Published on InterSystems Developer Community (https://community.intersystems.com)

Home > Adding TLS to ZAUTHENTICATE
Question
· Jun 29, 2018

Adding TLS to ZAUTHENTICATE

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating coredumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.

1. Get User Attibutes from AD

2. Get User Groups From AD

So while I am trying to cleanup the code I thought it would be a good time to add a Certificate and TLS to the mix since I should of been using that all along. However I keep running into issues

Error message: Cache error: <UNDEFINED>ZAUTHENTICATE+104^ZAUTHENTICATE *LD

its not displaying the error code it should be from the ZAUTHENTICATE in the Audit Database. How do I get it to tell me where it is actually stopping in the ZAUTHENTICATE code? Or can someone look at the code below and see what I might be doing wrong?

ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
#include %occErrors
#include %sySecurity
#include %sySite
#include %syLDAP
#define LDAPServer $Get(^OSUMCLDAP("Server"))
#define WindowsLDAPServer 1
#define WindowsCacheClient 0
#define UseSecureConnection 1
#define UnixCertificateFile $Get(^OSUMCLDAP("LDAPKey"))_"certnew.pem"
#define WindowsBaseDN "dc="_$Get(^OSUMCLDAP("Domain"))_",dc=edu"
#define WindowsFilter "sAMAccountname"
#define WindowsAttributeList $lb("displayName","department","mail")
 $zt="Error"
 Status = 0
 Password="" {
Status= $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
Error
 }
 $$$WindowsLDAPServer{
AdminDN=$Get(^OSUMCLDAP("User"))
AdminPW=$Get(^OSUMCLDAP("Pass"))
 }
 $$$ISWINDOWS,$$$UseSecureConnection{
 LD=##Class(%SYS.LDAP).Init($$$LDAPServer)
 LD=0 {
 Status=##Class(%SYS.LDAP).GetLastError()
 Status="Init error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
 Error
  }
 Status=##Class(%SYS.LDAP).SetOption(LD,$$$LDAPOPTXTLSCACERTFILE,$$$UnixCertificateFile)
 i Status'=$$$LDAPSUCCESS{
 Status ="SetOption error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
 Error

  Status=##class(%SYS.LDAP).StartTLSs(LD)
  Status'=$$$LDAPSUCCESS{
  Status="ldap_setoption(Certificate) - "_##class(%SYS.LDAP).Err2String(Status)
  Error
  }
 }

 Status=##Class(%SYS.LDAP).SimpleBinds(LD,AdminDN,AdminPW)
 Status'=$$$LDAPSUCCESS 
  {
Status = "ldap_Simple_Bind(AdminDN) - "_##Class(%SYS.LDAP).Err2String(Status)
#;w !,Status
Error
  }
  $$$WindowsLDAPServer {
  s Filter=$$$WindowsFilter_"="_Username
 }
 $$$WindowsLDAPServer {
AttributeList=$$$WindowsAttributeList
#;AttributeList
 
