Mathew Burt · Oct 19, 2016

LDAP Adapter - Credentials?

I'm writing an operation to use the LDAP Outbound Adapter to query AD.

The operation's settings include a basic Credentials selector, to allow you to use the built-in Credentials function of Ensemble. This can be referenced in the operation with ..Adapter.Credentials.

But when it comes to specifying the credentials in the Bind method, the documentation indicates that only a format of $lb(Username,Domain,Password) is supported. I tried ..Adapter.Credentials and $lb(..Adapter.Credentials) but the only thing that worked was setting the three variables in plain text first in the operation itself (e.g. set Username="abc", etc).

Even if I could get the reference to the adapter credentials to work - Ensemble credentials don't include a separate Domain field, only a Username and Password.

Is the adapter's credentials selector a red herring? Or can it be made to work?


Hi Matthew - 

Have you tried:

set credentials = ##class(Ens.Config.Credentials).%OpenId(..Adapter.Credentials)

Then you can use:

credentials.Username and credentials.Password.

But there's no domain, sorry.

Thanks Michael, that's a handy bit of code, worked great :)

I think you may be looking at the wrong class documentation.  

There are two LDAP classes - %Net.LDAP.Client and %SYS.LDAP.  The EnsLib.LDAP.OutboundAdapter is written using %Net.LDAP.Client.Session, which does not have a Binds method.  The %SYS.LDAP class does have a Binds method, and discusses wanting a $lb like you've described.

Thanks for letting me know Katherine, I guess I've just written a method which isn't actually using the adapter at all. I'll check out the %Net.LDAP.Client documentation and see if I can rework it.

The credentials do not have space to store a Domain field. Maybe add the domain as an extra setting?

Property Domain As %String;

Parameter SETTINGS = "Domain";

Then you can use ..Domain in your Business Operation. You might also need to subclass the adapter to get it working with the Domain.

Thanks Marcel, that's a good idea. That'd work well I think if we needed to store credentials for many different domains. However we only have one domain in our organisation - my concern was around declaring/storing the username and password in plain text in the code, whereas I wouldn't mind doing that for the domain.

However, that said, I wasn't aware until now that the credentials stored in Ensemble could be pulled back in plain text using that code. I assumed as they're obfuscated in the front end that they'd be encrypted in some fashion, but the code Michael provided can be used to trace them out in plain text (or write them out in Terminal). Not as secure as I'd imagined, but still somewhat of a step up from writing them in the method's code.
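The two suggestions in the replies above, combined into one business operation, as an added example that is not code posted by anyone in the thread. The class name Demo.LDAP.Operation and the method GetBindList are hypothetical. The example only builds the $lb(Username,Domain,Password) list from the question and makes no LDAP call itself.

```objectscript
/// Added example: hypothetical class, not code from the thread.
Class Demo.LDAP.Operation Extends Ens.BusinessOperation
{

Parameter ADAPTER = "EnsLib.LDAP.OutboundAdapter";

/// Ensemble credentials have no Domain field, so the domain is a separate setting
Property Domain As %String;

Parameter SETTINGS = "Domain";

/// Build $lb(Username,Domain,Password) from the credentials ID chosen in the
/// production configuration, so no username or password appears in the code.
Method GetBindList(Output pList As %List) As %Status
{
    Set pList = ""
    // Fail early if no credentials entry was selected for this operation
    If ..Adapter.Credentials = "" {
        Quit $$$ERROR($$$GeneralError, "No Credentials ID configured")
    }
    If ..Domain = "" {
        Quit $$$ERROR($$$GeneralError, "No Domain configured")
    }
    // %OpenId returns "" and sets tSC if the ID does not exist
    Set tCred = ##class(Ens.Config.Credentials).%OpenId(..Adapter.Credentials, , .tSC)
    If '$IsObject(tCred) Quit tSC
    // The opened object exposes Password in clear text: keep it in this
    // local list only, and never pass it to $$$TRACE, logs or message bodies.
    Set pList = $ListBuild(tCred.Username, ..Domain, tCred.Password)
    Quit $$$OK
}

}
```

Because any code that can open Ens.Config.Credentials can read the password, limit who can edit classes and use Terminal in the production namespace.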