I have done the following steps. Now when I try to log on using my LDAP id like "et04", the login fails.

Navigate to the Application Builder home page. Select the desired application. Click the Shared Components icon. Under Application, click authentication scheme. Select the Security tab and then the Authentication icon. Click Create Scheme. Under Create Scheme, select "Based on a pre-configured scheme from the gallery". Under Gallery, select "Show Login Page and Use LDAP Directory Credentials". Click Next. Under Specify Login Page, select "Use Built-In Login Page". Click Next. Then I entered:
host=10.153.7.220
port=389
Distinguished Name (DN) String=cn=%LDAP_USER%,dc=hct,dc=org
and finally created it and made it current (it was current by default).
How to fix it?
Usually an error message is displayed at the login page after a login attempt fails. In my app it looks like:
ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece...
Debug mode is turned on by the "Debug" button on the developer toolbar. Then you must do a login attempt, then press the "View debug" button on the developer toolbar.
Try this script to test the LDAP connection and authentication (run it in SQL*Plus with SET SERVEROUTPUT ON):
declare
  c_ldap_server  constant varchar2(100) := '10.153.7.220';
  c_ldap_port    constant integer       := 389;
  c_ldap_cn      constant varchar2(100) := 'CN=USER1,dc=hct,dc=org'; -- replace USER1 with your login
  c_pwd          constant varchar2(100) := '1111';                   -- enter here the user's password
  l_ldap_session dbms_ldap.session;
  l_result       integer;
begin
  -- open a session to the LDAP server
  l_ldap_session := dbms_ldap.init( hostname => c_ldap_server, portnum => c_ldap_port );
  dbms_output.put_line('session=' || l_ldap_session);
  -- try to bind with the user's DN and password; the result code tells you why it failed
  l_result := dbms_ldap.simple_bind_s( ld => l_ldap_session, dn => c_ldap_cn, passwd => c_pwd );
  dbms_output.put_line('simple_bind_s result: ' || dbms_ldap.err2string(l_result));
  l_result := dbms_ldap.unbind_s(l_ldap_session);
end;
/
I will try to summarize some information regarding LDAP authentication for you.
1. Oracle 11g and ACL
With version 11g Oracle implemented a security feature called ACL (Access Control Lists). The database now controls (and restricts) all network traffic from or to the database. For LDAP authentication APEX (and so the database) has to create a network connection to the LDAP server. If the ACLs in the database are not configured to allow this, the connection request will be rejected.
Here is some PL/SQL code to configure the ACL for LDAP requests. You have to replace the placeholders (<...>) with values of your environment. The resulting code block has to be executed by a user with DBA privileges!
begin
  -- drop a previous version of the ACL, if any
  begin
    dbms_network_acl_admin.drop_acl( acl => 'LDAPRequests.xml' );
  exception
    when others then null; -- ACL does not exist yet
  end;
  -- Privilege to connect to a host
  dbms_network_acl_admin.create_acl(
    acl         => 'LDAPRequests.xml',
    description => 'Accessing the local host for creating requests to the LDAP service',
    principal   => upper('<Your database schema here>'), -- DB schema (grantee), most likely the schema that has been assigned to the APEX workspace
    is_grant    => true,
    privilege   => 'connect',
    start_date  => null,
    end_date    => null );
  -- Privilege to resolve a hostname (DNS lookup)
  dbms_network_acl_admin.add_privilege(
    acl        => 'LDAPRequests.xml',
    principal  => upper('<Your database schema here>'), -- DB schema (grantee), most likely the schema that has been assigned to the APEX workspace
    is_grant   => true,
    privilege  => 'resolve',
    start_date => null,
    end_date   => null );
  -- Assign the ACL to the LDAP host and port
  dbms_network_acl_admin.assign_acl(
    acl        => 'LDAPRequests.xml',
    host       => '<IP or host name of your LDAP server>',
    lower_port => <Port of the LDAP service, most likely 389>,
    upper_port => <Port of the LDAP service, most likely 389> );
end;
/
2. Accessing the LDAP
What the built-in LDAP authentication scheme does is to try a login with the given credentials. The authentication scheme uses the DBMS_LDAP package and tries a binding by using a code block similar to this:
declare
  v_session dbms_ldap.session;
  v_result  pls_integer;
begin
  -- raise an exception instead of returning an error code
  dbms_ldap.use_exception := true;
  v_session := dbms_ldap.init(
    hostname => '<IP or host name of the LDAP server>',
    portnum  => 389 );
  v_result := dbms_ldap.simple_bind_s(
    ld     => v_session,
    dn     => '<The complete distinguished name (DN) containing the username>',
    passwd => '<Password string>' );
  v_result := dbms_ldap.unbind_s(v_session);
  -- No errors occurred? Binding was successful
end;
/
3. Username and DN
As you can see in the code block above, you cannot directly try the binding with the plain username. Your LDAP server needs some more information about where (in the LDAP structure) the user is located. So you have to build a DN string first.
For example, if all LDAP users are located in a directory structure like this: OU=Domain Users,DC=de,DC=root,DC=net, then a valid DN string for a user would look like this: DN=username,OU=Domain Users,DC=de,DC=root,DC=net.
4. Configuration of the Apex built-in authentication schema
With this information you should be able to configure the authentication scheme. Put in the host, port and DN template string. For the template string take a look at the online help. It is possible to configure an exact DN (if all users are organized in one branch of the LDAP directory) or a base DN. A base DN could be something like DC=de,DC=root,DC=net. If you set the "Use Distinguished Name" flag to No, the authentication will perform a search for a DN with the given username in all child branches below the base DN before trying the bind.
Finally, this is a very basic example of how to use an LDAP server for authentication purposes. But I hope it helps for the beginning.
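The search-then-bind behaviour described in steps 2 to 4 (base DN, "Use Distinguished Name" = No) as an added, stand-alone PL/SQL example; this is not code from the thread or from the APEX built-in scheme. It assumes the DBMS_LDAP package and the ACL from step 1 are in place, that the directory allows an anonymous search below the base DN (otherwise bind a read-only service account first), and that the login name is stored in the attribute sAMAccountName (Active Directory; use uid or cn for other directories). Host, base DN, login name and password are placeholders. It also shows two checks a login routine needs that the thread's scripts omit: rejecting an empty password before binding, and escaping the login name before it is put into the search filter.

```sql
-- Added example (not code from the thread or from APEX itself): resolve a
-- user's DN by searching below a base DN, then bind with the resolved DN.
-- This mirrors what the built-in scheme does with "Use Distinguished Name" = No.
-- Host, base DN, login name and password are placeholders for your environment.
declare
  c_host       constant varchar2(100) := '<IP or host name of the LDAP server>';
  c_port       constant pls_integer   := 389;
  c_base_dn    constant varchar2(200) := 'DC=de,DC=root,DC=net';   -- base DN as in the post above
  c_user       constant varchar2(100) := 'et04';                   -- plain login name, no DN
  c_pwd        constant varchar2(100) := '<password>';
  -- Attribute holding the login name (assumption: sAMAccountName for Active
  -- Directory; use uid or cn for other directories).
  c_login_attr constant varchar2(30)  := 'sAMAccountName';

  l_session  dbms_ldap.session;
  l_rc       pls_integer;
  l_attrs    dbms_ldap.string_collection;
  l_result   dbms_ldap.message;
  l_entry    dbms_ldap.message;
  l_user_dn  varchar2(1000);

  -- Escape the characters with special meaning in an LDAP search filter
  -- (RFC 4515), so a login name cannot change the meaning of the filter.
  function escape_filter(p_value in varchar2) return varchar2 is
    l_v varchar2(4000) := p_value;
  begin
    l_v := replace(l_v, '\', '\5c');   -- backslash first, it is the escape character
    l_v := replace(l_v, '*', '\2a');
    l_v := replace(l_v, '(', '\28');
    l_v := replace(l_v, ')', '\29');
    l_v := replace(l_v, chr(0), '\00');
    return l_v;
  end escape_filter;
begin
  -- An empty password must never reach simple_bind_s: many directories treat a
  -- bind with an empty password as an anonymous bind and report success.
  if c_pwd is null then
    raise_application_error(-20000, 'empty password rejected before contacting LDAP');
  end if;

  dbms_ldap.use_exception := true;   -- raise ORA-31202 instead of returning codes
  l_session := dbms_ldap.init(hostname => c_host, portnum => c_port);

  -- Step 1: find the entry below the base DN. The search here is anonymous;
  -- if your directory does not allow that, bind first with a read-only
  -- service account (assumption about your directory's policy).
  l_attrs(1) := 'cn';
  l_rc := dbms_ldap.search_s(
            ld       => l_session,
            base     => c_base_dn,
            scope    => dbms_ldap.scope_subtree,
            filter   => '(' || c_login_attr || '=' || escape_filter(c_user) || ')',
            attrs    => l_attrs,
            attronly => 0,
            res      => l_result);

  -- Exactly one entry must match, otherwise we do not know whom to bind as.
  if dbms_ldap.count_entries(l_session, l_result) <> 1 then
    l_rc := dbms_ldap.unbind_s(l_session);
    raise_application_error(-20001,
      'login name not found, or not unique, below ' || c_base_dn);
  end if;

  l_entry   := dbms_ldap.first_entry(l_session, l_result);
  l_user_dn := dbms_ldap.get_dn(l_session, l_entry);
  dbms_output.put_line('resolved DN: ' || l_user_dn);

  -- Step 2: bind with the resolved DN; this is the actual password check.
  l_rc := dbms_ldap.simple_bind_s(ld => l_session, dn => l_user_dn, passwd => c_pwd);
  dbms_output.put_line('bind result: ' || dbms_ldap.err2string(l_rc));
  l_rc := dbms_ldap.unbind_s(l_session);
exception
  when others then
    -- With use_exception set, a failed bind arrives here as ORA-31202.
    -- In the Active Directory text shown earlier in the thread, "data 525"
    -- means the DN was not found; "data 52e" would mean a wrong password.
    dbms_output.put_line('LDAP error: ' || sqlerrm);
    begin
      l_rc := dbms_ldap.unbind_s(l_session);
    exception when others then null;
    end;
    raise;
end;
/
```

Run it in SQL*Plus with SET SERVEROUTPUT ON as the parsing schema of the application, so that the same ACL applies as for the real login. If step 1 already fails with ORA-31202 "data 525", the DN template (or base DN) is the problem, not the password; if the search finds the entry but the bind fails, the password is wrong. Step 1 is the part the thread's one-line DN template cannot do for users who live in different OUs, which is why the "Use Distinguished Name" = No setting exists.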
Very very thorough reply j.gauger!!
thank you so much for that.
kindly explain a little step *2:Accessing the LDAP*
where should i put this code?
i mean, i should execute this code from sqlplus, or i have to include this code somewhere in my apex?
What APEX schema? If I am developing applications for HRMS, INVENTORY and PAYROLL, and each of them has its own schema, then do I have to execute step 1 once for each schema (with a different
principal => upper('<Your database schema here>'),
each time)? Kindly explain.
thank you so much for such a nice reply.
Step 2 was just for informational reasons. You don't need to use this code block as long as you use the built-in authentication scheme. But if you once decide to write your own custom LDAP authentication scheme you will need this. But please skip this for the moment.
Regarding step 1:
Currently I'm not quite sure who the user is that invokes the LDAP request if the built-in authentication scheme is used. In my case I write my own auth procedures, and in this case the user who creates the request is the schema user assigned to the workspace where the application is located. It could be possible that for the built-in schemes the user "APEX_04xxxx" is used. But I think it ought to be the schema user as well.
If you have more than one schema assigned to your workspace, you have to look into your application to see what the parsing schema is.
But you are right. You have to execute the ACL script for each schema then...
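A check for the "one ACL per schema" point above, added here and not part of the thread: it lists which principals are allowed to reach the LDAP host through the ACL views that 11g provides (dba_network_acls and dba_network_acl_privileges). Run it as a DBA; the host string is a placeholder and must match the host you used in assign_acl.

```sql
-- Added check (not code from the thread): which schemas may connect to / resolve
-- the LDAP host? Every parsing schema of an LDAP-authenticated application
-- must appear here with privilege CONNECT (and RESOLVE if you use a host name).
select a.host, a.lower_port, a.upper_port, a.acl,
       p.principal, p.privilege, p.is_grant
  from dba_network_acls a
  join dba_network_acl_privileges p on p.acl = a.acl
 where a.host = '<IP or host name of your LDAP server>'   -- placeholder
 order by p.principal, p.privilege;
```

A schema that is missing from the result (or that shows is_grant = false) is the one whose login attempts will be rejected by the ACL before any LDAP bind happens; adding it means another add_privilege call on the same ACL rather than creating a second ACL for the same host and port.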
I tried to follow the steps you provided.
It ran successfully from SQL*Plus.
In APEX, when I set the Distinguished Name (DN) String of my APEX_LADAP scheme to
(which I copied from SQLPLUS)
it works, but only for my user, which is et04.
Any other user of LDAPc is unable to authenticate.
Then I met my network administrator;
he set the Distinguished Name (DN) String of my APEX_LADAP scheme to
but it is not working.
What is wrong?
THANK YOU SO MUCH.