 $$$WindowsLDAPServer {
BaseDN=$$$WindowsBaseDN
#;BaseDN
 
  SearchScope=$$$LDAPSCOPESUBTREE
  Timeout=30
  SizeLimit=1
 Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,SearchScope,Filter,AttributeList,0,"","",Timeout,"",.SearchResult)
 Status'=$$$LDAPSUCCESS {
Status=$$$XLDAPFILTERERROR {
Status="1,User "_Username_" does not exist"
!,Status
else {
Status=Status_",ldap_Search_Ext - "_##Class(%SYS.LDAP).Err2String(Status)
}
Error
 }
 NumEntries=##Class(%SYS.LDAP).CountEntries(LD,SearchResult)
 NumEntries=-1 {
 Status=##Class(%SYS.LDAP).GetError(LD)
 Status=Status_",ldap_Count_Entries - "_##Class(%SYS.LDAP).Err2String(Status)
 Error
 }
 NumEntries=0 {
Status="1,User "_Username_" does not exist"
  Error
 }
 NumEntries>1 {
Status="1,LDAP Filter is not unique"
  Error
 }
 CurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,SearchResult)
 CurrentEntry=0 {
Status=##Class(%SYS.LDAP).GetError(LD)
Status="ldap_FirstEntry - "_##Class(%SYS.LDAP).Err2String(Status)
Error
 }
 DN=##Class(%SYS.LDAP).GetDN(LD,CurrentEntry)
 Password="" {
Status="1,ldap_Simple_Bind("_DN_") - password cannot be null"
Error
 }
 Status=##Class(%SYS.LDAP).SimpleBinds(LD,DN,Password)
 Status'=$$$LDAPSUCCESS {
Status=Status_",ldap_Simple_Bind("_DN_") - "_##Class(%SYS.LDAP).Err2String(Status)
Error
 }
 Attribute=##Class(%SYS.LDAP).FirstAttribute(LD,CurrentEntry,.Ptr)
 while (Attribute'="") {
   Values=##Class(%SYS.LDAP).GetValuesLen(LD,CurrentEntry,Attribute)
   #;Values:"_Values
   Properties("Attributes",Attribute)=Values
  Attribute=##Class(%SYS.LDAP).NextAttribute(LD,CurrentEntry,.Ptr)
 }
 Properties("Username")=Username
 Properties("FullName")=$li(Properties("Attributes","displayName"))
 Properties("Attributes","displayName")
 Properties("Comment")=$li(Properties("Attributes","department"))
 Properties("Attributes","department")
 Properties("EmailAddress")=$li(Properties("Attributes","mail"))
 Properties("Attributes","mail")
 $d(SearchResult) ##Class(%SYS.LDAP).MsgFree(SearchResult)
 GroupFilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:="_DN_"))"
 GroupAttributes=""
 Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,$$$LDAPSCOPESUBTREE,GroupFilter,GroupAttributes,0,"","",10,0,.GroupSearchResult)
 Status'=$$$LDAPSUCCESS {
!,"SearchExts error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
Error
 }
 GroupNumEntries=##Class(%SYS.LDAP).CountEntries(LD,GroupSearchResult)
 GroupNumEntries=-1 {
Status=##Class(%SYS.LDAP).GetError(LD)
Status=##Class(%SYS.LDAP).Err2String(Status)
Error
 }
 !
 GroupNumEntries=0 {
!,"No nested groups for "_Username_" found"
Done
 }
 GroupNumEntries>0 {
//w !,"Found "_GroupNumEntries_" nested groups for user "_Username
 }
 GroupCurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,GroupSearchResult)
 GroupCurrentEntry=0 {
Status=##Class(%SYS.LDAP).GetError(LD)
!,"FirstEntry error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
Error
 }
 Groups=""
 While (GroupCurrentEntry'=0) {
GroupDN=##Class(%SYS.LDAP).GetDN(LD,GroupCurrentEntry)
GroupDN="" {
Status=##Class(%SYS.LDAP).GetError(LD)
!,"GetDN Group error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
Error
}
CN=$p(GroupDN,",",1)
AD=$p(CN,"=",2)
AD=$zcvt(AD,"L")
exists=''$d(^|"%SYS"|SYS("Security","RolesD",AD))
exists{
Properties("Roles") = AD
}
  GroupCurrentEntry=##Class(%SYS.LDAP).NextEntry(LD,GroupCurrentEntry)
 }
Done
 //i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
 $d(GroupSearchResult) ##Class(%SYS.LDAP).MsgFree(GroupSearchResult)
#;Close the connection and free the LDAP in memory structures.
 +$d(LD) ##Class(%SYS.LDAP).UnBinds(LD)
 #;w !,"SystemOK "_$SYSTEM.Status.OK()
 $SYSTEM.Status.OK()
Error $zt=""
 $d(SearchResult) ##Class(%SYS.LDAP).MsgFree(SearchResult)
 $d(GroupSearchResult) ##Class(%SYS.LDAP).MsgFree(GroupSearchResult)
 +$d(LD) Status=##class(%SYS.LDAP).UnBinds(LD)
 $ze'=""{
 #;w !,"ERROR:"_$SYSTEM.Status.Error($$$CacheError,$ze)
 $SYSTEM.Status.Error($$$CacheError,$ze)
 else{  
  #;w !,"ERROR:"_$SYSTEM.Status.Error($$$GeneralError,"LDAP error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status))
  $SYSTEM.Status.Error($$$GeneralError,"LDAP error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status))
 }
}
 

Thanks

Scott Roth

The Ohio State University Wexner Medical Center

#LDAP #Object Data Model #Security #SSL #Caché
Source URL:https://community.intersystems.com/post/adding-tls-zauthenticate