4 Replies Latest reply on Apr 28, 2016 12:46 PM by vinny90

    How to create LDAP Group Authentication

    vinny90

      Hi everyone, I have a question. I've successfully configured LDAP for authentication in my APEX application.

      I want to know if it is possible to restrict access to the application to a certain company domain group; I will explain.

      In my company there are 200 users in Active Directory, and now with the LDAP configuration everyone can access my application. In Active Directory there are some groups, "ADMIN-GR", "POWER-GR", etc., and I want to know how to grant access only to "ADMIN-GR" and not to anyone else in the domain. Right now I've configured the LDAP in APEX as DOMAIN\%LDAP_USER%; do I have to change it?

      Is it possible?

      Thanks in advance.

      Best Regards,

      Vincenzo

        • 2. Re: How to create LDAP Group Authentication
          vinny90

          I've successfully created a function under the APEX_05000 schema, which is:


          create or replace FUNCTION ldap_authentication(
            p_username IN VARCHAR2,
            p_password IN VARCHAR2
          )
          RETURN BOOLEAN IS
            l_ldap_host     VARCHAR2(256) := 'my host';
            l_ldap_port     VARCHAR2(256) := '389';
            l_ldap_base     VARCHAR2(256) := 'DC=*,DC=*,DC=*'; -- not needed for the bind itself
            l_dn_prefix     VARCHAR2(100) := 'DOMAIN\'; -- amend as desired

            l_retval        PLS_INTEGER;
            l_session       DBMS_LDAP.session;
          BEGIN
            -- Choose to raise exceptions.
            DBMS_LDAP.use_exception := TRUE;

            -- Connect to the LDAP server.
            l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                        portnum  => l_ldap_port);

            -- Bind as the user. With use_exception = TRUE a wrong password raises an exception,
            -- which is handled below.
            l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                                dn     => l_dn_prefix || p_username,
                                                passwd => p_password);

            -- Authenticated; now authorise. Only the listed accounts may enter.
            -- sAMAccountName is case-insensitive in Active Directory and APEX may hand the
            -- username over in upper case, so compare case-insensitively.
            IF UPPER(p_username) NOT IN ('USER1', 'USER2') THEN
              l_retval := DBMS_LDAP.unbind_s(ld => l_session);
              APEX_UTIL.set_custom_auth_status(p_status => 'NOT IN DOMAIN');
              RETURN FALSE;
            END IF;

            -- Release the LDAP session on the success path too.
            l_retval := DBMS_LDAP.unbind_s(ld => l_session);
            RETURN TRUE;
          EXCEPTION
            WHEN OTHERS THEN
              -- The bind (or the connection) failed: wrong credentials or unreachable server.
              BEGIN
                l_retval := DBMS_LDAP.unbind_s(ld => l_session);
              EXCEPTION
                WHEN OTHERS THEN NULL; -- session may never have been opened
              END;
              APEX_UTIL.set_custom_auth_status(p_status => 'Invalid username or password');
              RETURN FALSE;
          END;


          If I execute it in SQL Developer using user3, it returns NOT IN DOMAIN, so the function is good.

           

          Now I go to APEX and create a custom authentication scheme.
          I've selected the function name 'APEX_05000.ldap_authentication' and saved.
          If I run my application and log in as user3 it tells me NOT IN DOMAIN, but I get this same response also if I log in as user1 or user2.

          Do you have suggestion?

          • 3. Re: How to create LDAP Group Authentication
            Mahmoud_Rabie

            Hi Vincenzo

             

            Did you follow the steps to create ldap_auth in

            Oracle DBA Blog 2.0: Using Active Directory to control Authentication and Authorisation to Apex

             

            ldap_auth searches for a certain string in the group membership attributes of the user.

             

             

            create or replace function ldap_auth (p_username varchar2, p_password varchar2)
            return boolean
            is
              retval PLS_INTEGER;
              l_session dbms_ldap.session;
              l_attrs dbms_ldap.string_collection;
              l_message dbms_ldap.message;
              l_entry dbms_ldap.message;
              l_attr_name varchar2(256);
              l_vals dbms_ldap.string_collection;
              l_ber_element dbms_ldap.ber_element;
              ldap_host varchar2(256) := 'domain-controller';
              ldap_port varchar2(256) := '389'; -- default port
              ldap_base varchar2(256) := 'your-ldap-base';
              l_dn_prefix varchar2(100) := 'YOURDOMAIN\'; -- domain, like 'USERS\'
              l_not_authenticated varchar2(100) := 'Incorrect username and/or password';
              l_not_authorized varchar2(100) := 'Not authorized for this application';
              l_authed  boolean := false; -- NULL would be returned as "not authenticated" with no message

              -- Escape LDAP filter metacharacters (RFC 4515) before the username goes
              -- into the search filter, so a crafted username cannot change the query.
              function escape_filter (p_value varchar2) return varchar2 is
              begin
                return replace(replace(replace(replace(replace(p_value,
                         '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), chr(0), '\00');
              end;
            BEGIN
              -- Raise exceptions on failure
              dbms_ldap.use_exception := true;

              -- Connect to the LDAP server
              l_session := dbms_ldap.init( hostname => ldap_host
              , portnum => ldap_port );

              -- Authenticate the user -- raises an exception on failure
              retval := dbms_ldap.SIMPLE_BIND_S( ld => l_session
              , dn => l_dn_prefix || p_username
              , passwd => p_password );
              -- Once you are here you are authenticated

              -- Get all "memberOf" attributes
              l_attrs(1) := 'memberOf';
              -- Search for the user's entry by sAMAccountName (Windows login)
              retval := dbms_ldap.search_s( ld => l_session
              , base => ldap_base
              , scope  => dbms_ldap.SCOPE_SUBTREE
              , filter => '(&(objectClass=*)(sAMAccountName=' || escape_filter(p_username) || '))'
              , attrs => l_attrs
              , attronly => 0
              , res => l_message );

              -- There is only one entry but still have to access that
              l_entry := dbms_ldap.first_entry( ld => l_session
              , msg => l_message );

              -- Get the first attribute for the entry
              l_attr_name := dbms_ldap.first_attribute( ld => l_session
              , ldapentry => l_entry
              , ber_elem => l_ber_element );

              -- Loop through all returned attributes (only "memberOf" was requested)
              while l_attr_name is not null loop
                -- Get the values of the attribute: one group DN per value.
                -- Note: memberOf lists direct membership only, not nested groups.
                l_vals := dbms_ldap.get_values( ld => l_session
                , ldapentry => l_entry
                , attr => l_attr_name );
                -- Check the contents of each value. instr() is a substring match, so
                -- 'CN=ADMIN-GR' also matches 'CN=ADMIN-GR-TEST'; use the full group DN
                -- (e.g. 'CN=ADMIN-GR,OU=Groups,DC=example,DC=com') for an exact match.
                for i in l_vals.first..l_vals.last loop
                  l_authed := instr(l_vals(i), 'String to look for') > 0;
                  exit when l_authed;
                end loop;
                exit when l_authed;

                l_attr_name := dbms_ldap.next_attribute( ld => l_session
                , ldapentry => l_entry
                , ber_elem => l_ber_element );
              end loop;

              retval := dbms_ldap.unbind_s( ld => l_session );

              if not l_authed
              then -- Although username / password was correct, user isn't authorized for this application
                apex_util.set_custom_auth_status ( p_status => l_not_authorized );
              end if;

              -- Return authenticated AND authorized
              return l_authed;

            EXCEPTION
              when others then
                -- Bind or search failed: return NOT authenticated
                begin
                  retval := dbms_ldap.unbind_s( ld => l_session );
                exception when others then null;
                end;
                apex_util.set_custom_auth_status ( p_status => l_not_authenticated );
                return false;
            END;
            



            Don't forget to put your own values in the following variables:

            ldap_host

            ldap_base

            l_dn_prefix



            Regards

            Mahmoud
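
The approach in Mahmoud's reply (bind as the user, look the account up by sAMAccountName, then check the memberOf values) as an added Python example; it is not part of this thread or of the linked blog. It runs against a constructed in-memory directory (the account names, passwords, group DNs and the EXAMPLE domain are made up for the example), escapes the username before it goes into the search filter, and compares the full group DN rather than a substring, so a group such as ADMIN-GR-TEST does not pass as ADMIN-GR. Usernames are matched case-insensitively, as Active Directory does, which also covers the upper-case username APEX may hand over.

```python
"""Added example (not from the thread): AD group authorization after an LDAP bind.

Mirrors the flow of the ldap_auth function above with a fake directory so it
runs offline: bind as DOMAIN\\user, look the user up by sAMAccountName, then
allow only members of an exact group DN.  The directory contents, group names
and domain below are constructed for the example.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

NOT_AUTHENTICATED = "Incorrect username and/or password"
NOT_AUTHORIZED = "Not authorized for this application"

# RFC 4515 escapes for values embedded in a search filter (backslash first).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Same filter as the PL/SQL above, with the username escaped."""
    return f"(&(objectClass=*)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def normalize_dn(dn: str) -> str:
    """Lower-case each RDN and drop whitespace around unescaped commas."""
    return ",".join(part.strip().lower() for part in re.split(r"(?<!\\),", dn))


def substring_member(member_of: Iterable[str], needle: str) -> bool:
    """The instr()-style check: true if the group name appears anywhere in a DN."""
    return any(needle in dn for dn in member_of)


def is_member(member_of: Iterable[str], allowed_group_dns: Iterable[str]) -> bool:
    """Exact, case-insensitive match on the full group DN (direct membership only)."""
    allowed = {normalize_dn(g) for g in allowed_group_dns}
    return any(normalize_dn(g) in allowed for g in member_of)


class BindError(Exception):
    """Raised by the bind callable when the credentials are rejected."""


BindFn = Callable[[str, str], None]
SearchFn = Callable[[str, List[str]], List[Dict[str, List[str]]]]


def authorize_login(bind: BindFn, search: SearchFn, domain: str, username: str,
                    password: str, allowed_group_dns: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, status). Authentication failure and authorization
    failure get distinct messages, as in the thread."""
    try:
        bind(f"{domain}\\{username}", password)
    except BindError:
        return False, NOT_AUTHENTICATED
    entries = search(user_filter(username), ["memberOf"])
    if len(entries) != 1:  # no (or ambiguous) entry: refuse rather than guess
        return False, NOT_AUTHORIZED
    if is_member(entries[0].get("memberOf", []), allowed_group_dns):
        return True, ""
    return False, NOT_AUTHORIZED


# --- constructed fake directory standing in for the domain controller ---
ADMIN_GROUP = "CN=ADMIN-GR,OU=Groups,DC=example,DC=com"
FAKE_DIRECTORY = {
    "alice": {"password": "correct-horse",
              "memberOf": [ADMIN_GROUP, "CN=POWER-GR,OU=Groups,DC=example,DC=com"]},
    "bob":   {"password": "battery-staple",
              "memberOf": ["CN=ADMIN-GR-TEST,OU=Groups,DC=example,DC=com"]},
}


def fake_bind(dn: str, password: str) -> None:
    # AD accepts DOMAIN\user; the account name part is case-insensitive.
    user = dn.split("\\", 1)[1].lower()
    if FAKE_DIRECTORY.get(user, {}).get("password") != password:
        raise BindError(dn)


def fake_search(filter_str: str, attrs: List[str]) -> List[Dict[str, List[str]]]:
    # Only a well-formed filter for a known account matches (case-insensitively).
    return [{"memberOf": list(rec["memberOf"])}
            for name, rec in FAKE_DIRECTORY.items()
            if user_filter(name).lower() == filter_str.lower()]


def demo(username: str, password: str) -> Tuple[bool, str]:
    return authorize_login(fake_bind, fake_search, "EXAMPLE", username, password, [ADMIN_GROUP])


if __name__ == "__main__":
    for u, p in [("alice", "correct-horse"), ("ALICE", "correct-horse"),
                 ("alice", "wrong"), ("bob", "battery-staple")]:
        print(u, demo(u, p))
```

Running the file prints the decision for each constructed login: alice (in ADMIN-GR) is allowed in either case, a wrong password is reported as not authenticated, and bob, whose only group is ADMIN-GR-TEST, is rejected as not authorized even though the instr()-style substring check would have let him in. To use it against a domain controller, replace fake_bind and fake_search with the bind and search calls of a real LDAP client library.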