LDAP Authentication for Application APEX 3.2

Similar Messages

• How to use two different LDAP authentication for my Apex application login

  Hi,
  I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
  cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
  cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
  The problem is I couln't pointout both the groups in DN string, I am trying to allow both usergroups to access the application.
  Does anyone know how to define both the group in LDAP DN String ?.
  Thanx in advance
  Vijay.

  Vijay,
  I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
  Scott

• How to enable LDAP authentication for APEX

  How do I enable LDAP authentication for APEX 4.2? Thank for your help.
  Kevin

  you need to create new authentication based on predefined LDAP authentication from shared components => Authentication
  and provide your company LDAP authentication credentials

• LDAP authentications fail in APEX

  Does 11g XE Beta support LDAP ?
  We have a number of internal apps running fine in APEX 4.0.2.00.07 installed in Oracle 10g XE.
  Once imported to a new box running 11g XE beta, LDAP authentications always fail, even though the same login processing settings are used. Anybody got LDAP working in APEX on 11g XE ?
  Colin

  Hi Colin,
  though I haven't tested with 11g XE, 11g in general still supports LDAP. However, starting with 11gR1 (and the current beta is based on 11gR2) you need to define ACLs for network access. If you haven't done this, you won't get any LDAP connection out of the database. There is quite a good example for that in the APEX Installation Guide: http://download.oracle.com/docs/cd/E17556_01/doc/install.40/e15513/otn_install.htm#BABBHCID
  I think this is a good example and can be adopted for other database users easily.
  If that's not the solution in your case, please post the error message you receive when the authentication fails.
  -Udo

• Radius or LDAP (not Oracle LDAP) authentication for GridControl

  I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
  I see that if I create a new GC user via enterprise manager, a new database accout is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
  However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
  Questions for all:
  Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
  I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot we purchase OID for this purpose.
  Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
  I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?

  <QUOTE>All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece</QUOTE>
  Amen.
  Right now, I've got an SR open on the radius authentication issue in GC. It took me a two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
  I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
  At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
  Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
  The other option, which I haven't yet given up on would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI jdbc (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controled by the sqlnet.ora file. I've got java code using those just fine. If only I could hack EM to use them.
  In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
  I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
  Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
  In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
  I'll keep the thread updated if I see results from our SR.

• Download Patch For Application Apex

  Hello Everybody ,
  How can i downlaod the Patch for Application Express 3.0
  I wan tto downlaod file p6113844_10203_GENERIC.zip.
  So please guide me

  You have to have a Metalink account.
  Here is the patch number:
  6113844
  Regards,
  Bill Chadbourne

• No Authentication for application but need to be authorized for few pages

  Hi,
  I am new to the security concepts of APEX. Could you please assist me if my below requirement could be acheived, if so how?
  My application has 'No Login Authentication' schema selected which makes it open for any user, and this is as per our requirement. I have few pages which have to be accessed only by
  * Administrator
  * Higher Management team
  * Some pages where any enduser need to login (for instance, for posting any query, I would require to know the owner of the query for which I require the user to be authenticated and further have email communications)
  Any assistance in this regard is much appreciated.
  Thanks & regards,
  Anasuya

  Anasuya,
  You need to select an appropriate authentication scheme based on how you want to authenticate users and then make all pages "public" except for those that require authenticated access. For those authenticated pages, you can then assign authorization scheme to limit which authenticated users are authorized for each page.
  Scott

• Global authentication for applications deployed in OC4J server

  Hi,
  I have a couple of JSP pages deployed in OC4J server. I
  would like to use authentication provided by OC4J, it
  means to use JAZN UserManager (encrypted principals, LDAP
  or SSO).
  My question is, if it's possible to set default
  authentication method for whole server or whole
  http-web-site on OC4J, or I have to make change in web.xml
  in each and every program, which I am going to deploy into
  my OC4J. If I have 100 programs and somebody will make
  decision, there will be no authentocation on this particular
  server, do I have to change all my programs and remove
  entries from web.xml files?
  Is there a way how to specify the login page globally for
  the server, not by application?
  Thanks,
  Marek

  lograste resolver tu problema????... si es asi me puedes enviar la solucisn.....
  gracias..

