Home Applications iris-ldap-auth

iris-ldap-auth

This application is not supported by InterSystems Corporation. Please be notified that you use it at your own risk.
5
0 reviews
0
Awards
145
Views
0
IPM installs
0
0
Details
Releases
Reviews
Issues
Example of how to setup IRIS and OpenLDAP for LDAP user authentication

What's new in this version

Initial Release

iris-ldap-auth

Example of LDAP authentication for REST services hosted by InterSystems IRIS.

(Disclaimer) It’s not using TLS though InterSystems recommends that you enable TLS encryption for LDAP.

How to start

$ git clone --recursive https://github.com/IRISMeister/iris-ldap-auth.git
$ cd iris-ldap-auth
$ ./first-run.sh
Creating network "iris-ldap-auth_default" with the default driver
Creating iris ... done
Goal state not specified; using 'running'
............
Waited 11 seconds for InterSystems IRIS to reach state 'running'
Creating ldap-server ... done
Creating ldap-admin  ... done
adding new entry "cn=module,cn=config"
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"
adding new entry "ou=Group,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER1,ou=People,dc=example,dc=com"
adding new entry "uid=LDAPUSER2,ou=People,dc=example,dc=com"
adding new entry "cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com"
adding new entry "cn=intersystems-Role-%All,ou=Group,dc=example,dc=com"
$

Take a look at ./iris.log if something went wrong.

ordinal user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u SuperUser:sys | jq

It should return coffee makers in JSON format.

LDAP user access

$ curl -s -X POST http://localhost:52773/rest/coffeemakerapp/coffeemakers -u LDAPUSER1:sys | jq

It should return coffee makers in JSON format.

How to remove everything

$ ./rm.sh
Stopping ldap-admin  ... done
Stopping ldap-server ... done
Stopping iris        ... done
Removing ldap-admin  ... done
Removing ldap-server ... done
Removing iris        ... done
Removing network iris-ldap-auth_default
$

Additional info

PasswordHash value for IRIS users

PasswordHash value in merge.cpf was generated by issuing

$ docker run --rm -it containers.intersystems.com/intersystems/passwordhash:1.0
Enter password:sys
Enter password again:sys
PasswordHash=a647ce65fda7c09890288ebb8a899b7f48f70fe5,2rv3vp7v

(Caution) It means you can access any predefined IRIS accounts via this (sys) password.
See https://docs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=ADOCK#ADOCK_iris_images_password_auth

userPassword value for LDAP users

{SSHA} userPassword value in groups-and-users.ldif was generated by issuing

$ docker-compose exec ldap-server slappasswd -s sys
{SSHA}KjnadpCTJKirxOx/eVIMbrHNKmwRZCvQ

(Caution) It means you can access LDAP users via this (sys) password.

Enabling memberOf overlay

It is important that memberOf overlay is enabled to get this work. See memberof.ldif.

$ docker-compose exec ldap-server ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=LDAPUSER1)" -b dc=example,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=LDAPUSER1,ou=People,dc=example,dc=com
memberOf: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com
memberOf: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com

How to lookup directory

via portal

LDAP admin portal is available at http://localhost:8080/. Use following credential.

Login DN: cn=admin,dc=example,dc=com  
Password: ldap  

You will see two Groups and two Peoples.

ou=Group
cn=intersystems-Namespace-USER
cn=intersystems-Role-%All
ou=People
uid=LDAPUSER1
uid=LDAPUSER1

via Command line

To see what “People”s you have.

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=People,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

People, example.com

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

LDAPUSER1, People, example.com

dn: uid=LDAPUSER1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
sn: LDAPUSER1
cn: LDAPUSER1
uid: LDAPUSER1
displayName: LDAPUSER1
description: LDAP user created by this sample
mail: LDAPUSER1@localhost.local
mobile: 1234567
userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=

LDAPUSER2, People, example.com

dn: uid=LDAPUSER2,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
sn: LDAPUSER2
cn: LDAPUSER2
uid: LDAPUSER2
userPassword:: e1NTSEF9VUxkTDI4TWV5Q2M4elRrRkcyTGdZU2taSG9NY3BwLzg=

search result

search: 2
result: 0 Success

numResponses: 4

numEntries: 3

To see what “Group”s you have.

$ docker-compose exec ldap-server ldapsearch -x -w ldap -D "cn=admin,dc=example,dc=com" -b "ou=Group,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

Group, example.com

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

intersystems-Role-%All, Group, example.com

dn: cn=intersystems-Role-%All,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: intersystems-Role-%All
member: uid=LDAPUSER1,ou=People,dc=example,dc=com
member: uid=LDAPUSER2,ou=People,dc=example,dc=com

intersystems-Namespace-USER, Group, example.com

dn: cn=intersystems-Namespace-USER,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: intersystems-Namespace-USER
member: uid=LDAPUSER1,ou=People,dc=example,dc=com
member: uid=LDAPUSER2,ou=People,dc=example,dc=com

search result

search: 2
result: 0 Success

numResponses: 4

numEntries: 3

Made with
Version
1.0.016 Sep, 2020
Category
Technology Example
Works with
InterSystems IRISInterSystems IRIS for Health
First published
16 Sep, 2020
Last checked by moderator
27 Jun, 2023Works