IBM Security Verify Governance Adapter 10.0.7 for LDAP is available. Compatibility, installation, and other getting-started issues are addressed.
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance manuals were printed:
The IBM Security Verify Governance Adapter for LDAP is designed to create and manage LDAP accounts. The adapter runs in agentless mode and is preconfigured to manage the inetOrgPerson schema on IBM Security Directory Server, Oracle Directory Servers and OpenLDAP. However, the adapter can be configured to manage other directories. The LDAP Customization White Paper, packaged with this adapter, contains information about customizing the IBM Security Verify Governance Adapter for LDAP.
IBM Security Verify Governance Server adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Security Verify Governance Server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.
Service Group Management
A service group refers to any logical entity that can group accounts together on the managed resource. In the case of IBM Security Verify Governance Adapter for LDAP, the service group is an LDAP group.
Managing service groups implies the following:
· Create service groups on the managed resource.
· Modify attributes of a service group.
· Delete a service group.
Notes:
· Modifying the service group name is not supported.
· Group Management is not supported on IGI.
Review and agree to the terms of the IBM Security Verify Governance License prior to using this product.
The license can be viewed from the "license" folder included in the product package.
Adapter Version
Component | Version
Build Date | 2024 April 20 00.30.35
Adapter Version | 10.0.7
Component Versions | Adapter build: 10.0.7.9; Profile: 10.0.7.9; Connector: N/A (uses the LDAP connector from Security Directory Integrator); Dispatcher 7.1.39 or higher (packaged separately)
Documentation | Available in the IBM Security Verify Governance Adapters Knowledge Center: IBM Security Verify Governance Adapter for LDAP Installation and Configuration Guide. Packaged with the IBM Security Verify Governance Adapter for LDAP: IBM Security Verify Governance Adapter for LDAP Customization Guide
New Features
Internal # | Enhancement # (RFE / Idea) | Description
Items included in current (10.0.7) release
SVGAD-1822 | ADAPT-150 | Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0
Items included in 10.0.6 release
None
Items included in 10.0.5 release
None
Items included in 10.0.4 release
None
Items included in 10.0.3 release
RTC-189674 | | OpenLDAP support
Items included in 10.0.2 release
None
Items included in 10.0.1 release
RTC-188053 | | Add tooltip labels for LDAP adapter
Items included in 7.1.24 release
None
Items included in 7.1.23 release
RTC-184341 Bugz 2965 | RFE 124159 (55457) | Update LDAP customization guide for IGI 525
Items included in 7.1.22 release
RTC-182167 | | Attribute Values lookup Support for LDAP adapter
Items included in 7.1.21 release
RTC-173232 | | PIM 2.1 - When using the LDAP adapter, <username> returns eruid=undefined
Items included in 7.1.20 release
None
Items included in 7.1.19 release
RTC 168739 | | US - As an LDAP adapter developer, I must support the new specialFlags attribute in targetProfile.json.
Items included in 7.1.18 release
RTC 165311 | | US - As an LDAP adapter developer, I must implement support for the latest IGI requirements
Items included in 7.1.17 release
None
Items included in 7.1.16 release
RTC 151771 | | Add Support for Identity Governance and Intelligence (IGI) v5.2.2. This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence.
Items included in 7.0.15 release
| | Add support for IBM Security Directory Suite (SDS) VA version 8.0
Items included in 7.0.14 release
RTC 133534 | | Add support for TDS 6.3.1 / 6.4.
Items included in 7.0.13 release
None
Closed Issues
Internal # | APAR # / Case # | Description
Items included in current (10.0.7) release
SVGAD-1330 Bug 4210 | DT244945 / TS014366689 | ISIM LDAP Adapter reconciliation fails with OpenLDAP
Items included in 10.0.6 release
RTC-191009 Bug 3948 | TS010466774 | Target Profile Creator tool creates empty targetProfile.json file
Items included in 10.0.5 release
RTC-189882 Bug 3608 | APAR IJ34884 | Checking for submit of new APAR with LDAP adapter ProfileRename.jar (TS006622296)
Items included in 10.0.4 release
RTC-189908 Bug 3602 | APAR IJ35156 | LDAP Adapter not reconnecting on Connection Reset error (TS006493867)
Items included in 10.0.3 release
None
Items included in 10.0.2 release
RTC-188404 | | Added User / Group container DN Validation in Test AL
Items included in 10.0.1 release
None
Items included in 7.1.24 release
RTC-186397 Bugz 3181 | APAR IJ23962 | Case TS003067097 / Missing O in the LDAP Adapter profile JSON.
Items included in 7.1.23 release
RTC-183737 Bugz 2914 | APAR IJ16211 | Case TS002232863 / LDAP adapter fails when user's DN includes a "2C"
Items included in 7.1.22 release
None
Items included in 7.1.21 release
None
Items included in 7.1.20 release
Internal | N/A | Internal - Additional configuration steps included in Section 10 of CustomizationGuide-LDAP-7.1.pdf: · Handling changes to service.def · Handling changes to Attribute Mapping file
RTC-170584 Bug 2493 | PMR TS000043998 | LDAP Adapter Rename Tool for IGI
Items included in 7.1.19 release
RTC-166793 Bug 2429 | PMR 74468,057,649 | UserPassword attribute is in clear text
RTC-166853 Bug 2422 | IV99694 / PMR 35235,001,862 | LDAP adapter 6.0.16 returns success even if create / modify account refers to non-existent group.
RTC-165445 | IV95319 | Limit stack trace data to avoid unnecessary information exposure
Items included in 7.1.18 release
None
Items included in 7.1.17 release
RTC 163615 | N/A | Internal - Ensure that the attributes are not repeated in the same schema
RTC 163604 | N/A | Internal - Correct the recon behavior when running in IGI
RTC 160689 - Bug 2332 | IV95847 / PMR 46177,004,000 | LDAP Adapter Version 6.0.11 and processing of CN
RTC 160690 - Bug 2323 | IV96078 / PMR 04331,124,848 | ISIM - LDAP Injection
Items included in 7.1.16 release
RTC 153471 - Bug 2197 | IV91082 / PMR 82554,033,724 | RMI Dispatcher throwing ServiceUnavailableException (socket closed).
Items included in 7.0.15 release
Bug 1708 | PMR 06341,379,000 | LDAP adapter design/behavior, performance issue for customer.
Items included in 7.0.14 release
RTC 133535 - Bug 1848 | PMR 44809,7TD,000 | Support Password attribute Binary option for TDS 6.3.1 and above.
RTC 138080 | N/A | Internal - LDAP adapter does not set failure on modify. When group update fails, and it is the only attribute requested to modify, then the adapter gives a warning instead of an error.
Items included in 7.0.13 release
None
Known Limitations
Internal # | APAR # | Case # / Description
Internal | NA | A single user account is retrieved if the same user is found in different containers, for example cn=joe,ou=cm,o=us and cn=joe,ou=cm,ou=ca,o=us
See the Installation Guide for IBM Security Verify Governance LDAP adapter for detailed instructions.
Corrections to Installation guide:
Chapter 1: Overview
No updates for the current release
Chapter 2: Planning
Prerequisites:
Please consult the release notes for the currently supported versions of the products below.
Directory Integrator:
Remove Version 7.2 + FP6 + 7.2.0-ISS-SDI-LA0019 from the description
Identity server:
Update description as below:
The following servers are supported:
- IBM Security Verify Governance Identity Manager
- IBM Security Verify Governance
Chapter 3: Installing in Virtual Appliance (Chapter present under ISVG only)
Add the note below to the end of the chapter:
Note: While uploading the adapter package, you may receive the error "System Error: A file included in the SDI Adapter zip already exists on the system", and the Server Message log under the Appliance tab of the VA will contain a reference to the error "com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system". This is because the same swidtags can be installed only once. So, if another adapter of the same type is already installed, remove the swidtags.
To enable the read-from and write-to channels, and to set the change log synchronization schedule for each new connector, complete these steps in Verify Governance:
Installing ILMT-Tags File
Before you begin:
The Dispatcher must be installed
Procedure:
Copy the files from the ILMT-Tags folder to the specified location:
1. Windows: <SDI-HOME>\swidtag
2. Unix/Linux: <SDI-HOME>/swidtag
Service/Target form
Administrator name
Specify the user name for the administrator.
Note: For OpenLDAP, the root admin user's bind DN has to be used for the service connection (e.g. cn=,dc=,dc=com).
Installing in the Verify Governance Virtual Appliance
(Please add this new section in the Knowledge Center (under Installing > Installing in the Verify Governance Virtual Appliance) for the LDAP adapter to describe the installation procedure of the adapter in the Verify Governance Virtual Appliance: https://www.ibm.com/docs/en/svgaa?topic=ldap-installing-in-virtual-appliance. Please add the note below as well after adding the description.)
Note: While uploading the adapter package, you may receive the error "System Error: A file included in the SDI Adapter zip already exists on the system", and the Server Message log under the Appliance tab of the VA will contain a reference to the error "com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system". This is because the same swidtags can be installed only once. So, if another adapter of the same type is already installed, remove the swidtags.
The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs the ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file, and an infra adapter needs the ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, install only the infra-specific swidtags, and the other way around. Please visit IBM Security Verify Governance Adapters v10
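Added example, not part of the adapter package or IBM's documentation: a POSIX shell helper for the manual ILMT-Tags copy steps in this document that applies the rule stated above, copying each swidtag only when an identical file is not already installed and flagging other versions of the same tag for review. The package and swidtag directories in the demo are constructed, and the file naming ibm.com_IBM_Security_Verify_Governance_<Tag>-<version>.swidtag is taken from this document.

```shell
#!/bin/sh
# Copy an adapter package's ILMT-Tags into the SDI swidtag directory while skipping
# tags that are already installed, the condition behind the "already exists in system"
# upload error described above. Assumes the package layout shown in this document:
# ILMT-Tags/ibm.com_IBM_Security_Verify_Governance_<Tag>-<version>.swidtag.

# For each tag print "present" (identical file already installed, skipped),
# "note" (another version of the same tag is installed, still copied) or "copied".
stage_swidtags() {
    src=$1; dest=$2
    mkdir -p "$dest"
    for f in "$src"/ILMT-Tags/*.swidtag; do
        [ -e "$f" ] || { echo "no swidtag files under $src/ILMT-Tags"; return 1; }
        name=$(basename "$f")
        tag=${name%-*}                      # drop "-<version>.swidtag"
        if [ -e "$dest/$name" ]; then
            echo "present $name"
        else
            for other in "$dest/$tag"-*.swidtag; do
                [ -e "$other" ] && echo "note    $(basename "$other") is another version of $tag"
            done
            cp "$f" "$dest/" && echo "copied  $name"
        fi
    done
}

# Demo on constructed directories: the common Enterprise tag was already installed by
# another adapter, an older Lifecycle tag is present, and the Compliance tag is new.
demo=$(mktemp -d)
P=ibm.com_IBM_Security_Verify_Governance
mkdir -p "$demo/pkg/ILMT-Tags" "$demo/sdi/swidtag"
for t in Enterprise Lifecycle Compliance; do
    echo "<!-- constructed tag $t -->" > "$demo/pkg/ILMT-Tags/${P}_$t-10.0.2.swidtag"
done
cp "$demo/pkg/ILMT-Tags/${P}_Enterprise-10.0.2.swidtag" "$demo/sdi/swidtag/"
echo "<!-- constructed older tag -->" > "$demo/sdi/swidtag/${P}_Lifecycle-10.0.1.swidtag"
stage_swidtags "$demo/pkg" "$demo/sdi/swidtag"
rm -r "$demo"
```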
Installing in an IBM Security Verify Directory Dispatcher Container
Before you begin
The adapter and related files can be installed into the container using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running the Kubernetes CLI. The adapterUtil.sh script is also available in the bin directory of the IBM Security Verify Governance Identity Manager (ISIM) Container Starter Kit installation directory (if ISVDI was selected for installation during the ISIM container installation steps).
If, for any reason, the adapter util script cannot be executed or used, the below manual instructions must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing or uninstalling the adapter and after any changes to the configuration.yaml. To activate the changes and restart the container, run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· for OpenShift container: oc -n isvgim rollout restart deployment isvdi
· for Kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Use the below command to install / upgrade/ re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-LDAP-*.zip" accept
Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed, and /path/to/Adapter-LDAP-*.zip is the location where the adapter zip file is staged on the machine running the Kubernetes CLI.
Manually copying files to Persistent Volume
Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:
ILMT-Tags
Copy below files to the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag
Updating the container
Using Script
To update the dispatcher container using the ISVG-IM starter kit, run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· for OpenShift container: oc -n isvgim rollout restart deployment isvdi
· for Kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Manually
To update the dispatcher container on Kubernetes/OpenShift, run the following commands to create a config map and update the dispatcher-specific yaml:
<kubectl or oc> create configmap <configmap name> --from-file=<path to main isvdi config yaml> --from-file=<directory where certificates are stored> --dry-run=client -o yaml --namespace=<namespace where dispatcher container resides> > <path_to_dispatcher_container_that_runs_this_adapter_yaml>
e.g. kubectl create configmap isvgimsdi --from-file=/root/isvg/config/adapters/isvdi_config.yaml --from-file=/root/isvg/config/certs --dry-run=client -o yaml --namespace=isvgim > /root/isvg/yaml/045-config-adapters.yaml
Then apply the updated yaml of the dispatcher that runs this adapter:
<kubectl or oc> apply -f <path_to_dispatcher_container_that_runs_this_adapter_yaml>
e.g. oc apply -f /root/isvg/yaml/045-config-adapters.yaml
Finally, restart the container:
<kubectl or oc> rollout restart deployment <isvdi container deployment>
e.g. oc -n isvgim rollout restart deployment isvdi
Configuring the SSL connection between the IBM Security Verify Directory Integrator Container and the LDAP Target
Refer to the https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates page of the SVDI documentation.
If the config.yaml file that is used as the YAML_CONFIG_FILE environment variable for the container doesn't have a trusted-certificates element, follow the instructions provided at https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates to add a trusted-certificates section to the config.yaml file.
Create a certificate and CA certificate for the managed LDAP server and place the certificate in the certs directory of the config volume that contains the config.yaml file. The default location for this config volume is /opt/IBM/dispatcher/config.
Provide the path of the certificate in the config.yaml file as shown in the example below:
keyfile:
  trusted-certificates:
    - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootG2.crt'
    - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootCA.crt'
Follow the steps in Updating the container to activate the changes.
Enabling TLS 1.2
Refer to the https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced page of the SDI documentation. If the config.yaml file that is used as the YAML_CONFIG_FILE environment variable of the container doesn't have an advanced configuration element, follow the instructions provided there to add an advanced configuration section to the config.yaml file.
To enable TLSv1.2, add the following two attr/value pairs (as described in the SDI guide):
- attr: com.ibm.di.SSLProtocols
  value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
  value: 'TLSv1.2'
Follow the steps in Updating the container to activate the changes.
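Added example, not IBM's code: a POSIX shell pre-flight check for the config.yaml edits described in the two sections above, meant to run before the steps in Updating the container so that a mistyped certificate path or a missing protocol attribute is caught before the dispatcher is restarted. It assumes the YAML layout shown in this document, and that the attr/value pairs sit under a top-level advanced list (an assumption); the sample config and dummy PEM files are constructed inline.

```shell
#!/bin/sh
# Pre-flight check for the dispatcher container's config.yaml, run before the
# "Updating the container" steps: every '@/path' under keyfile/trusted-certificates
# must point at a readable PEM certificate, and both com.ibm.di.SSLProtocols and
# com.ibm.di.SSLServerProtocols must be set to TLSv1.2. Assumes the hand-written
# YAML layout shown in this document (one key per line, "- " list items, no spaces in paths).

# Print the certificate paths referenced as '@/path' under trusted-certificates.
trusted_cert_paths() {
    sed -n '/^[[:space:]]*trusted-certificates:/,/^[[:space:]]*[^-[:space:]]/p' "$1" \
        | sed -n "s/^[[:space:]]*-[[:space:]]*['\"]\{0,1\}@\([^'\"]*\)['\"]\{0,1\}.*/\1/p"
}

# Exit status 0 only when every referenced certificate exists and looks like PEM.
check_trusted_certs() {
    tc_rc=0
    tc_paths=$(trusted_cert_paths "$1")
    [ -n "$tc_paths" ] || { echo "no trusted-certificates entries in $1"; return 1; }
    for p in $tc_paths; do
        if [ ! -r "$p" ]; then
            echo "MISSING: $p (referenced in $1)"; tc_rc=1
        elif ! grep -q 'BEGIN CERTIFICATE' "$p"; then
            echo "NOT PEM: $p"; tc_rc=1
        fi
    done
    return $tc_rc
}

# Exit status 0 only when both SSL protocol attributes are present with value TLSv1.2.
# Assumes the "- attr:" / "value:" pairs shown in this document, value on the next line.
check_tls12() {
    tl_rc=0
    for a in com.ibm.di.SSLProtocols com.ibm.di.SSLServerProtocols; do
        v=$(awk -v a="$a" '
            ($1=="-" && $2=="attr:" && $3==a) || ($1=="attr:" && $2==a) { want=1; next }
            want && $1=="value:" { print $2; exit }
            { want=0 }' "$1" | tr -d "'\"")
        if [ "$v" != "TLSv1.2" ]; then
            echo "TLS: $a is '${v:-unset}', expected TLSv1.2"; tl_rc=1
        fi
    done
    return $tl_rc
}

# Run both checks and report every finding, not just the first.
preflight() {
    pf_rc=0
    check_trusted_certs "$1" || pf_rc=1
    check_tls12 "$1" || pf_rc=1
    return $pf_rc
}

# Write a constructed config.yaml (layout from this document; placing the "advanced"
# list at top level is an assumption) plus two constructed dummy PEM files into "$1".
write_sample_config() {
    mkdir -p "$1/certs"
    for c in DigiCertGlobalRootG2 DigiCertGlobalRootCA; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedDummyBody==' \
            '-----END CERTIFICATE-----' > "$1/certs/$c.crt"
    done
    cat > "$1/config.yaml" <<EOF
keyfile:
  trusted-certificates:
    - '@$1/certs/DigiCertGlobalRootG2.crt'
    - '@$1/certs/DigiCertGlobalRootCA.crt'
advanced:
  - attr: com.ibm.di.SSLProtocols
    value: 'TLSv1.2'
  - attr: com.ibm.di.SSLServerProtocols
    value: 'TLSv1.2'
EOF
}

# Demo: a valid constructed config, then the same config with one certificate
# removed, which is what a forgotten or mistyped certificate path looks like.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
preflight "$demo_dir/config.yaml" && echo "config.yaml OK"
rm "$demo_dir/certs/DigiCertGlobalRootCA.crt"
preflight "$demo_dir/config.yaml" || echo "fix config.yaml before updating the container"
rm -r "$demo_dir"
```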
Enabling debug logs and disabling json-logging
Refer to the https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging page of the SDI documentation. If the config.yaml file that is used as the YAML_CONFIG_FILE environment variable for the container doesn't have root-level and json-logging configuration elements, follow the instructions provided there to add the root-level and json-logging configuration elements to the config.yaml file.
To enable debug logs, set the value of root-level to debug. To disable json logging, set the value of the json-logging element to false.
Follow the steps in Updating the container to activate the changes.
Uninstalling the adapter
Using Script
Use the below command to remove the adapter:
/path/to/adapterUtil.sh -removeAdapter LDAP
Manually removing files from the Persistent Volume
Remove files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.
Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:
ILMT-Tags
Remove below files from <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag
Chapter 4: Installing
No updates for the current release
Chapter 5: Upgrading
No updates for the current release
No updates for the current release
Chapter 7: Troubleshooting
Enabling DEBUG Logs on SDI Server
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
Post-7.2.0-ISS-SDI-FP0011
4. To enable TCB block in debug
5. Append the line com.ibm.di.logging.close=false in the <SDI_HOME_Directory>/etc/global.properties file.
6. Start the SDI Server process
7. Re-create the problem and collect the <SDI_Solution_Dir>/logs/ibmdi.log
Chapter 8: Uninstalling
No updates for the current release
Installation Platform
The IBM Security Verify Governance Adapter for LDAP was built and tested on the following product versions.
Adapter Installation Platform:
Due to continuous Java security updates that may be applied to your ISVG or ISVGIM servers, the following SDI releases are the officially supported versions:
Security Directory Integrator 7.2 + FP11
Security Verify Directory Integrator 10.0.0
Note: Earlier supported SDI versions may function properly; however, to resolve any communication errors you must upgrade your SDI release to the versions officially supported by the adapters.
Managed Resource:
· IBM Security Directory Server version 6.4
· IBM Security Directory Suite (SDS) VA version 8.0
· OpenLDAP version 2.4.44
· OpenLDAP version 2.5.7
· Other directories that comply with RFC 2798 and are supported by the Security Directory Integrator LDAP connector.
However, you might require additional customization. See the IBM Security Verify Governance Adapter for LDAP Customization Guide for information on customizing this adapter.
IBM Security Verify Governance Servers:
· IBM Security Verify Governance Identity Manager v10.0
· IBM Security Verify Governance v10.0
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.