Question
· Apr 27, 2021

Is it possible to authenticate via LDAP in a CSP REST application?

I am using MDX2JSON to display data, it uses CSP REST to retrieve data and uses Password Authentication. I enabled LDAP authentication for this application, but it does not work.

Product version: Caché 2018.1

The AppS.REST Framework, described here: https://community.intersystems.com/post/appsrest-new-rest-framework-inte..., provides hooks for authentication (see "AuthenticationStrategy()" and "GetUserResource()" methods in AppS.REST.Handler class). You can use these hooks with the following "LDAP" package to interact with an LDAP database programmatically: https://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY...

I have not tried this, but if you enable LDAP security and select it for that Web Application, then passing a username and password may work. You would set up LDAP per the documentation for Cache.

As I said I am not sure that this would work in this context.  An alternative is to use Delegated Authentication.  Here is a link to a Global Summit presentation on dealing with LDAP in the Delegated Authentication zAuthenticate routine.  https://community.intersystems.com/post/global-summit-2016-ldap-beyond-s...

This is a bit old and it is focused on dealing with custom LDAP schemas, but it will help you understand how to work with LDAP in code.

We are using MDX2JSON extension (back in the day the company needed to quickly roll out some application and did that without much thinking about the future and now I'm stuck with the issue). I have enabled LDAP authentication for all of its applications, but still get 'Uknown login and password pair. Please try again' error (note that CSP applications in the same namespace DO work with LDAP authentication). I tried to find the authentication logic in the extension's classes, but did not find anything related to it.

I am trying my luck on the forums in case someone else faced an issue like this before going nuclear and rewriting everything.

I managed to bypass authentication with a crutch, but cannot access the data and get the following error:

{"Error":"ERROR #5002: Cache error: <PROTECT>%Construct+3^%DeepSee.ResultSet.1 ^DeepSee.Cache.LocalResults(\"session\"),e:\\hs-db\\tfoms\\"}{"Error":""}

Does anyone have an idea what it could mean? I've given the user everything I could imagine related to the issue (except %All of course) but it still does not work.

The two places that I would look for more information on a <PROTECT> error are the audit log and the line of code the error is coming from.   The audit entry for a <PROTECT> error sometimes has more information about why the error was generated.  The line of code can also help as it can show you whether there was an explicit permission check, a reference to a particular global, etc.