Create LDAP users in OIDC
Sila Kissuu
© IBM v0.1 2024-03-25
Step 1. Save the LDAP/LUR registry users of each Provider Organization to a file:

apic users:list -o {yourProviderOrg} -s {yourMgmtServer} --user-registry {yourRegistry} --fields username,email,first_name,last_name --format json > ldap-users.json
TIP: Adjust the path to "ldap-users.json" as needed. Use the

apic user-registries:list

command to get a list of registry names in your Provider Org.

Step 2. File contents from Step 1:

Note down the value of "total_results". We will need it for verification purposes in Step 6.

Step 3. Remove the 4 extra elements so that you are left with an array of users:
- Delete line 1
- Delete line 2
- Remove the string '"results":' from line 3
- Delete the last line (line 17 in this example)
Step 4. The updated file will look like this:
Step 5. Here is Python code that reads the file containing an array of multiple users and creates a separate JSON file for each user in the array. Why? The users:create command accepts a file with only one user in it.

#!/usr/bin/env python3
"""
Created on Mon Mar 25 11:53:25 2024

@author: sila
"""
import json
import os

# Read the array of users produced in Step 4 (adjust the path as needed)
with open('/{pathTo}/ldap-users.json', 'r') as file:
    users = json.load(file)

# Directory that will hold one JSON file per user
output_dir = '/{pathTo}/output_files'
os.makedirs(output_dir, exist_ok=True)

# Iterate over the array and process each user individually
for user in users:
    # Extract email for the filename
    filename = user["email"].lower() + ".json"
    # Write each user to a separate file
    with open(os.path.join(output_dir, filename), 'w') as file:
        json.dump(user, file, indent=4)
Step 6. Verify the files were written. The number of files should equal the number of users in the file obtained in Step 2, i.e. the value of the element "total_results", which in this case is 2.

tree -f output_files
Step 7. Verify file contents:

cat output_files/user2@ibm.com.json
Step 8. You can create each user in OIDC by passing their corresponding individual file to the users:create command.
Step 9. Verify the user exists:

apic users:list -o {yourProviderOrg} -s {yourMgmtServer} --user-registry {yourOIDCRegistry} | cut -d' ' -f1 | sed 's/-/@/'
Step 10. You can loop through the files in the output directory (run the loop from inside output_files, as the echo output below shows) to create all users with a single loop over users:create:

for file in *; do echo "creating user " $file; apic users:create -o {yourProviderOrg} -s {yourMgmtServer} --user-registry {yourOIDCRegistry} "$file"; done 2>/tmp/error.log

creating user user1@ibm.com.json
user1-ibm.com [state: enabled] https://{yourMgmtServer}/api/user-registries/86441fe3-dfed-4fe6-99ef-6153b0d14afe/7311fdd9-8cee-4a34-8fdc-398ae61f9426/users/00942444-66cd-463d-9a49-44c3223f426e
creating user user2@ibm.com.json
user2-ibm.com [state: enabled] https://{yourMgmtServer}/api/user-registries/86441fe3-dfed-4fe6-99ef-6153b0d14afe/7311fdd9-8cee-4a34-8fdc-398ae61f9426/users/a0cb650a-d5b3-4929-8971-77606f9f90e3
Note: errors encountered during user creation will be written to /tmp/error.log (adjust file path as needed).
For example, attempts to create a user that already exists will result in the following:
cat /tmp/error.log
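Steps 2 to 6 can be done in one script that parses the Step 1 export as JSON instead of deleting wrapper lines by hand, checks the number of files written against "total_results" (the Step 6 check), keeps only the fields users:create needs, and refuses to use an e-mail address as a filename unless it is safe for one. This is an added example, not part of the original document or the apic tooling; the input is a constructed export in the shape Step 1 produces, and `split_export`, `FIELDS` and `SAFE_EMAIL` are this example's own names.

```python
#!/usr/bin/env python3
# Added example (not from the original document): split an
# `apic users:list --format json` export into one file per user.
# Assumes the export looks like {"total_results": N, "results": [...]} (Step 1).
import json
import os
import re

# Only the fields users:create needs; anything else in the export is dropped.
FIELDS = ("username", "email", "first_name", "last_name")
# The lower-cased e-mail becomes the filename, so reject "/", "..", spaces, etc.
SAFE_EMAIL = re.compile(r"^[a-z0-9][a-z0-9._+-]*@[a-z0-9.-]+$")


def split_export(export_text, output_dir):
    """Write one JSON file per user; return the sorted list of filenames written.

    Raises ValueError when the user count disagrees with "total_results"
    (the Step 6 check) or when an e-mail is not safe to use as a filename.
    """
    export = json.loads(export_text)
    users = export["results"]          # no manual deletion of the wrapper lines
    if len(users) != export["total_results"]:
        raise ValueError(f'total_results={export["total_results"]} but {len(users)} users')
    os.makedirs(output_dir, exist_ok=True)
    written = []
    for user in users:
        email = user["email"].lower()
        if not SAFE_EMAIL.match(email) or ".." in email:
            raise ValueError(f"refusing to use {email!r} as a filename")
        record = {k: user[k] for k in FIELDS if k in user}
        filename = email + ".json"
        with open(os.path.join(output_dir, filename), "w") as fh:
            json.dump(record, fh, indent=4)
        written.append(filename)
    return sorted(written)


# Constructed sample export in the shape Step 1 produces (not real data).
SAMPLE_EXPORT = json.dumps({"total_results": 2, "results": [
    {"username": "user1", "email": "User1@ibm.com",
     "first_name": "User", "last_name": "One", "url": "ignored"},
    {"username": "user2", "email": "user2@ibm.com",
     "first_name": "User", "last_name": "Two"},
]})

if __name__ == "__main__":
    print(split_export(SAMPLE_EXPORT, "output_files"))
```

To use it on a real export, pass the contents of ldap-users.json from Step 1 as `export_text` and the per-user files land in `output_dir` ready for the Step 10 loop.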