Updating SCIM LDAP attributes mapping
You can update the SCIM LDAP attributes mapping.
To support the SCIM APIs for a configured LDAP connection in IBM Cloud Pak foundational services, you can update the SCIM_LDAP_ATTRIBUTES_MAPPING data in the following ways:
- By using SCIM configuration for LDAP connection. For more information, see SCIM configuration by using your product UI.
- By using the attributemapping API (available for IBM Cloud Pak foundational services version 3.11.0 or later).
Note: Use of the configmap to update the SCIM LDAP attributes mapping is not supported and was removed in foundational services version 4.8.
Updating with the attributemapping API
To use the attributemapping API, you must add an authorization header to your request that carries an access token. To obtain the access token, see Preparing to run component or management API commands.
Procedure
Note: The members and objectClass attributes do not accept custom SCIM attribute values. Use LDAP filter values for these attributes to map the data.
- Check the existing attribute mappings by using the following API call:
curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings"
The response resembles the following code:
[{"idp_id":"default","idp_type":"ldap","user":{"id":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","emails":"mail","created":"createTimestamp","lastModified":"modifyTimestamp","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}]
- Create the attribute mappings with your mapping data by using the following API call:
Note: If you already have the attribute mappings, do not create another attribute mapping. You can skip this step.
export DATA='{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}'
The sample curl command resembles the following code:
curl -sk -X POST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" -d "$DATA" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings"
The response resembles the following code:
{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}
- Update the existing attribute mappings data with your mapping data by using the following API call:
Note: Set IDP_ID to the idp_id of the mapping that you want to update. It is placed outside the single quotes so that the shell expands it in the request body.
export DATA='{"idp_id":"'"$IDP_ID"'","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}'
The sample curl command resembles the following code:
curl -sk -X PUT --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" -d "$DATA" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
The response resembles the following code:
{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}
- Delete the existing attribute mappings by using the following API call:
curl -sk -X DELETE --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
The response resembles the following code:
{"count":1}
Note: By default, the LDAP connection configuration considers the following mapping values for SCIM APIs.
LDAP connection attributes | SCIM object | SCIM attributes
---|---|---
LDAP_USERIDMAP | user | userName
LDAP_USERFILTER | user | objectClass
LDAP_GROUPIDMAP | group | name
LDAP_GROUPFILTER | group | objectClass
LDAP_GROUPMEMBERIDMAP | group | members
Note: If you have multiple expressions in the LDAP connection attributes configuration, the first configuration value is considered.
LDAP attributes
For information about LDAP attributes, you can use the ldapsearch tool or any LDAP browser such as Apache Directory Studio.
Installing the ldapsearch tool
On Ubuntu, run the following command:
sudo apt-get install ldap-utils
On Red Hat® Enterprise Linux®, run the following command:
sudo yum install openldap-clients
The following examples show the ldapsearch tool command structure and an example output.
User
Command:
ldapsearch -x -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -W -s sub "(sAMAccountName=pavann)" "*" "+"
Output:
# extended LDIF
#
# LDAPv3
# base <DC=ibmtest,DC=com> with scope subtree
# filter: (sAMAccountName=pavann)
# requesting: * +
#
# Tom Northwood, Users, ibmtest.com
dn: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tom Northwood
givenName: Tom Northwood
distinguishedName: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
instanceType: 4
whenCreated: 20180802104118.0Z
whenChanged: 20210305115346.0Z
displayName: Tom Northwood
uSNCreated: 13356
memberOf: CN=group9,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group8,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group7,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group6,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group5,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group4,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group3,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group2,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group1,CN=Users,DC=ibmtest,DC=com
memberOf: CN=security,CN=Users,DC=ibmtest,DC=com
uSNChanged: 145644
name: Tom Northwood
objectGUID:: pVKE4qv5MEyqxjQ3nUvsWA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132285264754362226
lastLogoff: 0
lastLogon: 132285264944206361
pwdLastSet: 131776804917936927
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAr/FodBO+7uVBDhlaXAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pavann
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ibmtest,DC=com
dSCorePropagationData: 20180802104118.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132594188266767176
# search reference
ref: ldap://ForestDnsZones.ibmtest.com/DC=ForestDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://DomainDnsZones.ibmtest.com/DC=DomainDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
Group
Command:
ldapsearch -x -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -W -s sub "(cn=security)" "*" "+"
Output:
# extended LDIF
#
# LDAPv3
# base <DC=ibmtest,DC=com> with scope subtree
# filter: (cn=security)
# requesting: * +
#
# security, Users, ibmtest.com
dn: CN=security,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: group
cn: security
member: CN=Neil Wilson,CN=Users,DC=ibmtest,DC=com
member: CN=John Winston,CN=Users,DC=ibmtest,DC=com
member: CN=Jeff Rodrigue,CN=Users,DC=ibmtest,DC=com
member: CN=Kane Shatner,CN=Users,DC=ibmtest,DC=com
member: CN=Anna Reynolds,CN=Users,DC=ibmtest,DC=com
member: CN=Gessie Lemson,CN=Users,DC=ibmtest,DC=com
member: CN=Lauri Williamson,CN=Users,DC=ibmtest,DC=com
member: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
distinguishedName: CN=security,CN=Users,DC=ibmtest,DC=com
instanceType: 4
whenCreated: 20180802103445.0Z
whenChanged: 20180802105558.0Z
uSNCreated: 13330
memberOf: CN=isl,CN=Users,DC=ibmtest,DC=com
uSNChanged: 13455
name: security
objectGUID:: UPoQ3uNfVk+fHn1W1b5KUg==
objectSid:: AQUAAAAAAAUVAAAAr/FodBO+7uVBDhlaWAQAAA==
sAMAccountName: security
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ibmtest,DC=com
dSCorePropagationData: 16010101000000.0Z
# search reference
ref: ldap://ForestDnsZones.ibmtest.com/DC=ForestDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://DomainDnsZones.ibmtest.com/DC=DomainDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
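The following Python script is an added example, not part of the IBM documentation or product code. It parses the kind of LDIF that ldapsearch prints above and reports which LDAP attributes named in a SCIM mapping are actually present on the returned entry, which is the check to run before using the default mapping against a directory whose schema differs from it. The two LDIF samples are constructed, shortened versions of the user and group output above; the mapping dictionaries are the default user and group mappings returned by the GET call earlier on this page.

```python
"""Added example (not IBM's code): parse ldapsearch LDIF output and check which LDAP
attributes named in a SCIM mapping exist on the returned entry."""
import base64


def parse_ldif(text: str) -> list:
    """Return the entries in LDIF text as dicts of lower-cased attribute -> list of values.
    Handles '#' comments, folded lines (leading space) and '::' base64 values (stored as hex);
    blocks without a dn (search references, the result trailer) are dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # the trailing "" flushes the last block
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).hex()
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def check_mapping(section_map: dict, entry: dict) -> dict:
    """Compare one side of a SCIM mapping (the 'user' or 'group' object) with an LDAP entry.
    Reports which mapped LDAP attributes are present or missing on the entry and whether the
    mapped objectClass is one of the entry's objectClass values."""
    present, missing = [], []
    for scim_attr, target in section_map.items():
        if scim_attr == "objectClass":
            continue
        targets = target if isinstance(target, list) else [target]   # phoneNumbers is a list
        for item in targets:
            ldap_attr = item["value"] if isinstance(item, dict) else item
            bucket = present if ldap_attr.lower() in entry else missing
            bucket.append(f"{scim_attr}->{ldap_attr}")
    wanted = str(section_map.get("objectClass", "")).lower()
    classes = [c.lower() for c in entry.get("objectclass", [])]
    return {"present": present, "missing": missing, "objectclass_ok": wanted in classes}


# Default mappings as returned by the GET attributemappings call above.
USER_MAP = {"id": "dn", "userName": "uid", "principalName": "uid", "displayName": "cn",
            "givenName": "cn", "familyName": "sn", "fullName": "cn", "externalId": "dn",
            "emails": "mail", "created": "createTimestamp", "lastModified": "modifyTimestamp",
            "phoneNumbers": [{"value": "mobile", "type": "mobile"},
                             {"value": "telephoneNumber", "type": "work"}],
            "objectClass": "person", "groups": "memberOf"}
GROUP_MAP = {"id": "dn", "name": "cn", "principalName": "cn", "displayName": "cn",
             "externalId": "dn", "created": "createTimestamp", "lastModified": "modifyTimestamp",
             "objectClass": "groupOfUniqueNames", "members": "uniqueMember"}

# Constructed LDIF, shortened from the ldapsearch output shown above.
USER_LDIF = """\
# extended LDIF
#
# Tom Northwood, Users, ibmtest.com
dn: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: person
objectClass: user
cn: Tom Northwood
displayName: Tom Northwood
memberOf: CN=security,CN=Users,DC=ibmtest,DC=com
objectGUID:: pVKE4qv5MEyqxjQ3nUvsWA==
sAMAccountName: pavann

# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com

# search result
search: 2
result: 0 Success
"""
GROUP_LDIF = """\
dn: CN=security,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: group
cn: security
member: CN=Neil Wilson,CN=Users,DC=ibmtest,DC=com
member: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
sAMAccountName: security
"""

if __name__ == "__main__":
    for label, mapping, ldif in (("user", USER_MAP, USER_LDIF), ("group", GROUP_MAP, GROUP_LDIF)):
        report = check_mapping(mapping, parse_ldif(ldif)[0])
        print(label, "missing:", report["missing"], "objectClass ok:", report["objectclass_ok"])
```

Against the Active Directory style entries above, the default user mapping reports uid, sn, mail, createTimestamp, modifyTimestamp and the phone attributes as missing, and the default group mapping reports uniqueMember as missing and groupOfUniqueNames as not one of the group's object classes; those are exactly the values to replace (for example with sAMAccountName and member) in the attributemapping body for such a directory.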
IBM Cloud attributes
To search IBM Cloud users in SCIM, custom attributes can be defined as shown in the following code example. By default, these attributes are not defined.
"IBMCloud" = {
"user": {
"id": "userId",
"userName": "userId",
"principalName": "userId",
"displayName": "firstName",
"emails": "email",
"familyName": "lastName",
"givenName": "firstName",
"externalId": "userId"
}
};