docs.intersystems.com
Caché Security Administration Guide
Using LDAP
This chapter covers the following topics:

Overview of Using LDAP with Caché
Caché provides support for authentication and authorization using LDAP, the Lightweight Directory Access Protocol. LDAP systems have a central repository of user information, from which Caché retrieves information. For example, on Windows, a domain controller using Active Directory is an LDAP server.
Caché supports using LDAP for both authentication and authorization; it also supports using LDAP authorization with OS-based authentication for the local Caché terminal.
Caché includes several forms of support for LDAP:
Caché can also provide authentication and authorization for multiple LDAP domains simultaneously.
To configure an InterSystems service or application to use an existing LDAP server for authentication and authorization:
  1. Configure Caché to use the LDAP server:
    1. Create an LDAP configuration for the instance. This includes specifying the names of LDAP user properties to be used for setting the values of properties of Caché users.
    2. Optionally, configure the instance to support multiple LDAP domains.
    3. Enable LDAP for the instance’s relevant services and applications. This involves enabling LDAP for the entire instance of Caché and then enabling it for the relevant services or applications.
  2. For LDAP authorization:
    1. Configure the LDAP server to use those groups
Supported Versions of the LDAP Protocols
Caché supports Active Directory and OpenLDAP for LDAP authentication and authorization. This support is for LDAP version 3 protocols; earlier LDAP protocols are not supported.
Configuring LDAP Authentication for Caché
This section describes the following tasks:
Enabling LDAP for a Caché Instance
The first step in configuring an instance of Caché to use LDAP is to enable the features you wish to use:
  1. Click Save to apply the changes.
Enabling LDAP for Services and Applications
After enabling LDAP authentication for the instance, enable it for the instance’s relevant services or applications:
  1. Because LDAP authentication is enabled for the instance, an LDAP check box appears on the Edit Service page for the services that support LDAP authentication and the Edit Web Application page for web applications.
  2. Enable LDAP authentication for services and applications as appropriate.
The following services support LDAP authentication:
These fall into several categories of access modes:
Creating or Modifying an LDAP Configuration in Caché
To perform LDAP authentication, Caché uses an LDAP configuration. An LDAP configuration specifies a connection to an LDAP server for a particular security domain and has information required to:
Note:
If Kerberos is enabled for an instance, all menu items and other labels for LDAP configurations refer to LDAP/Kerberos configurations. The following procedure does not note this in each individual situation.
To create or modify an LDAP configuration:
  1. During installation, if you are installing Caché onto a machine that is currently using an LDAP server, Caché creates an LDAP configuration based on that LDAP server’s domain and other configuration information.
  2. Create or modify a configuration:
  3. Modify or complete the fields to define the configuration (listed below).
  4. If you create multiple configurations, you must specify which one is the default on the System-wide Security Parameters page (System Administration > Security > System Security > System-wide Security Parameters), using the Default security domain drop-down.
LDAP Configuration Fields
An LDAP configuration includes the following fields:
The values of the fields of an LDAP configuration are stored in an instance of the Security.LDAPConfigs class.
Note on LDAP/Kerberos Configuration Fields
If Kerberos authentication is enabled for an instance, then the page for creating an LDAP configuration is the Edit LDAP/Kerberos configurations page. It has the same fields as the Edit LDAP configurations page, as described in the LDAP Configuration Fields section.
Using Multiple Domains with LDAP
When using LDAP with Caché, you have the option of supporting authentication with multiple domains. This allows the instance to have user accounts that include the same username from more than one domain, such as EndUser@example.com and EndUser@otherexample.com. This feature can be useful in multiple scenarios. For example:
To use multiple domains:
  1. Create additional LDAP configurations according to the instructions in the previous section, “Creating or Modifying an LDAP Configuration in Caché.”
  2. Configure the instance to use multiple domains and then specify a default domain:
    1. Enable the use of multiple domains for the instance. In the Management Portal, on the System-wide Security Parameters page (System Administration > Security > System Security > System-wide Security Parameters), select the Allow multiple security domains check box.
    2. Specify a default domain. In the Management Portal, on the System-wide Security Parameters page (System Administration > Security > System Security > System-wide Security Parameters), select a default domain using the Default security domain drop-down.
    3. Click Save.
    For more information about this page, see the System-wide Security Parameters section of the “System Management and Security” chapter.
Note:
Even if you are using multiple domains, the name for each user must be unique, even if they are of different types. Hence, if you create a user such as EndUser@example.com that is a Password user, you cannot then log in to Caché through LDAP as the user EndUser@example.com, as Caché cannot create the account for EndUser@example.com as an LDAP user.
Setting Up a Required Login Role
If you have multiple instances of Caché and are using LDAP authentication or OS-based authentication with LDAP authorization, then InterSystems strongly recommends that each instance have a role that is required for the users who are connecting to it. This mechanism prevents users from accessing instances where they are insufficiently privileged; otherwise, a user who holds various roles on one instance may then have those same roles on an instance where this is not intended.
To set up a required login role:
  1. For each instance, if the role to be required does not already exist, create it. Do this according to the instructions in the Creating Roles section of the “Roles” chapter.
  2. Add an LDAP group with a name that includes the name of the required role. The name of the group is of the form:
    where:
Note:
In certain circumstances, such as with mirroring, you may prefer to have a single required login role among multiple instances.
For example, suppose there are two systems, TEST and PRODUCTION. To secure each of these productions, create a role on TEST called TESTACCESS and a role on PRODUCTION called PRODUCTIONACCESS. On TEST, set the value of the Role required to connect to this system field to TESTACCESS; on PRODUCTION, set it to PRODUCTIONACCESS. Then, if a user is only allowed to access the TEST system, assign that user the TESTACCESS role only and do not assign the PRODUCTIONACCESS role to the user. For users who can access either system, assign them both PRODUCTIONACCESS and TESTACCESS roles.
Configuring LDAP Authorization for Caché
In addition to performing authentication with LDAP, Caché supports LDAP authorization. To use LDAP authorization with Caché, InterSystems provides two mechanisms:
Note:
InterSystems recommends the use of LDAP groups rather than LDAP attributes for managing role, routine, and namespace definitions.
Configuring LDAP Authorization with LDAP Groups
About LDAP Groups and Caché
LDAP groups allow you to assign privileges to users using an LDAP server:
Caché supports LDAP groups that provide authorization for:
To set up groups for Caché:
  1. Determine if you are going to use groups for a single instance, for multiple instances, or for all instances.
  2. Create one or more groups with names that follow the appropriate naming convention. Each group specifies a user’s role, default namespace, or default routine; since a user can have multiple roles, it is valid to belong to multiple groups that specify roles.
  3. Configure your LDAP users to specify which ones belong to which groups. This requires that, for each user’s LDAP account, you assign the user to multiple groups to specify one or more roles, a default namespace, and a default routine. This determines which roles each user has after logging in, the user’s default namespace, and the user’s default routine.
  4. Configure the local Caché instance so that there are definitions for all the roles that are specified on the LDAP server.
About the LDAP Authorization Group Models
Caché supports three kinds of group authorization using LDAP.
Creating LDAP Authorization Groups for a Single Instance (Single-Instance Groups)
Caché allows you to create LDAP groups that provide authorization for only a single instance; hence, each of these is known as a single-instance group. To create this kind of authorization group:
  1. On the Caché instance, confirm or modify the value of the LDAP parameter Authorization Instance ID. By default, its value is NodeName_InstanceName, where NodeName is the machine on which the Caché instance is running and InstanceName is the name of that instance.
    To set the parameter’s value manually:
    1. On that page, select the configuration to edit by clicking on its name.
    2. On the page for editing the configuration that appears, select Use LDAP Groups for Roles/Routine/Namespace.
    3. Next, in the Authorization Instance ID field, enter the value for the parameter and click Save.
  2. On the LDAP server, define role, namespace, and routine groups with names that conform to the required InterSystems structure and that use the Instance keyword, followed by the value of the Authorization Instance ID. Note that these strings are not case sensitive. These group names are of the form:
    where:
  3. On the Caché instance, configure a role associated with each group.
For example, suppose you are running an application on an instance called Test that is on a machine called Node1. You wish to set up three categories of users:
To set up this authorization model, create the following groups on the LDAP server:
intersystems-Instance-Node1_Test-Role-Administrator
intersystems-Instance-Node1_Test-Role-LocalApplication
intersystems-Instance-Node1_Test-Role-%All
intersystems-Instance-Node1_Test-Routine-LocalApplication
intersystems-Instance-Node1_Test-Routine-%SS
intersystems-Instance-Node1_Test-Routine-%pmode
intersystems-Instance-Node1_Test-Namespace-%SYS
intersystems-Instance-Node1_Test-Namespace-USER
Next, create the roles that correspond to each category of user:
Note:
You do not need to create a %All role, because it already exists.
Finally, create the three categories of users:
Creating LDAP Authorization Groups for Multiple Instances (Multiple-Instance Groups)
Caché allows you to create LDAP groups that provide authorization for multiple instances; hence, each of these is known as a multiple-instance group. To create this kind of authorization group:
  1. Determine how the various instances are sharing information among groups. This determines the group for each instance and the information to which users have access.
  2. To set the parameter’s value manually:
    1. On that page, select the configuration to edit by clicking on its name.
    2. On the page for editing the configuration that appears, select Use LDAP Groups for Roles/Routine/Namespace.
    3. Next, in the Authorization Group ID field, enter the value for the parameter and click Save.
  3. On the LDAP server, set up role, namespace, and routine groups that conform to the required InterSystems structure and that use the Group keyword, followed by the value of the Authorization Group ID. Note that these strings are not case sensitive. These group names are of the form:
    where:
  4. Configure the required roles on all the instances that are using them.
For example, suppose you have seven ECP application servers attached to five database servers. Two of the database servers are a failover pair, and the other three are async reporting members. All these servers (both the application servers and the database servers) run the SALES application. The application’s end users need a more limited set of privileges and its administrative users need greater privileges. Hence, you set up three categories of users:
To configure LDAP authorization to support these requirements:
On the LDAP server, define the groups as follows:
intersystems-Group-SALESAPP-Role-%All
intersystems-Group-SALESAPP-Role-LocalApplication
intersystems-Group-SALESAPP-Routine-LocalApplication
intersystems-Group-SALESAPP-Routine-%pmode
intersystems-Group-SALESAPP-Namespace-USER
intersystems-Group-SALESAPP-Namespace-%SYS
intersystems-Group-SALESDB-Role-Administrator
intersystems-Group-SALESDB-Routine-INTEGRIT
intersystems-Group-SALESDB-Namespace-%SYS
Next, create the roles that correspond to each category of user:
Note:
You do not need to create a %All role, because it already exists.
Finally, create the three categories of users:
At this point, there is a fully functioning authorization model, but it does not include any superuser access to the database servers (that is, with %All). To add such access, create and add users to the following new group:
intersystems-Group-SALESDB-Role-%All
Configuring LDAP Authorization Groups with Mirroring
If you are using LDAP and mirroring, InterSystems recommends using multiple-instance LDAP groups to configure authorization. Create the required multiple-instance groups and configure all the users on all members (including any async members) to use these groups.
Consider the following example, which is based on the group structure defined in the example above. Suppose, additionally:
To configure authorization for this mirror:
  1. To provide full access to the failover pair, create the group
  2. To provide full access to the asynchronous members, create the group
  3. Set the LDAP parameter Authorization Instance ID on each member in the failover pair to SALESDBMIRFAILOVER.
    Important:
    Because a disaster recovery (DR) async member may be promoted to failover member, the Authorization Instance ID for any DR async should also be set to SALESDBMIRFAILOVER.
  4. Set the LDAP parameter Authorization Group ID on the mirror’s asynchronous members to SALESDBMIRASYNC.
  5. Next, create the mirror administrators, who have %All access to the application servers; administrative access to the nonmirrored database servers; and %All access to the failover pair only. These users are assigned to the following LDAP groups:
  6. Finally, create the full administrators, who have %All access to all the members (the application servers, the database servers, the failover pair, and the asynchronous members). These users are assigned to the following LDAP groups:
Creating Universal LDAP Authorization Groups
Caché allows you to create LDAP groups that provide authorization for all its instances that use a single LDAP server; these are known as universal authorization groups. To create this kind of authorization group:
  1. Enable the use of universal authorization groups for the current instance:
    1. On that page, select the configuration to edit by clicking on its name, which displays the page for editing that configuration.
    2. On the page for editing the configuration, select Use LDAP Groups for Roles/Routine/Namespace.
    3. Click Save.
  2. On the LDAP server, set up role, namespace, and routine groups that conform to the required InterSystems structure. Note that these strings are not case sensitive. These group names are of the form:
    where RoleName, RoutineName, and NamespaceName are each the name of the role, default routine, or default namespace.
    Note:
    A user can have any number of roles; typically, access to the system requires at least one role. A user can have only one default routine and one default namespace; however, these are not required, so a user may have no default routine and no default namespace.
  3. Configure the required roles on all the instances that are using the LDAP server.
For example, suppose you have an application called LocalApplication and you wish to grant various levels of access to it for users on all the Caché instances that use your LDAP server. Define the following LDAP groups:
intersystems-Role-%All
intersystems-Role-Administrator
intersystems-Role-LocalApplication
intersystems-Routine-%SS
intersystems-Routine-LocalApplication
intersystems-namespace-USER
intersystems-namespace-%SYS
Next, create the roles that correspond to each category of user:
Note:
You do not need to create a %All role, because it already exists.
Finally, create the three categories of users:
Other Topics for LDAP Authorization with LDAP Groups
This section includes the following topics:
LDAP Group Definition Structure
Group definitions typically include:
For example, some possible group definitions might be:
CN=intersystems-Role-Administrator,OU=Groups,DC=intersystems,DC=com
CN=intersystems-Group-MyGroup-Namespace-USER,OU=Groups,DC=intersystems,DC=com
CN=intersystems-Instance-MyNode:MyInstance-Routine-INTEGRIT,OU=Groups,DC=intersystems,DC=com
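As an added example (not InterSystems code), the following Python resolves a user's Caché authorization from an LDAP memberOf list using the single-instance, multiple-instance and universal group names described in the sections above, then applies the required-login-role check from “Setting Up a Required Login Role”. The memberOf DNs, the instance and group IDs, and the intersystems-Role-TESTACCESS group are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Group CN grammar from this chapter (group names are not case sensitive):
#   intersystems-Role-<Name>                          universal group
#   intersystems-Group-<GroupID>-Role-<Name>          multiple-instance group
#   intersystems-Instance-<InstanceID>-Role-<Name>    single-instance group
# with Routine-<Name> or Namespace-<Name> in place of Role-<Name>.
_GROUP_RE = re.compile(
    r"^intersystems-"
    r"(?:(?P<scope>Instance|Group)-(?P<scope_id>.+?)-)?"
    r"(?P<kind>Role|Routine|Namespace)-(?P<name>.+)$",
    re.IGNORECASE,
)
# First RDN of a group DN, e.g. "CN=intersystems-Role-%All,OU=Groups,DC=example,DC=com".
_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


@dataclass
class Authorization:
    """What a user receives through LDAP groups: many roles, at most one
    default namespace and one default routine."""
    roles: set = field(default_factory=set)
    namespace: Optional[str] = None
    routine: Optional[str] = None


def parse_group_cn(cn: str):
    """Return (scope, scope_id, kind, name) for an InterSystems group CN, or None."""
    m = _GROUP_RE.match(cn.strip())
    if not m:
        return None
    scope = (m.group("scope") or "universal").lower()
    return scope, m.group("scope_id"), m.group("kind").lower(), m.group("name")


def resolve(member_of: List[str], instance_id: str,
            group_id: Optional[str] = None,
            allow_universal: bool = True) -> Tuple[Authorization, List[str]]:
    """Collect the roles, default namespace and default routine that apply to
    this instance.  instance_id is the Authorization Instance ID, group_id the
    Authorization Group ID (None if multiple-instance groups are not used), and
    allow_universal mirrors the 'Allow universal groups access' setting.
    Groups scoped to another instance or group are ignored; a second default
    namespace or routine is reported in the returned conflict list."""
    auth = Authorization()
    conflicts: List[str] = []
    for dn in member_of:
        cn = _CN_RE.match(dn.strip())
        parsed = parse_group_cn(cn.group(1)) if cn else None
        if parsed is None:
            continue  # not an InterSystems authorization group
        scope, scope_id, kind, name = parsed
        if scope == "instance":
            if scope_id.lower() != instance_id.lower():
                continue
        elif scope == "group":
            if group_id is None or scope_id.lower() != group_id.lower():
                continue
        elif not allow_universal:
            continue
        if kind == "role":
            auth.roles.add(name)
        elif kind == "namespace":
            if auth.namespace is not None and auth.namespace.lower() != name.lower():
                conflicts.append(f"second default namespace {name!r} ignored")
            else:
                auth.namespace = name
        else:  # routine
            if auth.routine is not None and auth.routine.lower() != name.lower():
                conflicts.append(f"second default routine {name!r} ignored")
            else:
                auth.routine = name
    return auth, conflicts


def login_allowed(auth: Authorization, required_role: Optional[str] = None) -> bool:
    """Apply the 'Role required to connect to this system' rule, if one is set."""
    if required_role is None:
        return True
    return any(r.lower() == required_role.lower() for r in auth.roles)


# Constructed memberOf values for one user; not taken from a real directory.
SAMPLE_MEMBER_OF = [
    "CN=intersystems-Group-SALESAPP-Role-LocalApplication,OU=Groups,DC=example,DC=com",
    "CN=intersystems-Group-SALESAPP-Routine-LocalApplication,OU=Groups,DC=example,DC=com",
    "CN=intersystems-Group-SALESAPP-Namespace-USER,OU=Groups,DC=example,DC=com",
    "CN=intersystems-Group-SALESDB-Role-Administrator,OU=Groups,DC=example,DC=com",
    "CN=intersystems-Instance-Node1_Test-Role-%All,OU=Groups,DC=example,DC=com",
    "CN=intersystems-role-TESTACCESS,OU=Groups,DC=example,DC=com",  # assumed required-role group
    "CN=Domain Users,CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    auth, conflicts = resolve(SAMPLE_MEMBER_OF, "Node1_Test", group_id="SALESAPP")
    print(sorted(auth.roles), auth.namespace, auth.routine, conflicts)
    print("login allowed on TEST:", login_allowed(auth, "TESTACCESS"))
```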
Mixing Different Kinds of Groups
You can use universal groups in conjunction with single-instance or multiple-instance roles.
For example, suppose you:
You would like for UserOne to:
To do this:
  1. Set the authorization instance ID on the APPTEST instance on the Test machine to Test:APPTEST
  2. Create the following group on the LDAP server:
  3. Assign this group to UserOne on the LDAP server
  4. Create the Administrator role on the APPTEST instance on the Test machine and grant it administrative access
You can also mix authorization groups in other ways. For example, if UserTwo has %All permission on all the instances authenticating to the LDAP server, you can give UserTwo exclusive administrative permission on an instance called SECRET on a machine called Server10. To do this, disable Allow universal groups access and then go through the process of assigning an intersystems-Instance-Server10_SECRET-Role-Administrator to that user.
Using Nested Groups
On an Active Directory LDAP server, LDAP groups include support for what are known as nested groups. A nested group is a group that is a member of a second group, which means that all the users who are members of the nested group are also members of the second group. For example, suppose that there are two LDAP groups defined, known as ABC and DEF. You can make the ABC group a member of the DEF group. This means that if a user is a member of the ABC group, then they are also a member of the DEF group without explicitly assigning the user to that group.
How LDAP Groups Regulate Access to Caché
Through their LDAP groups, users receive roles along with a default namespace and a default routine. If the user’s granted roles lack sufficient privilege for any required point of access for an instance, the user is denied access to that instance; for example, if a user lacks sufficient privilege to use their default routine, that user is denied access.
The following rules also apply:
Configuring LDAP Authorization with Attributes
For LDAP authorization, InterSystems recommends the use of LDAP groups. InterSystems also supports authorization using LDAP attributes. There are three registered OIDs that are available for use with an LDAP schema to store authorization information. Each has its own dedicated purpose:
To use these attributes, the procedure on the LDAP server is:
  1. Enable the attributes for use. To do this, modify the value of objectClass field in the LDAP schema by appending the intersystemsAccount value to its list of values. (intersystemsAccount has an LDAP OID of 1.2.840.113556.1.8000.2448.1.1.)
  2. Add the fields (as few or as many as required) to the schema.
  3. Populate their values for the entries in the LDAP database.
Note:
It is not required to use the registered LDAP schema names. In fact, you may use existing attributes from your LDAP schema.
For example, with a UNIX® LDAP server, to define the schema for using LDAP authentication with Caché, use the content that appears in the following definitions:
# Attribute Type Definitions

attributetype ( 1.2.840.113556.1.8000.2448.2.1 NAME 'intersystems-Namespace'
        DESC 'InterSystems Namespace'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.8000.2448.2.2 NAME 'intersystems-Routine'
        DESC 'InterSystems Routine'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.8000.2448.2.3 NAME 'intersystems-Roles'
        DESC 'InterSystems Roles'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Object Class Definitions

objectclass ( 1.2.840.113556.1.8000.2448.1.1
        NAME 'intersystemsAccount'
        SUP top
        AUXILIARY
        DESC 'Abstraction of an account with InterSystems attributes'
        MAY (
                intersystems-Routine $
                intersystems-Namespace $
                intersystems-Roles
        )
)
This content goes to two locations:
Other LDAP Topics
This section covers the following topics:
Viewing LDAP Configurations in the Portal as %Operator
If you are logged in to the Management Portal as a user who has the %Operator role or the %Admin_Operate:Use privilege, you can view (but not edit) the instance’s LDAP configurations:
  1. In the Portal, go to the LDAP Configurations page (System Operation > LDAP Configurations).
  2. On that page, click on the name of the configuration you wish to view, which displays the Display LDAP Configuration for that configuration.
To edit an LDAP configuration, go to the Security LDAP Configurations page (System Administration > Security > System Security > LDAP Configurations); you must have the %Admin_Secure:Use privilege.
About the Security LDAP Configurations Page
The Portal’s Security LDAP Configurations page (System Operation > LDAP Configurations) displays a list of the instance’s LDAP configurations. Click the name of a configuration to view its properties. If Kerberos authentication is enabled for the instance, this is called the Security LDAP/Kerberos configurations page (System Operation > LDAP/Kerberos configurations).
About LDAP Cached Credentials
An instance can use LDAP cached credentials to store (cache) a copy of the credentials that it most recently used to authenticate each user. If the use of cached credentials is enabled (by selecting the Allow LDAP cache credentials authentication field) and the instance is unable to connect to the LDAP server, then the instance uses the cached LDAP credentials to authenticate the user. This can be useful if the instance cannot contact the LDAP server, either because of an issue with the LDAP server itself or with the connection to the server.
To secure cached credentials, Caché stores all LDAP passwords in the security database as a one-way hash. If the instance cannot use the LDAP server to validate the user, it then attempts to confirm that:
If both conditions are true, the user is authenticated and login proceeds; otherwise, login fails.
Testing LDAP Configuration
Once you have created an LDAP configuration, you can test it. This allows you to confirm that it properly connects to the LDAP server or troubleshoot any issues that arise. To test a configuration:
  1. In the Username and Password fields, enter a valid username and password defined on the LDAP server. If the instance is configured to use multiple domains, you must provide a fully qualified username, such as EndUser@example.com; if the instance is using only a single domain, simply enter the unqualified username (without the @ symbol or the domain name), such as EndUser.
  2. Click Test.
The Test Results field displays output from the LDAP server.
Note:
This feature only tests if an instance can connect to an LDAP server and perform authentication checks for the entered user. It does not perform any authorization or permission checks to determine if the user can successfully log in to the system.
If the test succeeds for the entered user, but the user cannot log in, then check the audit record for the login failure. To ensure successful login, you may need to give additional permissions to the user.
The State of an Instance after User Authentication
Any user who is initially authenticated using LDAP authentication is listed in the table of users on the Users page (System Administration > Security > Users) as having a Type of “LDAP user”. If a system administrator has explicitly created a user through the Management Portal (or using any other native Caché facility), that user has a type of “Password user”. If a user attempts to log in using LDAP authentication and is successfully authenticated, Caché determines that this user already exists as a Password user — not an LDAP user — and so login fails.
Configuring LDAP Authorization with Operating-System–Based Authentication (Operating System LDAP Authorization)
This section includes the following topics:
About Operating System LDAP Authentication
Caché allows you to configure your system to support operating-system–based authentication, and then to perform authorization via LDAP. This is known as Operating System LDAP authorization or OS/LDAP. It allows a user to authenticate to Caché using credentials from the operating-system login and then to have their authorization information retrieved from an LDAP server. Operating system LDAP authorization is available in the Console on Windows and in the Terminal on UNIX®, Linux, and macOS.
To configure OS/LDAP:
  1. Configure authorization. This occurs in the same manner as that which accompanies LDAP authentication, as described in the section “Configuring LDAP Authorization for Caché.”
Enabling OS/LDAP for a Caché Instance
To use OS/LDAP, first enable it for the instance:
  1. Click Save to apply the changes.
Enabling OS/LDAP for the %Service_Console and %Service_Terminal Services
To enable OS/LDAP for the instance’s relevant services or applications:
  1. With LDAP authentication enabled for the instance, an Operating System LDAP Authorization check box appears on the Edit Service page for %Service_Console and %Service_Terminal, which are the services that support OS/LDAP.
  2. Enable LDAP authentication for those services, as appropriate.
OS/LDAP with a Single Domain and Multiple Domains
OS/LDAP supports the use of a single domain or multiple domains.
When Caché is configured to support only a single domain:
  1. The system prompts the user for a username and password for the first login.
  2. For subsequent logins, there is no prompt because the operating system has already authenticated the user.
When Caché is configured to support multiple domains:
  1. The system prompts the user for a username and password for the first login.
  2. For subsequent logins, the operating system prompts for a username and password by default. You can configure Caché to prevent this prompting; see the next section.
Configuring OS/LDAP with Multiple Domains for Simplified Prompting
If you are using OS/LDAP and multiple domains, you can configure the instance for simplified prompting. By default, users are prompted for a username and password at every login. You can configure Caché so that there is only a username/password prompt when a user first logs in, and that subsequent connections are authenticated without prompting.
To configure Caché for this behavior:
  1. For each user, create the environment variable ISC_LDAP_CONFIGURATION with a value of the domain in which the user is authenticating.
  2. For each domain in which users are authenticating:
    1. Ensure that there is an LDAP configuration or create one.
    2. For that LDAP configuration, select the Allow ISC_LDAP_CONFIGURATION environment variable check box, which enables use of the environment variable.
Using LDAP with Delegated Authentication or Other Mechanisms
You can also use LDAP as part of a custom authentication system (that is, with the Caché delegated authentication feature). To do this, use calls to the %SYS.LDAP class as part of the custom authentication code in the ZAUTHENTICATE routine.
InterSystems provides a sample routine, LDAP.mac, that demonstrates these calls. This routine is part of the Samples-Security sample on GitHub (https://github.com/intersystems/Samples-Security).
Also, if you need to authenticate to LDAP or use instance authentication after collecting credentials through another mechanism, call $SYSTEM.Security.Login with those credentials to authenticate the user.
For more details about delegated authentication and the ZAUTHENTICATE routine, see the Delegated Authentication chapter.
Securing Outbound LDAP Connections
While this chapter primarily concerns using LDAP for authentication and authorization when connecting to Caché, you may also wish to establish an outbound connection from Caché to an LDAP server. To secure an outbound connection to an LDAP server, Caché includes support for TLS/SSL. For more information on this topic, see the class documentation for %SYS.LDAP, in the content for the Init method.
Checking and Removing Local Accounts Based on LDAP Account Conditions
Caché removes a user account on the local instance when the account meets any of the following conditions:
Caché checks for these conditions and removes accounts under the following circumstances:
Debugging When Using the LDAP APIs with Certificates on UNIX®
If you are using the Caché LDAP APIs with certificates on UNIX® and need detailed debugging information, you may wish to use the ldapsearch program that is part of the OpenLDAP package. Once you have corrected any problems with certificates, you can use the test configuration tool to verify that the connection is functioning. The ldapsearch program may also be useful for debugging other LDAP connection problems.
How Various LDAP Actions Occur
This section describes what occurs during certain processes associated with LDAP authentication and authorization:
How LDAP Performs Authentication and Authorization
When a user attempts to authenticate to an instance of Caché that uses LDAP authentication, the process is:
  1. Caché establishes a connection to the LDAP server using the values specified for the LDAP username to use for searches and LDAP username password. This user, who has privileges to search the LDAP database so that Caché can retrieve information, is known as the search user.
  2. Once the connection is established, the next step is to look up the target user in the LDAP database using the LDAP Unique search attribute.
  3. If the target user is found in the LDAP database, it retrieves the attributes associated with the user, such as the user’s roles, namespace, and routine.
  4. Caché then attempts to authenticate the user to the LDAP database, using the user name and password provided in step 1.
  5. If authentication succeeds, authorization occurs on the LDAP server (either via group assignment or via attributes). The user can then interact with Caché based on the privileges associated with their roles and any publicly available resources. The user’s properties are displayed read-only in the Management Portal and are not editable from within Caché.
How LDAP Looks Up the Target User in Its Database
Once Caché has established a connection to the LDAP server as the search user, it next retrieves information about the target user. To do this, Caché checks the username provided at login against values in the LDAP database for the LDAP Unique search attribute. The name of this attribute is often “sAMAccountName” for an Active Directory LDAP server and “uid” for an OpenLDAP server.
Once Caché has located the user, it retrieves attribute information. It retrieves information about every named attribute in the Caché LDAP configuration fields (described in Specifying Configuration Information for LDAP in Caché), and it retrieves all values associated with each attribute. Note that Caché retrieves all values associated with all attributes specified for the user in the Caché LDAP configuration fields; it is not possible to configure it to retrieve only a subset of these.
Copyright © 1997-2019 InterSystems Corporation, Cambridge, MA