Other LDAP Topics
Create a Secure Outbound LDAP Connection
While this document primarily concerns using LDAP for authentication and authorization when connecting to InterSystems IRIS, you may also connect from InterSystems IRIS to an LDAP server. To establish a secure outbound connection to an LDAP server, InterSystems IRIS includes support for TLS. For more information on this topic, see the class documentation for %SYS.LDAP, in the content for the Init method.
Use the LDAP APIs
The %SYS.LDAP class supports LDAP programmatically.
If you are using the InterSystems IRIS LDAP APIs with certificates on UNIX® and need detailed debugging information, you may wish to use the ldapsearch program that is part of the OpenLDAP package. Once you have corrected any problems with certificates, you can use the test configuration tool to verify that the connection is functioning. The ldapsearch program may also be useful for debugging other LDAP connection problems.
How Various LDAP Actions Occur
This section describes what occurs during certain processes associated with LDAP authentication and authorization:
How LDAP Performs Authentication and Authorization
When a user attempts to authenticate to an instance of InterSystems IRIS that uses LDAP authentication, the process is:
The user is prompted for a user name and password. This user, who is trying to authenticate, is known as the target user.
InterSystems IRIS establishes a connection to the LDAP server using the values specified for the LDAP username to use for searches and LDAP username password. This user, who has privileges to search the LDAP database so that InterSystems IRIS can retrieve information, is known as the search user.
Once the connection is established, the next step is to look up the target user in the LDAP database using the LDAP Unique search attribute.
If the target user is found in the LDAP database, it retrieves the attributes associated with the user, such as the user’s roles, namespace, and routine.
InterSystems IRIS then attempts to authenticate the user to the LDAP database, using the user name and password provided in step 1.
If authentication succeeds, authorization occurs on the LDAP server (either via group assignment or attributes). The user can then interact with InterSystems IRIS based on the privileges associated with their roles and any publicly available resources. The user’s properties are displayed read-only in the Management Portal and are not editable from within InterSystems IRIS.
How LDAP Looks Up the Target User in Its Database
Once InterSystems IRIS has established a connection to the LDAP server as the search user, it next retrieves information about the target user. To do this, InterSystems IRIS checks the username provided at login against values in the LDAP database for the LDAP Unique search attribute. The name of this attribute is often “sAMAccountName” for an Active Directory LDAP server and “uid” for an OpenLDAP server.
Once InterSystems IRIS has located the user, it retrieves attribute information. It retrieves information about every named attribute in the InterSystems IRIS LDAP configuration fields (described in Create or Modify an LDAP Configuration), and it retrieves all values associated with each attribute. Note that InterSystems IRIS retrieves all values associated with all attributes specified for the user in the InterSystems IRIS LDAP configuration fields; it is not possible to configure it to retrieve only a subset of these.
How an Instance Checks and Removes Local Accounts Based on LDAP Account Conditions
InterSystems IRIS removes a user account on the local instance when the account meets any of the following conditions:
The LDAP account no longer exists
The LDAP account is disabled
On Active Directory only, the LDAP account has the flag set to require a password change
On Active Directory only, the LDAP account is expired
InterSystems IRIS checks for these conditions and removes accounts under the following circumstances:
When a user attempts to log into an InterSystems IRIS instance, the instance checks the user’s LDAP account. If any of the specified conditions are true for the LDAP account, InterSystems IRIS removes the local user account.
As a result of the SecurityScan task. InterSystems IRIS comes with this task; run it to determine if any of these conditions are true for the LDAP account associated with any local user account. If so, InterSystems IRIS removes the local user account.