5 Replies Latest reply: Dec 5, 2012 6:33 AM by ZairS.

Authentication from Win-Domain for all OUs.

ZairS. Newbie
Hi,

We have a Win-Domain server which has users in different OUs (organization units). I use standard LDAP authentication for my apps.

DN string: cn=%LDAP_USER%,ou=accountants,dc=mydomainname,dc=com

But there is a problem, because users from different OUs cannot use my application at the same time.

I tried a number of different DN strings but it does not work.

How can I solve it?

Edited by: Zair S. on Dec 5, 2012 4:15 AM
  • 1. Re: Authentication from Win-Domain for all OUs.
    Patrick Wolf Employee ACE
    Hi Zair,

    are you talking about MS Active Directory? If yes, have a look at Re: MS Active Directory authentication

    Regards
    Patrick
    -----------
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf
  • 2. Re: Authentication from Win-Domain for all OUs.
    ZairS. Newbie
    Hi Patrick,

    yes I am talking about MS Active Directory. Thanks for link and help.

    I have read the whole of it and the sublinks in the replies. The problem has not been solved in those posts.

    OK. I am trying to clean and build the question again :).

    Under MS AD we have 2 parallel OUs. Both OUs have AD users. How do I make a DN string for an application so that all users could use it?

    - If it is possible by only showing the base of AD, that is acceptable.
    - If it is possible by making changes under AD, that is also acceptable.

    But I do not want to use custom authentication for multiple OU's.
  • 3. Re: Authentication from Win-Domain for all OUs.
    Patrick Wolf Employee ACE
    Hi Zair,

    I don't know AD configuration well enough and I also don't know how you want to distinguish if an entered username exists in both organisations, but
    you might be able to use the "LDAP Username Edit Function" function to get what you want.

    You could use that function to manipulate your DN String on the fly to also return the organisation. For example if you

    1) set your DN string to
    cn=%LDAP_USER%,dc=mydomainname,dc=com
    2) and create a "LDAP Username Edit Function" like
    return apex_escape.ldap_dn (
                 p_string => :USERNAME,
                 p_escape_non_ascii => false ) || ',ou=accountants';
    3) "Username Escaping" attribute would be set to "No Escaping".

    Note: You would have to add your own logic instead of the ',ou=accountants' to determine which OU should be set based on the user or some other setting.

    Regards
    Patrick
    -----------
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf

    Edited by: Patrick Wolf on Dec 5, 2012 3:21 PM
  • 4. Re: Authentication from Win-Domain for all OUs.
    ZairS. Newbie
    Thanks for reply Patrick,

    I understand you, I am also not AD pro.

    I think I could not draw the problem. My users under OUs are different. It is not possible to insert a user in two other OUs at a time.

    And if I use the username edit function as you show, I have to know the user's OU before the user is authenticated. The problem is again not solved.
  • 5. Re: Authentication from Win-Domain for all OUs.
    Christian Neumueller Expert
    Hi Zair,

    the Apex LDAP authentication scheme allows you to either use exact DNs or search. The latter requires that your AD server is configured to allow anonymous binds.

    In the authentication scheme, you can enter something like this:

    - DN string: dc=mydomainname,dc=com
    - Use exact DN: No
    - Search Filter: &(cn=%LDAP_USER%)(objectClass=user)(objectCategory=person)

    It will search for entries under what you entered as DN string with the given filter, extract the DN of the first match and try to bind to that with the user-supplied password.

    The LDAP search is quite flexible. If you want to limit the search to 2 OUs, you can enter

    - Search Filter: &(cn=%LDAP_USER%)(objectClass=user)(objectCategory=person)(|(ou=accountants)(ou=hr))

    Regards,
    Christian
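The difference between the two schemes in this thread, as an added illustration that is not code from the thread or from APEX: the exact-DN scheme hard-wires one OU into the DN, so a user in the other OU can never bind, while the search-then-bind scheme searches the base DN with the filter from the last reply and binds with whichever DN it finds. The directory is a constructed in-memory stand-in for the two OUs, and the username is escaped per RFC 4515 before it is substituted into the filter, because an unescaped name could otherwise change the filter's structure.

```python
# Constructed in-memory stand-in for the AD subtree discussed in the thread
# (two parallel OUs). A real deployment does these steps over LDAP; the logic
# of "exact DN" versus "search, then bind" is the same. objectClass and
# objectCategory are omitted from the stand-in and not checked by the search.
BASE_DN = "dc=mydomainname,dc=com"
DIRECTORY = {
    "cn=alice,ou=accountants," + BASE_DN:
        {"cn": "alice", "ou": "accountants", "password": "alice-pw"},
    "cn=bob,ou=hr," + BASE_DN:
        {"cn": "bob", "ou": "hr", "password": "bob-pw"},
}

def simple_bind(dn, password):
    """Bind attempt: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password

def exact_dn_login(username, password):
    """The original scheme: the DN string names one OU, so only that OU can log in."""
    dn = "cn=%s,ou=accountants,%s" % (username, BASE_DN)
    return dn if simple_bind(dn, password) else None

def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(username, ous=("accountants", "hr")):
    """Filter from the last reply, with the username escaped and the OUs OR-ed."""
    ou_clause = "".join("(ou=%s)" % ou for ou in ous)
    return "(&(cn=%s)(objectClass=user)(objectCategory=person)(|%s))" % (
        escape_filter_value(username), ou_clause)

def search_then_bind(username, password, ous=("accountants", "hr")):
    """Search under BASE_DN with the filter, take the first match, bind with its DN."""
    filt = build_filter(username, ous)  # what a real client would send to the server
    # The escaped filter matches the cn literally (a '*' is not a wildcard), which
    # the exact comparison below mimics for the in-memory stand-in.
    matches = [dn for dn, e in DIRECTORY.items()
               if dn.endswith(BASE_DN) and e["cn"] == username and e["ou"] in ous]
    if not matches:
        return None
    dn = matches[0]  # first match, as described in the reply above
    return dn if simple_bind(dn, password) else None
```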
