37 Replies. Latest reply: Feb 18, 2013 3:03 PM by 703377

LDAP to Active Directory= 'invalid login credentials'

Rambo79 Newbie
Hi

I am looking at setting up Active Directory authentication in APEX, so I am changing the authentication scheme to LDAP Directory

I have completed the host, port, NO SSL, etc under the settings tab

Host : ip address of ad server
Port : 389
Use SSL: No SSL
Distinguished Name (DN) String : domain\%LDAP_USER%
Use Exact Distinguished Name (DN) : Yes

However when trying to run the application and entering my details it keeps bringing back 'invalid login credentials'

What steps have I missed out?

I have come across the following code on another thread but where would this go in PL/SQL code?

DECLARE
    vSession DBMS_LDAP.session;
    vResult  PLS_INTEGER;
BEGIN
    DBMS_LDAP.use_exception := TRUE;
    vSession := DBMS_LDAP.init
        ( hostname => 'CREDPWY01SDCG01'
        , portnum  => 389
        );
    vResult := DBMS_LDAP.simple_bind_s
        ( ld     => vSession
        , dn     => 'CN=<username>,dc=credit,dc=com'
        , passwd => NULL
        );
    DBMS_Output.put_line('User authenticated!');
    vResult := DBMS_LDAP.unbind_s(vSession);
END;

I am not able to authenticate at all when using apex_ldap regardless if I pass NULL for the password, or use the real password.

BEGIN
    IF APEX_LDAP.authenticate
        ( p_username    => '<username>'
        , p_password    => NULL
        , p_search_base => 'dc=credit,dc=com'
        , p_host        => 'CREDPWY01SDCG01'
        , p_port        => 389
        )
    THEN
        DBMS_Output.put_line('ok');
    ELSE
        DBMS_Output.put_line('not ok');
    END IF;
END;

Edited by: Rambo79 on 05-Nov-2012 03:44
  • 1. Re: LDAP to Active Directory= 'invalid login credentials'
    Christian Neumueller Expert
    Hi Rambo79,

    which version of Apex and Oracle are you using? Did you follow the post installation docs about ACLs?

    Regards,
    Christian
  • 2. Re: LDAP to Active Directory= 'invalid login credentials'
    Rambo79 Newbie
    Hi

    I am using Application Express 4.1.1.00.23 locally along with the built-in Oracle DB. Yes, followed the post installation about ACLs.
  • 3. Re: LDAP to Active Directory= 'invalid login credentials'
    Rambo79 Newbie
    Hi Christian

    Using the LDAP test tool in APEX I am entering the following, which is the correct info, but it keeps returning "Authentication failed!"

    LDAP Host: my hostname / also tried the IP address of the AD server
    Port: 389
    Use SSL: No SSL
    Use Exact DN: domain\%LDAP_USER%

    Under the credentials fields I am using my login details to Active Directory that I use to log into the network each day
  • 4. Re: LDAP to Active Directory= 'invalid login credentials'
    742417 Newbie
    What errors are you getting when you do the simple bind?
    See if this helps in any way: http://ruepprich.wordpress.com/2012/11/02/ldap-authentication-with-apex

    Edited by: Christoph on Nov 6, 2012 7:51 AM
  • 5. Re: LDAP to Active Directory= 'invalid login credentials'
    Christian Neumueller Expert
    Hi Rambo79,

    the following snippet can be used to test ldap authentication in SQL Commands:
    declare
        l_host varchar2(80)     := 'localhost';
        l_port number           := 389;
        l_user varchar2(80)     := 'cn=johndoe,ou=people,dc=example,dc=com';
        l_password varchar2(80) := 'john';
        --
        l_session dbms_ldap.session;
        l_result pls_integer;
    begin
        dbms_ldap.use_exception := true;
        l_session := dbms_ldap.init(l_host, l_port);
        l_result  := dbms_ldap.simple_bind_s (
                         ld     => l_session,
                         dn     => l_user,
                         passwd => l_password );
        dbms_output.put_line('result='||l_result);
        l_result  := dbms_ldap.unbind_s(l_session);
    end;
    /
    You'll have to enter your connection and login credentials, of course.

    Regards,
    Christian
  • 6. Re: LDAP to Active Directory= 'invalid login credentials'
    Rambo79 Newbie
    Hi Christian

    As outlined in the following post
    http://ruepprich.wordpress.com/2012/11/02/ldap-authentication-with-apex/

    In SQL Plus as SYSDBA on my local install of APEX (which is on the AD network)

    I ran the following code at the bottom of this thread but I am getting the error shown below

    Error at Line 1:
    ORA-44416: INVALID ACL: unresolved principle 'apex_040100'
    ORA-06512: at "SYS.DBMS_NETWORK_ACL_ADMIN", line 252
    ORA-06512: at line 9


    DECLARE
        l_acl       VARCHAR2(100) := 'ldapacl.xml';
        l_desc      VARCHAR2(100) := 'LDAP Authentication for myadservername.mydomain';
        l_principal VARCHAR2(30)  := 'apex_040100';
        l_host      VARCHAR2(100) := 'myadservername.mydomain';
    BEGIN
        -- Create the new ACL.
        -- Also, provide one starter privilege, granting the schema the privilege to connect.
        dbms_network_acl_admin.create_acl(l_acl, l_desc, l_principal, TRUE, 'connect');

        -- Now grant privilege to resolve DNS names.
        dbms_network_acl_admin.add_privilege(l_acl, l_principal, TRUE, 'resolve');

        -- Specify which hosts this ACL applies to.
        dbms_network_acl_admin.assign_acl(l_acl, l_host);

        COMMIT;
    END;
  • 7. Re: LDAP to Active Directory= 'invalid login credentials'
    Christian Neumueller Expert
    Hi Rambo79,

    please check the installation docs about ACLs again: http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21673/otn_install.htm#BEHHJJIH

    I think the l_principal value has to be uppercase.

    Regards,
    Christian
  • 8. Re: LDAP to Active Directory= 'invalid login credentials'
    742417 Newbie
    Christian is correct, the principal needs to be upper case.
    I made the correction in my blog post.

    Christoph
  • 9. Re: LDAP to Active Directory= 'invalid login credentials'
    Rambo79 Newbie
    Hi

    I have changed it to uppercase and the script has run, so again many thanks

    Still can't log in however - getting invalid login credentials?

    Under settings I am using

    Host: nameofmyadserver.domain.co.uk
    Port: 389
    Use SSL: NO SSL
    DN String: domain.co.uk\%LDAP_USER%
    Use DN: Yes

    Do I need to set anything else?

    Edited by: Rambo79 on 08-Nov-2012 04:19
  • 10. Re: LDAP to Active Directory= 'invalid login credentials'
    742417 Newbie
    In the DN string try (omit co.uk):

    domain\%LDAP_USER%
  • 11. Re: LDAP to Active Directory= 'invalid login credentials'
    Rambo79 Newbie
    Hi

    Just tried it without the .co.uk in the DN String but I am still getting the Invalid Login Credentials when trying to log in?

    Are there any tests I can run to make sure that the Oracle APEX server can communicate with the AD server, as all of the credentials I am entering are correct?
  • 12. Re: LDAP to Active Directory= 'invalid login credentials'
    Tom Petrus Expert
    Hopefully you did remove the unresolved principal from your ACL ('apex_040100' instead of 'APEX_040100'). If you haven't, go to the docs linked by Christian to find cleanup code. Or drop the whole ACL and just recreate it from scratch.

    I think that running the test code with simple bind in SQL Workshop requires the schema user to have connect rights, so first add the schema user of your application's parsing schema to the LDAP ACL (for example, here I add user APX to the ad_ldap.xml ACL; of course, this has to be done as SYS):
    BEGIN
       DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
        acl          => 'ad_ldap.xml',                
        principal    => 'APX',
        is_grant     => TRUE, 
        privilege    => 'connect',
        position     => null);
       COMMIT;
    END;
    /
    Then go to the SQL workshop, and select the parsing schema of the application you are trying to use the authentication in. Run this code with the required alterations.
    For l_user, try with both the shorthand string and a full DN string. For example, 'DOMAIN\johnd' and 'cn=johndoe,ou=people,dc=example,dc=com'.
    declare
        l_host varchar2(80)     := 'localhost';
        l_port number           := 389;
        l_user varchar2(80)     := 'cn=johndoe,ou=people,dc=example,dc=com';
        l_password varchar2(80) := 'john';
        --
        l_session dbms_ldap.session;
        l_result pls_integer;
    begin
        dbms_ldap.use_exception := true;
        l_session := dbms_ldap.init(l_host, l_port);
        l_result  := dbms_ldap.simple_bind_s (
                         ld     => l_session,
                         dn     => l_user,
                         passwd => l_password );
        dbms_output.put_line('result='||l_result);
        l_result  := dbms_ldap.unbind_s(l_session);
    end;
    See what that gives you as output or error.
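
An added example, not code posted by anyone in this thread: the same simple-bind test with the failure modes separated, so that an ACL denial (ORA-24247) is not mistaken for a directory error such as rejected credentials (ORA-31202), and with a guard against an empty password, which LDAP treats as an unauthenticated bind (RFC 4513). The host, user and password values are placeholders.

```sql
declare
    -- Placeholders: replace with your AD host and a test account.
    l_host     varchar2(255) := 'adservername.domain.co.uk';
    l_port     pls_integer   := 389;
    l_user     varchar2(255) := 'DOMAIN\johnd';
    l_password varchar2(255) := 'replace-me';
    --
    l_session  dbms_ldap.session;
    l_result   pls_integer;
    -- ORA-24247: the executing schema has no network ACL grant for the host.
    e_acl_denied exception;
    pragma exception_init(e_acl_denied, -24247);
    -- ORA-31202: DBMS_LDAP client/server error; the message text gives the cause.
    e_ldap_error exception;
    pragma exception_init(e_ldap_error, -31202);
begin
    -- An empty password makes a simple bind unauthenticated (RFC 4513),
    -- so an accepted bind would prove nothing about the account.
    if l_password is null then
        raise_application_error(-20001, 'Refusing to bind with an empty password');
    end if;

    dbms_ldap.use_exception := true;
    l_session := dbms_ldap.init(l_host, l_port);
    begin
        l_result := dbms_ldap.simple_bind_s(
                        ld     => l_session,
                        dn     => l_user,
                        passwd => l_password);
        dbms_output.put_line('Bind accepted, result=' || l_result);
    exception
        when e_ldap_error then
            -- Reported by the LDAP client or the directory during the bind,
            -- for example "Invalid credentials".
            dbms_output.put_line('Bind failed: ' || sqlerrm);
    end;
    -- Release the session whether or not the bind was accepted.
    l_result := dbms_ldap.unbind_s(l_session);
exception
    when e_acl_denied then
        dbms_output.put_line('ACL problem, not a credential problem: ' || sqlerrm);
    when e_ldap_error then
        -- Raised outside the bind call (init or unbind).
        dbms_output.put_line('LDAP session error: ' || sqlerrm);
end;
```

With the settings used in this thread (port 389, No SSL), a simple bind sends the password unencrypted, so a dedicated test account is the safer choice for this check.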
  • 13. Re: LDAP to Active Directory= 'invalid login credentials'
    Rambo79 Newbie
    Hi Tom

    Yes I have run the following which has been set up ok to allow APEX on my PC to connect with the Active Directory server

    DECLARE
        l_acl       VARCHAR2(100) := 'ldapacl.xml';
        l_desc      VARCHAR2(100) := 'LDAP Authentication for domain.co.uk';
        l_principal VARCHAR2(30)  := 'APEX_040100'; -- upper case
        l_host      VARCHAR2(100) := 'adservername.domain.co.uk';
    BEGIN
        -- Create the new ACL.
        -- Also, provide one starter privilege, granting the schema the privilege to connect.
        dbms_network_acl_admin.create_acl(l_acl, l_desc, l_principal, TRUE, 'connect');

        -- Now grant privilege to resolve DNS names.
        dbms_network_acl_admin.add_privilege(l_acl, l_principal, TRUE, 'resolve');

        -- Specify which hosts this ACL applies to.
        dbms_network_acl_admin.assign_acl(l_acl, l_host);

        COMMIT;
    END;

    But when trying to run

    BEGIN
        DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
            acl       => 'ldapacl.xml',
            principal => 'APX',
            is_grant  => TRUE,
            privilege => 'connect',
            position  => null);
        COMMIT;
    END;
    /

    I am getting the following error when running this as sysdba

    Error at Line 1:
    ORA-44416: Invalid ACL: Unresolved principal 'APX'
    ORA-06512: at "SYS.DMBS_NETWORK_ACL_ADMIN", line 384
    ORA-06512: at line 2
  • 14. Re: LDAP to Active Directory= 'invalid login credentials'
    Rambo79 Newbie
    UPDATE

    Run the command as SYSTEM and it has run ok. I tried the username used to get into my workspace but this brought back the same error as I mentioned at the bottom of the thread above


    When running the SQL in SQL Workshop as described I am getting the following error message

    ORA-24247: network access denied by access control list (ACL)

    Edited by: Rambo79 on 13-Nov-2012 06:40
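
An added example, not from the thread: ORA-24247 means the schema that executed the block has no `connect` grant on an ACL assigned to the target host, so listing the grants shows which principal is missing. The host name is a placeholder, and the second query relies on `apex_applications.owner` being the application's parsing schema.

```sql
-- Run as a DBA: every ACL that covers the AD host (placeholder name) and the
-- principals it grants, most specific host assignment first.
select a.host,
       a.lower_port,
       a.upper_port,
       a.acl,
       p.principal,      -- stored case-sensitively, e.g. APEX_040100
       p.privilege,      -- 'connect' or 'resolve'
       p.is_grant
from   dba_network_acls a
join   dba_network_acl_privileges p
       on p.aclid = a.aclid
where  a.host in (select *
                  from table(dbms_network_acl_utils.domains('adservername.domain.co.uk')))
order  by dbms_network_acl_utils.domain_level(a.host) desc,
          a.acl, p.principal, p.privilege;

-- Run in SQL Workshop: the parsing schema (OWNER) of each application in the
-- workspace. That is the name to look for in the PRINCIPAL column above when
-- the bind test is run from SQL Commands.
select application_id, application_name, owner
from   apex_applications
order  by application_id;
```

If the first query returns no row for the parsing schema with privilege `connect`, the ACL, not the AD password, is what blocks the test.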