7 Replies Latest reply: Jan 30, 2014 4:04 AM by Christian Neumueller-Oracle

    APEX_LDAP Authenticate

    jstem1177

      Hello All,

      I'm looking to include LDAP as an optional authentication scheme as part of my custom authentication scheme. Basically, I'm first doing a check for the user against the database; if the user does not exist then I check against LDAP, and if that does not exist then I try to authenticate the user against SSO before I declare that the username/password are invalid.

      I've done a verification using the basic LDAP package and the connection and authentication are validated as OK. However, when I use the same setup in APEX_LDAP.AUTHENTICATE I get a return of FALSE, and I have no way of knowing what the "ERROR" was.

      I'm hoping someone can provide some insight to what I'm missing:

      DBMS_LDAP: (works correctly)

      =======================

      DECLARE
          v_retval  pls_integer;
          v_session dbms_ldap.session;
      BEGIN
          dbms_ldap.use_exception := TRUE;   -- raise ORA- errors instead of returning status codes
          BEGIN
              v_session := dbms_ldap.init('192.168.3.15', 389 ); -- ldap host, port
          EXCEPTION
          WHEN OTHERS THEN
              dbms_output.put_line('Error with dbms_ldap.init ' || SQLERRM ||'|'||SQLCODE);
              RETURN;                        -- no session, nothing more to do
          END;
          BEGIN
              -- bind with the dn of the user and password
              -- If you are already connected you can pass an empty password
              -- NOTE: with an empty password simple_bind_s performs an unauthenticated
              -- (anonymous) bind, so a successful return here does not prove the
              -- user's credentials; this is why APEX_LDAP.AUTHENTICATE rejects a null password.
              v_retval := dbms_ldap.simple_bind_s(
                      v_session,
                      'cn=jans,dc=intm,dc=local','' );
              dbms_output.put_line('Connected ' || v_retval);
          EXCEPTION
              WHEN OTHERS THEN
                  dbms_output.put_line(
                          'Error with simple_bind_s ' ||
                          'SQLERRM: ' || SQLERRM ||' | '||
                          'SQLCODE: ' || SQLCODE ||' | '||
                          'Return Value:' || v_retval);
          END;
          v_retval := dbms_ldap.unbind_s( v_session );
      END;
      /
      
      APEX_LDAP.AUTHENTICATE (Does not work - Authentication failed)

      =================================================

      set serveroutput on
      BEGIN
        -- same host and base DN as the DBMS_LDAP test above; p_password is left empty here
        IF APEX_LDAP.AUTHENTICATE(
          p_username =>'jans',
          p_password =>'',
          p_search_base => 'dc=intm,dc=local',
          p_host => '192.168.3.15',
          p_port => 389) THEN
          dbms_output.put_line('authenticated');
      ELSE
          dbms_output.put_line('authentication failed');
      END IF;
      END;
      /
      
      I've tried several variations, including using cn and omitting both the username and password.


      Thanks in advance for your assistance.

      Jan S.

        • 1. Re: APEX_LDAP Authenticate
          Christian Neumueller-Oracle

          Hi Jan,

          APEX_LDAP.AUTHENTICATE immediately returns false if p_password is null.

          Regards,

          Christian

          • 2. Re: APEX_LDAP Authenticate
            jstem1177

            Hello Christian,

            I've tried to add the password and I'm still getting a return of FALSE.

            However, after testing, I also get this error when I put the password in the standard DBMS_LDAP.

            I must be doing something wrong, and my sys admin is not of much use since he no longer exists.

            Thanks in advance for your suggestions.

            Jan S.

            • 3. Re: APEX_LDAP Authenticate
              Christian Neumueller-Oracle

              Hi Jan,

              are you sure that the DN (cn=jans,dc=intm,dc=local) and the password are correct? I would try to connect to the LDAP repository with some admin tool and check the DN. One option is to create a new user and try to connect to that with dbms_ldap.


              Regards,

              Christian

              • 4. Re: APEX_LDAP Authenticate
                jstem1177

                Hello Christian,


                Sorry for the late response, but I had to justify my reason for wanting the LDAP tree information of where my user is. I have tried several variations and got the standard LDAP (simple_bind) working.

                LDAP Tree from the Top (upper & lower case have been kept)

                =======================================

                DC=company,DC=local

                  --->OU=Company

                     ---> OU=Users

                        ---> OU=DBA Oracle-SQL

                             -->CN=Jan S

                I've got 2 issues I'm hoping the community can help me with.

                ISSUE 1: Login fails when using APEX_LDAP

                ========

                set serveroutput on
                BEGIN
                  IF APEX_LDAP.AUTHENTICATE(
                    p_username =>'Jan S',
                    p_password =>'PASSWDJANS',
                    p_search_base => 'ou=DBA Oracle-SQL,ou=Users,ou=Company,dc=company,dc=local',
                    p_host => '192.168.1.100',
                    p_port => 389) THEN
                    dbms_output.put_line('authenticated');
                ELSE
                    dbms_output.put_line('authentication failed');
                END IF;
                END;
                /
                
                ISSUE 2: This is very limited, in terms of an APEX Authentication Scheme, as my manager would not be able to authenticate against the LDAP using this search base.

                ========

                Jan S  -->  'ou=DBA Oracle-SQL,ou=Users,ou=Company,dc=company,dc=local','PASSWDJANS');

                Manager --> 'ou=Users,ou=Company,dc=company,dc=local','PASSWD' );

                I'm not sure how I could implement NOT Exact Search Base, if that is even possible?

                Thanks a lot and more over thanks in advance for any assistance.

                Jan S.

                • 5. Re: APEX_LDAP Authenticate
                  Christian Neumueller-Oracle

                  Hi Jan,

                  APEX_LDAP has quite a lot of instrumentation. If you run this call from an application or SQL Commands and have debug at level 9 (e.g. by calling APEX_DEBUG.ENABLE(9)), you should see what's going wrong in the debug log (APEX_DEBUG_MESSAGES).

                  The APEX_LDAP.AUTHENTICATE function does not search. If the users are in different trees and you do not know a user's tree beforehand, this will not work for you. You might have luck with the undocumented and unsupported APEX_CUSTOM_AUTH.LDAP_AUTHENTICATE, something like

                  DECLARE
                    l_result boolean;
                  BEGIN
                    l_result := apex_custom_auth.ldap_authenticate (
                      p_username           => :P101_USERNAME,
                      p_password           => :P101_PASSWORD,
                      p_ldap_host          => '192.168.1.100',
                      p_ldap_port          => 389,
                      p_use_exact_dn       => 'N',   -- search for the user's DN instead of building it
                      p_ldap_string        => 'ou=users,ou=Company,dc=company,dc=local',   -- search base
                      p_search_filter      => 'cn=%LDAP_USER%',   -- %LDAP_USER% is replaced by p_username
                      p_ldap_edit_function => null,
                      p_owner              => null );
                    -- l_result is TRUE when the bind with the found DN succeeded, FALSE otherwise
                  END;
                  /
                  
                  Regards,

                  Christian
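The debug tip from the reply above, written out as an added example that is not part of the thread or of Oracle's own code. It assumes you run it from SQL Commands in the APEX workspace (so an APEX session context exists for APEX_DEBUG) and it reuses the host, port and search base posted in the thread, which are assumptions for any other directory. One caveat: level 9 is verbose and the log will contain the DN and host being tried, so keep any APEX_DEBUG calls you add yourself free of p_password, and disable debug again when you are done.

```plsql
-- Added example (not from the thread). Run from SQL Commands in the APEX
-- workspace so that APEX_DEBUG has a session to attach its messages to.
-- Host, port and search base are the thread's values: assumptions here.
DECLARE
    l_ok BOOLEAN;
BEGIN
    apex_debug.enable(p_level => 9);      -- 9 = most verbose level
    l_ok := apex_ldap.authenticate(
                p_username    => 'Jan S',
                p_password    => 'PASSWDJANS',
                p_search_base => 'ou=DBA Oracle-SQL,ou=Users,ou=Company,dc=company,dc=local',
                p_host        => '192.168.1.100',
                p_port        => 389);
    -- Log the outcome only; never write p_password into the debug log.
    apex_debug.info('apex_ldap.authenticate returned %s',
                    CASE WHEN l_ok THEN 'TRUE' ELSE 'FALSE' END);
    apex_debug.disable;                   -- leave verbose logging off afterwards
END;
/

-- Then read back what APEX_LDAP wrote (newest entries first).
SELECT message_timestamp, message_level, message
  FROM apex_debug_messages
 WHERE message_timestamp > SYSTIMESTAMP - INTERVAL '10' MINUTE
 ORDER BY message_timestamp DESC;
```

Run the block first and the query second; the messages APEX_LDAP.AUTHENTICATE emits at level 9 show which DN it constructed from p_username and p_search_base and where the bind failed, which is the "ERROR" the original post was missing.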

                  • 6. Re: APEX_LDAP Authenticate
                    jstem1177

                    Hello Christian,


                    Cool, thanks a lot. However, what is the expected return type for LDAP_AUTHENTICATE?

                    Jan S.

                    • 7. Re: APEX_LDAP Authenticate
                      Christian Neumueller-Oracle

                      Hi Jan,

                      the function returns a boolean.


                      Regards,

                      Christian
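Reply 5 above says that APEX_LDAP.AUTHENTICATE does not search and points at an unsupported package for the "not exact search base" case from reply 4. The same search-then-bind pattern can be built on the supported DBMS_LDAP package, and the function below does that as an added example; it is not code from the thread or from Oracle's APEX_LDAP implementation. It assumes a read-only service account (the DN and password are placeholders), the host, port and base DN from the thread, and that cn is the login attribute as in the thread's tree (on Active Directory sAMAccountName is usually the attribute to match instead). The function has the `(p_username, p_password) RETURN BOOLEAN` signature an APEX custom authentication scheme expects. Two points a practitioner should notice: the username is escaped per RFC 4515 before it is placed in the filter, because a value like `*)(cn=*` would otherwise rewrite the query, and an empty password is refused before any bind, because an empty password turns simple_bind_s into an unauthenticated bind that "succeeds" on most servers.

```plsql
-- Added example, not from the thread or from Oracle's APEX_LDAP code.
-- Search-then-bind with DBMS_LDAP:
--   1. bind as a read-only service account (assumed DN/password below),
--   2. search the whole subtree under the base DN for the user's entry,
--   3. bind again with the DN found and the password the user typed.
-- Host, port, base DN and service account are assumptions for your site.
CREATE OR REPLACE FUNCTION ldap_search_and_bind (
    p_username  IN VARCHAR2,
    p_password  IN VARCHAR2
) RETURN BOOLEAN
IS
    c_host    CONSTANT VARCHAR2(100) := '192.168.1.100';                         -- assumed
    c_port    CONSTANT PLS_INTEGER   := 389;  -- assumed; cleartext, use LDAPS/dbms_ldap.open_ssl in production
    c_base    CONSTANT VARCHAR2(200) := 'ou=Users,ou=Company,dc=company,dc=local';
    c_svc_dn  CONSTANT VARCHAR2(200) := 'cn=apex-bind,ou=Service Accounts,dc=company,dc=local'; -- assumed
    c_svc_pwd CONSTANT VARCHAR2(100) := 'service-account-password';  -- assumed; keep in a wallet/vault, not in code

    l_session dbms_ldap.session;
    l_attrs   dbms_ldap.string_collection;
    l_result  dbms_ldap.message;
    l_entry   dbms_ldap.message;
    l_dn      VARCHAR2(4000);
    l_filter  VARCHAR2(4000);
    l_rc      PLS_INTEGER;

    -- RFC 4515 escaping of a filter assertion value; without it a username
    -- such as  *)(cn=*  changes the meaning of the filter (LDAP injection).
    FUNCTION escape_filter_value (p_val IN VARCHAR2) RETURN VARCHAR2 IS
        l_out VARCHAR2(4000);
    BEGIN
        l_out := REPLACE(p_val, '\', '\5c');   -- backslash first, so later escapes are not re-escaped
        l_out := REPLACE(l_out, '*', '\2a');
        l_out := REPLACE(l_out, '(', '\28');
        l_out := REPLACE(l_out, ')', '\29');
        l_out := REPLACE(l_out, CHR(0), '\00');
        RETURN l_out;
    END escape_filter_value;
BEGIN
    -- Empty password = unauthenticated bind on most servers; refuse it up front.
    IF p_username IS NULL OR p_password IS NULL THEN
        RETURN FALSE;
    END IF;

    dbms_ldap.use_exception := TRUE;       -- every LDAP failure raises, handled below
    BEGIN
        l_session := dbms_ldap.init(c_host, c_port);

        -- Step 1: bind as the service account that may read the tree.
        l_rc := dbms_ldap.simple_bind_s(l_session, c_svc_dn, c_svc_pwd);

        -- Step 2: subtree search; '1.1' asks for no attributes, the DN is enough.
        l_attrs(1) := '1.1';
        l_filter   := '(&(objectClass=person)(cn=' || escape_filter_value(p_username) || '))';
        l_rc := dbms_ldap.search_s(l_session,
                                   c_base,
                                   dbms_ldap.SCOPE_SUBTREE,
                                   l_filter,
                                   l_attrs,
                                   0,            -- attronly: return values too (none requested)
                                   l_result);

        -- Exactly one entry: zero means unknown user, more than one is ambiguous.
        IF dbms_ldap.count_entries(l_session, l_result) != 1 THEN
            l_rc := dbms_ldap.msgfree(l_result);
            l_rc := dbms_ldap.unbind_s(l_session);
            RETURN FALSE;
        END IF;

        l_entry := dbms_ldap.first_entry(l_session, l_result);
        l_dn    := dbms_ldap.get_dn(l_session, l_entry);
        l_rc    := dbms_ldap.msgfree(l_result);

        -- Step 3: re-bind with the user's own DN and password; raises on bad credentials.
        l_rc := dbms_ldap.simple_bind_s(l_session, l_dn, p_password);
        l_rc := dbms_ldap.unbind_s(l_session);
        RETURN TRUE;
    EXCEPTION
        WHEN OTHERS THEN
            -- invalid credentials, broken service account, server unreachable, ...
            -- Record SQLERRM and p_username in your own log; never p_password.
            BEGIN
                l_rc := dbms_ldap.unbind_s(l_session);
            EXCEPTION WHEN OTHERS THEN NULL;
            END;
            RETURN FALSE;
    END;
END ldap_search_and_bind;
/
```

Because the search runs as the service account, users anywhere below ou=Users (Jan S in "DBA Oracle-SQL" and the manager one level up, as in reply 4) are found by the same call, and the user's own password is only ever used for the second bind. The service account needs nothing beyond read access to the subtree; treat its password like any other credential and prefer port 636 with an Oracle wallet so that user passwords do not cross the network in clear text.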