7 Replies | Latest reply: Feb 14, 2013 9:34 AM by snmdla

    read application item from LDAP

    snmdla
      We are using OpenLDAP authorization. The configuration data resides in the APEX authorization definition.

      Now my question: should it be feasible to read further attributes from the user logging in, without the need to redundantly define host, base dn etc. on page level?

      I imagine a LDAP authorization that gives me back more than only the APP_USER.

      Comments welcome.

      Tom
        • 1. Re: read application item from LDAP
          adrianp
          Hi Tom,

          I published an LDAP authorization plugin (http://www.apex-plugin.com/oracle-apex-plugins/authorization-plugin/ldap-group-authorization_244.html) not too long ago. The host/port configuration is something I might have made application versus component attributes but decided otherwise. And the reason for that was to give users the flexibility to use different LDAP hosts per authorization scheme. What I haven't recommended in my documentation though, is to use substitution strings to set an application-wide setting for these standard values.

          HTH.

          Best regards,
          Adrian
          • 2. Re: read application item from LDAP
            snmdla
            Thanks. The issue is that when the login and authentication occur, I have the username and password ready.

            When I need another attribute (e.g. mail address), I need to do a lot of programming, and I need to authenticate against the LDAP directory again, needing the password from the user, which is no longer available from the login screen.

            Any hints on simplifying this?

            Thanks, Tom
            • 3. Re: read application item from LDAP
              Tom Petrus
              The user and password are still available in the post-authentication part of the authentication. You could fetch more values here into application items without having to prompt the user for credentials again. If you do need to connect at a later point then you're out of luck really, since the password is blanked out after the authentication.

              I implemented a solution before where I connected to the LDAP directory in post-authentication to retrieve the user's groups: (see message id 10197833)
              I'm also not sure since I haven't tried yet, but you could probably use the apex_ldap package to reduce the amount of code.
              • 4. Re: read application item from LDAP
                snmdla
                Tom, sounds very promising. Will try ASAP.

                But, at last, the password will be lost after leaving the login dialogue, and when I further want to do LDAP-based authorization, would I need to fetch and process all required group structures (answering the "is user A member of group B?" type of question) at that point, too?

                Thanks and regards, Tom
                • 5. Re: read application item from LDAP
                  Tom Petrus
                  No. Once you have retrieved the user's groups (for example) and stored those in an application item, then you'd not need to connect to the LDAP directory again afterwards. You can create authorization schemes which check the groups in the application item rather than connect to LDAP.
                  • 6. Re: read application item from LDAP
                    adrianp
                    Does your LDAP server require authentication before you can query the directory? If so, I'm wondering if creating and using a LDAP proxy user might help. There are functions in APEX_LDAP that you could use to get the user's attributes, but again, I do believe this package won't work for you if subtree searching is needed. If so, then you'll need to use DBMS_LDAP.
                    • 7. Re: read application item from LDAP
                      snmdla
                      Following the hints of Tom in this discussion (https://forums.oracle.com/forums/thread.jspa?threadID=2336146) we implemented reading further attributes from LDAP during the post-authentication process.

                      We adapted Tom's code to read groups in our posixGroup structure, and we implemented reading another (single-valued) attribute.

                      I'm not yet completely happy with the code, as we cannot utilize settings like the LDAP server's host name and port from the LDAP Authentication plugin being utilized, but the code does what it should do.

                      Thanks for all contributions.
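As an added illustration (not code from this thread, nor from APEX or the plugin linked above), here is a post-authentication procedure in the shape Tom Petrus describes in replies 3 and 5 and the original poster reports implementing in reply 7: it binds with the credentials that are still available at that point, reads posixGroup membership and one single-valued attribute, and stores both in application items so that later authorization schemes never need the password again. The host, port and base DN, the application items LDAP_GROUPS and USER_MAIL, and reading the password from P101_PASSWORD are all assumptions.

```plsql
-- Assumed: registered as the scheme's Post-Authentication Procedure Name; application
-- items LDAP_GROUPS and USER_MAIL exist; host/base DN are placeholders; P101_PASSWORD still holds the password here.
create or replace procedure ldap_post_auth
is
  c_host   constant varchar2(255)  := 'ldap.example.com';   -- placeholder
  c_port   constant pls_integer    := 389;                  -- placeholder
  c_base   constant varchar2(255)  := 'dc=example,dc=com';  -- placeholder
  l_uid    constant varchar2(255)  := v('APP_USER');
  l_pwd    constant varchar2(4000) := v('P101_PASSWORD');   -- assumption: login page item
  l_ld     dbms_ldap.session;
  l_res    dbms_ldap.message;  l_entry dbms_ldap.message;
  l_attrs  dbms_ldap.string_collection;  l_vals dbms_ldap.string_collection;
  l_groups varchar2(4000) := ':';   -- stored as ':g1:g2:' so a later instr() test is exact
  l_mail   varchar2(4000);
  l_rc     pls_integer;
  -- RFC 4515 escaping: the user name must not be able to rewrite the search filter
  function esc_filter(p varchar2) return varchar2 is begin
    return replace(replace(replace(replace(p, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'); end;
  -- RFC 4514 escaping for the same value when it is placed inside a DN
  function esc_dn(p varchar2) return varchar2 is begin
    return regexp_replace(p, '([,+"<>;=\\])', '\\\1'); end;
begin
  dbms_ldap.use_exception := true;   -- errors raise, so a failed lookup fails the login (fail closed)
  l_ld := dbms_ldap.init(c_host, c_port);
  -- Bind as the user who just logged in: the credentials are still available here, not later.
  l_rc := dbms_ldap.simple_bind_s(l_ld, 'uid=' || esc_dn(l_uid) || ',ou=people,' || c_base, l_pwd);
  -- 1) posixGroup membership: every group whose memberUid lists this user
  l_attrs(1) := 'cn';
  l_rc := dbms_ldap.search_s(l_ld, 'ou=groups,' || c_base, dbms_ldap.scope_subtree,
            '(&(objectClass=posixGroup)(memberUid=' || esc_filter(l_uid) || '))', l_attrs, 0, l_res);
  l_entry := dbms_ldap.first_entry(l_ld, l_res);
  while l_entry is not null loop
    l_vals := dbms_ldap.get_values(l_ld, l_entry, 'cn');
    if l_vals.count > 0 then l_groups := l_groups || l_vals(l_vals.first) || ':'; end if;
    l_entry := dbms_ldap.next_entry(l_ld, l_entry);
  end loop;
  -- 2) a single-valued attribute (mail) from the user's own entry
  l_attrs(1) := 'mail';
  l_rc := dbms_ldap.search_s(l_ld, 'ou=people,' || c_base, dbms_ldap.scope_onelevel,
            '(uid=' || esc_filter(l_uid) || ')', l_attrs, 0, l_res);
  l_entry := dbms_ldap.first_entry(l_ld, l_res);
  if l_entry is not null then
    l_vals := dbms_ldap.get_values(l_ld, l_entry, 'mail');
    if l_vals.count > 0 then l_mail := l_vals(l_vals.first); end if;
  end if;
  l_rc := dbms_ldap.unbind_s(l_ld);
  -- Stored once per session; authorization schemes then test these items instead of re-binding,
  -- e.g. a "PL/SQL Function Returning Boolean" of: return instr(v('LDAP_GROUPS'), ':admins:') > 0;
  apex_util.set_session_state('LDAP_GROUPS', l_groups);
  apex_util.set_session_state('USER_MAIL', l_mail);
end ldap_post_auth;
```

Because `use_exception` is on, any bind or search failure raises and the login does not complete, which is preferable to a session that carries an empty group list.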