7 Replies Latest reply: Feb 14, 2013 7:34 AM by snmdla

read application item from LDAP

snmdla Explorer
We are using OpenLDAP authorization. The configuration data resides in the APEX authorization definition.

Now my question: should it be feasible to read further attributes from the user logging in, without the need to redundantly define host, base dn etc. on page level?

I imagine an LDAP authorization that gives me back more than only the APP_USER.

Comments welcome.

Tom
  • 1. Re: read application item from LDAP
    adrianp Newbie
    Hi Tom,

    I published an LDAP authorization plugin (http://www.apex-plugin.com/oracle-apex-plugins/authorization-plugin/ldap-group-authorization_244.html) not too long ago. The host/port configuration is something I might have made application versus component attributes but decided otherwise. And the reason for that was to give users the flexibility to use different LDAP hosts per authorization scheme. What I haven't recommended in my documentation though, is to use substitution strings to set an application-wide setting for these standard values.

    HTH.

    Best regards,
    Adrian
  • 2. Re: read application item from LDAP
    snmdla Explorer
    Thanks. The issue is that when the login and authentication occur, I have the username and password ready.

    When I need another attribute (e.g. mail address), I need to do a lot of programming, and I need to authenticate against the LDAP directory again, needing the password from the user, which is no longer available from the login screen.

    Any hints on simplifying this?

    Thanks, Tom
  • 3. Re: read application item from LDAP
    Tom Petrus Expert
    The user and password are still available in the post-authentication part of the authentication. You could fetch more values here into application items without having to prompt the user for credentials again. If you do need to connect at a later point then you're out of luck really, since the password is blanked out after the authentication.

    I implemented a solution before where I connected to the LDAP directory in post-authentication to retrieve the user's groups: {message:id=10197833}
    I'm also not sure, since I haven't tried it yet, but you could probably use the apex_ldap package to reduce the amount of code.
  • 4. Re: read application item from LDAP
    snmdla Explorer
    Tom, sounds very promising. Will try ASAP.

    But, at last, the password will be lost after leaving the login dialogue, and when I further want to do LDAP-based authorization, would I need to fetch and process all required group structures (answering the "is user A member of group B?" type of question) at that point, too?

    Thanks and regards, Tom
  • 5. Re: read application item from LDAP
    Tom Petrus Expert
    No. Once you have retrieved the user's groups (for example) and stored those in an application item, then you'd not need to connect to the LDAP directory again afterwards. You can create authorization schemes which check the groups in the application item rather than connect to LDAP.
  • 6. Re: read application item from LDAP
    adrianp Newbie
    Does your LDAP server require authentication before you can query the directory? If so, I'm wondering if creating and using an LDAP proxy user might help. There are functions in APEX_LDAP that you could use to get the user's attributes, but again, I do believe this package won't work for you if subtree searching is needed. If so, then you'll need to use DBMS_LDAP.
  • 7. Re: read application item from LDAP
    snmdla Explorer
    Following the hints of Tom in this discussion (https://forums.oracle.com/forums/thread.jspa?threadID=2336146) we implemented reading further attributes from LDAP during the post-authentication process.

    We adapted Tom's code to read groups in our posixgroup structure, and we implemented reading another (single-valued) attribute.

    I'm not yet completely happy with the code, as we cannot utilize settings like the LDAP server's host name and port from the LDAP Authentication plugin being utilized, but the code does what it should do.

    Thanks for all contributions.
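The approach the thread converges on (reply 3: fetch extra attributes in the post-authentication procedure and keep them in application items; reply 5: let authorization schemes check the stored groups instead of re-connecting; reply 6: bind with a read-only proxy user so the user's password is never needed again; reply 7: posixGroup membership plus one single-valued attribute) can be put together in one DBMS_LDAP package. The following is an added example written for this page; it is not code from the thread, from Tom's linked post, or from the plugin Adrian mentions. It assumes two application items named LDAP_GROUPS and LDAP_MAIL exist, that the directory lets a proxy account search the base DN, and that host, port, base DN and proxy credentials are placeholders you replace (host and port still have to be duplicated here, as reply 7 notes, because the authentication plugin's own settings are not readable from a package). The search filters escape the login name (RFC 4515) so a crafted username cannot change the query, and the group string is delimiter-wrapped so a substring of a group name does not pass the check.

```plsql
-- Added example (not from the thread or any plugin it mentions). Assumes
-- application items LDAP_GROUPS and LDAP_MAIL exist; placeholder settings below.
CREATE OR REPLACE PACKAGE ldap_post_auth AS
  PROCEDURE load_user_attributes;                              -- Post-Authentication Procedure
  FUNCTION  is_member_of(p_group IN VARCHAR2) RETURN BOOLEAN;  -- for an authorization scheme
END ldap_post_auth;
/
CREATE OR REPLACE PACKAGE BODY ldap_post_auth AS
  -- Placeholders: keep the proxy password out of source in a real deployment
  -- (e.g. a restricted configuration table); the proxy account should be read-only.
  c_host     CONSTANT VARCHAR2(100) := 'ldap.example.com';
  c_port     CONSTANT PLS_INTEGER   := 389;
  c_base_dn  CONSTANT VARCHAR2(200) := 'dc=example,dc=com';
  c_proxy_dn CONSTANT VARCHAR2(200) := 'cn=apex-reader,ou=services,dc=example,dc=com';
  c_proxy_pw CONSTANT VARCHAR2(100) := '<proxy-password-placeholder>';

  -- RFC 4515 filter escaping: a login name must not be able to rewrite the search filter
  FUNCTION escape_filter(p_value IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(p_value,
             '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), CHR(0), '\00');
  END escape_filter;

  -- Subtree search under the base DN; returns every value of p_attr over all matching entries
  FUNCTION collect_attr(p_ld IN DBMS_LDAP.session, p_filter IN VARCHAR2, p_attr IN VARCHAR2)
    RETURN DBMS_LDAP.string_collection IS
    l_attrs DBMS_LDAP.string_collection;
    l_vals  DBMS_LDAP.string_collection;
    l_out   DBMS_LDAP.string_collection;
    l_res   DBMS_LDAP.message;
    l_entry DBMS_LDAP.message;
    l_rc    PLS_INTEGER;
  BEGIN
    l_attrs(1) := p_attr;
    l_rc := DBMS_LDAP.search_s(p_ld, c_base_dn, DBMS_LDAP.SCOPE_SUBTREE, p_filter, l_attrs, 0, l_res);
    l_entry := DBMS_LDAP.first_entry(p_ld, l_res);
    WHILE l_entry IS NOT NULL LOOP
      l_vals := DBMS_LDAP.get_values(p_ld, l_entry, p_attr);
      IF l_vals.COUNT > 0 THEN
        FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
          l_out(l_out.COUNT + 1) := l_vals(i);
        END LOOP;
      END IF;
      l_entry := DBMS_LDAP.next_entry(p_ld, l_entry);
    END LOOP;
    RETURN l_out;
  END collect_attr;

  PROCEDURE load_user_attributes IS
    l_ld     DBMS_LDAP.session;
    l_rc     PLS_INTEGER;
    l_uid    VARCHAR2(200) := escape_filter(LOWER(v('APP_USER')));  -- set by the time post-auth runs
    l_names  DBMS_LDAP.string_collection;
    l_mail   DBMS_LDAP.string_collection;
    l_groups VARCHAR2(4000);
  BEGIN
    DBMS_LDAP.use_exception := TRUE;                  -- raise on LDAP errors instead of return codes
    l_ld := DBMS_LDAP.init(c_host, c_port);
    l_rc := DBMS_LDAP.simple_bind_s(l_ld, c_proxy_dn, c_proxy_pw);  -- proxy bind, no user password

    -- posixGroup membership: every group whose memberUid lists this login, stored as ':g1:g2:'
    l_names := collect_attr(l_ld, '(&(objectClass=posixGroup)(memberUid=' || l_uid || '))', 'cn');
    IF l_names.COUNT > 0 THEN
      FOR i IN l_names.FIRST .. l_names.LAST LOOP
        l_groups := l_groups || ':' || l_names(i);
      END LOOP;
      l_groups := l_groups || ':';
    END IF;

    -- one single-valued attribute from the user's own entry
    l_mail := collect_attr(l_ld, '(uid=' || l_uid || ')', 'mail');
    l_rc   := DBMS_LDAP.unbind_s(l_ld);

    APEX_UTIL.set_session_state('LDAP_GROUPS', l_groups);
    APEX_UTIL.set_session_state('LDAP_MAIL',
      CASE WHEN l_mail.COUNT > 0 THEN l_mail(l_mail.FIRST) END);
  EXCEPTION
    WHEN OTHERS THEN
      BEGIN l_rc := DBMS_LDAP.unbind_s(l_ld); EXCEPTION WHEN OTHERS THEN NULL; END;
      RAISE;                                          -- fail the login rather than run with empty groups
  END load_user_attributes;

  -- Authorization check against the cached groups; no directory round trip per page view
  FUNCTION is_member_of(p_group IN VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    RETURN INSTR(v('LDAP_GROUPS'), ':' || p_group || ':') > 0;
  END is_member_of;
END ldap_post_auth;
/
```

Name `ldap_post_auth.load_user_attributes` as the Post-Authentication Procedure of the authentication scheme, and create an authorization scheme of type PL/SQL Function Returning Boolean whose body is `RETURN ldap_post_auth.is_member_of('admins');` (the group name is a constructed sample). Because the lookup binds as a proxy account, it works even after APEX has blanked out the user's password, and the groups are read once per session instead of on every page. Port 389 here is plain LDAP; for a production directory, bind over TLS (DBMS_LDAP.open_ssl with a wallet, or an LDAPS port) so the proxy credentials and the attribute values are not sent in clear text.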
