This discussion is archived
9 Replies Latest reply: Feb 19, 2013 4:42 AM by Christian Erlinger

Forms 10g authentication with LDAP

Roger22 Explorer
Hi,
We have developed an Oracle Forms 10g application on Oracle Application Server. We want to use LDAP authentication. How should we configure Forms to use LDAP authentication? This is what we want. We're new to this.

p.s. the Forms version is 10gR2
Thanks!
  • 1. Re: Forms 10g authentication with LDAP
    Michael Ferrante (Oracle) Guru Moderator
    Something to consider if you are using a licensed copy of the software is that both Oracle iAS 10 and the compatible Oracle SSO version are no longer supported. It's time to upgrade. The latest version of Forms/Reports is part of Fusion Middleware 11.1.2.1 and is supported with Oracle Access Manager.

    For version 10, refer to the v10gR2 Deployment Guide:
    http://docs.oracle.com/cd/B14099_11/web.1012/b14032/sso.htm

    For version 11.1.1, refer to the 11gR1 Deployment Guide:
    http://docs.oracle.com/cd/E23943_01/web.1111/e10240/sso.htm

    For version 11.1.2, refer to the 11gR1 Deployment Guide:
    http://docs.oracle.com/cd/E24269_01/doc.11120/e24477/sso.htm
  • 2. Re: Forms 10g authentication with LDAP
    Roger22 Explorer
    OK, regarding version 10:

    >
    The following software components in OracleAS are involved when running Forms applications in OracleAS Single Sign-On mode:

    Oracle Application Server Single Sign-On Server - an authentication Service in Oracle Application Server that uses Oracle Internet Directory to store user names and passwords

    mod_osso - The HTTP module mod_osso simplifies the authentication process by serving as the sole partner application to the Oracle Application Server Single Sign-On server, rendering authentication transparent for Oracle Application Server applications. OracleAS Forms Services and OracleAS Reports Services use mod_osso to register as a partner application to the Oracle Application Server Single Sign-On Server

    Oracle Internet Directory - A LDAP v3 compliant directory server that stores user login information. An LDAP server is a special database that is optimized for read access.

    Forms Servlet - The OracleAS Forms Services component that accepts the initial user request to start a Forms application. The Forms Servlet detects if an application requires OracleAS Single Sign-On, directs the request to the OracleAS Single Sign-On Server and accesses the Oracle Internet Directory to obtain the database connect information.

    formsweb.cfg - The Forms configuration file that contains the parameters to enable a Forms application for OracleAS Single Sign-On. The formsweb.cfg file is located in the forms/server directory of an Oracle Application Server installation.
    >

    Where can I find some details (step by step) or an example of how to configure this Internet Directory and then run the Oracle Forms application to comply with our new requirements?

    p.s. We use version 10, don't know why the company is not upgrading the version to 11
  • 3. Re: Forms 10g authentication with LDAP
    Michael Ferrante (Oracle) Guru Moderator
    For the most part, SSO can be configured as part of the iAS 10 installation. However, if for some reason you did not allow this to happen there are some MyOracleSupport documents which can help guide you.
      How to Implement Single Sign-On (SSO) For Oracle Forms 9i / 10g (Doc ID 199072.1)
      Troubleshooting Oracle Forms 10gR2/Forms 11g Single Sign-On (SSO) Integration Issues (Doc ID 980793.1)
    The product documentation may also help, but might be more difficult to follow:

    http://docs.oracle.com/cd/B14099_11/index.htm
  • 4. Re: Forms 10g authentication with LDAP
    Roger22 Explorer
    Ok, another question (seems like we adopt another approach): if we use a Java Bean in Forms which is based on a Java class searchUsername(String username, String password), how can we use this (pre-logon / post-logon triggers?) information we get from the bean in order to admit/refuse the access to Forms application if the user/password is correct (or not)?
    So we need to match the user/password entered when application is run, with the response from the JavaBean (either the combination is correct or not).
    Thanks
  • 5. Re: Forms 10g authentication with LDAP
    Michael Ferrante (Oracle) Guru Moderator
    It is unclear as to why you cannot use Oracle SSO or the Forms built-in logon dialog. Regardless, I do not recommend the approach you are considering. This is not a good plan for security. Consider that in order to use a java bean in a form, the form must actually start before you begin your authentication process. This would be like allowing a bank robber into the bank then into the vault and letting him look at the money before asking who he was or what he wanted. The earlier you can stop a request and have proper authentication completed the safer your environment will be.

    Authentication should happen before the Forms applet has been offered an opportunity to start.
  • 6. Re: Forms 10g authentication with LDAP
    Roger22 Explorer
    So first the form must actually start (authentication process) and just then make use of Java beans? It's not possible to invoke a Java bean immediately after the form started up, and then if the result of the Java method is 'false', give an error message and exit the form?
  • 7. Re: Forms 10g authentication with LDAP
    Michael Ferrante (Oracle) Guru Moderator
    What I am suggesting is:

    1. If you add a java bean to a form, the form must be running in order to use the code in the bean. In most cases, we will suggest that calls to beans not occur until after the gui has rendered. For example after the WHEN-NEW-FORM-INSTANCE trigger.

    2. You can create your own custom logon and if the result is false, simply exit (exit_form). However, the point in this thread was related to using LDAP. By using SSO with OID (Oracle LDAP), the Forms application will not start until a successful login occurs via SSO. This is a much safer approach as users attempting to gain access to the Forms servlet will be expected to successfully login before doing so.
  • 8. Re: Forms 10g authentication with LDAP
    Roger22 Explorer
    OK, I understand now. So first I'm rendering the GUI and then make use of Java beans.
    But I want to know, if the Java class is something like
    public LDAPUser searchUser(String username) {
    ...
    }
    where LDAPUser is a bean class (getters/setters), how should I handle the response of searchUser in Forms? So in Forms I have something like
    if :block.item = 'D' then
      -- search the user, and return a bean response containing all the attributes
    end if;
    Is it possible?
    Thanks

    p.s. the bean has no visual component, its value is used in an on-insert trigger, if :block.item = 'D'.

    Edited by: Roger22 on 19.02.2013 04:20
  • 9. Re: Forms 10g authentication with LDAP
    Christian Erlinger Guru
    If you plan not to use OID anyway then dbms_ldap is a far better way to authenticate against Active Directory:
    http://docs.oracle.com/cd/E23943_01/oid.1111/e10186/dbmsldap_ref.htm#OIMAD009

    cheers
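
A server-side credential check with DBMS_LDAP, as suggested in reply 9. This is an added example, not code from any poster in the thread or from Oracle. The function name, host, port, wallet location, wallet password and UPN suffix are all placeholder assumptions.

```sql
-- Added example (not from the thread): verify a password by binding to the
-- directory over SSL. Every constant below is a placeholder or an assumption.
CREATE OR REPLACE FUNCTION ldap_password_ok (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN
IS
  c_host       CONSTANT VARCHAR2(256) := 'ldap.example.com';      -- placeholder
  c_port       CONSTANT PLS_INTEGER   := 636;                     -- LDAP over SSL
  c_wallet     CONSTANT VARCHAR2(256) := 'file:/path/to/wallet';  -- placeholder
  c_wallet_pwd CONSTANT VARCHAR2(64)  := 'WALLET_PASSWORD';       -- placeholder; do not hard-code in real use
  c_upn_suffix CONSTANT VARCHAR2(128) := '@example.com';          -- assumed AD UPN suffix
  l_session    DBMS_LDAP.session;
  l_rc         PLS_INTEGER;
BEGIN
  -- A simple bind with an empty password is an unauthenticated bind, which
  -- many directories accept. In PL/SQL '' is NULL, so this covers both cases.
  IF p_username IS NULL OR p_password IS NULL THEN
    RETURN FALSE;
  END IF;

  -- Accept only a plain account name so the caller cannot choose the bind identity format.
  IF NOT REGEXP_LIKE(p_username, '^[A-Za-z0-9._-]{1,64}$') THEN
    RETURN FALSE;
  END IF;

  DBMS_LDAP.use_exception := TRUE;   -- raise on failure instead of returning error codes
  l_session := DBMS_LDAP.init(c_host, c_port);
  BEGIN
    -- 2 = one-way SSL (server authenticated), so the password is not sent in clear text.
    l_rc := DBMS_LDAP.open_ssl(l_session, c_wallet, c_wallet_pwd, 2);
    l_rc := DBMS_LDAP.simple_bind_s(l_session, p_username || c_upn_suffix, p_password);
    l_rc := DBMS_LDAP.unbind_s(l_session);
    RETURN TRUE;
  EXCEPTION
    WHEN OTHERS THEN
      -- Fail closed: bad credentials and connection errors both deny access.
      BEGIN l_rc := DBMS_LDAP.unbind_s(l_session); EXCEPTION WHEN OTHERS THEN NULL; END;
      RETURN FALSE;
  END;
EXCEPTION
  WHEN OTHERS THEN
    RETURN FALSE;   -- init failed: deny
END ldap_password_ok;
/
```

Calling this from a form still means the form has started before the check runs, which is the concern raised in replies 5 and 7.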
