APEX_LDAP.AUTHENTICATE - using Microsoft Active Directory

Application Express 4.1.1.00.23
Internet Explorer - 8
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
Hi very new to Apex and trying to get the authenticaqtion to work against our active directory. I have setup an authentication scheme for my application chossing the schema type as LDAP Directory...my settings are as follows:
Host : ****
Port : 389
Use SSL: No SSL
Distinguished Name (DN) String : domain\%LDAP_USER%
Use Exact Distinguished Name (DN) : Yes
This works perfectly and authenticates the user against active directory. The problem is when I try do the following in the database as I really want to setup a custom authentication scheme, it just does not work.
Begin
IF apex_ldap.authenticate(
p_username => 'testusername',
p_password => 'testpassword',
p_search_base => 'domain\%LDAP_USER%',
p_host => '*****',
p_port => 389) THEN
dbms_output.put_line('True');
Else
dbms_output.put_line('False');
End If;
End;
No matter what I do this always returns false. I have created a function based on same code and created a custom authentication scheme that calls the function but I always get a false. Not sure why it works one way and not the other. Also would really appreciate if someone could help me get the code above to work or help correct it.
I have looked through the forum and tried many different search base strings but nothing seems to work.
Regards
Ash

Hi Ash,
Microsoft AD allows "domain\%LDAP_USER%" instead of a real distinguished name (DN), but this does not work with apex_ldap.authenticate. The authenticate function tries to create a DN from username and search base. It does not substitute the "%LDAP_USER%" pattern with the username. Based on the parameters I see in your example, it would try to authenticate with "cn=testusername,domain\%LDAP_USER%", which is clearly wrong, hence the authentication failure.
What you could do is use another package, although it's not in the official API docs, like this (untested):
Begin
    IF wwv_flow_custom_auth_ldap.authenticate(
           p_dn => 'domain\testusername',
           p_password => 'testpassword',
           p_ldap_host => '*****',
           p_ldap_port => 389)
    THEN
        dbms_output.put_line('True');
    Else
        dbms_output.put_line('False');
    End If;
End;Regards,
Christian

Similar Messages

  • Web Service Authentication using Microsoft Active Directory

    Hi
    Is there a way to create Oracle Java Web Services that requires authentication using Active Directory?
    Regards,
    Néstor Boscán

    If you use the SOA Suite the Oracle Web Service Manager is included in there. Using this you can add steps that will authenticate against an AD.
    cu
    Andreas

  • Webservice authenticate by microsoft active directory

    Hi,
    i am a newbie about web services...
    i want to create a 'secure' web service that user have to provide user name
    and password so as to call the web service..
    i am using jdeveloper 10.1.3.1...
    i secured the web service by wss (set through web service wizard..
    i.e. right-click web service..then Security->Authenticate, tick the 'Expect username to
    authenticate" and "password required")...
    *****My question is how can authenticate the user through active directory?
    *****Counld anybody please give me some information?
    thank you...
    Message was edited by:
    lsp

    Hi Tugdual,
    thank you for your advice...
    i follow the document "External LDAP Security Providers" and set up the
    LDAP security provider...
    in the OC4J web admin security page...i have press the 'test ldap authorization'
    button to confirm the ldap connection is correctly set.
    but when i want to call the web service, deployed in that OC4J container,
    operation fail with an error message :
    javax.xml.rpc.soap.SOAPFaultException: UnsupportedCallbackException: oracle.security.jazn.callback.IdentityCallback@19f410 not available to gather authentication information from the user
         at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
         at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
         at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
         at test.proxy.ws1.runtime.MyWebService1SoapHttp_Stub.getUserNameYY(MyWebService1SoapHttp_Stub.java:134)
         at test.proxy.ws1.MyWebService1SoapHttpPortClient.getUserNameYY(MyWebService1SoapHttpPortClient.java:50)
         at test.proxy.ws1.MyWebService1SoapHttpPortClient.main(MyWebService1SoapHttpPortClient.java:33)
    it seems the problem is related to the web service client proxy..
    do you have any idea or solution??
    thank you...
    Message was edited by:
    lsp

  • Problem with Oracle external procedures and Microsoft Active Directory

    Hi,
    Our server was recently updated to use Microsoft Active Directory. However, we noticed that all external procedure calls keeps on failing with ORA-28575: unable to open RPC connection external procedure agent. Everything was working fine before we migrated to Active Directory which is why we can say that the listener is configured correctly.
    Any idea on how we can make extproc calls with Active Directory?
    thanks.

