APAR status
Closed as program error.
Error description
When deploying IBM Cloud Pak for Business Automation or IBM Business Automation Workflow on Containers, a custom LDAP filter for user or group searches might not be applied by UMS. Users and groups that the filter should have excluded appear in UMS SCIM, Business Automation Workflow and Business Automation Studio.

PRODUCTS AFFECTED
IBM Business Automation Workflow on Containers
IBM Cloud Pak for Business Automation
Local fix
In your Custom Resource configuration file, add the following custom_xml fragment to both ums_configuration.sso and ums_configuration.scim (the sample shows the scim section) and adjust it to your LDAP settings and search requirements:

ums_configuration:
  scim:
    custom_xml: |
      <server>
        <featureManager>
          <feature>ldapRegistry-3.0</feature>
        </featureManager>
        <ldapRegistry id="LdapConfig" realm="defaultRealm"
                      host="myldap.ibm.com" baseDN="o=ibm,c=us" port="636"
                      ldapType="Microsoft Active Directory"
                      bindDN="${env.LDAP_USER}" bindPassword="${env.LDAP_PASSWORD}"
                      sslEnabled="true" sslRef="LDAPSSL"
                      activedFiltersRef="bogus">
          <loginProperty name="uid" />
          <loginProperty name="mail" />
          <ldapEntityType name="PersonAccount">
            <objectClass>User</objectClass>
            <searchBase>OU=Users,DC=ibm,DC=com</searchBase>
          </ldapEntityType>
          <ldapEntityType name="Group">
            <objectClass>Group</objectClass>
            <searchBase>OU=Groups,DC=ibm,DC=com</searchBase>
            <searchFilter>(|(cn=AAA*)(cn=BBB*))</searchFilter>
          </ldapEntityType>
          <groupProperties>
            <memberAttribute name="uniqueMember" objectClass="groupOfUniqueNames" scope="all"/>
          </groupProperties>
        </ldapRegistry>
      </server>

1. Add the activedFiltersRef attribute to ldapRegistry. It points to a non-existent Active Directory filter element ("bogus") so that the activedFilters element embedded in the original ldapRegistry element in ldap.xml is no longer considered.
2. Introduce ldapEntityType elements for PersonAccount and Group; SCIM uses them to construct its LDAP queries. Set searchBase for each entity type to the subtree that the search for that entity type should cover, and set searchFilter for the Group entity type.
3. Optional: introduce groupProperties to allow searching for the groups of a user. Adjust the member attribute and object class to your directory: the sample uses uniqueMember on groupOfUniqueNames, whereas Active Directory groups use the member attribute on object class group.
4. Optional: introduce loginProperty elements so that the user can sign in with either uid or email.
5. Replace host with the IP address or host name of your LDAP server, and baseDN with the base distinguished name (DN) of the directory service.
6. Apply the configuration:
   oc apply -f <your-cr.yaml>
Problem summary
When deploying IBM Cloud Pak for Business Automation or IBM Business Automation Workflow on Containers, a custom LDAP filter for user or group searches might not be applied by UMS. Users and groups that the filter should have excluded appear in UMS SCIM, Business Automation Workflow and Business Automation Studio.

Sample for Active Directory:

ldap_configuration:
  ad:
    lc_user_filter: "(&(samAccountName=%v)(objectcategory=user))"
    lc_group_filter: "(&(cn=%v)(objectcategory=group)(|(cn=AAA*)(cn=BBB*)))"

APAR Products affected
IBM Business Automation Workflow on Containers
IBM Cloud Pak for Business Automation
Problem conclusion
The CP4BA operator will be updated to inject a different format of LDAP search filter configuration into UMS to ensure that filters are considered for SCIM queries. The updated operator uses new parameters in the custom resource. These parameters must be added to the custom resource to enable the Liberty ldapEntityType configuration instead of the activedFilters or idsFilters configuration.

The new custom resource parameters:

## This section allows to enhance the LDAP configuration for the UMS SCIM capability. If lc_user_filter or lc_group_filter cannot handle a custom LDAP filter for user or group searches, this section should be enabled.
## optional: enables the Liberty ldapEntityType configuration and disables the usage of lc_user_filter, lc_group_filter, lc_ldap_group_member_id_map, lc_ldap_user_name_attribute and lc_ldap_group_name_attribute in the UMS capabilities.
## for detailed information about the ldapEntityType, loginProperty and groupProperties parameters please see the Liberty documentation: https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-ldapregistry
## default is false
ldap_configuration:
  lc_use_ldap_entity_type:
  ## optional: only used if lc_use_ldap_entity_type is true
  ## default is uid
  lc_ldap_login_property:
  ## optional: only used if lc_use_ldap_entity_type is true
  ## the defaults depend on the lc_selected_ldap_type
  lc_ldap_entity_type_user:
    object_class:
    search_base:
    searchfilter:
  ## optional: only used if lc_use_ldap_entity_type is true
  ## the defaults depend on the lc_selected_ldap_type
  lc_ldap_entity_type_group:
    object_class:
    search_base:
    searchfilter:
  ## optional: only used if lc_use_ldap_entity_type is true
  ## the defaults depend on the lc_selected_ldap_type
  lc_ldap_group_properties:
    member_attribute:
      name:
      object_class:
      ## the scope options are: all, direct, nested
      scope:
    membership_attribute:
      name:
      ## the scope options are: all, direct, nested
      scope:
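The following is an added example, not taken from the APAR or from the CP4BA operator samples, of a custom resource fragment that switches UMS SCIM to the ldapEntityType path described above and carries the Active Directory group restriction from the Problem summary (only groups whose cn starts with AAA or BBB). The apiVersion, kind, metadata, host name, base DNs and the exact placement of ldap_configuration under spec are assumptions to be checked against the sample CR of your CP4BA version; the remaining connection settings (server, port, bind secret, SSL) are left out. Attribute and object class names for Active Directory (user, group, member, memberOf, sAMAccountName) are standard AD schema names, not values from the APAR.

```yaml
# Added example (not from the APAR or the operator): CR fragment enabling the
# ldapEntityType configuration for UMS SCIM on Active Directory.
# apiVersion/kind/metadata, host and DNs are assumptions; adjust to your deployment.
apiVersion: icp4a.ibm.com/v1
kind: ICP4ACluster
metadata:
  name: icp4adeploy
  namespace: cp4ba
spec:
  ldap_configuration:
    # Entity type defaults depend on this value (see the parameter list above).
    lc_selected_ldap_type: "Microsoft Active Directory"

    # Existing filters: still used by other capabilities, but once
    # lc_use_ldap_entity_type is true UMS SCIM ignores lc_user_filter and
    # lc_group_filter and uses the entity type settings below instead.
    ad:
      lc_user_filter: "(&(samAccountName=%v)(objectcategory=user))"
      lc_group_filter: "(&(cn=%v)(objectcategory=group)(|(cn=AAA*)(cn=BBB*)))"

    # New parameters introduced by this APAR.
    lc_use_ldap_entity_type: true

    # AD login attribute; the page's default is uid. Because the lc_ldap_*
    # name attributes are disabled for UMS when this section is enabled, the
    # login attribute must be carried here.
    lc_ldap_login_property: sAMAccountName

    lc_ldap_entity_type_user:
      object_class: user
      search_base: "OU=Users,DC=ibm,DC=com"
      searchfilter: "(objectcategory=user)"

    # The group restriction is the searchfilter here, without the %v
    # placeholder: the operator builds the SCIM query from object_class,
    # search_base and searchfilter, so only AAA*/BBB* groups are returned.
    lc_ldap_entity_type_group:
      object_class: group
      search_base: "OU=Groups,DC=ibm,DC=com"
      searchfilter: "(|(cn=AAA*)(cn=BBB*))"

    # Group membership lookups for AD: groups list members in "member",
    # users list their direct groups in "memberOf".
    lc_ldap_group_properties:
      member_attribute:
        name: member
        object_class: group
        scope: all
      membership_attribute:
        name: memberOf
        scope: direct
```

Apply it with oc apply -f <your-cr.yaml> and wait for the operator to reconcile. To confirm the fix took effect, list groups through the UMS SCIM group resource and check that groups outside the AAA*/BBB* prefixes no longer appear there, in Business Automation Workflow or in Business Automation Studio; if they still do, the entity type section is not being honoured and the custom_xml workaround from Local fix still applies.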
Temporary fix
Not applicable
Comments
APAR Information
APAR number
JR63604
Reported component name
CLOUD PAK FOR A
Reported component ID
5737I2300
Reported release
K00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-04-27
Closed date
2021-09-30
Last modified date
2021-09-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
CLOUD PAK FOR A
Fixed component ID
5737I2300
Applicable component levels
Business Unit: BU059 (IBM Software w/o TPS)
Product: SSBYVB (IBM Cloud Pak for Business Automation)
Platform: PF025 (Platform Independent)
Version: K00
Line of Business: LOB45 (Automation)
Document Information
Modified date:
11 March 2022