IBM i Global

  • 1.  AD lookup from application

    Posted Thu April 13, 2023 03:50 PM

    We are going to implement SSO very soon for our IBM i systems.

    But we have an insurance application where today we have a password check inside the application against the user profile when payments are made.
    We want to use AD for this in the future, as we are going to use SSO/Kerberos.
    Our insurance system has been RPG from the start, but other modern languages are used as well.
    Is there an API for a password check against AD, or any other solution?



    ------------------------------
    Erik Aasland
    IBMi administrator
    Fremtind Insurance
    ------------------------------


  • 2.  RE: AD lookup from application

    Posted Fri April 14, 2023 07:29 AM

    In Qshell I can use the ldapsearch command.
    A sample of using it against a Domino-based LDAP server which is not set up to require authentication is:
     ldapsearch -h ldap01.corp.dekko.com -s one "cn=*smith*"

    Now, try it against a server which does require authentication and is Windows-based.  Here is a quick Google start:
    https://tylersguides.com/guides/search-active-directory-ldapsearch/

    This way, if you later decide not to load all your customers into your Windows domain (which I fail to understand), you can later change to something else which serves up LDAP.

    Note:  we are using "IBM Security Verify Governance - Identity Manager".  This keeps our Windows passwords in sync with our IBM i passwords (and Notes, and ...).  If you have a one-to-many account, like erik in Windows and ERIKOPR, ERIKSEC, ERIKPGMR on IBM i, it will keep all those in sync.  I have heard of shops on EIM/SSO which, in the one-to-many situation, have to use separate IP addresses for each user on the IBM i.  Like, if erik in Windows wants to connect to the IBM i as ERIKOPR they would go to x.x.x.10, ERIKSEC x.x.x.11, ERIKPGMR x.x.x.12.  This just blew my mind.  Especially in a shop like ours which does H/A swaps from our primary to our secondary in a different subnet in a different city.




    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 3.  RE: AD lookup from application

    Posted Mon April 17, 2023 10:45 AM

    Based on Rob's suggestion, you could also wrap the call to Qshell or PASE and make it usable from a traditional RPG/CL job by utilizing a Qshell wrapper such as the QSHEXEC command I wrote, or your own Qshell caller. https://github.com/richardschoen/QshOni

    With QSHEXEC you can also use native Python, PHP or Node scripts to connect to Active Directory for authentication.

    The good thing is you have options.



    ------------------------------
    Richard Schoen
    ------------------------------



  • 4.  RE: AD lookup from application

    Posted Fri April 14, 2023 11:30 AM

    Hello Erik,

    For this type of processing, the AD can be accessed directly with LDAP functions, as Robert points out.

    These functions are available in RPG IV and they work fine.

    The first difficulty is to have the prototypes of these functions. You can find them here (by Scott Klement).

    The second is, depending on what you want to do, to manage the many nested loops and the large number of pointers.

    What you ask for is still quite simple, because it is a matter of making a connection to check whether the AD account/password pair is correct.  An ldap_init followed by an ldap_simple_bind_s should be enough. These are two very simple functions.

    Then you will finish with an ldap_unbind to properly close the connection.



    ------------------------------
    Dominique Gayte
    ------------------------------
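
The bind-based check Dominique describes (ldap_init, ldap_simple_bind_s, ldap_unbind), and what Robert's ldapsearch does when given a bind DN and password (-D/-w) against AD, shown at the wire level. This is an added example, not code from the thread, from IBM's LDAP client or from Scott Klement's prototypes: it hand-encodes the LDAP BindRequest and BindResponse of RFC 4511 in Python, and a constructed in-memory directory stands in for the domain controller (the DN, the password and the AD-style diagnostic string are invented). Two things matter for a payment-authorization check built this way. First, a simple bind carries the password in cleartext inside the request, so the real connection to the DC must be LDAPS or StartTLS. Second, a bind that supplies a name but an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which AD accepts by default with resultCode success, so an application that only looks at the bind result treats an empty password as correct. The hardened check refuses that before anything is sent.

```python
"""LDAP simple bind (RFC 4511) by hand: the exchange behind ldap_simple_bind_s.

Added example. DIRECTORY below is a constructed stand-in for a domain
controller; the DN, password and diagnostic text are invented.
"""
import re

# --- minimal BER encoding / decoding ------------------------------------------
def ber_len(n: int) -> bytes:
    """Definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(tag: int, value: int) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A) in minimal two's-complement form."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- LDAP messages --------------------------------------------------------------
def bind_request(msg_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage{messageID, BindRequest [APPLICATION 0]{version 3, name, simple [0]}}."""
    bind = ber_int(0x02, 3) + tlv(0x04, dn.encode()) + tlv(0x80, password)
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x60, bind))

def bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """LDAPMessage{messageID, BindResponse [APPLICATION 1]{resultCode, matchedDN, diagnosticMessage}}."""
    result = ber_int(0x0A, result_code) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x61, result))

def parse_bind_request(msg: bytes):
    tag, body, _ = read_tlv(msg)
    assert tag == 0x30
    _, mid, pos = read_tlv(body)
    tag, bind, _ = read_tlv(body, pos)
    assert tag == 0x60
    _, _version, pos = read_tlv(bind)
    _, dn, pos = read_tlv(bind, pos)
    tag, pw, _ = read_tlv(bind, pos)
    assert tag == 0x80, "only the simple authentication choice is handled here"
    return int.from_bytes(mid, "big", signed=True), dn.decode(), pw

def parse_bind_response(msg: bytes):
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    tag, result, _ = read_tlv(body, pos)
    assert tag == 0x61
    _, code, pos = read_tlv(result)
    _, _matched_dn, pos = read_tlv(result, pos)
    _, diag, _ = read_tlv(result, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True), diag.decode())

# --- constructed domain controller ----------------------------------------------
DIRECTORY = {"CN=erik,OU=Users,DC=corp,DC=example,DC=com": b"correct horse"}  # invented
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

def domain_controller(request: bytes) -> bytes:
    """Decide a bind the way a directory does (constructed, not an AD implementation)."""
    mid, dn, pw = parse_bind_request(request)
    if pw == b"":
        # RFC 4513 5.1.2: a name with an empty password is an *unauthenticated* bind.
        # Servers that allow it (AD does by default) answer success and grant anonymous access.
        return bind_response(mid, 0)
    if DIRECTORY.get(dn) == pw:
        return bind_response(mid, 0)
    # Diagnostic text modelled on AD's "AcceptSecurityContext error, data NNN" wording.
    return bind_response(mid, INVALID_CREDENTIALS, "AcceptSecurityContext error, data 52e")

# --- the application-side check ---------------------------------------------------
def check_password_naive(dn: str, password: bytes) -> bool:
    """What 'ldap_simple_bind_s returned success' alone buys you."""
    _, code, _ = parse_bind_response(domain_controller(bind_request(1, dn, password)))
    return code == 0

def check_password(dn: str, password: bytes) -> bool:
    """Hardened: never send an empty password; require success for our own messageID."""
    if not dn or not password:
        return False
    mid, code, _ = parse_bind_response(domain_controller(bind_request(1, dn, password)))
    return mid == 1 and code == 0

# AD says *why* a bind failed in diagnosticMessage; these "data" codes are well known.
AD_DATA_CODES = {
    "525": "user not found", "52e": "invalid credentials", "530": "logon time restriction",
    "531": "workstation restriction", "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "must reset password", "775": "account locked out",
}

def ad_failure_reason(diag: str) -> str:
    m = re.search(r"data ([0-9a-f]+)", diag)
    return AD_DATA_CODES.get(m.group(1), "unknown") if m else "no AD data code"

if __name__ == "__main__":
    dn = "CN=erik,OU=Users,DC=corp,DC=example,DC=com"
    print("naive check, empty password   :", check_password_naive(dn, b""))  # the trap
    print("hardened check, empty password:", check_password(dn, b""))
    print("hardened check, right password:", check_password(dn, b"correct horse"))
    print("password visible on the wire  :", b"correct horse" in bind_request(1, dn, b"correct horse"))
```

In RPG the same guard (reject an empty or blank password before calling ldap_simple_bind_s, and treat anything other than LDAP_SUCCESS as a failure) goes in front of the bind; with ldapsearch the equivalent check is `-D <dn> -w <password>` and a non-zero exit code. AD also accepts the userPrincipalName (erik@corp.example.com) as the bind name for a simple bind, which is usually easier to derive from what the user typed than a full DN. The "data NNN" code is worth logging on failure so that a locked-out or disabled account is not reported to the operator as a typo.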



  • 5.  RE: AD lookup from application

    Posted Fri April 14, 2023 02:45 PM

    Hi Erik,

    Perhaps a simpler approach with minimal risk is to use ADDKRBTKT (or the equivalent API function) for the user to authenticate to Active Directory.  This approach leverages the security of Kerberos without the need to retrieve passwords.  The user will receive a ticket-granting ticket from the domain controller if the AD password is correct (CPCC604), or a CPFC60E if the password is incorrect.  The prerequisite for this approach is that a home directory is required for all users.

    Fortra offers IBM i SSO services and solutions. 





    ------------------------------
    Steve Sisk
    ------------------------------



  • 6.  RE: AD lookup from application

    Posted Fri April 14, 2023 02:45 PM

    Hi Erik,

    Using the ADDKRBTKT command (or API equivalent) provides Active Directory authentication by leveraging Kerberos.  The user can be prompted to enter their Windows ID and password on IBM i.  If the authentication is successful, CPCC604 is issued, and if not, a CPFC60E.  The prerequisite for this approach is that each user must have a home directory in the IFS.

    Fortra offers IBM i SSO services and solutions.



    ------------------------------
    Steve Sisk
    Senior Security Consultant
    Fortra
    ------------------------------



  • 7.  RE: AD lookup from application

    Posted Tue April 18, 2023 02:35 PM

    Thank you for all suggestions. I will have a developer on that. And we may have other questions later.



    ------------------------------
    Erik Aasland
    IBMi administrator
    Fremtind Insurance
    ------------------------------