I got jTDS working through using Squirrel SQL Client, I am just now trying to transpose that over to Ensemble to see if I can get it to work.
- Log in to post comments
All
Accepted answers
Maybe I didn't describe this right. I am trying to go from No Authentication to a Windows Authentication account. Has anyone done this? if so can you share your part of your URL to see what I am possibly missing.
Thanks
Scott
- Log in to post comments
Yes I was. That would explain the syntax issue. I have verified that the SimpleBinds without StartTLSs works fine. I have added some additional print statements to see where the issue might lie. The code gets past the Init, and SetOption, but then dies on the StartTLSs.
LD=1
SetOption=Success
-11,ldap_StartTLSs(Certificate) - Connect error
I went ahead and opened a ticket up with WRC to see if they could help. Thanks everyone.
- Log in to post comments
I am still struggling to get this to work. If I go through %SYS and manually try to start a TLS connection in AIX to my LDAP server I am getting...
s Status=##Class(%SYS.LDAP).SetOption(LD,$$$LDAPOPTXTLSCACERTFILE,"/ensemble/TestClin/mgr/LDAPKeyStore/OSUWMC_CA.pem") - Error <SYNTAX>
Does the certificate need to be in a certain directory for this to work as the examples suggested " /usr/share/ssl/certs/...."?
- Log in to post comments
I was able to track down the error to
s Status=##class(%SYS.LDAP).StartTLSs(LD)
i Status'=$$$LDAPSUCCESS{
s Status=Status_",ldap_setoption(Certificate) - "_##class(%SYS.LDAP).Err2String(Status)
w Status,!
g Error
}
-1,ldap_setoption(Certificate) - Can't contact LDAP server
- Log in to post comments
I was able to track down the error to
s Status=##class(%SYS.LDAP).StartTLSs(LD)
i Status'=$$$LDAPSUCCESS{
s Status=Status_",ldap_setoption(Certificate) - "_##class(%SYS.LDAP).Err2String(Status)
w Status,!
g Error
}
-1,ldap_setoption(Certificate) - Can't contact LDAP server
- Log in to post comments
That's the part I am unsure of, because it is not logging to the Audit Database. How can I run this and put breakpoints in to verify where it might be getting stuck?
- Log in to post comments
Thanks.
I am now to the point where I am getting Error message: LDAP error: 0 - Success. How can a Success be a Failure?
ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
#include %occErrors
#include %sySecurity
#include %sySite
#include %syLDAP
#define LDAPServer $Get(^OSUMCLDAP("Server"))
#define WindowsLDAPServer 1
#define WindowsCacheClient 0
#define UseSecureConnection 1
#define UnixCertificateFile $Get(^OSUMCLDAP("LDAPKey"))_"certnew.pem"
#define WindowsBaseDN "dc="_$Get(^OSUMCLDAP("Domain"))_",dc=edu"
#define WindowsFilter "sAMAccountname"
#define WindowsAttributeList $lb("displayName","department","mail")
s $zt="Error"
s Status = 0
i Password="" {
s Status= $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
g Error
}
i $$$WindowsLDAPServer{
s AdminDN=$Get(^OSUMCLDAP("User"))
s AdminPW=$Get(^OSUMCLDAP("Pass"))
}
#;The following line sets up the internal LDAP structures.