    Michael,
    Oracle Forms does support Single Sign-On (SSO). Take a look at Oracle Containers for J2EE Security Guide: OC4J Java Single Sing-On. Also take a look at the Oracle Forms 10g Sample Code and scroll to the SSO demo under the Forms Services Demo section. There are also, numerous other documents available via Google. ;-)
    Craig B-)
    If someone's response is helpful or correct, please mark it accordingly.

  • How to authenticate Username and password in MVC using Azure Active Directory

    Need a sample application where in need to authenticate user entered logindetails using Azure Active directory.

    Hi,
    Kindly go through beneath article which helpful to understand the procedure.
    How to Authenticate Web Users with Azure Active Directory Access Control
    http://azure.microsoft.com/en-in/documentation/articles/active-directory-dotnet-how-to-use-access-control/
    Developing ASP.NET Apps with Windows Azure Active Directory
    http://www.asp.net/identity/overview/getting-started/developing-aspnet-apps-with-windows-azure-active-directory
    Adding Sign-On to Your Web Application Using Azure AD
    https://msdn.microsoft.com/en-us/library/azure/dn151790.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • How i use OEM 12c to monitor Microsoft Active directory.

    Hi,
    How i use OEM 12c to monitor Microsoft Active directory.Please assist me on this.
    Thanks,
    Sagar

    Hi,
    The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
    Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
    In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.
    Don't forget that you have to manually replicate all IPS configuration every time you make a change.
    HTH
    Andrew.

  • SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

    Hi,
    we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
    When we setup the Portal, we used the UME of the ECC - ABAP.
    The portal is used internally only.
    Now we want to provide SSO.
    User authenticate against Windows Active Directory (Windows 2003).
    We thought SSO via spnego would be the best solution.
    Any better alternates, we should use?
    We are following the SAP documentation:
    SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On
    We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
    When we setup the portal from scratch using ABAP as its UME, in the system configuration, LDAP can't be selected/add as data source.
    In case we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
    What is not clear to us, when we active now LDAP via config tool, if we would now lose the ABAP connection.
    Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?
    In 7.3 SSO is pretty simple to get it running, thanks to the many tutorials here and on the internet.
    Thanks for your help.
    Best regards
    Carlos Behlau

    Hi,
    I was able to generate the key via ktab program.
    But when I am enable SSO, nothing is happening when I try to log-on via SSO to the portal.
    I installed WebDiag tool on the portal server and ran trace.
    The users are located in domain: company.com of activate directory.
    The Java AS are located in domain: sap.company.com of activate directory.
    The sap.company.com domain acts as child of company.com.
    When I check the WebDiag trace, I see for the SPNegoLoginModule - the entry "... no key (etype: 23) for realm sap.company.com available ..."
    I would except company.com as realm key, as the keytabs have been generated on the domain controller of company.com.
    Is it possible to get SSO with child domain running?
    Based on the statement of the network folks, child and father domain having a trust.
    Thanks for your help.
    Best regards
    Carlos

  • Lion Server 10.7.4 VPN service not using my Active Directory domain for authentication

