Yes, clearly the p_authentication.attribute_01 is way out of scope in
the context of authorization, but one could have hoped that it is
available in the APEX LDAP authentication (actually also a plugin I
suppose) scope, when running the post authentication procedure. But it
isn't, and I still feel that host, port etc. configuration should not
be in the procedure code, which we copy from application to
Perhaps it would be best to have our own LDAP authentication plugin
(has anybody done this already?).
Apex Version 4.2.1
LDAP = Active Directory
I'm attempting to use the code provided by Tom to authenticate and authorize users in particular AD groups. I can authenticate users but authorization is failing. If I disable the authorization scheme every user in my domain can access the application.
I'm using the ad_post_auth procedure code in my authentication scheme and have set my post-authentication procedure name to ad_post_auth.
To authorize users I'm trying to use the 2nd code block provided by Tom in my authorization scheme and replacing the GROUPNAME with the group I'm searching for. So far this isn't working. How do I figure out where the problem is? Debugging the login screen isn't helping.
I've tried implementing the authorization plugin but I can't get that to work either.
Has anyone successfully set up authentication and authorization against AD/Groups?
Any assistance is greatly appreciated.
If you implemented all the code as I've described, then the application item should hold the groups associated with the user when authenticated. Authenticate and then hit "Session" from the developer bar, then look at the session state of the application item. Does it hold a value?
Thank You!!!! for the follow up and for this AD Group authentication solution.
Initially I overlooked the Application Item setup so that was part of my problem.
When I first set out to use your code I enlisted the help of a developer, and to verify the code you provided worked he had me comment out the following line:
"APEX_UTIL.set_session_state('AI_USER_AD_GROUPS', v_groups);"; we used "Dbms_Output.Put_Line(v_Groups);" to verify the code worked, and it did.
I mistakenly used the test code in the Source PL/SQL field instead of your original code. Once I corrected that it started working.
Thank You Again!!!
So after reading this thread I found it interesting that no one responded to Patrick Wolf's posting.
So I'm assuming his #2 item listed does NOT solve group authorization for Active Directory?
Or did I miss something?
Are there any changes in the base for 4.2.2 that resolve the main issue?
Thanks for your time,
Can you re-establish the link for your plugin and authorization scheme? They seem to be unavailable -- probably a result of the upgrade of the forum?
I'm trying to do the same thing.
One of the other issues that is not mentioned in this thread is that if your AD or other LDAP requires SSL, then you also have to make sure the SSL cert of your directory server is in the Oracle server wallet directory. It is covered in other threads.
A few months too late, but I found this forum entry when trying to solve the same issue - I managed to get it working in the end and I posted a blog entry about it. I'm putting it here as it may be useful for someone else who hits the same requirement and doesn't want to hit the same dead end I did.