i $$$ISWINDOWS,$$$UseSecureConnection {
s LD=##Class(%SYS.LDAP).Init($$$LDAPServer,636)
} else {
s LD=##Class(%SYS.LDAP).Init($$$LDAPServer)
}
i LD=0 {
s Status=##Class(%SYS.LDAP).GetLastError()
s Status="Init error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s Status=##Class(%SYS.LDAP).SetOption(LD,$$$LDAPOPTXTLSCACERTFILE,$$$UnixCertificateFile)
i Status'=$$$LDAPSUCCESS{
s Status ="SetOption error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s Status=##class(%SYS.LDAP).StartTLSs(LD)
i Status'=$$$LDAPSUCCESS{
s Status=Status_",ldap_setoption(Certificate) - "_##class(%SYS.LDAP).Err2String(Status)
g Error
}
s Status=##Class(%SYS.LDAP).SimpleBinds(LD,AdminDN,AdminPW)
i Status'=$$$LDAPSUCCESS
{
s Status = Status_", ldap_Simple_Bind(AdminDN) - "_##Class(%SYS.LDAP).Err2String(Status)
#;w !,Status
g Error
}
i $$$WindowsLDAPServer {
s Filter=$$$WindowsFilter_"="_Username
}
i $$$WindowsLDAPServer {
s AttributeList=$$$WindowsAttributeList
}
i $$$WindowsLDAPServer {
s BaseDN=$$$WindowsBaseDN
}
s SearchScope=$$$LDAPSCOPESUBTREE
s Timeout=30
s SizeLimit=1
s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,SearchScope,Filter,AttributeList,0,"","",Timeout,"",.SearchResult)
i Status'=$$$LDAPSUCCESS {
i Status=$$$XLDAPFILTERERROR {
s Status="1,User "_Username_" does not exist"
w !,Status
} else {
s Status=Status_",ldap_Search_Ext - "_##Class(%SYS.LDAP).Err2String(Status)
}
g Error
}
s NumEntries=##Class(%SYS.LDAP).CountEntries(LD,SearchResult)
i NumEntries=-1 {
s Status=##Class(%SYS.LDAP).GetError(LD)
s Status=Status_",ldap_Count_Entries - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
i NumEntries=0 {
s Status="1,User "_Username_" does not exist"
g Error
}
i NumEntries>1 {
s Status="1,LDAP Filter is not unique"
g Error
}
s CurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,SearchResult)
i CurrentEntry=0 {
s Status=##Class(%SYS.LDAP).GetError(LD)
s Status=Status_",ldap_FirstEntry - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s DN=##Class(%SYS.LDAP).GetDN(LD,CurrentEntry)
i Password="" {
s Status="1,ldap_Simple_Bind("_DN_") - password cannot be null"
g Error
}
s Status=##Class(%SYS.LDAP).SimpleBinds(LD,DN,Password)
i Status'=$$$LDAPSUCCESS {
s Status=Status_",ldap_Simple_Bind("_DN_") - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s Attribute=##Class(%SYS.LDAP).FirstAttribute(LD,CurrentEntry,.Ptr)
while (Attribute'="") {
s Values=##Class(%SYS.LDAP).GetValuesLen(LD,CurrentEntry,Attribute)
#;Values:"_Values
s Properties("Attributes",Attribute)=Values
s Attribute=##Class(%SYS.LDAP).NextAttribute(LD,CurrentEntry,.Ptr)
}
s Properties("Username")=Username
s Properties("FullName")=$li(Properties("Attributes","displayName"))
k Properties("Attributes","displayName")
s Properties("Comment")=$li(Properties("Attributes","department"))
k Properties("Attributes","department")
s Properties("EmailAddress")=$li(Properties("Attributes","mail"))
k Properties("Attributes","mail")
i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
s GroupFilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:="_DN_"))"
s GroupAttributes=""
s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,$$$LDAPSCOPESUBTREE,GroupFilter,GroupAttributes,0,"","",10,0,.GroupSearchResult)
#;GroupSearch Status: "_Status
i Status'=$$$LDAPSUCCESS {
w !,"SearchExts error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s GroupNumEntries=##Class(%SYS.LDAP).CountEntries(LD,GroupSearchResult)
i GroupNumEntries=-1 {
s Status=##Class(%SYS.LDAP).GetError(LD)
s Status=##Class(%SYS.LDAP).Err2String(Status)
g Error
}
w !
i GroupNumEntries=0 {
w !,"No nested groups for "_Username_" found"
g Done
}
i GroupNumEntries>0 {
}
s GroupCurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,GroupSearchResult)
i GroupCurrentEntry=0 {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"FirstEntry error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s Groups=""
While (GroupCurrentEntry'=0) {
s GroupDN=##Class(%SYS.LDAP).GetDN(LD,GroupCurrentEntry)
i GroupDN="" {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"GetDN Group error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Error
}
s CN=$p(GroupDN,",",1)
s AD=$p(CN,"=",2)
s AD=$zcvt(AD,"L")
s exists=''$d(^|"%SYS"|SYS("Security","RolesD",AD))
i exists{
s Properties("Roles") = AD
}
s GroupCurrentEntry=##Class(%SYS.LDAP).NextEntry(LD,GroupCurrentEntry)
}
Done
i +$d(LD) d ##Class(%SYS.LDAP).UnBinds(LD)
#;w !,"SystemOK "_$SYSTEM.Status.OK()
q $SYSTEM.Status.OK()
Error s $zt=""
i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
i $d(GroupSearchResult) d ##Class(%SYS.LDAP).MsgFree(GroupSearchResult)
i +$d(LD) s Status=##class(%SYS.LDAP).UnBinds(LD)
i $ze'=""{
q $SYSTEM.Status.Error($$$CacheError,$ze)
} else{
q $SYSTEM.Status.Error($$$GeneralError,"LDAP error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status))
}
}
- Log in to post comments
Haven't tried that. Wasn't sure if it was going to make me do the Authentication before I connect to the external database, or while connecting to the external database.
