Hi there,
I have a basic Orthanc server up and running on a Red Hat box through the latest docker image, and am loving it. Next step is to integrate with our enterprise LDAP (for read-only authentication validation, only), and it seems that there are many possible approaches to accomplish such LDAP integration.
Here’s what I have explored or considered so far:
- A. from How to authenticate users? — Orthanc Book documentation (“How to authenticate users?”)
- “Implement a Lua callback to filter incoming REST requests. This is the most simple solution, and would notably allow you to implement read-only access or, more generally, access control lists.”
I have explored some of the Lua samples and integrated a quick test HelloWorld.lua that implements the “OnStoredInstance()” callback. This looks good for some triggered functionality, but are such Lua Server-Side scripts a reasonable place to set up an initial LDAP authentication? Server-side scripting with Lua — Orthanc Book documentation (“Server-side scripting with Lua - Filtering incoming REST requests”) indicates that the use of IncomingHttpRequestFilter() could be applicable, and I wonder if SetHttpCredentials(username, password) might likewise tie in somehow.
- "Develop a C/C++ plugin that uses the OrthancPluginRegisterIncomingHttpRequestFilter(). This solution is potentially useful if you wish to integrate with an LDAP server."
This currently seems to be the most likely candidate, but I am unsure of whether or not I can do so using the pre-built docker image. I see some starting clues on C/C++ plugins at Creating new plugins — Orthanc Book documentation (“Creating new plugins”) and the example Implementing a WADO Server using Orthanc - CodeProject (“Implementing a WADO Server using Orthanc”), but nothing regarding the deprecated OrthancPluginRegisterIncomingHttpRequestFilter() or its newer OrthancPluginRegisterIncomingHttpRequestFilter2() except for a wee bit of description on the API page itself at http://sdk.orthanc-server.com/.
Although I would love to simply connect a plugin into the latest pre-built docker image for such a plugin, I would be more than willing to build the image locally if that is what is required to make this happen. A bit more guidance there might be very nice, though, or at least some assurance that this is indeed the recommended path before investing much more time here.
- “Use Orthanc as a reverse proxy (e.g. behind nginx, Apache, or Microsoft IIS), and use the authentication mechanisms of the main Web server.”
I have looked a little bit at How can I run Orthanc behind nginx? — Orthanc Book documentation ("How can I run Orthanc behind nginx?") and have attempted the nginx configuration snippet, but even that “location /orthanc/” snippet does not yet seem to work for me (results in a 502 Bad Gateway at first pass).
I am using the latest docker image for nginx along with jwilder/docker-gen:0.3.4, and am unsure if these can be configured directly for LDAP. Clues point to trying to build NGINX Plus with an nginx-ldap-auth.conf (as per Using NGINX Plus and NGINX to Authenticate Users with LDAP), but I am hoping to stick with a pre-built nginx image, if at all possible, since this is already a relatively finicky part of our infrastructure, and I am hesitant to increase its complexity too much more.
- “Create a new Web user interface on the top of the REST API of Orthanc, using your favorite framework (Meteor, AngularJS, Ember.js, Node.js…)”
Not sure I want to go down this path if unnecessary since I really do like the existing Orthanc web user interface, and don’t want to merely reinvent its already quite usable wheel.
- B. Redirecting to Google Groups (“Orthanc as a Hospital PACS?”)
Sorry, don’t really intend to open up that thread, except to highlight one very relevant line where Sébastien recommends:
“So you need LDAP? Just implement it with a PHP/Django/nginx wrapper around Orthanc. Bottom line.”
I like the sounds of this (!!!), and it seems like a great approach. Given my lack of success so far with nginx alone (above), I tried a few tweaks to a Django app that is on the same server, but am not yet sure of the details to approach this. My test Django app is already integrated with LDAP for authentication, and is sitting under http://myhost/app. I would love to configure an endpoint such as http://myhost/app/orthanc which is safely within the net of the Django app.
If I understand correctly, though, I can only configure the port for Orthanc, and not its endpoint, is that right? And that would require that I do get the nginx proxy_pass set up properly, yes?
I also wonder, though, if a savvy user could still gain access directly to the redirected URL (e.g., http://localhost:8042) to bypass any Django-based authentication under its configured SITEAUTH_ALLOW_URLS.
Any other thoughts on the use of Django or PHP as such a wrapper? I really do like the idea of such an approach, if I can make it happen.
- C. Redirecting to Google Groups (“Re: DNS and ldab”)
mentions that "Orthanc does not support LDAP authentication out-of-the-box, but a plugin can be developed using the “OrthancPluginRegisterIncomingHttpRequestFilter()” primitive: Creating new plugins — Orthanc Book documentation"
- D. Redirecting to Google Groups (“Orthanc security”)
also recommends that “Orthanc 1.0.1 will also allow the possibility to filter incoming HTTP requests with a C/C++ plugin (check out the new “OrthancPluginRegisterIncomingHttpRequestFilter()” function in the mainline code).”
With all of the above shared, I suppose that a relatively simple wrapper approach that allows me to continue using the pre-built Orthanc docker image would be ideal. If not, I do expect that my next best option is implementing a plugin to utilize OrthancPluginRegisterIncomingHttpRequestFilter() but do, again, hope for a little more guidance before starting into that path.
Might any of you be able to kindly provide any further details, examples, or guidance on any techniques for any such LDAP integration?
Thank you very much,
Remo
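
The wrapper approach discussed in the post, sketched as an nginx configuration: nginx asks the LDAP-backed Django app whether the session is logged in before forwarding anything to Orthanc. This is an added example, not part of the original post and not from the Orthanc project. The Django address 127.0.0.1:8000, the /app/auth-check/ view, the login URL and the loopback-only port publishing are assumptions, and auth_request requires nginx built with ngx_http_auth_request_module.

```nginx
# Constructed example; addresses, paths and the auth-check view are assumptions.
# Assumes nginx can reach both backends on the host loopback interface.
upstream orthanc {
    # Orthanc published on loopback only, e.g. docker run -p 127.0.0.1:8042:8042 ...
    # so port 8042 is not reachable from other machines.
    server 127.0.0.1:8042;
}

server {
    listen 80;
    server_name myhost;

    # Existing Django app, already authenticating users against LDAP.
    location /app/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
    }

    # Subrequest target, not reachable from outside (internal).
    # Hypothetical Django view: returns 204 for a logged-in session, 401 otherwise.
    location = /_orthanc_auth {
        internal;
        proxy_pass http://127.0.0.1:8000/app/auth-check/;
        proxy_pass_request_body off;           # the check needs only cookies/headers
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
        proxy_set_header X-Original-URI $request_uri;
    }

    # Longest-prefix match: this wins over "location /app/" for Orthanc URLs.
    location /app/orthanc/ {
        auth_request /_orthanc_auth;           # 2xx allows, 401/403 denies
        error_page 401 = @login;

        # The trailing slash replaces the /app/orthanc/ prefix with /,
        # so Orthanc sees the paths it would see on port 8042.
        proxy_pass http://orthanc/;
        proxy_set_header Host $host;
    }

    # Send unauthenticated browsers to the Django login page (assumed URL).
    location @login {
        return 302 /app/login/?next=$request_uri;
    }
}
```

With the port published only on loopback, a request to port 8042 from another machine never reaches Orthanc, so the check in nginx cannot be skipped by addressing the backend directly.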