LDAP Authentication Help

Question

Question

Scott Roth · Sep 5, 2023

#LDAP #System Administration #Health Connect #InterSystems IRIS #InterSystems IRIS for Health

Currently we are using Delegated Authentication using ZAUTHENTICATE to look at the groups that are associated with a user and if it matches a role within IRIS, to assign the user to that role within IRIS.

Instead of using ZAUTHENTICATE as custom code, I am looking to use the built-in LDAP Authentication instead. Since I already have two AD Groups called (Access.Ensemble.Developer.User and Access.Ensemble.DataLookup.User) is it possible to config the built in LDAP functionality to look for these groups and assign the users to the correct roles within IRIS without the custom ZAUTHENTICATE? From what I understand looking at the documentation it seemed like it had to be specifically formatted as per InterSystems documentation. I don't have too much confidence in our AD Group being able to define the attributes correctly or really want someone else controlling access to our application.

ZAUTHENTICATE has given us some issues and I haven't been able to successfully track down why it is Intermittent in getting the proper response from LDAP, so why not go back to what is built in and not have to account for the errors in ZAUTHENTICATE.

I had another AD group called Access.InterSystems.Group.Developer, created just for testing this.

I am getting the following error through the Test LDAP Authentication, and I am not sure what it means.

SearchExts error: 1 - Operations error
Test completed

I just want to define the ROLE level and not specify Instance, Namespace, Routine.

Thanks

Scott

Product version: IRIS 2023.1

$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2023.1 (Build 229U) Fri Apr 14 2023 17:16:34 EDT

Discussion (5)2

Log in or sign up to continue

Pietro Montorfano · Sep 9, 2023

no no for the testldap don't remove it. Test ldap will run the query as it will do on the login giving you the output of the search for debugging. May be how samacountname is written?

On an AD installation i got it as "sAMAccountName"...

0 0

score 0 · Answer 1 · 2023-09-07T05:07:23-04:00

Hi Scott,
i've setup ldap auth and basically it automatically do what you are looking for. The only thing is (like you saw) that you have the AD groups named as IRIS is expecting.

This is an example of what we are using and to have a %All a user must be in the ad group isc_Role_%All

score 0 · Answer 2 · 2023-09-07T07:44:23-04:00

Well found that my Certificate had expired, so I replaced the certificate with one that I had gotten created for something else I was working on. But it is still not working through the LDAP Test or when I attempt to sign on with my AD account...

Using Test LDAP Authentication I am receiving... SearchExts error: 1 - Operations error

When I attempt to sign into the port with my AD account I am getting the following...

Error message: ERROR #798: Password login failed ERROR #838: User roth16 does not exist ERROR #798: LDAP login failed ERROR #5002: ObjectScript error: <ILLEGAL VALUE>LDAPLogin+47^%SYS.LDAP Web Application: /csp/sys $I: |TCP|1972|2013912 $P: |TCP|1972|2013912

Since I moved from Delegated Sign on using ZAUTHENTICATE to LDAP do I need to remove my ZAUTHENTICATE? or does the LDAP functionality know not to use ZAUTHENTICATE?

score 0 · Answer 3 · 2023-09-08T02:58:23-04:00

i think that zauth will conflict with ldap integrated, but before switching off zauth, make sure that ldap works as expected using the "test ldap authentication" on the previous screen.

What i see from your screen is that you may have errors in the "hostname" and "search username dn".

Hostname should be the ip or fqdn of your AD domain servers (start with one and then add all the other).

Search username has to be specified in LDAPish way so something like
cn=ensemble Service,dc=osumc,dc=edu

score 0 · Answer 4 · 2023-09-08T09:11:23-04:00

it seems the Test LDAP is failing on... the search for SamAccountName, as search AD user of ensemble.Services is showing authenticated and my Base DN for the user search passed.

Search user ensemble.Services,DC=OSUMC,DC=EDU authenticated Searching for user roth16, using SamAccountName=roth16 SearchExts error: 1 - Operations error Test completed

The BaseDN and the Nested Group Search BaseDN is the same that I used in my ZAUTHENTICATE. I shouldn't have to remove the ZAUTHENTICATE for the Test LDAP to run should I?