Configuring mutual TLS authentication between IM and LDAP server

From foundational services version 4.9, you can enable mutual TLS authentication between Identity Management (IM) and the LDAP server when you configure an LDAP connection based on the backend LDAP registry configuration. You must configure TLS/SSL on the connection before you can enable mutual authentication.

To enable mutual TLS authentication for the LDAP server, add the ldap_tls_verify_client parameter to the IdP V3 API request when you create the LDAP connection. The ldap_tls_verify_client parameter accepts the values try and demand.

You can configure mutual TLS authentication by using the IdP v3 API with one of the following methods:

Configuring mutual TLS authentication with try mTLS SSL profile

Specify the ldap_tls_verify_client parameter as try to enable mutual TLS authentication with the try mTLS SSL profile when you create the LDAP connection. Use the try mTLS SSL profile for the LDAP connection when the LDAP server does not require the IM client certificate to be imported. If you enable the try mTLS SSL profile, IM does not pass the client certificate for LDAP mutual TLS/SSL authentication.

The following curl command is an example that creates an LDAP connection with the try mTLS SSL profile:

$ export ACCESS_TOKEN="${BEARER_TOKEN}"
$ export CP_CONSOLE_URL="${CP_CONSOLE_URL_ROUTE}"
$ curl -k -X POST \
   -H "Authorization: Bearer ${ACCESS_TOKEN}" \
   -H "content-type: application/json" \
   "https://${CP_CONSOLE_URL}/idprovider/v3/auth/idsource" \
   -d '{
      "name": "openLDAP",
      "description": "description 1",
      "protocol": "ldap",
      "type": "Custom",
      "idp_config": {
        "ldap_url": "ldap://9.30.253.13:389",
        "ldap_basedn": "dc=ibm,dc=com",
        "ldap_bindpassword": "<base64 encoded password>",
        "ldap_binddn": "cn=admin,dc=ibm,dc=com",
        "ldap_userfilter": "(&(uid=%v)(objectclass=person))",
        "ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
        "ldap_useridmap": "*:uid",
        "ldap_groupidmap": "*:cn",
        "ldap_groupmemberidmap": "groupOfUniqueNames:uniquemember",
        "ldap_tls_verify_client": "try"
      }
   }'

Ensure that you specify the base64-encoded password in the ldap_bindpassword parameter.

Configuring mutual TLS authentication with demand mTLS SSL profile

Specify the ldap_tls_verify_client parameter as demand to enable mutual TLS authentication with the demand mTLS SSL profile when you create the LDAP connection. If you set ldap_tls_verify_client to demand, the LDAP server requests the CA certificate from IM, and a valid certificate must be provided for TLS authentication. If the certificate is invalid, the session stops immediately.

You can configure demand mTLS SSL with one of the following methods:

Configuring demand mTLS SSL with default IM certificates

To enable mutual TLS authentication with the demand mTLS SSL profile, you must obtain the certificate authority (CA) certificate of IM and import it into the truststore of the LDAP server.

Complete the following steps to enable mutual TLS authentication with demand mTLS SSL profile:

  1. Get the CA certificate of IM with the following command:

    oc get secret identity-provider-secret -o jsonpath='{.data.ca\.crt}' | base64 --decode
    
  2. Import the IM CA certificate in PEM format into the truststore of the LDAP server. Contact your LDAP team to upload the CA certificate to the truststore of your LDAP server.

  3. Set the ldap_tls_verify_client parameter to demand when you create the LDAP connection.

    The following curl command is an example that creates an LDAP connection with the demand mTLS SSL profile:

    $ export ACCESS_TOKEN="${BEARER_TOKEN}"
    $ export CP_CONSOLE_URL="${CP_CONSOLE_URL_ROUTE}"
    $ curl -k -X POST \
        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
        -H "content-type: application/json" \
        "https://${CP_CONSOLE_URL}/idprovider/v3/auth/idsource" \
        -d '{
            "name": "openLDAP",
            "description": "description 1",
            "protocol": "ldap",
            "type": "Custom",
            "idp_config": {
                "ldap_url": "ldap://9.30.253.13:389",
                "ldap_basedn": "dc=ibm,dc=com",
                "ldap_bindpassword": "<base64 encoded password>",
                "ldap_binddn": "cn=admin,dc=ibm,dc=com",
                "ldap_userfilter": "(&(uid=%v)(objectclass=person))",
                "ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
                "ldap_useridmap": "*:uid",
                "ldap_groupidmap": "*:cn",
                "ldap_groupmemberidmap": "groupOfUniqueNames:uniquemember",
                "ldap_tls_verify_client": "demand"
            }
        }'


Configuring demand mTLS SSL with custom certificates

To configure mutual TLS authentication with custom certificates, you can provide the CA bundle (CA key and certificate pair) of the LDAP server when you create the LDAP connection. Specify the CA key and certificate of the LDAP server as base64-encoded PEM values in the ldap_tls_client_key and ldap_tls_client_cert parameters.

The following curl command is an example that creates an LDAP connection with the demand mTLS SSL profile and custom certificates:

$ export ACCESS_TOKEN="${BEARER_TOKEN}"
$ export CP_CONSOLE_URL="${CP_CONSOLE_URL_ROUTE}"
$ curl -k -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H "content-type: application/json" \
    "https://${CP_CONSOLE_URL}/idprovider/v3/auth/idsource" \
    -d '{
        "name": "openLDAP",
        "description": "description 1",
        "protocol": "ldap",
        "type": "Custom",
        "idp_config": {
            "ldap_url": "ldap://9.30.253.13:389",
            "ldap_basedn": "dc=ibm,dc=com",
            "ldap_bindpassword": "<base64 encoded password>",
            "ldap_binddn": "cn=admin,dc=ibm,dc=com",
            "ldap_userfilter": "(&(uid=%v)(objectclass=person))",
            "ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
            "ldap_useridmap": "*:uid",
            "ldap_groupidmap": "*:cn",
            "ldap_groupmemberidmap": "groupOfUniqueNames:uniquemember",
            "ldap_tls_verify_client": "demand",
            "ldap_tls_client_key": "<base64-encoded-value-of-ldap-server-ca-pem-key>",
            "ldap_tls_client_cert": "<base64-encoded-value-of-ldap-server-ca-pem-cert>"
        }
    }'
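As an added example (not part of this documentation or of the IdP v3 API), the following POSIX shell script assembles the request body used by the curl commands above for either profile: it base64-encodes the bind password and, for custom certificates, the key and certificate PEM files, and it rejects an unsupported ldap_tls_verify_client value or an incomplete key/cert pair before anything is sent. Host names, file paths and the PEM contents used in testing are hypothetical.

```shell
#!/bin/sh
# Added example, not from the product documentation: build the request body
# for POST /idprovider/v3/auth/idsource with every secret field base64-encoded
# as the API expects, and refuse an ldap_tls_verify_client value other than
# "try"/"demand" or a half-specified key/cert pair. Pipe the output to curl -d @-.
# base64 on one line (works with both GNU and BSD base64).
b64_oneline() { base64 < "$1" | tr -d '\n'; }
# Escape backslash and double quote so a value is safe inside a JSON string.
json_str() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }
# build_idsource_body NAME LDAP_URL BASEDN BINDDN BIND_PASSWORD MODE [KEY_PEM CERT_PEM]
# Prints the JSON body on stdout; returns 1 on an invalid combination.
build_idsource_body() {
  name=$1 ldap_url=$2 basedn=$3 binddn=$4 password=$5 mode=$6 key=$7 cert=$8
  case "$mode" in
    try|demand) ;;
    *) echo "ldap_tls_verify_client must be try or demand, got '$mode'" >&2; return 1 ;;
  esac
  tls_fields=""
  if [ -n "$key" ] || [ -n "$cert" ]; then
    # Custom certificates: both halves of the pair are required, demand profile only.
    if [ -z "$key" ] || [ -z "$cert" ] || [ "$mode" != demand ]; then
      echo "custom certificates need demand mode plus both key and cert" >&2; return 1
    fi
    tls_fields=$(printf ',\n    "ldap_tls_client_key": "%s",\n    "ldap_tls_client_cert": "%s"' \
      "$(b64_oneline "$key")" "$(b64_oneline "$cert")")
  fi
  b64pw=$(printf '%s' "$password" | base64 | tr -d '\n')
  cat <<EOF
{
  "name": "$(json_str "$name")",
  "description": "LDAP connection with $mode mTLS profile",
  "protocol": "ldap",
  "type": "Custom",
  "idp_config": {
    "ldap_url": "$(json_str "$ldap_url")",
    "ldap_basedn": "$(json_str "$basedn")",
    "ldap_bindpassword": "$b64pw",
    "ldap_binddn": "$(json_str "$binddn")",
    "ldap_userfilter": "(&(uid=%v)(objectclass=person))",
    "ldap_groupfilter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
    "ldap_useridmap": "*:uid",
    "ldap_groupidmap": "*:cn",
    "ldap_groupmemberidmap": "groupOfUniqueNames:uniquemember",
    "ldap_tls_verify_client": "$mode"$tls_fields
  }
}
EOF
}
```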