I guess I should specify that I'm trying to do just simple authentication. (One less password to maintain). My String for the ldap server looks like this:
Also, one question about the built-in LDAP testing tool. Are the username and password on there meant to be the LDAP administrator's? Or can any valid LDAP user name be tested? Thanks!
When your application's login page calls the HTML DB login API with a username and password, the HTML DB engine calls the credentials verification method specified in the application's current authentication scheme. You can implement this method yourself as a PL/SQL function returning boolean and put it in your application's schema. This allows you to perform username/password verification however you like (your own tables, LDAP lookup, 3rd-party API, etc.). As a convenience, HTML DB offers some built-in credentials verification methods. One of those uses DBMS_LDAP to access the LDAP directory that you specify in the authentication scheme attributes. You can use this method if:
1. There is an LDAP directory accessible from the server that hosts your HTML DB instance, and
2. The LDAP directory has entries that correlate usernames with passwords, and
3. The LDAP directory can be accessed as shown using this PL/SQL, which you can run from SQL*Plus:
set serveroutput on
declare
    l_retval     pls_integer;
    l_session    dbms_ldap.session;
    l_dn         varchar2(256) := 'CN=TEST_USER,OU=Hrusers,DC=ad,DC=fgfield,DC=com'; -- adjust as required
    l_password   varchar2(256) := 'TEST_PASSWORD'; -- adjust as required
    l_ldap_host  varchar2(256) := 'MY_LDAP_HOST'; -- adjust as required
    l_ldap_port  number := 389; -- adjust as required
begin
    l_retval := -1;
    dbms_ldap.use_exception := TRUE;
    l_session := dbms_ldap.init( l_ldap_host, l_ldap_port );
    l_retval := dbms_ldap.simple_bind_s( l_session, l_dn, l_password );
    dbms_output.put_line( 'Authentication succeeded!' );
    l_retval := dbms_ldap.unbind_s( l_session );
exception when others then
    dbms_output.put_line( 'Authentication exception: ' || sqlerrm );
    -- release the session even on failure; ignore errors from the unbind itself
    begin
        l_retval := dbms_ldap.unbind_s( l_session );
    exception when others then
        null;
    end;
end;
/

If this code doesn't show 'Authentication succeeded!', ask your admin if the LDAP directory can be set up to allow username/password verification using this interface. If so, you can use HTML DB's built-in LDAP support in your authentication scheme. If not, you still may be able to use an LDAP directory for authentication, but you'll have to write a PL/SQL wrapper function to access LDAP according to your installation's interface requirements. You can then use the function that you write as the 'Authentication Function' attribute of your authentication scheme using the syntax: return function_name;
Note: You must already have run catldap in your database to create the LDAP packages. If in doubt, please read your HTMLDB installation file: doc/ldap.html.
The LDAP test tool works just like the login page of your application would. The username and password you enter will be used exactly as shown in the sample code above.
Thank you very much for the PL/SQL and the setup notes. I've got everything installed and set up correctly; however, I think I might have a setup issue with something... I get this message when trying to call the ldap.init function:
Authentication exception: ORA-31204: DBMS_LDAP: PL/SQL - Invalid LDAP Session.
I have verified that the LDAP server and port are correct, and that everything is installed and compiled. Any suggestions on what I could try next?
Thank you very much.
If you're sure you have the correct host and port, make sure you can ping the ldap host.
I can ping the host. I'm pretty sure the port is the default 389. Something else I can check? Anything that I need to do with the database config?
I'm not sure if it makes a difference, but we are using Microsoft's Active Directory for the LDAP. The info I was sent from the network people looks something like this:
I can ping the box, and I do use this LDAP for other application authentication.
DBMS_LDAP supports non-Oracle LDAP services. You may have to have a DBA hammer this out with your network people. The key thing is to get that anonymous block to work. Once you get to that point, you can use that LDAP directory with Oracle HTML DB.
I hate to beat a dead horse here, but...
We are trying to create a login page and/or authorization scheme based on user accounts in MS Active Directory. I have a "page" that when submitted calls a function and passes in user credentials that authenticate to our Microsoft LDAP server. My disconnect is in how to base an authorization scheme on this. When I try to write a function call to create the authorization scheme, I don't know how to include the password for the users. I know that I am missing something crucial.
We would also like to base authorization on LDAP groups from active directory. Do we need to mirror these groups in OID?
Just so I don't go down the wrong path, please clarify "authentication scheme" vs. "authorization scheme" in your description of what you are trying to do, and what is/is not working for you presently.
We are trying to understand how we can use Active Directory LDAP to both authenticate HTML DB users and then provide content-specific authorization based on users' Active Directory group membership. So... a user would log into the HTML DB app via an LDAP login. We would then search LDAP for their group memberships, and then apply the correct authorization to certain content based on group membership. I have written a page that when submitted will execute the PL/SQL to authenticate with LDAP and I am working on the code to search for attributes, including group membership, but I do not know how to construct the authentication and/or authorization structures within the HTML DB environment based on the outcome of the PL/SQL function.
Let's focus on authentication first. I assume you have a login page in the app. Create a new authentication scheme based on the LDAP model (follow the wizard). Edit the scheme, changing the authentication function from -LDAP- to: return function_name;, giving the name of a function in your schema which does the LDAP authentication. This function must have the signature (p_username in varchar2, p_password in varchar2) return boolean. Null out any other LDAP-related fields in this new authentication scheme and make sure it points to the login page in your app for the Invalid Session Page attribute. Save changes and then make this the current scheme. Your login page is already set up to call the HTML DB login API, and because your authentication scheme specifies an authentication function, that's what it will use to check credentials when the login page which captured username and password is submitted. If the credentials check out, the login API will redirect to the page specified in the login page's login process' p_flow_page argument, e.g., p_flow_page=>&APP_ID.:1, for page 1. Change this page ID as required.
Authorization schemes are simpler. They will probably be of type PL/SQL function returning boolean which will use the current value of :APP_USER to consult the LDAP directory for specific information. After creating the schemes, you can attach them to whatever components you need to, e.g., regions, buttons, processes.
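Below is an added example, not code from this thread or from HTML DB itself, of the two functions the previous two posts describe: an authentication function with exactly the (p_username, p_password) return boolean signature, and a group-membership function for use in a PL/SQL authorization scheme with :APP_USER. The host, port, base DN, service-account DN and the Active Directory memberOf attribute are assumptions to adjust; the authorization side has no user password available, which is why it binds with a separate read-only service account (an assumption, not something HTML DB provides). Two defensive details the thread does not mention: a bind with a DN and an empty password is an unauthenticated (anonymous) bind that many directories accept, so an empty password must be rejected before the bind, and the username is only spliced into a DN or search filter after it has been checked against a conservative character whitelist.

```plsql
-- Added example, not from the thread. Placeholders marked "assumption" must be adjusted.
create or replace function ldap_authenticate (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    l_ldap_host constant varchar2(256) := 'MY_LDAP_HOST';                       -- assumption
    l_ldap_port constant number        := 389;                                  -- assumption
    l_base_dn   constant varchar2(256) := 'OU=Hrusers,DC=ad,DC=fgfield,DC=com'; -- from the thread's sample DN
    l_session   dbms_ldap.session;
    l_retval    pls_integer;
begin
    -- Fail closed on an empty password: DN + empty password is an anonymous bind,
    -- which the directory may accept, so it must never count as a login.
    if p_username is null or p_password is null or length(p_password) = 0 then
        return false;
    end if;
    -- Only names without DN/filter metacharacters (',', '=', '\', '(', ')', '*', ...) are spliced into the DN.
    if not regexp_like(p_username, '^[A-Za-z0-9._-]+$') then
        return false;
    end if;
    dbms_ldap.use_exception := true;
    l_session := dbms_ldap.init(l_ldap_host, l_ldap_port);
    -- The user's own credentials are verified by the bind itself.
    l_retval := dbms_ldap.simple_bind_s(l_session, 'CN=' || p_username || ',' || l_base_dn, p_password);
    l_retval := dbms_ldap.unbind_s(l_session);
    return true;
exception
    when others then
        -- Bad credentials, unknown DN or an unreachable server all end here: fail closed.
        if l_session is not null then
            begin
                l_retval := dbms_ldap.unbind_s(l_session);
            exception when others then null;
            end;
        end if;
        return false;
end ldap_authenticate;
/

-- True when p_username (normally :APP_USER) is a direct member of the named AD group.
create or replace function ldap_in_group (
    p_username in varchar2,
    p_group_cn in varchar2
) return boolean
is
    l_ldap_host constant varchar2(256) := 'MY_LDAP_HOST';                        -- assumption
    l_ldap_port constant number        := 389;                                   -- assumption
    l_base_dn   constant varchar2(256) := 'OU=Hrusers,DC=ad,DC=fgfield,DC=com';  -- assumption
    l_group_dn  constant varchar2(256) := 'OU=Groups,DC=ad,DC=fgfield,DC=com';   -- assumption
    -- Read-only service account (assumption): no user password exists at authorization time.
    -- Keep the secret out of source in practice, e.g. in a table with restricted grants.
    l_svc_dn    constant varchar2(256) := 'CN=htmldb_reader,OU=Service,DC=ad,DC=fgfield,DC=com';
    l_svc_pw    constant varchar2(256) := 'SERVICE_ACCOUNT_PASSWORD';
    l_session   dbms_ldap.session;
    l_message   dbms_ldap.message;
    l_attrs     dbms_ldap.string_collection;
    l_retval    pls_integer;
    l_found     boolean := false;
begin
    -- Same whitelist idea as above; group names may also contain spaces.
    if not regexp_like(p_username, '^[A-Za-z0-9._-]+$')
       or not regexp_like(p_group_cn, '^[A-Za-z0-9 ._-]+$') then
        return false;
    end if;
    dbms_ldap.use_exception := true;
    l_session := dbms_ldap.init(l_ldap_host, l_ldap_port);
    l_retval  := dbms_ldap.simple_bind_s(l_session, l_svc_dn, l_svc_pw);
    l_attrs(1) := 'cn';  -- only need to know whether a matching entry exists
    -- memberOf is Active Directory's DN-valued membership attribute (assumption for other directories).
    l_retval := dbms_ldap.search_s(
        l_session, l_base_dn, dbms_ldap.SCOPE_SUBTREE,
        '(&(objectClass=user)(cn=' || p_username || ')(memberOf=CN=' || p_group_cn || ',' || l_group_dn || '))',
        l_attrs, 0, l_message);
    l_found  := dbms_ldap.count_entries(l_session, l_message) > 0;
    l_retval := dbms_ldap.msgfree(l_message);
    l_retval := dbms_ldap.unbind_s(l_session);
    return l_found;
exception
    when others then
        if l_session is not null then
            begin
                l_retval := dbms_ldap.unbind_s(l_session);
            exception when others then null;
            end;
        end if;
        return false;  -- deny on any directory error
end ldap_in_group;
/
```

With these in the application schema, the authentication scheme's function field reads just return ldap_authenticate; (HTML DB binds the two arguments itself, as the next posts show), and an authorization scheme of type PL/SQL function returning boolean can read return ldap_in_group(:APP_USER, 'HR Managers');. Both functions return false on any exception so a directory outage denies access rather than granting it.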
Ok... I set up the authorization scheme. The authentication function is "return hr.util_ldap.connectAuthenticate(:P101_USERNAME,:P101_PASSWORD)". I made the new scheme current and it uses the 101 page for login. When I run the login page 101 I get the error:
ORA-01008: not all variables bound, Location: f?p=108:101:9788789130766578718&notification_msg=Invalid%20Login%20Credentials
Authentication, not authorization.
Specify return hr.util_ldap.connectAuthenticate in the function field. The arguments will get bound based on the assumed signature.
Ok... you're right... authentication scheme. I changed the function to read "return hr.util_ldap.connectAuthenticate". I make the scheme current and have it use the current login page 101. I now get the errors:
ORA-06550: line 2, column 8: PLS-00306: wrong number or types of arguments in call to 'CONNECTAUTHENTICATE' ORA-06550: line 2, column 1: PL/SQL: Statement ignored
Do I need to remove the default login process from this 101 page?