To give you the best possible experience, this site uses cookies and by continuing to use the site you agree that we can save them on your device.

LearningDocumentationCommunityOpen ExchangeGlobal MastersCertificationPartner DirectoryIdeas Portal
Submit application
Submit applicationApplicationsContest
HistoryAbout Contests
NewsAbout
About UsWhat's newMembersTagsDocumentationReport an IssueContact UsDiscord
Create an AccountLogin

iris-ldap-auth

Downloads9
Subscribe
0
Bookmark
0
This application is not supported by InterSystems Corporation. Please be notified that you use it at your own responsibility.
Details
Releases
Reviews
Issues

What's new in this version

Initial Release

iris-ldap-auth

Example of LDAP authentication for REST services hosted by InterSystems IRIS.

(Disclaimer) It's not using TLS though InterSystems recommends that you enable TLS encryption for LDAP.

How to start

$ git clone --recursive https://github.com/IRISMeister/iris-ldap-auth.git
$ cd iris-ldap-auth
$ ./first-run.sh
Creating network "iris-ldap-auth_default" with the default driver
Creating iris ... done
Goal state not specified; using 'running'
............
Waited 11 seconds for InterSystems IRIS to reach state 'running'
Creating ldap-server ... done
Creating ldap-admin  ... done
adding new entry "cn=module,cn=config"
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"
adding new entry "ou=Group,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER1,ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER2,ou=People,dc=example,dc=com"
adding new entry "cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com"
adding new entry "cn=intersystems-Role-%All,ou=Group,dc=example,dc=com"
$

Take a look at ./iris.log if something went wrong.

ordinal user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u SuperUser:sys | jq

It should return coffee makers in JSON format.

LDAP user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u LDAPUSER1:sys | jq

It should return coffee makers in JSON format.

How to remove everything

$ ./rm.sh
Stopping ldap-admin  ... done
Stopping ldap-server ... done
Stopping iris        ... done
Removing ldap-admin  ... done
Removing ldap-server ... done
Removing iris        ... done
Removing network iris-ldap-auth_default
$

Additional info

PasswordHash value for IRIS users

PasswordHash value in merge.cpf was generated by issuing

$ docker run --rm -it containers.intersystems.com/intersystems/passwordhash:1.0
Enter password:sys
Enter password again:sys
PasswordHash=a647ce65fda7c09890288ebb8a899b7f48f70fe5,2rv3vp7v

(Caution) It means you can access any predefined IRIS accounts via this (sys) password.
See https://docs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=ADOCK#ADOCK_iris_images_password_auth

userPassword value for LDAP users

{SSHA} userPassword value in groups-and-users.ldif was generated by issuing

$ docker-compose exec ldap-server slappasswd -s sys
{SSHA}KjnadpCTJKirxOx/eVIMbrHNKmwRZCvQ

(Caution) It means you can access LDAP users via this (sys) password.

Enabling memberOf overlay

It is important that memberOf overlay is enabled to get this work. See memberof.ldif.

$ docker-compose exec ldap-server ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=LDAPUSER1)" -b dc=example,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=LDAPUSER1,ou=People,dc=example,dc=com

memberOf: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com

memberOf: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com

How to lookup directory

via portal

LDAP admin portal is available at http://localhost:8080/. Use following credential.

Login DN: cn=admin,dc=example,dc=com  
Password: ldap

You will see two Groups and two Peoples.

ou=Group
cn=intersystems-Namespace-USER
cn=intersystems-Role-%All
ou=People
uid=LDAPUSER1
uid=LDAPUSER1

via Command line

To see what "People"s you have.

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=People,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, example.com

dn: ou=People,dc=example,dc=com

objectClass: organizationalUnit

ou: People


# LDAPUSER1, People, example.com

dn: uid=LDAPUSER1,ou=People,dc=example,dc=com

objectClass: inetOrgPerson

sn: LDAPUSER1

cn: LDAPUSER1

uid: LDAPUSER1

displayName: LDAPUSER1

description: LDAP user created by this sample

mail: LDAPUSER1@localhost.local

mobile: 1234567

userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=


# LDAPUSER2, People, example.com

dn: uid=LDAPUSER2,ou=People,dc=example,dc=com

objectClass: inetOrgPerson

sn: LDAPUSER2

cn: LDAPUSER2

uid: LDAPUSER2

userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=


# search result

search: 2

result: 0 Success


# numResponses: 4

# numEntries: 3

To see what "Group"s you have.

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=Group,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Group, example.com

dn: ou=Group,dc=example,dc=com

objectClass: organizationalUnit

ou: Group


# intersystems-Role-%All, Group, example.com

dn: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com

objectClass: groupOfNames

cn: intersystems-Role-%All

member: uid=LDAPUSER1,ou=People,dc=example,dc=com

member: uid=LDAPUSER2,ou=People,dc=example,dc=com


# intersystems-Namespace-USER, Group, example.com

dn: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com

objectClass: groupOfNames

cn: intersystems-Namespace-USER

member: uid=LDAPUSER1,ou=People,dc=example,dc=com

member: uid=LDAPUSER2,ou=People,dc=example,dc=com


# search result

search: 2

result: 0 Success


# numResponses: 4

# numEntries: 3

Rating
0 (0)
Category
Technology Example
Works with
InterSystems IRISInterSystems IRIS for Health
Tags
ldap
Info
Author
Tomohiro Iwamoto
Version
1.0.0
Last updated
2020-09-16
Repository
Open
Documentation
Open
License
Link