Pulling information from Credentials using Cache Object Script

Question

Question

Scott Roth · Feb 23, 2018

#Databases #Globals #LDAP #Object Data Model #Security #Ensemble

Is there a way to pull a user name and password from the Credentials list that is kept in Ensemble? Right now I have a LDAP user that I have hard coded into my ZAUTHENTICATE, which I would like to get away from. I am not to familiar with settings Global, or calling them at least.

Thanks

Scott

Discussion (12)2

Log in or sign up to continue

Stylianos Chalkiotis · Feb 24, 2018

Hi

If you want to get the username and password that is stored in the Ensemble credentials list that is accessible via the management portal Ensemble>Credentials, and if you know the credential id,

then you can get the username and password via the Ens.Config.Credentials class:

SET cr=##class(Ens.Config.Credentials).%OpenId("yourCredentialID")

SET UserName=cr.Username

SET Password=cr.Password

see here the class reference:

http://docs.intersystems.com/latest/csp/docbook/%25CSP.Documatic.cls?AGE...

I hope it helps

Stelios

1 0

score 0 · Answer 1 · 2018-02-23T15:03:55-05:00

Passwords are encrypted so no.

Login details are stored in Security.Users table or ^SYS("Security","UsersD") global in %sys namespace.

score 0 · Answer 2 · 2018-03-01T09:02:58-05:00

Instead of storing it at the Credentials level, I have created a Global to store the LDAP server information. However when I am calling $Get(^OSUMCLDAP(Server)) nothing is being returned. Am I not calling it appropriately? Do I need to add an include statement somewhere to make sure it includes the globals?

#define LDAPServer $Get(^OSUMCLDAP(Server))

i $$$WindowsLDAPServer{
s AdminDN=$Get(^OSUMCLDAP(User))
s AdminPW=$Get(^OSUMCLDAP(Pass))
}

Thanks

Scott

score 0 · Answer 3 · 2018-03-01T09:11:07-05:00

Scott Roth · Mar 1, 2018

Never mind I figured it out.

0 0

score 0 · Answer 4 · 2018-02-23T15:05:16-05:00

Dmitry Maslennikov · Feb 23, 2018

Could you please add your code as an example what you already did with ZAUTHENTICATE?

0 0

score 0 · Answer 5 · 2018-02-26T07:42:00-05:00

ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
#include %occErrors
#include %sySecurity
#include %syLDAP

 
 s LDAPServer="xxxxx.xxxxxx.xxxx"
 s LD=##Class(%SYS.LDAP).Init(LDAPServer)
 i LD=0 {
   s Status=##Class(%SYS.LDAP).GetLastError()
   //g Error
 }
 s LDAPUser = "ensemble.Services"
 s LDAPPass = "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
 
 s Status=##Class(%SYS.LDAP).Binds(LD,"",$lb(LDAPUser,"",LDAPPass),$$$LDAPAUTHNEGOTIATE)
 i Status'=$$$LDAPSUCCESS q $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
 
  s BaseDN="dc=OSUMC,dc=EDU"
 s Filter="sAMAccountname="_Username
 s Attributes=$lb("sAMAccountname","displayName","mail")
 s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,$$$LDAPSCOPESUBTREE,Filter,Attributes,0,"","",10,1,.SearchResult)
 i Status'=$$$LDAPSUCCESS {
 w !,"SearchExts error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
 g Done
 }
 s CurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,SearchResult)
 i CurrentEntry=0 {
 s Status=##Class(%SYS.LDAP).GetError(LD)
 w !,"FirstEntry error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status) 
 g Done
 }
 s DN=##Class(%SYS.LDAP).GetDN(LD,CurrentEntry) 
 s Attribute=##Class(%SYS.LDAP).FirstAttribute(LD,CurrentEntry,.Ptr)
 while (Attribute'="") {
   s Values=##Class(%SYS.LDAP).GetValuesLen(LD,CurrentEntry,Attribute)
   //w Values
   s Properties("Attributes",Attribute)=Values
   //w Attributes(Attribute)
  s Attribute=##Class(%SYS.LDAP).NextAttribute(LD,CurrentEntry,.Ptr)
 }
 s Properties("Username")=$li(Properties("Attributes","sAMAccountName"))
 k Properties("Attributes","sAMAccountName")
 s Properties("FullName")=$li(Properties("Attributes","displayName"))
 k Properties("Attributes","displayName")

