12 Replies Latest reply on Apr 27, 2013 7:32 AM by Maahjoor

    LDAP Authentication for apex 4.2

      Dear all,

      i search internet, and the forums also for LDAP authentication.
      i am not blaming that they were not accurate or thorough.
      i am beginner in apex, and got failed configuring it for LDAP authentication.
      i am using apex 4.2, with oracle database 11g R2 on windows server 2008 64 bit.

      kindly help me.

        • 1. Re: LDAP Authentication for apex 4.2
          i have done the following steps
          Navigate to Application Builder home page
          Select the desired application
          Click the Shared Components icon 
          Under Application, click authincation scheme
          Select the Security tab and then the Authentication icon. 
          Click Create Scheme. 
          Under Create Scheme, select Based on a pre-configured scheme from the gallery. 
          Under Gallery, select Show Login Page and Use LDAP Directory Credentials. 
          Click Next. 
          Under Specify Login Page, Select Use Built-In Login Page
          Click Next. 
          Distinguished Name (DN) String=cn=%LDAP_USER%,dc=hct,dc=org
          and finally create and make it current,(it was current by default)
          now when i try to logon using my LDAP id like "et04" it failed login.
          how to fix it?
          • 2. Re: LDAP Authentication for apex 4.2

            Is any error messages displayed at the page when failed to login? And check debug for error messages.
            Are you sure that DN string correct?
            • 3. Re: LDAP Authentication for apex 4.2
              then dn string give my by administrator of network
              but he do omit the "l-amer" as mentioned on http://www.oracle.com/technetwork/developer-tools/apex/how-to-ldap-authenticate-099256.html.
              how to debug?
              where to find the error?

              thank you.
              • 4. Re: LDAP Authentication for apex 4.2
                Usually error message displayed at login page, after login attempt failed. In my app its look like:
                ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece...
                Debug mode turns on by "Debug" button on developer toolbar. Then you must do login attempt, then press "View debug" button on developer toolbar.

                Try this script to test ldap connection and authentication:

                  c_ldap_server constant varchar2(100) := '';
                  c_ldap_port   constant integer       := 389;
                  c_ldap_cn     constant varchar2(100) := 'CN=USER1,dc=hct,dc=org';  -- replace USER1 with your login
                  c_pwd         constant varchar2(100) := '1111';    -- enter here user's password
                  l_ldap_session dbms_ldap.SESSION;
                  l_result       integer;
                  l_ldap_session := dbms_ldap.init(
                    hostname => c_ldap_server,
                    portnum => c_ldap_port
                  l_result := dbms_ldap.simple_bind_s(
                    ld => l_ldap_session,
                    dn => c_ldap_cn,
                    passwd => c_pwd
                  dbms_output.put_line('simple_bind_s result: '||dbms_ldap.err2string(l_result));
                  l_result := DBMS_LDAP.unbind_s(l_ldap_session);
                • 5. Re: LDAP Authentication for apex 4.2
                  Tom Petrus
                  Also, did you provide network access to the LDAP server ( in your case) through the network ACLs?
                  • 6. Re: LDAP Authentication for apex 4.2
                    Thank you nogot

                    but i tell you at the begginning that i am very new to apex.
                    kindly guide thoroughly,
                    from where and which user i should run the script you provide?
                    Thank you so much.
                    • 7. Re: LDAP Authentication for apex 4.2
                      hi tom,


                      what is Network ACls?

                      • 8. Re: LDAP Authentication for apex 4.2
                        Usually i use developer tools like SQL Developero or TOAD, but if you don't have any tool, run from SQL workshop in APEX.
                        Run it from user, defined as "application parsing schema" in application properties.
                        • 9. Re: LDAP Authentication for apex 4.2

                          i will try to summarize some informations regarding LDAP authentication for you.

                          1. Oracle 11g and ACL
                          With version 11g Oracle implemented a security feature called ACL (Access control lists). The database controls (and restricts) now all network traffic from or to the database. For LDAP-authentication Apex (and so the database) has to create a network connection to the LDAP server. If the ACL's in the database are not configured to allow this, the connection request will be rejected.