    I have Lion Server 10.7.4 setup on a Mac Mini and I have enabled the VPN service for both L2TP and PPTP. The Mac Mini is joined to my Windows Domain at a functional level of Server 2008 R2. I have set the authentication paths to point to my domain in Directory Utility.
    What I would like to have happen is for my laptop to be able to VPN into my office network remotely using domain credentials and not local account credentials on the Mac Mini itself. This is a process I have done numerous times on Windows boxes, but for some reason the only way I can get the VPN to work on this instance of Lion Server 10.7.4 is by authenticating using local accounts only.
    Does Lion Server 10.7.4 only authenticate VPN users based on it's local account schema? Or can it truly authenticate against an active directory domain?
    Any suggestions or help is greatly appreciated. Thanks,

    Hi g-pirtle,
    Yes, I had already done that a few days ago. I was able to add the desired AD group to the allowed users/groups for the VPN service. Thats exactly what is so weird about this...it allows me to search for and add an AD user or group to the list of allowed users/groups, but then when I actually try to use a domain account to authenticate to the VPN is just gives me the "cannot authenticate" error. Very strange.
    I wondered if for some reason Apple is only allowing local accounts to be authenticated against. Sounds crazy, but I cannot for the life of me get this to work. I also wondered if Kerberizing the server would help, but when I go to join a Kerberos realm in Open Directory inside of Server Admin, it just has no realm listed in the drop down menu.
    Other than that, all other aspects of the Mac Mini being joined to the AD domain seems to be good. I'm really stumped here...
    Thanks again,

  • Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

    Dear all,
    I am looking to setup the use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature. We SSO to the backened ABAP AS via an SAP NW Portal to which SPNEgo kerberos authentication is setup. Today we specify R3 user id/password to digitally approvae a lot release. The idea is to have users maintain one AD password and don't have to remember the R/3 password anymore and also our Security team to avoid password maintenance.
    I know there are 3 options for digital signature and
    System signature with authorization by user ID and password (We use this currently)
    Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
    User signature without verification
    Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I found documentation about it ?
    I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
    My active directory is based on Windows 2008.
    Thanks in advance!!
    Dhee

    Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

  • Use Microsoft Online Directory Services as a user authentication provider for our own SharePoint farm?

    Hi,
    I've managed to configure my farm so that  Microsoft Online Directory Services (Office 365 etc.) can be used for STS authentication, but what I'm actually trying to do is allow user authentication - that is, I'm hoping to be able to use the user's
    O365 credentials to authenticate them in my own farm so they can view certain parts of it. If I need to write my own login form or authentication provider or whatever that's fine, as long as the user doesn't need to enter anything when they access my farm
    (provided they already have cached O365 credentials in their browser session).
    FWIW I actually need to be able to support the possibility that users are coming from multiple O365 tenancies, whereby each site collection will be configured to allow users from a different O365 tenancy (more or less).
    If it's not possible to do with my own development farm on a PC, it is possible if the farm is hosted in Azure?
    Thanks
    Dylan

    Hi  Dylan,
    According to your description, my understanding is that you want to use Microsoft Online Directory Services as a user authentication provider for your SharePoint farm.
    For your demand, you can configure a hybrid topology for your SharePoint farm:
    http://technet.microsoft.com/en-us/library/jj838715(v=office.15).aspx
    http://technet.microsoft.com/en-us/library/dn197168(v=office.15).aspx
    Thanks,
    Eric
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support,
    contact [email protected]
    Eric Tao
    TechNet Community Support

  • Portal Integration with Microsoft Active Directory

    We are working on a project to integrate Oracle9iAS Portal with Microsoft Active Directory. I am wondering if anyone has any experience with this and hence suggestions. Particularly, I'm wondering if its possible and how to use Active Directory to manage the Portal user accounts and group relationships?

    Please note that we finally got this working. For Active Directories sake, I would suggest using userPrincipalName or sAMAccountName as the Unique Attribute. Also, note that Active Directory uses OUs for organization, not CNs, so the search base should be either just the DN of the domain or an OU in the domain. Also, be sure to specify the full DN of the Bind DN as in CN=Administrator,CN=Users,DN=domain,DN=com

  • E-Business suite r12 login through Microsoft Active Directory

    I integrated E-business suite release 12.1 with SSO and OID and i want to integrate OID with Microsoft Active Directory. how is this possible?

