Adding users that are based on an LDAP group

You can create a group of users that are loaded from an LDAP group.

To register an LDAP group, follow the instructions in Adding an LDAP server. To create an individual user, see Adding an individual user.

Method and URI

To add a user, use a POST method with a URI:

POST    https://{hostname|IPv4}/api/security/user

Parameters

None.

Data

Data 1: name

The CN of the LDAP group.

  • Example value: Sarah

  • Type: String. Required. Available in the web user interface.

Data 2: type

The type of user to add.

  • Value: LDAP_GROUP

  • Type: System string. Required. Available in the web user interface.

Data 3: sourceProvider

The {ldapHref} value of the LDAP server.

Tip

To get an {ldapHref} value based on the hostname or the IPv4 address of the LDAP server, follow the instructions in Getting an {ldapHref}.

  • Example value: https://10.0.0.111/api/ldap/1012

  • Type: System string. Required. Available in the web user interface.

Data 4: sourceUser

The {ldapUserHref} value of the LDAP server.

Tip

To get an {identityUserHref} value based on the identity name, follow the instructions in Getting an {identityUserHref}.

  • Example value: https://10.0.0.111/api/ldap/1011/group/Sales_Americas

  • Type: System string. Required. Available in the web user interface.

Data 5: sourceUserDn

The DN of the LDAP user. Use the syntax:

CN={CN},{groupRDN},{groupDN}

  • Example value: CN=Sales_Americas,OU=BM,OU=Security Groups,DC=BLUEMACHINES,DC=com.invalid

  • Type: String. Required. Available in the web user interface.

Data 6: permissions

Define permissions for the new user. Roles define what actions users can take and resource groups define what resources they can access.

  • Example value: Use the following syntax to specify the roles and the resource groups for the user. You must specify the same roles for all resource groups.

[
    {
        "resourcePoolId": {resourcePoolId 1},
        "roleIds":        [
                              {roleId 1},
                              {roleId 2},
                              ...
                          ]
    },
    {
        "resourcePoolId": {resourcePoolId 2},
        "roleIds":        [
                              {roleId 1},
                              {roleId 2},
                              ...
                          ]
    },
    ...
]

Tip

To get a {roleId} value based on its name, follow the instructions in Getting a {roleId}. To get the {resourcepoolId} value based on its name, follow the instructions in Getting a {resourcepoolId}.

  • Type: Array. Required. Available in the web user interface.
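The request body described in Data 1 through Data 6, assembled and checked before it is sent, as an added example that is not part of the IBM documentation: it builds sourceUserDn from the CN, group RDN and base DN with the syntax given in Data 5, escapes the CN as an RDN value (RFC 4514, an assumption added here so that a CN containing a comma cannot change the structure of the DN), and enforces the rule in Data 6 that the same roles are specified for every resource group. The key is spelled sourceUserDn as in Data 5; the names escape_rdn_value and build_ldap_group_user are assumed, not part of the API.

```python
import json

# Characters that must be escaped inside an RDN attribute value (RFC 4514).
_DN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';'}


def escape_rdn_value(value: str) -> str:
    """Escape a CN so that it is one RDN value (added helper, RFC 4514 rules)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        needs_escape = (ch in _DN_SPECIAL
                        or (ch == '#' and i == 0)
                        or (ch == ' ' and i in (0, last)))
        out.append('\\' + ch if needs_escape else ch)
    return ''.join(out)


def build_ldap_group_user(cn, ldap_href, ldap_user_href, group_rdn, base_dn, permissions):
    """Return the body (as a dict) for POST /api/security/user, type LDAP_GROUP.

    permissions: list of (resourcePoolId, [roleId, ...]) pairs.
    """
    # sourceUser must be a group of the LDAP server named in sourceProvider.
    if not ldap_user_href.startswith(ldap_href.rstrip('/') + '/group/'):
        raise ValueError("sourceUser is not a group of sourceProvider")
    # Data 6: the same roles must be specified for all resource groups.
    role_sets = {frozenset(roles) for _, roles in permissions}
    if not permissions or len(role_sets) != 1:
        raise ValueError("specify the same roles for all resource groups")
    return {
        "name": cn,
        "type": "LDAP_GROUP",
        "sourceProvider": ldap_href,
        "sourceUser": ldap_user_href,
        # Data 5 syntax: CN={CN},{groupRDN},{groupDN}
        "sourceUserDn": f"CN={escape_rdn_value(cn)},{group_rdn},{base_dn}",
        "permissions": [
            {"resourcePoolId": str(pool), "roleIds": [str(r) for r in roles]}
            for pool, roles in permissions
        ],
    }


if __name__ == "__main__":
    # Values from the example on this page.
    body = build_ldap_group_user(
        "Sales_Americas",
        "https://10.0.0.111/api/ldap/1011",
        "https://10.0.0.111/api/ldap/1011/group/Sales_Americas",
        "OU=BM,OU=Security Groups", "DC=BLUEMACHINES,DC=com.invalid",
        [(1000, [992])])
    print(json.dumps(body, indent=4))
```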

Example: Add users based on an LDAP group

Assume that you want to create users based on the following LDAP group in IBM Spectrum Protect Plus:

  • CN: Sales_Americas

  • Type: An LDAP group

  • {ldapHref}: https://10.0.0.111/api/ldap/1011

  • {ldapUserHref}: https://10.0.0.111/api/ldap/1011/group/Sales_Americas

  • LDAP group search criteria: CN=Sales_Americas,OU=BM,OU=Security Groups

    • CN: Sales_Americas

    • Group RDN: OU=BM, OU=Security Groups

    • Base DN: DC=BLUEMACHINES,DC=com.invalid

  • Roles to assign: Backup Only ({roleId} 992)

  • Resource groups to access: Hypervisor All Resource Group ({resourcepoolId}: 1000)

import requests

ldap_href = "https://10.0.0.111/api/ldap/1011"
ldap_user_href = "https://10.0.0.111/api/ldap/1011/group/Sales_Americas"

# Request body; literal braces are doubled because this is an f-string
_data = f'''{{
    "name":           "Sales_Americas",
    "type":           "LDAP_GROUP",
    "sourceProvider": "{ldap_href}",
    "sourceUser":     "{ldap_user_href}",
    "sourceUserDN":   "CN=Sales_Americas,OU=BM,OU=Security Groups,DC=BLUEMACHINES,DC=com.invalid",
    "permissions":    [
        {{
            "resourcePoolId": "1000",
            "roleIds":        ["992"]
        }}
    ]
}}'''

# spp_ipv4, the request headers and the TLS verification setting are
# defined as in the other examples of this reference
requests.post('https://' + spp_ipv4 + '/api/security/user',
    headers={...}, data=_data, verify=...)

Figure 83 The same action can be taken in the IBM Spectrum Protect Plus web user interface: In the navigation pane, click Accounts > User and click Add User. Select LDAP Group from the drop-down list. To see a list of all LDAP groups that are registered in IBM Spectrum Protect Plus, click View All. To search the LDAP groups, enter search criteria in the Group RDN (optional) field or the Group Name field, and click the search icon. Click the LDAP group that you want to add.


Figure 84 In the Add User - Assign Resources section, select resource groups to assign to the new user. Click Add resources and click Create user.

The request prompts a response with the HTTP status of 201 (Created). Review the response to ensure that the LDAP group, Sales_Americas, was added to the list of users. The response body is similar to the JSON object for Sales_Americas, as shown in Getting user information.