• Sasl and LDAP authentification for application

  Dear MAC administrators,
  I would like to ask how to set sasl to authentificate
  against  openLDAP for and svnserve application
  A) LDAP works well on MAC and slack as well
  ldapsearch -x -h ldap.stuba.sk -b "ou=People,dc=stuba, dc=sk" -W -D
  "uid=fodrek,ou=People,dc=stuba,dc=sk"  uid=*fodrek*|egrep employ
  Enter LDAP Password:
  employeeType: staff
  employeeType: ext
  employeeType: ext
  employeeType: student
  employeeType: staff
  B)  saslauthd -c -m /var/runsaslauthd -d -a ldap
  shows
  saslauthd : set_auth_mech: unknown mechanism: ldap
  Is there anobody who is able to tell me where am I doing an error, plase?
  I look forward hearingf from you
  Yours faithfully
  Peter Fodrek

  What thype of ldap server are you using? Microsoft Windows 2012 or 2008. I got a problem with 2012 not give the groups back with some users.
  Same problem as
  https://supportforums.cisco.com/message/3866327#3866327
  debug ldap 255
  shows correct value with one user that is workin:
  [196] Authentication successful for Administrator to 192.168.20.80
  [196] Retrieved User Attributes:
  [196]   objectClass: value = top
  [196]   objectClass: value = person
  [196]   objectClass: value = organizationalPerson
  [196]   objectClass: value = user
  [196]   cn: value = Administrator
  [196]   description: value = Vordefiniertes Konto f..r die Verwaltung des Computers bzw. der Dom..ne
  [196]   distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local
  [196]   instanceType: value = 4
  [196]   whenCreated: value = 20081201134058.0Z
  [196]   whenChanged: value = 20131126141559.0Z
  [196]   displayName: value = Administrator
  [196]   uSNCreated: value = 12298
  [196]   memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local
  [196]           mapped to Group-Policy: value = ssl_admin
  [196]           mapped to LDAP-Class: value = ssl_admin
  One user that is not working:
  no entries with memberOf in debug
  [190] Authentication successful for sdag to 192.168.20.80
  [190] Retrieved User Attributes:
  [190]   objectClass: value = top
  [190]   objectClass: value = person
  [190]   objectClass: value = organizationalPerson
  [190]   objectClass: value = user
  [190]   cn: value = sdag
  [190]   distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local
  [190]   displayName: value = sdag
  [190]   homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini
  [190]   proxyAddresses: value = smtp:sdag@xxxx
  [190]   proxyAddresses: value = SMTP:sdag@xxxxx

