iris-ldap-auth

This application is not supported by InterSystems Corporation. Use it at your own risk.

What's new in this version

Initial Release

Example of how to set up IRIS and OpenLDAP for LDAP user authentication

iris-ldap-auth

Example of LDAP authentication for REST services hosted by InterSystems IRIS.

(Disclaimer) This example does not use TLS, although InterSystems recommends that you enable TLS encryption for LDAP.

How to start

$ git clone --recursive https://github.com/IRISMeister/iris-ldap-auth.git
$ cd iris-ldap-auth
$ ./first-run.sh
Creating network "iris-ldap-auth_default" with the default driver
Creating iris ... done
Goal state not specified; using 'running'
............
Waited 11 seconds for InterSystems IRIS to reach state 'running'
Creating ldap-server ... done
Creating ldap-admin  ... done
adding new entry "cn=module,cn=config"
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"
adding new entry "ou=Group,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER1,ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER2,ou=People,dc=example,dc=com"
adding new entry "cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com"
adding new entry "cn=intersystems-Role-%All,ou=Group,dc=example,dc=com"
$

Take a look at ./iris.log if something goes wrong.

Ordinary user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u SuperUser:sys | jq

It should return coffee makers in JSON format.

LDAP user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u LDAPUSER1:sys | jq

It should return coffee makers in JSON format.

How to remove everything

$ ./rm.sh
Stopping ldap-admin  ... done
Stopping ldap-server ... done
Stopping iris        ... done
Removing ldap-admin  ... done
Removing ldap-server ... done
Removing iris        ... done
Removing network iris-ldap-auth_default
$

Additional info

PasswordHash value for IRIS users

The PasswordHash value in merge.cpf was generated by issuing

$ docker run --rm -it intersystems/passwordhash:latest
Enter password:sys
Enter password again:sys
PasswordHash=a647ce65fda7c09890288ebb8a899b7f48f70fe5,2rv3vp7v

(Caution) This means any of the predefined IRIS accounts can be accessed with this password (sys).
See https://docs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=ADOCK#ADOCK_iris_images_password_auth

userPassword value for LDAP users

The {SSHA} userPassword value in groups-and-users.ldif was generated by issuing

$ docker-compose exec ldap-server slappasswd -s sys
{SSHA}KjnadpCTJKirxOx/eVIMbrHNKmwRZCvQ

(Caution) This means the LDAP users can be accessed with this password (sys). Note that SSHA includes a random salt, so each run of slappasswd produces a different string for the same password; the value above and the one stored in the directory both verify "sys".
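The following is an added example, not code from this project. It reimplements the {SSHA} scheme that slappasswd -s uses (base64 of sha1(password || salt) || salt), so you can see why two runs give different strings for the same password, verify a stored value against a candidate password, and decode the base64 form that ldapsearch prints on a userPassword:: line. The two sample values are the ones shown in this README; the fixed salts in the usage code are constructed for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Sample values taken from this README (both are hashes of the password "sys";
# they differ only because slappasswd draws a fresh random salt on every run).
SLAPPASSWD_OUTPUT = "{SSHA}KjnadpCTJKirxOx/eVIMbrHNKmwRZCvQ"
LDIF_USERPASSWORD_B64 = "e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg="

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_split(value: str) -> tuple[bytes, bytes]:
    """Split an {SSHA} value into (sha1_digest, salt).

    Layout is base64(sha1(password + salt) + salt); the salt is whatever
    follows the 20-byte digest (slappasswd uses 4 bytes).
    """
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("SSHA payload too short to contain a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_make(password: str, salt: bytes | None = None) -> str:
    """Produce an {SSHA} value the way slappasswd -s does (random 4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the salted digest with the stored salt and compare in constant time."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword(b64_value: str) -> str:
    """An LDIF 'attr:: value' line carries base64; decoding it yields the {SSHA} string."""
    return base64.b64decode(b64_value).decode("ascii")


if __name__ == "__main__":
    stored_in_directory = ldif_userpassword(LDIF_USERPASSWORD_B64)
    print("directory value :", stored_in_directory)
    print("slappasswd value:", SLAPPASSWD_OUTPUT)
    for value in (SLAPPASSWD_OUTPUT, stored_in_directory):
        _, salt = ssha_split(value)
        print(f"salt={salt.hex()} verifies 'sys': {ssha_verify('sys', value)}")
    # Constructed salts: same password, different salt, different string.
    print(ssha_make("sys", b"\x00\x00\x00\x01"))
    print(ssha_make("sys", b"\x00\x00\x00\x02"))
```

ssha_verify is the check an application would run if it had to validate a password against a value pulled from the directory; normally you let the LDAP server do that via a bind, which is what the REST service in this sample relies on.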

Enabling memberOf overlay

The memberOf overlay must be enabled for this to work. See memberof.ldif.

$ docker-compose exec ldap-server ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=LDAPUSER1)" -b dc=example,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=LDAPUSER1,ou=People,dc=example,dc=com
memberOf: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com
memberOf: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com

How to look up the directory

via portal

The LDAP admin portal is available at http://localhost:8080/. Use the following credentials.

Login DN: cn=admin,dc=example,dc=com  
Password: ldap  

You will see two Group entries and two People entries.

ou=Group
cn=intersystems-Namespace-USER
cn=intersystems-Role-%All
ou=People
uid=LDAPUSER1
uid=LDAPUSER2

via command line

To list the People entries:

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=People,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

# LDAPUSER1, People, example.com
dn: uid=LDAPUSER1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
sn: LDAPUSER1
cn: LDAPUSER1
uid: LDAPUSER1
displayName: LDAPUSER1
description: LDAP user created by this sample
mail: LDAPUSER1@localhost.local
mobile: 1234567
userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=

# LDAPUSER2, People, example.com
dn: uid=LDAPUSER2,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
sn: LDAPUSER2
cn: LDAPUSER2
uid: LDAPUSER2
userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

To list the Group entries:

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=Group,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Group, example.com
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# intersystems-Role-%All, Group, example.com
dn: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: intersystems-Role-%All
member: uid=LDAPUSER1,ou=People,dc=example,dc=com
member: uid=LDAPUSER2,ou=People,dc=example,dc=com

# intersystems-Namespace-USER, Group, example.com
dn: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: intersystems-Namespace-USER
member: uid=LDAPUSER1,ou=People,dc=example,dc=com
member: uid=LDAPUSER2,ou=People,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
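The following is an added example, not code from this project. It reads the kind of LDIF that the two ldapsearch commands above print (comments, blank-line separated entries, plain "attr: value" lines and base64 "attr:: value" lines), inverts the groupOfNames member lists the way the memberOf overlay does, and then applies the group naming convention this sample uses (intersystems-Role-<role> and intersystems-Namespace-<namespace>) to show which IRIS roles and namespaces each LDAP user would receive. The embedded LDIF is a constructed copy of the Group search result, with LDAPUSER2 deliberately left out of the namespace group so that one user ends up with a role but no namespace.

```python
from __future__ import annotations

import base64

# Constructed sample: trimmed from the ou=Group search output shown above.
# LDAPUSER2 is intentionally absent from intersystems-Namespace-USER here.
GROUP_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=example,dc=com> with scope subtree

# Group, example.com
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# intersystems-Role-%All, Group, example.com
dn: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: intersystems-Role-%All
member: uid=LDAPUSER1,ou=People,dc=example,dc=com
member: uid=LDAPUSER2,ou=People,dc=example,dc=com

# intersystems-Namespace-USER, Group, example.com
dn: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: intersystems-Namespace-USER
member: uid=LDAPUSER1,ou=People,dc=example,dc=com

# search result
search: 2
result: 0 Success
"""

ROLE_PREFIX = "intersystems-Role-"
NS_PREFIX = "intersystems-Namespace-"


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: '#' comments skipped, entries split on blank lines,
    folded continuation lines (leading space) joined, 'attr:: v' base64-decoded.
    Only records that carry a dn are returned, so 'search:'/'result:' trailers drop out."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # RFC 2849 line folding
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return [e for e in entries if "dn" in e]


def member_of(entries: list[dict[str, list[str]]], user_dn: str) -> list[str]:
    """What the memberOf overlay computes: the DNs of all groups listing user_dn as a member."""
    return [e["dn"][0] for e in entries
            if "groupOfNames" in e.get("objectClass", []) and user_dn in e.get("member", [])]


def iris_authorization(entries: list[dict[str, list[str]]]) -> dict[str, dict[str, set[str]]]:
    """Map each member DN to the IRIS roles and namespaces implied by group cn prefixes."""
    auth: dict[str, dict[str, set[str]]] = {}
    for e in entries:
        if "groupOfNames" not in e.get("objectClass", []):
            continue
        cn = e["cn"][0]
        for member in e.get("member", []):
            user = auth.setdefault(member, {"roles": set(), "namespaces": set()})
            if cn.startswith(ROLE_PREFIX):
                user["roles"].add(cn[len(ROLE_PREFIX):])
            elif cn.startswith(NS_PREFIX):
                user["namespaces"].add(cn[len(NS_PREFIX):])
    return auth


if __name__ == "__main__":
    entries = parse_ldif(GROUP_LDIF)
    for user_dn, grants in iris_authorization(entries).items():
        print(user_dn)
        print("  memberOf  :", member_of(entries, user_dn))
        print("  roles     :", sorted(grants["roles"]))
        print("  namespaces:", sorted(grants["namespaces"]))
```

A user that appears in a role group but in no namespace group (LDAPUSER2 in this constructed sample) is the case worth checking after any change to the group tree: the role gives privileges, but without a namespace group the account has no default namespace to land in.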
Category: Technology Example
Works with: InterSystems IRIS, InterSystems IRIS for Health
Version: 1.0.0
Last updated: 2020-09-16