Ldap security configuration using Broadsea 3.5

sue785 · March 5, 2025, 3:43pm

We have configured the Altas using OHDSI Broadsea 3.5 by using GitHub - OHDSI/Broadsea: Broadsea deploys the core OHDSI technology stack (Atlas & R Hades), using cross-platform Docker container technology.. Ldap is not working. Please help us fix it.
kindly find the below environment variables and config.local.js file

ENV variables
ATLAS_USER_AUTH_ENABLED=“true”

ATLAS_SECURITY_PROVIDER_TYPE=“ldap”
ATLAS_SECURITY_PROVIDER_NAME=“LDAP Authentication”
ATLAS_SECURITY_ICON=“fa-cubes”
ATLAS_SECURITY_USE_FORM=“true”
ATLAS_SECURITY_USE_AJAX=“true”

WEBAPI_SECURITY_PROVIDER=“AtlasRegularSecurity”
SECURITY_TOKEN_EXPIRATION=“28800”

SECURITY_AUTH_LDAP_ENABLED=“true”
SECURITY_LDAP_DN=“cn={0},OU=SystemUsers,OU=ServiceAccounts,DC=xxx,DC=xxx,DC=local”
SECURITY_LDAP_URL=“ldaps://ldaps.example.org:636”
SECURITY_LDAP_BASEDN=“OU=SystemUsers,OU=ServiceAccounts,DC=xxx,DC=xxx,DC=local”
SECURITY_LDAP_SYSTEM_USERNAME=“xxx”
SECURITY_LDAP_SYSTEM_PASSWORD_FILE=“./secrets/webapi/SECURITY_LDAP_SYSTEM_PASSWORD”
SECURITY_LDAP_SEARCHSTRING=“(&(objectClass=*)(commonName={0}))”
SECURITY_LDAP_USERMAPPING_DISPLAYNAMEATTR=“displayname”
SECURITY_LDAP_USERMAPPING_FIRSTNAMEATTR=“givenName”
SECURITY_LDAP_USERMAPPING_MIDDLENAMEATTR=“initials”
SECURITY_LDAP_USERMAPPING_LASTNAMEATTR=“sn”
SECURITY_LDAP_USERMAPPING_USERNAMEATTR=“cn”
SECURITY_LDAP_USERIMPORT_USERNAMEATTR=“cn”
SECURITY_LDAP_USERIMPORT_LOGINATTR=“uid”
SECURITY_LDAP_SEARCHBASE=“OU=Departments,OU=SystemUsers,OU=ServiceAccounts,DC=xxx,DC=xxx,DC=local”

config-local.js file settings
configLocal.userAuthenticationEnabled = $ATLAS_USER_AUTH_ENABLED;
configLocal.authProviders = [{
“name”: “$ATLAS_SECURITY_PROVIDER_NAME”,
“url”: “user/login/$ATLAS_SECURITY_PROVIDER_TYPE”,
“ajax”: $ATLAS_SECURITY_USE_AJAX,
“icon”: “fa $ATLAS_SECURITY_ICON”,
“isUseCredentialsForm”: $ATLAS_SECURITY_USE_FORM
}];

Error
2025-03-03 20:18:53.615 INFO http-nio-8080-exec-4 org.ohdsi.webapi.audittrail.AuditTrailServiceImpl - - <110>1 2025-03-03T20:18:53.614Z eaf865efef10 Atlas - - - User login failed: xxx, remote-host = 172.18.0.6

On the command line on webserver, we can successfully authenticate and query the LDAP server with the following:
ldapsearch -x -LLL -H ldaps://ldaps.example.org:636 -D “CN=example,OU=Service Accounts,OU=SystemUsers,DC=xxx,DC=xxx,DC=local” -W -b “OU=SystemUsers,DC=xxx,DC=xxx,DC=local”

@Lee_evans @Ajit_Londhe @ssuvorov-fls @Konstantin_Yaroshove

Marco_Lima · March 6, 2025, 12:37pm

Hi
I had the same problem, escaping the SECURITY_AD_SEARCHFILTER is not trivial.
change
SECURITY_AD_SEARCHFILTER: “(&(objectClass=person)(userPrincipalName=%s))”
to:
SECURITY_AD_SEARCHFILTER: “”

and check if it works.

sue785 · March 6, 2025, 7:02pm

Many Thanks Marco, I tried with SECURITY_LDAP_SEARCHSTRING=“". I get the same error.

hspence · March 8, 2025, 9:33pm

Can you check the CN value in the environment variables?

SECURITY_LDAP_DN=“cn={0},OU=SystemUsers,OU=ServiceAccounts,DC=xxx,DC=xxx,DC=local”

Try to use the same CN value of the working query to the LDAP server?

ldapsearch -x -LLL -H ldaps://ldaps.example.org:636 -D “CN=example,OU=Service Accounts,OU=SystemUsers,DC=xxx,DC=xxx,DC=local” -W -b “OU=SystemUsers,DC=xxx,DC=xxx,DC=local”

sue785 · March 19, 2025, 9:51pm

Thank you Spence,
I tried using the same CN value of the working query to the LDAP server however we get the same error. Would you have any additional suggestion in mind that could help. Many thanks in advance.