iris-ldap-auth

InterSystems does not provide technical support for this project. Please contact its developer for the technical assistance.

1 reviews

Awards

157

Views

IPM installs

Details

Releases (1)

Reviews (1)

Issues

Example of how to setup IRIS and OpenLDAP for LDAP user authentication

What's new in this version

Initial Release

iris-ldap-auth

Example of LDAP authentication for REST services hosted by InterSystems IRIS.

(Disclaimer) It’s not using TLS though InterSystems recommends that you enable TLS encryption for LDAP.

How to start

$ git clone --recursive https://github.com/IRISMeister/iris-ldap-auth.git
$ cd iris-ldap-auth
$ ./first-run.sh
Creating network "iris-ldap-auth_default" with the default driver
Creating iris ... done
Goal state not specified; using 'running'
............
Waited 11 seconds for InterSystems IRIS to reach state 'running'
Creating ldap-server ... done
Creating ldap-admin  ... done
adding new entry "cn=module,cn=config"
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"
adding new entry "ou=Group,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER1,ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER2,ou=People,dc=example,dc=com"
adding new entry "cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com"
adding new entry "cn=intersystems-Role-%All,ou=Group,dc=example,dc=com"
$

Take a look at ./iris.log if something went wrong.

ordinal user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u SuperUser:sys | jq

It should return coffee makers in JSON format.

LDAP user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u LDAPUSER1:sys | jq

It should return coffee makers in JSON format.

How to remove everything

$ ./rm.sh
Stopping ldap-admin  ... done
Stopping ldap-server ... done
Stopping iris        ... done
Removing ldap-admin  ... done
Removing ldap-server ... done
Removing iris        ... done
Removing network iris-ldap-auth_default
$

Additional info

PasswordHash value for IRIS users

PasswordHash value in merge.cpf was generated by issuing

$ docker run --rm -it containers.intersystems.com/intersystems/passwordhash:1.0
Enter password:sys
Enter password again:sys
PasswordHash=a647ce65fda7c09890288ebb8a899b7f48f70fe5,2rv3vp7v

(Caution) It means you can access any predefined IRIS accounts via this (sys) password.
See https://docs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=ADOCK#ADOCK_iris_images_password_auth

userPassword value for LDAP users

{SSHA} userPassword value in groups-and-users.ldif was generated by issuing

$ docker-compose exec ldap-server slappasswd -s sys
{SSHA}KjnadpCTJKirxOx/eVIMbrHNKmwRZCvQ

(Caution) It means you can access LDAP users via this (sys) password.

Enabling memberOf overlay

It is important that memberOf overlay is enabled to get this work. See memberof.ldif.

$ docker-compose exec ldap-server ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=LDAPUSER1)" -b dc=example,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1
dn: uid=LDAPUSER1,ou=People,dc=example,dc=com

memberOf: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com

memberOf: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com

How to lookup directory

via portal

LDAP admin portal is available at http://localhost:8080/. Use following credential.

Login DN: cn=admin,dc=example,dc=com  
Password: ldap

You will see two Groups and two Peoples.

ou=Group
cn=intersystems-Namespace-USER
cn=intersystems-Role-%All
ou=People
uid=LDAPUSER1
uid=LDAPUSER1

via Command line

To see what “People”s you have.

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=People,dc=example,dc=com" # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # People, example.com dn: ou=People,dc=example,dc=com objectClass: organizationalUnit ou: People LDAPUSER1, People, example.com dn: uid=LDAPUSER1,ou=People,dc=example,dc=com objectClass: inetOrgPerson sn: LDAPUSER1 cn: LDAPUSER1 uid: LDAPUSER1 displayName: LDAPUSER1 description: LDAP user created by this sample mail: LDAPUSER1@localhost.local mobile: 1234567 userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg= LDAPUSER2, People, example.com dn: uid=LDAPUSER2,ou=People,dc=example,dc=com objectClass: inetOrgPerson sn: LDAPUSER2 cn: LDAPUSER2 uid: LDAPUSER2 userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg= search result search: 2 result: 0 Success numResponses: 4 numEntries: 3

To see what “Group”s you have.

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=Group,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
Group, example.com
dn: ou=Group,dc=example,dc=com

objectClass: organizationalUnit

ou: Group
intersystems-Role-%All, Group, example.com
dn: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com

objectClass: groupOfNames

cn: intersystems-Role-%All

member: uid=LDAPUSER1,ou=People,dc=example,dc=com

member: uid=LDAPUSER2,ou=People,dc=example,dc=com
intersystems-Namespace-USER, Group, example.com
dn: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com

objectClass: groupOfNames

cn: intersystems-Namespace-USER

member: uid=LDAPUSER1,ou=People,dc=example,dc=com

member: uid=LDAPUSER2,ou=People,dc=example,dc=com
search result
search: 2

result: 0 Success
numResponses: 4
numEntries: 3

Made with

Docker

Repository Documentation License

Version

1.0.016 Sep, 2020