iris-ldap-auth

InterSystems does not provide technical support for this project. Please contact its developer for the technical assistance.
Example of how to set up IRIS and OpenLDAP for LDAP user authentication

What's new in this version

Initial Release

iris-ldap-auth

Example of LDAP authentication for REST services hosted by InterSystems IRIS.

(Disclaimer) This example does not use TLS, although InterSystems recommends that you enable TLS encryption for LDAP.

How to start

$ git clone --recursive https://github.com/IRISMeister/iris-ldap-auth.git
$ cd iris-ldap-auth
$ ./first-run.sh
Creating network "iris-ldap-auth_default" with the default driver
Creating iris ... done
Goal state not specified; using 'running'
............
Waited 11 seconds for InterSystems IRIS to reach state 'running'
Creating ldap-server ... done
Creating ldap-admin  ... done
adding new entry "cn=module,cn=config"
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"
adding new entry "ou=Group,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER1,ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER2,ou=People,dc=example,dc=com"
adding new entry "cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com"
adding new entry "cn=intersystems-Role-%All,ou=Group,dc=example,dc=com"
$

Take a look at ./iris.log if something goes wrong.

Ordinary user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u SuperUser:sys | jq

It should return coffee makers in JSON format.

LDAP user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u LDAPUSER1:sys | jq

It should return coffee makers in JSON format.

How to remove everything

$ ./rm.sh
Stopping ldap-admin  ... done
Stopping ldap-server ... done
Stopping iris        ... done
Removing ldap-admin  ... done
Removing ldap-server ... done
Removing iris        ... done
Removing network iris-ldap-auth_default
$

Additional info

PasswordHash value for IRIS users

The PasswordHash value in merge.cpf was generated by running:

$ docker run --rm -it containers.intersystems.com/intersystems/passwordhash:1.0
Enter password:sys
Enter password again:sys
PasswordHash=a647ce65fda7c09890288ebb8a899b7f48f70fe5,2rv3vp7v

(Caution) This means that every predefined IRIS account can be accessed with this password (sys).
See https://docs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=ADOCK#ADOCK_iris_images_password_auth

userPassword value for LDAP users

The {SSHA} userPassword value in groups-and-users.ldif was generated by running:

$ docker-compose exec ldap-server slappasswd -s sys
{SSHA}KjnadpCTJKirxOx/eVIMbrHNKmwRZCvQ

(Caution) This means that the LDAP users can be accessed with this password (sys).
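Added example (not part of the original project): how to read a {SSHA} value such as the slappasswd output above, or the base64 (double-colon) form that ldapsearch prints for userPassword, and verify a password against it the way slapd does. Both sample values come from this page; the salt passed to make_ssha in the test is constructed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Values taken from this page: the slappasswd output and the userPassword::
# line ldapsearch prints for LDAPUSER1 (the double colon marks a base64 value).
SLAPPASSWD_OUTPUT = "{SSHA}KjnadpCTJKirxOx/eVIMbrHNKmwRZCvQ"
LDIF_LINE = "userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg="


def ldif_value(line: str) -> str:
    """Return the value of one LDIF line; '::' means the value is base64-encoded."""
    _name, _sep, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode()
    return rest.strip()


def split_ssha(value: str) -> tuple[bytes, bytes]:
    """Split a {SSHA} value into (20-byte SHA-1 digest, salt); reject other schemes."""
    if not value.startswith("{SSHA}"):
        raise ValueError(f"not a salted SHA-1 value: {value[:8]!r}")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short for a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """Build a {SSHA} value as slappasswd does: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(value: str, password: str) -> bool:
    """Verify a password against a {SSHA} value; constant-time digest comparison."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    for v in (SLAPPASSWD_OUTPUT, ldif_value(LDIF_LINE)):
        _digest, salt = split_ssha(v)
        print(v, "salt bytes:", len(salt), "matches 'sys':", check_ssha(v, "sys"))
```

Because each slappasswd run draws a fresh salt, the two values on this page differ even though both encode the same password; a verifier must recompute the digest with the stored salt rather than compare strings.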

Enabling memberOf overlay

The memberOf overlay must be enabled for this to work. See memberof.ldif.

$ docker-compose exec ldap-server ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=LDAPUSER1)" -b dc=example,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=LDAPUSER1,ou=People,dc=example,dc=com
memberOf: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com
memberOf: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com
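Added example (not code from the original project): parse the memberOf output shown above and derive the IRIS roles and namespaces implied by the group names. It assumes the naming convention this page uses, where groups prefixed intersystems-Role- and intersystems-Namespace- carry the role and namespace names; the LDIF sample is constructed from the ldapsearch output above.

```python
from __future__ import annotations

# Constructed from the ldapsearch output above (LDAPUSER1's entry, -LL format).
MEMBEROF_LDIF = """\
dn: uid=LDAPUSER1,ou=People,dc=example,dc=com
memberOf: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com
memberOf: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com
"""

# Group-name prefixes as used by this sample's groups-and-users.ldif.
ROLE_PREFIX = "intersystems-Role-"
NAMESPACE_PREFIX = "intersystems-Namespace-"


def parse_entries(ldif: str) -> list[dict[str, list[str]]]:
    """Split LDIF text into entries mapping attribute -> list of values.
    Plain 'attr: value' lines only; memberOf DNs are never base64 (::) encoded here."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in ldif.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def group_cn(dn: str) -> str:
    """Value of the leading cn= RDN of a group DN, or '' if the RDN is not cn."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if attr.strip().lower() == "cn" else ""


def iris_grants(entry: dict[str, list[str]]) -> dict[str, list[str]]:
    """Roles and namespaces an IRIS login would get from this entry's groups."""
    grants: dict[str, list[str]] = {"roles": [], "namespaces": []}
    for dn in entry.get("memberOf", []):
        cn = group_cn(dn)
        if cn.startswith(ROLE_PREFIX):
            grants["roles"].append(cn[len(ROLE_PREFIX):])
        elif cn.startswith(NAMESPACE_PREFIX):
            grants["namespaces"].append(cn[len(NAMESPACE_PREFIX):])
    return grants


def memberof_missing(entry: dict[str, list[str]]) -> bool:
    """True when the entry carries no memberOf at all: either the overlay is not
    active or the user is in no group, so IRIS would derive no roles for the login."""
    return "memberOf" not in entry
```

Run the check against a real search before debugging the IRIS side: an empty memberOf on a user that is listed as a group member is the signature of a missing overlay.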

How to look up the directory

Via the portal

The LDAP admin portal is available at http://localhost:8080/. Use the following credentials.

Login DN: cn=admin,dc=example,dc=com
Password: ldap

You will see two Group entries and two People entries.

ou=Group
cn=intersystems-Namespace-USER
cn=intersystems-Role-%All
ou=People
uid=LDAPUSER1
uid=LDAPUSER2

Via the command line

To list the People entries you have:

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=People,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

People, example.com

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

LDAPUSER1, People, example.com

dn: uid=LDAPUSER1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
sn: LDAPUSER1
cn: LDAPUSER1
uid: LDAPUSER1
displayName: LDAPUSER1
description: LDAP user created by this sample
mail: LDAPUSER1@localhost.local
mobile: 1234567
userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=

LDAPUSER2, People, example.com

dn: uid=LDAPUSER2,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
sn: LDAPUSER2
cn: LDAPUSER2
uid: LDAPUSER2
userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=

search result

search: 2
result: 0 Success

numResponses: 4

numEntries: 3

To list the Group entries you have:

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=Group,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

Group, example.com

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

intersystems-Role-%All, Group, example.com

dn: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: intersystems-Role-%All
member: uid=LDAPUSER1,ou=People,dc=example,dc=com
member: uid=LDAPUSER2,ou=People,dc=example,dc=com

intersystems-Namespace-USER, Group, example.com

dn: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: intersystems-Namespace-USER
member: uid=LDAPUSER1,ou=People,dc=example,dc=com
member: uid=LDAPUSER2,ou=People,dc=example,dc=com

search result

search: 2
result: 0 Success

numResponses: 4

numEntries: 3

Version: 1.0.0 (16 Sep, 2020)
Category: Technology Example
Works with: InterSystems IRIS, InterSystems IRIS for Health
First published: 16 Sep, 2020
Last edited: 16 Sep, 2020
Last checked by moderator: 27 Jun, 2023