LDAP configuration
A server that runs the Lightweight Directory Access Protocol (LDAP) can be configured by more than one component on Kubernetes.
Download the sample configuration XML files from the folders on GitHub and modify a file to match your existing LDAP server. Follow the instructions to apply the modified configuration file in your deployment. Options include IBM Security Directory Server and Active Directory.
New in 19.0.3 LDAP configuration parameters
You can find two LDAP configuration sections in the operator custom resource template YAML file, ldap_configuration and ext_ldap_configuration. The ldap_configuration parameters begin with lc_ or xx.lc_ (where xx is the directory-type prefix, ad or tds), and are shared by all of the components that use an LDAP. The ext_ldap_configuration parameters are used by IBM Business Automation Navigator and IBM FileNet® Content Manager to list external users (Business Partners) in addition to internal users. Internal users (employees) are listed in the ldap_configuration parameters.
To authenticate an instance of UMS, use the lc_bind_secret parameter in the template YAML file to locate a secret that includes the ldapUsername and ldapPassword keys. Specify the name of the secret that you create in the lc_bind_secret parameter.
ext_ldap_configuration:
  lc_bind_secret: ldap-bind-secret
The following command shows how to create the ldap-bind-secret secret with the needed user names and passwords.
oc create secret generic ldap-bind-secret \
  --from-literal=gcdDBUsername="db2inst1" --from-literal=gcdDBPassword="<yourDBPassword>" \
  --from-literal=osDBUsername="db2inst1" --from-literal=osDBPassword="<yourDBPassword>" \
  --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" --from-literal=ldapPassword="<yourLDAPPassword>" \
  --from-literal=externalLdapUsername="cn=admin,dc=ibm,dc=edu" --from-literal=externalLdapPassword="<yourLDAPPassword>" \
  --from-literal=keystorePassword="Password1" \
  --from-literal=ltpaPassword="Genius1" \
  --from-literal=navigatorDBUsername="db2inst1" --from-literal=navigatorDBPassword="<yourDBPassword>"
Where ldapUsername is the bindDN property of your LDAP server and ldapPassword is its bindPassword property; both are stored base64 encoded in the secret (oc create secret with --from-literal accepts the plain-text values and encodes them for you).
The following YAML shows the ums_configuration section of your YAML file:
ums_configuration:
  service_type: Ingress
  hostname: <your external UMS host name>.nip.io
Parameters | Description | Example values |
---|---|---|
Directory service type (lc_selected_ldap_type) | The type of the directory. | IBM Security Directory Server, Microsoft Active Directory |
Directory service server hostname (lc_ldap_server) | The hostname must be either the fully qualified domain name or IP address of your LDAP server. | openldap |
Directory service server port number (lc_ldap_port) | The LDAP server host port number. | 389 |
LDAP bind secret (lc_bind_secret) | User name and password for the bind user. The LDAP bind secret must have ldapUsername and ldapPassword keys. | ldap-bind-secret |
LDAP base distinguished name (lc_ldap_base_dn) | The LDAP base distinguished name (DN). The base DN subtree is used when you search for user entries on the LDAP server. | dc=hqpsidcdom,dc=com |
SSL access (lc_ldap_ssl_enabled) | Specifies whether SSL is used to access the LDAP server. | true, false |
Secret for SSL access (lc_ldap_ssl_secret_name) | Specifies the name of a secret that includes the SSL certificate to use when SSL is used to access the LDAP server. | ldap-ssl-cert |
The attribute that identifies the usernames of users (lc_ldap_user_name_attribute) | The LDAP attribute that represents the full name of the user. | *:cn |
LDAP username to display (lc_ldap_user_display_name_attr) | The LDAP attribute to display for the full name of the user. | cn |
LDAP base group distinguished name (lc_ldap_group_base_dn) | The LDAP group base distinguished name (DN). The base DN subtree is used when you search for group entries on the LDAP server. | dc=hqpsidcdom,dc=com |
LDAP group name (lc_ldap_group_name_attribute) | The LDAP attribute that represents the group name. | *:cn |
LDAP group name to display (lc_ldap_group_display_name_attr) | The LDAP attribute to display for the full name of the group. | cn |
LDAP group membership filter (lc_ldap_group_membership_search_filter) | Search filter for finding group membership. | (\|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0}))) |
Members of an LDAP group (lc_ldap_group_member_id_map) | Identifies the group member. | groupofnames:member |
Maximum search results returned (lc_ldap_max_search_results) | Specify a higher value if you expect more search results. | 4500 |
Active Directory server global catalog hostname (ad.lc_ad_gc_host) | The hostname of the Active Directory Global Catalog. | |
Active Directory server global catalog port (ad.lc_ad_gc_port) | The port of the Active Directory Global Catalog. | |
Active Directory server user filter (ad.lc_user_filter) | Search filter for finding entries in the Active Directory base DN users subtree that match the username. | (&(cn=%v)(objectclass=person)) |
Active Directory server group filter (ad.lc_group_filter) | Search filter for finding entries in the Active Directory base DN group subtree that match the group name. | (&(cn=%v)(\|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))) |
IBM Directory Server user filter (tds.lc_user_filter) | Search filter for finding entries in the IBM Directory Server base DN users subtree that match the username. | (&(cn=%v)(objectclass=person)) |
IBM Directory Server group filter (tds.lc_group_filter) | Search filter for finding entries in the IBM Directory Server base DN group subtree that match the group name. | (&(cn=%v)(\|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))) |
The following YAML shows an example ldap_configuration section:
ldap_configuration:
  # the candidate value is "IBM Security Directory Server" or "Microsoft Active Directory"
  lc_selected_ldap_type: "IBM Security Directory Server"
  lc_ldap_server: "myhost"
  lc_ldap_port: "389"
  lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
  lc_ldap_ssl_enabled: false
  lc_ldap_ssl_secret_name: ""
  lc_ldap_user_name_attribute: "*:cn"
  lc_ldap_user_display_name_attr: "cn"
  lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
  lc_ldap_group_name_attribute: "*:cn"
  lc_ldap_group_display_name_attr: "cn"
  lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
  lc_ldap_group_member_id_map: "groupofnames:member"
  lc_ldap_max_search_results: 4500
  ad:
    lc_ad_gc_host: ""
    lc_ad_gc_port: ""
    lc_user_filter: "(&(cn=%v)(objectclass=person))"
    lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
  tds:
    lc_user_filter: "(&(cn=%v)(objectclass=person))"
    lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
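Before applying the CR, a few of the dependencies between these parameters can be checked offline: the bind secret must carry the ldapUsername and ldapPassword keys, an enabled lc_ldap_ssl_enabled needs a non-empty lc_ldap_ssl_secret_name, the filters in the sub-section selected by lc_selected_ldap_type must keep their %v placeholder, and the membership filter its {0}. The following is an added example (not IBM's or the operator's code) that performs those checks on the section and secret key names constructed inline as Python dicts mirroring the YAML above; the check functions and TYPE_SECTION mapping are this example's own.

```python
# Constructed sample mirroring the example ldap_configuration section above.
LDAP_CONFIGURATION = {
    "lc_selected_ldap_type": "IBM Security Directory Server",
    "lc_ldap_port": "389",
    "lc_bind_secret": "ldap-bind-secret",
    "lc_ldap_ssl_enabled": False,
    "lc_ldap_ssl_secret_name": "",
    "lc_ldap_group_membership_search_filter":
        "(|(&(objectclass=groupofnames)(member={0}))"
        "(&(objectclass=groupofuniquenames)(uniquemember={0})))",
    "tds": {
        "lc_user_filter": "(&(cn=%v)(objectclass=person))",
        "lc_group_filter": "(&(cn=%v)(|(objectclass=groupofnames)"
                           "(objectclass=groupofuniquenames)(objectclass=groupofurls)))",
    },
}
# Constructed sample: data keys present in the ldap-bind-secret Secret.
BIND_SECRET_KEYS = {"ldapUsername", "ldapPassword"}
# The directory type selects which sub-section's filters are used (hypothetical helper map).
TYPE_SECTION = {"IBM Security Directory Server": "tds", "Microsoft Active Directory": "ad"}

def balanced(ldap_filter):
    """True if every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

def validate_ldap_configuration(cfg, secret_keys):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    if not {"ldapUsername", "ldapPassword"} <= set(secret_keys):
        problems.append("bind secret must carry the ldapUsername and ldapPassword keys")
    if cfg.get("lc_ldap_ssl_enabled") and not cfg.get("lc_ldap_ssl_secret_name"):
        problems.append("lc_ldap_ssl_enabled is true but lc_ldap_ssl_secret_name is empty")
    membership = cfg.get("lc_ldap_group_membership_search_filter", "")
    if "{0}" not in membership or not balanced(membership):
        problems.append("membership filter needs a {0} placeholder and balanced parentheses")
    section = TYPE_SECTION.get(cfg.get("lc_selected_ldap_type"))
    if section is None:
        problems.append("lc_selected_ldap_type is not one of the supported directory types")
        return problems
    for key in ("lc_user_filter", "lc_group_filter"):
        f = cfg.get(section, {}).get(key, "")
        if "%v" not in f or not balanced(f):
            problems.append(f"{section}.{key} needs a %v placeholder and balanced parentheses")
    return problems
```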
For 19.0.2 LDAP configuration parameters
Parameters | Description | Example values |
---|---|---|
Directory service server hostname | The hostname must be either the fully qualified domain name or IP address of your LDAP server. | openldap |
Directory service server port number | The LDAP server host port number. | 389 |
Directory service server bind username | Maps to Name in the LDAP provider. CN is a mandatory property. | cn=root |
Directory service server bind user password | The password of the LDAP security authentication user. | admin |
Base entry distinguished name (repository) | The base distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access. The base DN subtree is used when you search for user entries on the LDAP server. | ou=Rochester,o=IBM |
Directory service server user filter | Filter for finding entries in the LDAP base DN (users) subtree that match the username. The following filter searches for entries with a user ID attribute (uid) that matches the user ID used to log in to the system. This filter looks for entries within the Person object class. When the match occurs, the {0} placeholder is replaced by the user ID. | For Active Directory: (&(samAccountName=%v)(objectClass=user)). For IBM Security Directory Server: (&(cn=%v)(objectclass=person)) |
Base group entry distinguished name (repository) | The base DN subtree that is used when you search for group entries on the LDAP server. | ou=Rochester,o=IBM |
Directory service server group filter | Filter for finding entries in the LDAP base DN (groups) subtree that match the group name. The following filter searches for entries within the groupOfNames object class that match the group name. When the match occurs, the | For Active Directory: (&(samAccountName=%v)(objectClass=group)). For IBM Security Directory Server: (&(cn=%v)(\|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))) |
Directory service server user id map | The user id map is a filter that is used to determine the user's Full Name (FN). You can specify the LDAP attribute that you want to display for the full name of the user. | For Active Directory: userIdMap="user:sAMAccountName". For IBM Security Directory Server: userIdMap="*:uid" |
Directory service server group id map | The group id map is a filter that is used to determine the group name. | For Active Directory: groupIdMap="*:cn". For IBM Security Directory Server: groupIdMap="*:cn" |
Directory service server groupMember id map | Identifies the groupMember. | For Active Directory: groupMemberIdMap=memberOf:member (for more information, see Configuring LDAP user registries in Liberty). For IBM Security Directory Server: groupMemberIdMap=groupNames:member |
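The user and group filters above are templates: at login the registry replaces the placeholder (%v, or {0} in the membership filter) with the name being looked up. Because the substituted value lands inside an RFC 4515 filter, the special characters `\ * ( )` and NUL must be escaped as `\XX` first, or a name containing them changes the structure of the filter. The following is an added example (not Liberty's or IBM's code) that renders the page's filter templates this way; escape_filter_value and render_filter are this example's own helpers, and the templates are copied from the table.

```python
# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a name so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, name, placeholder="%v"):
    """Substitute the escaped name for the placeholder ('%v' or '{0}') in a filter template."""
    if placeholder not in template:
        raise ValueError(f"template has no {placeholder} placeholder: {template}")
    return template.replace(placeholder, escape_filter_value(name))

# Filter templates copied from the 19.0.2 table above.
TDS_USER_FILTER = "(&(cn=%v)(objectclass=person))"
AD_USER_FILTER = "(&(samAccountName=%v)(objectClass=user))"
AD_GROUP_FILTER = "(&(samAccountName=%v)(objectClass=group))"
MEMBERSHIP_FILTER = ("(|(&(objectclass=groupofnames)(member={0}))"
                     "(&(objectclass=groupofuniquenames)(uniquemember={0})))")

def filters_for_login(user_id, user_dn):
    """Render the user lookup and the membership lookup for one login (constructed inputs)."""
    return {
        "user": render_filter(TDS_USER_FILTER, user_id),
        "membership": render_filter(MEMBERSHIP_FILTER, user_dn, "{0}"),
    }
```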