    804050 wrote:
    I integrated E-business suite release 12.1 with SSO and OID and i want to integrate OID with Microsoft Active Directory. how is this possible?Yes, it is possible. The basic idea is EBS 12.1 will use OID, which will be configured to use third party external authentication, like Microsoft AD.
    Please see this document:
    Oracle® Identity Management Integration Guide
    10g (10.1.4.0.1)
    Part Number B15995-01
    Chap 19 Integrating with Microsoft Active Directory
    HTH
    AMN

  • Oracle account and microsoft active directory password synchronisation

    Hi
    We are migrating our application to use windows active directory authentication. We have separate oracle account for
    each logged in user in the application, and these oracle credentials have to be the same as the windows active directory
    credentials.
    Also, a password change on windows Active directory should change the oracle account password.
    Is there a tool available to manage and synchronize the microsoft active directory and oracle account.
    We use oracle 10g and application is hosted on Windows 2008 server.
    Thanks
    Karthik

    There's an OOTB connector for Password Synch between AD -> OIM. Please use that.
    http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html
    For password synch, OIM- AD/Oracle, you can use triggers.
    Enabling update for provisioned user in OIM11g

  • Integrate Oracle Apps R12 with Microsoft Active Directory

    Dear Friends,
    I am using Oracle Apps R12.1.3 and alsoo we have Microsoft Activity Directory.
    we need to integrate both so that any employee cretaed in Oracle Apps HRMS will be replicated in Microsoft Directory.
    Please let us know the oracle 10g and 11g products we have to use to achieve this.
    Please let us know both 10g and 11g products and is 10g products covered in Oracle support?
    Regards,
    DB

    Please see these docs/links.
    Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On 10gR3 (10.1.4.3) [ID 376811.1]
    Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-on and Oracle E-Business Suite [ID 876539.1]
    Registering Oracle E-Business Suite Release 12 with Oracle Internet Directory 11gR1 and Single Sign-On [ID 1370938.1]
    External Authentication To Active Directory Integration With E-Business Suite [ID 429020.1]
    Re: Integrating Active directory  with oracle EBS 12.1.3 with 11g R2 database
    Re: Oracle EBS with SSO
    Re: Need to integrate AD with R12.1.3 with the most simplest architecture.
    Re: EBS R12,how to use OID implement SSO without OAM/OID(with 3rd product)?
    Thanks,
    Hussein

  • How can I configure ECC6.0 to use LDAP (Active Directory) password

    We're setting up an integrated authentication between the ECC 6.0 and the LDAP server, in our case the Microsoft Active Directory. We have some users that can't use WebGui because some features, that only run in the SapGui. We have already configured UME in the Sap Portal accessing directly the ADS server, and Sap Logon Ticket from Portal to ECC. Everything is ok to access the WebGui and SapGui by the Portal with the Sap Logon Ticket. However it demands that all users make the authentication previously in the Sap Portal. Is there another scenario only with SAP tools, for example using Sap Logon directly to the Active Directory. Obs.: Our entire sap servers are UNIX.

    I had already read all these notes.
    In the last week, I tried to configure the UME in our PI/XI environment to access the LDAP. As the result, the ABAP stack was perform the authentication perfectly above the LDAP. However I had some problems with the Java stack and I comeback the back. I will try it, in the next week again.
    It's what I'd like to ECC environment. Anyone has already configured the UME in an ECC? Install a basic Java stack without all Java components only the UME in order to make this integration. If it’s possible I’ll very appreciate any documentation.
    Other problem is the limitation of datasource in the UME, I didn't remember exactly but I guess that is only 5 (Authorization in the ECC, BI, SolMan, PI, APO, CRM, LDAP, Portal, etc). If it's possible I'll group the environments in different UME managers. Forget this paragraph lets focus in the integrated authentication in this thread after that authorization.

Maybe you are looking for