Maybe I am making a mountain out of a mole hill.
- Log in to post comments
After many TRACE statements found I was missing (1) after the FT1 in my syntax. So it should be... request.GetValueAt("FT1(1):16.4.2")
- Log in to post comments
When I look at the message in Message viewer it is showing 06CL as FT1:16.4.2
- Log in to post comments
What type of database is the stored procedure on? If it is Microsoft have you tried VARCHAR(8000)? MAX does not exist in some SQL languages so sometime you have to limit it down to the number of bytes I believe. Though I might be wrong.
- Log in to post comments
Just adding a bump to see if anyone has a way to have the system users bypass the delegated sign on without having to hard code the system.
THanks
Scott
- Log in to post comments
Using the Ensemble Scheduler we ran into issues when we had multiple schedules running at the same time, and notice it pausing the whole environment just to refresh. That's why we went down this route.
It looks like this particular Inbound.SQL.Adapter service that caused the issue had a data lock on the database which caused more issues. So I am wondering if the data lock caused EnsConfigItem() to get in a hung status.
- Log in to post comments
I have always called it the other way around with the outbound before the I in the Execute Procedure Parm Array.
Method InsertProviderDivisionSp(pRequest As osuwmc.CPD.DataStructures.InsertProviderDivision, Output pResponse As Ens.Response) As %Status
{
set SPQuery = "{ ?= call usp_Interfaces_Insert_ProviderDivision_Ens(?,?,?,?) }"
set par = 4
set par(1) = pRequest.DoctorNumber
set par(2) = pRequest.Division
set par(3) = pRequest.UpdatedBy
set par(4) = pRequest.OrderBy
set tSC = ..Adapter.ExecuteProcedureParmArray(.InsertDivision,.outputs,SPQuery,"oiiii",.par)
if 'tSC write " failed ",tSC
quit tSC
}
or you can call it like...
Method InsertProviderPreference(pRequest As osuwmc.CPD.DataStructures.InsertPreferences, Output pResponse As Ens.Response) As %Status
{
set SPQuery = "{ ?= call usp_Interfaces_Insert_ProviderPreference(?,?,?,?,?) }"
set parm = 6
set parm(1,"SqlType")=$$$SQLVARCHAR
set parm(1,"IOTypes")=$$$SQLPARAMOUTPUT
set parm(2) = pRequest.DoctorNumber
set parm(2,"SqlType")=$$$SQLVARCHAR
set parm(2,"IOTypes")=$$$SQLPARAMINPUT
set parm(3) = pRequest.Preference
set parm(3,"SqlType")=$$$SQLNUMERIC
set parm(3,"IOTypes")=$$$SQLPARAMINPUT
set parm(4) = pRequest.PreferenceValue
set parm(4,"SqlType")=$$$SQLNUMERIC
set parm(4,"IOTypes")=$$$SQLPARAMINPUT
set parm(5) = pRequest.PreferenceDesc
set parm(5,"SqlType")=$$$SQLVARCHAR
set parm(5,"IOTypes")=$$$SQLPARAMINPUT
set parm(6) = pRequest.UpdatedBy
set parm(6,"SqlType")=$$$SQLVARCHAR
set parm(6,"IOTypes")=$$$SQLPARAMINPUT
set tSC = ..Adapter.ExecuteProcedureParmArray(.InsertPreference,.outputs,SPQuery,"oiiiii",.parm)
if 'tSC write "Failed",tSC
quit tSC
}
- Log in to post comments
Thanks not the exact answer that I was looking for but I think I can make it work somehow.
- Log in to post comments
What does your... ##class(SamsReq).%New() look like? Here is what my Request and code look like as a whole. I have used this many times across many services in different fashions. I am using JDBC vs ODBC which maybe a difference, not sure.
Class osuwmc.CPD.DataStructures.StartJobRequest Extends (%Library.Persistent, %XML.Adaptor) [ Not ProcedureBlock, SqlRowIdPrivate ]
{
Property StartJobStatus As %Integer;
Storage Default
{
<Data name="StartJobRequestDefaultData">
<Value name="1">
<Value>%%CLASSNAME</Value>
</Value>
<Value name="2">
<Value>StartJobStatus</Value>
</Value>
</Data>
<DataLocation>^osuwmc.CPD59D.StartJobReqE986D</DataLocation>
<DefaultData>StartJobRequestDefaultData</DefaultData>
<IdLocation>^osuwmc.CPD59D.StartJobReqE986D</IdLocation>
<IndexLocation>^osuwmc.CPD59D.StartJobReqE986I</IndexLocation>
<StreamLocation>^osuwmc.CPD59D.StartJobReqE986S</StreamLocation>
<Type>%Library.CacheStorage</Type>
}
}
Class osuwmc.CPD.UpdateClarityAddressesFromCPDService Extends Ens.BusinessService [ ClassType = "", ProcedureBlock ]
{
Parameter ADAPTER = "EnsLib.SQL.InboundAdapter";
Parameter REQUESTCLASSES As %String = "EnsLib.SQL.Snapshot";
Property InitDSN As %String;
Method OnInit() As %Status
{
Set ..InitDSN = ..Adapter.DSN
//Set ..Adapter.ConnectAttrs = "QueryTimeout:45" ; try this too just in case...
