Question
· Sep 25

LDAP Authentication Question

I am trying to track down a problem we saw this morning with our TEST environment. We had a momentary issue where InterSystems HealthShare Health Connect could not connect correctly to LDAP. When we tried to login and could not connect to LDAP, the system would Delete our users.

The Test LDAP function would return "Can't contact LDAP server". I went through the certificates and made sure they had the correct permissions and were not expired.

At the OS level we had no problems using our LDAP accounts to authenticate against the server, so we know the server could connect to LDAP, the trouble was the application itself.

We had to add our users back into the system as password users, then delete them, in order for us to connect to LDAP correctly and rebuild the users.

The System Audit logs show the Delete right before the LDAP sign on failures. None of our other boxes that are a part of the Mirror, or our Production box was affected.

We ended up failing over to a Mirror member since this was isolated to 1 server.

Is the LDAP functionality within the Application supposed to Delete Users if it cannot communicate correctly with LDAP?

Shouldn't it try to connect first and, if it can't validate against LDAP but the password is still cached, use the cached login?

Besides using the Terminal to troubleshoot, is there any additional debug logging that could have been turned on to see what the LDAP authentication was doing, besides REDEBUG?

Product version: IRIS 2024.1
$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2024.1 (Build 267_2U) Tue Apr 30 2024 16:06:39 EDT [HealthConnect:3.5.0-1.m1]

Hi,

You said the issue was only on 1 server, and you could fail over to the mirror backup server, which could connect to LDAP from within IRIS. I assume you ran the d TEST^%SYS.LDAP function to check connectivity.

If only 1 server can't connect, I would ask myself (investigate) "what was changed?"
Using REDEBUG could help to see more information regarding the issue.

In any case, I recommend opening a WRC for that if you cannot find the root cause.
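The thread's own troubleshooting steps were TEST^%SYS.LDAP and REDEBUG inside IRIS. As an added example that is not part of the original posts or of InterSystems' code, the script below runs the equivalent checks at the OS level so that a "Can't contact LDAP server" result can be attributed to the CA file, the TLS handshake, or the bind itself before looking inside the application. It assumes OpenSSL and the OpenLDAP client tools (ldapsearch) are installed; the hostname, port, CA path, bind DN and base DN in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): OS-level pre-flight checks for an
# LDAPS connection, to separate "server/TLS unreachable" from "application problem".
# Assumptions: OpenSSL and OpenLDAP client tools are installed; all host names,
# paths and DNs passed in are placeholders chosen by the caller.

# check_ca_file <ca.pem> [days]
# Verifies that the CA certificate file used for LDAPS exists, is readable by the
# current user, and does not expire within the next N days (default 30).
# Returns 0 on success, 1 if missing/unreadable, 2 if expiring/expired/not PEM.
check_ca_file() {
    ca="$1"
    days="${2:-30}"
    [ -r "$ca" ] || { echo "CA file missing or unreadable: $ca" >&2; return 1; }
    # -checkend takes seconds; exit status 1 means the cert expires inside the window
    if ! openssl x509 -in "$ca" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "CA certificate expires within $days days (or is not valid PEM): $ca" >&2
        return 2
    fi
    return 0
}

# probe_ldaps <host> <port> <ca.pem> <bind-dn> <password> <base-dn>
# 1) checks the CA file,
# 2) performs a TLS handshake with chain verification against that CA,
# 3) performs a simple bind plus a base-scope search, which is what an
#    application-level LDAP login ultimately needs to succeed.
# Distinct return codes tell you which layer failed.
probe_ldaps() {
    host="$1"; port="$2"; ca="$3"; binddn="$4"; pw="$5"; base="$6"
    check_ca_file "$ca" || return $?
    # -verify_return_error makes s_client fail on any chain verification error
    if ! openssl s_client -connect "$host:$port" -CAfile "$ca" -verify_return_error \
            </dev/null >/dev/null 2>&1; then
        echo "TLS handshake/verification failed for $host:$port" >&2
        return 3
    fi
    # LDAPTLS_CACERT tells the OpenLDAP client library which CA to trust
    if ! LDAPTLS_CACERT="$ca" ldapsearch -x -H "ldaps://$host:$port" \
            -D "$binddn" -w "$pw" -b "$base" -s base -o ldif-wrap=no "(objectClass=*)" \
            >/dev/null 2>&1; then
        echo "Simple bind/search failed for $binddn against $host:$port" >&2
        return 4
    fi
    echo "LDAPS connectivity and bind OK for $host:$port"
    return 0
}

# Usage (placeholder values):
# probe_ldaps ldap.example.internal 636 /etc/pki/tls/certs/ldap-ca.pem \
#     "CN=svc-iris,OU=Service Accounts,DC=example,DC=internal" 'secret' "DC=example,DC=internal"
```

Run it from the affected server as the OS user that owns the IRIS instance, not as root: the original post checked certificate permissions, and a file readable by root but not by the instance user passes a manual inspection yet fails from inside the application. A return code of 3 or 4 with a passing check_ca_file points at the TLS chain or the bind credentials rather than the certificate file itself.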