Custom search base support for LDAP group and user entity in SCIM group and user APIs
You can use a custom search base for LDAP group and user entities in the SCIM group and user APIs. Currently, the custom search base is supported only through the APIs, not from the product UI.
An LDAP directory is organized as a tree. The leaves of the tree are individual entries, such as a user account or a group, each identified by a common name (cn) and other attributes. The tree is structured as follows:
- The root of the tree is the base DN, the distinguished name from which searches start. It is built from components such as country (c), domain component (dc), and organization (o). For example, dc=abc,dc=com.
- A subtree below the base DN is typically an organizational unit (ou). You can use an ou as the search base to confine a group or user search to that subtree.
A custom search base is useful when your LDAP server holds multiple organizations. By using custom search bases, you can isolate each organization in its own subtree and search for LDAP groups and users only under that organization.
See the following notes:
- The custom search base specifies the subtree of the LDAP server that search calls for an entity type are made against. The search base overrides the base DN in search operations. For example, if the base DN is o=ibm,c=us and the search base is ou=iUsers,o=ibm,c=us, then all search calls are made under the ou=iUsers,o=ibm,c=us subtree. Multiple search bases can be configured for the same entity type.
- For the LDAP user entity in the SCIM user APIs, search bases are configured per LDAP connection. Those search bases are used instead of the base DN for user searches.
Enabling a custom search base
The LDAP_GROUP_SEARCHBASE_LIST and LDAP_USER_SEARCHBASE_LIST parameters define the list of custom search bases for LDAP groups and users. Both parameters are optional, and each takes a list of distinguished names. To enable a custom search base, add the parameter with the list of search bases. See the following examples:
"LDAP_GROUP_SEARCHBASE_LIST":["OU=searchbase1,DC=ibmtest,DC=com","OU=searchbase2,DC=ibmtest,DC=com","OU=searchbase3,DC=ibmtest,DC=com"]
"LDAP_USER_SEARCHBASE_LIST":["OU=searchbase1,DC=ibmtest,DC=com","OU=searchbase2,DC=ibmtest,DC=com","OU=searchbase3,DC=ibmtest,DC=com"]
The following API shows how to enable a custom search base:
- API version: 1.0.0
- API URI components
  - Scheme: HTTPS
  - Host IP: Cluster Host
  - Port number: Cluster Port
  - Path: /idprovider/v3/auth/idsource/
- Command: POST
- Command output format: application/json
To use the API, you need the cluster host details, an access token, and the base64-encoded password for the "LDAP_BINDPASSWORD" parameter. Base64 is an encoding, not encryption, so treat the request body as a secret. For more information, see Registering an LDAP connection by using IdP V3 API.
The following curl command is an example of adding a custom search base for an LDAP group entity while you create an LDAP connection:
curl -k -X POST 'https://<cluster_address>/idprovider/v3/auth/idsource/' \
--header "Authorization: bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
-d '{
"LDAP_ID": "msad",
"LDAP_URL": "ldap://corp.abc.com:389",
"LDAP_BASEDN": "DC=ibmtest,DC=com",
"LDAP_BINDDN": "CN=Administrator,cn=Users,DC=ibmtest,DC=com",
"LDAP_BINDPASSWORD": "password in base64 encoded",
"LDAP_TYPE": "Microsoft Active Directory",
"LDAP_USERFILTER": "(&(sAMAccountName=%v)(objectclass=person))",
"LDAP_GROUPFILTER": "(&(cn=%v)(objectcategory=group))",
"LDAP_USERIDMAP": "user:sAMAccountName",
"LDAP_GROUPIDMAP": "*:cn",
"LDAP_GROUPMEMBERIDMAP": "memberOf:member",
"LDAP_GROUP_SEARCHBASE_LIST": ["OU=searchbase1,DC=ibmtest,DC=com","OU=searchbase2,DC=ibmtest,DC=com","OU=searchbase3,DC=ibmtest,DC=com"]
}'
The -k option disables TLS certificate verification for the call to the cluster; omit it when the cluster certificate is trusted by your CA bundle. The example binds as Administrator for brevity; in production, use a dedicated read-only service account as the LDAP_BINDDN.
The following curl command is an example of adding a custom search base for an LDAP user entity while you create an LDAP connection:
curl -k -X POST 'https://<cluster_address>/idprovider/v3/auth/idsource/' \
--header "Authorization: bearer $ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
-d '{
"LDAP_ID": "msad",
"LDAP_URL": "ldap://corp.abc.com:389",
"LDAP_BASEDN": "DC=ibmtest,DC=com",
"LDAP_BINDDN": "CN=Administrator,cn=Users,DC=ibmtest,DC=com",
"LDAP_BINDPASSWORD": "password in base64 encoded",
"LDAP_TYPE": "Microsoft Active Directory",
"LDAP_USERFILTER": "(&(sAMAccountName=%v)(objectclass=person))",
"LDAP_GROUPFILTER": "(&(cn=%v)(objectcategory=group))",
"LDAP_USERIDMAP": "user:sAMAccountName",
"LDAP_GROUPIDMAP": "*:cn",
"LDAP_GROUPMEMBERIDMAP": "memberOf:member",
"LDAP_USER_SEARCHBASE_LIST": ["OU=searchbase1,DC=ibmtest,DC=com","OU=searchbase2,DC=ibmtest,DC=com","OU=searchbase3,DC=ibmtest,DC=com"]
}'
You can also enable the custom search base for LDAP group or LDAP user while you update the existing LDAP directory. For more information, see Updating an LDAP connection by using IdP V3 API.
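As an added worked example (not IBM's code and not the IdP V3 service's own validation), the following Python script pulls together the two things this page describes: the scoping effect of a custom search base, shown by confining a search to one or more subtrees of a small constructed directory, and the assembly of the POST body for /idprovider/v3/auth/idsource/ with LDAP_USER_SEARCHBASE_LIST and LDAP_GROUP_SEARCHBASE_LIST plus a base64-encoded bind password. Before the body is built, it checks that every configured search base lies within LDAP_BASEDN, since the page describes search bases as subtrees that override the base DN. The DN matching rules (attribute types and values compared case-insensitively, whitespace trimmed), the assumption that several search bases for one entity type are searched in turn, the directory entries, and the register() helper that sends the request with TLS verification kept on (a CA file instead of curl's -k) are all assumptions made for this example.

```python
"""Custom LDAP search bases for the IdP V3 idsource API: scoping, pre-flight
checks and payload assembly. Added example; not IBM's code. The DN matching
rules are a simplification (case-insensitive types and values, trimmed
whitespace) and the directory entries are constructed for illustration."""
import base64
import json
import re
import ssl
import urllib.request


def parse_dn(dn):
    """Split a DN into [(type, value), ...], most specific RDN first.
    Commas escaped with a backslash stay inside the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True when dn equals base or sits in the subtree below it."""
    dn_parts, base_parts = parse_dn(dn), parse_dn(base)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


# Constructed directory: two user OUs and one group OU under a single base DN.
DIRECTORY = [
    "cn=alice,ou=iUsers,o=ibm,c=us",
    "cn=bob,ou=iUsers,o=ibm,c=us",
    "cn=carol,ou=contractors,o=ibm,c=us",
    "cn=admins,ou=iGroups,o=ibm,c=us",
]


def scoped_search(directory, search_bases):
    """Entries a search sees when confined to the listed search bases
    (several bases for one entity type are assumed to be searched in turn).
    Passing the base DN alone sees the whole tree."""
    return [dn for dn in directory if any(is_under(dn, sb) for sb in search_bases)]


def outside_base_dn(search_bases, base_dn):
    """Search bases that are not subtrees of base_dn. A local pre-flight
    check; the service's own validation is not documented on this page."""
    return [sb for sb in search_bases if not is_under(sb, base_dn)]


def build_payload(bind_password, user_search_bases=(), group_search_bases=(), **fields):
    """Assemble the JSON body for POST /idprovider/v3/auth/idsource/.
    fields carries LDAP_ID, LDAP_URL, LDAP_BASEDN, LDAP_BINDDN and so on;
    the bind password is base64-encoded here (encoding, not encryption)."""
    bad = outside_base_dn([*user_search_bases, *group_search_bases], fields["LDAP_BASEDN"])
    if bad:
        raise ValueError(f"search bases outside LDAP_BASEDN: {bad}")
    payload = dict(fields)
    payload["LDAP_BINDPASSWORD"] = base64.b64encode(bind_password.encode()).decode()
    if user_search_bases:
        payload["LDAP_USER_SEARCHBASE_LIST"] = list(user_search_bases)
    if group_search_bases:
        payload["LDAP_GROUP_SEARCHBASE_LIST"] = list(group_search_bases)
    return payload


def register(cluster_address, access_token, payload, cafile=None):
    """Send the payload. TLS verification stays on; point cafile at the
    cluster's CA instead of disabling verification as curl -k does."""
    req = urllib.request.Request(
        f"https://{cluster_address}/idprovider/v3/auth/idsource/",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Base DN sees every entry; the iUsers search base sees only alice and bob.
    print(scoped_search(DIRECTORY, ["o=ibm,c=us"]))
    print(scoped_search(DIRECTORY, ["ou=iUsers,o=ibm,c=us"]))
    payload = build_payload(
        "change-me",  # placeholder, not a real credential
        user_search_bases=["OU=searchbase1,DC=ibmtest,DC=com", "OU=searchbase2,DC=ibmtest,DC=com"],
        group_search_bases=["OU=searchbase1,DC=ibmtest,DC=com"],
        LDAP_ID="msad", LDAP_URL="ldap://corp.abc.com:389",
        LDAP_BASEDN="DC=ibmtest,DC=com",
        LDAP_BINDDN="CN=svc-ldap-reader,CN=Users,DC=ibmtest,DC=com",  # hypothetical read-only account
        LDAP_TYPE="Microsoft Active Directory",
        LDAP_USERFILTER="(&(sAMAccountName=%v)(objectclass=person))",
        LDAP_GROUPFILTER="(&(cn=%v)(objectcategory=group))",
        LDAP_USERIDMAP="user:sAMAccountName", LDAP_GROUPIDMAP="*:cn",
        LDAP_GROUPMEMBERIDMAP="memberOf:member",
    )
    print(json.dumps(payload, indent=2))
    # register("<cluster_address>", "<access_token>", payload, cafile="cluster-ca.pem")
```

The pre-flight check catches the mistake that is easiest to make in the curl examples above: a search base typed against the wrong base DN, which would silently scope searches to an empty subtree. The same helper also shows why several search bases can matter for one entity type: with only ou=iUsers configured, carol under ou=contractors is invisible to user searches until her subtree is added to the list.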