My firm has many child domains in Microsoft AD, depending on location. When I use the built-in AD authentication in Oracle APEX, how should I provide the DN string so that users from all child domains can be authenticated?
Currently I am able to authenticate only the one child domain that I provide in the DN as "mychilddomain\%LDAP_USER%".
Please help me resolve this.
No, I am not having any dropdowns. It's fine if the user has to mention his domain in the username as "mydomain\uid". The documentation says the DN for internal AD authentication should be given as mydomain\%LDAP_USER%. When I give such a DN, only users from the child domain that I mention in the DN can be authenticated; other users get an invalid credentials error.
If I give the DN as only %LDAP_USER%, everybody gets an invalid credentials error.
What is the value of the LDAP authentication scheme's "Username Escaping" attribute? If the user enters "mydomain\uid", the "\" will be escaped by default. I do not recommend simply disabling escaping; that would be insecure. However, you could use a custom LDAP edit function in combination with the apex_escape.ldap_dn and apex_escape.ldap_search_filter functions.
I have not disabled escaping in the LDAP authentication. However, I am not clear on how I should write the DN string so that all child domains can be authenticated. By location, my firm has child domains like city1.mycompany.com and city2.mycompany.com, and when a user is transferred to another location, he is simply moved from one child domain to another. When I give the DN as city1\%LDAP_USER%, only users from the city1 child domain can be authenticated with their uid attribute, and users from other child domains get an invalid credentials error. How can I resolve this in the easiest way? I am completely new to this, hence not aware of the functions in APEX.
Can you try this for testing?
1. set "Distinguished Name (DN) String" to "%LDAP_USER%"
2. set "Username Escaping" to "No Escaping"
3. log in with "city1\username"
If it works, you can define a Username Edit function that allows one "\" but uses apex_escape.ldap_dn to make sure the parts left and right of the backslash are properly escaped.
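As an added illustration of the Username Edit Function suggested in the two replies above (this is example code, not part of the original thread and not code from the APEX product or its documentation): a PL/SQL function that accepts exactly one backslash in "domain\uid", escapes the two halves separately with apex_escape.ldap_dn, and rejoins them with a literal backslash so that the domain separator survives while DN metacharacters in either half do not. It assumes the scheme's "Distinguished Name (DN) String" is "%LDAP_USER%", "Username Escaping" is "No Escaping" (so this function is the only escaping that happens), and that the scheme's Username Edit Function is configured to call it; the function name `domain_username_edit`, the parameter name `p_username`, and the error numbers are my own choices.

```plsql
-- Added example (not from the original thread). Username Edit Function for an
-- APEX LDAP authentication scheme whose DN string is "%LDAP_USER%" and whose
-- "Username Escaping" is "No Escaping". Function/parameter names and error
-- codes are assumptions made for this example.
create or replace function domain_username_edit (
    p_username in varchar2 )
    return varchar2
is
    l_sep     pls_integer;
    l_domain  varchar2(4000);
    l_uid     varchar2(4000);
begin
    -- Locate the single allowed backslash, e.g. "city1\jdoe".
    l_sep := instr(p_username, '\');

    if l_sep = 0 then
        -- No domain prefix given: escape the whole value, which is what the
        -- scheme's default "Standard" escaping would have done anyway.
        return apex_escape.ldap_dn(p_username);
    end if;

    -- A second backslash is never legitimate here; reject it rather than
    -- letting an attacker-controlled separator reach the DN unescaped.
    if instr(p_username, '\', l_sep + 1) > 0 then
        raise_application_error(-20001,
            'Username may contain at most one backslash');
    end if;

    l_domain := substr(p_username, 1, l_sep - 1);
    l_uid    := substr(p_username, l_sep + 1);

    if l_domain is null or l_uid is null then
        raise_application_error(-20002,
            'Username must be of the form domain\uid');
    end if;

    -- Escape each half on its own so characters such as ",", "=", "+", "<",
    -- ">", ";" or a stray "\" cannot be smuggled through the unescaped DN
    -- string, then put the one trusted backslash back between them.
    -- If the set of child domains is known and stable, an additional check of
    -- l_domain against that list would be a reasonable hardening step.
    return apex_escape.ldap_dn(l_domain) || '\' || apex_escape.ldap_dn(l_uid);
end domain_username_edit;
/
```

With this in place a user logs in as "city1\jdoe" or "city2\jdoe" and the bind is attempted against whichever child domain they name, which matches the "user mentions his domain in the username" requirement stated earlier in the thread. Turning "Username Escaping" off without an edit function like this is the insecure configuration warned about above; the function is what makes the "No Escaping" setting acceptable.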