Skip to Main Content
Forums

APEX

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

LDAP Authentications across multiple OU groups

SleepDeprivedInSeattleNov 3 2010 — edited Dec 13 2010
I am trying to get LDAP Authentication to work in APEX. I have gotten really close. Except the wonderful system administrators who set up my LDAP put all the users in their own specific Organizational Units (OU). So I don't know what OU to pass to LDAP.

For example:
users A, B, and C are part of ou=Admins, ou=Power Users
users D, E, and F are part of ou=Admins, ou=Simple Users
users G, H and I are part of ou=Desktop, ou=Friendly Users

How can I tell LDAP to search all the ou containers when user G wants to sign in?

Thank you in advance.

Comments

Udo
Hello,

if searching the whole domain (dn) doesn't work, you're probably at the end of what you can do just by using APEX's LDAP API. The database offers a more comprehensive API with DBMS_LDAP, which can be used to build your own authentication function: 
create or replace
FUNCTION ldapAuth( p_username IN VARCHAR2, 
                                     p_password IN VARCHAR2 )
RETURN boolean
IS
  l_ldap_host    VARCHAR2(256) :='myldaphost';
  l_ldap_port    VARCHAR2(256) :='389';
  l_ldap_user    VARCHAR2(256) :='cn=ldaptechuser,ou=ldapadmins,dn=mydomain,dc=com';
  l_ldap_passwd  VARCHAR2(256) :='techpassword';
  l_ldap_base    VARCHAR2(256) :='dn=mydomain,dc=com';
  l_ldap_filter  VARCHAR2(256);
  l_ldap_session DBMS_LDAP.SESSION;
  l_retval       PLS_INTEGER;
  l_num_entries  PLS_INTEGER;
  l_attributes   DBMS_LDAP.STRING_COLLECTION;
  l_message      DBMS_LDAP.MESSAGE;
  l_entry        DBMS_LDAP.MESSAGE;
  l_user_dn      VARCHAR2(2000);
  l_result       PLS_INTEGER;
BEGIN
  l_attributes(1) :='*';
  l_ldap_filter := '(&(objectClass=user)(cn='||p_username||'))';
  
  DBMS_LDAP.USE_EXCEPTION := TRUE;
  
  -- initialize ldap library and get session handle.
  l_ldap_session :=DBMS_LDAP.init(hostname => l_ldap_host,
                                  portnum => l_ldap_port);
  -- bind to the directory
  l_retval := DBMS_LDAP.simple_bind_s(ld => l_ldap_session,
                                      dn => l_ldap_user,
                                      passwd => l_ldap_passwd);
  -- perform search;
  -- base defines the root node for the search
  -- scope defines the search depth (base only, one level, or whole subtree)
  -- filter defines the search string - here a cn-entry matching the value of parameter p_username
  -- attr defines the attributes to be returned
  -- attronly defines if only types shall be returned, or types with values
  -- res defines the variable to store the search results in
  l_retval := DBMS_LDAP.search_s(ld => l_ldap_session,
                                 base => l_ldap_base,
                                 scope => DBMS_LDAP.SCOPE_SUBTREE,
                                 filter => l_ldap_filter,
                                 attrs => l_attributes,
                                 attronly => 0,
                                 res => l_message);
  /* -- if you expect that more than one hit occurs you might want to loop
  -- disable exception, so we could probe multiple users
  DBMS_LDAP.USE_EXCEPTION := FALSE;
  -- determine number of hits
   l_num_entries:=DBMS_LDAP.count_entries(ld => l_ldap_session,
                                          msg => l_message);
  -- found something, iterate
  IF l_num_entries > 0 THEN
    l_entry := DBMS_LDAP.first_entry(ld => l_ldap_session,
                                     msg => l_message);
     WHILE l_entry IS NOT NULL LOOP
     
  */
    -- get dn of the user we found
    l_user_dn := DBMS_LDAP.get_dn(ld => l_ldap_session,
                                  ldapentry => l_message);
    -- try to bind with that user dn and the supplied password    
    l_retval := DBMS_LDAP.simple_bind_s(ld => l_ldap_session,
                                        dn => l_user_dn,
                                        passwd => p_password );
  /* -- Loop bottom; exit loop on success
      IF l_retval=DBMS_LDAP_UTL.SUCCESS THEN EXIT END IF;
      l_entry:=DBMS_LDAP.next_entry(l_session,l_entry);
    END LOOP
    -- enable exception again
    DBMS_LDAP.USE_EXCEPTION := TRUE;    
    */
  IF l_retval=DBMS_LDAP_UTL.SUCCESS THEN
    l_retval := DBMS_LDAP.unbind_s( l_ldap_session );
    RETURN TRUE;
  ELSE
    RETURN FALSE;
  END IF;
    
  EXCEPTION WHEN OTHERS THEN
  -- put some debug logger here if desired
  RETURN FALSE;
END ldapAuth;
There is an example for MS Directory/LAN manager in this message: {message:id=4393640}
For further details, you can take a look into the [url http://download.oracle.com/docs/cd/E14571_01/oid.1111/e10186/dbmsldap_ref.htm]API documentation for DMBS_LDAP.

Hope this helps you get your LDAP authentication running.

-Udo
This is PERFECT. This is exactly what I need it to do. I can run the stored procedure from a page and I get authenticated as I expect.

Now, how do I create a custom authentication using the LDAPAUTH routine instead of the standard canned routine. Page 101 (the login page) calls the wwv_flow_custom_auth_std.login routine.

But on the authentication screen, I add LDAPAUTH(
p_username => p_uname,
p_password => p_password)
to the AUTHENTICATION Function section and I get an error: Error ERR-10460 Unable to run authentication credential check function.

What am I doing wrong? I seem to find lots of suggestions on how to create my own authenitication scheme but no instructions on how to implement it.

Please advise

Oracle 3.2.1.00.10
Oracle 11g

Seattle
Okay - I have gotten really close. I got the LDAP installed. Now, my last step is to get one attribute from the LDAP structure (displayName). But how do I get just the one entry for the single person whose login I have now verified as being accurate? I can use the DBMS_LDAP.simple_bind_s to validate the password.

Nowhere have I found how to search just one item on just one person (especially since I still don't know their OU structure).

Any help (even if it is just a pointer in the right direction) would be appreciated.

Thank you
1 - 3
Locked Post
New comments cannot be posted to this locked post.

Post Details

Locked on Jan 10 2011
Added on Nov 3 2010
#apex, #apex-discussions, #ldap
3 comments
1,275 views