                          Here is some PL/SQL-Code to configure the ACL for LDAP requests. You have to change the placeholders (<...>) with values of your environment. The resulting code block has to be executed by a user with DBA privileges!
                                acl =>         'LDAPRequests.xml'
                              when others then null; -- ACL does not exist yet
                            -- Privilege to connect to a host
                              acl =>         'LDAPRequests.xml',
                              description => 'Accessing the local host for creating requests to the LDAP service',
                              principal =>   upper('<Your database schema here>'), -- DB Schema (grantee), most likely the schema that has been assigned to the Apex workspace
                              is_grant =>    true,
                              privilege =>   'connect',
                              start_date  => null, 
                              end_date  =>   null
                            -- Privilege to resolve a hostname (DNS lookup)
                              acl =>         'LDAPRequests.xml',
                              principal =>   upper('<Your database schema here>'), -- DB Schema (grantee), most likely the schema that has been assigned to the Apex workspace
                              is_grant  =>   true,
                              privilege =>   'resolve',
                              start_date  => null, 
                              end_date  =>   null
                            -- Privilege to connect to localhost
                              acl =>         'LDAPRequests.xml',
                              host =>        '<IP or host name of your LDAP server>',
                              lower_port =>  <Port of the LDAP service, most likely 389>,
                              upper_port =>  <Port of the LDAP service, most likely 389>
                          2. Accessing the LDAP
                          What the built-in LDAP authentication schema does, is to try a login with the given credentials. The authentication scheme uses the DBMS_LDAP package and tries a binding by using a code block similar to this
                            v_session DBMS_LDAP.SESSION;
                            v_result PLS_INTEGER;
                            DBMS_LDAP.use_exception => true;
                            v_session := DBMS_LDAP.init(
                                                hostname => '<IP or host name of the LDAP server>',
                                                portnum => 389);
                            v_result := DBMS_LDAP.simple_bind_s(
                                               ld => v_session,
                                               dn => '<The complete distinguished name (DN) containing the username>',
                                               passwd => '<Password string>');
                            v_Result := DBMS_LDAP.unbind_s(v_Session);
                            -- No errors occured? Binding was successful
                          3. Username and DN
                          As you can see in the code block above, you can not directly try the binding with the plain username. Your LDAP server needs some more information where (in the LDAP structure) the user is located. So, you have to build a dn string first.

                          For example, if all LDAP users are located in a directory structure like this OU=Domain Users,DC=de,DC=root,DC=net, then a valid dn string for a user would look like this DN=username,OU=Domain Users,DC=de,DC=root,DC=net.

                          4. Configuration of the Apex built-in authentication schema
                          With this information you should be able to configure the authentication schema. Put in the host, port and dn template string. For the template string take a look in the online help. It is possible to configure an exact dn (if all users are organized in one branche of the LDAP directory) or a base dn. A base dn could be something like this DC=de,DC=root,DC=net. If you set the "Use Distinguished Name" flag to No, the authentication will perform a search for a dn with the given username in all children branches below the base dn before trying the bind.

                          Finally, this is a very basic example of how to use a LDAP server for authentication purpose. But i hope, it helps for the beginning.

                          • 10. Re: LDAP Authentication for apex 4.2
                            Very very thorough reply j.gauger!!

                            thank you so much for that.

                            kindly explain a little step *2:Accessing the LDAP*
                            where should i put this code?
                            i mean, i should execute this code from sqlplus, or i have to include this code somewhere in my apex?

                            step 1,
                             principal =>   upper('<Your database schema here>'),
                            what apex schema? if i am developing appication for HRMS,INVENTORY AND PAYROLL, and each of them has their own schemas, then i have
                            to execute the step 1 once for each schema? kindly explain.
                            thank you so much for such a nice reply.
                            • 11. Re: LDAP Authentication for apex 4.2
                              Hello Maahjoor,

                              the step 2 was just for informational reasons. You don't need to use this code block as long you use the built-in authentication scheme. But if you once decide to write your own custom LDAP authentication schema you will need this. But please skip this for the moment.

                              Regarding step 1:
                              Currently i'm not pretty sure who's the user that invokes the LDAP request if the built-in authentication schema is used. In my case i write my own auth procedures and in this case the user who creates the request is the schema user assigned to the workspace where the application is located in. Could be possible that for the built-in schemas the user "APEX_04xxxx" is used. But i think it ought to be the schema user as well.

                              If you have more than one schema assigned to your workspace, you have to look into your application what the parsing schema is.

                              But you are right. You have to execute the ACL script for each schema then...

                              Regards, Jens
                              • 12. Re: LDAP Authentication for apex 4.2
                                hi gauger,

                                i try to follow the steps you provide.
                                it run successflly from sql plus
                                in the apex, when i set Distinguished Name (DN) String of my APEX_LADAP scheme to
                                CN=et04,OU=ast-technician,OU=staff OU,DC=hct,DC=org 
                                ( whcih i copy from SQLPLUS)
                                it works, but only for my user which is et04.
                                any other user of LDAPc is unable to authinticate.
                                then i meet my network administrator,
                                he set Distinguished Name (DN) String of my APEX_LADAP scheme to
                                cn=%LDAP_USER%,OU=staff OU,DC=hct,DC=org
                                but not working.
                                what is wrong?

                                THANK YOU SO MUCH.