Configuring LDAP-based user authentication

You can configure IBM Security Guardium Key Lifecycle Manager to use a supported LDAP provider for user authentication.

About this task

You can use the graphical user interface or the REST interface to configure LDAP.
Note: In a multi-master or replication setup, if you update the certificate that IBM Security Guardium Key Lifecycle Manager uses to trust the LDAP server, restart the clone server manually for the change to take effect. For instructions, see Restarting the Guardium Key Lifecycle Manager server.

Procedure

  • To secure communication between IBM Security Guardium Key Lifecycle Manager and the LDAP server, configure and use TLS as follows:
    1. Access the Swagger UI.
      For more information, see Using Swagger UI.
    2. Authenticate and authorize the IBM Security Guardium Key Lifecycle Manager REST API operations.
    3. Obtain the LDAP server certificate and root certificate authority (CA) certificate.
    4. To upload the LDAP server certificate and root CA certificate that you obtained in Step 3 to the IBM Security Guardium Key Lifecycle Manager server, run the Upload File to Server REST Service.
      The certificate files are uploaded to the SKLM_DATA directory.
    5. To import the LDAP server certificate and root CA certificate that you obtained in Step 3 into the Liberty truststore, run the Add Certificate to Liberty Truststore REST Service.
  • Using graphical user interface
    1. Log in to the graphical user interface by using your credentials.
    2. Click User Management.
      The Users page opens, displaying the list of users with their assigned roles and groups.
    3. Click the Authentication Providers tab.
      The current user authentication properties are displayed.
    4. To configure or modify the existing user authentication settings, click Update.
    5. To configure or update the LDAP-based authentication, click the LDAP/OIDC tab, and ensure that LDAP is selected.
    6. Select Enable LDAP-based Authentication and specify the following parameter values.
      Basic and Advanced configuration properties

      Property name: Description

      Basic Configuration
      LDAP Server Type: Select the type of LDAP server to connect to:
        IBM® Tivoli Directory Server: Configure the LDAP registry to use IBM Security Directory Server.
        Microsoft Active Directory: Configure the LDAP registry to use Microsoft Active Directory.
      LDAP Host: Specify the hostname or IP address of the LDAP server.
      LDAP Port: Specify the port number of the LDAP server.
      Base Entry: Specify the base node in the LDAP directory, for example o=klm.com.

      Advanced Configuration
      Bind DN: Specify the distinguished name (DN) that the application server uses to bind to the directory service.
      Bind Password: Specify the password for the DN that is specified in the Bind DN parameter. The value can be stored in clear text, so use a dedicated bind account that has read-only access to the user and group subtrees.
      Confirm Bind Password: Enter the password again, exactly as provided in the Bind Password field.
      Enable TLS: Select the checkbox to use a TLS connection to the LDAP server.
      LDAP Display Name: Specify the LDAP attribute that is used to display the user name in the graphical user interface, for example cn, uid, or mail.
      GR Obj Class: Specify the object class that is defined for the group entity type in the LDAP server, for example groupOfUniqueNames.
      Group Member ID Map: Specify an LDAP filter that identifies user-to-group membership.
      PR Obj Class: Specify the object class that is defined for the person entity type in the LDAP server, for example person.
      Recursive Search: Select the checkbox to perform a nested (recursive) group search on the client side. Select it only if the LDAP server does not itself support recursive server-side searches; if the server does, leave it cleared.
      User Filter: Specify an LDAP filter clause for searching the user registry for users.
      Group Filter: Specify an LDAP filter clause for searching the user registry for groups.
      User ID Map: Specify an LDAP filter that maps the name of a user to an LDAP entry.
      Group ID Map: Specify an LDAP filter that maps the name of a group to an LDAP entry.
    7. Click Update.
    8. In the dialog box that opens, click Close.
      The Authentication Providers page is displayed with the updated parameter values.
    9. Restart WebSphere Liberty. For instructions, see Restarting the Guardium Key Lifecycle Manager server.
  • Using REST interface
    1. Access the Swagger UI. For more information, see Using Swagger UI.
    2. Authenticate and authorize the IBM Security Guardium Key Lifecycle Manager REST API operations.
    3. To configure LDAP-based authentication, see Update LDAP-Based Authentication Configuration REST Service.
    4. To view the authentication configuration values, see Get Authentication Configuration Details REST Service.
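The following is an added illustration (not GKLM or WebSphere Liberty code) of how the Advanced Configuration settings above are applied when a user logs in: the User Filter and Group Filter are templates in which %v is replaced by the login name, the member attributes named by the Group Member ID Map are followed to find groups, and Recursive Search decides whether the client walks nested groups itself. The %v templates and member attributes shown are the usual Liberty defaults for each LDAP Server Type and are an assumption here; the directory entries are constructed sample data.

```python
"""Illustrates how the Basic/Advanced LDAP settings are applied at login time.

Added example, not GKLM or Liberty code.  The %v filter templates and the
member attributes are the usual WebSphere Liberty defaults for each server
type (assumption), and DIRECTORY is constructed sample data.
"""

# Liberty-style filter templates per LDAP Server Type.  %v is replaced by the
# login name at search time (assumption: these match the Liberty defaults).
TEMPLATES = {
    "IBM Tivoli Directory Server": {
        "user_filter": "(&(uid=%v)(objectclass=ePerson))",
        "group_filter": "(&(cn=%v)(|(objectclass=groupOfNames)"
                        "(objectclass=groupOfUniqueNames)))",
        "member_attrs": ("member", "uniqueMember"),
    },
    "Microsoft Active Directory": {
        "user_filter": "(&(sAMAccountName=%v)(objectcategory=user))",
        "group_filter": "(&(cn=%v)(objectcategory=group))",
        "member_attrs": ("member",),
    },
}

# Constructed sample directory under Base Entry o=klm.com: DN -> attributes.
# Attribute names are lowercased because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "uid=alice,ou=people,o=klm.com": {
        "objectclass": ["ePerson"], "uid": ["alice"]},
    "cn=klmadmin,ou=groups,o=klm.com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=alice,ou=people,o=klm.com"]},
    "cn=security,ou=groups,o=klm.com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["cn=klmadmin,ou=groups,o=klm.com"]},
    "cn=everyone,ou=groups,o=klm.com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["cn=security,ou=groups,o=klm.com"]},
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that it cannot change the
    structure of the filter it is substituted into (LDAP injection)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def expand_filter(template: str, login_name: str) -> str:
    """Substitute the login name for %v in a User Filter / Group Filter."""
    return template.replace("%v", escape_filter_value(login_name))


def direct_groups(dn: str, member_attrs) -> list:
    """Groups that list `dn` directly in one of the member attributes."""
    hits = set()
    for group_dn, attrs in DIRECTORY.items():
        for attr in member_attrs:
            if dn in attrs.get(attr.lower(), []):
                hits.add(group_dn)
    return sorted(hits)


def resolve_groups(dn: str, member_attrs, recursive: bool) -> list:
    """Group membership as the registry would compute it.

    recursive=False returns only direct groups.  recursive=True is what the
    Recursive Search checkbox does: the client walks group-of-group
    membership itself, one extra search per nested group, which is only
    worth enabling when the server cannot do it server-side.
    """
    found, pending = set(), [dn]
    while pending:
        current = pending.pop()
        for group_dn in direct_groups(current, member_attrs):
            if group_dn not in found:
                found.add(group_dn)
                if recursive:
                    pending.append(group_dn)
    return sorted(found)


def ad_nested_member_filter(user_dn: str) -> str:
    """Active Directory resolves nested membership server-side with the
    LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), so
    Recursive Search stays cleared for that server type."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(user_dn)


if __name__ == "__main__":
    ids = TEMPLATES["IBM Tivoli Directory Server"]
    print(expand_filter(ids["user_filter"], "alice"))
    # A hostile login name is neutralised instead of widening the search:
    print(expand_filter(ids["user_filter"], "*)(uid=*"))
    alice = "uid=alice,ou=people,o=klm.com"
    print(resolve_groups(alice, ids["member_attrs"], recursive=False))
    print(resolve_groups(alice, ids["member_attrs"], recursive=True))
    print(ad_nested_member_filter("CN=alice,OU=people,DC=klm,DC=com"))
```

Two practical points follow from this: any value substituted into a User Filter or Group Filter must be escaped, otherwise a login name such as `*)(uid=*` rewrites the filter; and for Microsoft Active Directory, which can expand nested groups on the server with the matching rule shown, the Recursive Search checkbox should stay cleared, whereas for a directory that lacks server-side expansion it is the only way nested group membership reaches GKLM.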