Adding, removing, and disabling LDAP connections

Guardium® Insights requires a connection to one or more Lightweight Directory Access Protocol (LDAP) servers for user authentication.

Before you begin

To open the settings menu, open the main menu and select Settings. In the settings menu, choose LDAP configuration.

In the LDAP connection page, click Connect an LDAP server, then complete the Add LDAP connection page as follows:

Procedure

  1. Required: Connection name: Specify a name for this LDAP connection. This name distinguishes the connection from other LDAP connections that you create in Guardium Insights.
    Note: This field must be at least 4 characters long and can contain only alphanumeric characters, the hyphen (-), and the underscore (_).
  2. Required: LDAP directory type: Choose the type of LDAP server that you will connect to.
  3. Required: Base distinguished name (DN): Enter the location in the directory tree that is the starting point for user searches (for example, dc=ibm,dc=com).
  4. Optional: Bind distinguished name and Bind distinguished name password: Enter the credentials that are required for authenticating to the LDAP directory. Use a dedicated directory account with read-only search rights for the bind rather than an administrative account.
  5. Required: URL: Enter the LDAP directory host name (or IP address) and port number (for example, ldap://ldapserver.ibm.com:389).
    Note: Over a plain ldap:// URL the bind credentials and query traffic are sent unencrypted. Where the directory and your environment support it, use an ldaps:// URL (port 636 by default).
  6. Optional: Group filter: If desired, enter a group filter to use for searching groups.
  7. Required: User filter: Enter the filter to use for finding users to add. The placeholder %v in the filter is replaced with the name that the user enters at login.
  8. Optional: Group ID map: If desired, enter a Group ID map (this filter maps a group to an LDAP entry).
  9. Required: User ID map: Enter the filter to use for mapping user names to LDAP entries.
  10. Optional: Group member ID map: Enter the filter to use for mapping users to groups.
  11. When all entries are complete, click Save to add the LDAP connection to Guardium Insights.

Example

This example shows the syntax that each field of the LDAP configuration expects. The values are illustrative only; a real bind password must never be recorded in documentation or shared configuration.

  LDAP External Server URL        ldap://guardium.ibm.com:389
  LDAP Base DN                    dc=atlanta,dc=ds,dc=priv
  LDAP port (external)            389
  LDAP Bind distinguished name    cn=admin,dc=atlanta,dc=ds,dc=priv
  LDAP Password                   myldappassword123
  User filter                     (&(uid=%v)(objectclass=inetOrgPerson))
  User ID Map                     *:uid:

With this user filter, a login name of jdoe produces the search (&(uid=jdoe)(objectclass=inetOrgPerson)) under the base DN, so only inetOrgPerson entries whose uid equals the login name are matched.
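The following Python script is an added example, not code from the Guardium Insights product or its documentation. It checks the field rules the procedure above describes (connection name, URL scheme and port) and shows what the example user filter does once a login name is substituted for %v: it renders the filter, parses the small subset of RFC 4515 filter syntax the example uses, and evaluates it against a constructed in-memory directory instead of a live server. The sample entries, the connection name atlanta-ds, and the reading of the User ID map *:uid: as objectclass:attribute are assumptions. The last two calls show why the value substituted for %v must be escaped: an unescaped login name such as *)(uid=* rewrites the filter so that it matches every person entry.

```python
import re
from urllib.parse import urlsplit

# Constructed sample directory (not a real server). Attribute names are
# stored lower-case because LDAP attribute names match case-insensitively.
SAMPLE_DIRECTORY = {
    "uid=jdoe,ou=people,dc=atlanta,dc=ds,dc=priv": {
        "objectclass": ["inetOrgPerson", "top"], "uid": ["jdoe"], "cn": ["Jane Doe"]},
    "uid=svc-backup,ou=service,dc=atlanta,dc=ds,dc=priv": {
        "objectclass": ["account", "top"], "uid": ["svc-backup"]},
    "cn=admin,dc=atlanta,dc=ds,dc=priv": {
        "objectclass": ["inetOrgPerson", "top"], "uid": ["admin"], "cn": ["admin"]},
}

# The settings from the page's example, as the UI fields would hold them
# (the connection name is an assumption).
CONNECTION = {
    "name": "atlanta-ds",
    "url": "ldap://guardium.ibm.com:389",
    "base_dn": "dc=atlanta,dc=ds,dc=priv",
    "bind_dn": "cn=admin,dc=atlanta,dc=ds,dc=priv",
    "user_filter": "(&(uid=%v)(objectclass=inetOrgPerson))",
    "user_id_map": "*:uid:",
}

def valid_connection_name(name):
    """At least 4 characters; only letters, digits, '-' and '_' (rule from the page)."""
    return re.fullmatch(r"[A-Za-z0-9_-]{4,}", name) is not None

def parse_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL, else None.
    A missing port defaults to 389 for ldap and 636 for ldaps."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        return None
    return parts.scheme, parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)

def parse_id_map(id_map):
    """'*:uid:' read as objectclass:attribute (assumption); '*' means any object class."""
    objectclass, attribute = id_map.strip(":").split(":", 1)
    return objectclass, attribute

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def render_user_filter(user_filter, username, escape=True):
    """Substitute the login name for %v; escape=False shows what happens without escaping."""
    return user_filter.replace("%v", escape_filter_value(username) if escape else username)

def parse_filter(s):
    """Parse a minimal RFC 4515 filter (&, |, !, attr=value, attr=*) into a tree."""
    def node(i):
        if s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if s[i] in "&|":
            op, kids, i = s[i], [], i + 1
            while s[i] == "(":
                child, i = node(i)
                kids.append(child)
            return (op, kids), i + 1          # skip the closing ')'
        if s[i] == "!":
            child, i = node(i + 1)
            return ("!", [child]), i + 1
        j = s.index(")", i)                   # an escaped ')' is '\29', so this is the real one
        attr, _, value = s[i:j].partition("=")
        return ("=", attr.lower(), value), j + 1
    tree, end = node(0)
    if end != len(s):
        raise ValueError("trailing data in filter")
    return tree

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _matches(pattern, value):
    # An unescaped '*' is a wildcard; escaped bytes such as \2a are literal characters.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def evaluate(tree, entry):
    op = tree[0]
    if op == "&":
        return all(evaluate(k, entry) for k in tree[1])
    if op == "|":
        return any(evaluate(k, entry) for k in tree[1])
    if op == "!":
        return not evaluate(tree[1][0], entry)
    _, attr, pattern = tree
    return any(_matches(pattern, v) for v in entry.get(attr, []))

def find_user(directory, connection, username, escape=True):
    """DNs under the base DN that match the rendered user filter: what the login lookup sees."""
    tree = parse_filter(render_user_filter(connection["user_filter"], username, escape))
    suffix = connection["base_dn"].lower()
    return sorted(dn for dn, entry in directory.items()
                  if dn.lower().endswith(suffix) and evaluate(tree, entry))

if __name__ == "__main__":
    print(parse_url(CONNECTION["url"]), parse_id_map(CONNECTION["user_id_map"]))
    print(find_user(SAMPLE_DIRECTORY, CONNECTION, "jdoe"))
    print(find_user(SAMPLE_DIRECTORY, CONNECTION, "*)(uid=*", escape=False))  # unescaped: every person
    print(find_user(SAMPLE_DIRECTORY, CONNECTION, "*)(uid=*"))                # escaped: nobody
```

The filter evaluator deliberately covers only the operators that appear in the example; it is a way to reason about what a given user filter will and will not match before saving the connection, not a replacement for testing against the real directory.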

What to do next

After adding an LDAP connection, you can click the menu on the top right of the card and select these actions:
  • Edit: Selecting this opens the Add LDAP connection screens so that you can edit and save the connection's settings.
  • Enable: If the connection is disabled, select this to enable it.
  • Disable: If the connection is enabled, select this to disable it.
  • Delete: Select this to remove the LDAP connection.
Important: When you remove or disable an LDAP connection, any users that were added from that directory are disabled.

After your LDAP connection is saved and enabled, you can add users to Guardium Insights.

Note: The LDAP server that you connect to must have a uid attribute in its schema. If it does not, you must update the ICS (IBM Common Services) config map with an alternative attribute.

For example, for an Active Directory LDAP server, you must specify sAMAccountName as the userName. To change the userName attribute mapping from the default uid to another value such as sAMAccountName, edit the platform-auth-idp config map on your OCP cluster in the namespace where IBM® Common Services is installed. Change the userName field to the desired value. It is located under user in the default object, as shown here: