LDAP configuration

A server that runs the Lightweight Directory Access Protocol (LDAP) can be configured by more than one component on Kubernetes.

Download the sample configuration XML files from the folders on GitHub and modify a file to match your existing LDAP server. Follow the instructions to apply the modified configuration file in your deployment. Options include IBM Security Directory Server and Active Directory.

New in 19.0.3: LDAP configuration parameters

You can find two LDAP configuration sections in the operator custom resource template YAML file, ldap_configuration and ext_ldap_configuration. The ldap_configuration parameters begin with lc_ or xx.lc_ (where xx is the ad or tds sub-section for the directory type), and are shared by all of the components that use an LDAP server. The ext_ldap_configuration parameters are used by IBM Business Automation Navigator and IBM FileNet® Content Manager to list external users (Business Partners) in addition to internal users. Internal users (employees) are listed by the ldap_configuration parameters.

To authenticate an instance of UMS, use the lc_bind_secret parameter in the template YAML file to locate a secret that includes the ldapUsername and ldapPassword keys. Specify the secret name that you create in the lc_bind_secret parameter.

ext_ldap_configuration:
  lc_bind_secret: ldap-bind-secret

The following command shows how to create the ldap-bind-secret secret with the needed user names and passwords.

oc create secret generic ldap-bind-secret \
    --from-literal=gcdDBUsername="db2inst1" --from-literal=gcdDBPassword="<yourDBPassword>" \
    --from-literal=osDBUsername="db2inst1" --from-literal=osDBPassword="<yourDBPassword>" \
    --from-literal=ldapUsername="cn=admin,dc=ibm,dc=edu" --from-literal=ldapPassword="<yourLDAPPassword>" \
    --from-literal=externalLdapUsername="cn=admin,dc=ibm,dc=edu" --from-literal=externalLdapPassword="<yourLDAPPassword>" \
    --from-literal=keystorePassword="Password1" \
    --from-literal=ltpaPassword="Genius1" \
    --from-literal=navigatorDBUsername="db2inst1" --from-literal=navigatorDBPassword="<yourDBPassword>"

Where ldapUsername is the bindDN property of your LDAP server and ldapPassword is the bindPassword property of your LDAP server; both values are stored base64 encoded in the secret.

Tip: Specify the hostname of your LDAP server in the lc_ldap_server parameter. If routes are created automatically, make sure that you set the hostname in the ums_configuration section of your YAML file.

ums_configuration:
   service_type: Ingress
   hostname: <your external UMS host name>.nip.io

Table 1. LDAP configuration (each entry gives the parameter, its description, and example values)

Parameter: lc_selected_ldap_type (Directory service type)
Description: The type of the directory.
Example values: IBM Security Directory Server, Microsoft Active Directory

Parameter: lc_ldap_server (Directory service server hostname)
Description: The hostname must be either the fully qualified domain name or the IP address of your LDAP server.
Example value: openldap

Parameter: lc_ldap_port (Directory service server port number)
Description: The LDAP server host port number.
Example value: 389

Parameter: lc_bind_secret (LDAP bind secret)
Description: User name and password for the bind user. The LDAP bind secret must have ldapUsername and ldapPassword keys.
Example value: ldap-bind-secret

Parameter: lc_ldap_base_dn (LDAP base distinguished name)
Description: The LDAP base distinguished name (DN). The base DN subtree is used when you search for user entries on the LDAP server.
Example value: dc=hqpsidcdom,dc=com

Parameter: lc_ldap_ssl_enabled (SSL access)
Description: Specifies whether SSL is used to access the LDAP server.
Example values: true, false

Parameter: lc_ldap_ssl_secret_name (Secret for SSL access)
Description: Specifies the name of a secret that includes the SSL certificate to use when SSL is used to access the LDAP server.
Example value: ldap-ssl-cert

Parameter: lc_ldap_user_name_attribute (The attribute that identifies the user names of users)
Description: The LDAP attribute that represents the full name of the user.
Example value: *:cn

Parameter: lc_ldap_user_display_name_attr (LDAP user name to display)
Description: The LDAP attribute to display for the full name of the user.
Example value: cn

Parameter: lc_ldap_group_base_dn (LDAP base group distinguished name)
Description: The LDAP group base distinguished name (DN). The base DN subtree is used when you search for group entries on the LDAP server.
Example value: dc=hqpsidcdom,dc=com

Parameter: lc_ldap_group_name_attribute (LDAP group name)
Description: The LDAP attribute that represents the group name.
Example value: *:cn

Parameter: lc_ldap_group_display_name_attr (LDAP group name to display)
Description: The LDAP attribute to display for the full name of the group.
Example value: cn

Parameter: lc_ldap_group_membership_search_filter (LDAP group membership filter)
Description: Search filter for finding group membership.
Example value: (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))

Parameter: lc_ldap_group_member_id_map (Members of an LDAP group)
Description: Identifies the group member.
Example value: groupofnames:member

Parameter: lc_ldap_max_search_results (Maximum search results returned)
Description: Specify a higher value if you expect more search results.
Example value: 4500

Parameter: ad.lc_ad_gc_host (Active Directory server global catalog hostname)
Description: The hostname of the Active Directory Global Catalog.

Parameter: ad.lc_ad_gc_port (Active Directory server global catalog port)
Description: The port of the Active Directory Global Catalog.

Parameter: ad.lc_user_filter (Active Directory server user filter)
Description: Search filter for finding entries in the Active Directory base DN users subtree that match the user name.
Example value: (&(cn=%v)(objectclass=person))

Parameter: ad.lc_group_filter (Active Directory server group filter)
Description: Search filter for finding entries in the Active Directory base DN group subtree that match the group name.
Example value: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))

Parameter: tds.lc_user_filter (IBM Directory Server user filter)
Description: Search filter for finding entries in the IBM Directory Server base DN users subtree that match the user name.
Example value: (&(cn=%v)(objectclass=person))

Parameter: tds.lc_group_filter (IBM Directory Server group filter)
Description: Search filter for finding entries in the IBM Directory Server base DN group subtree that match the group name.
Example value: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))

The following YAML shows an example ldap_configuration section:

ldap_configuration:
    # the candidate value is "IBM Security Directory Server" or "Microsoft Active Directory"
    lc_selected_ldap_type: "IBM Security Directory Server"
    lc_ldap_server: "myhost"
    lc_ldap_port: "389"
    lc_ldap_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_ssl_enabled: false
    lc_ldap_ssl_secret_name: ""
    lc_ldap_user_name_attribute: "*:cn"
    lc_ldap_user_display_name_attr: "cn"
    lc_ldap_group_base_dn: "dc=hqpsidcdom,dc=com"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: "cn"
    lc_ldap_group_membership_search_filter: "(|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0})))"
    lc_ldap_group_member_id_map: "groupofnames:member"
    lc_ldap_max_search_results: 4500
    ad:
      lc_ad_gc_host: ""
      lc_ad_gc_port: ""
      lc_user_filter: "(&(cn=%v)(objectclass=person))"
      lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
    tds:
      lc_user_filter: "(&(cn=%v)(objectclass=person))"
      lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
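As an added example (not code from the IBM documentation or the operator), the following Python check takes a dictionary shaped like the ldap_configuration section above and reports inconsistencies before the custom resource is applied: an unknown directory type, missing required values, SSL enabled without a certificate secret, and user, group or membership filters that lack their placeholder or have unbalanced parentheses. The parameter names are those shown in the YAML; the sample configuration is constructed.

```python
# Added example (not part of the IBM documentation): pre-apply consistency check for the
# ldap_configuration section. SAMPLE_CONFIG is constructed and enables SSL without naming a secret.
LDAP_TYPES = {"IBM Security Directory Server", "Microsoft Active Directory"}
REQUIRED = ("lc_ldap_server", "lc_ldap_port", "lc_bind_secret",
            "lc_ldap_base_dn", "lc_ldap_group_base_dn")

SAMPLE_CONFIG = {  # constructed; mirrors the page's example for Active Directory
    "lc_selected_ldap_type": "Microsoft Active Directory",
    "lc_ldap_server": "myhost", "lc_ldap_port": "636",
    "lc_bind_secret": "ldap-bind-secret",
    "lc_ldap_base_dn": "dc=hqpsidcdom,dc=com",
    "lc_ldap_group_base_dn": "dc=hqpsidcdom,dc=com",
    "lc_ldap_ssl_enabled": True,
    "lc_ldap_ssl_secret_name": "",  # mistake: SSL is on but no secret is named
    "lc_ldap_group_membership_search_filter":
        "(|(&(objectclass=groupofnames)(member={0}))"
        "(&(objectclass=groupofuniquenames)(uniquemember={0})))",
    "ad": {"lc_user_filter": "(&(cn=%v)(objectclass=person))",
           "lc_group_filter": "(&(cn=%v)(objectclass=groupofnames))"},
}

def balanced(filter_text):
    # True when every "(" in an LDAP filter has a matching ")"
    depth = 0
    for ch in filter_text:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0

def validate(cfg):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    if cfg.get("lc_selected_ldap_type") not in LDAP_TYPES:
        problems.append("lc_selected_ldap_type must be one of: " + ", ".join(sorted(LDAP_TYPES)))
    problems += [f"{key} is required" for key in REQUIRED if not cfg.get(key)]
    if cfg.get("lc_ldap_ssl_enabled") and not cfg.get("lc_ldap_ssl_secret_name"):
        problems.append("lc_ldap_ssl_enabled is true but lc_ldap_ssl_secret_name is empty")
    elif not cfg.get("lc_ldap_ssl_enabled"):
        problems.append("lc_ldap_ssl_enabled is false: the bind password crosses the network in clear text")
    member = cfg.get("lc_ldap_group_membership_search_filter", "")
    if "{0}" not in member or not balanced(member):
        problems.append("lc_ldap_group_membership_search_filter needs {0} and balanced parentheses")
    # The operator reads the ad: block for Active Directory and the tds: block for IBM SDS.
    section = "ad" if cfg.get("lc_selected_ldap_type") == "Microsoft Active Directory" else "tds"
    for key in ("lc_user_filter", "lc_group_filter"):
        flt = cfg.get(section, {}).get(key, "")
        if "%v" not in flt or not balanced(flt):
            problems.append(f"{section}.{key} needs %v and balanced parentheses")
    return problems
```

Run validate() on the dictionary produced by loading the YAML section (for example with yaml.safe_load) and apply the custom resource only when it returns an empty list.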

For 19.0.2: LDAP configuration parameters

Table 2. LDAP configuration (each entry gives the parameter, its description, and example values)

Parameter: Directory service server hostname
Description: The hostname must be either the fully qualified domain name or the IP address of your LDAP server.
Example value: openldap

Parameter: Directory service server port number
Description: The LDAP server host port number.
Example value: 389

Parameter: Directory service server bind username
Description: Maps to Name in the LDAP provider. CN is a mandatory property.
Example value: cn=root

Parameter: Directory service server bind user password
Description: The password of the LDAP security authentication user.
Example value: admin

Parameter: Base entry distinguished name (repository)
Description: The base distinguished name (DN) of an LDAP user who is allowed to search the LDAP directory if the LDAP server does not allow anonymous access. The base DN subtree is used when you search for user entries on the LDAP server.
Example values: CN=John Smith,OU=Rochester,DC=cp,DC=com; ou=Rochester,o=IBM

Parameter: Directory service server user filter
Description: Filter for finding entries in the LDAP base DN (users) subtree that match the user name. The following filter searches for entries with a user ID attribute (uid) that matches the user ID used to log in to the system, and looks only at entries within the Person object class:
"(&(uid={0})(objectclass=Person))"
When the match occurs, the {0} placeholder is replaced by the user ID.
Example values: For Active Directory, (&(samAccountName=%v)(objectClass=user)); for IBM Security Directory Server, (&(cn=%v)(objectclass=person))

Parameter: Base group entry distinguished name (repository)
Description: The base DN subtree that is used when you search for group entries on the LDAP server.
Example value: ou=Rochester,o=IBM

Parameter: Directory service server group filter
Description: Filter for finding entries in the LDAP base DN (groups) subtree that match the group name. The following filter searches for entries within the groupOfNames object class that match the group name:
"(&(cn={0})(objectclass=groupOfNames))"
When the match occurs, the {0} placeholder is replaced by the group name.
Example values: For Active Directory, (&(samAccountName=%v)(objectClass=group)); for IBM Security Directory Server, (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))

Parameter: Directory service server user id map
Description: The user id map is a filter that is used to determine the user's Full Name (FN). You can specify the LDAP attribute that you want to display for the full name of the user.
Example values: For Active Directory, userIdMap="user:sAMAccountName"; for IBM Security Directory Server, userIdMap="*:uid"

Parameter: Directory service server group id map
Description: The group id map is a filter that is used to determine the group name.
Example values: For Active Directory, groupIdMap="*:cn"; for IBM Security Directory Server, groupIdMap="*:cn"

Parameter: Directory service server groupMember id map
Description: Identifies the groupMember.
Example values: For Active Directory, groupMemberIdMap=memberOf:member; for IBM Security Directory Server, groupMemberIdMap=groupNames:member

For more information, see Configuring LDAP user registries in Liberty.
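As an added example (not from the IBM documentation or Liberty), the following Python code fills in the {0} and %v placeholders described in both tables, escaping the substituted value as RFC 4515 requires so that parentheses, asterisks or backslashes in a user-supplied name are matched literally instead of changing the structure of the filter. The filter templates are the ones quoted on this page; the user names and DN are constructed.

```python
# Added example (not part of the IBM documentation): placeholder substitution for the
# user, group and membership filters on this page, with RFC 4515 value escaping.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value that will be embedded inside an LDAP search filter."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, value):
    """Replace every {0} (Liberty style) or %v (operator style) placeholder."""
    safe = escape_filter_value(value)
    return template.replace("{0}", safe).replace("%v", safe)

# Filter templates quoted on this page
AD_USER_FILTER = "(&(samAccountName=%v)(objectClass=user))"
TDS_USER_FILTER = "(&(cn=%v)(objectclass=person))"
LIBERTY_GROUP_FILTER = "(&(cn={0})(objectclass=groupOfNames))"
MEMBERSHIP_FILTER = ("(|(&(objectclass=groupofnames)(member={0}))"
                     "(&(objectclass=groupofuniquenames)(uniquemember={0})))")

def membership_filter_for(user_dn):
    # The membership filter takes the user's DN, not the login name
    return render_filter(MEMBERSHIP_FILTER, user_dn)

if __name__ == "__main__":
    print(render_filter(AD_USER_FILTER, "jsmith"))
    print(render_filter(TDS_USER_FILTER, "Smith (IT)"))  # parentheses are escaped
    print(render_filter(LIBERTY_GROUP_FILTER, "admins*"))  # wildcard is escaped
    print(membership_filter_for("cn=John Smith,ou=Rochester,o=IBM"))
```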