Using the ldapEntityType element for advanced LDAP configuration

To narrow the IBM Spectrum® Control view of your LDAP structure so that you can find and map your groups to IBM Spectrum Control roles, you need to configure the ldapEntityType element within the ldapRegistry element.

Example: LDAP user and group scenario

In this scenario, you want to provide access to LDAP users that reside in a different node of the LDAP structure than your LDAP groups. You also want to prevent authorization of LDAP users and groups that are not associated with IBM Spectrum Control.

In this scenario, the LDAP users use the following distinguished names:
  • LDAP user 1: cn=LDAPUser1,ou=MarketingUsers,dc=storage,dc=company,dc=com
  • LDAP user 2: cn=LDAPUser2,ou=SalesUsers,dc=storage,dc=company,dc=com
  • LDAP user 3: cn=LDAPUser3,ou=ManagementUsers,dc=storage,dc=company,dc=com
In this scenario, the LDAP groups use the following distinguished names, and each user is a member of one group:
  • LDAP user 1 is a member of LDAP group 1: cn=LDAPGroup1,ou=MarketingGroups,dc=storage,dc=company,dc=com
  • LDAP user 2 is a member of LDAP group 2: cn=LDAPGroup2,ou=SalesGroups,dc=storage,dc=company,dc=com
  • LDAP user 3 is a member of LDAP group 3: cn=LDAPGroup3,ou=ManagementGroups,dc=storage,dc=company,dc=com

In this scenario, LDAPUser1 and LDAPUser2 are in different nodes of the LDAP structure than their associated LDAP groups, LDAPGroup1 and LDAPGroup2. You need to find and map LDAPGroup1 and LDAPGroup2 to IBM Spectrum Control roles and be able to log in to IBM Spectrum Control as LDAPUser1 and LDAPUser2.

When you configure IBM Spectrum Control for LDAP authentication and you encounter this scenario, set the baseDN value in your LDAP XML template file to dc=storage,dc=company,dc=com.

In the following example, this baseDN value is the common suffix of all LDAP user and group distinguished names, so every user and group in the scenario is within the search scope.

Example of the LDAP XML template file that implements this baseDN value:
<server description="IBM Web Server">
	<ldapRegistry activedFilters="active_dir_server" baseDN="dc=storage,dc=company,dc=com" 
      bindDN="cn=Administrator,cn=users,dc=storage,dc=company,dc=com" bindPassword="password" 
      host="ldap.storage.company.com" id="LDAP1" ignoreCase="true" 
      ldapType="Microsoft Active Directory" 
      port="389" realm="TPCRealm" sslEnabled="false">
	</ldapRegistry>
	
	<activedLdapFilterProperties groupFilter="(&amp;(cn=%v)(objectcategory=group))" groupIdMap="*:cn" 
       groupMemberIdMap="memberof:member" id="active_dir_server" 
       userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))" userIdMap="user:sAMAccountName"/>
	
	<federatedRepository>
		<primaryRealm allowOpIfRepoDown="true" name="TPCRealm">
			<participatingBaseEntry name="dc=storage,dc=company,dc=com"/>
			<!-- The next two entries must NOT be changed -->  
			<participatingBaseEntry name="o=TPCRealm"/>
			<participatingBaseEntry name="o=OSRealm"/>
		</primaryRealm>
	</federatedRepository>
</server>
When you use this example LDAP XML template file, you can also find and map LDAPGroup3 to an IBM Spectrum Control role, which allows LDAPUser3 to log in to IBM Spectrum Control. That is not the intended outcome: the baseDN alone scopes the search to the entire dc=storage,dc=company,dc=com subtree, including ou=ManagementGroups and ou=ManagementUsers. Use the ldapEntityType element within the ldapRegistry element so that you can find and map only LDAPGroup1 and LDAPGroup2 to IBM Spectrum Control roles.
Tip: Whenever you modify the ldapRegistry element in the LDAP XML template file, verify that the XML file is well formed by opening it in a web browser and checking that it renders without a parse error.
The following is the previous example of the LDAP XML template file, edited to use the ldapEntityType element within the ldapRegistry element. Each ldapEntityType restricts the search for that entity type (Group or PersonAccount) to the listed searchBase subtrees:
<server description="IBM Web Server">
	<ldapRegistry activedFilters="active_dir_server" baseDN="dc=storage,dc=company,dc=com" 
      bindDN="cn=Administrator,cn=users,dc=storage,dc=company,dc=com" bindPassword="password" 
      host="ldap.storage.company.com" id="LDAP1" ignoreCase="true" 
      ldapType="Microsoft Active Directory" 
      port="389" realm="TPCRealm" sslEnabled="false">
	
		<ldapEntityType name="Group">
			<objectClass>group</objectClass>
			<searchBase>ou=MarketingGroups,dc=storage,dc=company,dc=com</searchBase>
			<searchBase>ou=SalesGroups,dc=storage,dc=company,dc=com</searchBase>
		</ldapEntityType>
		
		<ldapEntityType name="PersonAccount">
			<objectClass>user</objectClass>
			<searchBase>ou=MarketingUsers,dc=storage,dc=company,dc=com</searchBase>
			<searchBase>ou=SalesUsers,dc=storage,dc=company,dc=com</searchBase>
		</ldapEntityType>
	
	</ldapRegistry>
	
	<activedLdapFilterProperties groupFilter="(&amp;(cn=%v)(objectcategory=group))" 
       groupIdMap="*:cn" groupMemberIdMap="memberof:member" id="active_dir_server" 
       userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))" 
       userIdMap="user:sAMAccountName"/>
	
	<federatedRepository>
		<primaryRealm allowOpIfRepoDown="true" name="TPCRealm">
			<participatingBaseEntry name="dc=storage,dc=company,dc=com"/>
			<!-- The next two entries must NOT be changed -->  
			<participatingBaseEntry name="o=TPCRealm"/>
			<participatingBaseEntry name="o=OSRealm"/>
		</primaryRealm>
	</federatedRepository>
</server>

When you use the LDAP XML template that implements the ldapEntityType element, you cannot find or map LDAPGroup3 to an IBM Spectrum Control role, because its distinguished name is outside the configured Group searchBase entries, and LDAPUser3, whose distinguished name is outside the PersonAccount searchBase entries, cannot log in. However, you can find and map LDAPGroup1 and LDAPGroup2 to IBM Spectrum Control roles, and LDAPUser1 and LDAPUser2 can log in to IBM Spectrum Control.
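The following added example (not part of the IBM documentation or the product's own code) models how the searchBase entries scope the registry's view of the directory: it reads the ldapEntityType elements from a constructed copy of the ldapRegistry fragment above and checks which of the scenario's distinguished names fall under a configured subtree. It assumes subtree scope and a suffix match on normalised RDNs (case-insensitive, as ignoreCase="true" implies, and tolerant of spaces after commas), and it does not handle escaped commas inside RDN values.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the ldapRegistry fragment from the second template above;
# only the baseDN and the ldapEntityType/searchBase children matter for scoping.
LDAP_REGISTRY_XML = """
<ldapRegistry id="LDAP1" baseDN="dc=storage,dc=company,dc=com" ignoreCase="true">
  <ldapEntityType name="Group">
    <objectClass>group</objectClass>
    <searchBase>ou=MarketingGroups,dc=storage,dc=company,dc=com</searchBase>
    <searchBase>ou=SalesGroups,dc=storage,dc=company,dc=com</searchBase>
  </ldapEntityType>
  <ldapEntityType name="PersonAccount">
    <objectClass>user</objectClass>
    <searchBase>ou=MarketingUsers,dc=storage,dc=company,dc=com</searchBase>
    <searchBase>ou=SalesUsers,dc=storage,dc=company,dc=com</searchBase>
  </ldapEntityType>
</ldapRegistry>
"""


def dn_components(dn):
    """Split a DN into normalised RDNs: 'cn=X, DC=Company' -> ['cn=x', 'dc=company'].
    Simplification: RDN values containing an escaped comma are not supported."""
    return [part.strip().lower() for part in dn.split(",")]


def in_search_base(dn, search_base):
    """True if dn is at or below search_base (subtree scope: the base is a suffix of the DN)."""
    entry, base = dn_components(dn), dn_components(search_base)
    return len(entry) >= len(base) and entry[-len(base):] == base


def load_search_bases(xml_text):
    """Map each ldapEntityType name to its searchBase list.
    With no ldapEntityType elements, the whole baseDN subtree is searched ('*')."""
    root = ET.fromstring(xml_text)
    bases = {et.get("name"): [sb.text.strip() for sb in et.findall("searchBase")]
             for et in root.findall("ldapEntityType")}
    return bases or {"*": [root.get("baseDN")]}


def in_scope(xml_text, entity_type, dns):
    """Return the DNs the registry would find when searching for entity_type
    (for example 'Group' or 'PersonAccount') under the given ldapRegistry XML."""
    bases = load_search_bases(xml_text)
    scopes = bases.get(entity_type) or bases.get("*", [])
    return [dn for dn in dns if any(in_search_base(dn, b) for b in scopes)]
```

Running in_scope with the scenario's three group DNs returns only LDAPGroup1 and LDAPGroup2 under the ldapEntityType configuration, and all three groups when only baseDN is set.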