5 Replies Latest reply on Mar 6, 2016 2:05 PM by Irha10

    AD Group for Authorization Scheme

    Irha10

      Hi all,

       

      Using APEX 4.2 and Oracle 10g, 11g. Theme 26.

       

      I have an admin page where I can create a record for an application authorization scheme for different purposes, and it all works fine. No issue.

       

      However, I want to use an Active Directory group instead of creating users one by one to control the different tabs and the edit/delete functionality. For example, "Admin Group": if we have 25 people in it, permissions are granted to all group members, so I do not need to create them individually. How could I do that using AD, please?


      Thank you.

      RI

        • 1. Re: AD Group for Authorization Scheme
          Irha10

          Any help please!

          • 2. Re: AD Group for Authorization Scheme
            Irha10

            By mistake I clicked "Assumed Answer", but this case is still open. Any help!

            • 4. Re: AD Group for Authorization Scheme
              Kiran Pawar

              Hi Irha10,

              Irha10 wrote:


              Using APEX 4.2 and Oracle 10g, 11g. Theme 26.

              I have an admin page where I can create a record for an application authorization scheme for different purposes, and it all works fine. No issue.

              However, I want to use an Active Directory group instead of creating users one by one to control the different tabs and the edit/delete functionality. For example, "Admin Group": if we have 25 people in it, permissions are granted to all group members, so I do not need to create them individually. How could I do that using AD, please?

                   The following thread has an extensive discussion on how to use AD groups for authentication as well as authorization schemes in Oracle APEX.

                   It also has references to older threads on this topic and to books covering it.

                   Refer: separate authentication and authorization for Active directory groups

               

              Regards,

              Kiran

              • 5. Re: AD Group for Authorization Scheme
                Irha10

                Hi Kiran,

                 

                Thanks for your reply and help.

                 

                I wrote a function and created an Authorization Scheme that calls it (PL/SQL function returning boolean). I am a bit stuck.

                 

                What should I do for a specific group such as ADMIN, so that only members of the ADMIN group can see some tabs?

                I believe I am not supplying the specific GROUP, but I don't know where and how.

                 

                My code is as follows.

                 

                function ldap_authorisation (p_username in varchar2 default null, p_password in varchar2 default null)
                    return boolean is
                    retval              pls_integer;
                    l_attrs             dbms_ldap.string_collection;
                    my_session          dbms_ldap.session;
                    v_server            system_variable.value%type;
                    v_port              system_variable.value%type;
                    v_user_prefix       system_variable.value%type;
                    v_user_suffix       system_variable.value%type;
                    l_message           dbms_ldap.message;
                    l_entry             dbms_ldap.message;
                    l_attr_name         varchar2(256);
                    l_vals              dbms_ldap.string_collection;
                    l_ber_element       dbms_ldap.ber_element;
                    ldap_base           varchar2(256) := 'OU=<base OU>,DC=<dc1>,DC=<dc2>,DC=<dc3>';
                    l_not_authenticated varchar2(100) := 'Incorrect username and/or password';
                    l_not_authorized    varchar2(100) := 'Not authorized for this application';
                    -- Must start as FALSE: with a NULL boolean, "exit when l_authed" never exits
                    -- and "if not l_authed" never runs.
                    l_authed            boolean := false;

                    -- Escape the characters that are special in an LDAP search filter (RFC 4515),
                    -- so a login such as "x)(objectClass=*" cannot rewrite the filter.
                    function escape_filter (p_val in varchar2) return varchar2 is
                    begin
                      return replace(replace(replace(replace(replace(p_val,
                               '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), chr(0), '\00');
                    end escape_filter;

                  begin
                    if p_password is null then
                      return false;
                    end if;

                    dbms_ldap.use_exception := true;   -- every DBMS_LDAP failure raises and lands in the handler below

                    retval := -1;

                    v_server      := get_sys_var ('COMPANY_LDAP_SERVER');
                    v_port        := get_sys_var ('COMPANY_LDAP_PORT');
                    v_user_prefix := get_sys_var ('COMPANY_USER_PREFIX');
                    v_user_suffix := get_sys_var ('COMPANY_USER_SUFFIX');

                    my_session := dbms_ldap.init (v_server, v_port);

                    -- Authenticate: bind as the user with the supplied password.
                    retval := dbms_ldap.simple_bind_s (my_session, v_user_prefix || p_username || v_user_suffix, p_password);

                    -- The session stays bound until the search below is done. (The original unbound
                    -- here and then passed v_server, a host name, where the session handle belongs.)

                    -- Get all "memberOf" attributes
                    l_attrs(1) := 'memberOf';

                    -- Search for the user's entry by sAMAccountName (Windows login)
                    retval := dbms_ldap.search_s( ld       => my_session
                                                , base     => ldap_base
                                                , scope    => dbms_ldap.SCOPE_SUBTREE
                                                , filter   => '(&(objectClass=*)(sAMAccountName=' || escape_filter(p_username) || '))'
                                                , attrs    => l_attrs
                                                , attronly => 0
                                                , res      => l_message );

                    -- There is only one entry, but it still has to be fetched
                    l_entry := dbms_ldap.first_entry( ld  => my_session
                                                    , msg => l_message );

                    -- Get the first attribute of the entry
                    l_attr_name := dbms_ldap.first_attribute( ld        => my_session
                                                            , ldapentry => l_entry
                                                            , ber_elem  => l_ber_element );

                    -- Loop through all "memberOf" attributes
                    while l_attr_name is not null loop

                      -- Get the values of the attribute
                      l_vals := dbms_ldap.get_values( ld        => my_session
                                                    , ldapentry => l_entry
                                                    , attr      => l_attr_name );

                      -- Check the contents of each value (guard: an empty collection has NULL first/last)
                      if l_vals.count > 0 then
                        for i in l_vals.first..l_vals.last loop
                          -- A user gets access to APP 101 when he is assigned to a group whose name contains "APEX_101"
                          l_authed := instr(upper(l_vals(i)), 'APEX_' || v('APP_ID')) > 0;
                          exit when l_authed;
                        end loop;
                      end if;
                      exit when l_authed;

                      l_attr_name := dbms_ldap.next_attribute( ld        => my_session
                                                             , ldapentry => l_entry
                                                             , ber_elem  => l_ber_element );
                    end loop;

                    -- Release the result set and close the session
                    retval := dbms_ldap.msgfree( res => l_message );
                    retval := dbms_ldap.unbind_s( ld => my_session );

                    if not l_authed
                    then -- Username / password were correct, but the user isn't authorised for this application
                      apex_util.set_custom_auth_status ( p_status => l_not_authorized );
                    end if;

                    -- Return Authenticated
                    return l_authed;

                  exception
                    when others then
                      -- Close the session if it was opened (unbind_s itself may raise on an unopened session)
                      begin
                        retval := dbms_ldap.unbind_s( ld => my_session );
                      exception
                        when others then null;
                      end;
                      -- Return NOT Authenticated
                      apex_util.set_custom_auth_status ( p_status => l_not_authenticated );
                      return false;
                  end ldap_authorisation;

                 

                Called as: return ldap_authorisation;

                 

                Please help.

                 

                Kind regards,

                RI
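As an added example (not code from the thread or from any of its participants), the following shows one way to turn the approach in the last post into a group-specific authorization check. Two things in the posted function do not fit an authorization scheme: the scheme is evaluated long after login, so there is no user password to bind with (and a call with no arguments returns FALSE at the first IF), and an INSTR over the whole group DN accepts any group whose DN merely contains the text. This version binds with a read-only service account, looks up the user's direct memberOf values, and compares the leading CN of each group DN exactly. It assumes the thread's get_sys_var helper and <base OU> placeholder, and two assumed system_variable keys, COMPANY_LDAP_BIND_DN and COMPANY_LDAP_BIND_PW, holding the service account credentials.

```plsql
-- Added example, not code from the thread. Assumptions:
--   * get_sys_var() as used in the thread, plus two assumed keys
--     (COMPANY_LDAP_BIND_DN / COMPANY_LDAP_BIND_PW) for a read-only service account;
--   * the <base OU> placeholder is replaced with the real search base.
create or replace function is_ad_group_member (
  p_username in varchar2,    -- sAMAccountName; pass :APP_USER from the scheme
  p_group_cn in varchar2     -- group name (the CN), e.g. 'ADMIN'
) return boolean
is
  l_session  dbms_ldap.session;
  l_retval   pls_integer;
  l_attrs    dbms_ldap.string_collection;
  l_result   dbms_ldap.message;
  l_entry    dbms_ldap.message;
  l_groups   dbms_ldap.string_collection;
  l_rdn      varchar2(512);
  l_member   boolean := false;
  l_base     constant varchar2(256) := 'OU=<base OU>,DC=<dc1>,DC=<dc2>,DC=<dc3>';

  -- RFC 4515 escaping: the login name becomes part of the filter string,
  -- so "x)(objectClass=*" must not be able to rewrite the filter.
  function esc (p in varchar2) return varchar2 is
  begin
    return replace(replace(replace(replace(replace(p,
             '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), chr(0), '\00');
  end esc;
begin
  if p_username is null or p_group_cn is null then
    return false;
  end if;

  dbms_ldap.use_exception := true;   -- any LDAP failure raises and is handled below
  l_session := dbms_ldap.init(get_sys_var('COMPANY_LDAP_SERVER'),
                              to_number(get_sys_var('COMPANY_LDAP_PORT')));

  -- Bind with the service account: an authorization scheme runs after login
  -- and has no user password available to bind with.
  l_retval := dbms_ldap.simple_bind_s(l_session,
                                      get_sys_var('COMPANY_LDAP_BIND_DN'),
                                      get_sys_var('COMPANY_LDAP_BIND_PW'));

  l_attrs(1) := 'memberOf';
  l_retval := dbms_ldap.search_s(
      ld       => l_session,
      base     => l_base,
      scope    => dbms_ldap.SCOPE_SUBTREE,
      filter   => '(&(objectClass=user)(sAMAccountName=' || esc(p_username) || '))',
      attrs    => l_attrs,
      attronly => 0,
      res      => l_result);

  -- Exactly one account must match; zero or several is treated as "not a member".
  if dbms_ldap.count_entries(l_session, l_result) = 1 then
    l_entry  := dbms_ldap.first_entry(l_session, l_result);
    l_groups := dbms_ldap.get_values(l_session, l_entry, 'memberOf');

    -- memberOf holds one DN per direct group, e.g. CN=ADMIN,OU=Groups,DC=example,DC=com.
    -- Compare the leading RDN exactly (case-insensitive) rather than INSTR over the
    -- whole DN, which would also accept CN=ADMIN_READONLY or a group under an OU
    -- named ADMIN. (Group names containing an escaped comma are not handled here.)
    for i in 1 .. l_groups.count loop
      l_rdn := substr(l_groups(i), 1, instr(l_groups(i) || ',', ',') - 1);
      if upper(l_rdn) = 'CN=' || upper(p_group_cn) then
        l_member := true;
        exit;
      end if;
    end loop;
  end if;

  l_retval := dbms_ldap.msgfree(l_result);
  l_retval := dbms_ldap.unbind_s(l_session);
  return l_member;
exception
  when others then
    -- Fail closed: an LDAP error denies access rather than granting it.
    begin
      l_retval := dbms_ldap.unbind_s(l_session);
    exception
      when others then null;   -- session may never have been opened
    end;
    return false;
end is_ad_group_member;
/

-- Authorization scheme "Is ADMIN", type "PL/SQL Function Returning Boolean":
--   return is_ad_group_member(:APP_USER, 'ADMIN');
-- Attach that scheme to the tabs, buttons and processes only ADMIN members may use.
```

Each group you want to gate (ADMIN, EDITOR, and so on) gets its own scheme that calls the function with that group name, and the scheme's evaluation point should be set so that the LDAP round-trip happens once per session rather than on every page view. Two caveats to keep in mind: memberOf lists direct memberships only, so users who reach ADMIN through a nested group are not matched unless the search filter uses Active Directory's chain matching rule (memberOf:1.2.840.113556.1.4.1941:=<group DN>); and if two groups in different OUs share a CN, compare the full group DN instead of the leading RDN.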