Sep 5, 2023

LDAP Authentication Help

Currently we are using Delegated Authentication with ZAUTHENTICATE to look at the groups that are associated with a user and, if a group matches a role within IRIS, assign the user to that role within IRIS.

Instead of using ZAUTHENTICATE as custom code, I am looking to use the built-in LDAP Authentication instead. Since I already have two AD groups (Access.Ensemble.Developer.User and Access.Ensemble.DataLookup.User), is it possible to configure the built-in LDAP functionality to look for these groups and assign the users to the correct roles within IRIS without the custom ZAUTHENTICATE? From what I understand of the documentation, it seemed like the groups had to be specifically formatted as per InterSystems documentation. I don't have too much confidence in our AD group being able to define the attributes correctly, nor do I really want someone else controlling access to our application.

ZAUTHENTICATE has given us some issues, and I haven't been able to successfully track down why it is intermittent in getting the proper response from LDAP, so why not go back to what is built in and not have to account for the errors in ZAUTHENTICATE?

I had another AD group called Access.InterSystems.Group.Developer, created just for testing this. 

I am getting the following error through the Test LDAP Authentication, and I am not sure what it means.

SearchExts error: 1 - Operations error
Test completed

I just want to define the ROLE level and not specify Instance, Namespace, Routine.

Product version: IRIS 2023.1
$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2023.1 (Build 229U) Fri Apr 14 2023 17:16:34 EDT

Well, I found that my certificate had expired, so I replaced the certificate with one that I had gotten created for something else I was working on. But it is still not working through the LDAP Test or when I attempt to sign on with my AD account...

Using Test LDAP Authentication I am receiving: SearchExts error: 1 - Operations error

When I attempt to sign into the port with my AD account I am getting the following:

Error message: ERROR #798: Password login failed
ERROR #838: User roth16 does not exist
ERROR #798: LDAP login failed
ERROR #5002: ObjectScript error: <ILLEGAL VALUE>LDAPLogin+47^%SYS.LDAP
Web Application: /csp/sys
$I: |TCP|1972|2013912
$P: |TCP|1972|2013912

Since I moved from delegated sign-on using ZAUTHENTICATE to LDAP, do I need to remove my ZAUTHENTICATE, or does the LDAP functionality know not to use ZAUTHENTICATE?

I think that zauth will conflict with integrated LDAP, but before switching off zauth, make sure that LDAP works as expected using the "Test LDAP Authentication" on the previous screen.

What I see from your screen is that you may have errors in the "Hostname" and "Search username DN".

Hostname should be the IP or FQDN of your AD domain servers (start with one and then add all the others).

Search username has to be specified the LDAP way, so something like:
cn=ensemble Service,dc=osumc,dc=edu

It seems the Test LDAP is failing on the search for SamAccountName, as the search AD user ensemble.Services is showing as authenticated and my Base DN for the user search passed.

Search user ensemble.Services,DC=OSUMC,DC=EDU authenticated
Searching for user roth16, using SamAccountName=roth16
SearchExts error: 1 - Operations error
Test completed

The BaseDN and the Nested Group Search BaseDN are the same as those I used in my ZAUTHENTICATE. I shouldn't have to remove the ZAUTHENTICATE for the Test LDAP to run, should I?
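To make the two pieces of this thread concrete, here is an added Python example (not from the thread, from InterSystems, or from the IRIS LDAP implementation). It shows (a) how a sAMAccountName search filter like the `SamAccountName=roth16` one in the test output should be built with RFC 4515 escaping, so the login name a user types cannot change the meaning of the filter sent to AD, and (b) the group-to-role mapping the original post describes: take a user's `memberOf` DNs, extract each group CN, and return the IRIS roles that the AD groups named in the post map to. The directory contents, the `OU=Groups` container, the second test account and the IRIS role names are constructed assumptions; in a real deployment `build_user_filter()` would be handed to an LDAP client (ldap3, for instance) and the returned `memberOf` values fed to `roles_for()`.

```python
"""Constructed example: safe sAMAccountName filter + AD-group-to-IRIS-role mapping."""
import re

# AD group CN -> IRIS role. The two group names come from the original post;
# the role names on the right are assumptions for this example.
GROUP_TO_ROLE = {
    "Access.Ensemble.Developer.User": "%Developer",   # assumed role name
    "Access.Ensemble.DataLookup.User": "DataLookup",  # assumed role name
}

# Constructed stand-in for the directory: sAMAccountName -> memberOf values.
# "roth16" is the login from the thread; the container and the second
# account are made up for this example.
CONSTRUCTED_DIRECTORY = {
    "roth16": [
        "CN=Access.Ensemble.Developer.User,OU=Groups,DC=osumc,DC=edu",
        "CN=Domain Users,CN=Users,DC=osumc,DC=edu",
    ],
    "lookup.test": [
        "CN=Access.Ensemble.DataLookup.User,OU=Groups,DC=osumc,DC=edu",
    ],
}

# RFC 4515 escaping for values placed inside a search filter. Escaping the
# backslash is included so an already-escaped sequence cannot be smuggled in.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally by the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Filter that selects exactly one user object by sAMAccountName."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def group_cn(dn: str):
    """Return the CN of the first RDN of a group DN, or None if it is not a CN.

    Splits only on commas that are not escaped with a backslash, so a group
    whose name itself contains a comma (CN=Acme\\, Inc,...) is handled.
    """
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        return None
    return value.strip()


def roles_for(member_of) -> list:
    """Map a user's memberOf DNs to the sorted list of IRIS roles they earn."""
    roles = set()
    for dn in member_of:
        cn = group_cn(dn)
        if cn in GROUP_TO_ROLE:
            roles.add(GROUP_TO_ROLE[cn])
    return sorted(roles)


def simulated_search(search_filter: str):
    """Stand-in for the AD search (constructed): return the memberOf list of
    the entry whose sAMAccountName filter matches exactly, else None."""
    for sam, member_of in CONSTRUCTED_DIRECTORY.items():
        if build_user_filter(sam) == search_filter:
            return member_of
    return None


def lookup_user(username: str):
    """Mimic the 'search for user, then map groups' flow.

    Returns (found, roles). A username carrying filter metacharacters is
    escaped, so it simply fails to match instead of widening the search.
    """
    member_of = simulated_search(build_user_filter(username))
    if member_of is None:
        return False, []
    return True, roles_for(member_of)


if __name__ == "__main__":
    for name in ("roth16", "lookup.test", "nobody", "a*)(cn=*"):
        print(name, "->", build_user_filter(name), lookup_user(name))
```

The escaping step is the part worth keeping even if the rest is replaced by IRIS's built-in LDAP support: whenever a login name is interpolated into an LDAP filter, it must be escaped, otherwise a crafted name can turn a one-user lookup into a wildcard match.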