We have been playing around with using LDAP authentication for an APEX site we created. Everything works fine, but it authorizes everyone who has an LDAP account. We want to limit authorization to only the people we want to let in, and just have their passwords managed in LDAP.
Is there a good way to limit authorization to only those for whom we create an application account? I figure I could set up an authorization group and add it to the home page, but I'm not sure how good that would be from a security standpoint, and the error message is not the best. If someone can point me to a good doc or give some advice, it would be appreciated.
Thanks in advance
Use an LDAP group to control access. Assign members to it, and in your code somewhere, check the group.
I don't have a specific example, but if you search for oracle ldap group I'm sure you can get examples. The nice thing is you can control access outside of Apex and never have to touch the code.
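As an added example (not code from the thread or from Oracle), here is what "check the group in your code" can look like as an APEX authorization scheme backed by DBMS_LDAP. It assumes a hypothetical directory layout (users under `ou=people,dc=example,dc=com`, a `groupOfNames` group `cn=apex-app-users,ou=groups,dc=example,dc=com` whose `member` attribute holds user DNs), an LDAPS endpoint `ldap.example.com:636`, a read-only service account `cn=apex-reader,...`, and an Oracle wallet for the server certificate; all of those names are assumptions. The user's DN is resolved by search rather than string-building, and the login name is escaped before it goes into a filter so it cannot alter the query.

```sql
-- Added example, not from the original post. Directory names, host, wallet path
-- and service account are assumptions; adjust to your LDAP.
create or replace function is_in_apex_group (
    p_username in varchar2,
    p_group_cn in varchar2 default 'apex-app-users'
) return boolean
is
    c_host       constant varchar2(255) := 'ldap.example.com';                       -- assumption
    c_port       constant pls_integer   := 636;                                      -- LDAPS
    c_wallet     constant varchar2(255) := 'file:/u01/app/oracle/wallet';            -- assumption (auto-login wallet)
    c_bind_dn    constant varchar2(255) := 'cn=apex-reader,ou=service,dc=example,dc=com';
    c_bind_pw    constant varchar2(255) := '<load from a credential store, never hard-code>';
    c_user_base  constant varchar2(255) := 'ou=people,dc=example,dc=com';
    c_group_base constant varchar2(255) := 'ou=groups,dc=example,dc=com';

    l_ld      dbms_ldap.session;
    l_rc      pls_integer;
    l_attrs   dbms_ldap.string_collection;
    l_msg     dbms_ldap.message;
    l_user_dn varchar2(1000);
    l_filter  varchar2(4000);
    l_found   boolean := false;

    -- RFC 4515 filter escaping: a login name like "*)(uid=*" must not rewrite the filter.
    function ldap_escape (p_val in varchar2) return varchar2 is
    begin
        return replace(replace(replace(replace(replace(p_val,
                 '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), chr(0), '\00');
    end ldap_escape;
begin
    if p_username is null then
        return false;   -- deny by default
    end if;

    dbms_ldap.use_exception := true;   -- turn LDAP errors into PL/SQL exceptions
    l_ld := dbms_ldap.init(c_host, c_port);
    -- TLS with server certificate verification against the wallet (sslauth 2 = one-way auth).
    l_rc := dbms_ldap.open_ssl(l_ld, c_wallet, null, 2);
    l_rc := dbms_ldap.simple_bind_s(l_ld, c_bind_dn, c_bind_pw);

    -- 1. Resolve the user's DN from the login name; '1.1' asks for no attributes.
    l_attrs(1) := '1.1';
    l_filter   := '(uid=' || ldap_escape(p_username) || ')';
    l_rc := dbms_ldap.search_s(l_ld, c_user_base, dbms_ldap.scope_subtree,
                               l_filter, l_attrs, 0, l_msg);
    if dbms_ldap.count_entries(l_ld, l_msg) = 1 then
        l_user_dn := dbms_ldap.get_dn(l_ld, dbms_ldap.first_entry(l_ld, l_msg));
    end if;
    l_rc := dbms_ldap.msgfree(l_msg);

    -- 2. Is that DN a member of the group? Exactly one entry is expected when it is.
    if l_user_dn is not null then
        l_filter := '(&(cn=' || ldap_escape(p_group_cn) || ')'
                 || '(member=' || ldap_escape(l_user_dn) || '))';
        l_rc := dbms_ldap.search_s(l_ld, c_group_base, dbms_ldap.scope_subtree,
                                   l_filter, l_attrs, 0, l_msg);
        l_found := dbms_ldap.count_entries(l_ld, l_msg) > 0;
        l_rc := dbms_ldap.msgfree(l_msg);
    end if;

    l_rc := dbms_ldap.unbind_s(l_ld);
    return l_found;
exception
    when others then
        -- Fail closed: release the session and let APEX surface the error rather than
        -- silently admitting anyone when the directory is unreachable.
        begin
            l_rc := dbms_ldap.unbind_s(l_ld);
        exception
            when others then null;
        end;
        raise;
end is_in_apex_group;
/
```

Wire it up under Shared Components > Authorization Schemes as a "PL/SQL Function Returning Boolean" whose body is `return is_in_apex_group(:APP_USER);`, and attach that scheme at the application level (Shared Components > Security Attributes > Authorization) rather than only on the home page: a check placed on page 1 alone does nothing for a user who types the URL of page 3. Two caveats: the database schema needs a network ACL (DBMS_NETWORK_ACL_ADMIN) allowing it to connect to the LDAP host, and APEX evaluates an authorization scheme once per session by default, so a user removed from the group keeps access until they log in again unless the scheme's evaluation point is set to "Always" or you call APEX_AUTHORIZATION.RESET_CACHE. The scheme's own "error message" attribute is where you put the friendlier text the question asks for.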
You're going to have to rely on a table that has the username, maybe the apps allowed (app # if you desire), and/or the access level, and use an authorization scheme throughout your app that checks who's allowed to see/use/update/edit/delete what, etc. The APEX packaged applications demonstrate how to do this quite well (P-Track, Meetings, etc.): install an app, change its authentication scheme to LDAP, run it, go to admin (gear icon), enable ACL (access control list) and you'll see how it works. A table is created in the schema you install the application into, and throughout the various pages you can see calls to a packaged function for returning the access level, which is implemented as an as-needed authorization at the item/region/process level. I do it this same way exclusively.
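As an added example (not the packaged applications' own ACL code), here is a minimal version of the table-driven approach described above: an ACL table keyed by username and application, a package that returns the access level and compares it against a required level, and the one-line authorization scheme bodies that call it. Table, package and level names are assumptions; the two inserted rows are constructed sample data.

```sql
-- Added example, not from the original post or the packaged apps. Names are assumptions.
create table app_user_acl (
    username     varchar2(255) not null,   -- stored upper-case; compare with upper(:APP_USER)
    app_id       number        not null,   -- the APEX application id (:APP_ID)
    access_level varchar2(20)  not null
        constraint app_user_acl_level_ck check (access_level in ('READER', 'CONTRIBUTOR', 'ADMIN')),
    constraint app_user_acl_pk primary key (username, app_id)
);

create or replace package app_acl as
    -- Access level for a user in an app, or null when the user has no row (no row = no access).
    function get_access_level (p_username in varchar2, p_app_id in number) return varchar2;
    -- True when the user's level is at least p_min_level.
    function has_level (p_username in varchar2, p_app_id in number, p_min_level in varchar2) return boolean;
end app_acl;
/

create or replace package body app_acl as

    function level_rank (p_level in varchar2) return pls_integer is
    begin
        return case p_level
                   when 'READER'      then 1
                   when 'CONTRIBUTOR' then 2
                   when 'ADMIN'       then 3
                   else 0                      -- null or unknown level ranks below everything
               end;
    end level_rank;

    function get_access_level (p_username in varchar2, p_app_id in number) return varchar2 is
        l_level app_user_acl.access_level%type;
    begin
        select access_level
          into l_level
          from app_user_acl
         where username = upper(p_username)
           and app_id   = p_app_id;
        return l_level;
    exception
        when no_data_found then
            return null;                       -- deny by default
    end get_access_level;

    function has_level (p_username in varchar2, p_app_id in number, p_min_level in varchar2)
        return boolean is
        l_required pls_integer := level_rank(p_min_level);
    begin
        -- An unknown required level must never grant access by ranking as 0.
        if l_required = 0 then
            return false;
        end if;
        return level_rank(get_access_level(p_username, p_app_id)) >= l_required;
    end has_level;

end app_acl;
/

-- Constructed sample rows: JDOE may read app 100, ASMITH administers it.
insert into app_user_acl (username, app_id, access_level) values ('JDOE',   100, 'READER');
insert into app_user_acl (username, app_id, access_level) values ('ASMITH', 100, 'ADMIN');
commit;

-- Authorization scheme bodies (type "PL/SQL Function Returning Boolean"):
--   "Has Access"  : return app_acl.has_level(:APP_USER, :APP_ID, 'READER');
--   "Can Edit"    : return app_acl.has_level(:APP_USER, :APP_ID, 'CONTRIBUTOR');
--   "Is Admin"    : return app_acl.has_level(:APP_USER, :APP_ID, 'ADMIN');
```

Attach "Has Access" as the application-level authorization scheme so that LDAP authentication alone no longer admits anyone, then use "Can Edit" and "Is Admin" on the individual regions, items and processes that need them, which is the per-component pattern the packaged apps use. Because APEX caches authorization results per session by default, a row deleted from app_user_acl takes effect at the user's next login unless the scheme's evaluation point is "Always" or APEX_AUTHORIZATION.RESET_CACHE is called; and since the check queries a table in your own schema, the admin page that maintains that table needs the "Is Admin" scheme itself.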