Quit $$$OK
}
Method OnProcessInput(pInput As EnsLib.SQL.Snapshot, pOutput As %RegisteredObject) As %Status
{
set req=##class(osuwmc.CPD.DataStructures.StartJobRequest).%New()
set req.StartJobStatus = pInput.Get("1")
set sc = ..SendRequestSync("CPDClarityAddressUpdateBPL",req,.pOutput)
Quit sc
}
}
- Log in to post comments
I have used this in the past...
Under my Data Settings I use the following as my Query to act like a status kick off for my job...
SELECT 1
Then my service does...
Method OnProcessInput(pInput As EnsLib.SQL.Snapshot, pOutput As %RegisteredObject) As %Status
{
set req=##class(osuwmc.CPD.DataStructures.StartJobRequest).%New()
set req.StartJobStatus = pInput.Get("1")
set sc = ..SendRequestSync("CPDClarityAddressUpdateBPL",req,.pOutput)
Quit sc
}
It appears you are not setting your request variable so there is nothing to send to your DQTT.
- Log in to post comments
Can I still add code in Business Studio and it maintain integrity to be able to still open in the BPL editor?
I added the following in my while loop, but then the BPL hung.
<assign property='..%Process.%SessionId' value='""'/>
- Log in to post comments
Within the BPL editor how do you set a Property in Code?
- Log in to post comments
Never mind I figured it out.
- Log in to post comments
Instead of storing it at the Credentials level, I have created a Global to store the LDAP server information. However when I am calling $Get(^OSUMCLDAP(Server)) nothing is being returned. Am I not calling it appropriately? Do I need to add an include statement somewhere to make sure it includes the globals?
#define LDAPServer $Get(^OSUMCLDAP(Server))
i $$$WindowsLDAPServer{
s AdminDN=$Get(^OSUMCLDAP(User))
s AdminPW=$Get(^OSUMCLDAP(Pass))
}
Thanks
Scott
- Log in to post comments
Sorry I am learning AD/LDAP as I go. I talked with the "powers that be" and they did confirm that I do not see a separate username and password to BIND to LDAP, and that I can use the UserName. So I will make that switch in the code above.
Thanks everyone.
- Log in to post comments
- To verify against LDAP we needed a separate user other than the user trying to log into the system.
- Also to make it easier on all parties involved instead of using new Attributes in LDAP, I had a group created that I could match up against a role of the same name in Ensemble.
So if I have an additional user I need to use to verify as the LDAP search user, how would I store the user name and password in this scenario?
- Log in to post comments
ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
#include %occErrors
#include %sySecurity
#include %syLDAP
s LDAPServer="xxxxx.xxxxxx.xxxx"
s LD=##Class(%SYS.LDAP).Init(LDAPServer)
i LD=0 {
s Status=##Class(%SYS.LDAP).GetLastError()
//g Error
}
s LDAPUser = "ensemble.Services"
s LDAPPass = "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
s Status=##Class(%SYS.LDAP).Binds(LD,"",$lb(LDAPUser,"",LDAPPass),$$$LDAPAUTHNEGOTIATE)
i Status'=$$$LDAPSUCCESS q $SYSTEM.Status.Error($$$InvalidUsernameOrPassword)
s BaseDN="dc=OSUMC,dc=EDU"
s Filter="sAMAccountname="_Username
s Attributes=$lb("sAMAccountname","displayName","mail")
s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,$$$LDAPSCOPESUBTREE,Filter,Attributes,0,"","",10,1,.SearchResult)
i Status'=$$$LDAPSUCCESS {
w !,"SearchExts error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Done
}
s CurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,SearchResult)
i CurrentEntry=0 {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"FirstEntry error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Done
}
s DN=##Class(%SYS.LDAP).GetDN(LD,CurrentEntry)
s Attribute=##Class(%SYS.LDAP).FirstAttribute(LD,CurrentEntry,.Ptr)
while (Attribute'="") {
s Values=##Class(%SYS.LDAP).GetValuesLen(LD,CurrentEntry,Attribute)
//w Values
s Properties("Attributes",Attribute)=Values
//w Attributes(Attribute)
s Attribute=##Class(%SYS.LDAP).NextAttribute(LD,CurrentEntry,.Ptr)
}
s Properties("Username")=$li(Properties("Attributes","sAMAccountName"))
k Properties("Attributes","sAMAccountName")
s Properties("FullName")=$li(Properties("Attributes","displayName"))
k Properties("Attributes","displayName")
s GroupFilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:="_DN_"))"
s GroupAttributes=""
s Status=##Class(%SYS.LDAP).SearchExts(LD,BaseDN,$$$LDAPSCOPESUBTREE,GroupFilter,GroupAttributes,0,"","",10,0,.GroupSearchResult)
i Status'=$$$LDAPSUCCESS {
w !,"SearchExts error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Done
}
s GroupNumEntries=##Class(%SYS.LDAP).CountEntries(LD,GroupSearchResult)
i GroupNumEntries=-1 {
s Status=##Class(%SYS.LDAP).GetError(LD)
//w !,"CountEntries Group error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Done
}
w !
