54 replies. Latest reply: Apr 15, 2009 3:32 PM by 610880

LDAP Setup - How ?

373501 Newbie
I'm struggling with the LDAP setup, and so far have only been able to receive the "Invalid Credentials" message. I've got the right port, server, and I think I have the correct DN string, using %LDAP_USER%, but I still cannot get it to work.

Does anyone have a working setup ?

I'm NOT an LDAP person, and have very limited knowledge of how it works, so be kind. ;O)
  • 1. Re: LDAP Setup - How ?
    373501 Newbie
    I guess I should specify that I'm trying to do just simple authentication. (One less password to maintain). My String for the ldap server looks like this:

    CN=%LDAP_USER%,OU=Hrusers,DC=ad,DC=fgfield,DC=com

    Also, one question about the built in LDAP testing tool. Is the username and password on there meant to be the LDAP administrator password ? or can any valid LDAP user name be tested. Thanks!
  • 2. Re: LDAP Setup - How ?
    60437 Employee ACE
    Ken,

    When your application's login page calls the HTML DB login API with a username and password, the HTML DB engine calls the credentials verification method specified in the application's current authentication scheme. You can implement this method yourself as a PL/SQL function returning boolean and put it in your application's schema. This allows you to perform username/password verification however you like (your own tables, LDAP lookup, 3rd-party API, etc.). As a convenience, HTML DB offers some built-in credentials verification methods. One of those uses DBMS_LDAP to access the LDAP directory that you specify in the authentication scheme attributes. You can use this method if:

    1. There is an LDAP directory accessible from the server that hosts your HTML DB instance, and
    2. The LDAP directory has entries that correlate usernames with passwords, and
    3. The LDAP directory can be accessed as shown using this PL/SQL, which you can run from SQL*Plus:
           set serveroutput on
           declare
               l_dn            varchar2(256) := 'CN=TEST_USER,OU=Hrusers,DC=ad,DC=fgfield,DC=com'; -- adjust as required
               l_password      varchar2(256) := 'TEST_PASSWORD'; -- adjust as required
               l_ldap_host     varchar2(256) := 'MY_LDAP_HOST'; -- adjust as required
               l_ldap_port     number        := 389; -- adjust as required; 389 is plain LDAP, so the bind password crosses the network in cleartext
               l_retval        pls_integer;
               l_session       dbms_ldap.session;
               l_initialized   boolean := false; -- set once init succeeds, so unbind is only attempted on a valid session
           begin
               l_retval                := -1;
               dbms_ldap.use_exception := TRUE; -- DBMS_LDAP errors are raised as exceptions instead of returned as codes
               begin
                   l_session     := dbms_ldap.init( l_ldap_host, l_ldap_port );
                   l_initialized := true;
                   l_retval      := dbms_ldap.simple_bind_s( l_session, l_dn, l_password );
                   l_retval      := dbms_ldap.unbind_s( l_session );
                   dbms_output.put_line('Authentication succeeded!');
               exception when others then
                   -- show the real error; if init itself failed there is no session to unbind,
                   -- and unbinding it would only raise ORA-31204 (Invalid LDAP Session) on top
                   dbms_output.put_line('Authentication failed! ' || sqlerrm);
                   if l_initialized then
                       l_retval := dbms_ldap.unbind_s( l_session );
                   end if;
               end;
           exception when others then
                   dbms_output.put_line('Authentication exception! ' || sqlerrm);
           end;
           /
    If this code doesn't show 'Authentication succeeded!', ask your admin if the LDAP directory can be set up to allow username/password verification using this interface. If so, you can use HTML DB's built-in LDAP support in your authentication scheme. If not, you still may be able to use an LDAP directory for authentication, but you'll have to write a PL/SQL wrapper function to access LDAP according to your installation's interface requirements. You can then use the function that you write as the 'Authentication Function' attribute of your authentication scheme using the syntax: return function_name;

    Note: You must already have run catldap in your database to create the LDAP packages. If in doubt, please read your HTMLDB installation file: doc/ldap.html.

    The LDAP test tool works just like the login page of your application would. The username and password you enter will be used exactly as shown in the sample code above.

    -Scott
  • 3. Re: LDAP Setup - How ?
    373501 Newbie
    Scott,

    Thank you very much for the PL/SQL, and the setup notes. I've got everything installed and setup correctly, however, I think I might have a setup issue with something... I get this message when trying to call the ldap.init function:

    Authentication exception: ORA-31204: DBMS_LDAP: PL/SQL - Invalid LDAP Session.

    I have verified that the LDAP server and port are correct, and that everything is installed and compiled. Any suggestions on what I could try next ?

    Thank you very much.
  • 4. Re: LDAP Setup - How ?
    60437 Employee ACE
    Ken,
    If you're sure you have the correct host and port, make sure you can ping the ldap host.
    -Scott
  • 5. Re: LDAP Setup - How ?
    373501 Newbie
    I can ping the host. I'm pretty sure the port is the default 389. Something else I can check ? Anything that I need to do with the database config ?
  • 6. Re: LDAP Setup - How ?
    373501 Newbie
    I'm not sure if it makes a difference, but we are using Microsoft's Active Directory for the LDAP. The info I was sent from the network people looks something like this:

    LDAP://1.2.3.4/OU=Hrusers,DC=ad,DC=fgfield,DC=com

    I can ping the box, and I do use this LDAP for other application authentication.
  • 7. Re: LDAP Setup - How ?
    60437 Employee ACE
    DBMS_LDAP supports non-Oracle LDAP services. You may have to have a DBA hammer this out with your network people. The key thing is to get that anonymous block to work. Once you get to that point, you can use that LDAP directory with Oracle HTML DB.
    -Scott
  • 8. Re: LDAP Setup - How ? - Again
    425960 Newbie
    I hate to beat a dead horse here, but...

    We are trying to create a login page and/or authorization scheme based on user accounts in MS Active Directory. I have a "page" that, when submitted, calls a function and passes in user credentials that authenticate to our Microsoft LDAP server. My disconnect is in how to base an authorization scheme on this. When I try to write a function call to create the authorization scheme, I don't know how to include the password for the users. I know that I am missing something crucial.

    We would also like to base authorization on LDAP groups from active directory. Do we need to mirror these groups in OID?
  • 9. Re: LDAP Setup - How ? - Again
    60437 Employee ACE
    James,

    Just so I don't go down the wrong path, please clarify "authentication scheme" vs. "authorization scheme" in your description of what you are trying to do, and what is/is not working for you presently.

    Scott
  • 10. Re: LDAP Setup - How ? - Again
    425960 Newbie
    We are trying to understand how we can use Active Directory LDAP to both authenticate HTML DB users and then provide content-specific authorization based on users' Active Directory group membership. So... a user would log into the HTML DB app via an LDAP login. We would then search LDAP for their group memberships, and then apply the correct authorization to certain content based on group membership. I have written a page that, when submitted, will execute the PL/SQL to authenticate with LDAP, and I am working on the code to search for attributes, including group membership, but I do not know how to construct the authentication and/or authorization structures within the HTML DB environment based on the outcome of the PL/SQL function.
  • 11. Re: LDAP Setup - How ? - Again
    60437 Employee ACE
    James,

    Let's focus on authentication first. I assume you have a login page in the app. Create a new authentication scheme based on the LDAP model (follow the wizard). Edit the scheme, changing the authentication function from -LDAP- to: return function_name;, giving the name of a function in your schema which does the LDAP authentication. This function must have the signature (p_username in varchar2, p_password in varchar2) return boolean. Null out any other LDAP-related fields in this new authentication scheme and make sure it points to the login page in your app for the Invalid Session Page attribute. Save changes and then make this the current scheme. Your login page is already set up to call the HTML DB login API, and because your authentication scheme specifies an authentication function, that's what it will use to check credentials when the login page which captured username and password is submitted. If the credentials check out, the login API will redirect to the page specified in the login page's login process' p_flow_page argument, e.g., p_flow_page=>&APP_ID.:1, for page 1. Change this page ID as required.

    Authorization schemes are simpler. They will probably be of type PL/SQL function returning boolean which will use the current value of :APP_USER to consult the LDAP directory for specific information. After creating the schemes, you can attach them to whatever components you need to, e.g., regions, buttons, processes.

    Scott
  • 12. Re: LDAP Setup - How ? - Again
    425960 Newbie
    Ok... I set up the authorization scheme. The authentication function is "return hr.util_ldap.connectAuthenticate(:P101_USERNAME,:P101_PASSWORD)". I made the new scheme current and it uses the 101 page for login. When I run the login page 101 I get the error:

    ORA-01008: not all variables bound, Location: f?p=108:101:9788789130766578718&notification_msg=Invalid%20Login%20Credentials

  • 13. Re: LDAP Setup - How ? - Again
    60437 Employee ACE
    Authentication, not authorization.

    Specify return hr.util_ldap.connectAuthenticate in the function field. The arguments will get bound based on the assumed signature.

    Scott
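    The following is an added example, written for this thread rather than taken from it or from HTML DB itself, of what the function named in replies 11 and 13 can look like: a package with an authentication function of the exact signature HTML DB binds to (p_username, p_password) return boolean, plus an authorization function that checks Active Directory group membership for :APP_USER. It assumes the host, base DN and DN template from earlier in the thread, a hypothetical read-only service account (htmldb_svc) for the group lookup, since at authorization time the user's password is no longer available, and a placeholder group DN. The CN=<username> bind template only works where CN equals the login name in your directory; Active Directory also accepts user@domain as the bind name for a simple bind, which is often the easier choice.

```plsql
-- Added example; not code from the thread or from HTML DB.
-- Host, base DN, service account and group DN are placeholders to adjust.
create or replace package util_ldap as
    -- Exact signature HTML DB expects for an authentication function
    function authenticate(p_username in varchar2, p_password in varchar2) return boolean;
    -- For an authorization scheme of type "PL/SQL function returning boolean"
    function is_member_of(p_username in varchar2, p_group_dn in varchar2) return boolean;
end util_ldap;
/
create or replace package body util_ldap as
    c_host   constant varchar2(256) := 'MY_LDAP_HOST';                        -- assumption
    c_port   constant pls_integer   := 389;                                   -- plain LDAP: passwords cross the wire in cleartext
    c_base   constant varchar2(256) := 'OU=Hrusers,DC=ad,DC=fgfield,DC=com';  -- from the thread
    -- Read-only account for group lookups (hypothetical). Load the password from a
    -- protected table or wallet in a real deployment instead of hardcoding it.
    c_svc_dn constant varchar2(256) := 'CN=htmldb_svc,OU=Service,DC=ad,DC=fgfield,DC=com';
    c_svc_pw constant varchar2(256) := 'CHANGE_ME';

    -- Escape the characters RFC 4515 reserves in a search filter value, so a
    -- username such as '*)(objectClass=*' cannot widen the search.
    function escape_filter(p_value in varchar2) return varchar2 is
        l_out varchar2(4000) := p_value;
    begin
        l_out := replace(l_out, '\', '\5c');
        l_out := replace(l_out, '*', '\2a');
        l_out := replace(l_out, '(', '\28');
        l_out := replace(l_out, ')', '\29');
        l_out := replace(l_out, chr(0), '\00');
        return l_out;
    end escape_filter;

    procedure close_session(p_session in out dbms_ldap.session) is
        l_retval pls_integer;
    begin
        l_retval := dbms_ldap.unbind_s(p_session);
    exception when others then
        null;  -- session was never valid; nothing to release
    end close_session;

    function authenticate(p_username in varchar2, p_password in varchar2) return boolean is
        l_session dbms_ldap.session;
        l_retval  pls_integer;
    begin
        -- Refuse empty passwords before touching the directory: RFC 4513 treats a
        -- bind with a name and an empty password as an unauthenticated bind, and
        -- Active Directory accepts it, so simple_bind_s would report success.
        if p_password is null then
            return false;
        end if;
        -- Only build a DN from usernames made of characters that cannot alter it
        if not regexp_like(p_username, '^[[:alnum:]._ -]{1,64}$') then
            return false;
        end if;
        dbms_ldap.use_exception := true;
        l_session := dbms_ldap.init(c_host, c_port);
        begin
            l_retval := dbms_ldap.simple_bind_s(l_session, 'CN=' || p_username || ',' || c_base, p_password);
            close_session(l_session);
            return true;
        exception when others then
            close_session(l_session);  -- ORA-31202 "Invalid credentials" lands here
            return false;
        end;
    exception when others then
        return false;  -- directory unreachable: fail closed rather than let the login through
    end authenticate;

    function is_member_of(p_username in varchar2, p_group_dn in varchar2) return boolean is
        l_session dbms_ldap.session;
        l_retval  pls_integer;
        l_attrs   dbms_ldap.string_collection;
        l_result  dbms_ldap.message;
        l_filter  varchar2(4000);
        l_count   pls_integer := 0;
    begin
        dbms_ldap.use_exception := true;
        l_session := dbms_ldap.init(c_host, c_port);
        begin
            l_retval   := dbms_ldap.simple_bind_s(l_session, c_svc_dn, c_svc_pw);
            l_attrs(1) := 'cn';
            -- Match the AD logon name (sAMAccountName) and direct membership of the
            -- group. For nested groups AD supports the chained matching rule
            -- memberOf:1.2.840.113556.1.4.1941:= in place of memberOf=.
            l_filter := '(&(sAMAccountName=' || escape_filter(p_username) || ')'
                     || '(memberOf=' || escape_filter(p_group_dn) || '))';
            l_retval := dbms_ldap.search_s(l_session, c_base, dbms_ldap.SCOPE_SUBTREE,
                                           l_filter, l_attrs, 0, l_result);
            l_count  := dbms_ldap.count_entries(l_session, l_result);
            l_retval := dbms_ldap.msgfree(l_result);
            close_session(l_session);
            return l_count > 0;
        exception when others then
            close_session(l_session);
            return false;
        end;
    exception when others then
        return false;  -- fail closed
    end is_member_of;
end util_ldap;
/
```

    With this in place, the authentication scheme's function field reads "return util_ldap.authenticate;" (no arguments, as reply 13 says; HTML DB binds them from the assumed signature), and an authorization scheme of type PL/SQL function returning boolean can use "return util_ldap.is_member_of(:APP_USER, 'CN=HR-Managers,OU=Groups,DC=ad,DC=fgfield,DC=com');", where the group DN is a placeholder to replace with the real one.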
  • 14. Re: LDAP Setup - How ? - Again
    425960 Newbie
    Ok... you're right... authentication scheme. I changed the function to read "return hr.util_ldap.connectAuthenticate". I make the scheme current and have it use the current login page 101. I now get the errors:
    ORA-06550: line 2, column 8: PLS-00306: wrong number or types of arguments in call to 'CONNECTAUTHENTICATE' ORA-06550: line 2, column 1: PL/SQL: Statement ignored

    Do I need to remove the default login process from this 101 page?