Changing LDAP search settings

Changing the Lightweight Directory Access Protocol (LDAP) search settings in your product.

By default, your product searches for users and groups on both the common name (CN) and identifier (ID) attributes as configured in the LDAP connection settings. Examples of ID attributes are uid, sAMAccountName, and emailAddress.

This behavior can be changed by setting the following configuration parameters:

The following two attributes are used for the search:

To use only the CN attribute for searching users or groups, set LDAP_SEARCH_CN_ATTR_ONLY value to true. To use only the ID attribute for searching users or groups, set LDAP_SEARCH_ID_ATTR_ONLY value to true.

Following are the steps to change the values of the LDAP search config parameters:

Changing the attribute values by using kubectl

To change the values, complete the following steps:

  1. Install the kubectl CLI.

  2. Edit the platform-auth-idp ConfigMap.

    kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    

    Set the following attribute values as required to true or false.

    • LDAP_SEARCH_CN_ATTR_ONLY
    • LDAP_SEARCH_ID_ATTR_ONLY

    Note: Set only one value to true.

  3. Save and close the ConfigMap.

  4. Restart the platform-auth-service pods

    kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service
    
  5. Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods.

    kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
    

Changing the attribute values by using the console

  1. Log in to the OpenShift Container Platform console as a user with cluster administrator access.
  2. From the navigation menu, click Workloads > Config Maps.
  3. Search for platform-auth-idp.
  4. Click ... > Edit Config Map.
  5. Change either of the following attribute values to true, as required:

    • LDAP_SEARCH_CN_ATTR_ONLY
    • LDAP_SEARCH_ID_ATTR_ONLY

    Note: Set only one value to true.

  6. Click Save.
  7. From the navigation menu, click Workloads > Deployments.
  8. Locate platform-auth-service.
  9. Click ... > Edit Deployment. A window for editing displays.
  10. Click Save without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
  11. Click platform-auth-service.
  12. Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.

Changing the LDAP search size limit and time limit values

Following are the LDAP search limit configuration parameters:

Changing the values by using kubectl

To change the values, complete the following steps:

  1. Set up the kubectl CLI. For more information, see Install tools Opens in a new tab.

  2. Edit the platform-auth-idp ConfigMap.

    kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    

    Change the following values as required:

    • LDAP_SEARCH_SIZE_LIMIT
    • LDAP_SEARCH_TIME_LIMIT
  3. Save and close the ConfigMap.

  4. Restart the platform-auth-service pods

    kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service
    
  5. Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods.

    kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
    

Changing the values by using the console

  1. Log in to the console as a user with cluster administrator access.
  2. From the navigation menu, click Workloads > Config Maps.
  3. Search for platform-auth-idp.
  4. Click ... > Edit Config Map.
  5. Change the following attribute values, as required:
    • LDAP_SEARCH_SIZE_LIMIT
    • LDAP_SEARCH_TIME_LIMIT
  6. Click Submit.
  7. From the navigation menu, click Workloads > Deployments.
  8. Locate platform-auth-service.
  9. Click ... > Edit Deployment. A window for editing displays.
  10. Click Submit without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
  11. Click platform-auth-service.
  12. Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.

Change LDAP search wild characters usage

Following is the LDAP search wild characters configuration parameter:

In your product, wild characters such as asterisk are used in the search string to match the substring value of the LDAP server attribute.

Set LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS value to true to exclude wild characters (*) in the search string and to match the exact value of the LDAP server attribute.

Following is the default search string:

(|(&(cn=*<searchstring>*)(objectclass=person))(&(uid=*<searchstring>*)(objectclass=person)))

Following is the search string when the LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS is set to true:

(|(&(cn=<searchstring>)(objectclass=person))(&(uid=<searchstring>)(objectclass=person)))

To change the wild characters usage in the search string, complete the following steps:

Changing the wild characters configuration parameter by using kubectl

To change the values, complete the following steps:

  1. Install the Kubernetes CLI (kubectl) tool.

  2. Edit the platform-auth-idp ConfigMap.

    kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    

    Change the following value as required:

    • LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS
  3. Save and close the ConfigMap.

  4. Restart the platform-auth-service pods

    kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service
    
  5. Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods.

    kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
    

Changing the wild characters configuration parameter by using the console

  1. Log in to the OpenShift Container Platform console as a user with cluster administrator access.
  2. From the navigation menu, click Configuration > Config Maps.
  3. Search for platform-auth-idp.
  4. Click ... > Edit Config Map.
  5. Change the following value, as required:
    • LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS
  6. Click Save.
  7. From the navigation menu, click Workloads > Deployments.
  8. Locate platform-auth-service.
  9. Click ... > Edit. A window for editing displays.
  10. Click Save without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
  11. Click platform-auth-service.
  12. Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.