5 Replies Latest reply: Dec 5, 2012 8:33 AM by ZairS.

    Authentication from Win-Domain for all OUs.

    ZairS.
      Hi,

      We have a Windows domain server which has users in different OUs (organizational units). I use standard LDAP authentication for my apps.

      DN string: cn=%LDAP_USER%,ou=accountants,dc=mydomainname,dc=com

      But there is a problem: users from different OUs cannot use my application at the same time.

      I tried a number of different DN strings but it does not work.

      How can I solve it?

      Edited by: Zair S. on Dec 5, 2012 4:15 AM
        • 1. Re: Authentication from Win-Domain for all OUs.
          Patrick Wolf-Oracle
          Hi Zair,

          are you talking about MS Active Directory? If yes, have a look at Re: MS Active Directory authentication

          Regards
          Patrick
          -----------
          My Blog: http://www.inside-oracle-apex.com
          APEX Plug-Ins: http://apex.oracle.com/plugins
          Twitter: http://www.twitter.com/patrickwolf
          • 2. Re: Authentication from Win-Domain for all OUs.
            ZairS.
            Hi Patrick,

            yes I am talking about MS Active Directory. Thanks for link and help.

            I have read the whole of it and the sublinks in the replies. The problem has not been solved in those posts.

            OK. I am trying to clean and build the question again :).

            Under MS AD we have 2 parallel OUs. Both OUs have AD users. How do I make a DN string for an application so that all users can use it?

            - If possible, only showing the base of AD is acceptable.
            - If possible, making changes under AD is also acceptable.

            But I do not want to use custom authentication for multiple OU's.
              • 3. Re: Authentication from Win-Domain for all OUs.
              Patrick Wolf-Oracle
              Hi Zair,

              I don't know AD configuration well enough and I also don't know how you want to distinguish if an entered username exists in both organisations, but
              you might be able to use the "LDAP Username Edit Function" to get what you want.

              You could use that function to manipulate your DN String on the fly to also return the organisation. For example if you

              1) set your DN string to
              cn=%LDAP_USER%,dc=mydomainname,dc=com
              2) and create a "LDAP Username Edit Function" like
              return apex_escape.ldap_dn (
                           p_string => :USERNAME,
                           p_escape_non_ascii => false ) || ',ou=accountants';
              3) "Username Escaping" attribute would be set to "No Escaping".

              Note: You would have to add your own logic instead of the ',ou=accountants' to determine which OU should be set based on the user or some other setting.

              Regards
              Patrick

              Edited by: Patrick Wolf on Dec 5, 2012 3:21 PM
                • 4. Re: Authentication from Win-Domain for all OUs.
                ZairS.
                Thanks for reply Patrick,

                I understand you, I am also not AD pro.

                I think I could not explain the problem properly. My users under the OUs are different. It is not possible to put a user in two OUs at the same time.

                And if I use the username edit function as you show, I have to know the user's OU before the user is authenticated. The problem is again not solved.
                  • 5. Re: Authentication from Win-Domain for all OUs.
                  Christian Neumueller-Oracle
                  Hi Zair,

                  the APEX LDAP authentication scheme allows you to either use exact DNs or search. The latter requires that your AD server is configured to allow anonymous binds.

                  In the authentication scheme, you can enter something like this:

                  - DN string: dc=mydomainname,dc=com
                  - Use exact DN: No
                  - Search Filter: (&(cn=%LDAP_USER%)(objectClass=user)(objectCategory=person))

                  It will search for entries under what you entered as DN string with the given filter, extract the DN of the first match and try to bind to that with the user-supplied password.

                  The LDAP search is quite flexible. If you want to limit the search to 2 OUs, you can enter

                  - Search Filter: (&(cn=%LDAP_USER%)(objectClass=user)(objectCategory=person)(|(ou=accountants)(ou=hr)))

                  Regards,
                  Christian
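
The search-then-bind flow Christian describes (search under a base DN with a filter, take the matching entry's DN, bind to it with the user's password) written out against DBMS_LDAP, as an added example that is not part of this thread and not APEX's own implementation of the scheme. The host name, port, the read-only service account used for the search phase, and the two OU base DNs are assumptions for illustration; the search filter follows Christian's cn-based filter. The function returns TRUE only when exactly one user entry matches across the searched OUs and a bind as that entry succeeds, so it can also serve as the authentication function of a custom scheme if the built-in LDAP scheme cannot be configured for this layout.

```plsql
-- Added example (not from the thread or from APEX): AD search-then-bind with DBMS_LDAP.
-- Assumptions, not facts from the thread: c_host, c_port, the service account and the
-- two OU base DNs. Requires APEX 4.2+ for apex_escape.
create or replace function ad_search_then_bind (
    p_username in varchar2,
    p_password in varchar2 )
    return boolean
is
    c_host     constant varchar2(100) := 'dc01.mydomainname.com';  -- assumption
    c_port     constant pls_integer   := 389;                       -- assumption; prefer 636 + dbms_ldap.open_ssl
    -- Read-only account for the search phase (assumption; many AD installations
    -- do not permit anonymous search, so a bind identity is needed here).
    c_svc_dn   constant varchar2(200) := 'cn=apex-ldap-reader,ou=service,dc=mydomainname,dc=com';
    c_svc_pwd  constant varchar2(100) := 'change-me';               -- assumption; keep in a wallet, not in code

    -- The two parallel OUs from the thread. AD user objects carry no ou attribute of
    -- their own, so each OU is searched as its own base rather than filtered on (ou=...).
    type t_bases is table of varchar2(200);
    l_bases    t_bases := t_bases('ou=accountants,dc=mydomainname,dc=com',
                                  'ou=hr,dc=mydomainname,dc=com');

    l_ld       dbms_ldap.session;
    l_res      dbms_ldap.message;
    l_attrs    dbms_ldap.string_collection;
    l_rc       pls_integer;
    l_filter   varchar2(500);
    l_user_dn  varchar2(1000);
    l_matches  pls_integer := 0;
begin
    dbms_ldap.use_exception := true;

    -- 1. Build the filter with the username escaped, so that input such as
    --    "*)(objectClass=*" cannot widen the search (LDAP filter injection).
    --    cn matches the thread; sAMAccountName is what AD users usually know as their logon name.
    l_filter := '(&(cn=' || apex_escape.ldap_search_filter(p_username)
             || ')(objectClass=user)(objectCategory=person))';
    l_attrs(1) := 'distinguishedName';

    -- 2. Search every OU base under the service account and collect matches.
    l_ld := dbms_ldap.init(c_host, c_port);
    l_rc := dbms_ldap.simple_bind_s(l_ld, c_svc_dn, c_svc_pwd);
    for i in 1 .. l_bases.count loop
        l_rc := dbms_ldap.search_s(l_ld, l_bases(i), dbms_ldap.scope_subtree,
                                   l_filter, l_attrs, 0, l_res);
        if dbms_ldap.count_entries(l_ld, l_res) > 0 then
            l_matches := l_matches + dbms_ldap.count_entries(l_ld, l_res);
            l_user_dn := dbms_ldap.get_dn(l_ld, dbms_ldap.first_entry(l_ld, l_res));
        end if;
        l_rc := dbms_ldap.msgfree(l_res);
    end loop;
    l_rc := dbms_ldap.unbind_s(l_ld);

    -- 3. Refuse missing or ambiguous accounts: "first match" is not safe when the same
    --    cn could exist in more than one OU. Also refuse an empty password, because AD
    --    treats DN + empty password as an unauthenticated bind that "succeeds".
    if l_matches <> 1 or p_password is null then
        return false;
    end if;

    -- 4. Bind as the resolved DN with the user-supplied password.
    l_ld := dbms_ldap.init(c_host, c_port);
    begin
        l_rc := dbms_ldap.simple_bind_s(l_ld, l_user_dn, p_password);
        l_rc := dbms_ldap.unbind_s(l_ld);
        return true;
    exception
        when others then
            l_rc := dbms_ldap.unbind_s(l_ld);
            return false;
    end;
end ad_search_then_bind;
/
```

Two points worth keeping even if the built-in scheme is used instead of this function: whatever the user types must be escaped before it is spliced into the filter (the scheme's %LDAP_USER% substitution does this for you only when "Username Escaping" is left enabled), and an empty password must be rejected before the bind, since otherwise the bind step cannot tell an unauthenticated bind from a successful one.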