 s GroupFilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:="_DN_"))"
 s GroupAttributes=""
 s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,$$$LDAPSCOPESUBTREE,GroupFilter,GroupAttributes,0,"","",10,0,.GroupSearchResult)
 i Status'=$$$LDAPSUCCESS {
w !,"SearchExts error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Done
 }
 s GroupNumEntries=##Class(%SYS.LDAP).CountEntries(LD,GroupSearchResult)
 i GroupNumEntries=-1 {
s Status=##Class(%SYS.LDAP).GetError(LD)
//w !,"CountEntries Group error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Done
 }

 w !
 i GroupNumEntries=0 {
w !,"No nested groups for "_Username_" found"
g Done
 }
 i GroupNumEntries>0 {
//w !,"Found "_GroupNumEntries_" nested groups for user "_Username
 }

#;Get the dn of the first entry returned.
 s GroupCurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,GroupSearchResult)
 i GroupCurrentEntry=0 {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"FirstEntry error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Done
 }
 s Groups=""
 While (GroupCurrentEntry'=0) {
s GroupDN=##Class(%SYS.LDAP).GetDN(LD,GroupCurrentEntry)
i GroupDN="" {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"GetDN Group error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
q
}
s CN=$p(GroupDN,",",1)
s AD=$p(CN,"=",2)
s AD=$zcvt(AD,"L") 
set exists=''$d(^|"%SYS"|SYS("Security","RolesD",AD))
if exists{
s Properties("Roles") = AD
w Properties("Roles")
}
#;Save for later display
//w !,AD
  s GroupCurrentEntry=##Class(%SYS.LDAP).NextEntry(LD,GroupCurrentEntry)
 }
Done
 i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
 i $d(GroupSearchResult) d ##Class(%SYS.LDAP).MsgFree(GroupSearchResult)
#;Close the connection and free the LDAP in memory structures.
 i $d(LD) d ##Class(%SYS.LDAP).UnBinds(LD)
 q $SYSTEM.Status.OK()
Error s $zt=""
 w !,"Cache error: "_$ze
 g Done
}

score 0 · Answer 6 · 2018-02-26T08:54:00-05:00

ZAUTHENTICATE used to authenticate users with their login and password, so, if you already have user's password you can connect to LDAP/AD server with this credentials.

score 0 · Answer 7 · 2018-02-26T08:42:04-05:00

To verify against LDAP we needed a separate user other than the user trying to log into the system.
Also to make it easier on all parties involved instead of using new Attributes in LDAP, I had a group created that I could match up against a role of the same name in Ensemble.

So if I have an additional user I need to use to verify as the LDAP search user, how would I store the user name and password in this scenario?

score 0 · Answer 8 · 2018-02-26T09:29:38-05:00

First, you can access Ensemble Credentials using the Ens.Config.Credentials class. To be clear this is NOT User definitions from the Security module. These are defined via the Ensemble Management portal options under Ensemble -> Configure ->Credentials.

That should work for you. I would still like to better understand what is going on in the application here that drives this. You seem to be indicating that this is a user logging into Ensemble. If you could detail out the workflow that is happening and how it related to Ensemble Services we might be able to better advise you.

Finally, I want to make you aware that the LDAP interface in InterSystems technologies has a method for using groups to define everything the security model needs. In fact that is the default method in recent versions.

The best path forward is to get your Sales Engineer (SE) involved in what you are trying to achieve. That person would be best suited to dig into your requirements and advise you. If, for some reason, you cannot contact your SE or don't know who that is send me a private message. I'd be happy to help out more directly.

score 0 · Answer 9 · 2018-02-26T10:46:49-05:00

Sorry I am learning AD/LDAP as I go. I talked with the "powers that be" and they did confirm that I do not see a separate username and password to BIND to LDAP, and that I can use the UserName. So I will make that switch in the code above.

Thanks everyone.

score 0 · Answer 10 · 2018-02-26T11:33:39-05:00

Your welcome.

As you said you are still learning LDAP I am putting a couple of links regarding LDAP documentation and articles below. Hope that helps you out.

http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GCAS_LDAP

http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=EGIN_options_connectivity_adapters

https://community.intersystems.com/post/global-summit-2016-ldap-beyond-simple-schema

score 0 · Answer 11 · 2018-02-26T08:28:57-05:00

Ensemble Credentials are normally used to satisfy security for an Ensemble Business host. This separates the maintenance of security from the maintenance of the actual interfaces. The application of the security is handled completely by Ensemble in that scenario. This does not appear to be how you are attempting to utilize this. It would help to better understand your use case here. What is the entry path/service that is utilizing delegated authentication?