Custom search base support for LDAP group and user entity in SCIM group and user APIs

You can use a custom search base for LDAP group and user entities in the SCIM group and user APIs. For now, the custom search base is supported only through the APIs, not from the product UI.

The structure of the LDAP server is organized as a tree hierarchy. The leaves of the tree represent an individual user account or a group with a common name (cn) and other attributes. The classification of the LDAP tree is as follows:

[Figure: The structure of the LDAP server]

A custom search base is useful when you have multiple organizations in your LDAP server. By using custom search bases, you can isolate each organization in its own subtree (namespace) and search for LDAP groups and users only under that organization's subtree, so that entries outside the listed subtrees are never returned to the SCIM APIs.

See the following notes:

Enabling a custom search base

The LDAP_GROUP_SEARCHBASE_LIST and LDAP_USER_SEARCHBASE_LIST parameters define the lists of custom search bases for LDAP groups and LDAP users. Both parameters are optional, and the value of each must be a JSON list of distinguished names (DNs). Only the listed subtrees are searched, so the lists also bound which users and groups the SCIM APIs can resolve; keep them to the subtrees that actually need to be visible. To enable a custom search base, add one or both parameters with the list of search bases, as in the following examples:

"LDAP_GROUP_SEARCHBASE_LIST":["OU=searchbase1,DC=ibmtest,DC=com","OU=searchbase2,DC=ibmtest,DC=com","OU=searchbase3,DC=ibmtest,DC=com"]
"LDAP_USER_SEARCHBASE_LIST":["OU=searchbase1,DC=ibmtest,DC=com","OU=searchbase2,DC=ibmtest,DC=com","OU=searchbase3,DC=ibmtest,DC=com"]


The following API shows how to enable a custom search base:

API version: 1.0.0
API URI components:
  Scheme: HTTPS
  Host IP: Cluster Host
  Port number: Cluster Port
  Path: /idprovider/v3/auth/idsource/
Command: POST
Command output format: application/json

To use the API, you need the host details and the base64-encoded password for the "LDAP_BINDPASSWORD" parameter. Base64 is an encoding, not encryption: the bind password is recoverable from the request body, so send it only over verified HTTPS and keep the saved request out of logs and shell history. For more information, see Registering an LDAP connection by using IdP V3 API.

The following curl command is an example of adding a custom search base for an LDAP group entity while you create an LDAP connection. The -k option disables TLS certificate verification of the cluster endpoint; use it only against a test cluster and otherwise pass the cluster CA certificate with --cacert. Likewise, an ldap:// URL on port 389 sends the bind password to the directory in clear text; prefer ldaps:// for production directories.

curl -k -X POST 'https://<cluster_address>/idprovider/v3/auth/idsource/' \
--header "Authorization: bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
-d '{
 "LDAP_ID": "msad",
 "LDAP_URL": "ldap://corp.abc.com:389",
 "LDAP_BASEDN": "DC=ibmtest,DC=com",
 "LDAP_BINDDN": "CN=Administrator,cn=Users,DC=ibmtest,DC=com",
 "LDAP_BINDPASSWORD": "password in base64 encoded",
 "LDAP_TYPE": "Microsoft Active Directory",
 "LDAP_USERFILTER": "(&(sAMAccountName=%v)(objectclass=person))",
 "LDAP_GROUPFILTER": "(&(cn=%v)(objectcategory=group))",
 "LDAP_USERIDMAP": "user:sAMAccountName",
 "LDAP_GROUPIDMAP": "*:cn",
 "LDAP_GROUPMEMBERIDMAP": "memberOf:member",
 "LDAP_GROUP_SEARCHBASE_LIST": ["OU=searchbase1,DC=ibmtest,DC=com","OU=searchbase2,DC=ibmtest,DC=com","OU=searchbase3,DC=ibmtest,DC=com"]
}'

The following curl command is an example of adding a custom search base for an LDAP user entity while you create an LDAP connection. The same caveats apply: -k skips TLS verification of the cluster endpoint and ldap:// sends the bind password in clear text, so use --cacert and ldaps:// outside a test environment.

curl -k -X POST 'https://<cluster_address>/idprovider/v3/auth/idsource/' \
--header "Authorization: bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
-d '{
 "LDAP_ID": "msad",
 "LDAP_URL": "ldap://corp.abc.com:389",
 "LDAP_BASEDN": "DC=ibmtest,DC=com",
 "LDAP_BINDDN": "CN=Administrator,cn=Users,DC=ibmtest,DC=com",
 "LDAP_BINDPASSWORD": "password in base64 encoded",
 "LDAP_TYPE": "Microsoft Active Directory",
 "LDAP_USERFILTER": "(&(sAMAccountName=%v)(objectclass=person))",
 "LDAP_GROUPFILTER": "(&(cn=%v)(objectcategory=group))",
 "LDAP_USERIDMAP": "user:sAMAccountName",
 "LDAP_GROUPIDMAP": "*:cn",
 "LDAP_GROUPMEMBERIDMAP": "memberOf:member",
 "LDAP_USER_SEARCHBASE_LIST": ["OU=searchbase1,DC=ibmtest,DC=com","OU=searchbase2,DC=ibmtest,DC=com","OU=searchbase3,DC=ibmtest,DC=com"]
}'

You can also enable a custom search base for LDAP groups or LDAP users while you update an existing LDAP connection. For more information, see Updating an LDAP connection by using IdP V3 API.
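The following Python script is an added example, not code from the page or from the product. It assembles the same request body as the curl commands above, base64-encodes the bind password, and posts it to /idprovider/v3/auth/idsource/ with the cluster CA certificate verified instead of curl -k. Before sending, it checks each entry of LDAP_GROUP_SEARCHBASE_LIST and LDAP_USER_SEARCHBASE_LIST for DN syntax and de-duplicates the lists. The check that every search base lies under LDAP_BASEDN is this script's own convention (catching a misspelled domain component before the call), not a requirement stated on the page; the require_ldaps switch is likewise the script's own. The sample values, the file name cluster-ca.crt and the hostnames are constructed placeholders.

```python
from __future__ import annotations

import base64
import json
import re
import ssl
import urllib.request

# One RDN: attribute type, "=", non-empty value (commas inside a value must be backslash-escaped).
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$")


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings on commas that are not backslash-escaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep escape pairs such as "\," intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def is_valid_dn(dn: str) -> bool:
    """True when every RDN of the DN has the shape attr=value."""
    return all(_RDN_RE.match(rdn) for rdn in split_dn(dn))


def is_under(dn: str, basedn: str) -> bool:
    """True when basedn is an ancestor of (or equal to) dn. Whole RDNs are compared
    case-insensitively, which is a simplification of LDAP's attribute-specific matching rules."""
    dn_rdns = [r.lower() for r in split_dn(dn)]
    base_rdns = [r.lower() for r in split_dn(basedn)]
    return len(dn_rdns) >= len(base_rdns) and dn_rdns[-len(base_rdns):] == base_rdns


def check_search_bases(label: str, bases: list[str], basedn: str) -> list[str]:
    """Return the problems found in one search-base list (empty when the list is clean)."""
    problems = []
    for dn in bases:
        if not is_valid_dn(dn):
            problems.append(f"{label}: {dn!r} is not a syntactically valid DN")
        elif not is_under(dn, basedn):   # local convention (assumption), see lead-in
            problems.append(f"{label}: {dn!r} is not under LDAP_BASEDN {basedn!r}")
    return problems


def build_idsource_payload(*, ldap_id: str, ldap_url: str, basedn: str, binddn: str,
                           bind_password: str, group_searchbases: list[str] | None = None,
                           user_searchbases: list[str] | None = None,
                           require_ldaps: bool = True) -> dict:
    """Assemble the IdP V3 request body, raising ValueError rather than sending a bad body."""
    group_searchbases = list(group_searchbases or [])
    user_searchbases = list(user_searchbases or [])
    if require_ldaps and not ldap_url.lower().startswith("ldaps://"):
        raise ValueError("plain ldap:// sends the bind password in clear text; use ldaps:// "
                         "or pass require_ldaps=False for a test directory")
    problems = (check_search_bases("LDAP_GROUP_SEARCHBASE_LIST", group_searchbases, basedn)
                + check_search_bases("LDAP_USER_SEARCHBASE_LIST", user_searchbases, basedn))
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "LDAP_ID": ldap_id,
        "LDAP_URL": ldap_url,
        "LDAP_BASEDN": basedn,
        "LDAP_BINDDN": binddn,
        # base64 is an encoding, not encryption: the body still has to travel over verified TLS.
        "LDAP_BINDPASSWORD": base64.b64encode(bind_password.encode("utf-8")).decode("ascii"),
        "LDAP_TYPE": "Microsoft Active Directory",
        "LDAP_USERFILTER": "(&(sAMAccountName=%v)(objectclass=person))",
        "LDAP_GROUPFILTER": "(&(cn=%v)(objectcategory=group))",
        "LDAP_USERIDMAP": "user:sAMAccountName",
        "LDAP_GROUPIDMAP": "*:cn",
        "LDAP_GROUPMEMBERIDMAP": "memberOf:member",
    }
    # Both list parameters are optional: add each only when it has entries, de-duplicated in order.
    if group_searchbases:
        payload["LDAP_GROUP_SEARCHBASE_LIST"] = list(dict.fromkeys(group_searchbases))
    if user_searchbases:
        payload["LDAP_USER_SEARCHBASE_LIST"] = list(dict.fromkeys(user_searchbases))
    return payload


def register_idsource(cluster_address: str, access_token: str, payload: dict, cafile: str) -> dict:
    """POST the body to the IdP V3 endpoint with the cluster CA pinned (the opposite of curl -k)."""
    context = ssl.create_default_context(cafile=cafile)
    request = urllib.request.Request(
        f"https://{cluster_address}/idprovider/v3/auth/idsource/",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return json.load(response)


if __name__ == "__main__":
    # Constructed sample values mirroring the page's example; not a real directory or cluster.
    body = build_idsource_payload(
        ldap_id="msad", ldap_url="ldaps://corp.abc.com:636", basedn="DC=ibmtest,DC=com",
        binddn="CN=Administrator,cn=Users,DC=ibmtest,DC=com", bind_password="s3cret",
        group_searchbases=["OU=searchbase1,DC=ibmtest,DC=com", "OU=searchbase2,DC=ibmtest,DC=com"],
        user_searchbases=["OU=searchbase1,DC=ibmtest,DC=com"],
    )
    print(json.dumps(body, indent=1))
    # register_idsource("<cluster_address>", "<access_token>", body, cafile="cluster-ca.crt")
```

Run it with a real cluster address, access token and CA file to register the connection; a ValueError from build_idsource_payload means the search-base lists or the LDAP URL need fixing before anything reaches the API.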