Update LDAP-Based Authentication Configuration REST Service

Use the Update LDAP-Based Authentication Configuration REST Service to configure the authentication requirements in containerized IBM® Security Guardium® Key Lifecycle Manager.

Operation
POST
URL
https://host:port/SKLM/rest/v1/authnConfigProperties/ldap

By default, Guardium Key Lifecycle Manager server listens to the secure port 9443 (HTTPS) for communication. During IBM Security Guardium Key Lifecycle Manager installation, you can modify this default port.

Request

Request Parameters
Parameter Description
host Specify the IP address or hostname of the IBM Security Guardium Key Lifecycle Manager server.
port Specify the port number on which the IBM Security Guardium Key Lifecycle Manager server listens for requests.
Request Headers
Header name Value
Content-Type application/json
Accept application/json
Authorization SKLMAuth userAuthId=<authIdValue>
Accept-Language Any valid locale that is supported by IBM Security Guardium Key Lifecycle Manager. For example, en or de.
Request body

JSON object with the following specification:

Property name Description
AUTH_TYPE_LDAP Specify true if you want to configure a supported LDAP provider for user authentication. Otherwise, by default, file-based authentication is available.

Other possible value is false.

LDAP_TYPE Specify the type of LDAP server to be connected to.

Possible values:

IBM Security Directory Server
Configure the LDAP registry to use IBM Security Directory Server.
Microsoft Active Directory
Configure the LDAP registry to use Microsoft Active Directory.
Note: This parameter is mandatory if you have specified true as a value in the AUTH_TYPE_LDAP parameter.
LDAP_HOST Specify the host name or IP address of the LDAP server.
Note: This parameter is mandatory if you have specified true as a value in the AUTH_TYPE_LDAP parameter.
LDAP_PORT Specify the port number of the LDAP server.
Note: This parameter is mandatory if you have specified true as a value in the AUTH_TYPE_LDAP parameter.
LDAP_BASE_ENTRY Specify the base node in the LDAP directory. For example:
"DC=klm,DC=com"

where, DC is Domain Component.

Note: This parameter is mandatory if you have specified true as a value in the AUTH_TYPE_LDAP parameter.
LDAP_GR_OBJECT_CLASS Specify the object class that is defined for the group LDAP entity type in the LDAP server. For example, GroupofUniquenames.
LDAP_PR_OBJECT_CLASS Specify the object class that is defined for the person LDAP entity type in the LDAP server. For example, person.
LDAP_RECURSIVE_SEARCH Specify true to indicate whether to perform a nested group search.

Other value: false (default)

Specify true only if the LDAP server does not support recursive server-side searches.

LDAP_USER_FILTER Specify an LDAP filter clause for searching the user registry for users.
LDAP_GROUP_FILTER Specify an LDAP filter clause for searching the user registry for groups.
LDAP_USER_ID_MAP Specify an LDAP filter that maps the name of a user to an LDAP entry.
LDAP_GROUP_ID_MAP Specify an LDAP filter that maps the name of a group to an LDAP entry.
LDAP_GROUP_MEMBER_ID_MAP Specify an LDAP filter that identifies user to group memberships.
LDAP_BIND_DN Specify the distinguished name (DN) for the application server, which is used to bind to the directory service.
LDAP_BIND_PASSWD Specify the password for the DN that is specified in the LDAP_BIND_DN parameter. The value can be stored in clear text.
LDAP_SSL_ENABLED Specify true to indicate that a TLS connection must be made to the LDAP server. Otherwise, specify false.
LDAP_SKLMADMIN_USERNAME Specify the full distinguished name (DN) of the LDAP administrator. You can specify only alphanumeric, period (.), and underscore (_) characters.
Note: You must provide a value for this parameter or for the SKLMADMIN_USERNAME parameter if you have specified true as the value in the AUTH_TYPE_LDAP parameter.
LDAP_DISPLAY_NAME Specify a name for the LDAP user to be displayed on the graphical user interface.

Response

Response Headers
Header name Value and description
Status Code
200 OK
The request was successful. The response body contains the requested representation.
400 Bad Request
The authentication information was not provided in the correct format.
401 Unauthorized
The authentication credentials were missing or incorrect.
404 Not Found Error
The processing of the request fails.
500 Internal Server Error
The processing of the request fails because of an unexpected condition on the server.
Content-Type application/json
Content-Language Locale for the response message.
Success response body

JSON object with the following specification:

JSON property name Description
code Returns the code that is specified by the status property.
status Returns the request status.
Error Response Body

JSON object with the following specification.

JSON property name Description
code Returns the application error code.
message Returns a message that describes the error.

Example

Specify LDAP configuration
POST https://localhost:port/SKLM/rest/v1/authnConfigProperties/ldap
{
  "AUTH_TYPE_LDAP": "true",
  "LDAP_TYPE": "IBM Seurity Directory Server",
  "LDAP_HOST": "klm.abc.com",
  "LDAP_PORT": "389",
  "LDAP_BASE_ENTRY": "o=abc.com"
}
Success response
{
  "code": "CTGKM6204I",
  "status": "CTGKM6204I LDAP Configuration settings are updated."
}
Error response
{"code":"CTGKM6002E",
"message":"CTGKM6002E Bad Request: Invalid user authentication ID or invalid request format."}
Table 1. Topic change log
Date Change description
20 Oct 2021 Corrected the example.
30 Sept 2021 Removed ckms from the REST endpoint.
10 Sept 2021 Initial version.