16 Replies Latest reply: May 14, 2013 3:53 AM by MalcA

LDAP authentication via a search of AD

MalcA Explorer
I am using the procedure from Re: authentication of portal users with uid on oid/ldap and it works a treat. Running via Apex SQL Workshop:
....
l_ldap_user := 'cn=John Smith,ou=ABC Users,ou=ABC,dc=abc,dc=corp';
....
results in:
Return value: 0
Statement processed.
0.01 seconds
This is good, but the users don't want to log in using "John Smith", they want to enter their uid "jsmith". I have tried simply substituting the cn= for uid=:
....
l_ldap_user := 'uid=jsmith,ou=ABC Users,ou=ABC,dc=abc,dc=corp';
....
but this results in:
ldap session             : 01000000(returned from init)
error: ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece -31202
user: uid=jsmith,ou=ABC Users,ou=ABC,dc=abc,dc=corp
host: abc.corp
port: 389
The "525" in the above line means "user not found":

52e invalid credentials
525 user not found
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password

I was hoping to just be able to substitute cn= for uid= but it does not work in this case. I may have simply got the uid wrong, but I'm assured it is correct for the username I am using. Any ideas would be appreciated.

regards,
Malcolm.
  • 1. Re: LDAP authentication using uid instead of cn
    Christian Neumueller Expert
    Hi Malcolm,

    the distinguished name in your ldap directory is not a complex search term. You will have to use dbms_ldap.search_st and similar APIs to first find the correct DN and then do a simple_bind_s with that. APEX already provides this functionality, with the built-in LDAP Directory authentication scheme. Maybe you could just use our built-in scheme instead of a custom implementation?

    Regards,
    Christian
  • 2. Re: LDAP authentication using uid instead of cn
    MalcA Explorer
    Hi Christian,

    Many thanks for the quick reply. I should have said - I was only using a procedure to debug why I could not get the built-in scheme to work, and was going to plug the values back into the built-in scheme once I'd got it working in the editor.

    I have put the parameters into the built-in scheme:

    Host: abc.corp
    Port: 389
    Use SSL: No SSL
    Distinguished Name (DN) String: cn=%LDAP_USER%,ou=ABC Users,ou=ABC,dc=abc,dc=corp
    Use Exact Distinguished Name (DN): Yes

    If I enter 'John Smith' in my login page and their password, it works fine. The users want to be able to login with jsmith though, that's what I'm stuck on. I don't understand where and how the mapping from a login name of 'jsmith' to the common name of 'John Smith' takes place. Do I have to say No to using the exact distinguished name?

    regards,
    Malcolm.
  • 3. Re: LDAP authentication using uid instead of cn
    Christian Neumueller Expert
    Hi Malcolm,

    Yes. You can try with

    * Distinguished Name String: ou=ABC Users,ou=ABC,dc=abc,dc=corp
    (the search base)
    * Use Exact Distinguished Name: No
    * Search Filter: uid=%LDAP_USER%

    It often helps to use ldapsearch on the command line, to get these parameters right. E.g.
    $ ldapsearch -x -h ldap.yourcompany.com -b "dc=abc,dc=corp" "(&(ou=ABC)(uid=jsmith))"
    Btw, I'm currently working to bring back the builder LDAP Test page, for APEX 5.

    Regards,
    Christian
  • 4. Re: LDAP authentication using uid instead of cn
    MalcA Explorer
    Hi Christian,

    Good news on bringing back the LDAP test page. Without server access is ldapsearch available to me?

    I have tried:
    Host: abc.corp
    Port: 389
    Use SSL: No SSL
    Distinguished Name (DN) String: ou=ABC Users,ou=ABC,dc=abc,dc=corp
    Use Exact Distinguished Name (DN): No
    Search Filter: uid=%LDAP_SEARCH%

    but it still fails. Maybe I have the uid wrong and it isn't jsmith, but I was sent some weblogic debug yesterday, showing a successful auth:

    DEBUG;[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'];2013-04-23 05:56:09,332;
    org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider - Processing authentication request for user: jsmith

    DEBUG;[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'];2013-04-23 05:56:09,523;
    org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN '', base = 'dc=abc,dc=corp', filter = '(&(objectClass=user)(userPrincipalName={0}))'

    DEBUG;[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'];2013-04-23 05:56:09,524;
    org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: cn=John Smith,ou=ABC Users,ou=ABC,dc=abc,dc=corp

    So have just used the jsmith (it isn't actually jsmith - I have anonymised everything for this post) from that weblogic debug as the uid in the LDAP setup. That is the username they use to login to the network though, and the one they would expect to use in the APEX login page.

    regards,
    Malcolm.
  • 5. Re: LDAP authentication using uid instead of cn
    Christian Neumueller Expert
    Hi Malcolm,

    you should use %LDAP_USER% instead of %LDAP_SEARCH%. The ldapsearch command can be used on clients, but depending on your OS, you will probably have to install additional software.

    The APEX configuration can mimic what you see in these debug logs:

    * DN: dc=abc,dc=corp
    * Exact DN: no
    * Search Filter: (&(objectClass=user)(userPrincipalName=%LDAP_USER%))

    Regards,
    Christian
  • 6. Re: LDAP authentication using uid instead of cn
    MalcA Explorer
    Hi Christian,

    I was using %LDAP_USER% but typed %LDAP_SEARCH% in this post, sorry.

    I still can't get it to work. To summarise:

    Host: abc.corp
    Port: 389
    Use SSL: No SSL
    Distinguished Name (DN) String: cn=%LDAP_USER%,ou=ABC Users,ou=ABC,dc=abc,dc=corp
    Use Exact Distinguished Name (DN): Yes

    Entering 'John Smith' on the login page successfully auths and shows the home page.

    Host: abc.corp
    Port: 389
    Use SSL: No SSL
    Distinguished Name (DN) String: ou=ABC Users,ou=ABC,dc=abc,dc=corp
    Use Exact Distinguished Name (DN): No
    Search Filter: uid=%LDAP_USER%

    or Search Filter: (&(objectClass=user)(userPrincipalName=%LDAP_USER%))

    and entering 'jsmith' on the login page does not authorise.

    regards,
    Malcolm.
  • 7. Re: LDAP authentication using uid instead of cn
    Christian Neumueller Expert
    Hi John,

    at that point you should probably try to find out the correct parameters, either with ldapsearch or by looking them up in that java application's configuration. Please also make sure that the ACL settings allow you to call out from the DB to the LDAP server. If you run the APEX application from within the builder with debug level 9 (available since APEX 4.2), the debug output could give you further information about any LDAP error.

    Regards,
    Christian
  • 8. Re: LDAP authentication using uid instead of cn
    jrimblas Expert
    Coming late into this, but are you sure the attribute name is uid?

    I once had to search for sAMAccountName as the attribute that held the username value.

    My logic was something like:
    1. Search Filter sAMAccountName=%LDAP_USER%
    2. So that I could find "distinguishedName" not "dn"
    3. Now with the distinguishedName I could pass the distinguishedName and password to authenticate.

    Since you're able to reach and find the user with "John Smith" (which I think is the cn), how about you query all the available attributes to verify that uid is what you want (or not). To do this you would do a dbms_ldap.search_s with a search_filter of % I believe. Then loop through the results and print them out.

    Thanks
    -Jorge
  • 9. Re: LDAP authentication using uid instead of cn
    MalcA Explorer
    Hi Christian,
    Please also make sure that the ACL settings allow you to call out from the DB to the LDAP server
    Doesn't the fact that it works using cn= mean the ACL settings are correct?

    When running in debug level 9 I see:

    ldap_authentication_impl p_username=>JSMITH,p_password=>...

    ldap_dn p_string=>JSMITH,p_reserved_chars=>"+,;<=>\,p_escape_non_ascii=>true

    authenticate p_dn=>ou=ABC Users,ou=ABC,dc=abc,dc=corp,p_search_filter=>uid=JSMITH,p_password=>...,p_ldap_host=>abc.corp,p_ldap_port=>389,p_use_ssl=>N,p_use_exact_dn=>N

    ...dbms_ldap.search_s p_dn=>ou=ABC Users,ou=ABC,dc=abc,dc=corp, l_filter=>(uid=JSMITH)

    error:ORA-31202: DBMS_LDAP: LDAP client/server error: Operations error. 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece, backtrace:ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86 ORA-06512: at "SYS.DBMS_LDAP", line 1487 ORA-06512: at "SYS.DBMS_LDAP", line 234 ORA-06512: at "APEX_040200.WWV_FLOW_CUSTOM_AUTH_LDAP", line 71

    Thanks for your help today. I will now have to find out what LDAP is replying with when I'm sending uid. I will update this thread once it is fixed.

    regards,
    Malcolm.

    ps. Thanks Jorge, I'll try that.

    Edited by: MalcA on Apr 24, 2013 2:58 PM
  • 10. Re: LDAP authentication using uid instead of cn
    Christian Neumueller Expert
    Hi Malcolm,

    you are right about the ACL settings.

    Regarding that LDAP error, the search requires that your LDAP server supports anonymous binds with
    sys.dbms_ldap.simple_bind_s(l_session, null, null)
    If it does not and it is not possible to change that configuration, you will have to roll your own authentication scheme, directly based on dbms_ldap.

    Regards,
    Christian
  • 11. Re: LDAP authentication using uid instead of cn
    MalcA Explorer
    I did as Jorge suggested and used dbms_ldap.search_s to retrieve the whole entry for John Smith. The sample code is here: http://docs.oracle.com/cd/B10500_01/network.920/a96577/smplcode.htm#636994 but I needed to put '(&(objectCategory=person)(objectClass=user)(sAMAccountName=jsmith))' as the filter parameter instead of 'objectclass=*' or else I blew the 1000 record retrieval limit.

    That worked - the whole record is shown, and the dn and distinguished name are the same.

    I put sAMAccountName=%LDAP_USER% in the search filter in the built-in LDAP authentication definition, but still could not log in.

    I also have verified an anonymous bind by trying:
    retval := dbms_ldap.simple_bind_s(my_session, null, null);
    and the retval was zero.
  • 12. Re: LDAP authentication using uid instead of cn
    jrimblas Expert
    Ok, so going back to the first entry here, you said that this works.
    l_ldap_user := 'cn=John Smith,ou=ABC Users,ou=ABC,dc=abc,dc=corp';
    Wouldn't then this work:
    l_ldap_user := 'sAMAccountName=jsmith,ou=ABC Users,ou=ABC,dc=abc,dc=corp';
    If it does, then perhaps that's all you need for the APEX LDAP Auth:
    sAMAccountName=%LDAP_USER%,ou=ABC Users,ou=ABC,dc=abc,dc=corp


    Thanks
    -Jorge
  • 13. Re: LDAP authentication using uid instead of cn
    Christian Neumueller Expert
    Hi Malcolm,

    that example uses simple_bind_s with a service account before search_s. Does it still work if you pass null instead of the service account credentials?

    If you are on Active Directory, it may only allow rootDSE searches when not authenticated. See section "Anonymous Queries" here:

    http://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx

    Regards,
    Christian
  • 14. Re: LDAP authentication using uid instead of cn
    MalcA Explorer
    To update the post, this works:
    l_ldap_user := 'cn=John Smith,ou=ABC Users,ou=ABC,dc=abc,dc=corp';
    This doesn't work unfortunately:
    l_ldap_user := 'sAMAccountName=jsmith,ou=ABC Users,ou=ABC,dc=abc,dc=corp';
    The sAMAccountName is correct because I can retrieve it with a search_s (after already authenticating with John Smith). Just checking the parameters for simple_bind_s, the second parameter must match the dn, and of course the second string doesn't.

    I'll keep trying, starting with your initial advice "... use dbms_ldap.search_st and similar APIs to first find the correct DN and then do a simple_bind_s with that".

    regards,
    Malcolm.
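The search-then-bind flow that Christian recommends in reply 1, that Jorge sketches in reply 8 (search on sAMAccountName, take distinguishedName, bind with it) and that Malcolm says he will try in reply 14, written out as one PL/SQL function. This is an added example and is not code from the thread, from APEX or from Oracle; it uses the DBMS_LDAP calls the thread already names (init, simple_bind_s, search_s, count_entries, first_entry, get_dn, msgfree, unbind_s). The host, port and search base are the anonymised values from the thread; the service account DN and its password are assumptions, needed because AD refuses subtree searches on an unauthenticated connection (the "a successful bind must be completed" error in reply 9). The filter escaping is the extra step a practitioner would want: the login name is spliced into an LDAP filter, so it has to be escaped per RFC 4515, which is a different escaping from the DN escaping (RFC 4514, the `"+,;<=>\` characters in the reply 9 debug output) that APEX applies for an exact DN.

```plsql
-- Added example, not code from the thread or from APEX.
-- Assumed: a read-only service account used only for the lookup bind.
create or replace function ldap_search_then_bind (
    p_username in varchar2,          -- what the user typed, e.g. jsmith
    p_password in varchar2,
    p_host     in varchar2   default 'abc.corp',
    p_port     in pls_integer default 389,
    p_base     in varchar2   default 'ou=ABC Users,ou=ABC,dc=abc,dc=corp',
    p_svc_dn   in varchar2   default 'cn=svc_apex_ldap,ou=Service Accounts,dc=abc,dc=corp', -- assumed
    p_svc_pwd  in varchar2   default null                                                  -- assumed
) return boolean
is
    l_session dbms_ldap.session;
    l_retval  pls_integer;
    l_attrs   dbms_ldap.string_collection;
    l_message dbms_ldap.message;
    l_entry   dbms_ldap.message;
    l_count   pls_integer;
    l_filter  varchar2(1024);
    l_user_dn varchar2(1024);
    l_ok      boolean := false;

    -- RFC 4515 escaping for a value placed inside a search filter.
    -- Without it a login name like  jsmith)(|(sAMAccountName=*  rewrites
    -- the filter and matches a different account than the one typed.
    function escape_filter_value (p_value in varchar2) return varchar2 is
    begin
        return replace(replace(replace(replace(replace(p_value,
                   '\', '\5c'),
                   '*', '\2a'),
                   '(', '\28'),
                   ')', '\29'),
                   chr(0), '\00');
    end escape_filter_value;
begin
    -- Reject empty credentials before touching the directory: AD treats a
    -- simple bind with a DN and an empty password as an anonymous bind,
    -- and that bind "succeeds".
    if p_username is null or p_password is null then
        return false;
    end if;

    dbms_ldap.use_exception := true;      -- DBMS_LDAP errors raise ORA-31202
    l_session := dbms_ldap.init(p_host, p_port);

    -- Step 1: bind as the service account (null, null would be the
    -- anonymous bind APEX's built-in scheme relies on, which AD by default
    -- only allows for rootDSE reads).
    l_retval := dbms_ldap.simple_bind_s(l_session, p_svc_dn, p_svc_pwd);

    -- Step 2: look up the DN of the entry whose logon name matches.
    l_filter := '(&(objectCategory=person)(objectClass=user)(sAMAccountName='
                || escape_filter_value(p_username) || '))';
    l_attrs(1) := 'distinguishedName';
    l_retval := dbms_ldap.search_s(l_session, p_base, dbms_ldap.SCOPE_SUBTREE,
                                   l_filter, l_attrs, 0, l_message);
    l_count := dbms_ldap.count_entries(l_session, l_message);

    -- Exactly one hit or we stop: zero is an unknown user, more than one is
    -- an ambiguous filter, and binding as "whichever entry came first" is a
    -- classic way to log someone in as the wrong account.
    if l_count = 1 then
        l_entry   := dbms_ldap.first_entry(l_session, l_message);
        l_user_dn := dbms_ldap.get_dn(l_session, l_entry);
    end if;
    l_retval := dbms_ldap.msgfree(l_message);

    -- Step 3: prove the password with a bind as the user's own DN. A second
    -- bind on the same connection replaces the service-account identity;
    -- if it fails, the connection is left anonymous and we unbind anyway.
    if l_user_dn is not null then
        begin
            l_retval := dbms_ldap.simple_bind_s(l_session, l_user_dn, p_password);
            l_ok := (l_retval = dbms_ldap.SUCCESS);
        exception
            when others then
                -- ORA-31202 here carries the AD "data" code from the table
                -- in the first post (52e bad password, 533 disabled, 773
                -- must reset ...). Log sqlerrm for support, but return only
                -- a plain failure to the login page.
                l_ok := false;
        end;
    end if;

    l_retval := dbms_ldap.unbind_s(l_session);
    return l_ok;
exception
    when others then
        -- Connection, ACL or search failures: never fall through to "true".
        begin
            l_retval := dbms_ldap.unbind_s(l_session);
        exception
            when others then null;
        end;
        return false;
end ldap_search_then_bind;
/
```

To use it from APEX, create a Custom authentication scheme and set `ldap_search_then_bind` as the Authentication Function Name; APEX calls it with the login page's username and password and expects the boolean back. Keep the service account limited to read access on the user OU, and note that with Use SSL = No SSL, as in every configuration in the thread, both the service-account bind and the user's password cross the network in clear text, so this should run over LDAPS (port 636) or a StartTLS-capable port in production.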