• Error in LDAP Authentication for Sun One App Server 8..pls help

  I need to authenticate my sun java system application server 8 with openldap server.....
  i have added ldap realm as given in the administrators guide http://docs.sun.com/source/817-6088/security.html
  My settings in the sun app server were like this:
  Realm: ldap
  Class Name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
  directory ldap://10.1.1.79:389
  base-dn o=stooges
  jaas-context ldapRealm
  search-bind-dn cn=StoogeAdmin,o=stooges
  search-bind-password secret1
  My openldap schema is as follows
  file : /etc/openldap/slapd.conf
  include /etc/openldap/schema/core.schema
  include /etc/openldap/schema/cosine.schema
  include /etc/openldap/schema/inetorgperson.schema
  include /etc/openldap/schema/nis.schema
  database ldbm
  suffix "o=stooges"
  rootdn "cn=StoogeAdmin,o=stooges"
  rootpw secret1
  directory /var/lib/ldap/stooges
  defaultaccess read
  schemacheck off
  lastmod on
  index cn,sn,st pres,eq,sub
  index uid,userPassword eq
  file : /var/lib/ldap/stooges/stooges.ldif
  dn: o=stooges
  objectClass: top
  objectClass: organization
  o: stooges
  description: The Three Stooges
  dn: cn=StoogeAdmin,o=stooges
  objectClass: organizationalRole
  cn: StoogeAdmin
  description: LDAP Directory Administrator
  dn: ou=MemberGroupA,o=stooges
  ou: MemberGroupA
  objectClass: top
  objectClass: organizationalUnit
  description: Members of MemberGroupA
  dn: ou=MemberGroupB,o=stooges
  ou: MemberGroupB
  objectClass: top
  objectClass: organizationalUnit
  description: Members of MemberGroupB
  dn: uid=vikram,ou=MemberGroupA,o=stooges
  uid:vikram
  givenName:vicky
  objectClass:top
  objectClass:person
  objectClass:organizationalPerson
  objectClass:inetorgperson
  sn:kone
  cn:Kone Vikram
  userPassword:glamsham
  When i start ldap server and sun server,
  the login page for sun server asks for username and password ....
  when i give
  username : vikram
  password : glamsham
  Error page comes.....
  HTTP Status 403 - Access to the requested resource has been denied
  type Status report
  message Access to the requested resource has been denied
  description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
  Sun-Java-System/Application-Server-PE-8.0
  Subsequent attempts to login gives another error page
  HTTP Status 500 -
  type Exception report
  message
  description The server encountered an internal error () that prevented it from fulfilling this request.
  exception
  com.sun.enterprise.tools.guiframework.exception.FrameworkException: Unabled to handle pre-compiled JSP '/jsp/j_security_check'. Expected pre-compiled classname: 'org.apache.jsp.jsp.j_005fsecurity_005fcheck'.
  com.sun.enterprise.tools.admingui.servlet.HandlePrecompiledJsp.doPost(HandlePrecompiledJsp.java:59)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:768)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:861)
  sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
  sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  java.lang.reflect.Method.invoke(Method.java:324)
  org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:289)
  java.security.AccessController.doPrivileged(Native Method)
  javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
  org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
  org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:205)
  note The full stack trace of the root cause is available in the Sun-Java-System/Application-Server-PE-8.0 logs.
  Sun-Java-System/Application-Server-PE-8.0
  So pls... help as to how to go about this..
  P.S. My ldap server runs as "ldap" user not as root

  Try with "vikram" as a member of "cn=asadmin" group in your LDAP directory...

• Problem with LDAP authentication for users in a group

  I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
  I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
  [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
  [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]  msNPAllowDialin: value = TRUE
  I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
  ldap attribute-map AuthUsers
    map-name  memberOf IETF-Radius-Class
    map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
  aaa-server LDAP protocol ldap
  aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
   ldap-base-dn DC=COMPANY,DC=com
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
   server-type microsoft
   ldap-attribute-map AuthUsers
  group-policy NOACCESS internal
  group-policy NOACCESS attributes
   vpn-simultaneous-logins 0
   vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
   webvpn
    anyconnect ask none default anyconnect
  group-policy GroupPolicy_COMPANY_SSL_VPN internal
  group-policy GroupPolicy_COMPANY_SSL_VPN attributes
   wins-server none
   dns-server value 10.10.100.102
   vpn-tunnel-protocol ikev1 ikev2 ssl-client
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value SPLIT-TUNNEL
   default-domain value net.COMPANY.com
   webvpn
    anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
  tunnel-group COMPANY_SSL_VPN type remote-access
  tunnel-group COMPANY_SSL_VPN general-attributes
   address-pool COMPANY-SSL-VPN-POOL
   authentication-server-group LDAP
   authorization-server-group LDAP
   authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
   default-group-policy NOACCESS
   authorization-required
  tunnel-group COMPANY_SSL_VPN webvpn-attributes
   group-alias COMPANY_SSL_VPN enable
  tunnel-group COMPANY_SSL_VPN ipsec-attributes
   ikev1 pre-shared-key *****

  I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

• LDAP Authentication for OSB Services

  Hi ,
  I would like to know how to secure proxy services to be accessible to only selected users in a given LDAP configured under weblogic "Providers".
  For example only users test1 and test2 must be able to access the proxy service and the methods.
  Also is similar type of access control possible with roles?ie only users assigned to a particular role must be able to access the proxy service.
  Please note we don't want to use OWSM for this.
  Thanks.

