I'm trying to create an LDAP authentication scheme on XE APEX

Hi --
I hope I did not do something or not do something really dumb. I followed the instructions on http://www.oracle.com/technology/products/database/application_express/howtos/how_to_ldap_authenticate.html to create an LDAP authentication scheme from the gallery. After the final 'Create Scheme' button has been hit, I get the green check mark and a statement "Authentication Scheme Created". However, below that, on the content section, I get "No authentication schemes have been defined. You can create a new authentication scheme starting with the Create Scheme button above.".
It seems like nothing happened because I don't see the new scheme I just created.
I am running an APEX on an XE oracle.
Thanks
Betty

Betty,
Sorry about that. That's one of those bugs that was identified after XE went out the door.
Joel

Similar Messages

  • What's required to use the built-in LDAP authentication scheme

    In order to use the built-in LDAP authentication scheme in my ApEx application, do I have to have anything more installed in my Oracle environment or available to us than accessible LDAP addressing? Our environment is a 10.2 database instance (Enterprise Edition) with ApEx and Microsoft Active Directory that has LDAP set up. It looks like all the DBMS_LDAP packages are in place in my database.
    I'm using something similar to the below for built-in prompts but all LDAP tests fail:
    host=ourdc1.ourdc2.ourdc3.edu
    Port=389
    cn=%LDAP_USER%,OU=Users, OU=Department,DC=ourdc1,DC=ourdc2,DC=ourdc3,DC=edu

    Hello,
    What is your name?
    I know this sounds funny but when I was starting with AD LDAP authentication I seem to remember the user name being the key. Instead of "username" I had to use "[email protected]".
    Ultimately, I created a custom package built on DBMS_LDAP as the ApEx package is really targeted for OID.
    Regards,
    Dan

  • LDAP Authentication Scheme - Multiple LDAP Servers?

    How to set up ldap authentication so that multiple ldap servers are available? Scenario: ldap service is replicated through several servers, but does not sit behind a common dns/reverse proxy connection, so applications would list each ldap server and attempt to contact each in order if one or more ldap servers is unreachable.


  • Error in Custom Ldap Authentication

    Hi All,
    I was trying to use the custom LDAP authentication (earlier post: http://forums.oracle.com/forums/thread.jspa?threadID=2251976&stqc=true) but was not successful in making it work with our AD LDAP server. That's when I came across the post http://forums.oracle.com/forums/thread.jspa?messageID=916185&#916185
    I used the same function
    create or replace function authenticate_aduser(
        p_username in varchar2,
        p_password in varchar2)
    return boolean
    is
        l_user        varchar2(256);
        l_ldap_server varchar2(256) := '<Hostname>';
        l_domain      varchar2(256) := '<Domain Name>';
        l_ldap_port   number := 389;
        l_retval      pls_integer;
        l_session     dbms_ldap.session;
        l_cnt         number;
    begin
        -- a simple bind with an empty password is an unauthenticated bind, not a credential check
        if p_password is null then
            return false;
        end if;
        l_user := p_username||'@'||l_domain; -- bind name in user@domain form
        l_session := dbms_ldap.init( l_ldap_server, l_ldap_port ); -- start session
        l_retval := dbms_ldap.simple_bind_s( l_session, l_user, p_password ); -- auth as user
        l_retval := dbms_ldap.unbind_s( l_session ); -- unbind
        return true;
    exception when others then
        l_retval := dbms_ldap.unbind_s( l_session );
        return false;
    end;
    /

    Test it by giving correct password
    SQL> declare
    begin
        if authenticate_aduser('<username>','<correct password>') then
            dbms_output.put_line('Test Successful');
        else
            dbms_output.put_line('Test Failed');
        end if;
    end;
    /
    Test Successful
    PL/SQL procedure successfully completed.

    Tested it by giving wrong password
    SQL> declare
    begin
        if authenticate_aduser('<user name>','<wrong password>') then
            dbms_output.put_line('Test Successful');
        else
            dbms_output.put_line('Test Failed');
        end if;
    end;
    /
    Test Failed
    PL/SQL procedure successfully completed.

    So the function is working perfectly with LDAP server.
    I am trying to create a custom authentication scheme with the above function.
    Shared Components -> Authentication Schemes -> Create -> From Scratch ->
    In Authentication Function -> return authenticate_aduser(:P101_USERNAME,:P101_PASSWORD);
    In Logout URL -> wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=4155:PUBLIC_PAGE
    Then, after setting this as the current authentication scheme, whenever I try to log in with correct credentials it gives me the error
    Invalid Login Credentials
    Kindly let me know where I am going wrong here.
    Thanks & Regards,
    Vikas Krishna

    I was able to fix this.
    I used the same function authenticate_aduser
    and then followed blog http://www.talkapex.com/2009/03/custom-authentication-status.html to create a custom authentication. It worked finally.
    Thanks to Martin for his wonderful post.
    Thanks & Regards,
    Vikas Krishna

  • How to use two different LDAP authentication for my Apex application login

    Hi,
    I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
    cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
    cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
    The problem is I couldn't point out both the groups in the DN string; I am trying to allow both user groups to access the application.
    Does anyone know how to define both the groups in the LDAP DN string?
    Thanx in advance
    Vijay.

    Vijay,
    I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
    Scott

  • LDAP Authentication - Multiple Domains

    I want to be able to use the built-in LDAP Authentication scheme to allow authentication against multiple AD Domains... each with its own separate Host IP/Server, and LDAP DN String. The User ID is formatted the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
    Host: xx.xx.xx.xx
    DN String: %LDAP_USER%@amer.globalco.net
    (amer.globalco.net is the domain)
    How can this be accomplished? Is it possible, all you gurus out there?
    I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
    I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
    Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
    As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
    Please include example/suggested SQL -
    Thanks in advance...
    Rich
    Apex v3.2.1
    Oracle 10G Express

    Based on a prior post, I had a similar question and the result was to write a custom auth scheme to read the values from the login page, perform auth against the appropriate LDAP, then return a valid session to proceed with login in the APEX app. In our case, the issue was having users in different branch nodes on the same LDAP server but not being able to search from a common higher-level branch for some reason...
    Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per LDAP/domain; maybe you would even have to have multiple apps with just a login page and then redirect to the main app... It's been a really long time since I've tried anything like it, just giving some options to try.
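
The three threads above (several LDAP servers, several OUs, several AD domains) all come down to a custom authentication function that tries more than one directory target. This is an added example, not code from any poster or from Oracle: the function name, the example.com hosts and the allowed-character rule are assumptions, and the two DN shapes are the ones quoted in the threads.

```sql
-- Added example. authenticate_multi_dir, the hosts and the character
-- allow-list are hypothetical; adjust them to your own directories.
create or replace function authenticate_multi_dir (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    type t_target is record (
        host    varchar2(256),
        port    pls_integer,
        dn_tmpl varchar2(512)    -- %LDAP_USER% is replaced by the login name
    );
    type t_targets is table of t_target index by pls_integer;

    l_targets t_targets;
    l_session dbms_ldap.session;
    l_retval  pls_integer;
    l_bound   boolean;
begin
    -- An empty password turns a simple bind into an unauthenticated bind,
    -- which a directory may answer with success. Refuse it before binding.
    if p_username is null or p_password is null then
        return false;
    end if;

    -- The login name is spliced into a DN, so accept only a conservative
    -- character set (assumption: login names need nothing else).
    if not regexp_like(p_username, '^[A-Za-z0-9._-]{1,64}$') then
        return false;
    end if;

    -- Targets are tried in this order. Plain LDAP on 389 sends the bind
    -- password unencrypted; DBMS_LDAP.OPEN_SSL is the call for TLS.
    l_targets(1).host    := 'ldap1.example.com';
    l_targets(1).port    := 389;
    l_targets(1).dn_tmpl := 'cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com';
    l_targets(2).host    := 'ldap2.example.com';
    l_targets(2).port    := 389;
    l_targets(2).dn_tmpl := 'cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com';
    l_targets(3).host    := 'ad-amer.example.com';
    l_targets(3).port    := 389;
    l_targets(3).dn_tmpl := '%LDAP_USER%@amer.globalco.net';

    dbms_ldap.use_exception := true;   -- a failed init or bind raises

    for i in 1 .. l_targets.count loop
        l_session := null;
        l_bound   := false;
        begin
            l_session := dbms_ldap.init(l_targets(i).host, l_targets(i).port);
            l_retval  := dbms_ldap.simple_bind_s(
                             l_session,
                             replace(l_targets(i).dn_tmpl, '%LDAP_USER%', p_username),
                             p_password);
            l_bound   := true;
        exception
            when others then
                null;   -- unreachable host or rejected bind: try the next target
        end;

        -- Release the session on every path, including after a failed bind.
        if l_session is not null then
            begin
                l_retval := dbms_ldap.unbind_s(l_session);
            exception
                when others then null;
            end;
        end if;

        if l_bound then
            return true;
        end if;
    end loop;

    return false;   -- no target accepted the credentials
end authenticate_multi_dir;
/
```

Every target that rejects the bind records a failed logon in that directory, so a mistyped password counts once per target toward any lockout threshold.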

  • LDAP Authentication / User-Role in a database (Weblogic Security)

    Hi,
    I would like to configure the Authentication with an LDAP Server (LDAP Authenticator) and the mapping between users and roles in an external database.
    I saw the following post, http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html.
    According to the previous post, I created an LDAP Authenticator (trying to use embedded LDAP) and a SQL Authenticator.
    The problem is that it doesn't use LDAP Authentication, it only uses SQL Authentication.
    I'm looking for a solution where password would remain in the LDAP Server and the username/role mapping would be in the database tables.
    Consider I'm using WLS 10.3 and JDeveloper 11g.
    Any suggestions?
    Thanks in advance,
    Olga

    Hi,
    Check following forum thread.
    Re: custome role maper example
    Regards,
    Kal

  • AD LDAP authentication or authorization

    Hi,
    It really drives me crazy because I can't seem to find the right solution for my issue.
    I'm trying to use the LDAP authentication for my apex applications.
    So far, straight forward LDAP authentication works just fine, but EVERYBODY who has a user account can log into any application.
    I'm using the %LDAP_USER% string to validate the users and that's just fine.
    But I want to restrict somehow users from logging into my applications.
    Either way, by LDAP groups or a users table in every application.
    Can someone please help me with this, or give me directions/examples of login functions/schemes?
    Thanks so much!
    Regards, Bas

    What you have done so far is called Authentication. It's the question of "who am I?"
    What you want to add is called Authorization, which is the "what can I do?"
    So, you need to create an Authorization Scheme to secure components of your application. An authorization scheme can secure almost any component of an APEX app including:
    - The application
    - Pages
    - Tabs
    - Regions
    - List items
    - Items
    - Columns in reports
    - More that I'm not thinking of
    Look at the doc on authorization schemes. You have 2 primary options that I can think of:
    1) Use LDAP groups by using the APEX_LDAP package to lookup information about a user. I'm not sure if the member_of function works against AD or just OID, you might need to use the get_attribute function instead. In short, you query AD, then return true or false based on the attributes of the user. Once they are logged in you can reference the username with the :APP_USER APEX variable
    2) A table of usernames (not passwords). Your authorization scheme could just be an "Exists query" such as:
    select 1 from valid_users where username = :APP_USER
    Once you decide on an authorization scheme and create it, you then edit the security attributes of your app / page / region / etc. and apply it.
    Tyler Muth
    http://tylermuth.wordpress.com
    "Applied Oracle Security: Developing Secure Database and Middleware Environments": http://sn.im/aos.book
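
Option 1 from the reply above (authorization decided from the user's LDAP groups), as an added example that is not code from the post or from Oracle. It uses DBMS_LDAP directly instead of APEX_LDAP and assumes an Active Directory with the sAMAccountName and memberOf attributes; the function name and every host, DN and credential shown are placeholders.

```sql
-- Added example. is_group_member and all connection values are hypothetical.
-- In SQL*Plus, run SET DEFINE OFF first so '&' in the filter is left alone.
create or replace function is_group_member (
    p_username in varchar2,    -- pass :APP_USER
    p_group_dn in varchar2     -- full DN of the group allowed to use the app
) return boolean
is
    l_host   constant varchar2(256) := 'ldap.example.com';            -- placeholder
    l_port   constant pls_integer   := 389;
    l_base   constant varchar2(256) := 'dc=example,dc=com';           -- placeholder
    l_svc_dn constant varchar2(256) := '<service account DN>';        -- placeholder
    l_svc_pw constant varchar2(256) := '<service account password>';  -- placeholder

    l_session dbms_ldap.session;
    l_attrs   dbms_ldap.string_collection;
    l_result  dbms_ldap.message;
    l_retval  pls_integer;
    l_count   pls_integer := 0;

    -- Escape the characters that have meaning inside an LDAP search filter
    -- (RFC 4515), so a login name cannot rewrite the filter. The backslash
    -- is handled first because the other replacements introduce backslashes.
    function ldap_escape (p_val in varchar2) return varchar2 is
    begin
        return replace(replace(replace(replace(
                   p_val, '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');
    end ldap_escape;
begin
    if p_username is null or p_group_dn is null then
        return false;
    end if;

    dbms_ldap.use_exception := true;
    l_session := dbms_ldap.init(l_host, l_port);
    l_retval  := dbms_ldap.simple_bind_s(l_session, l_svc_dn, l_svc_pw);

    -- Match the one account that has this login name AND lists the group
    -- in memberOf. Arguments: session, base, scope, filter, attributes,
    -- attronly flag, result handle.
    l_attrs(1) := 'cn';
    l_retval := dbms_ldap.search_s(
                    l_session,
                    l_base,
                    dbms_ldap.scope_subtree,
                    '(&(sAMAccountName=' || ldap_escape(p_username) || ')'
                        || '(memberOf=' || ldap_escape(p_group_dn) || '))',
                    l_attrs,
                    0,
                    l_result);

    l_count  := dbms_ldap.count_entries(l_session, l_result);
    l_retval := dbms_ldap.msgfree(l_result);
    l_retval := dbms_ldap.unbind_s(l_session);

    return (l_count = 1);
exception
    when others then
        -- Fail closed: any directory error means "not authorized".
        if l_session is not null then
            begin
                l_retval := dbms_ldap.unbind_s(l_session);
            exception
                when others then null;
            end;
        end if;
        return false;
end is_group_member;
/
```

In an authorization scheme of type "PL/SQL Function Returning Boolean" the body would be `return is_group_member(:APP_USER, '<group DN>');`. Only direct membership is matched; nested groups are not resolved.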

  • Anybody got LDAP Authentication working?

    Hi all,
    I'm not sure if I am understanding the concept correctly, so I hope someone here can help clarify for me:
    1. I'm trying to get all my Linux desktops and servers to authenticate against eDirectory on my OES server. This is a new network (actually a lab network), and so the desktops (running OpenSUSE 12.2) and servers (running SLES11SP1) are newly installed, with no local users except for root.
    2. I setup LDAP authentication on desktops and servers using YaST and using the LDAP browser, I can see and browse the tree.
    3. When I login as an eDirectory/LDAP user, I assumed that a Home Directory and local user account would be created on the desktop and server, but this does not happen. Instead, I get an Authentication Failure.
    4. On OpenSUSE 12.2, which uses SSSD instead, I do not see any incoming LDAP request, so of course, that fails.
    5. On SLES11SP1, I also get an authentication failure (I have not done a DSTRACE to see if any incoming LDAP requests are received by the eDirectory/LDAP/OES11 server).
    So, my question is: do I need to create the user and/or home directory locally first (and the local user's username and password should match the eDirectory/LDAP one?), or is the local account created once LDAP authentication is successful? Or is there some other mechanism here?
    Thanks in advance for any help, and Happy Lunar New Year to all!

    You should not need to create the user first afaik, and while creating the
    home directory may be required the system may handle that as well; in any
    case, lacking a home directory is not a reason to normally prevent a
    successful login (though lacking one, if the system does not create one
    automatically, the user will probably get an error about not being able to
    change into their home directory).
    You did not mention LUM-enabling the relevant users; if not already done
    perhaps this is the problem since a user that is not LUM-enabled will not
    have the uidNumber, gidNumber, loginShell, or other attributes associated
    with the posix* auxiliary classes, and therefore will not be valid users
    to the Linux machines. You mentioned not having done the ndstrace yet;
    start there as it should give you a good clue.
    Good luck.

  • How to create a custom authentication in APEX?

    Hello
    I have little experience in APEX and I'm trying to create a custom authentication for a new application I'm developing. I've tried to follow replies in other posts but with no success...
    I already have a table for usernames and passwords - let's call it table_users - having the following fields: ent_id, ent_username, ent_password and ent_type. I don't need a form in my application to insert new users; only give users access to change their own password.
    How can I create a custom authentication?
    I thank you in advance for all the replies.

    Hi,
    I used the authentication described in this page, not sure how it weighs up to others but does the job here
    http://djmein.blogspot.com/2007/07/custom-authentication-authorisation.html

  • OAM Basic LDAP Authentication

    I have configured a policy domain with the default Basic Over LDAP authentication scheme.
    I also created a "Role: Any one" on the Authz expression and rule.
    I keep getting the Basic LDAP prompt even when I enter the right credentials. Did I miss anything? I haven't configured any redirect or success stuff. Do I need to?

    The steps tab is showing the correct order. Following is the default Basic over LDAP scheme:
    Name: Basic Over LDAP
    Description: This scheme is Basic over LDAP, using the built-in browser login mechanism
    Level: 1
    Challenge Method: Basic
    Challenge Parameter: realm:LDAP User Name/Password
    SSL Required: No
    Challenge Redirect:
    Enabled: Yes
    obMappingBase="dc=oimdemo,dc=org",obMappingFilter="(&(objectclass=User)(uid=%userid%))"
    obCredentialPassword="password"
    The log file says "The HTTP Authorization header does not have the expected format for basic authentication. Format should be 'Basic [username]:[password]'"
    IIS site directory security has anonymous access disabled and IWA enabled.

  • Create Authentication Scheme From Scratch

    Hi there,
    I have built an application for users, but the problem I ran into is that when I try to create a new Authentication Scheme,
    it doesn't let me create one from scratch.
    The only two options available are:
    - Based on a pre-configured scheme from the gallery
    - As a copy of an existing authentication scheme
    Can someone maybe explain to me why I don't have the option to create a scheme from scratch, and what I will need to do to get the option?
    Yours Sincerely,
    Sebastian!

    The scenario is as follows,
    I'm working on a project for my finals, and they asked us to make an Authentication login for users.
    I can make groups and users in Apex. I've put some users in a group called: 'Developers'. I want users that are in 'Developers' to be blocked
    from certain pages in the application (they may not access all the pages, only certain pages).
    So I have read the book Pro Oracle Application Express 4, AUTHENTICATION AND USER MANAGEMENT,
    and the book says you need to start with an authentication for users.
    I tried it with several tutorials and it still doesn't work. I'm not that good at programming; I do understand what they are saying, but finding everything in apex.oracle is just such a work.
    I did the following.
    Creating the my_users
    apexdemo@10gR2> create table my_users(
        username varchar2(8),
        password varchar2(8)
    );
    insert into user_repository values
    ('john', '1234');
    This was to create a table and add a user into it.
    Next i created a custom Authentication Scheme and added the following code
    create or replace package pkg_auth as
        function authenticate(p_username in varchar2,
                              p_password in varchar2) return boolean;
    end;
    /
    create or replace package body pkg_auth as
        function authenticate(p_username in varchar2,
                              p_password in varchar2) return boolean is
            -- default the result to 0
            v_result integer := 0;
        begin
            -- store 1 in v_result if a matching row
            -- can be found
            select 1
              into v_result
              from user_repository
             where username = lower(p_username)
               and password = p_password;
            -- return true if a matching record was found
            return(v_result = 1);
        exception
            -- if no record was found then return false
            when no_data_found then
                return false;
        end authenticate;
    end;
    /
    I tried the code with
    declare
        bres boolean := false;
    begin
        -- use the correct username and password
        bres := pkg_auth.authenticate('john', '1234');
        if (bres = true) then
            dbms_output.put_line('Authentication was successful');
        else
            dbms_output.put_line('Authentication failed');
        end if;
    end;
    /
    and it returned: Authentication was successful
    But when I try to log in as the user himself, it says login credentials invalid.
    I don't know what I'm doing wrong or what I'm forgetting here to make it work.

  • Cant create an LDAP instance on DSCC

    Hi everybody,
    I've just installed directory system server 7, and I deployed the DSCC war file in Tomcat. Everything is OK, but when I tried to create an LDAP instance I get the following error:
    Error executing the operation. The exception is com.sun.directory.nquick.NquickException.
    Please, any help? I haven't found anything on the web.
    Thanks

    I had this same issue, when attempting to create a new server under Directory Servers->Servers in the DSCC admin gui. I am using the latest version of Sun DSCC and Oracle DS EE downloaded from Oracle yesterday (6/17/2001): DSEE.7.0.Windows-X86
    To get around the problem, I created my instance using the dsadm command line tool:
    C:\dsee7\bin> dsadm create C:\ldap_instances\my_instance
    ** NOTE ** be sure that the "my_instance" directory doesn't exist.
    The tool then asked for Directory Manager password and confirmation (which I entered) and then I started the instance:
    C:\dsee7\bin> dsadm start C:\ldap_instances\my_instance
    I then reopened DSCC and returned to the Directory Servers->Servers tab, and selected "Register Existing Server..." in the "--More Server Actions--" drop-down list. After entering my info and continuing through the options, my instance finally shows up.

  • 4.0.1 to 4.1.1 -- LDAP Directory Authentication Scheme fails

    Using the out of the box LDAP directory authentication scheme that worked fine in v. 4.0.1 is failing in v. 4.1.1. User authentication is failing with 'Invalid Login Credentials'. Debug shows that the User is 'nobody'. Looking at v. 4.0.1, User shows 'Admin'. Also, the 'LDAP test link' is no longer available in 4.1.1 - that's a bummer.
    Example debug 4.1.1:
    4161     426774014496602     nobody     103     101     50     6 minutes ago     0.8562
    Example debug 4.0.1:
    661     3340172823117775     ADMIN     130     101     57     36 seconds ago     0.3298
    Does anyone know if something was changed with the standard LDAP directory scheme? Or am I missing some configuration?

    Hi Julie,
    sorry, there is too little context for me to answer this question. I have no idea where and how you got that debug output, for example.
    As for testing, the LDAP authentication scheme calls wwv_flow_custom_auth_ldap.authenticate. It's no official API and we may revoke the grant in future versions, but in 4.1, you can test LDAP auth in SQL workshop with
    declare
        l_status boolean;
    begin
        -- replace each ...placeholder... with your own value
        l_status := wwv_flow_custom_auth_ldap.authenticate (
                        p_ldap_host     => ...host...,
                        p_ldap_port     => ...port...,
                        p_dn            => ...dn_string...,
                        p_search_filter => ...search_filter...,
                        p_password      => ...password...,
                        p_use_ssl       => ...ssl_mode...,        -- Y for SSL, A for SSL with authentication, N for no SSL
                        p_use_exact_dn  => ...use_exact_dn... );  -- Y or N
        dbms_output.put_line(case when l_status then 'authenticated' else 'auth error' end);
    end;
    Regards,
    Christian

  • Ldap function gives errors in apex 4.1.1

    Hi all,
    I have a custom function for ldap authentication.
    create or replace
    FUNCTION bgt_ldap_authenticatie_func (
          p_username IN VARCHAR2
        , p_password IN VARCHAR2
    )
    RETURN BOOLEAN
    AS
        l_ldap_host     VARCHAR2(100) := 'domain';
        l_ldap_port     VARCHAR2(4)   := '389';
        l_session       DBMS_LDAP.SESSION;
        l_retval        PLS_INTEGER;
        l_login_result  BOOLEAN := true;
        l_error VARCHAR2(4000);
    BEGIN
        -- An empty password must never reach the bind call.
        IF p_password IS NULL THEN
            l_login_result := FALSE;
        ELSE
            -- I. LDAP login
            BEGIN
                -- LDAP exceptions
                DBMS_LDAP.USE_EXCEPTION := TRUE;
                -- Initialize the LDAP handle ...
                l_session := DBMS_LDAP.INIT(
                      hostname  => l_ldap_host
                    , portnum   => l_ldap_port
                );
                l_retval := DBMS_LDAP.SIMPLE_BIND_S(
                      ld        => l_session
                    , dn        => 'domain\' || LOWER(p_username)
                    , passwd    => p_password
                );
                -- Log off from the LDAP server.
                l_retval := DBMS_LDAP.UNBIND_S(ld => l_session);
                -- Sign-in was successful.
                l_login_result := TRUE;
            EXCEPTION WHEN OTHERS THEN
                l_login_result := FALSE;
            END;
        END IF;
        RETURN l_login_result;
    END;
    /
    This is working fine on Apex 3.2 and Oracle 10g.
    I now have a development environment with apex 4.1.1 and Oracle 11g.
    I have run above function, with success (no compilation errors).
    I then go to authentication schemes to create my ldap authentication:
    host: domain
    port: 389
    Distinguished Name (DN) String: ou=domain,ou=New Security Groups,ou=Applications,cn=Budgeting_Dev
    Use Exact Distinguished Name (DN): Yes     
    LDAP Username Edit Function: return bgt_ldap_authenticatie_func;      
    When I click on the create button, I get
    1 error has occurred
        ORA-06550: line 5, column 8: PLS-00382: expression is of wrong type ORA-06550: line 5, column 1: PL/SQL: Statement ignored
    Why is it that I'm getting an error when trying to create the authentication when the function has been successfully compiled?
    Thanks,
    Diana

    Hi Diana,
    in addition to Christian's comment, the "LDAP Username Edit Function" attribute expects a function which returns VARCHAR2 and not BOOLEAN as your function returns. It should also not be used to actually perform an LDAP lookup; instead it returns the LDAP Username you want to give APEX to perform the LDAP lookup.
    Regards
    Patrick
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf
