#LDAP

I was recently asked whether we have a function to convert LDAP date time stamps into $HOROLOG format or other formats and the answer is not at the moment, but there is a simple method to do the conversion.

Let us look at the facts and figures involved...

1) Active Directory's (AD) date 0 (zero) is 1601-01-01 00:00:00.000 or January 1st, 1601 at midnight (00:00:00)

2) AD timestamps are calculated as the number of 100 nanosecond intervals from date 0

3) 864000000000 is the number of 100 nanosecond intervals per day

I'm writing an operation to use the LDAP Outbound Adapter to query AD.

The operation's settings include a basic Credentials selector, to allow you to use the built in Credentials function of Ensemble. This can be referenced in the operation with ..Adapter.Credentials

I wrote a ZAUTHENTICATE.mac a couple of months back, and found recently that it is creating coredumps on almost a nightly basis. I think I have figured out this problem to be not clearing out my MsgSearch after I am doing 2 of them within the code.

1. Get User Attibutes from AD

2. Get User Groups From AD

So while I am trying to cleanup the code I thought it would be a good time to add a Certificate and TLS to the mix since I should of been using that all along. However I keep running into issues

Has anyone worked out a way to use LDAP to define the default namespace on multiple servers? I know that documentation says that intersystems-Namespace-xxx only supports one namespace, but how is this useful? Any workaround to say have intersystems-Namespace-server1-namespaceA and intersystems-Namespace-server2-namespaceB? Is it best practice to use the same "namespace" on every server?

Thanks!

Hi Group, I've followed the instructions from the documentation to configure LDAP and Ensemble to authenticate, however, I'm unable to authenticate using an account in the LDAP. The user is able to authenticate in a Linux shell. I have added the ObjectClass of IntersystemsAccount and the 3 group definitions to the schema. Other than adding the user to this group, do I have to change the user's objectClass at all?

This is not on active directory - it is a Linux based LDAP solution (slapd).

Currently we are using Delegated Authentication using ZAUTHENTICATE to look at the groups that are associated with a user and if it matches a role within IRIS, to assign the user to that role within IRIS.

Does Intersystems specifically Ensemble support a Single Sign On architecture? Currently we are using Delegated sign on using LDAP and TLS, however our CIO would like us to move toward a single sign on, so when you sign into your PC it would automatically pass the credentials to Ensemble.

Thanks

Scott

Hi Community!

Please welcome a new video onInterSystems Developers YouTube Channel:

Building Powerful LDAP Configurations

https://www.youtube.com/embed/oRQ7NbK-Uk8
[This is an embedded link, but you cannot view embedded content directly on the site because you have declined the cookies necessary to access it. To view embedded content, you would need to accept all cookies in your Cookies Settings]

Hi,

I am getting the following error while logging in using LDAP authentication,

"An error occurred with the CSP application and has been logged to system error log (^ERRORS)". I've set the connection up and using Authentication Test was successful. I seem to be able to login as well but keep getting that error. If I allows unauthenticated access then the page works but changing it to LDAP is not working.

The LDAP account once created in Cache has U access to the resource related with the web application.

I am trying to troubleshoot an issue with LDAP and a specific user. Besides what is in the Audit Database is there another way to look to see the LDAP functionality that is being called and the response, like there is with OAuth and the ISCLOG? The Audit Log is returning a failure (Unexpected - /api/atelier login failure | InterSystems Developer Community) for this particular user, and I want to get proof that it might be something with the LDAP and not IRIS.

Thanks

Scott

Hi,
I am facing issue during LDAP lookup like whenever I used product group parameter in AD explorer to search data from application I am getting empty result. If I set product group parameter as null then based on distinguished name result is generated in application. So if anyone knows about how LDAP works and how parameters are set in AD explorer then please let me know.

Thanks in advance.

I am working on an ZAUTHENTICATE.mac to move us from local cache users to Delegated Authentication against LDAP.

I have created a user role within my instance of Ensemble that matches the AD Group that I will be assigning everyone in my group to. Is there a way to query the list of available Roles within Ensemble, and if one of my AD groups matches that role, set the role for that user?

How would I compare the AD Group against the Role listing?

Thanks

Scott

Lately my group has been seeing issues when signing in through the Management Portal or VS Code we are getting "Service Unavailable" errors returned to us. We recently migrated away from using the PWS to using Apache/InterSystems Web Gateway and using LDAP instead of Delegated Authentication.

Dear All,

I am currently part of a team that is developing an application using Microsoft PowerApps as the front end and IRIS as the backend. Effectively that frontend screens, which are house and an Azure serve, call a series of REST interfaces exposed by IRIS from a physical Microsoft server. During the development stage we have not had any security in place but now we need to secure the application using a single sign on. PowerApps relies on Microsoft Entra for its security both LDAP and OAuth. Has anyone in the community connected IRIS to Microsoft Entra?