  Please refer section "45.5 Access Control Policies" at -
  http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/model.htm#i1063159
  Also refer -
  http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/message_level_cust_auth.htm#i1069719
  Regards,
  Anuj

• AD LDAP authentication or authorization

  Hi,
  It really drives me crazy because I can't seem to find the right solution for my issue.
  I'm trying to use the LDAP authentication for my apex applications.
  So far, straight forward LDAP authentication works just fine, but EVERYBODY who has a user account can log into any application.
  I'm using the %LDAP_USER% string to validate the users and that's just fine.
  But I want to restrict somehow users from logging into my applications.
  Either way by ldap groups or an users table in every application.
  Can someone please help me with this, or give me directions/examples of login functions/schemes?
  Thanks so much!
  Regards, Bas

  What you have done so far is called Authentication. It's the question of "who am I?"
  What you want to add is called Authorization, which is the "what can I do?"
  So, you need to create an Authorization Scheme to secure components of your application. An authorization scheme can secure almost any component of an APEX app including:
  - The application
  - Pages
  - Tabs
  - Regions
  - List items
  - Items
  - Columns in reports
  - More that I'm not thinking of
  Look at the doc on authorization schemes. You have 2 primary options that I can think of:
  1) Use LDAP groups by using the APEX_LDAP package to lookup information about a user. I'm not sure if the member_of function works against AD or just OID, you might need to use the get_attribute function instead. In short, you query AD, then return true or false based on the attributes of the user. Once they are logged in you can reference the username with the :APP_USER APEX variable
  2) A table of usernames (not passwords). You authorization scheme could just be an "Exists query" such as:
  select 1 from valid_users where username = :APP_USEROnce you decide on an authorization scheme and create it, you then edit the security attributes of your app / page / region / etc and apply it
  Tyler Muth
  http://tylermuth.wordpress.com
  "Applied Oracle Security: Developing Secure Database and Middleware Environments": http://sn.im/aos.book

• How to include all the child OU groups of a master OU group in LDAP authentication

  Dear All,
  I am using Apex 4.2 on windows server 2012 on internet explorer with database 11g R2 all 64 bit.
  we are using Microsoft Active Directory Authentication in our domain.
  I have created two protals, Staff Portal and Student Portal
  I have two groups, Staff and Students. these two groups coming under HCT group.
  I want to configure LDAP authentication for these groups, so that student cannot login to staff portal and vice versa.
  I had created on authentication schema in apex.
  inititally I configured as below
  for example I have a group ETC, inside ETC I have CSS in active directory,
  DN String=cn=%LDAP_USER%,dc=hct,dc=org
  Use Exact distinguish name=YES
  LDAP Username edit function=
  return apex_escape.ldap_dn (
               p_string => :USERNAME,
               p_escape_non_ascii => false ) || ',ou=users,ou=css,ou=etc,ou=staff,ou=hct'   ;
  Username Escaping=NO ESCAPING
  and it is working,
  now I have another group under ETC, which is ESS. how to include ESS also? I mean how to include all the child groups of a master group?
  because I will then only include the STAFF ou and the rest of the ou which coming under staff will come automatically.
  please refer to this thread for more details.
  Re: Re: Different LDAP authentication for Student and Staff Active directory groups
  Thank you.

  Powershell (or vbscript if you want to be old school).
  You can trigger a powershell script which will remove the offending user(s) easily enough with out resorting to a TOLDAP pass.  Nearly any script type thing would work but powershell is preferred.  It can be triggered separately from the TO AD stuff and will take multiple objects to run in one pass if you can construct the command line (or create a text file and feed it in).
  Otherwise, TOLDAP is the way to write to AD...
  Peter

• How to do LDAP authentication in OC4J instance?

  Need to configure third party LDAP authentication for an application deployed in OC4J instance. How to configure this?

  Hi,
  I think that links will be useful to you!
  http://download-uk.oracle.com/docs/cd/B15904_01/web.1012/b14013/configoc4j.htm
  http://www.oracle.com/technology/sample_code/tech/java/codesnippet/security/jaznldap/index.html
  Afonso