3 Replies Latest reply: Jul 11, 2013 10:46 AM by Jayson Hanes

    Question re public access and LDAP authentication
      We have been playing around with using LDAP authentication for an APEX site we created.  Everything works fine, but it authorizes everyone who has an LDAP account.  We want to limit authorization to only the people we want to let in, and just have their password managed in LDAP.


      Is there a good way to limit authorization by only allowing in those who we create an application account for?  I figure I could set up an authorization group and add it to the home page, but I'm not sure how good that would be from a security standpoint, and the error message is not the best.  If someone can point me to a good doc or give some advice, it would be appreciated.


      Thanks in advance.

        • 1. Re: Question re public access and LDAP authentication

          Use an LDAP group to control access.  Assign members to it, and in your code somewhere, check the group.

          I don't have a specific example, but if you search for oracle ldap group I'm sure you can get examples.  The nice thing is you can control access outside of Apex and never have to touch the code.

          • 2. Re: Question re public access and LDAP authentication

            Thanks Scott,


            I did find an example on the internet about using an LDAP group.  While I could see how that would work and do exactly what we need, my preference would be to manage it within APEX without requiring an LDAP group.



            • 3. Re: Question re public access and LDAP authentication
              Jayson Hanes

              You're going to have to rely on a table that has the username, maybe apps allowed (app # if you desire), and/or access level, and use an authorization scheme throughout your app that checks who's allowed to see/use/update/edit/delete what, etc. The APEX packaged applications demonstrate how to do this quite well (P-Track, Meetings, etc.) -- install an app, change its authentication scheme to LDAP, run it, go to admin (gear icon), enable ACL (access control list) and you'll see how it works -- a table is created in the schema you install the application into, and throughout the various pages you can see calls to a packaged function for returning the access level, which is implemented as an as-needed authorization at the item/region/process level. I do it this same way exclusively.
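The table-plus-authorization-scheme approach described in this reply, as an added example that is not from the thread or from the APEX packaged applications. The table name `app_accounts`, the package name `app_access` and the access levels are assumptions; `v('APP_USER')` and `v('APP_ID')` are the standard APEX session accessors.

```sql
-- Constructed example: one row per (LDAP username, application) that is allowed in.
-- A user who authenticates against LDAP but has no row here is denied (fail closed).
CREATE TABLE app_accounts (
  username     VARCHAR2(255) NOT NULL,
  app_id       NUMBER        NOT NULL,
  access_level VARCHAR2(10)  NOT NULL
    CHECK (access_level IN ('READ', 'EDIT', 'ADMIN')),
  is_active    CHAR(1) DEFAULT 'Y' NOT NULL CHECK (is_active IN ('Y', 'N')),
  CONSTRAINT app_accounts_pk PRIMARY KEY (username, app_id)
);

CREATE OR REPLACE PACKAGE app_access AS
  -- Access level of a user for one application, or NULL when no active account exists.
  FUNCTION get_level (p_username IN VARCHAR2, p_app_id IN NUMBER) RETURN VARCHAR2;
  -- Wrapper for an authorization scheme of type "PL/SQL Function Returning Boolean".
  FUNCTION has_access (p_required IN VARCHAR2) RETURN BOOLEAN;
END app_access;
/

CREATE OR REPLACE PACKAGE BODY app_access AS
  FUNCTION rank_of (p_level IN VARCHAR2) RETURN NUMBER IS
  BEGIN
    RETURN CASE p_level WHEN 'READ' THEN 1 WHEN 'EDIT' THEN 2 WHEN 'ADMIN' THEN 3 ELSE 0 END;
  END rank_of;

  FUNCTION get_level (p_username IN VARCHAR2, p_app_id IN NUMBER) RETURN VARCHAR2 IS
    l_level app_accounts.access_level%TYPE;
  BEGIN
    -- Compare in upper case so the stored name matches however LDAP returned it.
    SELECT access_level INTO l_level
      FROM app_accounts
     WHERE username = UPPER(p_username) AND app_id = p_app_id AND is_active = 'Y';
    RETURN l_level;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN NULL;   -- valid LDAP login, no application account
  END get_level;

  FUNCTION has_access (p_required IN VARCHAR2) RETURN BOOLEAN IS
    l_need NUMBER := rank_of(p_required);
  BEGIN
    RETURN l_need > 0
       AND rank_of(get_level(v('APP_USER'), TO_NUMBER(v('APP_ID')))) >= l_need;
  END has_access;
END app_access;
/

-- Authorization scheme "Is Application User" (PL/SQL Function Returning Boolean):
--   RETURN app_access.has_access('READ');
-- Set it as the application-level authorization scheme (Shared Components > Security
-- Attributes) so the check applies to every page, not just the home page; use
-- has_access('EDIT') / has_access('ADMIN') on individual regions, items and processes.
```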