8 Replies Latest reply on Jul 20, 2017 10:35 AM by Eichelburg

    LDAP Authentication with APEX_LDAP

    Eichelburg

      Hello,

       

      I am trying to log in as an Apex developer with LDAP credentials. A hard one...

      Using Apex 5.1.2, Oracle 12.

       

      First I tried to configure it in the internal workspace -> manage instance -> security -> authentication control -> LDAP directory

       

      host: ldap.server.ip.address
      port: 389
      No SSL
      DN String : cn=md\%LDAP_USER%,OU=my_company,OU=the_other_company,DC=my,DC=company,DC=domain
      use exact DN : Yes
      Username escaping : Standard

       

      I tried a lot of combinations of the parameters above, and solutions I found on the internet. Nothing worked.

      Can someone tell me a way to debug this... or even better... does someone have an explanation for this...

       

      I also tried the function from the docs... nothing... also many combinations of usernames and search bases.

       

      -- Anonymous block to call APEX_LDAP.AUTHENTICATE directly (run with SERVEROUTPUT ON)
      BEGIN
          IF APEX_LDAP.AUTHENTICATE(
                p_username    => 'md\theuser',
                p_password    => 'secret',
                p_search_base => 'OU=my_company,OU=the_other_company,DC=my,DC=company,DC=domain',
                p_host        => 'ldap.server.ip.address',
                p_port        => 389) THEN
              dbms_output.put_line('authenticated');
          ELSE
              dbms_output.put_line('authentication failed');
          END IF;
      END;
      /

       

      As I said... always failing... Is Apex Developer using this function for the authentication control?

       

      But... authentication with the DBMS_LDAP package works:

       

        DECLARE
            l_session dbms_ldap.session;
            l_retval  pls_integer;
        BEGIN
            dbms_ldap.use_exception := TRUE;   -- raise on bind failure instead of returning a code
            l_session := dbms_ldap.init('ldap.server.ip.address', '389');
            -- plain username, no DN and no search base
            l_retval := dbms_ldap.simple_bind_s(l_session, 'theuser', 'secret');
            l_retval := dbms_ldap.unbind_s(l_session);
        END;
        /

       

      Ok... no search_base... is this the answer?

      Any suggestions? I also configured the ACL...

        • 1. Re: LDAP Authentication with APEX_LDAP
          swesley_perth

          I've had the best success using:

          DN string: DOMAIN\%LDAP_USER%

          Use exact: Yes

          • 2. Re: LDAP Authentication with APEX_LDAP
            Eichelburg

            Thanks for the advice. I tried it, but it didn't work either...

             

            I investigated the Apex code (unwrapping it)... in the procedure apex_050100.wwv_flow_ldap.authenticate, which I guess is used for authenticating against LDAP, I found something that seems to be a problem (procedure at the bottom of this text).

            It seems that under all circumstances the Apex code adds "cn=" or "uid=" to the username.

            First this proc tries to log in with 'cn=md\theuser' and when that fails it tries 'uid=md\theuser', which also fails.

            It fails because the DO_BIND proc is simply a wrapper around dbms_ldap.simple_bind_s, and using "uid=" or "cn=" isn't working with the user parameter (in my case).

            Question: Does anyone know if this is a configuration issue in LDAP? Can I configure LDAP in a way to use "uid=" or "cn=" in the username parameter of dbms_ldap.simple_bind_s?

             

             

            -- Unwrapped from apex_050100.wwv_flow_ldap. DO_INIT and DO_BIND are other
            -- routines of that package; DO_BIND wraps dbms_ldap.simple_bind_s.
            FUNCTION DO_INIT_AND_BIND_FOR_DN (
                P_USERNAME     IN VARCHAR2 DEFAULT NULL,
                P_PASSWORD     IN VARCHAR2 DEFAULT NULL,
                P_SEARCH_BASE  IN VARCHAR2,
                P_HOST         IN VARCHAR2,
                P_PORT         IN VARCHAR2 DEFAULT 389,
                P_USE_SSL      IN VARCHAR2 DEFAULT 'N')
                RETURN VARCHAR2
            IS
                L_DUMMY   PLS_INTEGER;
                L_DN      VARCHAR2(4000);
                -- builds <attr>=<escaped username>[,<search base>]
                FUNCTION BUILD_DN (
                    P_ATTR IN VARCHAR2 )
                    RETURN VARCHAR2
                IS
                BEGIN
                    RETURN P_ATTR||'='||
                           WWV_FLOW_ESCAPE.LDAP_DN (
                               P_STRING           => P_USERNAME,
                               P_ESCAPE_NON_ASCII => FALSE )||
                           CASE WHEN P_SEARCH_BASE IS NOT NULL THEN
                             ','||
                             P_SEARCH_BASE
                           END;
                END BUILD_DN;
            BEGIN
                DO_INIT (
                    P_HOST    => P_HOST,
                    P_PORT    => P_PORT,
                    P_USE_SSL => P_USE_SSL );

                IF LOWER(P_USERNAME) LIKE 'cn=%' OR LOWER(P_USERNAME) LIKE 'uid=%' THEN
                    -- the caller already supplied the RDN: use it as given, append the search base
                    WWV_FLOW_DEBUG.TRACE('...rdn is already in p_username');
                    L_DN    := P_USERNAME||
                               CASE WHEN P_SEARCH_BASE IS NOT NULL THEN
                                 ','||P_SEARCH_BASE
                               END;
                    L_DUMMY := DO_BIND(
                                   P_DN       => L_DN,
                                   P_PASSWORD => P_PASSWORD );
                ELSE
                    -- otherwise try cn=<username> first and, on any bind error, uid=<username>
                    WWV_FLOW_DEBUG.TRACE('... try cn=<p_username> and uid=<p_username>');
                    BEGIN
                        L_DN := BUILD_DN(P_ATTR => 'cn');
                        L_DUMMY := DO_BIND(
                                       P_DN       => L_DN,
                                       P_PASSWORD => P_PASSWORD );
                    EXCEPTION WHEN OTHERS THEN
                        L_DN := BUILD_DN(P_ATTR => 'uid');
                        L_DUMMY := DO_BIND(
                                       P_DN       => L_DN,
                                       P_PASSWORD => P_PASSWORD );
                    END;
                END IF;
                RETURN L_DN;
            END DO_INIT_AND_BIND_FOR_DN;

            • 3. Re: LDAP Authentication with APEX_LDAP
              jozzh

              Try using the UserPrincipalName as your login user. For me that solved some problems with baseDN / search base.

              The syntax is theuser@ldap_host

               

              I'm not using LDAP for internal developer auth, just for the end users.

              • 4. Re: LDAP Authentication with APEX_LDAP
                Eichelburg

                Alright. Found it...

                 

                You must use "cn" or "uid"... As in my case, when you use cn, it is not the logon name, principal name or NT logon name. It is the username.

                In my case: my name is Stefan Eichelburg.

                The username is: Eichelburg Stefan

                ...not, as I expected, the logon name: md\eichelburgs or eichelburgs

                 

                And you have to use the search base. In my case it was: 'OU=my_company,OU=the_other_company,DC=my,DC=company,DC=domain'

                 

                The correct configuration is:

                host: ldap.server.ip.address
                port: 389
                No SSL
                DN String : cn=%LDAP_USER%,OU=my_company,OU=the_other_company,DC=my,DC=company,DC=domain
                use exact DN : Yes
                Username escaping : Standard

                 

                Log in with the "cn". You can find that out with the program LDAP Admin. It's a free standalone tool.

                 

                That scenario works fine when you login an application.

                But it was my intention to log into all the different workspaces my company has with just one LDAP user.

                And that is not as comfortable as I thought... You can also use the LDAP authentication scheme for your workspace developers / administrators... BUT you have to create a user for every workspace manually. Only the password gets authenticated against the LDAP server. The user must be set in Manage Workspace -> Manage Developers and Users -> Create/Edit user

                 

                Well...
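To make the DN construction discussed in replies 2 and 4 concrete, here is an added Python model (not Apex's or Oracle's code) of how the %LDAP_USER% value is escaped and substituted into the DN template and then tried as cn= and uid=, against a constructed in-memory directory that stands in for the LDAP server. The search base and the CN "Eichelburg Stefan" come from the thread; the simulated bind and the use of RFC 4514 rules for the "Standard" escaping mode are assumptions.

```python
# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_SPECIAL = {'\\', ',', '+', '"', '<', '>', ';'}

def escape_dn_value(value):
    """Escape a string for use as an RDN attribute value (RFC 4514).
    Assumed to model Apex's "Username escaping: Standard" for %LDAP_USER%."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)      # e.g. the backslash in md\theuser
        elif ch == '#' and i == 0:
            out.append('\\#')          # a leading '#' would start a hex-encoded value
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')          # leading/trailing space must be escaped
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)

def build_dn(template, username):
    """Substitute the escaped login name into an Apex-style DN template."""
    return template.replace('%LDAP_USER%', escape_dn_value(username))

# Constructed stand-in for the directory (DN -> password). As in the thread,
# the CN is the display name "Eichelburg Stefan", not the NT logon name.
SEARCH_BASE = 'OU=my_company,OU=the_other_company,DC=my,DC=company,DC=domain'
DIRECTORY = {'cn=Eichelburg Stefan,' + SEARCH_BASE: 'secret'}

def simple_bind(dn, password):
    """Simulated simple bind: succeeds only for an exact DN and password."""
    return DIRECTORY.get(dn) == password

def authenticate(username, password, search_base=SEARCH_BASE):
    """Same lookup order as the unwrapped DO_INIT_AND_BIND_FOR_DN: an RDN the
    caller already supplied (cn=/uid=) is used as given, otherwise cn= is
    tried first and uid= second. Returns the DN that bound, or None."""
    if username.lower().startswith(('cn=', 'uid=')):
        candidates = [username + ',' + search_base]
    else:
        candidates = [build_dn(attr + '=%LDAP_USER%,' + search_base, username)
                      for attr in ('cn', 'uid')]
    for dn in candidates:
        if simple_bind(dn, password):
            return dn
    return None

if __name__ == '__main__':
    for user in ('md\\theuser', 'Eichelburg Stefan', 'cn=Eichelburg Stefan'):
        print(repr(user), '->', authenticate(user, 'secret'))
```

Running it shows the NT-style name md\theuser never matches a DN in the directory, while the CN does, with or without the cn= prefix supplied by the caller.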

                • 5. Re: LDAP Authentication with APEX_LDAP
                  Eichelburg

                  Hi, thanks...

                   

                  I wanted to use it for internal developer auth with a post-process that does a second auth against our internal auth system...

                  But I learned you have to create every developer/admin user manually... for every workspace... Only the password is from LDAP.

                   

                  BR!

                  • 6. Re: LDAP Authentication with APEX_LDAP
                    jozzh

                    Maybe you want to utilize the CREATE_USER Procedure for creating your users:

                     

                    https://docs.oracle.com/cd/E59726_01/doc.50/e39149/apex_util.htm#AEAPI114

                    • 7. Re: LDAP Authentication with APEX_LDAP
                      Eichelburg

                      Creating these users automatically would be the most comfortable approach... I guess.

                      Thanks for the advice...

                      • 8. Re: LDAP Authentication with APEX_LDAP
                        Eichelburg

                        Hi,

                         

                        I tried to use the apex_util.create_user procedure.

                         

                        Since you can't access the :USERNAME variable in the Pre- or Post-Authentication procedures, I tried it in the "LDAP Username Edit Function".

                         

                        I got the Error: An API call has been prohibited. Contact your administrator. Details about this incident are available via debug id "8350".

                         

                        Well, prohibited.

                        Maybe because I wasn't logged in when I executed the apex_util.create_user proc. Maybe because it is just prohibited to create a user on login.

                        Couldn't find any Apex debug IDs.

                         

                        BR