37 Replies, latest reply: Feb 18, 2013 5:03 PM by 703377

    LDAP to Active Directory= 'invalid login credentials'

    Rambo79
      Hi

      I am looking at setting up Active Directory authentication in APEX, so I am changing the authentication scheme to LDAP Directory

      I have completed the host, port, NO SSL, etc under the settings tab

      Host : ip address of ad server
      Port : 389
      Use SSL: No SSL
      Distinguished Name (DN) String : domain\%LDAP_USER%
      Use Exact Distinguished Name (DN) : Yes

      However when trying to run the application and entering my details it keeps bringing back 'invalid login credentials'

      What steps have I missed out?

      I have come across the following code on another thread but where would this go in PL/SQL code?

      DECLARE
        vSession DBMS_LDAP.session;
        vResult  PLS_INTEGER;
      BEGIN
        DBMS_LDAP.use_exception := TRUE;
        vSession := DBMS_LDAP.init
                    ( hostname => 'CREDPWY01SDCG01'
                    , portnum  => 389
                    );
        vResult := DBMS_LDAP.simple_bind_s
                   ( ld     => vSession
                   , dn     => 'CN=<username>,dc=credit,dc=com'
                   , passwd => NULL
                   );
        DBMS_Output.put_line('User authenticated!');
        vResult := DBMS_LDAP.unbind_s(vSession);
      END;
      /

      I am not able to authenticate at all when using apex_ldap, regardless of whether I pass NULL for the password or use the real password.

      BEGIN
        IF APEX_LDAP.authenticate
           ( p_username    => '<username>'
           , p_password    => NULL
           , p_search_base => 'dc=credit,dc=com'
           , p_host        => 'CREDPWY01SDCG01'
           , p_port        => 389
           )
        THEN
          DBMS_Output.put_line('ok');
        ELSE
          DBMS_Output.put_line('not ok');
        END IF;
      END;
      /

      Edited by: Rambo79 on 05-Nov-2012 03:44
        • 1. Re: LDAP to Active Directory= 'invalid login credentials'
          Christian Neumueller
          Hi Rambo79,

          Which version of Apex and Oracle are you using? Did you follow the post-installation docs about ACLs?

          Regards,
          Christian
          • 2. Re: LDAP to Active Directory= 'invalid login credentials'
            Rambo79
            Hi

             I am using Application Express 4.1.1.00.23 locally along with the built-in Oracle DB. Yes, I followed the post-installation docs about ACLs.
            • 3. Re: LDAP to Active Directory= 'invalid login credentials'
              Rambo79
              Hi Christian

               Using the LDAP test tool in APEX I am entering the following, which is the correct info, but it keeps returning Authentication failed!

              LDAP Host: my hostname / also tried the IP address of the AD server
              Port: 389
              Use SSL: No SSL
              Use Exact DN: domain\%LDAP_USER%

              Under the credentials fields I am using my login details to Active Directory that I use to log into the network each day
              • 4. Re: LDAP to Active Directory= 'invalid login credentials'
                742417
                What errors are you getting when you do the simple bind?
                See if this helps in any way: http://ruepprich.wordpress.com/2012/11/02/ldap-authentication-with-apex

                Edited by: Christoph on Nov 6, 2012 7:51 AM
                • 5. Re: LDAP to Active Directory= 'invalid login credentials'
                  Christian Neumueller
                  Hi Rambo79,

                  The following snippet can be used to test LDAP authentication in SQL Commands:
                  declare
                      l_host varchar2(80)     := 'localhost';
                      l_port number           := 389;
                      l_user varchar2(80)     := 'cn=johndoe,ou=people,dc=example,dc=com';
                      l_password varchar2(80) := 'john';
                      --
                      l_session dbms_ldap.session;
                      l_result pls_integer;
                  begin
                      dbms_ldap.use_exception := true;
                      l_session := dbms_ldap.init(l_host, l_port);
                      l_result  := dbms_ldap.simple_bind_s (
                                       ld     => l_session,
                                       dn     => l_user,
                                       passwd => l_password );
                      dbms_output.put_line('result='||l_result);
                      l_result  := dbms_ldap.unbind_s(l_session);
                  end;
                  /
                  You'll have to enter your connection and login credentials, of course.

                  Regards,
                  Christian
                  • 6. Re: LDAP to Active Directory= 'invalid login credentials'
                    Rambo79
                    Hi Christian

                    As outlined in the following post
                    http://ruepprich.wordpress.com/2012/11/02/ldap-authentication-with-apex/

                    In SQL*Plus as SYSDBA on my local install of APEX (which is on the AD network)

                    I ran the following code at the bottom of this thread but I am getting the error shown below

                    Error at Line 1:
                    ORA-44416: INVALID ACL: unresolved principle 'apex_040100'
                    ORA-06512: at "SYS.DBMS_NETWORK_ACL_ADMIN", line 252
                    ORA-06512: at line 9


                    DECLARE
                      l_acl       VARCHAR2(100) := 'ldapacl.xml';
                      l_desc      VARCHAR2(100) := 'LDAP Authentication for myadservername.mydomain';
                      l_principal VARCHAR2(30)  := 'apex_040100';
                      l_host      VARCHAR2(100) := 'myadservername.mydomain';
                    BEGIN
                      -- Create the new ACL.
                      -- Also, provide one starter privilege, granting the schema the privilege to connect.
                      dbms_network_acl_admin.create_acl(l_acl, l_desc, l_principal, TRUE, 'connect');

                      -- Now grant privilege to resolve DNS names.
                      dbms_network_acl_admin.add_privilege(l_acl, l_principal, TRUE, 'resolve');

                      -- Specify which hosts this ACL applies to.
                      dbms_network_acl_admin.assign_acl(l_acl, l_host);

                      COMMIT;
                    END;
                    /
                    • 7. Re: LDAP to Active Directory= 'invalid login credentials'
                      Christian Neumueller
                      Hi Rambo79,

                      Please check the installation docs about ACLs again: http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21673/otn_install.htm#BEHHJJIH

                      I think the l_principal value has to be uppercase.

                      Regards,
                      Christian
                      • 8. Re: LDAP to Active Directory= 'invalid login credentials'
                        742417
                        Christian is correct; the principal needs to be upper case.
                        I made the correction in my blog post.

                        Christoph
                        • 9. Re: LDAP to Active Directory= 'invalid login credentials'
                          Rambo79
                          Hi

                          I have changed it to uppercase and the script has run, so again many thanks

                          Still can't log in however - getting invalid login credentials?

                          Under settings I am using

                          Host: nameofmyadserver.domain.co.uk
                          Port: 389
                          Use SSL: NO SSL
                          DN String: domain.co.uk\%LDAP_USER%
                          Use DN: Yes

                          Do I need to set anything else?

                          Edited by: Rambo79 on 08-Nov-2012 04:19
                          • 10. Re: LDAP to Active Directory= 'invalid login credentials'
                            742417
                            In the DN string try (omit co.uk):

                            domain\%LDAP_USER%
                            • 11. Re: LDAP to Active Directory= 'invalid login credentials'
                              Rambo79
                              Hi

                              Just tried it without the .co.uk in the DN String but I am still getting the Invalid Login Credentials when trying to log in?

                               Are there any tests I can run to make sure that the Oracle APEX server can communicate with the AD server, as all of the credentials I am entering are correct?
                              • 12. Re: LDAP to Active Directory= 'invalid login credentials'
                                Tom Petrus
                                Hopefully you did remove the unresolved principal from your ACL ('apex_040100' instead of 'APEX_040100'). If you haven't, go to the docs linked by Christian to find the cleanup code. Or drop the whole ACL and just recreate it from scratch.

                                I think that running the test code with simple bind in SQL Workshop requires the schema user to have connect rights, so first add your application's parsing schema to the LDAP ACL (e.g. here I add user APX to the ad_ldap.xml ACL) (and of course, this has to be done as SYS):
                                BEGIN
                                  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
                                    acl       => 'ad_ldap.xml',
                                    principal => 'APX',
                                    is_grant  => TRUE,
                                    privilege => 'connect',
                                    position  => null);
                                  COMMIT;
                                END;
                                /
                                Then go to the SQL workshop, and select the parsing schema of the application you are trying to use the authentication in. Run this code with the required alterations.
                                For l_user, try with both the shorthand string and a full DN string. For example, 'DOMAIN\johnd' and 'cn=johndoe,ou=people,dc=example,dc=com'.
                                declare
                                    l_host varchar2(80)     := 'localhost';
                                    l_port number           := 389;
                                    l_user varchar2(80)     := 'cn=johndoe,ou=people,dc=example,dc=com';
                                    l_password varchar2(80) := 'john';
                                    --
                                    l_session dbms_ldap.session;
                                    l_result pls_integer;
                                begin
                                    dbms_ldap.use_exception := true;
                                    l_session := dbms_ldap.init(l_host, l_port);
                                    l_result  := dbms_ldap.simple_bind_s (
                                                     ld     => l_session,
                                                     dn     => l_user,
                                                     passwd => l_password );
                                    dbms_output.put_line('result='||l_result);
                                    l_result  := dbms_ldap.unbind_s(l_session);
                                end;
                                See what that gives you as output or error.
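A hardened form of the bind test above, added here as an example rather than code from the thread: it refuses an empty password (Active Directory treats a simple bind with an empty password as an anonymous bind, so simple_bind_s would report success for any user), always releases the session, and maps ORA-24247 and ORA-31202 to their likely cause. The host is the one from this thread; DOMAIN\johnd and the password are placeholders.

```plsql
-- Added example (not from the thread). Run in SQL Workshop as the parsing schema.
create or replace function ad_simple_bind_test (
    p_host     in varchar2,
    p_port     in pls_integer,
    p_bind_id  in varchar2,   -- 'DOMAIN\johnd', 'johnd@domain.co.uk' or a full DN
    p_password in varchar2
) return varchar2
is
    l_session dbms_ldap.session;
    l_result  pls_integer;
begin
    -- An empty password turns the simple bind into an anonymous bind, which AD
    -- accepts for any identity, so the bind would "succeed". Refuse it up front.
    if p_password is null then
        return 'REJECTED: empty password would be an anonymous bind';
    end if;

    dbms_ldap.use_exception := true;
    -- ORA-24247 (network ACL) surfaces from init or the bind when the schema
    -- running this block has no 'connect' privilege for p_host.
    l_session := dbms_ldap.init(hostname => p_host, portnum => p_port);
    -- ORA-31202 (DBMS_LDAP client/server error) surfaces here on bad credentials.
    l_result  := dbms_ldap.simple_bind_s(ld     => l_session,
                                         dn     => p_bind_id,
                                         passwd => p_password);
    l_result  := dbms_ldap.unbind_s(l_session);
    return 'OK: bind succeeded as ' || p_bind_id;
exception
    when others then
        -- Release the session if one was opened, then classify the failure.
        if l_session is not null then
            begin
                l_result := dbms_ldap.unbind_s(l_session);
            exception
                when others then null;
            end;
        end if;
        if sqlcode = -24247 then
            return 'ACL: ' || sqlerrm;    -- fix the network ACL, not the credentials
        elsif sqlcode = -31202 then
            return 'LDAP: ' || sqlerrm;   -- e.g. invalid credentials or wrong bind form
        else
            return 'OTHER: ' || sqlerrm;
        end if;
end;
/

-- Usage: try the short form, the UPN and the full DN in turn, as Tom suggests.
begin
    dbms_output.put_line(ad_simple_bind_test('adservername.domain.co.uk', 389, 'DOMAIN\johnd', 'secret'));
    dbms_output.put_line(ad_simple_bind_test('adservername.domain.co.uk', 389, 'DOMAIN\johnd', null));
end;
/
```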
                                • 13. Re: LDAP to Active Directory= 'invalid login credentials'
                                  Rambo79
                                  Hi Tom

                                  Yes I have run the following which has been set up ok to allow APEX on my PC to connect with the Active Directory server

                                  DECLARE
                                    l_acl       VARCHAR2(100) := 'ldapacl.xml';
                                    l_desc      VARCHAR2(100) := 'LDAP Authentication for domain.co.uk';
                                    l_principal VARCHAR2(30)  := 'APEX_040100'; -- upper case
                                    l_host      VARCHAR2(100) := 'adservername.domain.co.uk';
                                  BEGIN
                                    -- Create the new ACL.
                                    -- Also, provide one starter privilege, granting the schema the privilege to connect.
                                    dbms_network_acl_admin.create_acl(l_acl, l_desc, l_principal, TRUE, 'connect');

                                    -- Now grant privilege to resolve DNS names.
                                    dbms_network_acl_admin.add_privilege(l_acl, l_principal, TRUE, 'resolve');

                                    -- Specify which hosts this ACL applies to.
                                    dbms_network_acl_admin.assign_acl(l_acl, l_host);

                                    COMMIT;
                                  END;
                                  /

                                  But when trying to run

                                  BEGIN
                                    DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE (
                                      acl       => 'ldapacl.xml',
                                      principal => 'APX',
                                      is_grant  => TRUE,
                                      privilege => 'connect',
                                      position  => null);
                                    COMMIT;
                                  END;
                                  /

                                  I am getting the following error when running this as sysdba

                                  Error at Line 1:
                                  ORA-44416: Invalid ACL: Unresolved principal 'APX'
                                  ORA-06512: at "SYS.DMBS_NETWORK_ACL_ADMIN", line 384
                                  ORA-06512: at line 2
                                  • 14. Re: LDAP to Active Directory= 'invalid login credentials'
                                    Rambo79
                                    UPDATE

                                    Ran the command as SYSTEM and it ran OK. I tried the username used to get into my workspace, but this brought back the same error as I mentioned at the bottom of the thread above.


                                    When running the SQL in SQL Workshop as described I am getting the following error message

                                    ORA-24247: network access denied by access control list (ACL)

                                    Edited by: Rambo79 on 13-Nov-2012 06:40
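To narrow down an ORA-24247 from SQL Workshop, this added diagnostic block (not code from the thread) lists the ACL's host assignments and checks the 'connect' privilege for both the APEX engine schema and the parsing schema using DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE; the ACL name and host are the ones used in this thread, and APX is Tom's placeholder for the parsing schema. It assumes Oracle 11g, where CHECK_PRIVILEGE and the DBA_NETWORK_ACLS view exist, and must run as SYS or SYSTEM.

```plsql
-- Added example (not from the thread). Run as SYS or SYSTEM with serveroutput on.
declare
    l_acl        varchar2(100) := 'ldapacl.xml';   -- stored as /sys/acls/ldapacl.xml
    l_host       varchar2(100) := 'adservername.domain.co.uk';
    l_port       pls_integer   := 389;
    -- APEX_040100 is the APEX 4.1 engine schema; APX is the placeholder parsing schema.
    l_principals sys.odcivarchar2list := sys.odcivarchar2list('APEX_040100', 'APX');
    l_granted    number;
    l_assigned   boolean := false;
begin
    -- 1. Host/port assignments. A null port range means the ACL covers every port on that host.
    for r in (select host, lower_port, upper_port
                from dba_network_acls
               where acl = '/sys/acls/' || l_acl) loop
        l_assigned := true;
        dbms_output.put_line('assigned to ' || r.host || ' ports '
            || nvl(to_char(r.lower_port), 'any') || '-' || nvl(to_char(r.upper_port), 'any'));
    end loop;
    if not l_assigned then
        dbms_output.put_line('ACL ' || l_acl || ' is not assigned to any host: expect ORA-24247');
    end if;

    -- 2. Every schema that opens the LDAP connection (the APEX engine schema for the
    --    authentication scheme, the parsing schema for tests in SQL Workshop) needs
    --    'connect'. Principals are matched case-sensitively against DBA_USERS, which is
    --    why the lower-case 'apex_040100' earlier in the thread raised ORA-44416.
    for i in 1 .. l_principals.count loop
        l_granted := dbms_network_acl_admin.check_privilege(l_acl, l_principals(i), 'connect');
        dbms_output.put_line(l_principals(i) || ' connect: '
            || case l_granted when 1 then 'granted'
                              when 0 then 'denied'
                              else 'no entry (expect ORA-24247 from this schema)' end);
    end loop;

    -- 3. Least privilege: the thread assigns the ACL to the host for all ports.
    --    Narrowing it to the LDAP port limits what the granted schemas can reach.
    --    Uncomment once the output above looks right:
    -- dbms_network_acl_admin.unassign_acl(acl => l_acl, host => l_host);
    -- dbms_network_acl_admin.assign_acl(acl => l_acl, host => l_host,
    --                                   lower_port => l_port, upper_port => l_port);
    -- commit;
end;
/
```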