i GroupNumEntries=0 {
w !,"No nested groups for "_Username_" found"
g Done
}
i GroupNumEntries>0 {
//w !,"Found "_GroupNumEntries_" nested groups for user "_Username
}
#;Get the dn of the first entry returned.
s GroupCurrentEntry=##Class(%SYS.LDAP).FirstEntry(LD,GroupSearchResult)
i GroupCurrentEntry=0 {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"FirstEntry error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
g Done
}
s Groups=""
While (GroupCurrentEntry'=0) {
s GroupDN=##Class(%SYS.LDAP).GetDN(LD,GroupCurrentEntry)
i GroupDN="" {
s Status=##Class(%SYS.LDAP).GetError(LD)
w !,"GetDN Group error: "_Status_" - "_##Class(%SYS.LDAP).Err2String(Status)
q
}
s CN=$p(GroupDN,",",1)
s AD=$p(CN,"=",2)
s AD=$zcvt(AD,"L")
set exists=''$d(^|"%SYS"|SYS("Security","RolesD",AD))
if exists{
s Properties("Roles") = AD
w Properties("Roles")
}
#;Save for later display
//w !,AD
s GroupCurrentEntry=##Class(%SYS.LDAP).NextEntry(LD,GroupCurrentEntry)
}
Done
i $d(SearchResult) d ##Class(%SYS.LDAP).MsgFree(SearchResult)
i $d(GroupSearchResult) d ##Class(%SYS.LDAP).MsgFree(GroupSearchResult)
#;Close the connection and free the LDAP in memory structures.
i $d(LD) d ##Class(%SYS.LDAP).UnBinds(LD)
q $SYSTEM.Status.OK()
Error s $zt=""
w !,"Cache error: "_$ze
g Done
}- Log in to post comments
When I run...
f i=2:1:$LL(list2) write !,i,"",$p($li(list2,i),",")
w i
I am getting the output of
2Access.Ensemble.Developer.User2
How can I remove the 2 from the beginning and ending of the string, then compare it to the %SYS Roles?
Thanks
Scott
- Log in to post comments
I believe it is either a String for a Fixed Sequence. I cut and pasted that from a document given to me to show me the LDAP/AD Attributes. I believe the structure is {CN= ,OU=, DC=, DC= , CN=,OSU=,DC=,DC=.....} so every time we see a CN its a new group which is what I want to key off of.
- Log in to post comments
You can use a Data Lookup table to specify the Subject based on the Error you are looking for.
- Log in to post comments
So I am trying to take a list of....
managedObjects : {CN=Access.Ensemble.Developer.User,OU=Access Groups,DC=OSUMC,DC=EDU, CN=[CPD Admin],OU=Distribution Lists,DC=OSUMC,DC=EDU, CN=[MUSE_Access],OU=Distribution Lists,DC=OSUMC,DC=EDU, CN=[IT eMaterials],OU=Distribution Lists,DC=OSUMC,DC=EDU...}
How can I put this into a list and properly filter out the values I need. For Example Access.Ensemble.Developer.User is my end target that corresponds to a role of that same name.
I am struggling with how to appropriately pull this information out so I can do the IF statements below.
- Log in to post comments
I have run into a case where the Last Name or First Name contains a Hyphen but no spaces between the Hyphen and the split name. I have tried "S", but that seemed not to help.
Anyone have suggestions on how to handle names with a hyphen besides doing an IF statement, and Piecing the Name apart to make it Proper Case?
- Log in to post comments