Question
· Jan 10, 2017

Using LDAP to Authenticate and Authorize

Hi Group, I've followed the instructions from the documentation to configure LDAP and Ensemble to authenticate, however, I'm unable to authenticate using an account in the LDAP.  The user is able to authenticate in a Linux shell.  I have added the ObjectClass of IntersystemsAccount and the 3 group definitions to the schema.  Other than adding the user to this group, do I have to change the user's objectClass at all?  

This is not on active directory - it is a Linux based LDAP solution (slapd).

Discussion (3)0
Log in or sign up to continue

There are a couple of things you could be doing here, so let me make sure I understand what you're trying to do.  Are you trying to configure LDAP authentication so that users who log into Ensemble will authenticate against the LDAP server, based on the settings in the System Administration > Security > System Settings > LDAP options ?

If so:

What error do you get when you try to log in?

Have you tried the "Test LDAP authentication" option in ^SECURITY?  This may give you more details of what's failing.  (It's under 12) System parameter setup, then 3) Edit LDAP options )

Are you using the "Use LDAP Groups for Roles/Routine/Namespace" option?  I'm guessing not, since you said you added IntersystemsAccount to the schema, but want to check because you also mentioned groups.  (You may not have this option on some older versions.)

Well, I was originally getting an access denied error and upon further investigation I realized I had not modified the /csp/sys web application to allow for LDAP authentication.  That got me to log in, however it was not picking up the LDAP Groups for Roles/Routine/Namespace.  I had the options properly added to the LDAP accounts but they weren't getting picked up.  I unchecked that option and made sure the values were populated with intersystems-Roles, intersystems-Routine and intersystems-Namespace and it finally worked.  I now have a functioning LDAP configuration.