Updating the SCIM LDAP attribute mapping
You can update the SCIM LDAP attribute mapping.
To support the SCIM API for an LDAP connection that is configured in IBM Cloud Platform foundational services, you can update the SCIM_LDAP_ATTRIBUTES_MAPPING data in any of the following ways:
- Use the SCIM configuration for the LDAP connection. For more information, see SCIM configuration by using the IBM WebSphere Automation user interface.
- Use the attributemapping API (IBM Cloud Platform foundational services version 3.11.0 or later).
- Use the platform-auth-idp configmap.
Note: Use of the configmap is deprecated as of IBM Cloud Platform foundational services version 3.17.0 and might be removed in a future release.
Updating by using the attributemapping API
To use the attributemapping API, you must add an Authorization header to each request, and that header must carry an access token. To obtain an access token, see Preparing to run component or management API commands.
Procedure
Note: The members and objectClass attributes do not take custom SCIM attribute values into account. Use the LDAP filter values of these attributes to map the data.
1. Check the existing attribute mappings with the following API call:
```
curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings"
```
The response is similar to the following code:
```
[{"idp_id":"default","idp_type":"ldap","user":{"id":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","emails":"mail","created":"createTimestamp","lastModified":"modifyTimestamp","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}]
```
2. Create an attribute mapping with your mapping data by using the following API call.
Note: If you already have an attribute mapping, do not create another one. You can skip this step.
```
export DATA='{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}'
```
A sample curl command is similar to the following code:
```
curl -sk -X POST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" -d "$DATA" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings"
```
The response is similar to the following code:
```
{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}
```
3. Update an existing attribute mapping with your mapping data by using the following API call. Set IDP_ID to the idp_id of the mapping that you want to update; the quoting below lets the shell expand it inside the JSON body.
```
export DATA='{"idp_id":"'"$IDP_ID"'","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}'
```
A sample curl command is similar to the following code:
```
curl -sk -X PUT --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" -d "$DATA" "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
```
The response is similar to the following code:
```
{"idp_id":"test","idp_type":"ldap","user":{"id_test":"dn","userName":"uid","principalName":"uid","displayName":"cn","givenName":"cn","familyName":"sn","fullName":"cn","externalId":"dn","phoneNumbers":[{"value":"mobile","type":"mobile"},{"value":"telephoneNumber","type":"work"}],"objectClass":"person","groups":"memberOf"},"group":{"id":"dn","name":"cn","principalName":"cn","displayName":"cn","externalId":"dn","created":"createTimestamp","lastModified":"modifyTimestamp","objectClass":"groupOfUniqueNames","members":"uniqueMember"}}
```
4. Delete an existing attribute mapping by using the following API call:
```
curl -sk -X DELETE --header "Authorization: Bearer $ACCESS_TOKEN" \
  --header "Content-Type: application/json" \
  "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
```
The response is similar to the following code:
```
{"count":1}
```
Updating by using the platform-auth-idp configmap
You can update the SCIM_LDAP_ATTRIBUTES_MAPPING data in the platform-auth-idp configmap to support the SCIM API for an LDAP connection that is configured in IBM Cloud Platform foundational services.
Currently, the platform-auth-idp configmap contains the following default configuration. Within this configuration, default is the default name. The configuration also has two sets of mapping data, one for each of the user and group SCIM resources.
In each data set, the key is the SCIM attribute name and the value is the LDAP attribute name, for example "userName": "uid". See the following parameter description:
- userName is the SCIM attribute name.
- uid is the LDAP attribute name.
Default configuration
```
{
  "default": {
    "user": {
      "id": "dn",
      "userName": "uid",
      "principalName": "uid",
      "displayName": "cn",
      "givenName": "cn",
      "familyName": "sn",
      "fullName": "cn",
      "externalId": "dn",
      "emails": "mail",
      "created": "createTimestamp",
      "lastModified": "modifyTimestamp",
      "phoneNumbers": [{
          "value": "mobile",
          "type": "mobile"
        },
        {
          "value": "telephoneNumber",
          "type": "work"
        }],
      "objectClass": "person",
      "groups": "memberOf"
    },
    "group": {
      "id": "dn",
      "name": "cn",
      "principalName": "cn",
      "displayName": "cn",
      "externalId": "dn",
      "created": "createTimestamp",
      "lastModified": "modifyTimestamp",
      "objectClass": "groupOfUniqueNames",
      "members": "uniqueMember"
    }
  }
}
```
You can customize the configuration to meet the requirements of the configured LDAP connection. You then build a similar mapping for your LDAP server and append it to the SCIM_LDAP_ATTRIBUTES_MAPPING data in the platform-auth-idp configmap.
For example, in a configured MSAD LDAP connection you might use pmsad as the Connection name. You then use pmsad as the configuration key and build the mapping data as shown in the following code example. Then, you append the mapping data to the configmap data. For information about the attributes, see LDAP attributes.
```
"pmsad": {
  "user": {
    "id": "dn",
    "userName": "sAMAccountName",
    "principalName": "sAMAccountName",
    "displayName": "displayName",
    "givenName": "givenName",
    "familyName": "sn",
    "fullName": "cn",
    "externalId": "dn",
    "emails": "mail",
    "created": "whenCreated",
    "lastModified": "whenChanged",
    "phoneNumbers": [{
        "value": "mobile",
        "type": "mobile"
      },
      {
        "value": "telephoneNumber",
        "type": "work"
      }],
    "objectClass": "person",
    "groups": "memberOf"
  },
  "group": {
    "id": "dn",
    "name": "cn",
    "principalName": "cn",
    "displayName": "cn",
    "externalId": "dn",
    "created": "whenCreated",
    "lastModified": "whenChanged",
    "objectClass": "group",
    "members": "member"
  }
}
```
Procedure
Update your configmap by using the CLI. Run the following commands:
1. Edit the platform-auth-idp configmap.
```
oc -n ibm-common-services edit configmap platform-auth-idp
```
2. Go to the SCIM_LDAP_ATTRIBUTES_MAPPING attribute value and append your mapping data to the existing value. Make sure that you add a comma (,) after the previous entry in the JSON. For IBM Cloud Platform foundational services version 3.11.0, set the ATTR_MAPPING_FROM_CONFIG attribute value to true. Save and exit.
3. Check the updated data in the platform-auth-idp configmap. The output is similar to the following code.
```
oc -n ibm-common-services get configmap platform-auth-idp -o yaml | grep -A50 SCIM_LDAP_ATTRIBUTES_MAPPING
```
```
...
{
  "default": {
    "user": {
      "id": "dn",
      "userName": "uid",
      "principalName": "uid",
      "displayName": "cn",
      "givenName": "cn",
      "familyName": "sn",
      "fullName": "cn",
      "externalId": "dn",
      "emails": "mail",
      "created": "createTimestamp",
      "lastModified": "modifyTimestamp",
      "phoneNumbers": [{
          "value": "mobile",
          "type": "mobile"
        },
        {
          "value": "telephoneNumber",
          "type": "work"
        }],
      "objectClass": "person",
      "groups": "memberOf"
    },
    "group": {
      "id": "dn",
      "name": "cn",
      "principalName": "cn",
      "displayName": "cn",
      "externalId": "dn",
      "created": "createTimestamp",
      "lastModified": "modifyTimestamp",
      "objectClass": "groupOfUniqueNames",
      "members": "uniqueMember"
    }
  },
  "pmsad": {
    "user": {
      "id": "dn",
      "userName": "sAMAccountName",
      "principalName": "sAMAccountName",
      "displayName": "displayName",
      "givenName": "givenName",
      "familyName": "sn",
      "fullName": "cn",
      "externalId": "dn",
      "emails": "mail",
      "created": "whenCreated",
      "lastModified": "whenChanged",
      "phoneNumbers": [{
          "value": "mobile",
          "type": "mobile"
        },
        {
          "value": "telephoneNumber",
          "type": "work"
        }],
      "objectClass": "person",
      "groups": "memberOf"
    },
    "group": {
      "id": "dn",
      "name": "cn",
      "principalName": "cn",
      "displayName": "cn",
      "externalId": "dn",
      "created": "whenCreated",
      "lastModified": "whenChanged",
      "objectClass": "group",
      "members": "member"
    }
  }
}
```
Note: Make sure that the complete data is valid JSON.
4. Restart the auth-idp pod.
```
oc -n ibm-common-services delete pod -l k8s-app=auth-idp
```
Wait a moment, then check the status of the auth-idp pods. The status must show 4/4 Running for all pods.
```
oc -n ibm-common-services get pods | grep auth-idp
```
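The following Python is an added example, not IBM's code: it merges a new IdP mapping such as pmsad into an existing SCIM_LDAP_ATTRIBUTES_MAPPING value and rejects a duplicate key or a malformed mapping before anything is written to the configmap, which is the check you want before the auth-idp restart in step 4; validate_mapping works equally on the user and group part of an attributemapping API request body. The EXISTING and PMSAD values are constructed samples that follow the attribute names on this page.

```python
import json

# Added example (not IBM's code): merge one IdP mapping into an existing
# SCIM_LDAP_ATTRIBUTES_MAPPING value and check its shape before it is applied.
# Attribute names follow this page; EXISTING and PMSAD are constructed samples.
USER_REQUIRED = {"id", "userName", "principalName", "displayName", "givenName",
                 "familyName", "externalId", "objectClass", "groups"}
GROUP_REQUIRED = {"id", "name", "displayName", "externalId", "objectClass", "members"}
EXISTING = json.dumps({"default": {
    "user": {"id": "dn", "userName": "uid", "principalName": "uid", "displayName": "cn",
             "givenName": "cn", "familyName": "sn", "externalId": "dn",
             "objectClass": "person", "groups": "memberOf"},
    "group": {"id": "dn", "name": "cn", "displayName": "cn", "externalId": "dn",
              "objectClass": "groupOfUniqueNames", "members": "uniqueMember"}}})
PMSAD = {
    "user": {"id": "dn", "userName": "sAMAccountName", "principalName": "sAMAccountName",
             "displayName": "displayName", "givenName": "givenName", "familyName": "sn",
             "externalId": "dn", "emails": "mail", "objectClass": "person", "groups": "memberOf",
             "phoneNumbers": [{"value": "mobile", "type": "mobile"}]},
    "group": {"id": "dn", "name": "cn", "displayName": "cn", "externalId": "dn",
              "objectClass": "group", "members": "member"}}


def validate_mapping(mapping):
    """Return the problems found in one IdP mapping ({"user": {...}, "group": {...}})."""
    problems = []
    for resource, required in (("user", USER_REQUIRED), ("group", GROUP_REQUIRED)):
        attrs = mapping.get(resource) or {}  # a missing resource reports every key as missing
        problems += [f"{resource}.{k}: missing" for k in sorted(required - set(attrs))]
        for key, value in attrs.items():
            if key == "phoneNumbers":  # list of {"value": <ldap attr>, "type": <label>}
                ok = isinstance(value, list) and all(
                    isinstance(p, dict) and {"value", "type"}.issubset(p) for p in value)
            else:  # every other value names exactly one LDAP attribute
                ok = isinstance(value, str) and value != ""
            if not ok:
                problems.append(f"{resource}.{key}: must name an LDAP attribute")
    return problems


def merge_mapping(existing_text, idp_name, mapping):
    """Append mapping under idp_name; return the new configmap value as JSON text."""
    data = json.loads(existing_text)  # raises ValueError if the current value is already broken
    if idp_name in data:  # a second key with the same name would silently replace the first
        raise ValueError(f"mapping for {idp_name!r} already exists; update it instead")
    problems = validate_mapping(mapping)
    if problems:  # never hand auth-idp a mapping it cannot use after the restart
        raise ValueError("; ".join(problems))
    data[idp_name] = mapping
    return json.dumps(data, indent=2)
```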
Note: By default, the LDAP connection configuration takes the following mapping values into account for the SCIM API.
| LDAP connection attribute | SCIM object | SCIM attribute |
|---|---|---|
| LDAP_USERIDMAP | user | userName |
| LDAP_USERFILTER | user | objectClass |
| LDAP_GROUPIDMAP | group | name |
| LDAP_GROUPFILTER | group | objectClass |
| LDAP_GROUPMEMBERIDMAP | group | members |
Note: If an LDAP connection attribute is configured with more than one expression, only the first configured value is taken into account.
LDAP attributes
To look up the attributes in your LDAP directory, you can use the ldapsearch tool or any LDAP browser, such as Apache Directory Studio.
Installing the ldapsearch tool
On Ubuntu, run the following command:
```
sudo apt-get install ldap-utils
```
On Red Hat Enterprise Linux, run the following command:
```
sudo yum install openldap-clients
```
The following examples show the ldapsearch command structure and sample output.
Users
Command:
```
ldapsearch -x -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -W -s sub "(sAMAccountName=pavann)" "*" "+"
```
Output:
```
# extended LDIF
#
# LDAPv3
# base <DC=ibmtest,DC=com> with scope subtree
# filter: (sAMAccountName=pava)
# requesting: * +
#
# Tom Northwood, Users, ibmtest.com
dn: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tom Northwood
givenName: Tom Northwood
distinguishedName: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
instanceType: 4
whenCreated: 20180802104118.0Z
whenChanged: 20210305115346.0Z
displayName: Tom Northwood
uSNCreated: 13356
memberOf: CN=group9,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group8,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group7,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group6,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group5,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group4,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group3,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group2,CN=Users,DC=ibmtest,DC=com
memberOf: CN=group1,CN=Users,DC=ibmtest,DC=com
memberOf: CN=security,CN=Users,DC=ibmtest,DC=com
uSNChanged: 145644
name: Tom Northwood
objectGUID:: pVKE4qv5MEyqxjQ3nUvsWA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132285264754362226
lastLogoff: 0
lastLogon: 132285264944206361
pwdLastSet: 131776804917936927
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAr/FodBO+7uVBDhlaXAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pavann
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ibmtest,DC=com
dSCorePropagationData: 20180802104118.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132594188266767176
# search reference
ref: ldap://ForestDnsZones.ibmtest.com/DC=ForestDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://DomainDnsZones.ibmtest.com/DC=DomainDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
```
Groups
Command:
```
ldapsearch -x -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -W -s sub "(cn=security)" "*" "+"
```
Output:
```
# extended LDIF
#
# LDAPv3
# base <DC=ibmtest,DC=com> with scope subtree
# filter: (cn=security)
# requesting: * +
#
# security, Users, ibmtest.com
dn: CN=security,CN=Users,DC=ibmtest,DC=com
objectClass: top
objectClass: group
cn: security
member: CN=Neil Wilson,CN=Users,DC=ibmtest,DC=com
member: CN=John Winston,CN=Users,DC=ibmtest,DC=com
member: CN=Jeff Rodrigue,CN=Users,DC=ibmtest,DC=com
member: CN=Kane Shatner,CN=Users,DC=ibmtest,DC=com
member: CN=Anna Reynolds,CN=Users,DC=ibmtest,DC=com
member: CN=Gessie Lemson,CN=Users,DC=ibmtest,DC=com
member: CN=Lauri Williamson,CN=Users,DC=ibmtest,DC=com
member: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
distinguishedName: CN=security,CN=Users,DC=ibmtest,DC=com
instanceType: 4
whenCreated: 20180802103445.0Z
whenChanged: 20180802105558.0Z
uSNCreated: 13330
memberOf: CN=isl,CN=Users,DC=ibmtest,DC=com
uSNChanged: 13455
name: security
objectGUID:: UPoQ3uNfVk+fHn1W1b5KUg==
objectSid:: AQUAAAAAAAUVAAAAr/FodBO+7uVBDhlaWAQAAA==
sAMAccountName: security
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ibmtest,DC=com
dSCorePropagationData: 16010101000000.0Z
# search reference
ref: ldap://ForestDnsZones.ibmtest.com/DC=ForestDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://DomainDnsZones.ibmtest.com/DC=DomainDnsZones,DC=ibmtest,DC=com
# search reference
ref: ldap://ibmtest.com/CN=Configuration,DC=ibmtest,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
```
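The following Python is an added example, not IBM's code: it parses the LDIF that ldapsearch prints (handling base64 `::` values and wrapped continuation lines) and reports which LDAP attributes a mapping such as pmsad refers to that the returned entry does not carry, which is the check to run before the mapping goes into the configmap. SAMPLE_LDIF is a constructed, shortened version of the two outputs above, and PMSAD is a trimmed copy of the mapping from this page.

```python
import base64

# Added example (not IBM's code): parse ldapsearch LDIF output and report the LDAP
# attributes an IdP mapping names that a sample entry lacks. SAMPLE_LDIF is constructed.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=com
objectClass: user
cn: Tom Northwood
sn: Northwood
whenCreated: 20180802104118.0Z
memberOf: CN=security,CN=Users,DC=ibmtest,DC=com
objectGUID:: pVKE4qv5MEyqxjQ3nUvsWA==
sAMAccountName: pavann

dn: CN=security,CN=Users,DC=ibmtest,DC=com
objectClass: group
cn: security
member: CN=Tom Northwood,CN=Users,DC=ibmtest,DC=co
 m
whenCreated: 20180802103445.0Z
"""
PMSAD = {"user": {"id": "dn", "userName": "sAMAccountName", "familyName": "sn", "emails": "mail",
                  "created": "whenCreated", "objectClass": "person", "groups": "memberOf"},
         "group": {"id": "dn", "name": "cn", "objectClass": "group", "members": "member"}}


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}; '::' values are base64 and are decoded to bytes."""
    entries = {}
    for block in text.split("\n\n"):                        # a blank line separates entries
        attrs = {}
        for item in block.replace("\n ", "").splitlines():  # "\n " joins a wrapped line
            if not item or item.startswith("#"):            # comments are not attributes
                continue
            name, _, rest = item.partition(":")
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            attrs.setdefault(name, []).append(value)
        if "dn" in attrs:                                   # skip comment-only blocks
            entries[attrs["dn"][0]] = attrs
    return entries


def missing_attributes(mapping, entry, resource):
    """LDAP attribute names the `resource` mapping uses that the parsed entry does not carry."""
    wanted = set()
    for key, value in mapping[resource].items():
        if key == "objectClass":  # its value is a class from the LDAP filter, not an attribute
            continue
        wanted.update([p["value"] for p in value] if key == "phoneNumbers" else [value])
    return sorted(wanted - set(entry))
```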
IBM Cloud attributes
To search for IBM Cloud users in SCIM, you can define custom attributes as shown in the following code example. By default, these attributes are not defined.
```
"IBMCloud": {
  "user": {
    "id": "userId",
    "userName": "userId",
    "principalName": "userId",
    "displayName": "firstName",
    "emails": "email",
    "familyName": "lastName",
    "givenName": "firstName",
    "externalId": "userId"
  }
}
```