Managing secrets for LDAP

You need to create the LDAP secret that contains the LDAP configuration information. If you choose to use the Content Cortex prerequisites script to generate the deployment files, these secrets are generated.

Procedure

  1. Create an ldap-bind-secret for your LDAP configuration information:
    The following command shows how to create the ldap-bind-secret secret with the needed usernames and passwords.
    kubectl create secret generic ldap-bind-secret \
      --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" \
      --from-literal=ldapPassword="<yourLDAPPassword>"  
    Note: When you create secrets, special characters such as $, \, *, =, and ! are interpreted by your shell, and therefore need escaping. In most shells, the simplest way to escape a password is to surround it with single quotation marks ('). For example, if your password is S!B\*d$zDsb= then use single quotation marks around the password string:
    --from-literal=password='S!B\*d$zDsb='

    You do not need to escape special characters in passwords from files (--from-file). For more information, see Managing Secrets in the Kubernetes documentation.

    The secret that you create, ldap-bind-secret, is the value for ldap_configuration.lc_bind_secret.

    ldap_configuration:
      ...
      lc_bind_secret: ldap-bind-secret 
    
    Tip: If you have multiple LDAP configurations with different login credentials, you can use the lc_ldap_id parameter to differentiate your LDAP credentials in the secret. Assign an <id_name> for each LDAP, specify the <id_name> in the CR YAML for each LDAP by using the lc_ldap_id parameter, and add the <id_name> to your credential specification in the secret.
    For example, suppose you have two LDAP configurations: Oracle Unified Directory (OUD) and eDirectory (EDIR). In the YAML, you specify the following values, including a value for the lc_ldap_id parameter that is specific to each LDAP configuration:
    ldap_configuration_OUD:
      lc_ldap_id: "OUD"
      lc_selected_ldap_type: "Oracle Unified Directory"
      lc_ldap_server: "server_name"
      lc_ldap_port: "389"
      ...
    
    ldap_configuration_EDIR:
      lc_ldap_id: "EDIR"
      lc_selected_ldap_type: "NetIQ eDirectory"
      lc_ldap_server: "ldap2_server_name"
      lc_ldap_port: "389"
      ...
    When you create the secret, add the <id_name> (OUD and EDIR) to your username and password credentials, in the format ldap<id_name>Username and ldap<id_name>Password. For example, the username for OUD is referred to as ldapOUDUsername:
    kubectl create secret generic ldap-bind-secret \
      --from-literal=ldapOUDUsername="cn=Directory Manager" \
      --from-literal=ldapOUDPassword="<yourLDAPPassword>" \
      --from-literal=ldapEDIRUsername="cn=Directory Manager" \
      --from-literal=ldapEDIRPassword="<yourLDAPPassword>"

    This example uses two LDAP configurations, but you can use the lc_ldap_id parameter for multiple additional LDAP configurations.
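    Added example (Python, not part of this page or the product's own tooling) that ties the two points above together: deriving the ldap<id_name>Username / ldap<id_name>Password key names from the lc_ldap_id values in the CR, and creating the secret with --from-file so a password such as S!B\*d$zDsb= never passes through the shell (the same escaping concern applies to the ibm-ext-ldap-secret step below). It assumes the operator accepts exactly the key names described here; the CR fragment and credentials are constructed, and the kubectl command is built but not executed.

```python
import base64
import re
import tempfile
from pathlib import Path

# Constructed CR fragment mirroring the page's two-LDAP example; values are placeholders.
CR_YAML = """
ldap_configuration_OUD:
  lc_ldap_id: "OUD"
  lc_bind_secret: ldap-bind-secret
ldap_configuration_EDIR:
  lc_ldap_id: "EDIR"
  lc_bind_secret: ldap-bind-secret
"""

def ldap_ids(cr_text):
    """Collect every lc_ldap_id in the CR. No ids means a single LDAP keyed as plain ldapUsername/ldapPassword."""
    ids = re.findall(r'^\s*lc_ldap_id:\s*"?([A-Za-z0-9_-]+)"?\s*$', cr_text, re.M)
    return ids or [""]

def secret_keys(ids):
    """Key names the secret must carry: ldap<id_name>Username and ldap<id_name>Password for each id."""
    return [f"ldap{i}{field}" for i in ids for field in ("Username", "Password")]

def stage_credentials(secret_name, creds):
    """Write each credential to its own file and build a kubectl command that uses --from-file.
    The shell never sees the password, so $ \\ * = ! need no escaping. Remove workdir once kubectl has run."""
    workdir = Path(tempfile.mkdtemp(prefix="ldap-secret-"))
    cmd = ["kubectl", "create", "secret", "generic", secret_name]
    for key, value in creds.items():
        path = workdir / key
        path.write_text(value)              # exact value, no trailing newline appended
        path.chmod(0o600)                   # owner-only while the plaintext file exists
        cmd.append(f"--from-file={key}={path}")
    readback = {k: (workdir / k).read_text() for k in creds}
    return cmd, readback

def encode_data(creds):
    """Mirror what kubectl stores under .data: the base64 encoding of each value."""
    return {k: base64.b64encode(v.encode()).decode() for k, v in creds.items()}

def check_secret(manifest_data, cr_text):
    """Compare a Secret's .data with the keys the CR's lc_ldap_id values require; return (missing, decoded)."""
    expected = secret_keys(ldap_ids(cr_text))
    missing = [k for k in expected if k not in manifest_data]
    decoded = {k: base64.b64decode(v).decode() for k, v in manifest_data.items()}
    return missing, decoded
```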

  2. Create an ibm-ext-ldap-secret for your External LDAP configuration information. This configuration is used when deploying External Share:
    The following command shows how to create the ibm-ext-ldap-secret secret with the needed usernames and passwords.
    kubectl create secret generic ibm-ext-ldap-secret \
      --from-literal=externalLdapUsername="cn=admin,dc=ibm,dc=edu" \
      --from-literal=externalLdapPassword="<yourLDAPPassword>"
    Note: When you create secrets, special characters such as $, \, *, =, and ! are interpreted by your shell, and therefore need escaping. In most shells, the simplest way to escape a password is to surround it with single quotation marks ('). For example, if your password is S!B\*d$zDsb= then use single quotation marks around the password string:
    --from-literal=password='S!B\*d$zDsb='

    You do not need to escape special characters in passwords from files (--from-file). For more information, see Managing Secrets in the Kubernetes documentation.

    The secret that you create, ibm-ext-ldap-secret, is the value for ext_ldap_configuration.lc_bind_secret.

    ext_ldap_configuration:
      ...
      lc_bind_secret: ibm-ext-ldap-secret