This section describes the steps for adding a second LDAP directory, which can be configured for External Share.
Before you begin
The steps and requirements for setting up the external-user LDAP directory server are the
same for on-premises and container environments. Set up your external LDAP server per the
instructions in Configuring the external user LDAP realm, then return to complete the
container-specific piece of the configuration.
About this task
The procedure describes the method for configuring the additional LDAP directory that
contains external users.
Procedure
- Provide the details about the external LDAP directory in the ext_ldap_configuration section of the CR YAML file for the operator deployment:
ext_ldap_configuration:
  ## The possible values are: "IBM Security Directory Server"
  ## or "Microsoft Active Directory"
  ## or "NetIQ eDirectory"
  ## or "Oracle Internet Directory"
  ## or "Oracle Directory Server Enterprise Edition"
  ## or "Oracle Unified Directory"
  ## or "CA eTrust"
  lc_selected_ldap_type: "<Required>"
  ## The lc_ldap_precheck parameter enables or disables the LDAP connection check.
  ## If set to "true", the LDAP connection check is enabled.
  ## If set to "false", the LDAP connection check is not enabled.
  lc_ldap_precheck: true
  ## The name of the LDAP server to connect to
  lc_ldap_server: "<Required>"
  ## The port of the LDAP server to connect to. Some possible values are: 389, 636, etc.
  lc_ldap_port: "<Required>"
  ## The LDAP bind secret for LDAP authentication.
  lc_bind_secret: ibm-ext-ldap-secret
  ## The LDAP base DN. For example, "dc=example,dc=com", "dc=abc,dc=com", etc.
  lc_ldap_base_dn: "<Required>"
  ## Enable SSL/TLS for LDAP communication. Refer to IBM Documentation for more info.
  lc_ldap_ssl_enabled: true
  ## The name of the secret that contains the LDAP SSL/TLS certificate.
  lc_ldap_ssl_secret_name: "<Required>"
  ## The LDAP user name attribute. One possible value is "*:cn" for TDS and "user:sAMAccountName" for AD. Refer to IBM Documentation for more info.
  lc_ldap_user_name_attribute: "<Required>"
  ## The LDAP user display name attribute. One possible value is "cn" for TDS and "sAMAccountName" for AD. Refer to IBM Documentation for more info.
  lc_ldap_user_display_name_attr: "<Required>"
  ## The LDAP group base DN. For example, "dc=example,dc=com", "dc=abc,dc=com", etc.
  lc_ldap_group_base_dn: "<Required>"
  ## The LDAP group name attribute. One possible value is "*:cn" for both TDS and AD. Refer to IBM Documentation for more info.
  lc_ldap_group_name_attribute: "*:cn"
  ## The LDAP group display name attribute. One possible value for both TDS and AD is "cn". Refer to IBM Documentation for more info.
  lc_ldap_group_display_name_attr: "cn"
  ## The LDAP group membership search filter string. One possible value is "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))" for TDS and AD
  lc_ldap_group_membership_search_filter: "<Required>"
  ## The LDAP group membership ID map. One possible value is "groupofnames:member" for TDS and "memberOf:member" for AD.
  lc_ldap_group_member_id_map: "<Required>"
  ## Uncomment the section that matches your directory type:
  ## Active Directory (ad)
  ## Tivoli Directory Service (tds)
  ## NetIQ eDirectory (ed)
  ## Oracle (oracle) - OID, OUD and ODSEE
  ## CA eTrust (caet)
  #ad:
  #  lc_ad_gc_host: "<Required>"
  #  lc_ad_gc_port: "<Required>"
  #  lc_user_filter: "(&(sAMAccountName=%v)(objectcategory=user))"
  #  lc_group_filter: "(&(cn=%v)(objectcategory=group))"
  #tds:
  #  lc_user_filter: "(&(cn=%v)(objectclass=person))"
  #  lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
  #ed:
  #  lc_user_filter: "(&(objectclass=Person)(cn=%v))"
  #  lc_group_filter: "(&(objectclass=groupOfNames)(cn=%v))"
  #oracle:
  #  lc_user_filter: "(&(objectClass=person)(cn=%v))"
  #  lc_group_filter: "(&(objectClass=group)(cn=%v))"
  #caet:
  #  lc_user_filter: "(&(objectClass=person)(cn=%v))"
  #  lc_group_filter: "(&(objectClass=group)(cn=%v))"
These settings are shared across components: they apply to Content Platform Engine, IBM Content Navigator, and External Share.
- Create an ibm-ext-ldap-secret for your external LDAP configuration information. The following command shows how to create the ibm-ext-ldap-secret secret (the external LDAP bind secret) with the needed username and password:
kubectl create secret generic ibm-ext-ldap-secret \
--from-literal=externalLdapUsername="cn=admin,dc=ibm,dc=edu" \
--from-literal=externalLdapPassword="<yourLDAPPassword>"
The secret that you create, ibm-ext-ldap-secret, is the value for ext_ldap_configuration.lc_bind_secret:
ext_ldap_configuration:
  ...
  lc_bind_secret: ibm-ext-ldap-secret
- Enable External Share for your deployment:
spec:
  content_optional_components:
    cpe: true
    es: true
    ban: true
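The three steps above are easy to get subtly wrong: a "<Required>" placeholder left in the CR, TLS switched off so the bind DN and password cross the network in cleartext, a lc_bind_secret that names a secret that was never created, or External Share left disabled. The following added example (written for this page, not IBM's code) is an offline pre-flight check over the CR text. It assumes that ext_ldap_configuration sits under spec alongside content_optional_components, that the list of existing secret names is supplied by the caller (here a constructed set standing in for `kubectl get secrets` output), and it parses only the flat key/value layout shown in the snippet above rather than full YAML.

```python
"""Pre-flight checks for the ext_ldap_configuration section of the operator CR.
Added example, not IBM code. The parser handles only the indented `key: value`
layout of the CR snippet on this page (no lists, no multi-line scalars)."""
import re

ALLOWED_LDAP_TYPES = {
    "IBM Security Directory Server", "Microsoft Active Directory",
    "NetIQ eDirectory", "Oracle Internet Directory",
    "Oracle Directory Server Enterprise Edition", "Oracle Unified Directory",
    "CA eTrust",
}
VENDOR_SECTIONS = ("ad", "tds", "ed", "oracle", "caet")
SECTION = "ext_ldap_configuration."
LINE_RE = re.compile(r"^(\s*)([A-Za-z_]\w*):\s*(.*?)\s*$")


def parse_flat_yaml(text):
    """Flatten indented `key: value` lines into {'a.b.c': 'value'}.
    Comment lines (`#`) and lines the regex does not match are ignored,
    so commented-out vendor sections are correctly treated as absent."""
    flat, stack = {}, []          # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))     # a nested mapping follows
        else:
            flat[path] = value.strip("\"'")
    return flat


def check_ext_ldap(flat, existing_secrets):
    """Return a list of findings; an empty list means the section looks deployable.
    existing_secrets is the set of secret names present in the target namespace."""
    prefixes = {k[: k.index(SECTION) + len(SECTION)] for k in flat if SECTION in k}
    p = prefixes.pop() if prefixes else SECTION
    findings = []
    for key, value in flat.items():
        if key.startswith(p) and value == "<Required>":
            findings.append(f"{key}: placeholder <Required> not filled in")
    ldap_type = flat.get(p + "lc_selected_ldap_type")
    if ldap_type not in ALLOWED_LDAP_TYPES:
        findings.append(f"lc_selected_ldap_type: unsupported value {ldap_type!r}")
    port = flat.get(p + "lc_ldap_port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"lc_ldap_port: not a valid TCP port: {port!r}")
    if flat.get(p + "lc_ldap_ssl_enabled", "").lower() != "true":
        findings.append("lc_ldap_ssl_enabled: TLS is off, bind credentials would "
                        "cross the network in cleartext")
    elif not flat.get(p + "lc_ldap_ssl_secret_name"):
        findings.append("lc_ldap_ssl_secret_name: TLS enabled but no certificate secret named")
    secret = flat.get(p + "lc_bind_secret")
    if secret not in existing_secrets:
        findings.append(f"lc_bind_secret: secret {secret!r} does not exist in the namespace")
    if "{0}" not in flat.get(p + "lc_ldap_group_membership_search_filter", ""):
        findings.append("lc_ldap_group_membership_search_filter: missing the {0} member placeholder")
    active = [v for v in VENDOR_SECTIONS if any(k.startswith(p + v + ".") for k in flat)]
    if len(active) != 1:
        findings.append(f"exactly one vendor section must be uncommented, found {active}")
    for v in active:
        for f in ("lc_user_filter", "lc_group_filter"):
            if "%v" not in flat.get(f"{p}{v}.{f}", ""):
                findings.append(f"{v}.{f}: missing the %v name placeholder")
    es = next((val for k, val in flat.items()
               if k.endswith("content_optional_components.es")), "")
    if es.lower() != "true":
        findings.append("content_optional_components.es: External Share is not enabled")
    return findings


# Constructed sample CRs (hostnames and values are placeholders, not real systems).
GOOD_CR = """\
spec:
  content_optional_components:
    cpe: true
    es: true
    ban: true
  ext_ldap_configuration:
    lc_selected_ldap_type: "Microsoft Active Directory"
    lc_ldap_precheck: true
    lc_ldap_server: "ldap.example.com"
    lc_ldap_port: "636"
    lc_bind_secret: ibm-ext-ldap-secret
    lc_ldap_base_dn: "dc=example,dc=com"
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: ext-ldap-tls
    lc_ldap_user_name_attribute: "user:sAMAccountName"
    lc_ldap_user_display_name_attr: "sAMAccountName"
    lc_ldap_group_base_dn: "dc=example,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
    lc_ldap_group_member_id_map: "memberOf:member"
    ad:
      lc_ad_gc_host: "gc.example.com"
      lc_ad_gc_port: "3269"
      lc_user_filter: "(&(sAMAccountName=%v)(objectcategory=user))"
      lc_group_filter: "(&(cn=%v)(objectcategory=group))"
"""

BAD_CR = """\
spec:
  content_optional_components:
    es: false
  ext_ldap_configuration:
    lc_selected_ldap_type: "OpenLDAP"
    lc_ldap_server: "ldap.example.com"
    lc_ldap_port: "<Required>"
    lc_bind_secret: ibm-ext-ldap-secret
    lc_ldap_ssl_enabled: false
    lc_ldap_ssl_secret_name: "<Required>"
    lc_ldap_group_membership_search_filter: "(&(objectclass=groupofnames)(member=*))"
    ad:
      lc_user_filter: "(&(sAMAccountName=%v)(objectcategory=user))"
      lc_group_filter: "(&(cn=%v)(objectcategory=group))"
    tds:
      lc_user_filter: "(&(cn=admin)(objectclass=person))"
      lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)))"
"""

if __name__ == "__main__":
    for finding in check_ext_ldap(parse_flat_yaml(BAD_CR), set()):
        print(" -", finding)
```

Run it against the real CR before applying it (`kubectl apply`) and feed the secret names from `kubectl get secrets -o name` into existing_secrets; the TLS and bind-secret findings are the ones worth treating as blockers, since a cleartext bind exposes the directory account the operator uses for every user and group lookup.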
Results
A new LDAP configuration XML file is generated and mounted under the /configDropins/override directory for Content Platform Engine, IBM Content Navigator, and the External Share container.