36 Replies. Latest reply on Jul 5, 2015 4:39 AM by Maahjoor

    separate authentication and authorization for Active directory groups

    Maahjoor

      Dear all,

      After a long search and failure, I am posting the question.

      I am using Oracle APEX 4.2 on Windows Server 2012 on Oracle 12c, all 64-bit.

      We have configured Microsoft Active Directory with LDAP.

      In LDAP we have one main group, let's say A, and under A there are two groups, staff and students.

      Under staff there are many other groups, and under students there are many groups.

      I have created one mobile application; it has a main page which is publicly accessible without username and password.

      In this main page, I have a list which contains two items, Staff and Student.

      When either of the list items is clicked, the login screen is displayed.

      Now I want to control this: when the end user clicks on the Staff list item, only staff should be authenticated;

      if the end user is a student, they should not be authenticated.

      The same for the Student list item: if the end user clicks on the Student list, only students should be authenticated.

      Somebody please guide me; I have failed in searching and testing.

      Thank you.

      Regards.

        • 1. Re: separate authentication and authorization for Active directory groups
          Kiran Pawar

          Hi Maahjoor,

              Are you directed to the same login page from the main page? I mean, are there different applications for staff and student, or one application?

              If one application, then instead of the built-in LDAP authentication scheme, you could create your own custom authentication scheme based on a packaged/stored function as follows:

          CREATE OR REPLACE FUNCTION AUTHENTICATE_USER ( P_USERNAME IN VARCHAR2
                                                      , P_PASSWORD IN VARCHAR2 )
            RETURN BOOLEAN
          AS
          BEGIN
            -- first try to bind the user below the staff search base ...
            IF APEX_LDAP.AUTHENTICATE (
                  p_username    => P_USERNAME,
                  p_password    => P_PASSWORD,
                  p_search_base => 'ou=staff,dc=myldapdomain,dc=com',
                  p_host        => '<ldap-server>',   -- replace with your LDAP host name
                  p_port        => 389 ) THEN
              -- authenticated by first LDAP group
              DBMS_OUTPUT.PUT_LINE('AUTHENTICATED');
              APEX_UTIL.SET_AUTHENTICATION_RESULT(0);
              RETURN TRUE;
            -- ... then below the student search base
            ELSIF APEX_LDAP.AUTHENTICATE (
                  p_username    => P_USERNAME,
                  p_password    => P_PASSWORD,
                  p_search_base => 'ou=student,dc=myldapdomain,dc=com',
                  p_host        => '<ldap-server>',   -- replace with your LDAP host name
                  p_port        => 389 ) THEN
              -- authenticated by second LDAP group
              DBMS_OUTPUT.PUT_LINE('AUTHENTICATED');
              APEX_UTIL.SET_AUTHENTICATION_RESULT(0);
              RETURN TRUE;
            ELSE
              -- unauthenticated user: neither search base accepted the credentials
              DBMS_OUTPUT.PUT_LINE('UNAUTHENTICATED');
              APEX_UTIL.SET_AUTHENTICATION_RESULT(4);
              RETURN FALSE;
            END IF;

          EXCEPTION
            WHEN OTHERS THEN
              -- any LDAP or network error is treated as a failed login
              DBMS_OUTPUT.PUT_LINE('UNAUTHENTICATED');
              APEX_UTIL.SET_AUTHENTICATION_RESULT(4);
              RETURN FALSE;

          END;


              If two different applications, then you can use the built-in LDAP authentication with the appropriate Distinguished Name (DN) String.

               Also, for Authorization Schemes you could use the APEX_LDAP.IS_MEMBER function.

               Refer to: http://docs.oracle.com/cd/E37097_01/doc.42/e35127/apex_ldap.htm#AEAPI238

              Hope this helps!


          Regards,

          Kiran

          1 person found this helpful
          • 2. Re: separate authentication and authorization for Active directory groups
            Maahjoor

            Hi Kiran,

            I am using two different applications, and I use the built-in LDAP authentication with the appropriate Distinguished Name (DN) String,

            but the problem is that I could authenticate only one LDAP group, and not the complete tree of the LDAP.

            For example, in my case:

            I have HCT; inside HCT I have STAFF; inside STAFF I have 15 more groups for departments, which in turn have more groups for sections.

            The DN string could work for a specific department only; instead, I want that if somebody is in STAFF, or anywhere further down the hierarchy of STAFF, they should be authenticated.

            The same for students also.

            I am very worried about how to fix this, because I have searched this forum, but found no thorough solution.

            Please guide me.

            Thank you.

            • 3. Re: separate authentication and authorization for Active directory groups
              Maahjoor

              Hi Kiran,

              I still have no solution for the problem above. Could you shed some more light on it? Any other references, blog or white paper?

              Thank you.

              • 4. Re: separate authentication and authorization for Active directory groups
                Kiran Pawar

                Hi Maahjoor,

                Maahjoor wrote:

                I still have no solution for the problem above. Could you shed some more light on it? Any other references, blog or white paper?

                     If the built-in APEX LDAP authentication or using APEX_LDAP is not working for your issue, I suggest you build your custom authentication based on the DBMS_LDAP package.

                     The following thread is a good reference: LDAP (MS AD) Group Authentication

                     Also, the thread refers to a chapter in Pro Oracle Application Express 4 (Expert's Voice in Databases): Tim Fox, John Scott, Scott Spendolini: 9781430234944: Am… book, which will be very helpful.

                     The following threads might also help you:

                     Hope this helps!

                 

                Regards,

                Kiran

                1 person found this helpful
                • 5. Re: separate authentication and authorization for Active directory groups
                  Maahjoor

                  Let me read them; I may come back to you.

                  Thank you.

                  • 6. Re: separate authentication and authorization for Active directory groups
                    Maahjoor

                    Hi Kiran,

                    Things have become slightly easier, I think.

                    I have met with my .Net developer; he told me that I am doing the authorization through the TITLE from Active Directory.

                    So we have, for example, the following TITLES:

                    Staff

                    Student

                    So I think I have to do the following:

                    1. Catch the login username.

                    2. Check the Title for that username from AD.

                    3. If it is a Student then redirect to the student portal, otherwise redirect to the Staff portal.

                    Could you guide me in this scenario? I mean, how to do it? Where to put which code?

                    I am really stuck here.

                    Thanks Kiran.

                    • 7. Re: separate authentication and authorization for Active directory groups
                      Kiran Pawar

                      Hi Maahjoor,

                      Maahjoor wrote:

                      1. Catch the login username.

                      2. Check the Title for that username from AD.

                      3. If it is a Student then redirect to the student portal, otherwise redirect to the Staff portal.

                      Could you guide me in this scenario? I mean, how to do it? Where to put which code?

                           Instead of changing the authentication-related components, why don't you handle it after authentication, when there is a valid session state?

                           You could create a before-header branch on the home page to redirect the user to the appropriate user home page.

                           If there are many users and the home page of each user varies, you could add a column to map the home page to each user.

                           Create a before-header process that calls APEX_UTIL.REDIRECT_URL, getting the appropriate home page from the users table.

                           Refer to the following threads:

                           Hope it helps!

                       

                      Regards,

                      Kiran

                      1 person found this helpful
                      • 8. Re: separate authentication and authorization for Active directory groups
                        Maahjoor

                        I will update this thread tomorrow, since the office time is over now.

                        The problem is how to check the TITLE field from Active Directory for the authenticated user.

                        I think APEX_LDAP.GET_USER_ATTRIBUTES could do this, but I don't know how to use it.

                        Somehow, we will see tomorrow.

                        Thank you.

                        • 9. Re: Re: separate authentication and authorization for Active directory groups
                          Maahjoor
                          Instead of changing the authentication related components, why don't you handle it after authentication when there is a valid session state.

                          This is what I am asking you. I will let the user log in; after login, I will do the authorization.

                          I need the procedure that captures the Active Directory attribute named TITLE for the authenticated user.

                          Thanks

                          • 10. Re: Re: Re: separate authentication and authorization for Active directory groups
                            Kiran Pawar

                            Hi Maahjoor,

                            Maahjoor wrote:

                            Instead of changing the authentication related components, why don't you handle it after authentication when there is a valid session state.

                            This is what I am asking you. I will let the user log in; after login, I will do the authorization.

                            I need the procedure that captures the Active Directory attribute named TITLE for the authenticated user.

                                If you are not able to determine the TITLE LDAP profile attribute using APEX_LDAP.GET_USER_ATTRIBUTES, use the "LDAPWalk" routine based on DBMS_LDAP mentioned in the following book:

                            Also, the thread refers to chapter 13 in Pro Oracle Application Express 4 (Expert's Voice in Databases): Tim Fox, John Scott, Scott Spendolini: 9781430234944: Am… book, which will be very helpful.

                                Also, the following threads show how to fetch LDAP attributes for a user using DBMS_LDAP:

                             

                            Regards,

                            Kiran

                            1 person found this helpful
                            • 11. Re: Re: Re: Re: separate authentication and authorization for Active directory groups
                              Maahjoor

                              I was able to get the required attribute with the following code; I will come back to you after some hours.

                               

                              declare
                                  LDAP_SERVER constant varchar2(200) := 'hct.org';
                                  LDAP_PORT   constant number        := 389;
                                  --// bind credentials for the lookup; in production read these from a secured store
                                  LDAP_USER   constant varchar2(200) := 'hct\itnew';
                                  LDAP_PASSW  constant varchar2(200) := 'itnew';
                                  LDAP_BASE   constant varchar2(200) := 'DC=hct,DC=org';

                                  rc              integer;
                                  ldapSession     DBMS_LDAP.session;
                                  ntUser          varchar2(30);
                                  attrName        varchar2(255);
                                  attrList        DBMS_LDAP.string_collection;
                                  valList         DBMS_LDAP.string_collection;
                                  ldapMessage     DBMS_LDAP.message;
                                  ldapEntry       DBMS_LDAP.message;
                                  berElem         DBMS_LDAP.ber_element;

                                  --// very primitive assertion interface - should be catering
                                  --// for unique error code and messages in a prod environment
                                  procedure assert( condition boolean ) is
                                  begin
                                      if not condition then
                                          raise_application_error(
                                              -20001,
                                              'LDAP call unsuccessful.'
                                          );
                                      end if;
                                  end;

                                  procedure W( line varchar2 ) is
                                  begin
                                      DBMS_OUTPUT.put_line( line );
                                  end;
                              begin
                                  --// logon to the Microsoft Active Directory Server
                                  DBMS_LDAP.USE_EXCEPTION := false;
                                  W( 'Logging on to AD server;' );
                                  ldapSession := DBMS_LDAP.init( LDAP_SERVER, LDAP_PORT );

                                  rc := DBMS_LDAP.simple_bind_s(
                                      ld     => ldapSession,
                                      dn     => LDAP_USER,
                                      passwd => LDAP_PASSW
                                  );
                                  assert( rc = DBMS_LDAP_UTL.SUCCESS );

                                  --// set the NTLM user and attributes that we want
                                  ntUser := 'itnew';
                                  attrList(1) := 'title';
                                  --// so a search on the username (NTLM username typically)
                                  W( 'Doing a basic search on NT username' );
                                  rc := DBMS_LDAP.search_s(
                                      ld       => ldapSession,
                                      base     => LDAP_BASE,
                                      scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                      filter   => '(&(objectclass=USER)(SAMAccountName='||ntUser||'))',
                                      attrs    => attrList,
                                      attronly => 0,
                                      res      => ldapMessage
                                  );
                                  assert( rc = DBMS_LDAP_UTL.SUCCESS );

                                  if DBMS_LDAP.count_entries(ldapSession,ldapMessage) > 0 then
                                      W( '1st entry - only 1 expected as we did a unique account lookup' );
                                      ldapEntry := DBMS_LDAP.first_entry( ldapSession, ldapMessage );

                                      while (ldapEntry is not null) loop
                                          --// get the attribute
                                          attrName := DBMS_LDAP.first_attribute(
                                              ld        => ldapSession,
                                              ldapEntry => ldapEntry,
                                              ber_elem  => berElem
                                          );
                                          while (attrName is not null) loop
                                              --// get the list of values for the attribute
                                              valList := DBMS_LDAP.get_values(
                                                  ld        => ldapSession,
                                                  ldapEntry => ldapEntry,
                                                  attr      => attrName
                                              );
                                              --// for simplicity sake, we expect a scalar name-value and
                                              --// thus a single value only
                                              W( attrName||'='||valList(0) );
                                              -- dbms_output.put_line(valList(0));
                                              --// proceed to process the next attribute
                                              attrName := DBMS_LDAP.next_attribute(
                                                  ld        => ldapSession,
                                                  ldapEntry => ldapEntry,
                                                  ber_elem  => berElem
                                              );
                                          end loop;

                                          --// not really needed in this case as we're processing a single SAMaccount entry
                                          ldapEntry := DBMS_LDAP.next_entry( ldapSession, ldapEntry );
                                      end loop;
                                  end if;

                                  W( 'Disconnecting from AD server' );
                                  rc := DBMS_LDAP.unbind_s( ld => ldapSession );
                              end;

                               

                              I got it from Billy's reply in thread https://community.oracle.com/thread/2248994

                              Thank you.

                              • 12. Re: Re: separate authentication and authorization for Active directory groups
                                Maahjoor

                                Hi Kiran,

                                Now I have the following scenario:

                                1. I have a main application which is public and needs no login.

                                2. I have an application named PORTALS with Active Directory authentication.

                                3. Once the user is authenticated, I have two other portals, STAFF and STUDENTS.

                                4. If the user is a student, they should be redirected to STUDENT; otherwise they should be redirected to STAFF.

                                As you told me,

                                You could create a before header branch on the home page to redirect the user to appropriate user home page.

                                How could I do this? Where should I put my code which could take the TITLE of the logged-in user? Then I will conditionally check: if the title is STUDENT then redirect to the student portal, otherwise redirect to the staff portal.

                                Thank you.

                                • 13. Re: separate authentication and authorization for Active directory groups
                                  Kiran Pawar

                                  Hi Maahjoor,

                                  Maahjoor wrote:

                                  Now I have the following scenario:

                                  1. I have a main application which is public and needs no login.

                                  2. I have an application named PORTALS with Active Directory authentication.

                                  3. Once the user is authenticated, I have two other portals, STAFF and STUDENTS.

                                  4. If the user is a student, they should be redirected to STUDENT; otherwise they should be redirected to STAFF.

                                  As you told me,

                                  You could create a before header branch on the home page to redirect the user to appropriate user home page.

                                  How could I do this? Where should I put my code which could take the TITLE of the logged-in user? Then I will conditionally check: if the title is STUDENT then redirect to the student portal, otherwise redirect to the staff portal.

                                       You should put your code on the home page of the PORTALS application (with AD authentication), in a page process which executes on page load.

                                   

                                  Regards,

                                  Kiran

                                  1 person found this helpful
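As an added example (not code from the thread, from Billy's post or from Oracle), here is the on-load page process for the PORTALS home page that combines the two answers above: it looks up the authenticated :APP_USER's `title` attribute with DBMS_LDAP, the way the DBMS_LDAP listing earlier in the thread does, and then redirects with APEX_UTIL.REDIRECT_URL. The AD host, the read-only bind account, and the two portal application IDs are placeholders; the base DN is the one from the thread. It goes beyond the thread's "otherwise staff" rule in two ways: the username is escaped before it is put into the LDAP filter, and an account with no recognised title fails closed instead of landing in the staff portal.

```plsql
-- APEX page process, PL/SQL, process point "On Load - Before Header", on the PORTALS home page.
declare
    -- Connection details: placeholders, replace with your own values.
    c_host        constant varchar2(200) := '<ad-host>';
    c_port        constant pls_integer   := 389;
    c_bind_dn     constant varchar2(200) := '<read-only-service-account>';
    c_bind_pw     constant varchar2(200) := '<service-account-password>'; -- load from a secured table or wallet, not a literal
    c_base        constant varchar2(200) := 'DC=hct,DC=org';              -- base DN from the thread
    c_student_app constant pls_integer   := 200;   -- hypothetical application id of the STUDENT portal
    c_staff_app   constant pls_integer   := 300;   -- hypothetical application id of the STAFF portal

    l_sess   dbms_ldap.session;
    l_rc     pls_integer;
    l_attrs  dbms_ldap.string_collection;
    l_vals   dbms_ldap.string_collection;
    l_msg    dbms_ldap.message;
    l_entry  dbms_ldap.message;
    l_title  varchar2(255);
    l_app    pls_integer;

    -- RFC 4515 escaping for a value embedded in a search filter, so a username such as
    -- "x)(title=*" cannot change the meaning of the query. Backslash is escaped first.
    function esc(p_val in varchar2) return varchar2 is
    begin
        return replace(replace(replace(replace(replace(p_val,
                   '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), chr(0), '\00');
    end esc;
begin
    dbms_ldap.use_exception := true;           -- any LDAP failure raises; handled below
    l_sess := dbms_ldap.init(c_host, c_port);
    l_rc   := dbms_ldap.simple_bind_s(l_sess, c_bind_dn, c_bind_pw);

    l_attrs(1) := 'title';                     -- request only the attribute we route on
    l_rc := dbms_ldap.search_s(
                ld       => l_sess,
                base     => c_base,
                scope    => dbms_ldap.scope_subtree,
                filter   => '(&(objectClass=user)(sAMAccountName=' || esc(:APP_USER) || '))',
                attrs    => l_attrs,
                attronly => 0,
                res      => l_msg);

    -- Exactly one account is expected; anything else is treated as "no title".
    if dbms_ldap.count_entries(l_sess, l_msg) = 1 then
        l_entry := dbms_ldap.first_entry(l_sess, l_msg);
        l_vals  := dbms_ldap.get_values(l_sess, l_entry, 'title');
        if l_vals.count > 0 then
            l_title := l_vals(l_vals.first);   -- a single scalar value is expected
        end if;
    end if;
    l_rc := dbms_ldap.unbind_s(l_sess);

    -- Route on the attribute. Fail closed: a user with no recognised title gets an
    -- error instead of silently being sent to the staff portal.
    if upper(l_title) = 'STUDENT' then
        l_app := c_student_app;
    elsif upper(l_title) = 'STAFF' then
        l_app := c_staff_app;
    else
        raise_application_error(-20001, 'No portal assigned for this account.');
    end if;

    -- The current APEX session is reused, so both portals must share the
    -- authentication scheme and session cookie with PORTALS.
    apex_util.redirect_url(p_url => 'f?p=' || l_app || ':1:' || :APP_SESSION);
exception
    when others then
        begin
            l_rc := dbms_ldap.unbind_s(l_sess);  -- best-effort cleanup of the LDAP session
        exception when others then null;
        end;
        raise;                                   -- surface the failure rather than continue unrouted
end;
```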
                                  • 14. Re: Re: separate authentication and authorization for Active directory groups
                                    Maahjoor

                                    I will try tomorrow; it is late now.

                                    I think your last reply would fix the problem.

                                    I will update the thread tomorrow, Inshallah.

                                    Thank you so much.
