LDAP Logging

Question

Question

Scott Roth · Dec 14, 2023

#LDAP #System Administration #Health Connect #InterSystems IRIS #InterSystems IRIS for Health

I am trying to troubleshoot an issue with LDAP and a specific user. Besides what is in the Audit Database is there another way to look to see the LDAP functionality that is being called and the response, like there is with OAuth and the ISCLOG? The Audit Log is returning a failure (Unexpected - /api/atelier login failure | InterSystems Developer Community) for this particular user, and I want to get proof that it might be something with the LDAP and not IRIS.

Thanks

Scott

Product version: IRIS 2022.1

$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2022.1 (Build 209U) Tue May 31 2022 12:13:24 EDT

Discussion (6)2

Log in or sign up to continue

Vic Sun · Dec 14, 2023

Hi Scott,

I would suggest using the %SYS.LDAP APIs to test each method individually or the LDAP test configuration page which will show additional logging.

https://docs.intersystems.com/iris20233/csp/docbook/DocBook.UI.Page.cls?KEY=ROARS_iam_ldap#ROARS_iam_ldap_unixapicertdebug

0 0

Tani Frankel · Dec 14, 2023

Maybe using the Portal built-in "Test LDAP Authentication" can help.

See Docs.

0 0

score 1 · Answer 1 · 2023-12-14T10:19:15-05:00

I had to debug an application LDAP issue and I used to Apache Directory Studio.

It turned out that the user had been copied from one OU to another and not moved.

score 0 · Answer 2 · 2023-12-15T08:56:07-05:00

Didn't give me any more additional information on the error besides what was in the Audit Database, but thanks.

score 0 · Answer 3 · 2024-02-02T09:42:14-05:00

I am wondering if the Query against LDAP is taking too long and timing out in a response, even though he is getting an Invalid Username/password error returned but this happens when he tries to sign in from VS Code using /api/atelier. I tried increasing the timeout, but it doesn't seem to make a difference. I tried adjusting the Base DN search, and the Nested Group search to no avail.

score 0 · Answer 4 · 2024-02-07T21:19:04-05:00

Hi, there was a breaking change after upgrading some IRIS version in regards to credential stored in IRIS for ldap connections.

Can the user logon to SMP using LDAP successfully? If not, then it might be worth a try deleting the user account for the user marked as LDAP. in IRIS, It will get recreated on next successful login.