8 Replies. Latest reply: Aug 7, 2012 10:13 AM by Gor_Mahia

    Help with LDAP

      I followed the steps below to create custom LDAP access:

      1. Created an LDAP group with names on the appropriate server (SALES_GRP) <===DBA
      2. Went to Shared Components > Authorization scheme > Create > Create Scheme (Based on a pre-configured scheme from the gallery) > entered name & scheme type = LDAP directory (entered Host, Port and Distinguished Name (DN) string) > Create.
      3. Confirmed that my application is using the new authorization scheme.
      4. Now when I run and log in to the application with my user ID & temporary new password, it gives errors (invalid credentials).

      Any idea what could be the problem here? Thanks in advance.

      Edited by: jieri on Aug 5, 2012 1:38 PM
        • 1. Re: Help with LDAP
          I really need help with LDAP setup, please. Anybody out there who has done this? Thanks in advance.
          • 2. Re: Help with LDAP

            I am not an LDAP expert by any means, but I have used LDAP authentication in the past. Two things I noticed: it is authentication scheme, not authorization scheme, so make sure LDAP is your current authentication scheme. Also, why do you have a temporary password? You should be using the same password from your Active Directory (AD) or Oracle Identity Directory (OID) server. I hope this helps.

            • 3. Re: Help with LDAP
              Oh, my bad, it's authentication scheme, not authorization scheme:

              2. went to shared component > authentication scheme > create > Create Scheme . . . .
              • 4. Re: Help with LDAP
                Oh, typo error. Yes, I did create it as an authentication scheme and assigned it correctly as the current one. The temporary password was created by the DBA to be changed when I log on the first time, so that's OK, but is there something extra I am missing here? Thank you.
                • 5. Re: Help with LDAP
                  Tom Petrus

                  Try running this code. You can do this from the SQL Workshop; make sure you do this using the schema you use as parsing schema for your application with this authentication.
                  If you use 'Exact Distinguished Name = Yes', put the DN string in the l_user variable. If not, put the whole string there (just try it for your user, you're sure it exists and are sure of the settings).
                  You also didn't specify whether you are using SSL or not; it matters, e.g. for the port: 389 is no SSL.
                     DECLARE
                        ldap_host      VARCHAR2(200);
                        ldap_port      VARCHAR2(200);
                        l_user         VARCHAR2(200);
                        l_password     VARCHAR2(200);
                        l_retval       BINARY_INTEGER;
                        ldap_session   DBMS_LDAP.session;
                     BEGIN
                        -- adapt these!
                        ldap_host   := '';
                        ldap_port   := '389';
                        l_user      := 'johndoe';
                        l_password  := 'xxx';
                        -- raise exceptions instead of returning error codes
                        DBMS_LDAP.USE_EXCEPTION := TRUE;
                        -- create a session
                        ldap_session := DBMS_LDAP.init(ldap_host, ldap_port);
                        -- authenticate user through simple bind
                        l_retval := DBMS_LDAP.simple_bind_s(ldap_session, l_user, l_password);
                        dbms_output.put_line('return value of bind: '||l_retval);
                        -- close the session
                        l_retval := DBMS_LDAP.unbind_s(ldap_session);
                     END;
                     /
                  See if you get errors here, such as network ACL errors. If not, what does it say? Try experimenting a bit with what you put in l_user. If you can't find it, you'll have to be clearer on what you specified in "Distinguished Name (DN) String".
                  • 6. Re: Help with LDAP
                    OK, I used different values for l_user and the other variables and ran the PL/SQL block as below, e.g.

                    ldap_host := 'TXREPL031';
                    ldap_port := '389';
                    l_user := 'cn=sales_grp,ou=apex,ou=apps,ou=inet,ou=r1,o=education'; ===> also tried username='devuser'
                    l_password := 'mypass0tjwYZ';

                    My "Distinguished Name (DN) String" = yes

                    In all cases I am getting the error => ORA-24247: network access denied by access control list (ACL)

                    I am using the default login page; I didn't create a custom new login. I hope that's not an issue.
                    Apex 4.1.0/Oracle 11g Ent.

                    Any further suggestions? Thanks in advance.
                    • 7. Re: Help with LDAP
                      Tom Petrus
                      "In all cases I am getting the error => ORA-24247: network access denied by access control list (ACL)"
                      The error explains everything. Oracle db 11g uses network ACLs. Your error is nothing more than Oracle telling you you don't have permission to access the host 'TXREPL031'. It's exactly the same as with mails.
                      Taken from apex_mail API docs:
                      2. If you are running Oracle Application Express with Oracle Database 11g release 1 (11.1), you must enable outbound mail. In Oracle Database 11g release 1 (11.1), the ability to interact with network services is disabled by default. See "Enabling Network Services in Oracle Database 11g" in Oracle Application Express Application Builder User's Guide.
                      Take a look here (docs), Enabling Network Services in Oracle Database 11g

                      If you do a Google search ("oracle 11g network acl") or a search here on the forums, you'll find lots of information.
                      E.g. http://blog.whitehorses.nl/2010/03/17/oracle-11g-access-control-list-and-ora-24247/

                      Example code:
                        BEGIN
                          -- create the ACL and grant 'connect' to the parsing schema
                          DBMS_NETWORK_ACL_ADMIN.create_acl (
                            acl          => 'ad_ldap.xml',
                            description  => 'User authentication AD',
                            principal    => 'APX',  -- > the user of your parsing schema
                            is_grant     => TRUE,
                            privilege    => 'connect',
                            start_date   => NULL,
                            end_date     => NULL);
                          -- bind the ACL to the LDAP host, limited to port 389
                          DBMS_NETWORK_ACL_ADMIN.assign_acl (
                            acl         => 'ad_ldap.xml',
                            host        => '_your_host_here_',
                            lower_port  => 389,
                            upper_port  => 389);
                          COMMIT;
                        END;
                        /
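
Added example, not part of the original thread: two DBA queries for Oracle 11g that check whether the ACL assignment above took effect and whether it is wider than the LDAP bind needs. 'APX' and 'TXREPL031' are the schema and host named in this thread; replace them with your own parsing schema and LDAP host.

```sql
-- Run as a DBA on Oracle Database 11g.
-- 'APX' (parsing schema) and 'TXREPL031' (LDAP host) are taken from the
-- thread; both are assumptions for any other environment.

-- 1. Which ACLs cover the LDAP host, on which ports, and does the
--    parsing schema hold the 'connect' privilege through them?
--    DOMAINS() also returns '*', so wildcard ACLs show up here too.
SELECT a.host,
       a.lower_port,
       a.upper_port,
       a.acl,
       DECODE(DBMS_NETWORK_ACL_ADMIN.check_privilege_aclid(
                a.aclid, 'APX', 'connect'),
              1, 'GRANTED',
              0, 'DENIED',
              'NOT LISTED') AS connect_privilege
  FROM dba_network_acls a
 WHERE LOWER(a.host) IN (
         SELECT LOWER(column_value)
           FROM TABLE(DBMS_NETWORK_ACL_UTILITY.domains('TXREPL031')))
 ORDER BY DBMS_NETWORK_ACL_UTILITY.domain_level(a.host) DESC,
          a.lower_port NULLS LAST;

-- 2. Every principal on those ACLs. Rows for PUBLIC, for schemas other
--    than the parsing schema, or on an ACL assigned to host '*' or with
--    NULL ports are wider than an LDAP bind on port 389 requires.
SELECT p.acl,
       p.principal,
       p.privilege,
       p.is_grant,
       p.start_date,
       p.end_date
  FROM dba_network_acl_privileges p
 WHERE p.acl IN (
         SELECT a.acl
           FROM dba_network_acls a
          WHERE LOWER(a.host) IN (
                  SELECT LOWER(column_value)
                    FROM TABLE(DBMS_NETWORK_ACL_UTILITY.domains('TXREPL031'))))
 ORDER BY p.acl, p.principal;
```

If query 1 returns no rows or NOT LISTED for the schema, the bind test from reply 5 will keep failing with ORA-24247 regardless of the credentials used.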
                      • 8. Re: Help with LDAP
                        I thank Tom and sect55 for excellent suggestions on this issue, but I came to realise the DBA didn't complete the process. Actually the Service Acct was missing, and that made me scratch my head a lot. Anyway, it's now working... thanks.