iris-ldap-auth

Example of LDAP authentication for REST services hosted by InterSystems IRIS.

(Disclaimer) It’s not using TLS though InterSystems recommends that you enable TLS encryption for LDAP.

How to start

$ git clone --recursive https://github.com/IRISMeister/iris-ldap-auth.git
$ cd iris-ldap-auth
$ ./first-run.sh
Creating network "iris-ldap-auth_default" with the default driver
Creating iris ... done
Goal state not specified; using 'running'
............
Waited 11 seconds for InterSystems IRIS to reach state 'running'
Creating ldap-server ... done
Creating ldap-admin  ... done
adding new entry "cn=module,cn=config"
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"
adding new entry "ou=Group,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER1,ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER2,ou=People,dc=example,dc=com"
adding new entry "cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com"
adding new entry "cn=intersystems-Role-%All,ou=Group,dc=example,dc=com"
$

Take a look at ./iris.log if something went wrong.

ordinal user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u SuperUser:sys | jq

It should return coffee makers in JSON format.

LDAP user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u LDAPUSER1:sys | jq

It should return coffee makers in JSON format.

How to remove everything

$ ./rm.sh
Stopping ldap-admin  ... done
Stopping ldap-server ... done
Stopping iris        ... done
Removing ldap-admin  ... done
Removing ldap-server ... done
Removing iris        ... done
Removing network iris-ldap-auth_default
$

Additional info

PasswordHash value for IRIS users

PasswordHash value in merge.cpf was generated by issuing

$ docker run --rm -it containers.intersystems.com/intersystems/passwordhash:1.0
Enter password:sys
Enter password again:sys
PasswordHash=a647ce65fda7c09890288ebb8a899b7f48f70fe5,2rv3vp7v

(Caution) It means you can access any predefined IRIS accounts via this (sys) password.
See https://docs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=ADOCK#ADOCK_iris_images_password_auth

userPassword value for LDAP users

{SSHA} userPassword value in groups-and-users.ldif was generated by issuing

$ docker-compose exec ldap-server slappasswd -s sys
{SSHA}KjnadpCTJKirxOx/eVIMbrHNKmwRZCvQ

(Caution) It means you can access LDAP users via this (sys) password.

Enabling memberOf overlay

It is important that memberOf overlay is enabled to get this work. See memberof.ldif.

$ docker-compose exec ldap-server ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=LDAPUSER1)" -b dc=example,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1
dn: uid=LDAPUSER1,ou=People,dc=example,dc=com

memberOf: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com

memberOf: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com

How to lookup directory

via portal

LDAP admin portal is available at http://localhost:8080/. Use following credential.

Login DN: cn=admin,dc=example,dc=com  
Password: ldap  

You will see two Groups and two Peoples.

ou=Group
cn=intersystems-Namespace-USER
cn=intersystems-Role-%All
ou=People
uid=LDAPUSER1
uid=LDAPUSER1

via Command line

To see what “People”s you have.

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=People,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
People, example.com
dn: ou=People,dc=example,dc=com

objectClass: organizationalUnit

ou: People
LDAPUSER1, People, example.com
dn: uid=LDAPUSER1,ou=People,dc=example,dc=com

objectClass: inetOrgPerson

sn: LDAPUSER1

cn: LDAPUSER1

uid: LDAPUSER1

displayName: LDAPUSER1

description: LDAP user created by this sample

mail: LDAPUSER1@localhost.local

mobile: 1234567

userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=
LDAPUSER2, People, example.com
dn: uid=LDAPUSER2,ou=People,dc=example,dc=com

objectClass: inetOrgPerson

sn: LDAPUSER2

cn: LDAPUSER2

uid: LDAPUSER2

userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=
search result
search: 2

result: 0 Success
numResponses: 4
numEntries: 3

To see what “Group”s you have.

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=Group,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
Group, example.com
dn: ou=Group,dc=example,dc=com

objectClass: organizationalUnit

ou: Group
intersystems-Role-%All, Group, example.com
dn: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com

objectClass: groupOfNames

cn: intersystems-Role-%All

member: uid=LDAPUSER1,ou=People,dc=example,dc=com

member: uid=LDAPUSER2,ou=People,dc=example,dc=com
intersystems-Namespace-USER, Group, example.com
dn: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com

objectClass: groupOfNames

cn: intersystems-Namespace-USER

member: uid=LDAPUSER1,ou=People,dc=example,dc=com

member: uid=LDAPUSER2,ou=People,dc=example,dc=com
search result
search: 2

result: 0 Success
numResponses: 4
numEntries: 3