LDAP


Hi,
I am facing an issue during LDAP lookup: whenever I use the product group parameter in AD Explorer to search data from the application, I get an empty result. If I set the product group parameter to null, then a result is generated in the application based on the distinguished name. So if anyone knows how LDAP works and how parameters are set in AD Explorer, please let me know.

Thanks in advance.


Hello everyone,

 

I am in the process of changing our authentication method so we can integrate AD authentication into our programs. At the moment I am using the %SYS.LDAP object and trying to use the .Bind() method with the user information to authenticate. This seems to work without issues, but here the problems start.

When I flag a user 'Change password on next logon' in our Active Directory, the Bind fails with a status error: "Invalid Credentials". To make sure the user who logged in is in fact the user who should change the password, I still need to check whether this user entered the correct current login information.

Checking the fields 'badPwdCount' or 'badPasswordTime' does not help, since it seems they are not filled after a failed .Bind().

Does anyone have experience with this issue and know how to work around the change-password problem?

Thank you guys in advance!

 

Thomas

Last answer 4 April 2019

Hi Community!

Please welcome a new video on Developer Community YouTube Channel:

Building Powerful LDAP Configurations

 


Does InterSystems, specifically Ensemble, support a Single Sign-On architecture? Currently we are using delegated sign-on using LDAP and TLS; however, our CIO would like us to move toward single sign-on, so that when you sign into your PC it would automatically pass the credentials to Ensemble.

Thanks

Scott

Last answer 23 January 2019 Last comment 23 January 2019

Hi Everyone!

New session recording from Global Summit 2018 is already on Developer Community YouTube Channel:

Advanced Cloud Provisioning & Deployment

 


Has anyone worked out a way to use LDAP to define the default namespace on multiple servers? I know that the documentation says that intersystems-Namespace-xxx only supports one namespace, but how is this useful? Is there any workaround to, say, have intersystems-Namespace-server1-namespaceA and intersystems-Namespace-server2-namespaceB? Is it best practice to use the same "namespace" on every server?

Thanks!

Last answer 6 November 2018

At first glance, configuring LDAP authentication in Caché is not hard at all: the manual describes the process in just 6 paragraphs. On the other hand, if the LDAP server is Microsoft Active Directory, there are a few non-obvious things that need to be configured on the LDAP server side, and those who don't do this on a regular basis may get lost in the Caché settings. In this article, we describe the step-by-step process of setting up LDAP authentication and cover the diagnostic methods that can be used if something doesn't work as expected.

Last comment 23 October 2018

Hi all, by using the LDAP Caché method ##Class(%SYS.LDAP).GetValuesLen(LD,CurrentEntry,Attribute) we get the list of attributes, but the "objectSid" attribute has the SID in binary format (objectSid^U¤:c@ãºþÕLCP]). How do we convert it from the binary format to a readable format on the Caché side?
Please help us to proceed further.

Last answer 9 October 2018 Last comment 10 October 2018
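Decoding a binary objectSid into the familiar S-1-5-21-... form, as an added example that is not part of the original thread. It is written in Python rather than ObjectScript so it can be run as is; the SID layout it implements (revision byte, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) is the standard Windows encoding. The sample SID S-1-5-21-1-2-3-500 is constructed for illustration, and the filter helper escapes the raw bytes the way an LDAP search filter on a binary attribute needs (RFC 4515), which is the usual next step once you have the SID.

```python
"""Decode/encode Windows security identifiers (objectSid).
Added example, not code from the thread; the sample SID below is constructed."""
import struct


def sid_to_string(raw):
    """Binary SID -> 'S-1-5-21-...-500'.

    Layout: byte 0 revision (always 1), byte 1 sub-authority count,
    bytes 2..7 identifier authority (48-bit big-endian), then `count`
    little-endian 32-bit sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short: %d bytes" % len(raw))
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match %d sub-authorities"
                         % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def string_to_sid(text):
    """'S-1-5-21-...' -> binary SID (inverse of sid_to_string)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)


def rid(text):
    """Relative identifier: the last sub-authority (500 = built-in Administrator)."""
    return int(text.rsplit("-", 1)[1])


def domain_sid(text):
    """Everything before the RID: the SID of the issuing domain."""
    return text.rsplit("-", 1)[0]


def sid_ldap_filter(text, attribute="objectSid"):
    """LDAP search filter on a binary attribute. RFC 4515 requires each raw
    byte to be written as a backslash followed by two hex digits."""
    escaped = "".join("\\%02x" % b for b in string_to_sid(text))
    return "(%s=%s)" % (attribute, escaped)


# Constructed sample: a domain SID (authority 5, first sub-authority 21)
# with RID 500, i.e. the domain's built-in Administrator account.
SAMPLE_SID_HEX = "01" "05" "000000000005" "15000000" "01000000" "02000000" "03000000" "f4010000"
SAMPLE_SID = bytes.fromhex(SAMPLE_SID_HEX)

if __name__ == "__main__":
    text = sid_to_string(SAMPLE_SID)
    print(text)                                   # S-1-5-21-1-2-3-500
    print("domain:", domain_sid(text), "rid:", rid(text))
    print(sid_ldap_filter(text))
```

The same byte string is what %SYS.LDAP hands back for objectSid, so the decode step is the only part that differs between languages; the important detail is that the identifier authority is big-endian while every sub-authority is little-endian.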

Hi All,
I tried to execute ##Class(%SYS.LDAP).Binds(LD,"",$lb(Username,Domain,Password),$$$LDAPAUTHNEGOTIATE), but this command returns the value 7 instead of 0. 7 is "Authentication Method Not Supported". How do I recover from it, and why is this error message occurring?
Please help me.

Last comment 14 September 2018

Do you want to simplify your user management by using Windows domain accounts? When you add LDAP integration to your system, you can: 

  • Use the same logins on all your instances 
  • Manage the user accounts centrally 
  • Stop worrying about synchronizing accounts between systems 

In Active Directory Integration with LDAP, a live webinar (June 21, 11:00 a.m. EDT), Katherine Reid, Senior Support Specialist at InterSystems, will discuss the main options for integrating your user accounts with your domain, including delegated authentication and LDAP authentication.

Katherine will also walk through how you might set this up on your own system. After the webinar, you can practice what you've learned using a lab from InterSystems Documentation.

Last comment 29 August 2018

I wrote a ZAUTHENTICATE.mac a couple of months back and recently found that it is creating core dumps on almost a nightly basis. I think I have figured out this problem to be that I am not clearing out my MsgSearch after doing 2 of them within the code.

1. Get User Attributes from AD

2. Get User Groups From AD

So while I am trying to clean up the code, I thought it would be a good time to add a certificate and TLS to the mix, since I should have been using that all along. However, I keep running into issues.

Error message: Cache error: <UNDEFINED>ZAUTHENTICATE+104^ZAUTHENTICATE *LD

It's not displaying the error code it should from ZAUTHENTICATE in the Audit Database. How do I get it to tell me where it is actually stopping in the ZAUTHENTICATE code? Or can someone look at the code below and see what I might be doing wrong?

Last answer 30 June 2018 Last comment 24 July 2018

Is there a way to pull a user name and password from the Credentials list that is kept in Ensemble? Right now I have an LDAP user that I have hard-coded into my ZAUTHENTICATE, which I would like to get away from. I am not too familiar with setting globals, or calling them at least.

Thanks

Scott

Last answer 24 February 2018 Last comment 1 March 2018

I am working on a ZAUTHENTICATE.mac to move us from local Caché users to Delegated Authentication against LDAP.

I have created a user role within my instance of Ensemble that matches the AD Group that I will be assigning everyone in my group to. Is there a way to query the list of available Roles within Ensemble and, if one of my AD groups matches that role, set the role for that user?

How would I compare the AD Group against the Role listing?

Thanks

Scott

Last answer 17 February 2018 Last comment 20 February 2018

I am working through trying to use ZAUTHENTICATE.mac and LDAP.mac to do Delegated sign-on into Ensemble. In reading over the samples and the documentation, I am not clearly finding how to set the appropriate Role from the LDAP group I return. Can someone help explain this part to me? If I have a user sign on, and I return a "Group" from the Authentication, how do I get that to transform into the Role I need for Ensemble?

Thanks

Scott Roth

Last answer 12 February 2018

Hi,

I am getting the following error while logging in using LDAP authentication,

"An error occurred with the CSP application and has been logged to system error log (^ERRORS)". I've set the connection up and the Authentication Test was successful. I seem to be able to log in as well but keep getting that error. If I allow unauthenticated access then the page works, but changing it to LDAP is not working.

The LDAP account, once created in Caché, has U access to the resource related to the web application.

Also, when I check the ^ERRORS variable there is no data there.

 

Kind regards,

Alice

Last comment 23 October 2017

Some key points are emphasized in this article to save you time getting the Linux LDAP client in Caché working with a Windows AD (Active Directory) LDAP server.
The first thing to do is to get a successful TLS connection to Windows AD.
The raw TCP case is beyond the scope of this article; there is no problem with it, it is trivial.
The Windows LDAP server uses port 636 for TLS (LDAPS), and this port can be used to retrieve the LDAP server's certificate.
As we will see later, there is a reason for this.
The Linux LDAP client uses the STARTTLS LDAP extension to switch a plain TCP connection to TLS.
Hence, the connection should use port 389.
After the TLS handshake, the OpenLDAP client library checks the host name used in the ldap Init() call against certain fields of the LDAP server's certificate.
That is why it is worth retrieving the certificate with the openssl tool, to be sure that this check will succeed.
Unfortunately, the OpenLDAP client library has poor diagnostics.
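The exchange the article describes, as an added example that is not code from the article or from Caché: a plain TCP connection to port 389, the LDAP StartTLS extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037), and then a TLS handshake in which the certificate is verified against the exact host name the client was given, which is the check that fails silently in the OpenLDAP library. The BER encoder/decoder is minimal and only handles this one message pair; the host names, ports and the two sample server responses are constructed. The name-matching function is included so the certificate check can be reasoned about offline (it shows why connecting by IP address or by short host name fails even when the certificate is otherwise fine).

```python
"""Reproduce what the Linux LDAP client does against a Windows AD server:
plain TCP to 389, LDAP StartTLS, then a host-name-verified TLS handshake.
Added example, not code from the article. Host names, ports and the sample
LDAP messages below are constructed for illustration."""
import socket
import ssl
import sys

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS requestName


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] } }."""
    if not 0 <= msg_id < 0x80:
        raise ValueError("msg_id must fit in one INTEGER byte for this helper")
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))   # [0] context, primitive
    extended_req = _tlv(0x77, request_name)                   # APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + extended_req)


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse.
    resultCode 0 means the server will now speak TLS; anything else is a refusal."""
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, msg_id, pos = _read_tlv(message, 0)
    tag, op, _ = _read_tlv(message, pos)
    if tag != 0x78:                                        # APPLICATION 24
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)                        # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def hostname_matches(hostname, dns_names):
    """The post-handshake check the client library performs (RFC 6125 style):
    case-insensitive, exact match or a single leftmost wildcard label. An IP
    address or a short host name never matches a DNS subjectAltName."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                                   # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def san_dns_names(peercert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def starttls_and_verify(hostname, port=389, cafile=None, timeout=5.0):
    """Live check; returns (ok, detail). `hostname` must be the exact string the
    LDAP client passes to Init(), because that is what the certificate is checked against."""
    ctx = ssl.create_default_context(cafile=cafile)   # check_hostname=True by default
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            return False, "server refused StartTLS: resultCode=%d %s" % (code, diag)
        try:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, "TLS OK; certificate DNS names: %s" % ", ".join(san_dns_names(tls.getpeercert()))
        except ssl.SSLCertVerificationError as exc:
            return False, "certificate rejected for %r: %s" % (hostname, exc.verify_message)


# Constructed sample responses, as a DC would answer the request above.
STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")          # success(0)
STARTTLS_REFUSED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78,      # operationsError(1)
    _tlv(0x0A, b"\x01") + _tlv(0x04, b"") + _tlv(0x04, b"TLS not available")))

if __name__ == "__main__":
    ok, detail = starttls_and_verify(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print("OK" if ok else "FAIL", detail)
```

Run it with the same host name string you put in the Caché LDAP configuration and, if you have one, the CA file that signed the domain controller's certificate; a "certificate rejected" result with the DNS names listed tells you directly whether the problem is the name you used or the trust chain, which is the diagnostic the client library itself does not give you.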


Hi,

Is calling the BIND method of %SYS.LDAP with the username, domain and password of the user that needs to be authenticated the right way to authenticate him/her?

Also, am I correct in assuming that something like this is independent of (and I don't need to specify settings for) System Security -> LDAP Options?

Thanks

Steve

 

 

Last answer 3 April 2017

Hi Group, I've followed the instructions from the documentation to configure LDAP and Ensemble to authenticate; however, I'm unable to authenticate using an account in the LDAP. The user is able to authenticate in a Linux shell. I have added the ObjectClass of IntersystemsAccount and the 3 group definitions to the schema. Other than adding the user to this group, do I have to change the user's objectClass at all?

This is not on active directory - it is a Linux based LDAP solution (slapd).

Last answer 10 March 2017 Last comment 11 January 2017

I was recently asked whether we have a function to convert LDAP date time stamps into $HOROLOG format or other formats and the answer is not at the moment, but there is a simple method to do the conversion.

Let us look at the facts and figures involved...

1) Active Directory's (AD) date 0 (zero) is 1601-01-01 00:00:00.000 or January 1st, 1601 at midnight (00:00:00)

2) AD timestamps are calculated as the number of 100 nanosecond intervals from date 0

3) 864000000000 is the number of 100 nanosecond intervals per day

4) The $HOROLOG format (Cache internal date) is a pair of numbers separated by a comma. The first number is the number of days since December 31st, 1840 and the second number is the number of seconds since midnight on the given day.

5) It is 87657 days from the 01/01/1601 to 01/01/1841, but not including the end date - so number of days pas
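The conversion those five facts lead to, carried through as an added example (Python rather than ObjectScript so it runs as is; not code from the article). It uses the article's own constants, 864000000000 intervals per day and 87657 days from 1601-01-01 to the $HOROLOG epoch of 1840-12-31, and handles the two sentinel values AD uses in attributes such as pwdLastSet, lastLogonTimestamp and accountExpires: 0 (never set) and 9223372036854775807 (never expires). The sample timestamps are constructed; the Unix epoch one is the standard 116444736000000000.

```python
"""Active Directory 100 ns timestamps <-> $HOROLOG <-> datetime.
Added example, not code from the article; sample values are constructed."""
from datetime import datetime, timedelta, timezone

INTERVALS_PER_DAY = 864_000_000_000          # fact 3: 100 ns intervals in one day
INTERVALS_PER_SECOND = 10_000_000
DAYS_AD_EPOCH_TO_H_EPOCH = 87657             # fact 5: 1601-01-01 .. 1840-12-31
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)    # fact 1: AD date 0
H_EPOCH = datetime(1840, 12, 31, tzinfo=timezone.utc)   # fact 4: $H date 0
AD_NEVER = 0x7FFFFFFFFFFFFFFF                # 9223372036854775807, "never" (accountExpires)


def ad_to_horolog(ts):
    """AD timestamp (int, or the decimal string LDAP returns) -> "days,seconds"
    in $HOROLOG form, or None for the 0 / never sentinels. Sub-second
    precision is dropped because $HOROLOG has none."""
    ts = int(ts)
    if ts <= 0 or ts >= AD_NEVER:
        return None
    days, rest = divmod(ts, INTERVALS_PER_DAY)
    return "%d,%d" % (days - DAYS_AD_EPOCH_TO_H_EPOCH, rest // INTERVALS_PER_SECOND)


def horolog_to_ad(h):
    """"days,seconds" -> AD timestamp (inverse of ad_to_horolog, at whole seconds)."""
    days, secs = (int(x) for x in h.split(","))
    return (days + DAYS_AD_EPOCH_TO_H_EPOCH) * INTERVALS_PER_DAY + secs * INTERVALS_PER_SECOND


def ad_to_datetime(ts):
    """AD timestamp -> aware UTC datetime (microsecond precision), or None."""
    ts = int(ts)
    if ts <= 0 or ts >= AD_NEVER:
        return None
    return AD_EPOCH + timedelta(microseconds=ts // 10)


def horolog_to_datetime(h):
    """"days,seconds" -> aware UTC datetime; AD stores UTC, so no zone shift is applied."""
    days, secs = (int(x) for x in h.split(","))
    return H_EPOCH + timedelta(days=days, seconds=secs)


def horolog_to_iso(h):
    return horolog_to_datetime(h).strftime("%Y-%m-%d %H:%M:%S")


# Constructed samples: the Unix epoch as AD stores it (134774 days after
# 1601-01-01) and a pwdLastSet-like value 1 h 1 min 1 s later with a few
# stray 100 ns ticks, to show they are discarded.
UNIX_EPOCH_AD = 116_444_736_000_000_000
SAMPLE_PWD_LAST_SET = UNIX_EPOCH_AD + 3661 * INTERVALS_PER_SECOND + 5

if __name__ == "__main__":
    for ts in (UNIX_EPOCH_AD, SAMPLE_PWD_LAST_SET, 0, AD_NEVER):
        print(ts, "->", ad_to_horolog(ts), ad_to_datetime(ts))
```

The value to check by hand is the Unix epoch: 116444736000000000 / 864000000000 = 134774 days since 1601-01-01, and 134774 - 87657 = 47117, which is $HOROLOG for 1 January 1970.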


Presenter: Rich Taylor
Task: Use an LDAP schema that differs from the provided default
Approach: Give examples of customized LDAP schema development, using LDAP APIs and ZAUTHORIZE
 

In this session we explore the various options for working with LDAP as an authentication and authorization framework. We will look beyond the simple LDAP schemas into working with more complex LDAP configurations that incorporate application-level security information.

 

Content related to this session, including slides, video and additional learning content can be found here.

Last comment 14 April 2016

In preparation for a presentation I need a real-world LDAP schema that has been customized a bit beyond the basics. Preferably this would be based on an OpenLDAP system, which would make it easier to merge into this presentation.

 

If you have such a schema you would be willing to share, please respond or contact me directly at Rich.Taylor@InterSystems.com

Thanks in advance.

Rich Taylor

Last comment 17 February 2016