Changing LDAP search settings
Changing the Lightweight Directory Access Protocol (LDAP) search settings in your product.
Configure attribute consideration for LDAP search
By default, your product searches for users and groups on both the common name (CN) attribute and the identifier (ID) attribute that are configured in the LDAP connection settings. Examples of ID attributes are uid, sAMAccountName, and emailAddress.
You can restrict the search to one of the two attributes with the following configuration parameters:
- LDAP_SEARCH_CN_ATTR_ONLY: Search by CN only. Default value is false.
- LDAP_SEARCH_ID_ATTR_ONLY: Search by ID only. Default value is false.
To use only the CN attribute for searching users or groups, set LDAP_SEARCH_CN_ATTR_ONLY to true. To use only the ID attribute for searching users or groups, set LDAP_SEARCH_ID_ATTR_ONLY to true. Set only one of the two parameters to true.
The LDAP search configuration parameters are stored in the platform-auth-idp ConfigMap. You can change them by using kubectl or by using the console.
Changing the attribute values by using kubectl
To change the values, complete the following steps:
- Install the kubectl CLI.
- Edit the platform-auth-idp ConfigMap:
    kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
  Set the following attribute values to true or false, as required:
    LDAP_SEARCH_CN_ATTR_ONLY
    LDAP_SEARCH_ID_ATTR_ONLY
  Note: Set only one value to true.
- Save and close the ConfigMap.
- Restart the platform-auth-service pods so that they pick up the new ConfigMap values:
    kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service
- Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods:
    kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
Changing the attribute values by using the console
- Log in to the OpenShift Container Platform console as a user with cluster administrator access.
- From the navigation menu, click Workloads > Config Maps.
- Search for platform-auth-idp.
- Click ... > Edit Config Map.
- Change either of the following attribute values to true, as required:
    LDAP_SEARCH_CN_ATTR_ONLY
    LDAP_SEARCH_ID_ATTR_ONLY
  Note: Set only one value to true.
- Click Save.
- From the navigation menu, click Workloads > Deployments.
- Locate platform-auth-service.
- Click ... > Edit Deployment. A window for editing displays.
- Click Save without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
- Click platform-auth-service.
- Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.
Changing the LDAP search size limit and time limit values
Following are the LDAP search limit configuration parameters:
- LDAP_SEARCH_SIZE_LIMIT: Maximum number of entries that a search returns. Default value is "50". Range of values is 50 - 100.
- LDAP_SEARCH_TIME_LIMIT: Time limit applied to the LDAP search (the LDAP protocol expresses its search time limit in seconds). Default value is "5". Range of values is 5 - 50.
Values outside these ranges are not supported; keep the limits as low as your user and group population allows, because they bound how much of the directory a single search can pull back.
Changing the values by using kubectl
To change the values, complete the following steps:
- Set up the kubectl CLI. For more information, see Install tools.
- Edit the platform-auth-idp ConfigMap:
    kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
  Change the following values as required:
    LDAP_SEARCH_SIZE_LIMIT
    LDAP_SEARCH_TIME_LIMIT
- Save and close the ConfigMap.
- Restart the platform-auth-service pods so that they pick up the new ConfigMap values:
    kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service
- Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods:
    kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
Changing the values by using the console
- Log in to the console as a user with cluster administrator access.
- From the navigation menu, click Workloads > Config Maps.
- Search for platform-auth-idp.
- Click ... > Edit Config Map.
- Change the following attribute values, as required:
    LDAP_SEARCH_SIZE_LIMIT
    LDAP_SEARCH_TIME_LIMIT
- Click Submit.
- From the navigation menu, click Workloads > Deployments.
- Locate platform-auth-service.
- Click ... > Edit Deployment. A window for editing displays.
- Click Submit without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
- Click platform-auth-service.
- Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.
Changing LDAP search wildcard character usage
Following is the LDAP search wildcard character configuration parameter:
- LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS: Default value is "false".
By default, your product wraps the search string in wildcard characters (asterisks) so that it matches a substring of the LDAP server attribute value. Any entry whose CN or ID contains the search string is returned, so a short search string can match a large number of entries, and the result set is capped only by LDAP_SEARCH_SIZE_LIMIT.
Set LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS to true to omit the wildcard characters (*) from the search string and to match the exact value of the LDAP server attribute.
Following is the default search string:
    (|(&(cn=*<searchstring>*)(objectclass=person))(&(uid=*<searchstring>*)(objectclass=person)))
Following is the search string when LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS is set to true:
    (|(&(cn=<searchstring>)(objectclass=person))(&(uid=<searchstring>)(objectclass=person)))
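As an added example that is not part of the product or of this page, the following shell functions build the two filters shown above from a caller-supplied search string and count how many entries of a constructed sample directory each filter would return. ldap_escape applies RFC 4515 escaping so that *, (, ) and \ in the search string are matched literally; the page does not state whether the product does this, so it is an assumption of the example. The directory entries are constructed sample data, and the case-insensitive matching is an approximation of the caseIgnore matching rules that cn and uid normally use.

```shell
#!/bin/sh
# Added example: behaviour of the default (substring) and exact-match LDAP
# search filters described on this page.  Not product code.

# RFC 4515 escaping of the caller-supplied search string (assumption: the
# example escapes it; the page does not say whether the product does).
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_filter <searchstring> <LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS>
# Emits the page's default substring filter or, with "true", its exact-match filter.
build_filter() {
  v=$(ldap_escape "$1")
  if [ "$2" = "true" ]; then
    printf '(|(&(cn=%s)(objectclass=person))(&(uid=%s)(objectclass=person)))' "$v" "$v"
  else
    printf '(|(&(cn=*%s*)(objectclass=person))(&(uid=*%s*)(objectclass=person)))' "$v" "$v"
  fi
}

# Constructed sample directory, one "cn|uid" entry per line (not real data).
DIRECTORY='Alice Adams|aadams
Bob Allen|ballen
Carol Ng|cng
Dan Brown|dbrown'

# count_matches <searchstring> <LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS>
# Prints how many sample entries the corresponding filter would return.
# cn and uid use case-insensitive matching in LDAP; lower-casing both sides
# approximates that here.
count_matches() {
  s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$DIRECTORY" | {
    n=0
    while IFS='|' read -r cn uid; do
      cn=$(printf '%s' "$cn" | tr '[:upper:]' '[:lower:]')
      uid=$(printf '%s' "$uid" | tr '[:upper:]' '[:lower:]')
      if [ "$2" = "true" ]; then
        # exact match on either attribute
        if [ "$cn" = "$s" ] || [ "$uid" = "$s" ]; then n=$((n + 1)); fi
      else
        # substring match on either attribute; "$s" is quoted so a literal *
        # typed by the caller does not act as a glob, mirroring ldap_escape
        case "$cn" in *"$s"*) n=$((n + 1)); continue ;; esac
        case "$uid" in *"$s"*) n=$((n + 1)) ;; esac
      fi
    done
    echo "$n"
  }
}

# Usage: build_filter alice false; count_matches a false; count_matches a true
```

The counts make the trade-off concrete: with the default filter a one-letter search string matches every sample entry and an empty string matches everything, so only LDAP_SEARCH_SIZE_LIMIT bounds what a search returns; with the flag set to true only an exact CN or ID match is returned, and a caller can no longer widen the result set by typing a shorter string.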
To change the wildcard character usage in the search string, use kubectl or the console.
Changing the wildcard character configuration parameter by using kubectl
To change the value, complete the following steps:
- Install the Kubernetes CLI (kubectl) tool.
- Edit the platform-auth-idp ConfigMap:
    kubectl -n <your-foundational-services-namespace> edit configmap platform-auth-idp
  Change the following value as required:
    LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS
- Save and close the ConfigMap.
- Restart the platform-auth-service pods so that they pick up the new ConfigMap value:
    kubectl -n <your-foundational-services-namespace> delete pod -l k8s-app=platform-auth-service
- Wait for some time. Then, check the status of the platform-auth-service pods. The status must show as 4/4 Running for all the pods:
    kubectl -n <your-foundational-services-namespace> get pods | grep platform-auth-service
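The three kubectl procedures on this page (search attributes, size and time limits, wildcard characters) differ only in which keys of the platform-auth-idp ConfigMap they change. The following script, added here as an example and not part of the product, checks the values against the rules documented above (only one of the *_ONLY flags true, size limit 50 - 100, time limit 5 - 50, wildcard flag true or false) before anything touches the cluster, applies all of them in one kubectl patch, and then performs the same restart-and-wait sequence as the manual steps. The NAMESPACE default, the 300 s wait timeout, and the retry loop around kubectl wait are assumptions of the example; set KUBECTL to another command or define a kubectl shell function to dry-run without a cluster.

```shell
#!/bin/sh
# Added example: validate and apply the LDAP search settings described on this
# page in one kubectl patch, then restart platform-auth-service.  Not product code.
set -eu

NAMESPACE="${NAMESPACE:-ibm-common-services}"   # assumption: set to your foundational-services namespace
KUBECTL="${KUBECTL:-kubectl}"                   # override (or define a kubectl function) to dry-run

# in_range <value> <min> <max>: succeed only for an integer within [min,max].
in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# mode_keys cn|id|both: the two *_ONLY keys.  Exactly one may be true, so the
# caller picks a single mode instead of setting the flags independently.
mode_keys() {
  case "$1" in
    cn)   printf '"LDAP_SEARCH_CN_ATTR_ONLY":"true","LDAP_SEARCH_ID_ATTR_ONLY":"false"' ;;
    id)   printf '"LDAP_SEARCH_CN_ATTR_ONLY":"false","LDAP_SEARCH_ID_ATTR_ONLY":"true"' ;;
    both) printf '"LDAP_SEARCH_CN_ATTR_ONLY":"false","LDAP_SEARCH_ID_ATTR_ONLY":"false"' ;;
    *)    echo "unknown search mode: $1 (use cn, id or both)" >&2; return 1 ;;
  esac
}

# build_patch <mode> <size_limit> <time_limit> <exclude_wildcards>
# Prints the JSON merge patch for the ConfigMap, or fails on an invalid value.
build_patch() {
  mode="$1"; size="$2"; tlimit="$3"; nowild="$4"
  keys=$(mode_keys "$mode") || return 1
  in_range "$size" 50 100 || { echo "LDAP_SEARCH_SIZE_LIMIT must be 50-100, got $size" >&2; return 1; }
  in_range "$tlimit" 5 50 || { echo "LDAP_SEARCH_TIME_LIMIT must be 5-50, got $tlimit" >&2; return 1; }
  case "$nowild" in
    true|false) ;;
    *) echo "LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS must be true or false, got $nowild" >&2; return 1 ;;
  esac
  printf '{"data":{%s,"LDAP_SEARCH_SIZE_LIMIT":"%s","LDAP_SEARCH_TIME_LIMIT":"%s","LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS":"%s"}}' \
    "$keys" "$size" "$tlimit" "$nowild"
}

# apply_settings <mode> <size_limit> <time_limit> <exclude_wildcards>
# Same effect as editing the ConfigMap by hand, deleting the pods, and
# checking that they come back Ready.
apply_settings() {
  patch=$(build_patch "$@") || return 1
  "$KUBECTL" -n "$NAMESPACE" patch configmap platform-auth-idp --type merge -p "$patch"
  "$KUBECTL" -n "$NAMESPACE" delete pod -l k8s-app=platform-auth-service
  # The replacement pods may not exist yet right after the delete, in which
  # case kubectl wait reports no matching resources; retry a few times.
  for attempt in 1 2 3 4 5 6; do
    if "$KUBECTL" -n "$NAMESPACE" wait --for=condition=Ready pod -l k8s-app=platform-auth-service --timeout=300s; then
      return 0
    fi
    sleep 10
  done
  echo "platform-auth-service pods did not become Ready" >&2
  return 1
}

# Usage: ./ldap-search-settings.sh cn 50 5 true
if [ "${1:-}" != "" ]; then apply_settings "$@"; fi
```

Run it with no arguments to load the functions only, or with the four values to apply them; a rejected value leaves the ConfigMap untouched because validation happens before the patch is sent.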
Changing the wildcard character configuration parameter by using the console
- Log in to the OpenShift Container Platform console as a user with cluster administrator access.
- From the navigation menu, click Configuration > Config Maps.
- Search for platform-auth-idp.
- Click ... > Edit Config Map.
- Change the following value, as required:
    LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS
- Click Save.
- From the navigation menu, click Workloads > Deployments.
- Locate platform-auth-service.
- Click ... > Edit. A window for editing displays.
- Click Save without making any change. This step is to reload the platform-auth-service pods with the latest ConfigMap values.
- Click platform-auth-service.
- Wait for some time. Then, check the status of the platform-auth-service pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.