Configuring an External LDAP Attribute Source to Enrich Grants


OAuth/OIDC definition can be configured to retrieve attributes to encrich the grant. The attribute source can be a fixed value or a LDAP attribute source.

In this topic we provide instruction to configure an external LDAP to enrich grants.

Configuring provider.yml

  • The definition configuration defines an attribute_map configuration.
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
version: 22.12
  level: debug
  id: 1
  name: OIDC Definition
    - authorization_code
  pre_mappingrule_id: isvaop_pretoken                       # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken  
  token_settings:                                           # Token Settings
    issuer:                          # OP's issuer URI.
    signing_alg: PS256                                      # Signing algorithm for ID token generated.
    signing_keystore: isvaop_signing                        # Signing keystore name.
    signing_keylabel: jwtsigning                            # Signing key label.
  attribute_map:                                            # Attribute mapping to resolve claims. also refer to attributesources.yml
    surname: surname  
    key: ks:isvaop_keys/httpserverkey
    certificate: ks:isvaop_keys/httpservercert
  signing_keystore: isvaop_signing
  obf_key: "ENC:iUt+3MzCntxSL2FPTUuJqER79UaiRSApMz3cbgJm4yzuiv6H7KN8ADsamX6+Qre1oTsATjnb1bJ0Lmi7WWfxWeGT477yqqvgVayFlCDIFzZeNkdINjASfTE3B+/3Sm9YjIYuWtZdySiXeydhJXSiOGU9osdA9g2BZXR4eMrXNutCuaSvFH6MY+TyOH5q15vy6vEWOebJQHrnug0A8rN6NF8G8XaxCe/+yqH57jJpdhm0N7iUydIYOBOQ1wDgCc8nRMWkQqlkcRhDZvLLAIlhoshYvo06ubyryt8/vv/0AvTLq9AIiQoL8CtYLr+SNZlzWe4CnHYZdO9S+AIrUOVORw=="
  enc_key: "@keys/private.pem"
  • Read more about key management to be able to create a jwtsigning key to sign the id_token, and to create https_keys to configure server node.
  • secrets node defines secret data which can be used to obfuscate or encrypt entries within the YAML configuration documents. Read more about geerating the obf_key and enc_key in the document.

Configuring attributesources.yml

  • Based on the attribute map configuration in the provider.yml, the attributesources.yml is referenced based on the id.

  • Update the attributesources.yml with the following content:

  - id: 1                                                                       # Attribute source id.
    name: surname                                                               # Attribute source name.
    type: ldap                                                                  # Attribute source type. `value`, `credential`, or `ldap`
    value: sn                                                                   # Attribute source value. For attribute source of type `value`, this contains the fixed value. For `credential` type, it refers to a credential attribute. For `ldap` type, it refers to an LDAP attribute to be retrieved.
    scope: subtree                                                              # Only for attribute source of type `ldap`. LDAP search scope.
    filter: filter: (objectclass=*)                                             # Only applicable for attribute source type `ldap`. LDAP search filter. It might contain macros, refer to Attribute Source documentation
    selector: cn,mail,mobile,uid,givenName,sn,displayName                       # Only applicable for attribute source type `ldap`. LDAP selector containing other attributes that are retrieved together.
    srv_conn: ldap_srvconn                                                              # Only applicable for attribute source type, `ldap`. LDAP server connection name. This links to an `ldap` server connection in `storage.yml`
    baseDN: dc=ibm,dc=com                                                       # Only for attribute source of type `ldap`. LDAP base DN. It might contain macros similar to `filter`.

Configuring storage.yml

  • Based on the attribute sources configuration in the attributesources.yml, the storage.yml is referenced based on the srv_conn node.

  • Update the storage.yml with the following content:

server_connections:                                         # Server connections
  - name: ldap_srvconn                                      # Connection name
    type: ldap                                              # Connection type
    hosts:                                                  # List of host information (IP and port)
      - hostname: openldap                                  # Server's hostname
        hostport: 636                                       # Server's host port
        credential:                                         # Credential information to connect to the host.
          bind_dn: cn=root,secAuthority=Default             # Specifies the binding credential for the LDAP server connection.
          bind_password: "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs=" 
                                                            # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
      certificate:                                          # The SSL connection certificate array.
        - ks:ldap_keys                                      # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      disable_hostname_verification: false                  # The SSL connection validates the hostname.
    conn_settings:                                          # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
      max_pool_size: 50                                     # Maximum connection pool size.
      connect_timeout: 3                                    # Connect timeout, in seconds.
      aged_timeout: 5                                       # Aged timeout, in seconds.

  • Read more about key management here.
  • Read more about bind_password obfuscation here.

Configuring the mapping rule

  • The isvaop_pretoken.js needs to be modified to enrich the grant based on the attribute retrieved from the LDAP.
 * Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
IDMappingExtUtils.traceString("Starting Pre Token JS");
 * Use this mapping rule to enrich the session:
 * - Resolve the claims requested for id_token (and userinfo)
 *   Populate resolved claims into 'idtokenData' context
 * - Adding extra claims for token introspection (and JWT access token)
 *   Populate the extra claims into 'tokenData' context
 * Attribute Source:
 * The system will resolve any attribute source mappings prior to this mapping rule execution.
 * If the mapping should contain a value, it will be available in STSUU attribute container.
IDMappingExtUtils.traceString("STSUU content: " + stsuu.toString());
var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type");
var grant_type = stsuu.getContextAttributes().getAttributeValueByName("grant_type");
var surname = stsuu.getAttributeContainer().getAttributeValuesByName("surname");
if (surname != null) {
     Example of enriching id_token
    idtokenData["surname"] = surname;
    * Example of enriching introspection result
    tokenData["surname"] = surname;

Configuring the static client

# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
client_id: client_ldap
client_secret: "OBF:U2FsdGVkX19NE2KIGDC4doFwol69xk0roywd9TFjMVFHO6GaNtWhlev29g7XZeuC" 
client_name: "AuthorizationCode with LDAP attribute mapping"
enabled: true
  - authorization_code
  - code
token_endpoint_auth_method: default