Got feedback or spotted a mistake?

Leave a comment at the end of this page or email contact@krishagni.com

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 32 Next »

Introduction

To integrate LDAP with OpenSpecimen, one needs to register LDAP with OpenSpecimen. OpenSpecimen needs the below config parameters to communicate with LDAP:
  • LDAP URL
  • Bind user and password
  • User search base
  • User search filter

LDAP can be configured using UI(v6.1 onwards) or API. One can configure one or more LDAPs at the same time. Once configured, the LDAPs will appear on the login and sign up page as a dropdown.

Via UI

Super admins can configure LDAP via UI (v6.1 onwards) by going to Extras from the home page. 

Click on 'Identity Providers' and create a new entry for registering to your LDAP. Select the type as LDAP and fill all required details

Once created, the list of all LDAPs registered are displayed and can be updated if required.


Via REST API

openspecimen/rest/ng/auth-domains

Use the register authentication domain resource for registering LDAP authentication domains in OpenSpecimen application.  Use the HTTP POST method to call this API by passing the below details in JSON format.

Parameter
Details
name

A unique user-friendly name that end-user wants to give his/her domain. E.g., Hopkins_LDAP, KUMC_LDAP, etc.

authType

Unique name for the LDAP. E.g., UNIV_LDAP, HOSP_LDAP.

implClass

Should be "com.krishagni.catissueplus.core.auth.services.impl.LdapAuthenticationServiceImpl"

If you are going to customize the LDAP implementation for some reason, replace the string with your custom class name.

authProviderProps

This parameter is mandatory.

There are two authentication strategies:

  • Bind Authentication: Authenticate directly to the LDAP server. Needs URL and userDnPatterns.
  • Password comparison: The password supplied by the user is compared with the one stored in the repository. Needs url, userDn, password, userSearchFilter and userSearchBase.

The parameter that comes under the authProviderProps parameter is described below.

url  -

LDAP URLs have the following syntax:

ldap[s]://<hostname>:<port>/<base_dn>
ComponentDescription
ldap[s]://An LDAP URL is a URL that begins with the ldap:// protocol prefix (or ldaps://, if the server is communicating over an SSL connection) and specifies a search request to be sent to an LDAP server.
<hostname>Name of the LDAP server. Eg. ldap.forumsys.com
<port>

Port number of LDAP server. Eg. 696

If the port number is not specified, the standard LDAP port 389 is used.

<base_dn>

The distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search.

If this component is empty, the search starts at the root DN. Eg. dc=example,dc=com

Eg. ldap://ldap.forumsys.com:389/dc=example,dc=com

userDnPatterns - User Dn pattern. Eg. "uid={0}" or in case of active directory "sAMAccountName={0}".

OpenSpecimen creates full Dn using userDnPattern and baseDn and tries to authenticate by provided username and password.

Eg.

userName - "jonDoe",
password - "passwd"

url - ldap://ldap.forumsys.com:389/dc=example,dc=com
userDnPatterns - "uid={0}" or "sAMAccountName={0}"
Full Dn - "uid=jonDoe,dc=example,dc=com" or "sAMAccountName=jonDoe,dc=example,dc=com"

OR
 
url - ldap://ldap.forumsys.com:389/dc=example,dc=com
userDnPatterns - "uid={0}, ou=users" or "sAMAccountName={0},ou=users"
Full Dn - "uid=jonDoe, ou=users, dc=example, dc=com" or "sAMAccountName=jonDoe, ou=users, dc=example, dc=com"
userDn - This is required for authenticating to the directory. Eg. "cn=read-only-admin,ou=users,dc=example,dc=com"
password - bind password
userSearchFilter - Search user using an attribute. Eg. "(uid={0})" or in case of active directory "(sAMAccountName={0})"

userSearchBase - User search base, from where the search will be started. It might be an empty string like "" or "ou=People".

If Oracle DBMS is used, then an empty string is treated as null, which will fail LDAP authentication. Therefore it is advised to specify the base node from which the search needs to be carried.


Eg.

Suppose users are resided in following directory:
  1. ou=others,dc=example,dc=com
  2. ou=users,dc=example,dc=com
  3. ou=people,dc-example,dc=com
 
url - ldap://ldap.forumsys.com:389/dc=example,dc=com
userSearchFilter - "(uid={0})" or "(sAMAccountName={0})"
userSearchBase - ""
Search will start from "dc=example, dc=com", It will search user in all the sub directories.
 
OR
 
url - ldap://ldap.forumsys.com:389/dc=example,dc=com
userSearchFilter - "(uid={0})" or "(sAMAccountName={0})"
userSearchBase - "ou=people"
Search will start from "ou=people,dc=example,dc=com". It will search user only in ou=people.


http[s]:<host>:<port>/openspecimen/rest/ng/auth-domains

Use this URL to register the authentication domain in the OpenSpecimen application.


Result:

The response of this request will contain the details of the registered authentication domain.

Below is the example of the register authentication domain:

  1.  Ldap Domain Registration :
Method

POST: Use to register new domain

PUT : Use to update existing domain

POST URLopenspecimen/rest/ng/auth-domains
PUT URLopenspecimen/rest/ng/auth-domains/{id}
Requestapplication/json
json
{
	"name": "krishagni-ldap",
 	"implClass": "com.krishagni.catissueplus.core.auth.services.impl.LdapAuthenticationServiceImpl",
 	"authType": "ldap",
 	"authProviderProps": {
 		"url": "ldap://ldap.forumsys.com:389/",
		"userDn": "cn=read-only-admin,ou=users,dc=example,dc=com",
		"password": "passwd",
 		"userSearchFilter": "uid= {0}",
		"userSearchBase": "dc=example,dc=com"
	}
 }

Response

{
	"id": 3,
 	"name": "krishagni-ldap",
 	"implClass": "com.krishagni.catissueplus.core.auth.services.impl.LdapAuthenticationServiceImpl",
 	"authType": "ldap",
 	"authProviderProps": {
 		"url": "ldap://ldap.forumsys.com:389/",
		"userDn": "cn=read-only-admin,ou=users,dc=example,dc=com",
		"password": "passwd",
 		"userSearchFilter": "uid= {0}",
		"userSearchBase": "dc=example,dc=com"
 	}
}
Error cases :

This section describes the response cases for register authentication API

code
Applies to
Status Message
200All resourcesDomain has been registered successfully
400All requestsInvalid parameters, e.g. blank implClass in-case of a custom domain, duplicate domain name, etc
401All requestsAuthorization failed, the user doesn’t have the authority
500All requestsInternal server error, encountered server error while performing operations or provided wrong LDAP information

Debugging LDAP Issues

Run the below command on command prompt / terminal and fill the same details as configured on OpenSpecimen UI. This command will give you an error if there is an issue with configuration, and if it works fine, then the same configuration will work in OpenSpecimen.

ldapsearch -x -H <ldap_host> -b "<search_base>" -D "<bind_dn>" -W "objectclass=account"

For Example:

ldapsearch -x -D "cn=Manager,dc=krishagni,dc=in" -H ldap://192.168.121.133 -b "ou=People,dc=krishagni,dc=in" -W "uid=test"

The command will prompt for the password. Enter the same password that you entered in the password field on UI.

Here 'test' is the user account created in LDAP, and the same user needs to be created into OpenSpecimen. Here is a wiki page to setup LDAP users. (refer to via UI section)

  • No labels
Got feedback or spotted a mistake?

Leave a comment at the end of this page or email contact@krishagni.com