4 Replies Latest reply on Apr 28, 2016 12:46 PM by vinny90

    How to create LDAP Group Authentication


      Hi everyone, I have a question. I've successfully configured LDAP for authentication in my APEX application.

      I want to know if it is possible to configure access to the application only for a certain company domain group; I will explain.

      In my company there are 200 users in Active Directory and now, with the LDAP configuration, everyone can access my application. In Active Directory there are some groups, "ADMIN-GR", "POWER-GR" etc., and I want to know how to grant access only to "ADMIN-GR" and not to anyone else in the domain. Now I've configured the LDAP in APEX as DOMAIN\%LDAP_USER%; do I have to change it?

      Is it possible?

      Thanks in advance.

      Best Regards,


        • 2. Re: How to create LDAP Group Authentication

          I've successfully created a function under the APEX_05000 schema, which is:


          create or replace FUNCTION ldap_authentication(
            p_username IN VARCHAR2,
            p_password IN VARCHAR2)
            RETURN BOOLEAN
          IS
            l_ldap_host     VARCHAR2(256) := 'my host';
            l_ldap_port     VARCHAR2(256) := '389';
            l_ldap_base     VARCHAR2(256) := 'DC=*,DC=*,DC=*';
            l_dn_prefix     VARCHAR2(100) := 'DOMAIN\'; -- Amend as desired.

            l_retval        PLS_INTEGER;
            l_session       DBMS_LDAP.session;
          BEGIN
            -- Choose to raise exceptions.
            DBMS_LDAP.use_exception := TRUE;

            -- Connect to the LDAP server.
            l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                        portnum  => l_ldap_port);

            -- Bind as the user. An exception here means authentication failed.
            l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                                dn     => l_dn_prefix || p_username,
                                                passwd => p_password);

            -- Authorisation: only the listed accounts may use the application.
            -- Compared in lower case so the check does not depend on the case
            -- in which the login form hands the username over.
            IF lower(p_username) NOT IN ('user1', 'user2') THEN
              l_retval := DBMS_LDAP.unbind_s(ld => l_session);
              APEX_UTIL.set_custom_auth_status(p_status => 'NOT IN DOMAIN');
              RETURN FALSE;
            END IF;

            -- No exception from the bind and the user is on the list: authenticated.
            l_retval := DBMS_LDAP.unbind_s(ld => l_session);
            RETURN TRUE;
          END ldap_authentication;







          If I try to execute it in SQL Developer using user3, it returns NOT IN DOMAIN, so the function is good.


          Now I go to APEX and I've created a custom Authentication scheme.

          I've selected the function name 'APEX_05000.ldap_authentication' and saved.

          If I run my application and use user3 to log in, it says NOT IN DOMAIN, but this response is also given to me if I use user1 or user2.

          Do you have a suggestion?

          • 3. Re: How to create LDAP Group Authentication

            Hi Vincenzo


            Did you follow the steps to create ldap_auth in

            Oracle DBA Blog 2.0: Using Active Directory to control Authentication and Authorisation to Apex


            ldap_auth searches for a certain string in the group membership attributes of the user.



            create or replace function ldap_auth (p_username varchar2, p_password varchar2)
              return boolean
            is
              retval              pls_integer;
              l_session           dbms_ldap.session;
              l_attrs             dbms_ldap.string_collection;
              l_message           dbms_ldap.message;
              l_entry             dbms_ldap.message;
              l_attr_name         varchar2(256);
              l_vals              dbms_ldap.string_collection;
              l_ber_element       dbms_ldap.ber_element;
              ldap_host           varchar2(256) := 'domain-controller';
              ldap_port           varchar2(256) := '389'; -- default port
              ldap_base           varchar2(256) := 'your-ldap-base';
              l_dn_prefix         varchar2(100) := 'YOURDOMAIN\'; -- domain, like 'USERS\'
              l_not_authenticated varchar2(100) := 'Incorrect username and/or password';
              l_not_authorized    varchar2(100) := 'Not authorized for this application';
              l_authed            boolean := false;
              l_memberof          dbms_ldap.string_collection;
            begin
              -- Raise exceptions on failure
              dbms_ldap.use_exception := true;
              -- Connect to the LDAP server
              l_session := dbms_ldap.init( hostname => ldap_host
                                         , portnum  => ldap_port );
              -- Authenticate the user -- raises an exception on failure
              retval := dbms_ldap.simple_bind_s( ld     => l_session
                                               , dn     => l_dn_prefix || p_username
                                               , passwd => p_password );
              -- Once you are here you are authenticated
              -- Get all "memberOf" attributes
              l_attrs(1) := 'memberOf';
              -- Search for the user's entry by sAMAccountName (Windows login).
              -- Note: p_username goes into the filter unescaped, so only allow it to
              -- contain the characters a login may legitimately contain.
              retval := dbms_ldap.search_s( ld       => l_session
                                          , base     => ldap_base
                                          , scope    => dbms_ldap.scope_subtree
                                          , filter   => '(&(objectClass=*)(sAMAccountName=' || p_username || '))'
                                          , attrs    => l_attrs
                                          , attronly => 0
                                          , res      => l_message );
              -- There is only one entry but we still have to access it
              l_entry := dbms_ldap.first_entry( ld => l_session, msg => l_message );
              -- Get the first attribute of the entry
              l_attr_name := dbms_ldap.first_attribute( ld        => l_session
                                                      , ldapentry => l_entry
                                                      , ber_elem  => l_ber_element );
              -- Loop through all "memberOf" attributes
              while l_attr_name is not null loop
                -- Get the values of the attribute (each value is a group DN)
                l_vals := dbms_ldap.get_values( ld        => l_session
                                              , ldapentry => l_entry
                                              , attr      => l_attr_name );
                -- Check the contents of each value; guard against an attribute with no values
                if l_vals.count > 0 then
                  for i in l_vals.first .. l_vals.last loop
                    l_authed := instr(l_vals(i), 'String to look for') > 0;
                    exit when l_authed;
                  end loop;
                end if;
                exit when l_authed;
                l_attr_name := dbms_ldap.next_attribute( ld        => l_session
                                                       , ldapentry => l_entry
                                                       , ber_elem  => l_ber_element );
              end loop;
              retval := dbms_ldap.unbind_s( ld => l_session );
              if not l_authed then
                -- Although username / password were correct, the user isn't authorised for this application
                apex_util.set_custom_auth_status( p_status => l_not_authorized );
              end if;
              -- Return the result: authenticated and authorised, or not
              return l_authed;
            exception
              when others then
                retval := dbms_ldap.unbind_s( ld => l_session );
                -- Return NOT authenticated
                apex_util.set_custom_auth_status( p_status => l_not_authenticated );
                return false;
            end ldap_auth;

            Don't forget to put your own values in the following variables:
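An added example, not part of this thread or of the blog's ldap_auth, written in Python so it can be run offline against constructed data. It covers two points a reviewer would raise about the function above: the search filter is built by concatenating the login into a string, so the value should be escaped per RFC 4515 before it is used; and membership is tested with instr(), a substring match, whereas comparing the whole group DN avoids matching an unrelated group whose name merely contains the wanted string. The domain, group DNs and accounts are all constructed sample values, and the escaping and DN-comparison helpers are mine, not DBMS_LDAP's.

```python
"""Authorisation checks on an account's memberOf values (added example).

Constructed data only: no directory is contacted.
"""

# RFC 4515 section 3: characters that must be escaped in a filter assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Same filter shape as ldap_auth uses, with the login value escaped."""
    return "(&(objectClass=*)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def _normalise_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim spaces around RDN separators, lower-case.

    Sufficient for the sample group DNs here, which contain no escaped commas.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def authorised_by_substring(member_of, needle: str) -> bool:
    """What ldap_auth does: instr(value, needle) > 0 on each memberOf value."""
    return any(needle in dn for dn in member_of)


def authorised_by_group_dn(member_of, allowed_group_dn: str) -> bool:
    """Exact match on the full group DN (case-insensitive, whitespace-normalised)."""
    wanted = _normalise_dn(allowed_group_dn)
    return any(_normalise_dn(dn) == wanted for dn in member_of)


# Constructed sample: memberOf values as a directory would return them for three accounts.
ADMIN_GROUP = "CN=ADMIN-GR,OU=Groups,DC=example,DC=corp"
SAMPLE_ACCOUNTS = {
    "user1": [ADMIN_GROUP, "CN=Domain Users,CN=Users,DC=example,DC=corp"],
    "user2": ["CN=POWER-GR,OU=Groups,DC=example,DC=corp"],
    # Member only of a different group whose DN happens to contain "ADMIN-GR".
    "user3": ["CN=ADMIN-GR-READONLY,OU=Groups,DC=example,DC=corp"],
}


def decide(sam_account_name: str) -> dict:
    """Run both checks for one account and return the outcomes side by side.

    sAMAccountName matching in AD is case-insensitive, so the sample table is
    keyed in lower case and the lookup lower-cases the login.
    """
    groups = SAMPLE_ACCOUNTS.get(sam_account_name.lower(), [])
    return {
        "filter": build_user_filter(sam_account_name),
        "substring_match": authorised_by_substring(groups, "ADMIN-GR"),
        "group_dn_match": authorised_by_group_dn(groups, ADMIN_GROUP),
    }


if __name__ == "__main__":
    for account in ("user1", "user2", "user3"):
        print(account, decide(account))
```

Running it shows user1 accepted by both checks, user2 rejected by both, and user3 accepted only by the substring check; in ldap_auth the equivalent change is to compare each memberOf value against the full DN of the intended group rather than calling instr() on a fragment of it.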