
Published on InterSystems Developer Community (https://community.intersystems.com)

Article Vasiliy Bondar · Oct 14, 2018

4m read

Configuring LDAP authentication in InterSystems Caché using Microsoft Active Directory

At first glance, the task of configuring LDAP authentication in Caché is not hard at all ‒ the manual describes this process in just 6 paragraphs. On the other hand, if the LDAP server uses Microsoft Active Directory, there are a few non-obvious things that need to be configured on the LDAP server side. Those who don’t do anything like that on a regular basis may get lost in Caché settings. In this article, we will describe the step-by-step process of setting up LDAP authentication and cover the diagnostic methods that can be used if something doesn’t work as expected.

Configuration of the LDAP server

1. Create a user in Active Directory that we will use to connect to Caché and search for information in the LDAP database. This user must be located in the domain’s root.

2. Let’s create a special unit for users who will be connecting to Caché and call it ldapCacheUsers.

3. Register users there.


4. Let’s test the availability of the LDAP database using a tool called ldapAdmin. You can download it here.

5. Configure the connection to the LDAP server:

6. All right, we are connected now. Let’s take a look at how it all works:


7. Since the users that will be connecting to Caché are in the ldapCacheUsers unit, let’s limit our search to this unit only.


Settings on the Caché side

8. The LDAP server is ready, so let’s proceed to configuring the settings on the Caché side. Go to Management Portal -> System Administration -> Security -> System Security -> LDAP Options. Let’s clear the “User attribute to retrieve default namespace”, “User attribute to retrieve default routine” and “User attribute to retrieve roles” fields, since these attributes are not in the LDAP database yet.

9. Enable LDAP authentication in System Administration -> Security -> System Security -> Authentication/CSP Session Settings.

10. Enable LDAP authentication in services. The %Service_CSP service is responsible for connecting web applications; %Service_Console handles connections through the terminal.

11. Configure LDAP authentication in web applications.


12. For the time being, and only for testing the connection, let’s configure everything so that new users in Caché have full rights. To do this, assign the %All role to the user _PUBLIC. We will address this aspect later.


13. Let’s try opening the configured web application; it should open without problems.

14. The terminal also opens.

15. After connecting, LDAP users will appear in the Caché user list.

16. The truth is, this configuration gives all new users complete access to the system. To close this security hole, we need to modify the LDAP database by adding an attribute that we will use to store the name of the role that will be assigned to users after connecting to Caché. Prior to that, we need to make a backup copy of the domain controller to ensure that we don’t break the entire network if something goes wrong during the configuration process.

17. To modify the Active Directory schema, let’s install the Active Directory Schema snap-in on the server where Active Directory is installed (it is not installed by default). Read the instructions here.

18. Let’s create an attribute called intersystems-Roles, OID 1.2.840.113556.1.8000.2448.2.3, a case-sensitive string, multi-valued.


19. Then add this attribute to the class “user”.


20. Let’s now make it so that when we view the list of unit users, we can see a “Role in InterSystems Cache” column. To do that, click Start -> Run and type “adsiedit.msc”. We are connecting to the “Configuration” naming context.


21. Let’s go to the CN=409, CN=DisplaySpecifiers, CN=Configuration container and choose a container type that will show additional user attributes when we view it. Let’s choose unit-level display (OU), provided by the organizationalUnit-Display container. We need to find the extraColumns attribute in its properties and change its value to “intersystems-Roles, Role in IntersystemsCache,1,200,0”. The rule for composing the attribute value is as follows: attribute name, name of the destination column, display by default or not, column width in pixels, reserved value. One more comment: CN=409 denotes a language code (CN=409 for the English version, CN=419 for the Russian version of the console).


22. We can now fill out the name of the role that will be assigned to all users connecting to Caché. If your Active Directory is running on Windows Server 2003, you won’t have any built-in tools for editing this field. You can use a tool called ldapAdmin (see item 4) for editing the value of this attribute. If you have a newer version of Windows, this attribute can be edited in the “Advanced Features” mode ‒ the user will see an additional tab for editing attributes.
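As an added example (not code from the article or from InterSystems), the following Python helpers cover the two page-specific formats from steps 21 and 22: composing and validating an extraColumns entry (attribute, column title, display flag, width, reserved value), and producing an LDIF modify that sets the multi-valued intersystems-Roles attribute on a user in the ldapCacheUsers unit. The domain DN DC=example,DC=local and the user name are constructed samples.

```python
"""Helpers for the extraColumns display-specifier format (step 21) and for an
LDIF modify of the multi-valued intersystems-Roles attribute (step 22).
Domain DN and user names below are constructed samples, not from the article."""

ROLE_ATTR = "intersystems-Roles"    # attribute created in step 18
USERS_OU = "OU=ldapCacheUsers"      # unit created in step 2
BASE_DN = "DC=example,DC=local"     # assumed domain, not from the article


def compose_extra_column(attr, column, show_by_default=True, width=200):
    """Build one extraColumns entry: attribute name, destination column title,
    display-by-default flag (1/0), column width in pixels, reserved value 0."""
    if "," in attr or "," in column:
        raise ValueError("fields may not contain commas")
    if width <= 0:
        raise ValueError("width must be a positive pixel count")
    return f"{attr},{column},{1 if show_by_default else 0},{width},0"


def parse_extra_column(value):
    """Validate an extraColumns entry and return its fields as a dict.
    Surrounding whitespace (as in the article's sample value) is tolerated."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(parts)}")
    attr, column, flag, width, reserved = parts
    if flag not in ("0", "1"):
        raise ValueError("display-by-default flag must be 0 or 1")
    if not width.isdigit() or int(width) <= 0:
        raise ValueError("width must be a positive integer")
    if reserved != "0":
        raise ValueError("reserved field must be 0")
    return {"attribute": attr, "column": column,
            "show_by_default": flag == "1", "width": int(width)}


def role_modify_ldif(user_cn, roles):
    """Produce an LDIF 'modify' that replaces intersystems-Roles on one user
    in the ldapCacheUsers OU; each role becomes one value of the attribute."""
    if not roles:
        raise ValueError("at least one role is required")
    dn = f"CN={user_cn},{USERS_OU},{BASE_DN}"
    lines = [f"dn: {dn}", "changetype: modify", f"replace: {ROLE_ATTR}"]
    lines += [f"{ROLE_ATTR}: {role}" for role in roles]
    lines.append("-")
    return "\n".join(lines) + "\n"
```

The LDIF can be applied with any LDAP client that accepts LDIF input once the attribute from step 18 exists in the schema.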

23. After that, let’s specify the name of this attribute in the LDAP options on the Caché management portal.


24. Let’s create a role called ldapRole with the necessary privileges.


25. Remove the %All role from the user _PUBLIC.

26. Everything is set up; let’s try connecting to the system.

27. If it doesn’t work right away, enable and configure auditing.


28. Audit settings

29. Look at the error log in Audit Database.

Conclusion

In reality, it often happens that configuring different roles for different users is not required for working in an application. If you only need to assign a particular set of permissions to users logging in to a web application, you can skip steps 16 through 23. All you will need to do is add these roles on the “Application roles” tab in the web application settings and remove all types of authentication except LDAP. In this case, only users registered on the LDAP server can log in. When such a user logs in, Caché automatically assigns the roles required for working in this application.

#LDAP #Microsoft Windows Server #System Administration #Caché


Source URL: https://community.intersystems.com/post/configuring-ldap-authentication-intersystems-cach%C3%A9-using-microsoft-active-directory
