestDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://DomainDnsZones.ibmtest.com/DC=DomainDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
Group
Command:
ldapsearch -x -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -W -s sub "(cn=security)" "*" "+"
Output:
# extended LDIF
#
# LDAPv3
# base <DC=ibmtest,DC=com> with scope subtree
# filter: (cn=security)
# requesting: * +
#
# security, Users, ibmtest.com
dn: CN=security,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: group
cn: security
member: CN=Neil Wilson,CN=Users,DC=ibmtest,DC=com
member: CN=John Winston,CN=Users,DC=ibmtest,DC=com
member: CN=Jeff Rodrigue,CN=Users,DC=ibmtest,DC=com
member: CN=Kane Shatner,CN=Users,DC=ibmtest,DC=com
member: CN=Anna Reynolds,CN=Users,DC=ibmtest,DC=com
member: CN=Gessie Lemson,CN=Users,DC=ibmtest,DC=com
member: CN=Lauri Williamson,CN=Users,DC=ibmtest,DC=com
member: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
distinguishedName: CN=security,CN=Users,DC=ibmtest,DC=com
instanceType: 4
whenCreated: 20180802103445.0Z
whenChanged: 20180802105558.0Z
uSNCreated: 13330
memberOf: CN=isl,CN=Users,DC=ibmtest,DC=com
uSNChanged: 13455
name: security
objectGUID:: UPoQ3uNfVk+fHn1W1b5KUg==
objectSid:: AQUAAAAAAAUVAAAAr/FodBO+7uVBDhlaWAQAAA==
sAMAccountName: security
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ibmtest,DC=com
dSCorePropagationData: 16010101000000.0Z
# search reference
ref: ldap://ForestDnsZones.ibmtest.com/DC=ForestDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://DomainDnsZones.ibmtest.com/DC=DomainDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
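As an added example that is not part of this documentation, the following Python code parses one entry of ldapsearch LDIF output and reports which LDAP attribute names a user mapping references that the entry does not carry, which is the check to run before choosing between the default mapping and an MSAD-style mapping such as pmsad. The objectClass mapping value is treated as an LDAP filter value rather than an attribute name, as the note earlier on this page states. The LDIF sample is constructed from the user output above, trimmed, with sn and mail lines added.

```python
import re
# Constructed sample: the page's ldapsearch user output, trimmed, plus sn and mail lines.
SAMPLE_LDIF = """\
# Tom Northwood, Users, ibmtest.com
dn: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
objectClass: person
cn: Tom Northwood
sn: Northwood
displayName: Tom Northwood
whenCreated: 20180802104118.0Z
whenChanged: 20210305115346.0Z
memberOf: CN=security,CN=Users,DC=ibmtest,DC=com
objectGUID:: pVKE4qv5MEyqxjQ3nUvsWA==
sAMAccountName: pavann
mail: tom@ibmtest.com
"""

# User sections of the two mappings on this page: the shipped default and the MSAD-style pmsad.
DEFAULT_USER = {"id": "dn", "userName": "uid", "displayName": "cn", "familyName": "sn", "emails": "mail",
                "created": "createTimestamp", "lastModified": "modifyTimestamp", "objectClass": "person",
                "phoneNumbers": [{"value": "mobile", "type": "mobile"}], "groups": "memberOf"}
PMSAD_USER = {"id": "dn", "userName": "sAMAccountName", "displayName": "displayName", "familyName": "sn",
              "emails": "mail", "created": "whenCreated", "lastModified": "whenChanged", "objectClass": "person",
              "phoneNumbers": [{"value": "mobile", "type": "mobile"}], "groups": "memberOf"}

LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")  # name, optional base64 marker, value; '#' lines never match

def parse_ldif_entry(text):
    """Return {attribute name: [values]} for one LDIF entry."""
    attrs = {}
    for line in text.splitlines():
        m = LDIF_LINE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(3))
    return attrs

def missing_ldap_attributes(mapping, entry):
    """Sorted LDAP attribute names that the mapping references but the entry does not carry.
    objectClass is skipped: its mapping value is an LDAP filter value, not an attribute name."""
    wanted = set()
    for key, value in mapping.items():
        if key == "phoneNumbers":
            wanted.update(p["value"] for p in value)
        elif key != "objectClass":
            wanted.add(value)
    return sorted(wanted - set(entry))

def object_class_present(mapping, entry):
    """True when the entry's objectClass values include the mapping's objectClass filter value."""
    return mapping.get("objectClass") in entry.get("objectClass", [])
```

Against this Active Directory entry the default mapping reports uid, createTimestamp and modifyTimestamp as absent, while the pmsad mapping only misses the optional mobile attribute.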
IBM Cloud attributes
To search IBM Cloud users in SCIM, custom attributes can be defined as shown in the following code example. By default, these attributes are not defined.
"IBMCloud": {
"user": {
"id": "userId",
"userName": "userId",
"principalName": "userId",
"displayName": "firstName",
"emails": "email",
"familyName": "lastName",
"givenName": "firstName",
"externalId": "userId"
}
}