How to create LDAP Group Authentication

vinny90

    Hi everyone, I have a question. I've successfully configured LDAP for authentication in my APEX application.

    I want to know if it is possible to restrict access to the application to a certain company domain group; I will explain.

    In my company there are 200 users in Active Directory, and now with the LDAP configuration everyone can access my application. In Active Directory there are some groups, "ADMIN-GR", "POWER-GR", etc., and I want to know how to grant access only to "ADMIN-GR" and to no one else in the domain. Currently I've configured the LDAP in APEX as DOMAIN\%LDAP_USER%; do I have to change it?

    Is it possible?

    Thanks in advance.

    Best Regards,

    Vincenzo

      • 2. Re: How to create LDAP Group Authentication
        vinny90

        I've successfully created a function under the APEX_05000 schema that is:

         

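        create or replace FUNCTION ldap_authentication(
          p_username IN VARCHAR2,
          p_password IN VARCHAR2
        )
        RETURN BOOLEAN IS
          -- APEX custom authentication function.
          -- 1. Simple-binds to the LDAP server as DOMAIN\p_username with p_password
          --    (DBMS_LDAP raises when the credentials are rejected).
          -- 2. Only then checks the login against a fixed allow-list.
          -- Returns TRUE when both steps pass. On every other path the LDAP session
          -- is released, a status is set for the APEX login page and FALSE is returned.
          -- NOTE(review): a hard-coded allow-list cannot express "members of ADMIN-GR";
          -- a memberOf lookup after the bind is the usual replacement.
          l_ldap_host     VARCHAR2(256) := 'my host';
          l_ldap_port     VARCHAR2(256) := '389';
          l_dn_prefix     VARCHAR2(100) := 'DOMAIN\'; -- Amend as desired.
          l_retval        PLS_INTEGER;
          l_session       DBMS_LDAP.session;
          l_open          BOOLEAN := FALSE; -- TRUE while l_session still has to be unbound
        BEGIN
          -- Report LDAP failures as exceptions instead of return codes.
          DBMS_LDAP.use_exception := TRUE;

          -- Connect to the LDAP server.
          l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                      portnum  => l_ldap_port);
          l_open := TRUE;

          -- Authenticate: raises on a wrong user name or password.
          l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                              dn     => l_dn_prefix || p_username,
                                              passwd => p_password);

          -- The bind result is all we need from the server; release the handle on
          -- every outcome (the original only unbound on the rejection path).
          l_retval := DBMS_LDAP.unbind_s(ld => l_session);
          l_open := FALSE;

          -- AD accepts the logon name in any case, and APEX may hand the name over
          -- in a different case than typed, so compare case-insensitively.
          IF UPPER(p_username) NOT IN ('USER1', 'USER2') THEN
            -- Valid credentials, but not an allowed login.
            APEX_UTIL.set_custom_auth_status(p_status => 'NOT IN DOMAIN');
            RETURN FALSE;
          END IF;

          -- Bound successfully and on the allow-list.
          RETURN TRUE;
        EXCEPTION
          WHEN OTHERS THEN
            -- init or bind failed. Free the session if it was opened, then report a
            -- generic failure rather than surfacing the raw LDAP error to the user.
            IF l_open THEN
              BEGIN
                l_retval := DBMS_LDAP.unbind_s(ld => l_session);
              EXCEPTION
                WHEN OTHERS THEN NULL; -- best effort: the handle is unusable anyway
              END;
            END IF;
            APEX_UTIL.set_custom_auth_status(p_status => 'Invalid username or password');
            RETURN FALSE;
        END;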

         

         

         

        and if I try to execute it in SQL Developer using user3, it returns NOT IN DOMAIN, so the function is good.

         

        Now I go to APEX and I've created a custom Authentication Scheme.

        I've entered the function name 'APEX_05000.ldap_authentication' and saved.

        If I run my application and use user3 to log in, it says NOT IN DOMAIN, but I get the same response even if I use user1 or user2.

        Do you have any suggestions?

        • 3. Re: How to create LDAP Group Authentication
          Mahmoud_Rabie

          Hi Vincenzo

           

          Did you follow the steps to create ldap_auth in

          Oracle DBA Blog 2.0: Using Active Directory to control Authentication and Authorisation to Apex

           

          ldap_auth searches for a certain string in the group membership attributes of the user.

           

           

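          create or replace function ldap_auth (p_username varchar2,p_password varchar2)
          return boolean
          is
            -- APEX custom authentication function: simple-bind as YOURDOMAIN\p_username,
            -- then look the account up by sAMAccountName and require one of its
            -- "memberOf" group DNs to contain l_required_group.
            -- Returns true only when bind and group check both pass; otherwise the
            -- session is released, an APEX status is set and false is returned.
            -- (As posted, the function had no RETURN type and no RETURN statements,
            -- so it could not be compiled or used as an authentication function.)
            retval PLS_INTEGER;
            l_session dbms_ldap.session;
            l_attrs dbms_ldap.string_collection;
            l_message dbms_ldap.message;
            l_entry dbms_ldap.message;
            l_attr_name varchar2(256);
            l_vals dbms_ldap.string_collection;
            l_ber_element dbms_ldap.ber_element;
            ldap_host varchar2(256) := 'domain-controller';
            ldap_port varchar2(256) := '389'; -- default port
            ldap_base varchar2(256) := 'your-ldap-base';
            l_dn_prefix varchar2(100) := 'YOURDOMAIN\'; -- domain, like 'USERS\'
            -- Text that must occur in a memberOf value (a group DN such as
            -- "CN=ADMIN-GR,OU=...,DC=..."). Include the trailing comma, e.g.
            -- 'CN=ADMIN-GR,', so that a group named ADMIN-GR2 does not also match.
            l_required_group varchar2(256) := 'String to look for';
            l_not_authenticated varchar2(100) := 'Incorrect username and/or password';
            l_not_authorized varchar2(100) := 'Not authorized for this application';
            l_authed boolean := false; -- explicit false: an account with no memberOf must not pass
            l_open boolean := false;   -- true while l_session still has to be unbound

            -- Escape the RFC 4515 filter metacharacters so the login name is matched
            -- literally and cannot change the shape of the search filter.
            function escape_filter_value (p_value varchar2) return varchar2 is
            begin
              return replace(replace(replace(replace(replace(p_value,
                       '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), chr(0), '\00');
            end escape_filter_value;
          BEGIN
            -- Raise exceptions on failure
            dbms_ldap.use_exception := true;

            -- Connect to the LDAP server
            l_session := dbms_ldap.init( hostname => ldap_host
            , portnum => ldap_port );
            l_open := true;

            -- Authenticate the user -- raises an exception on failure
            retval := dbms_ldap.SIMPLE_BIND_S( ld => l_session
            , dn => l_dn_prefix || p_username
            , passwd => p_password );
            -- Once you are here you are authenticated

            -- Look the account up by its sAMAccountName (Windows login) and fetch
            -- only its "memberOf" attribute
            l_attrs(1) := 'memberOf';
            retval := dbms_ldap.search_s( ld => l_session
            , base => ldap_base
            , scope => dbms_ldap.SCOPE_SUBTREE
            , filter => '(&(objectClass=*)(sAMAccountName=' || escape_filter_value(p_username) || '))'
            , attrs => l_attrs
            , attronly => 0
            , res => l_message );

            -- A bound account normally yields exactly one entry; guard anyway so an
            -- empty result is treated as "not authorized" instead of an error
            if dbms_ldap.count_entries( ld => l_session, msg => l_message ) > 0 then
              l_entry := dbms_ldap.first_entry( ld => l_session, msg => l_message );

              -- Get the first attribute of the entry
              l_attr_name := dbms_ldap.first_attribute( ld => l_session
              , ldapentry => l_entry
              , ber_elem => l_ber_element );

              -- Walk every returned attribute (only memberOf was requested) and
              -- every value of it until the required group text is found
              while l_attr_name is not null and not l_authed loop
                l_vals := dbms_ldap.get_values( ld => l_session
                , ldapentry => l_entry
                , attr => l_attr_name );
                -- FOR over first..last fails on an empty collection, hence the guard
                if l_vals.count > 0 then
                  for i in l_vals.first .. l_vals.last loop
                    l_authed := instr(l_vals(i), l_required_group) > 0;
                    exit when l_authed;
                  end loop;
                end if;
                l_attr_name := dbms_ldap.next_attribute( ld => l_session
                , ldapentry => l_entry
                , ber_elem => l_ber_element );
              end loop;
            end if;

            retval := dbms_ldap.unbind_s( ld => l_session );
            l_open := false;

            if not l_authed then
              -- Username / password were correct, but the user is not in the required group
              apex_util.set_custom_auth_status( p_status => l_not_authorized );
              return false;
            end if;

            -- Authenticated and member of the required group
            return true;
          EXCEPTION
            when others then
              -- Bind or search failed: free the session if it was opened and report
              -- a generic failure without the LDAP error text
              if l_open then
                begin
                  retval := dbms_ldap.unbind_s( ld => l_session );
                exception
                  when others then null; -- best effort: the handle is unusable anyway
                end;
              end if;
              apex_util.set_custom_auth_status( p_status => l_not_authenticated );
              return false;
          END;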
          



          Don't forget to put your own values for the following variables:

          ldap_host

          ldap_base

          l_dn_prefix



          Regards

          Mahmoud