Troubleshooting
Problem
This technote discusses an issue that happens when you deploy IBM Cloud Pak for Business Automation on a bare metal Red Hat OpenShift cluster. When you create the Custom Resources for the deployment and use an LDAP user filter that was validated with the ldapsearch Linux tool, lc_user_filter:
"(&(samAccountName={0})(objectClass=user)(!(memberOf=CN=HS.APP.FileNetP8.PRD.Exclude.Dups,OU=Groups,OU=API,OU=Applications,DC=hcgg,DC=fr,DC=co,DC=hennepin,DC=mn,DC=us))(!(msExchMasterAccountSid=*)))"
An error is generated indicating "Invalid input given for LDAP_USERFILTER".
Symptom
Invalid input given for LDAP_USERFILTER when using NOT operator (!)
TASK [Failed to config openldap to IAM]
Cause
The regular expression that IBM Cloud Pak for Business Automation uses to validate the filter does not include the exclamation mark (!) among its allowed characters.
Environment
- Product Version: Cloud Pak for Business Automation 22.0.1
- Cloud Platform: BareMetal
- Red Hat OpenShift 4.11
Diagnosing The Problem
The validation error happens in the function isValid(req, modelInstance, url, cb) from /opt/ibm/identity-mgmt/common/models/validator.js
This function uses regex validation from the /opt/ibm/identitymgmt/common/models/validators/directory.properties:
LDAP_USERFILTER={"min":"1","max":"255","regex":"^[a-zA-Z0-9=;.*\\-_,&%(){}\\s<>|]*$","type":""}
The regular expression:
^[a-zA-Z0-9=;.*\-_,&%(){}\s<>|]*$
does not match the user filter, because the exclamation mark (!) is not in the allowed character class:
(&(samAccountName={0})(objectClass=user)(!(memberOf=CN=HS.APP.FileNetP8.PRD.Exclude.Dups,OU=Groups,OU=API,OU=Applications,DC=hcgg,DC=fr,DC=co,DC=hennepin,DC=mn,DC=us))(!(msExchMasterAccountSid=*)))
Resolving The Problem
This issue happens with IBM Cloud Pak foundational services 3.22.0 and is resolved in the IBM foundational services version 3.23.
If you are using an older version of IBM Cloud Pak foundational services and do not plan to upgrade, this filter can be used as a workaround:
(&(objectClass=user)(samAccountName={0}))
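An added example (not IBM's validator.js) that replays the LDAP_USERFILTER rule quoted above against both filters from this technote and lists the characters the allowlist rejects. parseRule and checkUserFilter are hypothetical helper names.

```javascript
// Added example, not IBM's validator.js: replays the LDAP_USERFILTER rule offline.
// parseRule() and checkUserFilter() are hypothetical helper names.

// Property line exactly as quoted in the technote (String.raw keeps the backslashes).
const PROPERTY_LINE = String.raw`LDAP_USERFILTER={"min":"1","max":"255","regex":"^[a-zA-Z0-9=;.*\\-_,&%(){}\\s<>|]*$","type":""}`;

// Filters quoted in the technote.
const FAILING_FILTER = '(&(samAccountName={0})(objectClass=user)' +
  '(!(memberOf=CN=HS.APP.FileNetP8.PRD.Exclude.Dups,OU=Groups,OU=API,OU=Applications,' +
  'DC=hcgg,DC=fr,DC=co,DC=hennepin,DC=mn,DC=us))(!(msExchMasterAccountSid=*)))';
const WORKAROUND_FILTER = '(&(objectClass=user)(samAccountName={0}))';

// Split "NAME={json}" at the first "=" and compile the rule.
function parseRule(line) {
  const eq = line.indexOf('=');
  const spec = JSON.parse(line.slice(eq + 1));
  return {
    name: line.slice(0, eq),
    min: Number(spec.min),
    max: Number(spec.max),
    regex: new RegExp(spec.regex),
  };
}

// Apply the length bounds and the allowlist regex, and list every character the
// allowlist rejects. The rule has the shape ^[class]*$, so a single character
// passes the whole regex exactly when it is in the class.
function checkUserFilter(rule, filter) {
  const rejected = [];
  [...filter].forEach((char, index) => {
    if (!rule.regex.test(char)) rejected.push({ char, index });
  });
  const lengthOk = filter.length >= rule.min && filter.length <= rule.max;
  return { valid: lengthOk && rule.regex.test(filter), lengthOk, rejected };
}

const rule = parseRule(PROPERTY_LINE);
for (const filter of [FAILING_FILTER, WORKAROUND_FILTER]) {
  const result = checkUserFilter(rule, filter);
  const detail = result.rejected.map((r) => `"${r.char}" at offset ${r.index}`).join(', ');
  console.log(`${result.valid ? 'PASS' : 'FAIL'} ${filter.length} chars ${detail}`);
}
```

The workaround filter passes only because both NOT clauses are gone, so accounts that the original filter excluded (members of the excluded group and entries with msExchMasterAccountSid set) match the filter again.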
Document Location
Worldwide
Product Synonym
IBM Cloud Pak foundational services
Document Information
Modified date:
25 January 2023
UID
ibm16857595